Part 3 of the DBS/TFA deal

Just sent off this to the MAS to seek their inputs.

===
date Dec 11, 2006 2:16 PM
subject MAS’ recommendation for a two factor authentication for internet banking

[name deleted] –

Hi. I am writing to you (and cc’ing DBS’ customer service) based on a series of email exchanges I had with DBS with regards to the proposed two factor authentication recommendation by MAS.

In the MAS document “Circular No: SRD TR 02/2005” dated November 25, 2005 [1], the MAS directed banks under it’s control to consider introducing a two factor authentication (TFA) scheme by end of 2006.

I have read that document and I must acknowledge that it is fairly comprehensive and useful. I would at this point, bring to your attention what security researchers have noted about the futility of TFAs for they do not prevent phishing in the first place[5].

While I recognize that MAS should let the banks decide on the details of how to get the TFA going, the path taken by DBS (and others except OCBC – from what I know[6]) is in rolling out inconvenient, bulky, battery operated devices.

I have asked DBS to consider making available a cell phone based Java application [2][3][4] that does the one-time-password but they have not been able to agree saying that the MAS is hard and fast on the timing and the recommendations to roll out a TFA. I would like to seek your help in recommending to the banks to either delay the introduction of this scheme or to require them to have at least two forms of TFA – token, Java; toke, SMS or just one with SMS.

I have offered to DBS that I am willing to test out their Java-based solution, but they are reluctant to do so and point to MAS for wanting to roll it out by end December 06.

I look forward to a reply from you.

Thanks and best regards.

Harish Pillay
[1] http://www.mas.gov.sg/regulations/download/IBTRM.pdf
[2] http://www.securityfocus.com/tools/3591
[3] http://marcin.studio4plus.com/en/otpgen/files.html
[4] http://www.cs.umd.edu/~harry/jotp/
[5] http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
[6] http://www.ocbc.com.sg/personal-banking/2FA/index.shtml

Leave a Reply