
How DBS Bank implements two-factor authentication

Paul Mah explains why he is impressed with how Singapore-based DBS Bank implements two-factor authentication for its online banking system.

When I read recently about a small business owner who fell victim to a half-million-dollar cyberheist, it shocked me to learn of banks that have yet to implement two-factor authentication. At a time when specialized financial malware is growing increasingly sophisticated, two-factor authentication is a necessity that financial organizations cannot ignore.

Here's my look at how Singapore-based DBS Bank has architected its online Internet banking service. The service requires second-factor authentication using a security fob both to log in and to further authorize certain activities. While it's not possible to delve into every aspect of DBS Bank's comprehensive Internet banking service, I highlight some of the key components that the bank has implemented well.

Fund transfers

Before funds can be transferred to a new account, details pertaining to the destination account must first be added; this entails keying in the pertinent details, such as a name, bank code, and account number. Moreover, a One Time Password sent via text message must be keyed in before the new payee is formally activated. Subsequently, every fund transfer to a third-party account requires a code generated by the security fob and results in a notification being sent by text message and email.

Bill payments

Bill payment requires the least security, because the organizations on the list are businesses that are already preapproved and known to DBS Bank. While it is possible to do one-time bill payments without any further authentication, users will want to create a list of organizations that they make payments to on a regular basis. Adding a new payee on this list triggers a text message and email alert, but does not require the use of the security fob.

Alerts

DBS offers a comprehensive notification system using email and text messages, which is managed under a section named Alerts. To prevent a hacker from diverting messages from the bank, any change in this section requires a code generated by the security fob and triggers a mandatory email and text message from the bank. As an added precaution, the date on which the settings were last modified is also displayed where applicable.
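The three sections above amount to a per-action step-up policy. As an added illustration (not DBS's code and not from the original article), the Python model below encodes that policy: the security fob is modelled as an RFC 4226/6238 one-time code, activating a new transfer payee needs a single-use SMS OTP, and a table states which factor each action requires and which alert channels must fire afterwards. The `POLICY` table, the `BankingSession` class and the 30-second fob window are assumptions made for the model.

```python
import hmac, hashlib, secrets, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; stands in for the code displayed by a security fob."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

# Step-up rules as the article describes them (constructed model, not DBS's code).
POLICY = {
    "login":                {"factor": "fob",     "notify": ()},
    "add_transfer_payee":   {"factor": "sms_otp", "notify": ("sms", "email")},
    "transfer_third_party": {"factor": "fob",     "notify": ("sms", "email")},
    "pay_bill":             {"factor": None,      "notify": ()},
    "add_bill_payee":       {"factor": None,      "notify": ("sms", "email")},
    "change_alerts":        {"factor": "fob",     "notify": ("sms", "email")},
}

class BankingSession:
    def __init__(self, fob_secret: bytes):
        self.fob_secret, self.logged_in = fob_secret, False
        self.payees = set()     # third-party accounts already activated
        self.pending = {}       # payee -> SMS OTP awaiting confirmation
        self.notified = []      # (channel, action) alerts the bank sent out
    def request_payee(self, payee: str) -> str:
        self.pending[payee] = f"{secrets.randbelow(10 ** 6):06d}"  # the SMS OTP
        return self.pending[payee]    # returned here only to model SMS delivery
    def _fob_ok(self, code: str, at: float) -> bool:
        # RFC 6238 windows of 30 s; the previous window is accepted for clock drift.
        return any(hmac.compare_digest(code, hotp(self.fob_secret, int((at - d) // 30)))
                   for d in (0, 30))
    def authorize(self, action, *, fob=None, sms_otp=None, payee=None, at=None) -> bool:
        rule, at = POLICY[action], time.time() if at is None else at
        if action != "login" and not self.logged_in:
            return False
        if rule["factor"] == "fob" and not (fob and self._fob_ok(fob, at)):
            return False
        if rule["factor"] == "sms_otp":
            expected = self.pending.pop(payee, None)   # single use, even on failure
            if not (expected and sms_otp and hmac.compare_digest(sms_otp, expected)):
                return False
        if action == "transfer_third_party" and payee not in self.payees:
            return False        # destination must be an activated payee
        if action == "login":
            self.logged_in = True
        if action == "add_transfer_payee":
            self.payees.add(payee)
        self.notified += [(channel, action) for channel in rule["notify"]]
        return True
```

Note that a transfer to an account that has not completed the SMS step is refused even with a valid fob code, which is the property that forces an attacker to compromise both channels.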

An impressive system

I am impressed at how DBS Bank has created a multi-layered system that makes it substantially harder to mount an attack by automated agents. In order to steal funds, a hacker would need two codes from the security fob: one to log in and another to perform the money transfer. In between, the hacker would also need to intercept the verification code sent to the victim's phone in order to validate the rogue account. Presumably, the various email notifications automatically sent when creating the rogue account and transferring funds must also be intercepted and hidden from the victim.

Conclusion

Even the system outlined above can be circumvented with the right malware on both the victim's computer and mobile phone. It is far more likely, however, that cybercriminals will opt to target low-hanging fruit instead.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

6 comments
Tgneg

It's nice to see another company giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.

zarino_tong

As an IT professional, I don't see how these are different from any major banks in the world. As a bank client, these are the bottom-line security I would look for before banking in.

phyongpp

I don't understand why DBS sends one-time passwords sometimes to our second factor tokens and sometimes to our mobile phone SMS. This makes it very inconvenient for travellers, because it means that they will have to carry both their tokens as well as their mobile phones with them wherever they go. What about those whose registered mobile does not have roaming facility in a particular country? They will be completely cut off from using DBS facility too. I strongly suggest that DBS allows the user to choose between tokens and mobile SMS, just like what OCBC and Stanchart do. So, in this respect DBS is still primitive compared to other banks. DBS should do away with sending one-time passwords to mobiles for people who travel to a country that does not have roaming facilities for our Singapore SIM cards.

jcjunne

With a Digipass (specialized pocket calculator), the customer would not have to wait for an email from their bank before transferring money to a new beneficiary. European banks in this case ask the client to input additional details directly through the Digipass machine. Similarly, if the amount to be transferred is over $2000.00, again as a precaution, the bank asks to key in additional details directly into the Digipass. As you can see, no idle time is spent waiting for an email (which may never arrive if sent to the wrong address).

diasl

Recently I have seen voice biometrics gaining traction; voice will be very difficult to mimic, combine that with 2FA. It however depends on the strength of the biometric system.

TechyBoyz

The two-way authentication is not new to the security industry, but I don't understand why many international banks are still not able to implement this. Many European banks strictly follow two-way authentication, but there are many banks and organizations missing this!