OCBC S'pore scam victims, many who lost life savings, slam bank for underwhelming response


schlep

Senior Member
Joined
Aug 5, 2003
Messages
999
Reaction score
31
I am not a scam victim of the OCBC Bank but I do receive SMSes from OCBC now and then.

If I received an SMS that falls within the same OCBC thread which contains prior msges which were legit, I too may be tricked into clicking the link. Except, maybe I have the habit of checking the address bar to check if the link is legit. But someone who is in a hurry or in a state of panic may not be so proactive.

That is why I sympathize with the victims. It does look like a clever scam by the scammer. In situation like this, I do hope the banks could offer additional protection. Some suggestions (which some EDMWers have suggested):
(1) Requiring additional OTP or authentication if transfer limit is altered. DBS has this right?
(2) Blocking or verifying with the user if large sums of money is transferred to an overseas account. Scam victims aside, wouldnt you need this for Anti-Money Laundering?
(3) Similar to what I see in streaming services before - block or require additional authentication if account is accessed through an overseas IP or known VPN services address.

It is easy to blame the victims from their carelessness but I think as a user of the banking services, I do hope to receive some forms of protection from having my money totally wiped out at one go.

I wonder if anyone here feel like closing their accounts with OCBC after reading through all the cases. I worry about their lack of responsibility and transparency in this case.
 

Maichapsiao

Senior Member
Joined
May 16, 2018
Messages
2,041
Reaction score
1,089
I am not a scam victim of the OCBC Bank but I do receive SMSes from OCBC now and then.

If I received an SMS that falls within the same OCBC thread which contains prior msges which were legit, I too may be tricked into clicking the link. Except, maybe I have the habit of checking the address bar to check if the link is legit. But someone who is in a hurry or in a state of panic may not be so proactive.

That is why I sympathize with the victims. It does look like a clever scam by the scammer. In situation like this, I do hope the banks could offer additional protection. Some suggestions (which some EDMWers have suggested):
(1) Requiring additional OTP or authentication if transfer limit is altered. DBS has this right?
(2) Blocking or verifying with the user if large sums of money is transferred to an overseas account. Scam victims aside, wouldnt you need this for Anti-Money Laundering?
(3) Similar to what I see in streaming services before - block or require additional authentication if account is accessed through an overseas IP or known VPN services address.

It is easy to blame the victims from their carelessness but I think as a user of the banking services, I do hope to receive some forms of protection from having my money totally wiped out at one go.

I wonder if anyone here feel like closing their accounts with OCBC after reading through all the cases. I worry about their lack of responsibility and transparency in this case.
If the banks compensate the victims, next time there will be cases of people using scams to scam the bank.
 

ocs_woodlands

Supremacy Member
Joined
Feb 2, 2011
Messages
9,549
Reaction score
930
in the past hr, I have come to a complete understanding of how the fraud was perpetrated and who is at fault.

my conclusion is simple. SMS should NOT have been approved or continued to be approved as a 2FA.

The party at fault is MAS.
why? because they allowed it.

Just tell you something, without screencap from MY phone (I don't want my screencap to go viral)....

on a single sms thread sharing the ID AUTHMSG I have MULTIPLE organisations' sms message grouped together. They are: Gardens by the Bay, Endowus and an IP camera brand 😂😂😂😂😂
 

kayaloti.club

Banned
Joined
Nov 8, 2018
Messages
13,438
Reaction score
2,156
To be honest, it's CLEARLY a system issue aka OCBC fault and to an extent telcos too

lemme explain:
1) Why are all victims OCBC clients only?
2) it is possible and common to have a few idiot.s BUT uncommon to have 500 idio.ts with substantial bank savings (that means these folks are gainfully/meaningfully employed aka they are not your market Ah Soh type..)
Ask head of digital and technology @OCBC Bank.

1+1 you get the pigture.

https://www.linkedin.com/in/shankar-narayanan-722981
https://www.linkedin.com/in/aditya-gupta-6936146
https://www.linkedin.com/in/praveenraina
 

brojay

Senior Member
Joined
Mar 14, 2017
Messages
802
Reaction score
52
Ownself stupid and get scam but blame others. Really deserved it.

when 639 accounts were compromised. not one or two, it's definitely the bank's poor security system. it is possible to have anti phishing system these days and ocbc is outdated. yet, they push all the blame to the victims.

don't think you are so smart, it just take one moment when you are caught off guard and the next scam victim could be you!

People at EDMW should rally for better anti phishing for all the banks in sg... not blame the victims.



Read HWZ Forum Rules!
 

ocs_woodlands

Supremacy Member
Joined
Feb 2, 2011
Messages
9,549
Reaction score
930
I have gotten the full picture in the last 2 hours.

can't blame OCBC only since sms is an approved 2 FA channel.

its regulatory failure ie MAS. an sms system that allows impersonation through senderID cannot qualify as a secure 2FA channel.

ocbc fault is in putting their infamous 18003633333 as the only way to contact them in the event that an add payee transaction is a fraud.
 

diediex

Senior Member
Joined
Jun 11, 2010
Messages
785
Reaction score
202
My burning question is whether the scam activity still going on? or did OCBC patched something to prevent further incident. If they did patch something, doesn't it means their security system is not robust in the first place? Or is everyone (OCBC, MAS) sitting on their hand and watching more people get scam everyday?

If i were the scammer for sure i will not stop my operation.
 

iMac

Supremacy Member
Joined
Jan 1, 2000
Messages
6,215
Reaction score
1,006
I think until the authority fixed the problem, our money in the bank is not safe.:cry:

Going to take out all my money from the bank asap.
 

iMac

Supremacy Member
Joined
Jan 1, 2000
Messages
6,215
Reaction score
1,006
My burning question is whether the scam activity still going on? or did OCBC patched something to prevent further incident. If they did patch something, doesn't it means their security system is not robust in the first place? Or is everyone (OCBC, MAS) sitting on their hand and watching more people get scam everyday?

If i were the scammer for sure i will not stop my operation.
Most of the bank out-sourced their work to overseas call centre.

I am not surprise the data leak from there.
 

brojay

Senior Member
Joined
Mar 14, 2017
Messages
802
Reaction score
52
I have gotten the full picture in the last 2 hours.
can't blame OCBC since sms is an approved 2 FA channel.
its regulatory failure ie MAS. an sms system that allows impersonation through senderID cannot qualify as a secure 2FA channel

i disagree. it's ocbc failure at so many levels

1. even if login otp is being compromised, how can ocbc allow amounts such as 250k, 120k, 68K to be fully emptied within mins? No additional security?

2. even if max transfer cap can be increased, why no 24hrs or 36hrs delay?

3. how can funds be transferred without the customer's OTP approval? If the thieves can change the mobile number for OTP, why didn't ocbc design a system that required additional approval or delay the mobile number change?

4. no detection of new login devices to warn or notify the customers. I get a notifications when i use a different device or try to login to gmail from overseas. Even gmail has better security than ocbc.

bottom line is dont blame mas or anyone one else for your own failure. 639 accounts compromised means ocbc screwed up big time and someone need to take responsibility.

dont give me the crap that customers shouldnt be compensated because it will encourage customers to play victim in future. banks do not need to compensate one or two blur kings and queens but when 639 accounts are compromised means it's ocbc fault and ocbc MUST compensate.

I will encourage all ocbc account holders to take their money out if the bank refuse to own up to their own failure.



Read HWZ Forum Rules!
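
The controls listed in the post above (a delay before a raised transfer limit takes effect, a hold after the OTP phone number changes, extra authentication for a new device or a newly added payee), sketched as a server-side policy check. This is an added example, not part of the thread and not OCBC's code; the class names, the 24-hour window, the decision labels and the sample account are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=24)  # assumed window, from the "24hrs" suggestion

@dataclass
class Account:  # hypothetical model, not any bank's schema
    transfer_limit: int            # limit currently configured
    previous_limit: int            # limit before the last change
    limit_changed_at: datetime
    otp_number_changed_at: datetime
    known_devices: set = field(default_factory=set)

@dataclass
class Transfer:
    amount: int
    device_id: str
    payee_added_at: datetime

def effective_limit(acct, now):
    """A raised limit applies only after the cooling-off; a lowered one at once."""
    if now - acct.limit_changed_at < COOLING_OFF:
        return min(acct.transfer_limit, acct.previous_limit)
    return acct.transfer_limit

def evaluate(acct, xfer, now):
    """Return (decision, reasons); decision is ALLOW, STEP_UP or HOLD."""
    reasons = []
    if now - acct.otp_number_changed_at < COOLING_OFF:
        reasons.append("otp-number-recently-changed")
    if xfer.amount > effective_limit(acct, now):
        reasons.append("over-effective-limit")
    if reasons:
        return "HOLD", reasons           # nothing leaves the account yet
    if xfer.device_id not in acct.known_devices:
        reasons.append("new-device")     # also the point to notify the customer
    if now - xfer.payee_added_at < COOLING_OFF:
        reasons.append("new-payee")
    return ("STEP_UP" if reasons else "ALLOW"), reasons

def demo():
    """Constructed scenario: limit raised from 5,000 to 250,000 ten minutes ago."""
    now = datetime(2022, 1, 1, 12, 0)    # constructed timestamp
    acct = Account(250_000, 5_000, now - timedelta(minutes=10),
                   now - timedelta(days=365), {"phone-A"})
    recent, old = now - timedelta(minutes=5), now - timedelta(days=30)
    return [evaluate(acct, Transfer(120_000, "laptop-X", recent), now),
            evaluate(acct, Transfer(3_000, "laptop-X", recent), now),
            evaluate(acct, Transfer(3_000, "phone-A", old), now)]
```

STEP_UP here means asking for a fresh OTP tied to that specific transfer; HOLD means the transfer waits for the cooling-off period or a manual check.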
 

netbookcraze

Banned
Joined
Apr 26, 2009
Messages
24,866
Reaction score
598
I still cannot figure out how SMS can be intercepted.

It's only bank claimed, and jumped into conclusion.

MAS seriously need to set up a public inquiry to investigate.
 

brojay

Senior Member
Joined
Mar 14, 2017
Messages
802
Reaction score
52

absolutely agree! not a few blur sotongs but 639 accounts were compromised! OCBC must take responsibility!




 

netbookcraze

Banned
Joined
Apr 26, 2009
Messages
24,866
Reaction score
598
I am looking from the technical angle.

First, hacker only has user name and password. Hacker cannot change the registered mobile phone number with first level login.

Then SMS send from OCBC server to the mobile phone number.

It never reached victim but was intercepted by hacker.


How that possible happened. Meaning hackers can intercept any SMS?

If what was claimed is true, Then pls.. MOH dun send us SMS anymore. It is unsafed!

Opposition MP really need to question MAS in parliament if pap continue to keep quiet.
 

brojay

Senior Member
Joined
Mar 14, 2017
Messages
802
Reaction score
52
I am looking from the technical angle.
First, hacker only has user name and password. Hacker cannot change the registered mobile phone number with first level login.
Then SMS send from OCBC server to the mobile phone number.
It never reached victim but was intercepted by hacker.
How that possible happened. Meaning hackers can intercept any SMS?
If what was claimed is true, Then pls.. MOH dun send us SMS anymore. It is unsafed!
Opposition MP really need to question MAS in parliament if pap continue to keep quiet.

not sophisticated lah. scammers used the login details they collected to login on the real ocbc website ... and ocbc users will get their OTP and will enter it into the fake website... this gives scammers access to the OTP to login.

but what ocbc bank screwed up is...

1. allowing max transfer limits to be increased without OTP

2. allowing funds to be transferred without OTP

that's why ocbc is targeted and not the other banks



 

J050615

Senior Member
Joined
May 6, 2015
Messages
1,679
Reaction score
921
How can the bank transfer huge sum immediate to untraceble accounts??? I find this preposterous
 

ahsiahkiahz

Banned
Joined
May 5, 2007
Messages
4,309
Reaction score
976
To be honest, it's CLEARLY a system issue aka OCBC fault and to an extent telcos too

lemme explain:
1) Why are all victims OCBC clients only?
2) it is possible and common to have a few idiot.s BUT uncommon to have 500 idio.ts with substantial bank savings (that means these folks are gainfully/meaningfully employed aka they are not your market Ah Soh type..)
kohleng ish bank hacker collab wif telco??????????
 