Singapore OCBC SMS scam - it can happen to any bank and anyone 😠

A group of OCBC Singapore customers fell prey to an SMS banking scam costing $8.7 million Singapore dollars. The scam is very sophisticated and uses a weakness in the standard SMS protocol to send out SMS messages that appear to come from OCBC Singapore.

The SMS sent by the scammers looked like it came from OCBC Singapore, and the message contained links to a fake OCBC Bank website that was used to harvest OCBC customers' banking IDs and passwords. The scammers then used the customers' banking IDs and passwords to make banking transactions up to their daily transaction limit. For now the case is still under investigation, and the exact modus operandi is based on guesswork.

The SMS header (the "From" field, also known as the Caller ID field) can be spoofed and changed, so the SMS header text should not always be trusted.

OCBC Singapore recently announced that it will compensate victims of the SMS scam on a goodwill basis even though it is not liable for this scam. Not sure if this is a coincidence, since MAS (Monetary Authority of Singapore) is considering making OCBC liable.

SMS is still widely used in Malaysia because it works on all phones and does not require a data connection or the installation of any mobile apps. The older generation who do their banking online also rely a lot on SMS for banking. The big banks in Malaysia already have options to phase out SMS via in-app notifications and in-app TAC numbers (e.g. Maybank Secure2U). Some banks, like Public Bank, insist that all transactions be verified using SMS regardless of the daily limit, which serves as a deterrent to this scam.

📍Links

https://www.channelnewsasia.com/singapore/ocbc-sms-scam-phishing-full-sum-lost-goodwill-payouts-2445231

Security Advisory | OCBC Online Banking | OCBC Singapore