DBS probing three-hour online service disruption

DBS is investigating why its Internet banking users relying on security tokens were unable to to log in for three hours on Tuesday morning.
DBS is investigating why its Internet banking users relying on security tokens were unable to to log in for three hours on Tuesday morning. ST PHOTO: TIFFANY GOH

Downtime affects all transactions for Internet banking users relying on security tokens

DBS is investigating why its Internet banking users who rely on their security tokens to log in and use online services were unable to do so for three hours yesterday morning.

The downtime affected all transactions which required users to log in with a one-time password (OTP) generated by their DBS security tokens. These included transferring funds, checking account balances and paying bills.

When users keyed in their OTPs on the website, they received an error message saying that the wrong password had been entered.

All services were fully restored by 12.40pm yesterday afternoon, according to a DBS spokesman.

In a statement on its Facebook page, DBS said customers could use an SMS OTP - where a password is sent to the user's mobile phone - to carry out their transactions instead.

The spokesman said: "Some customers may have experienced difficulties accessing DBS/POSB iBanking services via their iB Secure Device/Token yesterday morning. They were advised to use SMS OTP to conduct their transactions instead. We took immediate steps to rectify the situation and to minimise service disruptions."

The Straits Times understands that the downtime was due to system issues and that DBS is investigating the root cause of the matter.

These security tokens form the second layer of two-factor authentication (2FA), where sensitive transactions are protected by two sets of passwords. Banks have made 2FA a standard protection for online access since 2006, as required by the Monetary Authority of Singapore.

One way that these security tokens work is through time-based synchronisation, where passwords are generated using the current time that is run through an algorithm, said Mr Charles Fan, chief executive of IT security specialist Assurity Trusted Solutions.

"The problem could be that the security tokens are out of sync with the authentication server - the central system," said Mr Fan.

"This incident could be due to a time drift on the authentication server, thus causing all security tokens to be out of sync.

"This means that the OTP displayed on the token and the OTP in the authentication server are different. Thus, the system will not allow the transaction to go through," he added.

Funeral director Alvin Goh, 39, said the downtime was inconvenient for him as he was unable to process business transactions yesterday morning.

He said: "I could not access any Internet banking services and was subsequently locked out due to security measures. Services resumed at about 3pm for me. The downtime took a bit too long. I also could not get any help from DBS as I couldn't get through on its hotline."

A version of this article appeared in the print edition of The Straits Times on December 23, 2015, with the headline 'DBS probing three-hour online service disruption'. Print Edition | Subscribe