Forum: Scammed of $100,000, but fault is not mine alone

  • Have you been Scammed?
    Follow this advisory from National Crime Prevention Council (NCPC) on the next steps you can take. More info

Nakshatra

Senior Member
Joined
Apr 21, 2015
Messages
1,194
Reaction score
153
No, that's just the app... still tied to paynow service right?

Anyhow, your paynow number is just your online identifier for ppl to transfer money to you isn't it? It's like your account nick here.... you can change it but what are you trying to prove?
ah, ok. understand.

I have a personal phone I use for internet banking and an office phone for work. different numbers.

once I am able to login to the ocbc app with my "ID" and "password". (combined with One Token assigned to my phone), I was able to change my paynow mobile number without being challenged.

next I installed ocbc app on my office phone and I could activate new one token with otp sent directly to my office number, bypassing my personal phone totally.
 

rtkgamer

Supremacy Member
Joined
Mar 14, 2005
Messages
5,552
Reaction score
1,032
if so many people kena scammed, then its either the scammers are so smart or the system inplace is flawed.

i think MAS should take charge, together with the bank and telco to rework the current system so as to prevent future scams. Alot of questions that PSP, WP can ask in the parliament:

1/ why telco cannot choose to block +65 numbers?
2/ how does the scammer delay the SMS by 4hr?
3/ why banks call centers take so long to handle enquiries?
etc.
 

toyo23

Member
Joined
Apr 6, 2007
Messages
273
Reaction score
76
This is what I have been telling many people. But they don’t **** care.

DBS should explain why that is a good practice.

"Customers using soft token should do online banking from a different device to that that has the soft token."

I also want to know, as I don't see any benefits in the above

anyways thanks for explaining about "soft token" tied to one HP only

like that I am lost to how scammer managed to clear out bank account unless victim not using "soft token" only using SMS for OTP 2FA
 

TickTechToe

Master Member
Joined
Dec 4, 2010
Messages
3,549
Reaction score
1,316
I searched through all the older sms from OCBC right to 2019 but can’t find any of such links. You have any example of this? Just so that I can keep a lookout under what circumstances they’ll send such links

I received quite a few of these types of SMS from OCBC with bit.ly links.. they all start with <ADV> for several promotions.. the latest one as recent as Dec 2021.. so when OCBC broadcast that they never send SMS with links, I was like..WTH? I click the link before, it shows the promotion details, like 360 Interest Promotion for Investment Products.. and there is a Login feature.. it looks very legit.. of course, I won't login thru this link, because it is just a promotion.. but if the sms says something urgent, I think it is human nature to login..


Read HWZ Forum Rules!
 

pantss

Senior Member
Joined
Apr 2, 2008
Messages
2,259
Reaction score
765
If i can answer your question how to safeguard then i will be the head of OCBC. But that doesn't mean i cannot see there are issues with OCBC's system in this particular scam.

Already someone mentioned earlier it likely cannot be done in the same way with POSB as they require further verification for limit changes.
the person head of POSB ah? How they know it cannot be done in same way with Posb?
 

stupidog

Arch-Supremacy Member
Joined
Feb 15, 2005
Messages
21,554
Reaction score
8,473
However, OCBC's hotline is not equipped to immediately handle scams which are in progress.

I had to navigate an automated system for a long time before reaching a person.

this is the most knn part.
 

VEF888

Supremacy Member
Joined
May 3, 2006
Messages
9,472
Reaction score
2,368
I received quite a few of these types of SMS from OCBC with bit.ly links.. they all start with <ADV> for several promotions.. the latest one as recent as Dec 2021.. so when OCBC broadcast that they never send SMS with links, I was like..WTH? I click the link before, it shows the promotion details, like 360 Interest Promotion for Investment Products.. and there is a Login feature.. it looks very legit.. of course, I won't login thru this link, because it is just a promotion.. but if the sms says something urgent, I think it is human nature to login..
Read HWZ Forum Rules!

but never under OCBC it’s under 7xxx number
 

occifer

High Supremacy Member
Joined
Mar 9, 2018
Messages
38,964
Reaction score
4,193
am Siti, a mother of seven wonderful children. A wife to a caring educator. And a victim of the recent scam targeting OCBC Bank customers.

On Dec 28 last year, at 11.47am, I received an SMS which looked very much like the other ones I have received from the OCBC SMS system, which read: "The transaction function of your OCBC account will be suspended. To prevent the account from being locked out, update it on December 28. Access bit.ly/3q****."

At that time, I was occupied with my children and did not act upon it. At 2pm, I reread the SMS and followed the instructions and clicked on the link. It brought me to an authentic-looking site with the OCBC name.

As I was anxious about the account being suspended and I had some transactions to make to my children's accounts later in the day, I did not think further, and keyed in my username and password and other relevant details and checked into my account.

A few moments later, I received a notification stating that my transfer limit had been increased to $100,000. When I noticed that, I immediately called OCBC as I had not approved this.

