The OTPs may have been intercepted by malware on victims' phones, or were diverted to overseas telcos that had been hacked, say cybersecurity experts.

[Prime 13]

Information asymmetry.
Most pple donch know if what the IT sexperts said ish true or notch.
Plus no way to verify.

They claim it's chuir phone kenna hackered therefore chiu lose monies ish chuir fault to ownself clear ownself, who ish cano verify?

 

[Ev0d3vil]

Gong jiao Wei is it? Or should everyone use apple then it’s safe ?

 

[Tsl8550]

Cyber security expert. Please show how to intercept sms and divert to overseas telcom? Dont talk rubbish

 

[nasfieldjohn]

Sexperts say got malware on chiu phone so the fault is the android or ios?

 

[iosnewbie]

https://www.punkt.ch/en/products/mp02-4g-mobile-phone/
This minimalist 4G phone goes for more than 300 euros brand new. 2nd hand ones on eBay still goes for around 250 usd. Ang mos really treat their privacy a lot more important than us.

 

[Ev0d3vil]

Cyber security expert. Please show how to intercept sms and divert to overseas telcom? Dont talk rubbish

bunch of gong jiao Wei sia. Why not ask everyone use iPhone since it’s the most “secure” phone ?

 

[cleffa3000]

https://www.straitstimes.com/tech/tech-news/why-some-ocbc-customers-in-sms-scams-did-not-get-otps

win liao lor

mobile devices also less protection so easily tio malware also

as long got 1 weak point gg liao

if server side cant tio, then tio client side.

 

[sTiCkY]

moi wonder how many haxx0rs they have working round the clock to achieve this mass targeted attack...

the time it takes to plan and recon alr not worth it... 8mil nia....

if 80mil return they sure do la... this way la... maybe even buy a bunch of femtocells to deploy in the neighbourhoods...

 

[cleffa3000]

A huge insult to Singapore's cybersecurity and highly regarded digital systems~ There is the Singpass app which displays my digital NRIC without the need for a password, now am worrying about my phone getting hacked~

boh lang install antivirus in phone mah

even if got antivirus , also dunno it will detect and stop the malware or not

 

[Towelie]

Where are the "experts" from~?

Same experts from MOH maybe? Afterall they are experts with viruses and ownself check ownself

 

[cleffa3000]

think most secure is atm lah
want withdraw/transfer huge cash then go to bank

 

[Apex01]

always the fault of others!!!
SG banking system is 500 percent safe!!

 

[86technie]

Does it mean it’s worth to pay for subscription like bitdefender for protection ?

Yes but that is not the point here.
Point here is they claimed is malware/virus.
However why the SMS and website so identical to the real one?

 

[Dougiehowsia]

What about other incidents overseas? Surely this is not th first attack of its kind in the world

 

[lalalalalala]

lol, i like how they say "divert to overseas telcos that might be hacked"

they got proof first anot

 

[lalalalalala]

Yes but that is not the point here.
Point here is they claimed is malware/virus.
However why the SMS and website so identical to the real one?

it's actually pretty hard to inject malware into phone because apps are all sandboxed

 

[lalalalalala]

Cyber security expert. Please show how to intercept sms and divert to overseas telcom? Dont talk rubbish

it's actually extremely difficult to do, you need the person to be using a cracked sms app. and usually people use the default app for sms, iphone use imessage, android use the default one provided by os

if anything i'd say the otp is legit, just that hacker managed to bypass or delay the sms trigger on ocbc end, either via ddos or sth

 

[86technie]

it's actually extremely difficult to do, you need the person to be using a cracked sms app. and usually people use the default app for sms, iphone use imessage, android use the default one provided by os

if anything i'd say the otp is legit, just that hacker managed to bypass or delay the sms trigger on ocbc end, either via ddos or sth

This I agree, user phone are just the client so it must come from "somewhere."
The way they put it as it came from the user phone.
Whoever these experts are, opt to check their cert real or not.

 

[havoc23]

 

[Towelie]

it's actually extremely difficult to do, you need the person to be using a cracked sms app. and usually people use the default app for sms, iphone use imessage, android use the default one provided by os

if anything i'd say the otp is legit, just that hacker managed to bypass or delay the sms trigger on ocbc end, either via ddos or sth

Actually the simplest explanation is

They cloned the ocbc website design, triggered an sms using spoofed phone number that used url shortener that directed to the fake site.

Got a list of ocbc customers or some banking list sold on those dark web. Did the above, then the customers went in, type in login credentials, auto "login". Real otp sent to user's phone. User typed the otp on that fake site and voila.

Not sure if additional step was done to show the balance, but this would have been quite easily done also, only needs the hacker to edit the figures, so long as he or she has the ocbc website interface after login

might need to insert a "delay" tactic here during login so that the OCBC users will not suspect for that 10-15seconds

This move can potentially delay the more "savvy" IT users response and cause them to call the bank only much later

The other end, they spoofed singapore IP maybe? Then the hacker just typed in credentials and otp.

How this didnt trigger ocbc's alarm bells is worrying, how the large amounts of money simply sent overseas just like that.

I think this was a carefully planned one time operation... Done by like those scam centers u see on youtube