Malaysia is migrating from the usage of SMS OTP. Is biometrics the answer?
- Bank Negara Malaysia has instructed financial institutions to stop using SMS OTP as a form of authentication for online activities or transactions.
- The central bank urges financial institutions to adopt more secure authentication methods to curb financial scams.
Bank scams are not a new phenomenon — the world has been grappling with them for years, but the pandemic has definitely led to an explosion in such crimes. In Malaysia, one-time password (OTP) theft in particular has been on the rise, and to fight it, the country’s central bank, Bank Negara Malaysia (BNM), is urging financial institutions to ditch SMS OTP altogether in favour of a more secure authentication method.
To put into context how severe SMS OTP scams are, cybersecurity experts have warned that scammers have new tools in their arsenal that can get around bank security systems. In particular, cybersecurity service provider LGMS Berhad chairman Fong Choong Fook told local media theSun that “New versions of software are now able to read one-time passwords and they can even delete the SMS sent by banks, leading (victims) to believe they were not given any notification before fund transfers.”
To curb the ongoing issues that have impacted many, BNM, in a series of tweets, announced measures for financial institutions to take “to further strengthen safeguards against financial scams”, including moving away from SMS OTP, a two-factor authentication method that was once deemed safe. SMS OTP is often used for account opening, fund transfers, and payments—as well as changes to personal information and account settings.
The upside is that major local banks like Maybank and CIMB have already started migrating to more secure forms of authentication, but users are still able to use the SMS OTP method in certain circumstances. In Malaysia, SMS OTP/TAC scams fleeced Malaysians of almost RM15 million in 2018 alone.
“We have been and will continue to step up efforts to combat financial scams, and in doing so collaborate with other stakeholders. These include rolling out preventive measures, pursuing more effective and coordinated enforcement actions, and raising public awareness,” central bank governor Nor Shamsiah Mohd Yunus said separately during the launch of the Financial Crime Exhibition.
BNM also instructed financial institutions to “further tighten fraud detection rules and triggers for blocking suspected scam transactions”. This means customers should be immediately alerted when suspicious activity involving their banking accounts is detected and, as an additional measure, financial institutions will need to block such transactions and ask customers to confirm that they are genuine before they are unblocked.
Another measure includes restricting customers to only one mobile or device for the authentication of online banking transactions. There will also be a cooling-off period for first-time enrolments of online banking services or devices. During this time, no online banking activity is allowed to be conducted.
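To make the measures above concrete, here is an added illustration (not BNM's or any bank's code) of how a bank-side authorization check could encode them: one bound device per customer, a cooling-off window after enrolment during which no online activity is allowed, and a block-and-confirm step for transactions that trip a fraud trigger. The cooling-off length, the RM threshold, the "new payee" trigger and the sample scenario are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Constructed policy parameters (BNM's measures do not specify these values).
COOLING_OFF = timedelta(hours=12)
HIGH_VALUE_RM = 10_000


@dataclass
class Customer:
    enrolled_device: Optional[str] = None      # only one device may authenticate
    enrolled_at: Optional[datetime] = None
    confirmed_txns: Set[str] = field(default_factory=set)


def enroll_device(c: Customer, device_id: str, now: datetime) -> None:
    """Bind a single device; enrolling a new device restarts the cooling-off period."""
    c.enrolled_device, c.enrolled_at = device_id, now


def authorize(c: Customer, txn_id: str, device_id: str, amount_rm: float,
              new_payee: bool, now: datetime) -> str:
    """Decide a transaction: 'ALLOW', 'DENY' or 'BLOCKED_PENDING_CONFIRMATION'."""
    if c.enrolled_device is None or device_id != c.enrolled_device:
        return "DENY"                       # not the single enrolled device
    if now - c.enrolled_at < COOLING_OFF:
        return "DENY"                       # no activity during cooling-off
    suspicious = amount_rm >= HIGH_VALUE_RM or new_payee   # fraud triggers
    if suspicious and txn_id not in c.confirmed_txns:
        return "BLOCKED_PENDING_CONFIRMATION"  # alert customer, await confirmation
    return "ALLOW"


def customer_confirms(c: Customer, txn_id: str) -> None:
    """Customer confirms a blocked transaction is genuine so it can be retried."""
    c.confirmed_txns.add(txn_id)


def run_scenario() -> list:
    """Constructed walkthrough: enrolment, cooling-off, wrong device, block, confirm."""
    c, t0 = Customer(), datetime(2022, 6, 1, 9, 0)
    out = [authorize(c, "t1", "devA", 100, False, t0)]            # not enrolled
    enroll_device(c, "devA", t0)
    out.append(authorize(c, "t1", "devA", 100, False, t0 + timedelta(hours=1)))
    later = t0 + timedelta(hours=13)                               # cooling-off over
    out.append(authorize(c, "t1", "devA", 100, False, later))
    out.append(authorize(c, "t1", "devB", 100, False, later))      # second device
    out.append(authorize(c, "t2", "devA", 20_000, False, later))   # high value
    customer_confirms(c, "t2")
    out.append(authorize(c, "t2", "devA", 20_000, False, later))
    out.append(authorize(c, "t3", "devA", 50, True, later))        # new payee
    return out
```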
As is the case in many countries, Malaysia too saw a drastic increase in online scams over the last two years during the pandemic. According to the Royal Malaysia Police’s (PDRM) commercial crimes investigation department (CCID), a total of 71,833 scams, amounting to more than RM5.2 billion in losses, were reported between 2020 and May 2022.
Earlier this year, the Monetary Authority of Singapore (MAS) also requested banks to move away from SMS OTPs and shift towards the use of mobile banking apps to authenticate customers, authorize transactions and send alerts to customers as part of a multi-pronged effort to thwart scams. The move will make it harder for scammers to abuse the apps if the technology is implemented well.
Singapore is implementing these changes following the OCBC Bank phishing scams. MAS and the banks may also introduce additional customer confirmation requirements, and not just notifications, for significant changes to customers’ accounts or high-risk transactions.