SMS Phishing Campaign Prompts Singapore to Introduce Internet Banking Security Measures
In the wake of an SMS phishing campaign that targeted the Oversea-Chinese Banking Corporation, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are requiring financial institutions to implement security measures. The organizations will be required to take clickable links out of text messages and emails sent to customers; set default funds transfer thresholds to SG $100 (US $74); and impose a 12-hour delay for activating mobile software tokens. In a separate story, UnionBank of the Philippines is also adopting stronger security practices to protect its customers from fraud. UnionBank says it will no longer use clickable website links in promotional materials.
These are interesting security measures in that they really strike at the intersection of confidentiality, integrity, and availability. Here, they're protecting the integrity of the accounts by limiting availability of some features. On the issue of clickable links in text and emails, that train has unfortunately already left the station. While this will definitely stop some cybercrime, it will take some time to get people to adjust to the idea that any clickable link is an attack. That said, this is a gold mine for security awareness. Instead of trying to train users on which links are safe to click (which I think we can all agree has been an abject failure), end users can now be trained that *any* link from participating institutions is an attack. This heuristic will certainly be easier for users to apply reliably and consistently.
While these are good security measures, they also impact usability and remove the risk-based decision from the individual financial institution. The challenge to the FI is to train users to use alternative, more secure methods, such as non-SMS authentication verification and out-of-band verification for transactions which exceed risk thresholds, to support the expected transaction volume of modern banking users.
This measure from MAS/ABS, along with the Philippines bank's decision to no longer use clickable links in SMS and emails, is an interesting strategy. Inconvenient from a user perspective, but the extra steps to copy and paste the URL may give the user time to think about what they are about to do. This is, of course, if it does not become a habit.
Modern email clients (including browsers) and secure web gateways all give some level of protection to users when they click on embedded links in email. SMS messaging does not go through such protection, which is why "smishing" is increasing. Until phone number spoofing is stopped or until such protections are available, it is a very good thing to make it clear that no responsible institution would include clickable links in a text message.
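The measures described above, as an added Python example that is not from the article, MAS/ABS or any bank: a sending-side gate that rejects any customer message carrying a link, the user-side "any link from a bank is an attack" heuristic from the comments, and checks for the SG$100 default transfer threshold and the 12-hour software-token delay. The obfuscated-URL pattern and the sample messages are my own constructions.

```python
import re
from datetime import datetime, timedelta

# Link detector covering plain URLs and the lightly obfuscated forms seen in
# smishing ("hxxps://", "bank[.]com", "bank dot com"). Assumed pattern, not from the page.
SEP = r"(?:\.|\[\.\]|\(dot\)|\s+dot\s+)"          # ".", "[.]", "(dot)", " dot "
URL_PATTERN = re.compile(
    r"(?:h[xt]{2}ps?://|www\.)\S+"                 # scheme (incl. defanged hxxp) or www. prefix
    + r"|\b[\w-]+(?:" + SEP + r"[\w-]+)*" + SEP + r"(?:com|net|org|sg|ph)\b",  # bare domain
    re.IGNORECASE,
)

# Measures named in the article, encoded as plain constants (assumed representation)
DEFAULT_TRANSFER_THRESHOLD_SGD = 100
TOKEN_ACTIVATION_DELAY = timedelta(hours=12)


def find_links(text: str) -> list[str]:
    """Return every URL-like token found in a message."""
    return [m.group(0) for m in URL_PATTERN.finditer(text)]


def outbound_message_ok(text: str) -> bool:
    """Sending-side gate for an FI: a customer SMS/email may carry no link at all."""
    return not find_links(text)


def inbound_is_suspicious(sender_claims_bank: bool, text: str) -> bool:
    """User-side heuristic: a link in a message claiming to come from a bank is an attack."""
    return sender_claims_bank and bool(find_links(text))


def transfer_needs_extra_verification(amount_sgd: float, threshold_sgd: float = DEFAULT_TRANSFER_THRESHOLD_SGD) -> bool:
    """Transfers above the customer's threshold (default SG$100) need out-of-band confirmation."""
    return amount_sgd > threshold_sgd


def token_is_active(activated_at: datetime, now: datetime) -> bool:
    """A newly enrolled mobile software token only becomes usable after the 12-hour delay."""
    return now - activated_at >= TOKEN_ACTIVATION_DELAY


# Constructed sample messages, not real traffic
SAMPLES = [
    (True, "Your account is locked. Restore access at hxxps://ocbc-verify[.]com/login"),
    (True, "Unusual login detected. Confirm at ocbc-secure dot com within 24h"),
    (True, "Your OTP is 482913. OCBC staff will never ask for it."),
    (False, "Lunch menu is at www.example.org - see you at noon"),
]

if __name__ == "__main__":
    for claims_bank, text in SAMPLES:
        print(inbound_is_suspicious(claims_bank, text), find_links(text), text)
```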