Major retail banks in Singapore will progressively withdraw the use of one-time passwords (OTPs) for authenticating customers logging on to their bank accounts in a bid to reduce the extent of phishing. A joint announcement by the Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) said that customers who have activated a digital token on their mobile phone have only three months before they can no longer receive OTPs for authentication. Other customers will be ‘strongly encouraged’ to switch to using a token on their phone to authenticate themselves. A representative of ABS noted that the change would cause some inconvenience for customers, but that…
…such measures are necessary to help prevent scams and protect customers.
This move sees Singapore emulate neighboring Malaysia. Last year the Malaysian central bank, Bank Negara Malaysia, prohibited authentication that used OTPs sent by SMS. That diktat ruffled some feathers amongst security experts who argued for the merits of using SMS as a ‘universal’ method of communication. However, it is telling that East Asia is now well ahead of Western countries in tightening the security nexus between telecoms and banking. Grandstanding by Western banks about the need for tighter security cannot disguise the fact that many were only beginning to introduce OTPs as a second authentication factor when East Asian authorities were investigating how to move beyond OTPs. Singapore is rightly addressing the weaknesses introduced when using insecure channels to transmit passwords and the ease with which passwords can be compromised using social engineering.
The announcement is available on the MAS website.



