OCBC continues with physical tokens, reversing plan to phase them out

The bank had planned to phase out the physical tokens on its online banking platform by March 31 and transition to a fully digital authentication process. PHOTOS: CHONG JUN LIANG, ST READER

SINGAPORE - OCBC Bank will now allow customers to continue using hardware tokens for security verifications after an earlier announcement said they would be axed.

The bank had planned to phase out the physical tokens on its online banking platform by March 31 and transition to a fully digital authentication process.

But it has reversed that position, as its head of global consumer financial services noted on Friday (Jan 7).

Mr Sunny Quek said: "We are not phasing out hardware tokens and will continue to enable customers to use hardware tokens for two-factor authentication (2FA) of digital banking."

The Straits Times understands the decision factored in customer feedback.

Customers can use the bank's digital OneToken for authenticating digital banking transactions or stick with the physical one.

OCBC rolled out the digital token in 2019, a move that was expected to save it around $25 million over five years by eliminating the need to issue physical tokens and reducing one-time passwords that are sent by SMS.

Customers can activate the digital token on their mobile devices.

Several other banks have done away with physical tokens, citing their digital alternative's convenience and security.

DBS Bank, Singapore's largest bank, stopped issuing physical tokens last February and fully phased out their use last April.

A spokesman said the vast majority of its customers are using digital tokens but they can ask for a physical one.

"The DBS digital token is just as secure as a physical token. It has in-built security features such as end-to-end encryption that provides multi-layered protection to our customers," he added.

UOB stopped automatically issuing physical tokens in 2018 although customers can still opt for them. The lender said that average monthly requests for physical security tokens fell about 60 per cent from 2020 to last year.

A Standard Chartered Bank spokesman said the bank stopped issuing physical tokens in 2019.

Security has become increasingly important to local banks given a sharp rise in phishing scams.

There were 469 cases of people falling prey to such scams in December involving OCBC, with reported losses totalling at least $8.5 million.

Victims received unsolicited SMSes purporting to be from the bank, claiming there were issues with an account. They were told to click on a link given in the message to resolve the problem.

The link led to fake bank websites. Victims were then asked to key in their Internet banking account login details only to discover later that they had been scammed when they received notifications about unauthorised transactions.

ST understands that the scams are still occurring.

Mr Francisco Celio, OCBC's head of group corporate security, called the fraud "particularly aggressive and highly sophisticated in duping consumers into disclosing their personal banking details".

He added that the bank is helping affected customers and that OCBC's banking systems have not been hacked and remain secure.

"We want to remind our customers not to disclose their personal banking details to unverified sites... OCBC will never ask customers to access their bank accounts through SMS links," said Mr Celio.

Follow ST on LinkedIn and stay updated on the latest career news, insights and more.