One-time passwords on phones an outdated security mechanism

I am surprised that United Overseas Bank (UOB) considers one-time passwords secure enough such that it would not waive the charges chalked up on Mr Philip Loh's credit card by hackers ("Man in row with bank over hacked phone"; Jan 27).

One-time passwords (OTP) made sense perhaps eight years ago, when most online banking transactions were conducted on a personal computer and when phones were not as "smart" as they are today.

The principle behind the OTP was that even if hackers obtained a user's password via an infected computer, it was highly unlikely that they would have simultaneous access to the user's mobile phone, so the bank account remains safe.

However, online banking activities have migrated to the phone. These days, phones are regularly used for online banking activities. In fact, banks even vigorously promote their online banking apps.

But, performing two-factor authentication via the same compromisable device is as good as using just one. Phones these days are just as vulnerable to malware as PCs.

If hackers have access to your on-screen keyboard, they probably have access to your SMS, too, so an OTP provides no additional security. It does not even require malware - a "keyboard" app with permission to read SMSes is sufficient.

Thus, for UOB to assert that its authentication method is secure is outdated thinking. It should waive the charges for Mr Loh, given that it used an outdated security mechanism to protect his assets.

Banks should require that all online banking transactions be conducted with the use of a secure token. Otherwise, they should buy enough insurance to cover criminal losses via online theft.

Sum Siew Kee