Maybank to stop using SMS OTPs by June 2023 to prevent scams, switching to Secure2U instead

Following Bank Negara Malaysia’s (BNM) instruction for banks to stop using SMS one-time passwords (OTP) for authentication, Maybank has confirmed it will heed the directive by fully migrating to its Secure2U system by June 2023. The move, aimed at combating rising scam activity, will affect all online activities and transactions related to account opening, fund transfers and payments, as well as changes to personal information and account settings.

Secure2U was introduced in 2017, adding transaction authorisations and six-digit transaction activation code (TAC) generation through the Maybank2U (M2U MY) and MAE apps. Only one device can be registered per customer in an attempt to stop online banking details from being leaked. Customers are alerted via SMS, a push notification and an email when Secure2u is registered on a new device.

To meet BNM’s directive, Maybank is adding a 12-hour cooling-off period after enrolling to Secure2U for the first time or registering a new device, during which no banking activity can be made on said device. This feature, which will be rolled out in October, will give customers enough time to report any unauthorised activation to the bank.

The bank recently announced it has switched over all new Secure2U activations to the MAE app, meaning you will no longer be able to enrol yourself or add new devices through M2U MY. Although you can still use Secure2U on the M2U MY app if you’re already registered, the company has strongly encouraged users to move over to the newer platform.

Maybank says it has a fraud detection and monitoring system with customised rules and additional risk parameters, along with a call-back verification process to alert customers of suspicious transactions. The bank has also released some tips for customers to avoid being scammed:

• Avoid downloading and installing apps or Android Package Kit (APK) files or clicking on suspicious links sent via text messages
• Do not give permission for any app to send or view your SMSs
• Do not ignore any warnings from your devices, especially when downloading or installing a new file
• Do not enter your banking details, especially username or password, into any suspicious apps or websites
• Always keep your antivirus software updated for constant protection
• Only download apps from the genuine app stores (i.e. Apple App Store, Google Play Store or Huawei App Gallery) and not from a link
• Be alert if you are being prompted to download a file that is not compatible with your device (i.e. iPhone/iPad device being asked to use an Android device to download a file)
• Always look out for your online banking security image and phrase (i.e. Maybank2u security image and phrase), to ensure the website and app are legitimate
• Do not root or jailbreak your device
• Update your smartphone OS and apps regularly

Customers are urged to immediately call Maybank’s dedicated fraud hotline at 03-58914744 if they suspect their banking details have been compromised or that a suspicious transaction has taken place; they can also quickly suspend their bank account through this number. Alternatively, they can contact the bank’s usual customer care hotline at 1-300-88-6688.

Abolishing SMS OTPs in favour of more secure authentication methods was one of the steps outlined by Lembah Pantai MP Fahmi Fadzil last week to help prevent scams. This will help eradicate a popular method of scamming, whereby customers will get an official SMS with the TAC number followed by a call from a scam artist asking for said TAC. Of course, this move won’t stop scammers from trying to get an app-generated TAC from you, but it’s a good first step nevertheless.