However, OCBC's hotline is not equipped to immediately handle scams which are in progress.

I had to navigate an automated system for a long time before reaching a person.


By this wasted time, I had already received multiple notifications stating that monies were transferred out of my savings accounts and six of my children's savings accounts.

In just a few minutes, almost $100,000 was gone.

We have since made a police report but we have been told that even though accounts are insured by up to $50,000, we are unlikely to have any of our funds returned to us as it was my mistake for clicking on the link.

How can the blame be pinned entirely on me when OCBC's scam prevention measures are poorly equipped to urgently deal with a case as it is happening?

Siti Raudhah Mohd Ali

https://www.straitstimes.com/opinion/forum/forum-scammed-of-100000-but-fault-is-not-mine-alone

phones should have an option to make url unclickable in sms and watsapp.
So far phones dont have such function?

And it needs to show that the sms isnt from the same thread as a telco. That seems unfair imo.
 

makann

Great Supremacy Member
Joined
Mar 22, 2013
Messages
51,191
Reaction score
6,986
Many ppl don't even understand that this insurance is not even for scam... She is not going to get back a single cent
jin cham. 100k just gone like that. change to coins throw into sinkapore river still can hear a sound :crazy:
 

tanakow

Banned
Joined
Jan 3, 2004
Messages
9,837
Reaction score
1,422
"Customers using soft token should do online banking from a different device to that that has the soft token."

I also want to know, as I don't see any benefits in the above

anyways thanks for explaining about "soft token" tied to one HP only

like that I am lost to how scammer managed to clear out bank account unless victim not using "soft token" only using SMS for OTP 2FA
One benefit is that if you lose a phone, you only lose one factor of authentication. Unless you lose both phones at the same time.

Another benefit is that if your phone is hacked, you are still protected because your token is in another phone. Unless both phones kena hacked, which is quite unlikely.
 

frigatex

Member
Joined
Mar 13, 2007
Messages
250
Reaction score
34
Unless my memory c*** up, on 10th Jan when I logged in using desktop, it required me to approve the login using my mobile app (it just appears as 'authorise the transaction', without saying what I'm authorising). Just need to click yes to allow, this is the equivalent of OTP.

Then when I changed transaction limits then, I didn't remember the need to have further authorisation (unless like I said my memory was messed up). I also received the sms notifications (8 SMS in total) at 7am, despite changing the transaction limit at 2am. Doubt it is a telco issue because just 5 minutes earlier, I still received SMS from ocbc when I paid for a transaction. Back then, paynow limit was minimum 5k.

Fast forward to today, I just tried, changing transaction limits now require authorisation. Also, the paynow limit is now adjusted to minimum $100. SMS received immediately.

But notably and interestingly, my SMS said this for one of the change to transaction limit:

OCBC: Online Banking is being used to change your transaction limit for Overseas Funds Transfers from SGD 1,000.00 to Deactivate. If you are not doing this, call 1800 363 3333 at once. This SMS was sent at 2.39am on 10 Jan 2022.

But my email notification say:
As you instructed, we updated your authorization limit for Overseas transfer from SGD 1,000.00 to Any Amount at 2.39am on 10 Jan 2022.

Today, I did the same thing, email said:
As you instructed, we updated your daily limit for overseas transfer from SGD 0.00 to Deactivate at 11.20am on 15 Jan 2022.


Seems like protocols were changed quickly over these few days.
 

eterna2

Arch-Supremacy Member
Joined
Aug 16, 2007
Messages
18,815
Reaction score
471
ah, ok. understand.

I have a personal phone I use for internet banking and an office phone for work. different numbers.

once I am able to login to the ocbc app with my "ID" and "password". (combined with One Token assigned to my phone), I was able to change my paynow mobile number without being challenged.

next I installed ocbc app on my office phone and I could activate new one token with otp sent directly to my office number, bypassing my personal phone totally.
This one is for when u lose ur phone.

As in this design is designed for pple losing their mobile phone.
 

moonlighter_sg

Arch-Supremacy Member
Joined
Aug 15, 2005
Messages
11,713
Reaction score
2,647
When the scammer can do things without OTP, it means there is a loophole in the OCBC platform. I hope OCBC and victims should be clear in their reporting to the public.
 

pantss

Senior Member
Joined
Apr 2, 2008
Messages
2,259
Reaction score
765
phones should have an option to make url unclickable in sms and watsapp.
So far phones dont have such function?

And it needs to show that the sms isnt from the same thread as a telco. That seems unfair imo.
Like Windows ah? Need admin to confirm
 

vbhelper

Great Supremacy Member
Joined
Aug 21, 2000
Messages
51,863
Reaction score
7,832
Why don’t even need OTP?

tot there are 2 type of OTP

1 is for login
The other for transaction signing
 
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ. Forum members and moderators are responsible for their own posts.

Please refer to our Community Guidelines and Standards, Terms of Service and Member T&Cs for more information.
Top