Safer way to shop online soon

Banks may let credit card holders use security tokens to generate passwords

Making online purchases could soon be even safer.

Banks here are exploring the possibility of allowing credit card customers who shop on the Internet to generate passwords using their tokens before they pay for goods. Tokens are the calculator-like devices given to online banking customers.

Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore (ABS), told The Straits Times that customers would be able to choose from this option or the existing one-time password (OTP) system, in which a code is sent by the bank via SMS to the customer.

The current system, known as 3D Secure, is a common security feature on online merchant websites and prompts customers to key in a six-digit password to authenticate their purchases.

Only Maybank and OCBC currently give their customers the choice to opt for this password to be generated from a security token instead.

For OCBC, this choice is only available if the customer has an Internet banking account.


Hardware token-generated OTPs are not at risk of being compromised by malware, as hardware tokens are standalone devices.

MR CHARLES FAN, chief executive of IT security specialist Assurity.

Now, other major banks, including DBS, CitiBank, Standard Chartered and UOB, are also exploring offering the security token option for their credit card customers.

Mrs Ong-Ang said: "Banks are doing this to give their customers the choice of a greater level of security when performing online transactions."

Banks here say most customers prefer SMS OTPs as they are more convenient. However, if the users' mobile phones are compromised with malicious software or malware, hackers can access their personal information and read their SMSes, including the OTPs sent to them.

This breach thus overrides the key security feature of 3D Secure.

A physical token makes such transactions safer. "Hardware token-generated OTPs are not at risk of being compromised by malware, as hardware tokens are standalone devices," said Mr Charles Fan, chief executive of IT security specialist Assurity.

For undergraduate Marcus Ting, 24, having the option to choose between the two would open up more security features for users, although he prefers using SMS as it is more convenient. "Sometimes, if I want to shop online on the spur of the moment, I may not have the token on hand," he said.

A version of this article appeared in the print edition of The Straits Times on February 13, 2016, with the headline 'Safer way to shop online soon'. Print Edition | Subscribe