Paul Mah explains why he is impressed with how Singapore-based DBS Bank implements two-factor authentication for its online banking system.
When I read recently about a small business owner who became the victim in a half-million-dollar cyberheist, it shocked me to learn of banks that have yet to implement two-factor authentication. At a time when specialized financial malware are growing increasingly sophisticated, two-factor authentication is a necessity that financial organizations cannot ignore.
Here's my look at how Singapore-based DBS Bank has architected its online Internet banking service. Its Internet banking service requires a second-factor authentication using a security fob to log in and to further authenticate certain activities. While it's not possible to delve into each aspect of DBS Bank's comprehensive Internet banking service, I highlight some of the key components that the bank has implemented well.
Before funds can be transferred to a new account, details pertaining to the destination account must first be added; this entails keying in the pertinent details, such as a name, bank code, and account number. Moreover, a One Time Password sent via text message must be keyed in before the new payee is formally activated. Subsequently, all fund transfers to any third-party account requires a code generated by the security fob, and results in a notification being sent as a text message and email.
Bill payment requires the least security, because the organizations on the list are businesses that are already preapproved and known to DBS Bank. While it is possible to do one-time bill payments without any further authentication, users will want to create a list of organizations that they make payments to on a regular basis. Adding a new payee on this list triggers a text message and email alert, but does not require the use of the security fob.
DBS offers a comprehensive notification system using email and text messages, which is managed under a section named Alerts. To prevent a hacker from diverting messages from the bank, any changes in this section requires a code generated by the security fob and sends out a mandatory email and text message from the bank. As an added precaution, the date on which modifications were last made to the settings are also reflected where applicable.
An impressive system
I am impressed at how DBS Bank has successfully created a multi-layered system that makes it substantially harder to mount an attack by automated agents. In order to steal funds, a hacker would need two sets of code from the security fob: The first to log in, and another to perform the money transfer. In between, the hacker would also need to intercept the verification code sent to the victim's phone in order to validate the rogue account. Presumably, various email notifications automatically sent when creating the rogue account and transferring of funds must also be intercepted and hidden from the victim.
Even the system outlined above can be circumvented with the right malware on both the victim's computer and mobile phone. It is far more likely, however, that cybercriminals will opt to target low-hanging fruit instead.