Bank Negara Malaysia (BNM) has instructed financial institutions to stop using SMS One Time Passwords (OTP) as a form of authentication for online activities or transactions. Instead, they have announced measures for financial institutions to take “to further strengthen safeguards against financial scams”.
“Scams and cybercrimes have been on the rise of late, not just in Malaysia but all around the world. This is a concerning development which Bank Negara Malaysia (BNM) takes seriously. This is especially so where these cases concern financial scams. We have been and will continue to step up efforts to combat financial scams, and in doing so collaborate with other stakeholders. These include rolling out preventive measures, pursuing more effective and coordinated enforcement actions, and raising public awareness,” said Tan Sri Nor Shamsiah Mohd Yunus at the Launching of Financial Crime Exhibition.
No more SMS OTPs
BNM instructed financial institutions to migrate from SMS OTPs to more secure forms of authentication for online activities or transactions. This includes account opening, fund transfers, and payments—as well as changes to personal information and account settings. Major banks like Maybank and CIMB have already started this process of migrating to more secure forms of authentication, but you’re still able to currently use the SMS OTP method in certain circumstances.
Phasing this method out completely could mean that scammers would no longer be able to use the SMS OTP method of scamming—something that has become incredibly common recently. Users have reported receiving an SMS OTP from Maxis, followed right away by a call through WhatsApp. It’s likely that whoever was on the other end of the line was trying to get the sensitive TAC number from them.
Customers to be immediately alerted when activities involving their banking accounts are detected
The second instruction by BNM is that financial institutions will “further tighten fraud detection rules and triggers for blocking suspected scam transactions”. Customers should be immediately alerted when an activity involving their banking accounts is detected—something that should have been the norm anyway. As an additional measure, financial institutions will need to block suspected transactions, and customers will be asked to confirm that the transactions are genuine before they are unblocked.
Cooling-off period for new devices
Customers will be restricted to only one mobile phone or device for the authentication of online banking transactions. There will also be a cooling-off period for first-time enrolments of online banking services or devices. During this time, no online banking activity is allowed to be conducted. However, we don’t know how long this cooling-off period will be yet.
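To make the single-device and cooling-off rules concrete, here is a small added illustration (not code from BNM or any bank) of how an authorisation check could enforce them: one bound device per customer, a freshly enrolled or replaced device starts a cooling-off window, and transactions from that device are refused until the window has passed. The 12-hour duration, the customer and device identifiers and the timestamps are all constructed assumptions, since the actual cooling-off length has not been announced.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed duration for illustration only; the real period is not yet known.
COOLING_OFF = timedelta(hours=12)


@dataclass
class Binding:
    device_id: str
    enrolled_at: datetime


class DevicePolicy:
    """Enforces one authentication device per customer plus a cooling-off window."""

    def __init__(self, cooling_off: timedelta = COOLING_OFF) -> None:
        self.cooling_off = cooling_off
        self.bindings: dict[str, Binding] = {}

    def enrol_device(self, customer_id: str, device_id: str, now: datetime) -> str:
        current = self.bindings.get(customer_id)
        if current is not None and current.device_id == device_id:
            return "already-enrolled"
        # Replacing the device (or enrolling for the first time) restarts the window.
        self.bindings[customer_id] = Binding(device_id, now)
        return "enrolled"

    def authorise(self, customer_id: str, device_id: str, now: datetime) -> str:
        binding = self.bindings.get(customer_id)
        if binding is None or binding.device_id != device_id:
            return "deny:unknown-device"
        if now - binding.enrolled_at < self.cooling_off:
            return "deny:cooling-off"
        return "allow"


def demo() -> list[str]:
    # Constructed scenario: enrol, retry too early, succeed later, then swap devices.
    policy = DevicePolicy()
    t0 = datetime(2022, 9, 26, 9, 0)
    decisions = [policy.enrol_device("cust-001", "phone-A", t0)]
    decisions.append(policy.authorise("cust-001", "phone-A", t0 + timedelta(hours=1)))
    decisions.append(policy.authorise("cust-001", "phone-A", t0 + timedelta(hours=13)))
    decisions.append(policy.authorise("cust-001", "phone-B", t0 + timedelta(hours=13)))
    decisions.append(policy.enrol_device("cust-001", "phone-B", t0 + timedelta(hours=14)))
    # The old device is no longer bound, and the new one is still cooling off.
    decisions.append(policy.authorise("cust-001", "phone-A", t0 + timedelta(hours=15)))
    decisions.append(policy.authorise("cust-001", "phone-B", t0 + timedelta(hours=15)))
    return decisions
```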
To set up hotlines for financial scam incident reports
Financial institutions will also be required to set up dedicated hotlines for customers to report financial scam incidents. BNM also added that financial institutions should take more responsibility—and to “be more responsive to scam reports lodged by customers”. They have also been directed to facilitate efforts to recover and protect stolen funds—including working with relevant agencies to prevent further losses. It’s a little disconcerting that financial institutions don’t already do this, if this needed to be mentioned.
Additionally, financial institutions are required to provide convenient ways for customers to suspend their bank accounts if they suspect that their accounts have been compromised as a result of a scam. Customers should also be able to subsequently reactivate their accounts after a while to ensure that their accounts are secure.
“BNM will also continue to monitor and take appropriate action on financial institutions to ensure that the highest levels of controls and security standards are observed. We will also continue to take effective preventive measures against ever-evolving financial scams,” continued Tan Sri Nor Shamsiah Mohd Yunus.
While it is a good step, getting rid of the SMS OTP method won’t stop scammers from asking victims to send their secure TAC through instant messaging or through other phishing methods. You can watch our Let’s Talk About episode regarding this subject above.