ST Picks: How will doing away with OTPs make banking safer?
SINGAPORE – By November, customers of UOB, DBS and OCBC who have enabled their digital banking token will no longer receive one-time passwords (OTPs) when logging in.
- by autobot
- July 28, 2024
- Source article
Publisher object (23)
SINGAPORE – By November, customers of UOB, DBS and OCBC who have enabled their digital banking token will no longer receive one-time passwords (OTPs) when logging in. The move, by the Monetary Authority of Singapore and the Association of Banks in Singapore on July 9, is said to be part of larger efforts to thwart phishing scams. Customers who are using hardware tokens can still continue to use OTPs. But the authorities are urging users of physical tokens to switch to digital tokens. Is the digital token safer than OTPs and hardware tokens as a second-factor authentication measure? Are there limits to how effective digital tokens are in protecting customers from major types of scams? The Straits Times answers these questions and more. A digital token authenticates logins and transactions on a mobile banking app and essentially replaces a bank-issued physical token. Once the digital token is set up, customers no longer need to use their physical token. Through the digital token, users will only authenticate through an app-generated prompt, which users must tap on to approve the transaction. The OTP option will be removed by November across all major banks. OTPs were introduced in the 2000s to strengthen online security, but social engineering tactics and technological developments have since allowed scammers to phish for customers’ OTPs through fake bank websites. Victims of phishing scams are often tricked into disclosing their login credentials, like their username and password, as well as OTPs, which can be generated by hardware tokens and software tokens. Some of the biggest problems with SMS OTPs is that the SMS messages can be mistakenly shared or, in rare cases, intercepted. Scammers can use the OTPs to execute unauthorised transactions without the victims’ knowledge. Removing the OTP option on the digital token will force users to use only the app-generated prompt, which will contain details of the actual transaction, prominently displayed on the authorisation prompt. Unsuspecting victims would be alerted to any unusual activities in this way. This is also the reason why the authorities are urging users of physical tokens to switch to digital tokens. Phishing sites can still lull unsuspecting victims to tap on prompts generated by digital tokens to unknowingly approve their digital token to be transferred. Doing so will allow fraudsters to receive ownership of the digital token after 12 hours and perform transactions on their device. Also, digital tokens can quicken the confirmation of any transactions, including suspicious ones, as authentications are carried out with a single tap. OTPs, on the other hand, have to be copied and pasted into a text box. Thus, users should always scrutinise the content of digital token-generated prompts carefully and only confirm a transaction if they are certain of its purpose. Hardware tokens have the lowest risk of online attacks because they operate independently from the internet and have to be used in-person, said US cyber-security software provider Keeper Security chief executive Darren Guccione. Digital tokens try to match the same level of security for users by allowing the token to be paired to only one device at a time. This, coupled with the apps’ malware-scanning, which shuts down the mobile app when apps with suspicious permissions are detected, helps to secure digital tokens. Since digital tokens can be assigned to only one device at a time, scammers who attempt to activate a victim’s digital token on another device will have to wait 12 hours, adding more friction to the process, said head of anti-fraud at OCBC Beaver Chua. Even though physical hardware tokens are separated from the internet, users are often the weakest link. Users can still be exposed to OTP phishing tactics if they transact on fake websites using hardware token-generated OTPs.