Hackers managed to hijack one-time passwords (OTPs) sent via SMS by Singapore banks to customers and use them to carry out fraudulent credit card transactions worth a total of S$500,000.
The fraud was carried out late last year by criminals overseas and affected 75 bank customers, according to the Monetary Authority of Singapore and the island's police force.
The hacks were not the result of compromised bank systems. Instead, an investigation has found that crooks gained unauthorised access to the systems of overseas telcos and used them to modify the location data of the mobile phones used by the victims in Singapore.
This let them divert the SMS OTPs sent by the banks to their customers to overseas mobile network systems. Having separately obtained their victims’ card details, the hackers made fraudulent online transactions and authenticated them using the diverted SMS OTPs.
The country's Infocomm Media Development Authority has asked mobile operators to put specialised firewalls and system safeguards in place, while the public is being told to be alert to malware and phishing dangers.
Meanwhile, "given the unique circumstances of these cases, banks will provide a goodwill waiver to affected customers who had taken care to protect their credentials".