DBS’s TFA saga continues …

This is a reply from the regulator – MAS – but is not really optimum.
====================
Reply from MAS:
from [name deleted]
to me
cc customerservice@dbs.com
date Dec 15, 2006 10:29 AM
subject Two factor authentication for internet banking

Dear Mr Pillay

Thank you for your email dated 11 Dec 06.

MAS issued a guideline in November 2005 for the implementation of 2FA for all types of internet banking by 31 December 2006. In response to this guideline, banks have been rolling out their two factor authentication (2FA) solutions. Some are offering a variety of 2FA choices while others have decided on a token-only solution. MAS does not prescribe any particular type of solution. Customers are free to choose which banks they want to have their internet accounts with.

In recent years, there has been a persistent increase in security incidents involving the capture or misappropriation of customer PINs by cyber criminals, hackers, internal or external adversaries, and possibly even cyber terrorists. Continuing reliance on a single-factor PIN for safeguarding access to internet banking accounts is flawed and questionable.

2FA is a security solution to mitigate the vulnerabilities and limitations of single-factor PINs. It is a strong security control but is not a panacea for all types of security threats to internet banking. There is no single omnipotent security solution for all the security challenges and complexities of internet banking. Security vendors, experts and consultants have been known to express varying, and sometimes disparate, opinions about the efficacy and adequacy of different security solutions.

The principal purpose of 2FA is not only to protect the integrity and soundness of our internet banking systems but also to enhance public confidence so that the continuing growth and popularity of internet banking could be nurtured and sustained.

Yours sincerely
[name and department deleted]

My reply to the MAS:

to [name deleted]
cc customerservice@dbs.com
date Dec 15, 2006 12:14 PM
subject Re: Two factor authentication for internet banking

[name deleted] –

> Thank you for your email dated 11 Dec 06.

Hi. Thanks a lot for the reply. I am really glad that you did and do appreciate the time taken as well.

> MAS issued a guideline in November 2005 for the implementation of 2FA for
> all types of internet banking by 31 December 2006. In response to this
> guideline, banks have been rolling out their two factor authentication
> (2FA) solutions. Some are offering a variety of 2FA choices while others
> have decided on a token-only solution. MAS does not prescribe any
> particular type of solution.

Which is the right thing for MAS to do – clap, clap, clap. However, MAS could suggest that the banks not rely on just one form of TFA so that customers are not inconvenienced. The current scheme with DBS means that if I were to lose the hardware token, I am out of luck with Internet banking access. I have to wait till I get another – days later and at a price. Why? A Java applet in my cell phone would do the same thing just as well and at an extremely low cost. The convenience of Internet banking has been turned on its head with less than optimum solutions. I am glad to see other banks thinking from the customer’s point of view and am very disappointed with DBS.

> Customers are free to choose which banks they
> want to have their internet accounts with.

While it is true that customers are indeed free to choose which banks they want to have their Internet accounts with, the reality is one of vendor lock-in. I am stuck with DBS because of the housing loans I have to service and you would agree with me that it is a major hurdle to cross to move to another banking/housing loan vendor.

> In recent years, there has been a persistent increase in security incidents
> involving the capture or misappropriation of customer PINs by cyber
> criminals, hackers, internal or external adversaries, and possibly even
> cyber terrorists. Continuing reliance on a single-factor PIN for
> safeguarding access to internet banking accounts is flawed and
> questionable.

Hacking is a noble thing. Cracking is probably what you are referring to above.

> 2FA is a security solution to mitigate the vulnerabilities and limitations
> of single-factor PINs. It is a strong security control but is not a panacea
> for all types of security threats to internet banking. There is no single
> omnipotent security solution for all the security challenges and
> complexities of internet banking. Security vendors, experts and consultants
> have been known to express varying, and sometimes disparate, opinions about
> the efficacy and adequacy of different security solutions.

As a 15-year IT security practitioner myself, I see minimal value with TFAs for use with Internet banking for it gives a false sense of security without addressing the real issues. Throwing more money and hardware at the problem is not the best way forward – it has to do with understanding why/how it happens and how best to mitigate it. The sorry statistic is that almost 100% of the compromises were users running Windows which clearly shows where the problem lies.

> The principal purpose of 2FA is not only to protect the integrity and
> soundness of our internet banking systems but also to enhance public
> confidence so that the continuing growth and popularity of internet banking
> could be nurtured and sustained.

While growing and sustaining a safe and secure Internet banking environment is a laudable objective, there are simpler ways this security requirement can be met as well. For one, recommend to people that they should be running secure operating systems like Linux. I have run Linux exclusively at home and at work for the last 10+ years and I have not had any issue with it. I continue to bank with DBS because they were “enlightened” enough that I could do Internet banking with them via Netscape/Firefox/Mozilla/Opera on Linux all these years. They seem to have lost their enlightenment when it came to this TFA deal. Unlike the browser/OS environment, in the TFA scenario, no choice was offered and I cannot see how this unfortunate corner they have painted themselves into can be escaped from without MAS cutting them some slack.

Would you be able to work with the banks to allow for a delayed roll out of this, thus allowing DBS time to offer a second and third way to do the TFA? Dec 31 is not the end of the world in terms of this requirement and, from an outsider’s point of view, can be changed.

I am sure DBS would not want to ask MAS for an extension for the mess they are in, so I am asking for it on their behalf. Please give DBS a 6 month extension – till June 30 2007 – to roll out the TFA that will address the issue of choice.

Thanks and compliments of the season!

> Yours sincerely
> [name deleted]

Regards.

Harish Pillay
PS: For the record, I do not work for DBS, nor own any of their shares. I am just a customer – increasingly frustrated no doubt – and stuck with them because of my housing loans.
======

It is December 29th now. I do not expect any reply from MAS nor DBS.

A friend sent me this. I hang my DBS token on the key rack at home so that anyone can get to it when I need it. BTW, I noticed that those with POSB internet banking have not been issued with the token. Perhaps POSB customers are expendable (or are also smarter), unlike DBS customers who are Windows users and therefore stupid and prone to phishing.
