Can scammers steal your OTP and hack into your ‘mobile money account’ via PayNow?

We came across this post on Facebook:

The post attempts to warn individuals about “emerging Mobile Money fraudulent tricks” which involve the use of the peer-to-peer fund transfer service PayNow. The modus operandi of the scammers involves them sending victims money. The scammer would then call the victim, asking them to reverse the process and send the money back. The author warns members of the public not to do so, as it is part of a “trick for them to steal your PIN (OTP)”. The author states that in the process of the victim sending the money back, the scammer would be able to access the victim’s “mobile money account” and “steal all [their] reserves”.

The post also includes a photo of an individual wearing a mask. It is uncertain what the individual has to do with the content of the post.

It is also important to note that the text in the Facebook post is rather convoluted, with terms like OTP/PIN and PayNow/PayLah being used interchangeably.

At the time of publication, the post had been shared over 613 times. However, a number of netizens have come forward to express their doubts about the claims made in the post:

Not the first time we hear about PayNow/PayLah scams

Earlier this year, we came across yet another Facebook post which aimed to warn members of the public about a scam involving PayNow:

The post reproduces a WhatsApp message which recounted an incident where an individual received a $20 PayNow transfer from a stranger. The lady who sent the money then immediately asked the payee to transfer it back to her. Sensing that something was off, the payee informed the lady that he/she would consult the bank about the return transfer. The post ends with the claim that an individual’s name and bank account show up on PayNow transactions, and that this puts one’s account at risk of hacking.

When we did a check on DBS Bank’s website, we read that upon receiving the PayNow transaction, only the name of the sender will appear on the bank statement and email alert. The name of the bank and the sender’s bank account number will not be revealed on the payee’s bank statement.

At the time, we rated the claim as false.

OTP or PIN? PayNow or PayLah?

As a quick background on the terms, PayNow was launched by the Association of Banks in Singapore (ABS) on 10 July 2017 and allows users to transfer funds between accounts under different banks. Individuals and corporate entities can also use PayNow to transfer and receive funds.

PayLah, on the other hand, is a personal mobile wallet by DBS Bank which allows individuals to perform transactions such as funds transfer and ‘Scan and Pay’. According to PayLah’s FAQ page, in order to log into a PayLah account, one would need to enter a PayLah password or use biometric access (Touch ID/Fingerprint ID).

In a media release by the Singapore Police Force on OTP-related scams, we read that an OTP (one-time password) is a security feature commonly used as a part of two-factor authentication. OTPs are unique passwords that are available for a defined period of time and are only valid for a single transaction. OTPs are usually sent to one’s phone via SMS, but some banks provide alternative options of using email, a physical banking token or a mobile phone application that can generate an OTP.

A PIN, or personal identification number, is like a password that you use for banking services like online banking (used alongside a user ID/access code) or with a physical bank card at an ATM.

Going back to the claim made in the Facebook post, we read that scammers are apparently able to steal an individual’s PIN or OTP via a PayNow/PayLah fund transfer, and use that information to access the victim’s account. However, unless the victim reveals the OTP he/she receives from the bank, there is no way that the scammer would be able to know what OTP the victim got. The same goes for a PIN.

What’s more, logging into one’s online banking account and making a transaction using PayNow or PayLah requires more than just a PIN or OTP.

Therefore, the claim that scammers are able to steal your PIN/OTP via PayNow/PayLah is false.

Regardless, it would still be prudent for individuals to report any erroneous fund transfers to their bank and lodge a police report, given that it is a criminal offence to hold or use funds that do not belong to you.
