3 banks plan to retire one-time passwords for customers with digital tokens

The move to phase out OTP authentication is part of efforts by Singapore's financial institutions to safeguard against phishing.
Written by Eileen Yu, Senior Contributing Editor

DBS, OCBC, and UOB in Singapore are slated to retire the use of one-time passwords (OTPs) for customers who have digital tokens, in a move that aims to combat phishing scams.

To be phased out within the next three months, OTPs will remain available to customers of the three banks who still rely on physical tokens. These users, however, are "strongly encouraged" to activate their digital tokens to better safeguard their credentials against phishing attacks, according to a joint statement released Tuesday by industry regulator Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS).

With the OTP phase-out, customers will have to use the digital tokens on their mobile devices for authentication when they log into their bank account or mobile banking app.

Singapore adopted OTPs in the 2000s as an MFA (multi-factor authentication) option, but social engineering tactics have since grown more sophisticated. These have enabled scammers to more easily gain access to customers' OTPs via phishing attacks -- for example, through fraudulent bank websites created to resemble genuine ones. 

Retiring the use of OTPs will enhance the user authentication process and make it more difficult for scammers to access customer bank accounts and funds without customers' explicit authorization through their mobile devices.

Phishing attacks were among the top five scam categories in Singapore last year, accounting for SG$14.2 million ($10.52 million) in losses, according to the Singapore Police Force's (SPF) annual scams and cybercrime report for 2023.

Local banks have been working with MAS and law enforcement to implement measures that address this threat landscape, the industry regulator said.

"While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers," ABS director Ong-Ang Ai Boon said. 

MAS last October laid out a framework detailing parties that should be held responsible for phishing scams, with banks and telcos taking on accountability first and foremost. 

Scams and cybercrime cases in Singapore climbed 49.6% in 2023, with the number of cases hitting 50,376, up from 33,669 cases in 2022. Scams accounted for 92.4% of overall cases, SPF's numbers revealed.

The police force works with various institutions, including fintech companies and cryptocurrency platforms, via its Anti-Scam Command office to freeze accounts and recover funds to reduce losses. More than 19,600 bank accounts were frozen in 2023 based on investigations by the Anti-Scam Command Centre, recovering more than SG$100 million. 

The center also works with local telcos and e-commerce platforms on anti-scam measures, terminating more than 9,200 mobile lines and 29,200 WhatsApp lines in 2023 that were suspected of being used in scams. 
