All organisations should adopt anti-SMS spoofing measures, say cyber security experts
A day after banks were told to put in place more stringent measures to bolster the security of digital banking within the next two weeks, cyber-security experts said all organisations should adopt anti-SMS spoofing measures.
An example would be signing up for the SMS sender ID registry, which was launched as a pilot by the Infocomm Media Development Authority (IMDA) last August.
"It should be the immediate priority, as scams originating via spoofed SMS and calls are becoming one of the top security concerns among the residents in Singapore," said Mr C.K. Chim, cyber-security firm Cybereason's field chief security officer for the Asia-Pacific region.
"Organisations must ensure the safety and security of their customers' data, or risk losing credibility among consumers."
The registry enables organisations to register the SMS sender IDs they wish to protect. Any unauthorised party that tries to send SMS messages using the registered IDs will be flagged and blocked on mobile operators' networks.
Adoption of the registry is one of the anti-SMS-spoofing solutions on which banks will continue to work closely with the Monetary Authority of Singapore (MAS), IMDA and the police, following a recent spate of SMS phishing scams targeting OCBC Bank customers.
On Wednesday (Jan 19), MAS and the Association of Banks in Singapore (ABS) also introduced additional measures, including removing clickable links in SMSes or e-mails sent to retail customers, a delay of at least 12 hours before the activation of a new soft token on a mobile device, and notification to an existing registered mobile number or registered e-mail whenever there is a request to change a customer's contact details.
Some experts said some of the measures introduced by MAS and ABS can be implemented consistently across all sectors.
Mr Leow Kim Hock, Asia chief executive of cyber-security services provider Wizlynx Group, believes that Government agencies should remove clickable links in SMSes sent to members of the public.
This is because the transactions handled by these organisations usually involve personal data or funds of members of the public, which could be compromised by scam links.
But aside from this measure, each agency should determine independently which other safeguards to adopt, as not all of them may be relevant, he added.
Private organisations should do the same, he said.
Some experts said that the measures introduced by MAS and ABS should help reduce the effectiveness of certain scams, such as those involving the change of contact details.
But others felt that some of the measures may compromise the efficiency of an organisation's services or may not address all types of scams.
Mr Ilia Rozhov, the head of digital risk protection at cyber-security firm Group-IB in the Asia Pacific, also noted: "There are so many different scams out there that are evolving constantly. The fraudsters tend to adapt their techniques to the new detection mechanisms quickly."
He said that a lot of fraudulent schemes do not require users to click on shortened URLs sent via SMS and do not try to issue a new soft token.
"Humans have always been and will always be the weakest link in digital security," he said.
"The bottom line is that companies need to focus on fraud and scam hunting mechanisms, instead of over-relying on human awareness."