Forum: Bring back physical tokens for online banking
Physical online banking tokens have proved to be the most secure form of second-factor authentication (2FA), albeit with some costs to periodically replace tokens that have malfunctioned or run out of battery.
It is curious that banks have eliminated this form of 2FA and largely replaced it with an in-app notification on our phones. While more convenient, it is manifestly less secure.
For example, it does not take much for a malicious website to impersonate the look and feel of a banking app to trick potential scam victims into giving up their online banking credentials.
When the 2FA in-app notification pops up on the same device, unsuspecting victims are lulled into “clicking through”, granting scammers full access to their accounts.
Physical tokens are not susceptible to “clicking through”. The time taken for a potential scam victim to retrieve the physical banking token provides a cooling-off period to reconsider the transaction.
In cases of less technologically savvy users whose tokens are kept safe by a trusted family member, it also means a second pair of eyes to scrutinise the transaction.
In the light of the Government’s position that bank customers have a responsibility to protect access to their accounts (Banks should reimburse scam victims, suggests WP’s Sylvia Lim; Govt says it may lead to complacency, Sept 19), the Monetary Authority of Singapore should mandate banks to offer physical tokens as an option.
Tan Hao Yang

