More stories

  • Ukraine crisis: Russian cyberattacks could affect organisations around the world, so take action now

    The ongoing situation in Ukraine means organisations around the world should be prepared to defend their networks against cyberattacks originating from Russia – although the potential impact of aggressive cyber activity shouldn’t be overestimated. “Concerns are reasonable and valid; Russia has a well-established history of aggressively using their considerable cyber capabilities in Ukraine and abroad,” said Sandra Joyce, executive vice president of global intelligence at cybersecurity company Mandiant, which regularly tracks hostile Russian cyber activity.

    Russia is suspected of being behind offensive cyber campaigns against other countries, including cyberattacks against Georgia, as well as attacks that took down Ukrainian power grids in December 2015. International consensus has also accused the Russian military of being behind the widespread and disruptive NotPetya malware attack of June 2017. NotPetya was designed to target organisations in the Ukrainian financial, energy and government sectors, but, powered by EternalBlue – a leaked NSA hacking tool – the self-replicating virus quickly spread to organisations around the world. It wiped networks and caused what was estimated as billions of dollars in damages as victims across Europe, Asia and the Americas were impacted by a cyberattack that wasn’t directly aimed at them. Mandiant warned that this type of incident could potentially happen again.

    “We are concerned that, as the situation escalates, serious cyber events will not merely affect Ukraine,” said Joyce. “But while we are warning our customers to prepare themselves and their operations, we are confident that we can weather these cyberattacks. We should prepare, but not panic because our perceptions are also the target,” she added.

    Organisations that fell victim to NotPetya did so because they hadn’t yet applied critical security updates, which were released months before and were designed to protect networks against EternalBlue. Meanwhile, cyber criminals and nation state-backed hackers continue to take advantage of security issues like the vulnerabilities in Microsoft Exchange, which received critical security updates last year but, in many cases, still haven’t been applied by businesses or consumers. Applying security patches in a timely manner can go a long way to protecting networks and infrastructure against intrusions.

    “We are imploring our customers and community to prepare for disruptive and destructive attacks, similar to those that have recently transpired in Ukraine,” said Joyce. “Many of the same steps defenders might take to harden their networks against ransomware crime will serve to prepare them from a determined state actor – if they take them now”.

    Mandiant also warned that part of the strategy behind offensive cyber activity is designed to create worry and uncertainty. By ensuring that networks are as well-defended against attacks as possible, the damage done by attacks can be minimised, avoiding the panic that adversaries hope to generate.

    “Cyberattacks can be costly for individual organisations and may even seem frightening to some, but their real target is our perceptions. The purpose of these cyberattacks is not simply to wipe hard drives or turn out the lights, but to frighten those who cannot help but notice,” said Joyce. “The audience of these attacks is broad, but it is also empowered to determine how effective they are. While these incidents can be quite serious for many, we must remain mindful of their limitations. We only do the adversary a service by overestimating their reach.”

    Mandiant’s warning follows a similar warning from the UK’s National Cyber Security Centre in January, which urged organisations to take action to bolster their cyber resilience as a result of the ongoing tensions around Russia and Ukraine. In recent weeks, Ukraine has faced DDoS attacks affecting government services as well as banks, while government websites have been defaced. Nobody has yet explicitly claimed responsibility for the attacks.

  • How the initial access broker market leads to ransomware attacks

    To perform a ransomware attack successfully, cybercriminals must first obtain access to their victim’s PC or network. Gone are the days when ransomware was confined to malware that targeted individuals with fake threats from organizations like the FBI or IRS, demanding payment through a PC pop-up following encryption.

    Now, while individuals may still encounter ransomware — especially when antivirus programs are not in use — companies are the big game that criminals hunt. Time is money in the corporate world, and ransomware has exploded in recent years to become an almost separate cybercriminal business of its own. As a result, ‘sub’ services have emerged that assist ransomware developers in the deployment of their illicit creations — ranging from language services to handle ransom payment negotiation to Initial Access Brokers (IABs) who offer the covert access to a network required in the first stage of a ransomware attack. As noted in new research conducted by KELA, the ransomware-as-a-service (RaaS) economy relies on IABs to reduce the need for extended reconnaissance or the time to find a method for entry. On average, IABs sell initial access for $4600, and sales take between one and three days to finalize. In the cases identified by the cybersecurity firm, once access has been purchased, it takes up to a month for a ransomware attack to take place — and potentially for the victim to be subsequently named and shamed on a leak site.

    At the very least, five known Russian-speaking ransomware operators are using IABs: LockBit, Avaddon, DarkSide, Conti, and BlackByte.

    KELA conducted an examination of past security incidents involving these ransomware groups. First up is LockBit, in an attack against Bangkok Airways that followed an offer of AnyConnect VPN access to the airline by a threat actor called “babam.” While it isn’t clear exactly who purchased the Bangkok Airways access, on August 23, 2021 — not yet a month after access was offered in underground forums — the airline became infected by ransomware. Two days later, Bangkok Airways appeared on the LockBit leak site. “Bangkok Airways did not disclose any investigation details, but based on the timeline, it is highly possible that the attack was performed using the bought access,” the researchers noted.

    In an attack conducted by Avaddon, access to a UAE steel product supplier was found to be up for sale on a forum in a post dated March 8, 2021. Three weeks later, the company appeared on the Avaddon domain. (This group has reportedly closed down and a tool has been made available to generate decryption keys.)

    DarkSide is infamous for an attack on Colonial Pipeline that caused fuel panic-buying in the United States. However, in a separate incident taking place on January 16, 2021, the same “babam” IAB tried to sell access to mining technology firm Gyrodata. Two days later, access was declared as sold, and between January 16 and February 22, an unauthorized actor was lurking on the firm’s networks. On February 20, DarkSide published the company’s name as a victim.

    In another case, access to a US manufacturer was sold on October 8, 2021, for $800. Within two weeks, Conti exposed the firm on its leak site and some stolen data was also published online.

    Ransomware attacks against high-profile targets won’t be going away anytime soon. Just before the Super Bowl kicked off, the San Francisco 49ers became the latest victim of BlackByte, who also named the organization on a leak website.

  • AWS's AI code reviewer now spots Log4Shell-like bugs in Java and Python code

    Amazon Web Services (AWS) has updated the ‘detectors’ in its CodeGuru Reviewer tool to seek out log injection flaws like the recently disclosed Log4Shell bug in the popular Java logging library Log4j. The critical Log4j bugs, collectively dubbed Log4Shell after their disclosure in December, jolted the tech industry and end-user organizations into mass remediation efforts that may have averted major attacks to date, but are expected to lurk in systems for years.

    At the time, AWS released several tools to help customers protect resources, such as new web application firewall rules, and updates to its Inspector tool to detect the vulnerability in EC2 VM instances. AWS has now announced two new features for CodeGuru Reviewer, AWS’s scanner that uses machine learning to check code during reviews for bugs and to suggest improvements for security issues. The tool aims to improve code reviews within developers’ continuous integration and development (CI/CD) processes. After developers commit code to, say, GitHub or Bitbucket, they can add CodeGuru Reviewer as a code reviewer. The new features help flesh out the service’s security checks. Last year, it added the CodeGuru Reviewer Secrets Detector, which detects risky hardcoded secrets in source code and configuration files for Java and Python applications, like passwords and API access keys. The brand-new features for CodeGuru Reviewer are a new Detector Library for several common security flaws affecting Java and Python web applications, as well as several new security detectors specifically aimed at Log4Shell-like log injection flaws.

    The Detector Library contains a list of several detectors for various flaws common to Java and Python programming, such as unauthenticated LDAP requests in Java code. It offers details about each security issue, its severity and impact on an application, and one case of non-compliant and compliant code for each issue. The library currently contains 91 Java detectors and 69 Python detectors. AWS notes that CodeGuru “uses machine learning and automated reasoning” to identify possible issues, so each detector can find a range of defects on top of the example on the detector’s description page.

    In response to Log4Shell, AWS introduced a more general detector for similar flaws that checks whether developers are logging data that “is not sanitized and possibly executable”. If it finds an example of such code, it warns that “user-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log’s integrity, forge log entries, or bypass log monitors.” It then provides examples of non-compliant and compliant code. “These detectors work with Java and Python code and, for Java, are not limited to the Log4j library,” AWS notes. “They don’t work by looking at the version of the libraries you use, but check what you are actually logging. In this way, they can protect you if similar bugs happen in the future.”

    The service comes at a cost, but might help alleviate issues for organizations facing developer or security skills shortages. The new features are available where CodeGuru Reviewer is available, which includes select US, Europe and Asia Pacific AWS regions. Pricing for CodeGuru Reviewer starts at $10 a month for the first 100,000 lines of code in onboarded repositories, and charges $30 a month for each additional 100,000 lines of code.
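    The detector described above flags values that reach a log unsanitized. The following Python example is added here and is not code from AWS, CodeGuru or the article; it puts the non-compliant pattern beside a compliant one: a login event that logs a username exactly as received, and the same event after control characters have been escaped. The logger set-up, the `sanitize_for_log` helper and the sample username carrying an embedded newline are all constructed for the demonstration.

```python
"""Log injection: a non-compliant logging call beside a compliant one.

Hypothetical example for illustration; not AWS or CodeGuru code.
"""
import io
import logging
import re

# CR, LF, tab, ESC and the other C0/DEL control characters are what let one
# untrusted value break out of its record and forge a second record.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Neutralise untrusted text before it is written to a log.

    Every control character is replaced by its hex escape (a newline becomes
    the four printable characters backslash, x, 0, a), and the result is
    truncated so that one oversized input cannot flood the log.
    """
    cleaned = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


def _make_logger(name: str):
    """Build an isolated logger that writes one record per line to a buffer."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()          # keeps repeated calls from stacking handlers
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s login user=%(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_login_vulnerable(username: str) -> str:
    """Non-compliant: the raw value is logged, so CR/LF inside it forges records."""
    logger, buf = _make_logger("demo.vulnerable")
    logger.info("%s", username)
    return buf.getvalue()


def log_login_hardened(username: str) -> str:
    """Compliant: the value is sanitized first and stays within one record."""
    logger, buf = _make_logger("demo.hardened")
    logger.info("%s", sanitize_for_log(username))
    return buf.getvalue()


# Constructed sample input: a "username" carrying an embedded newline followed
# by a fake second record claiming that an admin logged in successfully.
FORGED_INPUT = "alice\nINFO login user=admin status=success"


def record_count(log_text: str) -> int:
    """Number of records a line-oriented log monitor would see."""
    return len([line for line in log_text.splitlines() if line])


if __name__ == "__main__":
    for label, fn in (("vulnerable", log_login_vulnerable),
                      ("hardened", log_login_hardened)):
        out = fn(FORGED_INPUT)
        print(f"--- {label}: {record_count(out)} record(s) ---")
        print(out, end="")
```

    Run stand-alone, the vulnerable variant emits two records from a single login attempt, the second one written entirely by the input, while the hardened variant emits one record with the newline rendered as the text `\x0a`, so a monitor that parses the log line by line sees exactly what happened. Escaping rather than stripping the control characters keeps the evidence of the attempt in the log.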

  • Australian encryption laws used to force provider to help in homicide case

    When it comes to Australia’s encryption laws, two out of the three arms can now be publicly said to have been used, following the release of the Telecommunications (Interception and Access) Act 1979 — Annual Report 2020-21 this week. In previous years, agencies had only used voluntary Technical Assistance Requests (TARs) to get service providers to help them, but the latest report shows NSW Police in the past year also turned to the first of the compulsory notices available. That request, used in a homicide investigation, is the first use of a compulsory Technical Assistance Notice (TAN) to force a provider to use a capability it already possesses. Assistance notices issued by state-level law enforcement are reviewed by the Commissioner of the Australian Federal Police (AFP).

    This leaves the compulsory Technical Capability Notice (TCN) as the only form of notice yet to be publicly disclosed as used. The TCN forces providers to build a new capability for agencies and requires sign-off from the federal Attorney-General and Minister for Communications. The report said no TCNs were sought across the reporting period.

    Of the 25 TARs issued by agencies, NSW Police accounted for 16 and Victoria Police for five, with the AFP and the Australian Criminal Intelligence Commission each issuing a pair. The categories of offences under which TARs were issued were eight for organised offences, seven for homicide, seven for drug offences, and one each for sexual assault, cybercrime, and acts intended to cause injury. Australia’s encryption laws were passed in December 2018, with then-Labor leader Bill Shorten saying he wanted to make Australians safe over Christmas. A year later, after losing an election, Labor wanted to fix the laws it had voted for.

    Since its passing, the most public display of these powers has been Operation Ironside, which the AFP labelled its “most significant operation in policing history”. A recent review of the TOLA Act gave a tick to the laws, but it did so while asking for additional safeguards to be added.

    For the now AU$238 million metadata retention scheme, over 314,000 requests for telco data were made. Almost 270,000 pieces of retained data were less than three months old, while over 5,700 were beyond the two-year retention window. Victoria Police made the most requests, with over 110,000, followed by NSW Police on 106,000, and WA Police making just over 26,200 requests for the period. Over 312,000 of the requests related to criminal offences, and almost 3,500 related to missing persons. Following the trend of years past, drug offences continued to be the offence with the most requests, this year with 68,500, followed by fraud, homicide, unlawful entry, abduction, and sexual assault, all sitting in a band between 20,000 and 29,000 requests each. No agencies were authorised to become an enforcement agency in the 2020-21 reporting period, the report said.

    Interception warrants also continued the trend of past years, with Administrative Appeals Tribunal (AAT) members continuing to issue the vast bulk of said warrants, accounting for 2,900 of the 3,500 warrants issued. Of the AAT member number, just shy of 1,700 warrants were applied for by NSW Police, with the force only getting 72 from Federal Court judges. Similarly, the AFP had 590 warrants approved by AAT members from its 653 total. Overall, 3,481 interception warrants were issued to all agencies, and information gained was used in 3,327 arrests, 6,424 prosecutions, and 2,610 convictions.

  • Social media platforms have 'assured' 24/7 misinformation monitoring for Australia's upcoming federal election

    The circulation of election conspiracy theories in Australia has increased with the country set to have its federal election later this year, Australia’s electoral commissioner said on Tuesday night. Appearing before Senate estimates, AEC commissioner Tom Rogers said the uptick in election conspiracy theories mirrored what has been occurring in overseas jurisdictions. Among the conspiracies posted online has been that postal voting is not secure, Rogers said. The AEC commissioner also warned of other election conspiracies, specifically debunking misinformation that unvaccinated people will not be allowed to vote in person. “One [conspiracy that] doesn’t seem to go away is that somehow we’re mandating that voters be vaccinated, and that this will deny people the vote,” he said, confirming that people will be allowed to vote in person regardless of their vaccination status. To address the rise in conspiracy theories, Rogers said his agency has been working more closely with social media platforms to quickly remove election misinformation and disinformation. For one instance of the postal voting conspiracy content arising online, the commissioner said his agency pointed out to Twitter that the content breached the platform’s terms of service, which culminated in that information being removed within three hours. “Twitter and others get rightly criticised, but it’s a shout out to them for being very responsive to remove something that’s dangerous,” Rogers said.

    He noted, however, that addressing election misinformation is a complex issue, as the nature of some conspiracies means their removal can fuel the creation of further conspiracies. “[This] can become very circular, so you need to exercise some judgment about how we deal with those issues,” he said. Rogers added that while the AEC was able to reach out to Twitter, negotiations are still ongoing with Digital Industry Group Inc (DiGi), the industry group advocating for big tech, to create a formal protocol for working with social media platforms to remove election disinformation and misinformation.

    In the meantime, all major social media platforms have given “assurances” that they would allocate more resources for monitoring election disinformation and misinformation for the upcoming Australian federal election, said deputy electoral commissioner Jeff Pope, who appeared alongside Rogers at Senate estimates. “For this election, we’re getting assurances from all of them that they will be expanding their hours of service, including having not just expanded hours of service here in Australia but then actually having staff in other parts of the world so that they can try and get as close to 24/7 coverage — so they’re not confined by the business hours of the staff here in Australia,” Pope explained. “For instance, some of them have staff here in Australia, they have a regional office in Singapore, then they have another office in Europe. They will be effectively following the sun as we go through the election to try and get as much maximum coverage as possible.”

    For the upcoming federal election, where voting is mandatory, the commission expects to go through 4.5 million pencils — up from 100,000 in 2019 — along with 34,000 bottles of surface cleaner, and 63,000 litres of hand sanitiser as part of its pandemic safety measures.

  • VMware patches released for vulnerabilities found during China's Tianfu Cup

    VMware released patches on Tuesday for several vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Cloud Foundation after security researchers participating in China’s Tianfu Cup discovered the issues. The company published a security advisory, VMSA-2022-0004, and told ZDNet that it encourages customers to deploy its products “in a security hardened configuration” while also applying all updates, security patches, and mitigations. The advisory covers CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, and CVE-2021-22050.

    “VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company explained. It added that VMware ESXi, Workstation, and Fusion also contain a double-fetch vulnerability in the UHCI USB controller.

    “These issues were discovered as part of the Tianfu Cup, a Chinese security event that VMware participates in. These vulnerabilities were reported to the Chinese government by the researchers that discovered them, in accordance with their laws,” VMware said in another FAQ on the issues.

    VMware also said ESXi contains an unauthorized access vulnerability due to VMX having access to setting authorization tickets. It gave the issue a maximum CVSSv3 base score of 8.2, noting that a hacker with privileges within the VMX process may only be able to access the settings service running as a high-privileged user. VMware ESXi also has a TOCTOU (time-of-check time-of-use) vulnerability that exists in the way temporary files are handled. That issue also has a maximum CVSSv3 base score of 8.2 because it allows malicious actors with access to settings to escalate their privileges by writing arbitrary files.

    “ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests,” VMware added.

    In the security advisory, VMware thanked Wei and VictorV of Kunlun Lab, working with the 2021 Tianfu Cup Pwn Contest, for reporting the issues. George Noseevich and Sergey Gerasimov of SolidLab were also thanked for their help with the issues. While VMware urged users to apply all patches, it also included workarounds in its advisories, telling customers that removing the USB controllers from virtual machines may also help deal with the issue. But the advisory says that may be infeasible at scale and “does not eliminate the potential threat like patching does.”

    “The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments. Organizations that practice change management using the ITIL definitions of change types would consider this an ‘emergency change,’” VMware said. VMSA-2022-0004 is widespread in terms of versions affected and operating systems it can run on, according to nVisium director of infrastructure Shawn Smith and Vectra vice president Aaron Turner. Turner said the use of VMware technologies within most enterprises is widespread, well beyond what most security teams track as part of their vulnerability management programs.

    But Blumira CTO Matthew Warner said the vulnerabilities all require local access and, in some cases, privileged local access. In theory, CVE-2021-22041 could be executed remotely if an attacker exploited the guest, got onto the guest, and mounted a USB device to it, Warner noted. “Ideally, remote execution of CVE-2021-22050 (DoS) should be impossible because ESXi should not be exposed to the internet. As usual, patch as soon as you can and ensure that your VMWare environments are not facing the internet. Treat local VMWare virtualization like Workstation and Fusion with care by ensuring you are collecting data from endpoints utilizing this software,” he said. Turner echoed those remarks but said it could be a significant vulnerability exploited in an East-West or lateral movement campaign to gain access to virtualized workloads.

  • Ukraine Ministry of Defense confirms DDoS incident; state banks lose connectivity

    The Ukrainian Defense Ministry and several state-backed banks were hit with distributed denial-of-service (DDoS) incidents or disruptions on Tuesday. The Defense Ministry website is down, and it confirmed that it was attacked, telling the public that it will be communicating through Twitter and Facebook. “The MOU website was probably attacked by DDoS. An excessive number of requests per second were recorded. Technical works on restoration of regular functioning are being carried out,” the Defense Ministry said on Tuesday afternoon.

    ❗️ The MOU website was probably subjected to a DDoS attack: an excessive number of requests per second was recorded. Technical work to restore normal functioning is under way. Communication is via the pages on FB and Twitter, and the websites ArmyInform https://t.co/ukMW41irPW and Army FM https://t.co/IpDnBXoMXw. — Defence of Ukraine (@DefenceU) February 15, 2022

    The confirmation came as residents of Ukraine reported issues with some ATMs and banking services at State Savings Bank, PrivatBank, and Oschadbank. NetBlocks, an organization tracking internet outages around the world, confirmed the loss of service to multiple banking and online platforms in Ukraine “in a manner consistent with a denial of service attack.” “Metrics indicate impact beginning from early Tuesday, intensifying in severity over the course of the day. Work is ongoing to assess the incident, which is ongoing at the time of writing,” the organization said. Its data showed that service returned after about an hour or two of issues.

    The Ukrainian Strategic Communications Center and Information Security also confirmed the attacks on the country’s banks in a statement, telling the public that it too believed it was a DDoS attack.

    “For the last few hours, Ukraine’s largest state-owned bank, Privatbank, has been under a massive DDoS attack. Users of the bank’s internet banking service Privat24 report problems with payments and the application in general,” it said, adding that customers of Oschadbank were also reporting serious issues.

    PrivatBank told the Strategic Communications Center and Information Security that no user funds have been stolen during the incident. The National Police later announced a criminal investigation into the DDoS incidents. The attack came as Russia announced a partial troop withdrawal from areas near Ukraine’s border. Russian President Vladimir Putin also said on Tuesday that he was interested in security discussions with the United States and NATO. Russia has faced international backlash for troop buildups near Ukraine’s border but has denied it plans to attack the country. US officials — who will not share their intelligence with the press — have repeatedly said a Russian attack is imminent. The US began evacuating almost all of the staff from its embassy in Kyiv this week, and Jake Sullivan, President Joe Biden’s national security adviser, urged all Americans in Ukraine to leave as soon as possible.

    Doug Madory, director of internet analysis at Kentik, said he analyzed some of the DDoS attacks and found that the targets include Mirohost (AS28907), which hosts the websites of the Ukraine Army. “Additionally, there has been a sudden surge of traffic directed at Ukraine’s largest bank, PrivatBank (AS15742) in recent hours,” Madory said.

    Christian Sorensen, former lead of the international cyber warfare team at US CYBERCOM, said the attacks are designed to ratchet up attention and pressure. “It doesn’t sound like much impact yet. In the coming hours/days, I would anticipate more activities to isolate and disrupt Ukrainian citizens and especially government activities,” said Sorensen, who is now CEO of cybersecurity firm SightGain. “The purpose at this stage is to increase leverage in negotiations. The next stage will be impactful and continue deterrence for other countries to get involved.”

    Biden responded forcefully to reports of a wide-ranging cyberattack on Ukrainian government systems in January, telling reporters that the US would respond with its own cyberattacks if Russia continues to target Ukraine’s digital infrastructure. Biden’s comments came after Ukrainian officials told journalist Kim Zetter that dozens of systems within at least two government agencies were wiped during a cyberattack in January. Microsoft released a detailed blog about the wiping malware, named “WhisperGate,” and said it was first discovered on January 13. The wipers were launched days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services. Both the National Cyber Security Centre (NCSC) in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings about the potential for cyberattacks against both Ukraine and its allies. The Washington Post reported late on Tuesday that US officials believe hackers tied to the Russian government have already “broadly penetrated Ukrainian military, energy, and other critical computer networks.”

  • in

    Singapore to step up security measures in aftermath of phishing scams

    Singapore is stepping up security measures to bolster the local banking and communications infrastructures, which include the need for SMS service providers to check against a registry before sending through messages. Bank also are expected to develop “more versatile” artificial intelligence (AI) models to detect suspicious transactions.  The additional safeguards come in the heels of a recent spate of SMS phishing scams, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 OCBC Bank customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. They then were redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP).   Describing the incident as the country’s most serious phishing scam involving spoofed SMSes impersonating banks, Minister for Finance Lawrence Wong said various steps would be taken to better mitigate the risks of such scams. These would span the entire ecosystem, including banks, telecommunications, law enforcement, and consumer education, Wong said Tuesday during his ministerial statement in parliament. The minister also is deputy chairman of the Monetary Authority of Singapore (MAS).  The OCBC scams prompted MAS to mandate new security measures last month that, amongst others, required banks to remove hyperlinks from email or SMS messages sent to consumers and implement a 12-hour delay in activating mobile software tokens. 

    Wong noted that MAS last October were in discussions with local banks to highlight gaps that surfaced from the regulator’s “focused supervisory review”, which was conducted in the third quarter of 2021. Initiated in view of the increase in scam cases over the past two years, the review assessed fraud controls in the digital banking channels of the three local banks, including DBS Bank and UOB.  Wong said the banks were provided recommendations to remediate the gaps and they put in place timelines to deploy the various measures, some of which required extensive changes in their IT systems. With the spike in phishing scams last December, he said OCBC accelerated the implementation of some of these measures, such as extending the cooling period–during which higher risk transactions could not be carried out–after a digital token had been set up on a new mobile device.  More steps were in the works, the minister said. 

    Banks would be working to further bolster their fraud monitoring capabilities to better identify suspicious and anomalous transactions, including credit card transactions. While most banks already had some rules-based parameters, these needed to be expanded to take account of a brander range of scam scenarios, Wong explained.  “Beyond pre-defined parameters, MAS will expect banks to develop more versatile algorithms employing AI and machine learning to detect suspicious transactions,” he said. “Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity, and mobile device identification.” He stressed, though, that advanced fraud monitoring systems would not be able to detect every scam.  Singapore banks also would be beefing up their ability to more quickly block suspicious transactions and contact customers to verify their authenticity. Transactions would only be unblocked and processed when confirmed by the customer, he said. Again, while banks already had these capabilities today, he noted that these were not consistent across various types of transactions.  In addition, MAS was looking into the possibility of allowing customers to freeze their own accounts without needing to contact the banks.  Banks also would introduce additional confirmations from customers, beyond notifications, for significant changes made to their accounts or high-risk transactions, such as changes in the details of the account holder and activation of tokens on another device.  These would come with added inconvenience to customers carrying out legitimate transactions, but were necessary to boost the security of digital banking and users would have to adapt, Wong said.  Local banks also would look at widening the use of biometrics as a means of authentication, in addition to passwords and OTPs. 
Wong said biometrics would add another layer of security that could not be easily phished by scammers.

Banks would further accelerate the move towards using mobile banking apps to authenticate customers’ identities, authorise transactions, and deliver bank notifications. A review also was being carried out on the use of SMS-based OTPs and the measures needed to reduce the risks of their use.

Security measures needed across infrastructures

Further steps are in the pipeline that involve other participants in the ecosystem, specifically telecommunications service providers. Commenting on the need to beef up defences through telco networks, Minister for Communications and Information Josephine Teo said: “To combat phishing and spoofing by scammers, we should disrupt as many parts of their modus operandi as possible. Apart from enhanced safeguards in the banking system to prevent scams from easily succeeding, upstream measures are also needed to disrupt scammers’ reach to potential victims.”

For one, SMS service providers and telcos will be required to check against the national Sender ID registry and only send through messages when the sender details match the registry records, Teo said on Tuesday during her ministerial statement in parliament. This means SMS messages that spoof registered IDs will not reach their intended targets.

A pilot was launched last August to enable organisations to register with the registry the SMS Sender ID headers they wished to safeguard. Doing so would help ensure that messages sent through unauthorised use of a protected SMS Sender ID would be blocked.

According to Teo, all organisations also must have a valid UEN (unique entity number) if they want to send SMS messages through registered IDs to phone subscribers in Singapore. She added that MAS had made it mandatory for all major retail banks to register their Sender ID details with the registry. All government agencies also would do likewise.
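The registry check Teo describes is a gateway-side allow-list keyed on the alphanumeric Sender ID: the telco or SMS aggregator delivers a message under a protected ID only when the submitter matches the registry record, and drops it otherwise. The following Python function, an added example rather than the registry's own code or any telco's, models that check and also covers the look-alike IDs Teo goes on to mention, by folding case and Unicode compatibility characters (full-width letters), mapping digit homoglyphs such as 0 for O, and rejecting any unregistered ID within one edit of a protected one. The registry entries, the account names standing in for authorised submitters, and the UEN placeholders are all constructed.

```python
"""Gateway-side Sender ID check against a registry, with look-alike detection
(added example; registry contents are constructed placeholders)."""
import unicodedata
from typing import Optional, Tuple

# Digits and symbols scammers substitute for letters in a Sender ID (assumed set).
HOMOGLYPHS = str.maketrans(
    {"0": "O", "1": "I", "3": "E", "4": "A", "5": "S", "7": "T", "8": "B", "|": "I"}
)

# Constructed registry: protected Sender ID -> the registrant's UEN and the
# submitting accounts allowed to use the ID. Real UENs are not shown.
REGISTRY = {
    "OCBC": {"uen": "UEN-PLACEHOLDER-1", "accounts": {"ocbc-alerts"}},
    "DBS": {"uen": "UEN-PLACEHOLDER-2", "accounts": {"dbs-notify", "dbs-otp"}},
    "UOB": {"uen": "UEN-PLACEHOLDER-3", "accounts": {"uob-gateway"}},
}


def normalise(sender_id: str) -> str:
    """Fold to a comparable form: NFKD (maps full-width letters to ASCII),
    drop accents and punctuation, upper-case, then map homoglyph digits."""
    decomposed = unicodedata.normalize("NFKD", sender_id)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    kept = "".join(ch for ch in stripped if ch.isalnum() or ch == "|")
    return kept.upper().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; Sender IDs are at most 11 characters, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_protected(sender_id: str) -> Optional[str]:
    """Return the protected ID this sender ID imitates (exact after
    normalisation, or within one edit), or None."""
    norm = normalise(sender_id)
    for protected in REGISTRY:
        if norm == protected or edit_distance(norm, protected) <= 1:
            return protected
    return None


def route(sender_id: str, account: str) -> Tuple[str, str]:
    """Gateway decision for one message: ('deliver' | 'block', reason)."""
    record = REGISTRY.get(sender_id)
    if record is not None:
        if not record["uen"]:
            return "block", "registered Sender ID has no valid UEN on record"
        if account in record["accounts"]:
            return "deliver", "sender matches registry record"
        return "block", "spoof: registered Sender ID used by an unauthorised account"
    imitated = looks_like_protected(sender_id)
    if imitated is not None:
        return "block", "look-alike of protected Sender ID " + imitated
    if sender_id.isdigit():
        return "deliver", "numeric sender; recipient sees a phone number"
    return "deliver", "unregistered alphanumeric ID; not currently protected"
```

The last branch is the current state of affairs Teo describes: an unregistered alphanumeric ID that does not resemble a protected one still goes through. If registration of all alphanumeric IDs were mandated, that branch would instead rewrite the header to the sender's telephone number. The one-edit look-alike rule is a tuning choice, not a standard: for three-letter IDs it will also catch legitimate neighbours (any XBS would be treated as imitating DBS), so a real deployment would need exceptions for other registered IDs and for IDs whose owners are known.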
Noting that scammers also used IDs that looked similar to legitimate Sender IDs, she said the government was exploring the possibility of requiring all users of alphanumeric IDs to be registered. This would prevent scammers from sending SMS messages using such IDs without first joining the registry, she said.

Teo said these measures would require time to implement and involved additional costs for businesses. Those that chose not to register their Sender ID details would have their SMS messages show up only with their telephone number. Customers then would have to save the number in their contact list to recognise future messages from the organisation. Industry regulator Infocomm Media Development Authority would consider such implications in deciding whether to mandate the registration of all alphanumeric IDs, she said.

She urged businesses to assess their use of SMS to engage customers, as the medium was based on an old technology and not designed for secure communications. She called for “more restraint” in using the platform to transmit sensitive or confidential information or for high-value transactions.

Other measures also were planned, including telcos’ efforts to incorporate additional analytics to block more suspected scam calls. This could lead to 55 million calls blocked a month, up from the 15 million, or one in seven of all incoming overseas calls to Singapore, currently blocked each month. Phishing websites also would continue to be blacklisted. Some 12,000 scam websites were blocked last year, up from 500 websites blocked in 2020, according to Teo. The National Crime Prevention Council also will start a WhatsApp channel, by the third quarter of this year, to crowdsource information on scam websites and messages from the public, she added.

Wong said: “There is no single measure that can guarantee the security of digital banking. The techniques employed by scammers are constantly evolving and gaining in sophistication. This is why in the fight against scams, banks need to employ a combination of measures in prevention, detection, response and recovery, and constantly review and recalibrate these measures.”

He added that customers, the industry, and infrastructure providers must remain alert to prevent a recurrence of large-scale scams such as those involving OCBC. “The breadth of the issues raised underscores we need to take an ecosystem approach to strengthen our collective defence against phishing scams, and scams in general,” he said. “Everyone in this ecosystem must play their part.”

In the OCBC phishing scams, to date, the Singapore Police Force has frozen 121 bank accounts here and recovered some SG$2 million. Another SG$2.2 million of victims’ funds were traced to 89 overseas bank accounts. At least 107 local and 171 overseas IP addresses were linked to the unauthorised access of the victims’ internet banking accounts.

Many of the phishing websites used in the OCBC scams were hosted by web hosting companies based overseas, according to Minister of State for Home Affairs Desmond Tan. He said the SPF was working with Interpol and foreign law enforcement agencies to investigate the recipients of funds transferred overseas as well as the hosts of the scam websites.