Monday, May 29, 2023

How a scammer steals from a bank account

Many people are quite illogical. They are fearful of scams but do not pay attention to how the scams are carried out. Out of ignorance, they spread fear and advise people wrongly.

The scammer cannot steal your money from the following:

a) knowing your email address
b) when you ordered food with a QR code

To access your bank account and steal your money, the scammer needs to know your account login credentials (i.e. your sign-in code and password). Most people have set up 2FA, so the scammer also needs to have your physical phone (to generate a 2FA token) or to receive a one-time PIN sent by your bank.

This is how a few recent scams worked.

The scammer sends an email to the customer purporting to come from the bank. This email contains a link to a fake website that looks like the bank's website.

The customer (who does not suspect the scam) clicks on the link and enters the login credentials (code and password). The scammer uses the credentials to access the real website of the bank. The bank sends a PIN to the customer.

The customer enters the PIN into the fake website. The scammer now has the PIN, which they can use to access the real website.

I have set up a 2FA using the bank's digital token. My bank does not send a PIN. The scammer needs to have my physical phone to access the digital token. But, my phone is protected by my fingerprint (which the scammer does not have).

The chance of a scammer accessing my bank account is extremely low. It may happen, but most likely it will not.

I encourage people to take the trouble to learn how a scammer carries out the scam, rather than have a blind fear and spread fear through ignorance.

Tan Kin Lian

Wisdom of the Crowd - New Issues

1. How should the public receive their business mail from organizations?
2. Singapore allows land for religious organizations to be given by ballot
3. How should the COE quota be handled?


How to deal with scam emails and phone calls

Scam emails and phone calls are rampant in Singapore. We need to understand the root cause and take the appropriate measures to deal with it.

For the past two decades, the Singapore authorities (and in particular the Ministry of Finance and the Monetary Authority of Singapore) have mandated government agencies and financial institutions to avoid sending business communications (i.e. statements, invoices, notices) by email, on the grounds that emails may be hacked.

These institutions store their business communications on their websites and send email notifications to remind the public to log in to the websites to retrieve these communications.

This practice has created an unintended consequence. The scammers realized that they could send false notifications to the public and direct them to their scam websites. The public did not realize that they were logging into the scam websites, and the scammers were able to capture their login credentials. The scammers used the credentials to log in to the real websites.

This can be harmful when the credentials give access to bank accounts and allow money to be transferred.

To eradicate these scams, we have to deal with the root of the problem. The organizations should not store their business communications on their own websites. Instead, they should send these communications directly to the email accounts of the recipients or into a secure website (which I will name the Business Mail website).

Each person has an account in the Business Mail website, and the business communications from all participating organizations will be sent to this account.

The public is likely to log in to this one account regularly, maybe daily, as it contains the communications from all the relevant organizations. It is like opening the paper mail that is sent to one's home address.

When the Business Mail platform is created, there is no need for the individual organizations to send email notifications to the public. The public will not be scammed into accessing the scam websites. 

Tan Kin Lian 

Sunday, May 28, 2023

WOTC - Rental of Ridout Road bungalows

Wisdom of the Crowd: 100% of respondents said that there is no reason to keep the rental of the Ridout Road bungalows to the ministers private, as the rental of government properties is generally published in other situations.

CDC Vouchers

I suggest a new approach to handle CDC vouchers in future.
