After around two decades of allowing one-time passwords (OTPs) delivered by text message to assist log ins to bank accounts in Singapore, the city-state will abandon the authentication technique.

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) announced on Tuesday that "major retail banks in Singapore will progressively phase out the use of One-Time Passwords (OTPs) for bank account login by customers who are digital token users within the next three months."

The banks hope this will "better protect against phishing" - at least against attacks in which scammers trick customers into disclosing their OTP. Instead, MAS and ABS encourage the use of digital tokens -apps running on smartphones that produce OTPs - as the source of second factors for bank account authentication.

Bryan Tan, partner at tech-centric law firm Reed Smith, told The Reg the move was "not unexpected given that scammers have figured out how to game the current OTP system notwithstanding that it was two factor."

The Register asked ABS and MAS what measures, if any, will be taken to include those who don't have or want mobile phones - a situation Singapore recognized in 2020 when it created a device to substitute for its COVID-19 tracking app. It’s therefore unclear how the plan to ditch SMS 2FA will impact groups such as neo-luddites and the elderly, especially as dedicated physical tokens have also been a phased out in Singapore. We will update should a substantial reply materialize.

However, in a canned statement, ABS director Ong-Ang Ai Boon reasoned that "while they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers."

Smartphone ownership in Singapore reached [PDF] 97 percent in 2023, but the country has had to engage in digital inclusivity outreach programs to certain parts of the population - including lower-income seniors.

Only 46 percent of residents aged 60 and above were found to keep their smartphones up to date as of 2022. They also lagged behind on enabling 2FA and conducting security checks when making online transactions.

Accessibility concerns aside, the move signifies a global pivot in cyber security practices and the evolution of digital banking security. Singapore routinely stays at the forefront of such practices. ®

https://www.theregister.com//2024/07/12/singapore_banks_fight_phishing/