A father with a special needs child lost the S$250,000 that he had saved for more than 10 years after he got tricked by an elaborate phishing scam seemingly aimed at OCBC bank users last month.
A woman had her S$68,000 life savings stolen, leaving her penniless and starving at Christmas, after she had supplied login credentials on a fake website linked from a spoof SMS message. All in, more than 469 people in Singapore lost S$8.5 million.
These victims’ stories are heartbreaking, and they are made more painful by the many questions that OCBC has failed to answer.
In saying its own systems were not breached, its message seems to be that customers should take full responsibility by taking more care of their login credentials.
That may sound correct, because it fits the common logic that if you’re not careful and get scammed, then it’s on you, not the bank. However, that may be right only if a bank has indeed done enough to protect you against such scams.
While the job of “doing enough” is not spelt out clearly in law – a review with the authorities is underway – there are clearly good practices that should have been in place.
First, consider the SMS one-time password (OTP) that many still rely on as a two-factor authentication (2FA) tool.
To have stolen the money, the hackers would have had to do more than steal the login and password through the fake website that they set up to trick users into typing in their credentials.
They also have to, within a short period of time…