Categories
privacy security

OCBC phishing scam – how it could have happened

Disclaimer: The following analysis of what could have happened is pure speculation based on publicly available information.

On 8 Jan 2022, news broke that as many as 469 OCBC bank customers were affected by phishing scams, racking up losses of up to S$8.5 million in total. This should be one of the biggest and most successful phishing attacks on a Singapore bank in recent memory.

Based on details of the news report, it appears that the scam works mainly as a result of 2 factors:
1. Successful social engineering
2. Possible SMS hijacking

Fake bank SMS

According to reports, users who got scammed received SMS messages that appeared to originate from the bank. Scammers prey on users’ tendency to trust messages that appear alongside previous legitimate SMSes. They are able to do this by making use of a feature of SMS sending known as Alphanumeric Sender ID, meaning they can send an SMS with a chosen sender ID that the bank uses. In this case, they chose “OCBC” as the sender ID. When the user receives such an SMS, it will appear alongside existing SMSes from the same sender ID “OCBC”.

As a quick test, I sent myself a test message with sender ID set to “BOC SG” (what Bank of China Singapore uses) and this is what I see:

This is just to show how easy it is to fake a sender ID. Interestingly, I was unable to reproduce this using “OCBC” as the sender ID, probably because the service provider/ISP is filtering out such IDs.

If a user thinks that it is a legitimate message from the bank, they tend to let their guard down and click on the link that the “bank” has sent – especially if it’s worded as something urgent. In this case it directs to a phishing site that looks exactly like the bank’s login page. Once the user enters their username and password, the scammer has captured their login credentials.

SMS hijacking

Just having login credentials is insufficient to make the attack successful, because most banks require 2FA for full login and for more important actions like money transfers. This is where SMS hijacking comes in.

It has been known for quite some time that SMS is NOT a reliable form of 2FA. To understand why, we have to dig into how SMS is implemented. Those who are interested can find out more here. There are some sites – which I won’t link to – that offer such hijacking as a service for as little as $16.

To cut the long story short, if an attacker knows your mobile phone number, they can intercept your SMS messages, without you knowing. Shocking. I know. But this is well known and has been repeatedly demonstrated in cybersecurity conferences and other public forums.

With both the login credentials and hijacked SMS messages carrying OTP messages, an attacker can in theory carry out transactions without the user being notified.

Actually, that is not all: if the bank calls your mobile number – for example, to verify the transaction – that call can be intercepted as well via the same mechanism.

Closing the gap

The attack worked in this case because Singapore allows for Alphanumeric sender ID without requiring pre-registration by the sending organization. There are now renewed calls to make pre-registration compulsory to use this feature.

Fixing SMS hijacking – if it’s indeed the mechanism being used – will take more effort and probably require all ISPs to put in place mitigation in their systems. The easier fix may be to deprecate SMS as a 2FA option and stick to other more secure options like authenticating through app or physical tokens.

There are also some questions as to why the automatic fraud detection that banks usually have in place was not working in this case. I shall not speculate on this but wait for further information from the investigation.

Conclusion

OCBC customers are not the first to fall prey to scams and neither will they be the last. As we move more and more to the digital world we can expect cyber criminals to keep exploiting both technical loopholes and human weaknesses to achieve their objectives. User education remains important, as do improving processes and closing technology gaps.

Categories
3D gis

Comparing Google Maps 3D with Singapore’s OneMap3D

OneMap3D is envisioned to be “Asia’s first, open-source 3D nationwide map”.

OneMap 3D (sic) will enable users to orient themselves in a three-dimensional representation of the real world, empowering them to navigate around identifiable landmarks, walkways and even void deck spaces. OneMap 3D will first be launched to developers by the end of 2020.

Source

  1. Full disclosure: we are enrolled in the OneMap3D Developer Programme and are bound by its NDA. The following content does not reveal anything that is forbidden by the NDA.
  2. It appears that earlier articles use the term “OneMap 3D” and recent ones “OneMap3D”. For consistency we will use the term “OneMap3D”.

Background

In 2014, Singapore announced the launch of the Smart Nation Initiative, of which Virtual Singapore is a key feature. One of the products of Virtual Singapore is the island-wide 3D map of Singapore. Today, the custodian of this 3D map is the Singapore Land Authority (SLA), and the platform in which this data will be available is called OneMap3D.

This article primarily focuses on the comparison of 3D model available on Google Maps and OneMap3D. Other aspects such as API capabilities etc are not explored.

Google Maps 3D

When Google Maps was launched, the world of digital mapping was introduced to the masses. It began with making tile-based maps accessible through the browser. Then Google acquired a company called Keyhole and took over its product, which was launched as Google Earth, a desktop application. Google Earth was its foray into interactive 3D mapping – fulfilling Neal Stephenson’s vision in a roundabout way, since the original Keyhole application was said to be inspired by the author’s novel.

Nowadays, the line is blurring between Google Maps and Google Earth since the former is capable of showing 3D content as well. On your modern desktop browser, just turn on Satellite mode and if the area happens to have 3D content it will be shown. Singapore is lucky enough to have this feature enabled for a large part of the main island. Our comparison will be based on the 3D content available through Google Maps.

OneMap3D

OneMap3D is envisioned to be the upgrade from the existing OneMap service provided by SLA. By enrolling in the OneMap3D Developer Programme, we are given access to 1) 3D building models, and 2) API to access 3D models.

The 3D building models are provided in CityGML version 2 format. For those who are unfamiliar, “CityGML is an open data model and XML-based format for the storage and exchange of virtual 3D city models.” It is both an OGC and an ISO standard.

The tools for processing CityGML are quite lacking unfortunately, as commercial support is not high. For the purpose of this comparison, we will import CityGML files into 3DCityDB, and export it out as a COLLADA file.

First Look

Google Maps
OneMap 3D

At this zoom distance, both models in Google Maps and OneMap3D look quite good. It may not be apparent, but the water tanks on the rooftops for OneMap3D are modelled separately.

Another Example

Google Maps
OneMap 3D

For a more articulated building, OneMap3D clearly shines. One can see small features such as the cross on the rooftop, and the words on the facade can be read.

Model Representation

Google doesn’t reveal how its 3D mapping content is constructed but one can try to guess. One FAQ for Google Earth – which probably shares the same data sources as Google Maps – says that imagery collected includes “satellite, aerial, 3D, and Street View images” from “providers and platforms”. The fusion of all these data into a model should be largely automated and powered by their proprietary algorithms.

Based on how 3D contents are streamed in Google Maps, they should be using some form of progressive mesh techniques.

OneMap3D models are based on buildings and each building is provided as a CityGML file. The likely data sources include LiDAR, aerial photography, site survey, official building footprint, etc. It is apparent that the models are handcrafted through some modelling software and converted to the designated format.

OneMap 3D building mesh

Comparison

As with most things, there are pros and cons to either modelling approach. Here is a non-exhaustive comparison:

OneMap3D

Pros:
• Clean model
• Optimized
• Sharp even when zoomed in
• Small features can be seen
• Ground-level details can be seen

Cons:
• Colors/textures can be inconsistent
• Textures can look repetitive
• Subject to human errors
• Labour intensive
• Inconsistent texture quality between roof and facade

Google Maps

Pros:
• Consistent look and feel
• Scalable to large areas

Cons:
• “Melted building” syndrome when close-up
• Edges are not straight
• Occasional artifacts
• Building not separated from terrain mesh
• Shadows are not removed
• Visual artifacts

More OneMap3D Examples

Summary

OneMap3D represents the herculean effort of creating and maintaining an up-to-date database of 3D building models for the whole of Singapore.

Google Maps’ approach, on the other hand, allows it to scale to potentially any city in the world. And it will only get better with newer data acquisition techniques and algorithms.

Beyond 3D representation, however, OneMap3D’s models also contain rich semantic information that allows them to be used in different types of applications, e.g. computing roof surface area. And since the buildings are standard 3D assets, they can be used in various types of 3D applications such as VR, gaming, rendering etc. There are clearly pros and cons to either approach, and we are excited to see the types of applications that OneMap3D will bring when it officially launches at the end of the year.
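An added example (not OneMap3D’s data or tooling) of the semantic use mentioned above: CityGML 2.0 tags each building surface by type, so a roof area can be read straight from the bldg:RoofSurface polygons without reconstructing the building. The Python below parses a constructed two-building CityGML fragment and sums the exterior-ring areas with Newell’s method, which handles pitched roofs as well as flat ones; the building ids and coordinates are made up.

```python
import math
import xml.etree.ElementTree as ET

NS = {
    "core": "http://www.opengis.net/citygml/2.0",
    "bldg": "http://www.opengis.net/citygml/building/2.0",
    "gml": "http://www.opengis.net/gml",
}
GML_ID = "{http://www.opengis.net/gml}id"


def polygon_area_3d(points):
    """Area of a planar polygon in 3D via Newell's method: accumulate the
    signed projected areas on the three axis planes; their vector length is
    twice the true area, whatever the polygon's orientation."""
    nx = ny = nz = 0.0
    for (x1, y1, z1), (x2, y2, z2) in zip(points, points[1:] + points[:1]):
        nx += (y1 - y2) * (z1 + z2)
        ny += (z1 - z2) * (x1 + x2)
        nz += (x1 - x2) * (y1 + y2)
    return 0.5 * math.sqrt(nx * nx + ny * ny + nz * nz)


def ring_points(pos_list):
    """Turn a gml:posList element into (x, y, z) tuples, dropping the
    closing vertex that GML rings repeat."""
    dim = int(pos_list.get("srsDimension", "3"))
    nums = [float(v) for v in pos_list.text.split()]
    pts = [tuple(nums[i:i + dim]) for i in range(0, len(nums), dim)]
    if len(pts) > 1 and pts[0] == pts[-1]:
        pts.pop()
    return pts


def roof_areas(citygml_xml: str) -> dict:
    """Sum the exterior-ring area of every bldg:RoofSurface, per building."""
    root = ET.fromstring(citygml_xml)
    areas = {}
    for building in root.findall(".//bldg:Building", NS):
        total = 0.0
        for roof in building.findall(".//bldg:RoofSurface", NS):
            for exterior in roof.findall(".//gml:exterior", NS):
                for pos_list in exterior.findall(".//gml:posList", NS):
                    total += polygon_area_3d(ring_points(pos_list))
        areas[building.get(GML_ID)] = total
    return areas


def building_xml(gml_id: str, roof_pos_list: str) -> str:
    """Constructed minimal LoD2 building with a single roof polygon."""
    return f"""
  <core:cityObjectMember>
    <bldg:Building gml:id="{gml_id}">
      <bldg:boundedBy>
        <bldg:RoofSurface>
          <bldg:lod2MultiSurface><gml:MultiSurface><gml:surfaceMember>
            <gml:Polygon><gml:exterior><gml:LinearRing>
              <gml:posList srsDimension="3">{roof_pos_list}</gml:posList>
            </gml:LinearRing></gml:exterior></gml:Polygon>
          </gml:surfaceMember></gml:MultiSurface></bldg:lod2MultiSurface>
        </bldg:RoofSurface>
      </bldg:boundedBy>
    </bldg:Building>
  </core:cityObjectMember>"""


# Constructed sample (not OneMap3D data): a flat 10 m x 5 m roof at 20 m, and a
# pitched roof whose 3 m rise over a 4 m footprint gives a 5 m wide surface.
SAMPLE_CITYGML = (
    '<core:CityModel xmlns:core="http://www.opengis.net/citygml/2.0" '
    'xmlns:bldg="http://www.opengis.net/citygml/building/2.0" '
    'xmlns:gml="http://www.opengis.net/gml">'
    + building_xml("BLDG_FLAT", "0 0 20 10 0 20 10 5 20 0 5 20 0 0 20")
    + building_xml("BLDG_PITCHED", "0 0 20 10 0 20 10 4 23 0 4 23 0 0 20")
    + "</core:CityModel>"
)

if __name__ == "__main__":
    for gid, area in roof_areas(SAMPLE_CITYGML).items():
        print(f"{gid}: roof area {area:.1f} m^2")
```

Both sample buildings report 50 m²; a footprint-only calculation would give 40 m² for the pitched roof, which is the kind of difference the surface semantics make possible to see.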

Edit: Contact me if you would like to know more about converting OneMap3D data to other commonly used 3D formats.

Categories
payment

On SGQR, Singapore’s unified QR code payment system

What is it?

The so-called unified QR code is finally out.

SGQR code is purportedly Singapore’s effort in “unifying” the fragmented e-payment market – what with DBS PayLah!, Singtel Dash, Grab Pay, LiquidPay, AliPay etc coming into the fray.

MAS says:

For consumers

Your current payment app probably works with SGQR already. All you need to do at the merchant checkout is:

• PICK and launch your preferred payment app
• SCAN the SGQR and check the merchant name
• PAY the correct amount

In other words, ideally a consumer can use his/her preferred payment app to make payment to a merchant through SGQR.

How well has it achieved its goals?

There are some upsides and some downsides. On the upside, consumers will only see one QR code per merchant. So it is less confusing compared to now, where the payer has to carefully match the array of QR codes being shown to the right app.

On the downside, while the SGQR specification can enable multiple e-payment providers, merchants are unlikely to sign up with ALL of them (up to 27 payment schemes). So you can end up in a situation where you see a SGQR code but are unable to use your preferred payment app (say Grab Pay) to make payment. The payer has to look at the row of icons below the QR code to know which e-payment solutions are accepted.

Technical Details

Very little technical information is publicly available about this SGQR code. After some research, I found on MAS website that it’s based on EMVCo QR code. EMVCo is made up of members from American Express, Discover, JCB, Mastercard, UnionPay, and Visa, and is the body that creates standards for secure payment.

Let’s try and see what the QR code contains. Fortunately the QR code in the article is clear enough to be decoded:

To parse the content of the QR code, one can refer to the EMVCo QR code specification, which is available on the EMVCo website.

After a bit of parsing, it’s clear that this QR code contains metadata for only some payment providers.
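The parsing step described above, as an added example that is not the article’s own decode and uses a constructed payload rather than the one in the picture. In EMVCo merchant-presented mode each data object is a two-digit ID, a two-digit length and the value; IDs 26 to 51 are merchant account information templates carrying nested objects whose sub-ID 00 is the scheme’s globally unique identifier, which is how one payload can list some providers and not others; ID 63 is a CRC-16/CCITT-FALSE over everything up to and including its own “6304” header, so a wallet can reject a sticker that has been altered. The scheme GUIDs and merchant details below are placeholders.

```python
def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection), the
    checksum EMVCo specifies for the trailing ID 63 object."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode_tlv(objects) -> str:
    """Serialise (id, value) pairs as two-digit ID, two-digit length, value."""
    return "".join(f"{tag}{len(value):02d}{value}" for tag, value in objects)


def parse_tlv(data: str):
    """Inverse of encode_tlv; raises on a truncated or malformed object."""
    objects, i = [], 0
    while i < len(data):
        if i + 4 > len(data) or not data[i:i + 4].isdigit():
            raise ValueError(f"malformed ID/length at offset {i}")
        length = int(data[i + 2:i + 4])
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"object {data[i:i + 2]} truncated at offset {i}")
        objects.append((data[i:i + 2], value))
        i += 4 + length
    return objects


def build_payload(objects) -> str:
    """Append the CRC object; the checksum covers everything up to and
    including the CRC object's own ID and length ("6304")."""
    body = encode_tlv(objects) + "6304"
    return body + f"{crc16_ccitt_false(body.encode('ascii')):04X}"


def verify_crc(payload: str) -> bool:
    if len(payload) < 8 or payload[-8:-4] != "6304":
        return False
    return crc16_ccitt_false(payload[:-4].encode("ascii")) == int(payload[-4:], 16)


def decode_merchant_qr(payload: str) -> dict:
    """Decode a merchant-presented payload into the fields a wallet app
    would act on, refusing anything whose CRC does not match."""
    if not verify_crc(payload):
        raise ValueError("CRC mismatch: payload is corrupt or was altered")
    named = {"00": "format", "01": "initiation", "52": "mcc", "53": "currency",
             "54": "amount", "58": "country", "59": "merchant_name",
             "60": "merchant_city", "63": "crc"}
    info = {"schemes": []}
    for tag, value in parse_tlv(payload):
        if tag in named:
            info[named[tag]] = value
        elif "26" <= tag <= "51":   # templates: nested TLV, sub-ID 00 = scheme GUID
            sub = dict(parse_tlv(value))
            info["schemes"].append({"id": tag, "guid": sub.get("00"), "fields": sub})
        elif "02" <= tag <= "25":   # reserved for specific card networks, raw value
            info["schemes"].append({"id": tag, "guid": None, "fields": {"raw": value}})
        elif tag == "62":           # additional data template (bill number etc.)
            info["additional"] = dict(parse_tlv(value))
    return info


# Constructed sample, not the payload from the article; the scheme GUIDs are
# placeholders and do not identify any real provider.
SAMPLE_OBJECTS = [
    ("00", "01"),                                   # payload format indicator
    ("01", "11"),                                   # 11 = static QR, 12 = dynamic
    ("26", encode_tlv([("00", "SG.EXAMPLE.WALLET-A"), ("01", "MERCHANT-0001")])),
    ("27", encode_tlv([("00", "SG.EXAMPLE.WALLET-B"), ("01", "M0001")])),
    ("52", "5812"),                                 # merchant category code
    ("53", "702"),                                  # ISO 4217 numeric code for SGD
    ("58", "SG"),
    ("59", "Example Kopitiam"),
    ("60", "Singapore"),
    ("62", encode_tlv([("01", "TABLE-7")])),        # sub-ID 01 = bill number
]
SAMPLE_PAYLOAD = build_payload(SAMPLE_OBJECTS)

if __name__ == "__main__":
    print(SAMPLE_PAYLOAD)
    for scheme in decode_merchant_qr(SAMPLE_PAYLOAD)["schemes"]:
        print(scheme["id"], scheme["guid"])
```

A wallet app walks the `schemes` list looking for a GUID it recognises; the row of icons under a printed SGQR is the human-readable version of that same list, which is why a code can be “unified” and still not work with every app.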

Conclusion

We are still in the early days of SGQR. It remains to be seen how widely businesses and consumers will take to this form of payment.

For now, the only thing it probably saves is real estate for displaying QR codes.

Update (2018-09-21): Yeah! This article made it onto the front page of Hacker News! See the comments on HN here.

Categories
ai

Imagen: Text-to-Image Diffusion Models

Text-to-image generation is now surprisingly good. Some predict the end of the stock photo business – why use a stock photo when you can generate any image you need just from a description?

Google has developed a competing model to DALL-E 2, which purportedly performs better than the latter and other models in a test with human raters.


Generated from text prompt “A robot couple fine dining with Eiffel Tower in the background”.

Source: Imagen: Text-to-Image Diffusion Models

Categories
ai

DALL·E 2

Another ground-breaking work from OpenAI.

We are all familiar with AI models that do image analysis and output a text description or labels. For instance,

Dall-E and its successor, Dall-E 2, sort of do the reverse. They produce an image based on a text description. There’s some degree of randomization, so they can produce different outputs from the same prompt text.

Here’s an example generated from “An astronaut riding a horse in the style of Andy Warhol”.

Someone used Dall-E 2 to generate pictures from Twitter bios and the results are just jaw-dropping.

happy sisyphus

bookbear

machine learning researchoor | technology brother | “prolific Twitter shitposter

It’s currently in private preview but should not be long before it provides a commercial offering.

DALL·E 2 is a new AI system that can create realistic images and art from a description in natural language.

Source: DALL·E 2

Categories
phishing security

Lupinia Studios – I’m a Scam Prevention Expert, and I Got Scammed

There’s a lot to unpack here: scam prevention expert gets scammed, ‘cos a supposed fraud prevention department turns out to be the actual fraud. Goes to show anyone can fall for these attacks, even experts.

I’m a Scam Prevention Expert, and I Got Scammed

Source: Lupinia Studios – I’m a Scam Prevention Expert, and I Got Scammed

Categories
3D programming

Data Management OSS (Object Storage Service) migrating to Direct-to-S3 approach

It’s no secret that Autodesk Forge uses AWS. But now they have made it explicit. Some of the APIs will expose AWS services – in particular S3 – directly.

Source: Data Management OSS (Object Storage Service) migrating to Direct-to-S3 approach

Categories
programming security

BIG sabotage: Famous npm package deletes files to protest Ukraine war

Oh dear. Yet another npm author went rogue. This time it appears that the npm package deletes files for users with Russian/Belarusian IP addresses. Time to take package pinning more seriously.

This week, the developer of the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The ‘node-ipc’ package, which gets downloaded over a million times weekly, began deleting files on developer’s machines, in addition to creating new text files with “peace” messages.

Source: BIG sabotage: Famous npm package deletes files to protest Ukraine war

Categories
bug programming security

Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Previously we had attackers using hijacked npm libraries to steal credentials. In this case neither the libraries nor the maintainer was compromised. In fact it was the maintainer who deliberately introduced bugs into his libraries, thereby breaking thousands of apps that depend on them. There’s no easy solution to this dependency problem. For now, use pinned versions and manually approve upgrades.
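Added example for the pinning advice in this post and in the node-ipc post above (my code, not either article’s): a checker that flags dependency specs in package.json that are not exact versions, since a caret, tilde, wildcard or dist-tag such as “latest” lets the next publish of a package install on its own. The sample manifest is constructed and the version numbers in it are arbitrary.

```python
import json
import re

# Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build metadata,
# optionally prefixed with "=" (npm treats "=1.2.3" as an exact match) or "v".
EXACT_VERSION = re.compile(
    r"^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)
# peerDependencies are deliberately left out: those are meant to be ranges.
CHECKED_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def is_pinned(spec: str) -> bool:
    """True only for an exact version. Ranges (^ ~ * x), dist-tags such as
    "latest", and git/file/URL specs all resolve to whatever is newest."""
    spec = spec.strip()
    if spec.startswith("npm:"):                 # alias form: npm:<package>@<version>
        _, sep, version = spec[4:].rpartition("@")
        return bool(sep) and is_pinned(version)
    return EXACT_VERSION.match(spec) is not None


def find_unpinned(package_json: str):
    """Return (section, name, spec) for every dependency that is not pinned."""
    manifest = json.loads(package_json)
    findings = []
    for section in CHECKED_SECTIONS:
        for name, spec in sorted(manifest.get(section, {}).items()):
            if not is_pinned(spec):
                findings.append((section, name, spec))
    return findings


# Constructed manifest for illustration only.
SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-sample-app",
  "dependencies": {
    "colors": "^1.4.0",
    "faker": "~5.5.3",
    "node-ipc": "*",
    "express": "4.17.1",
    "legacy-colors": "npm:colors@1.4.0"
  },
  "devDependencies": {
    "eslint": "latest",
    "typescript": "=4.5.4"
  },
  "peerDependencies": { "react": ">=16" }
}"""

if __name__ == "__main__":
    for section, name, spec in find_unpinned(SAMPLE_PACKAGE_JSON):
        print(f"{section}: {name} is not pinned ({spec})")
```

An exact pin only fixes what the manifest names directly; transitive dependencies are resolved by the lockfile, so the lockfile needs the same discipline (commit it, install from it, and review its diff as part of approving an upgrade).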

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there’s more to the story.

Source: Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps

Categories
programming security

RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

log4j is a common logging library for Java applications. This vulnerability is extremely easy to exploit, and allows the attacker to run arbitrary code on the server. IOW, very bad. For now, set log4j.formatMsgNoLookups=true to mitigate the issue, until an official patch is out.

Given how ubiquitous this library is, the impact of this vulnerability is quite severe. Learn how to patch it, why it’s bad, and more in this post.

Source: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

Categories
security

Microsoft Defender scares admins with Emotet false positives

Got hit by this today. Was trying to open a Word doc from a colleague when I received the following scary warning.

Submitting the same file to VirusTotal returns 0 threats detected. Hmmm.

Searching for the keyword Win32/PowEmotet.SB returns the following:

Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload.

Source: Microsoft Defender scares admins with Emotet false positives

If you are hit by the same issue, just update your threat definition and it should go away:

Categories
gis programming

OneMap API

Do you know that you can do this? No API key or token is required to do simple geocoding via the OneMap API.

Notice that the response returns both LONGTITUDE and LONGITUDE containing the same values. This is due to a misspelling in the earlier API and a decision not to break the earlier API.

Find out more here: https://www.onemap.gov.sg/docs/#onemap-rest-apis
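An added example, not from the post or from SLA, of how a client can cope with the duplicated longitude field: prefer the correctly spelled key, fall back to the legacy one, and refuse a result where the two disagree or the coordinates make no sense. The response below is constructed to the shape described above; apart from LONGITUDE and LONGTITUDE, the field names and the Singapore bounding box used as a sanity check are assumptions.

```python
# Constructed response in the shape described above (field names other than
# LONGITUDE/LONGTITUDE are assumptions, not taken from the API docs).
SAMPLE_RESPONSE = {
    "found": 1,
    "results": [
        {
            "SEARCHVAL": "EXAMPLE BUILDING",
            "ADDRESS": "1 EXAMPLE ROAD SINGAPORE 000000",
            "LATITUDE": "1.29000",
            "LONGITUDE": "103.85000",
            "LONGTITUDE": "103.85000",   # legacy misspelling kept by the API
        }
    ],
}

# Rough bounding box for Singapore, used only as a sanity check (assumed).
SG_LAT = (1.1, 1.5)
SG_LON = (103.5, 104.2)


def normalise_results(response: dict) -> list:
    """Map each raw hit to {'address', 'lat', 'lon'} with validated floats."""
    out = []
    for hit in response.get("results", []):
        lon_new, lon_old = hit.get("LONGITUDE"), hit.get("LONGTITUDE")
        lon_str = lon_new if lon_new is not None else lon_old
        if lon_str is None or hit.get("LATITUDE") is None:
            raise ValueError("result without coordinates")
        if lon_new is not None and lon_old is not None and lon_new != lon_old:
            # The two keys are documented to carry the same value; a
            # mismatch means the response is not what the client expects.
            raise ValueError("LONGITUDE and LONGTITUDE disagree")
        lat, lon = float(hit["LATITUDE"]), float(lon_str)
        if not (SG_LAT[0] <= lat <= SG_LAT[1] and SG_LON[0] <= lon <= SG_LON[1]):
            raise ValueError(f"coordinates outside Singapore: {lat}, {lon}")
        out.append({"address": hit.get("ADDRESS"), "lat": lat, "lon": lon})
    return out


if __name__ == "__main__":
    for row in normalise_results(SAMPLE_RESPONSE):
        print(row)
```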