The March of Cluelessness at DBS Marketing

Sigh. DBS need not become a bank/company that one would want to hate like Microsoft. DBS marketing is taking more than a few pages (looks like a whole chapter) on how to annoy and break the compact between a buyer and a seller.

In DBS’ relentless pursuit to listen to the boss, they took a path of irrational waste of money by introducing token-based two-factor authentication. Interestingly, they only rolled it out to stupid DBS customers (I fall into that) and left the smarter POSB alone. But it looks like the POSB customers are now suspect and today, I (albeit my wife) received a token to access POSB internet banking accounts. Sigh, sigh.

Just look at what the third-largest bank in Singapore, OCBC, has done:
======================================
12/08/2006 07:19 PM Please respond to
To OCBC customers
Subject OCBC 2-Factor Authentication (2FA) : Invitation to a More Secure Online Banking Experience

Dear Internet Banking user,

We are pleased to invite you to come on board today and experience greater peace of mind when you bank online with 2-Factor Authentication (2FA) – the latest security measure from OCBC that provides effective protection against Internet threats such as identity theft and phishing.

As a 2FA user, you will be prompted to enter a One Time Password (OTP) as a 2nd level of authentication whenever you initiate login to Internet or Mobile Banking. OTPs are obtained via 2FA Tokens, which depending on your choice, may involve a physical hardware device or your mobile phone.

Login to Internet and Mobile banking with the following steps:

* Step 1 – Enter your Access Code and PIN
* Step 2 – Enter an OTP, generated by your preferred 2FA token, to complete the login process

Choose from 3 simple 2FA solutions to suit your lifestyle
We understand that additional levels of security should not come with additional levels of complexity or inconvenience. We have gone the extra mile to offer 3 easy ways - via 2FA tokens - to generate your OTP. Pick the token that suits your lifestyle best!

* A key chain-sized device that generates your OTP.
* Generate your OTP from a simple software that is installed into your mobile phone.
* Your OTP is sent via SMS when you initiate the login process to Internet or Mobile Banking.

For full details on your 2FA choices, visit http://www.ocbc.com/2FA now!

Copyright 2006 – OCBC Bank | All Rights Reserved. Co. Reg. No.: 193200032W
===================================

DBS continues to be defiant, cocky and indifferent to customer (that would be me) requests. Perhaps I should do a public demo of how trivial it is to hijack/fake a two-factor authentication scheme – to highlight the folly of having to have this method in the first place. Urrgh!

8 comments


  1. Re: The _real_ danger
    You can have the best keys, access controls and carelessness aka human frailties, defeat them every time.
    But that is not the issue. The issue is that given life’s quirks, and accepting that there is some valid reason for putting up some protection, would it not be far smarter and definitely less annoying, if the two factor access is done with multiple means?
    We all know the “_real_danger”. Nothing today stops that from happening.
    Harish


    • Re: The _real_ danger
      “The issue is that given life’s quirks, and accepting that there is some valid reason for putting up some protection, would it not be far smarter and definitely less annoying, if the two factor access is done with multiple means?”
      Yes, it would be less annoying to have a TFA cellphone application instead of a small battery-powered device, as you mentioned in
      http://harishpillay.livejournal.com/43216.html .
      But a trojan or phisher would not be deterred no matter what device the TFA key comes from. It is the access that it wants.
      http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
      Thus, I don’t think it would be “smarter”, but it would certainly be “less annoying” and more convenient.


  2. The easiest way to annoy a customer is by misleading him
    Hi, nice post. However, I think, the easiest way to annoy a customer is by misleading him. For example, I was first in Croatia offering copywriting services (ad.com.hr), and people started looking in shock not believing that I am willing to prove myself before getting paid. I think most important is honesty.
    Btw. Isn’t that international bank, OCBC?


    • Re: The easiest way to annoy a customer is by misleading him
      Thanks for the comment. OCBC is a Singaporean company and what you are thinking of is HSBC.


  3. This year elections have already become history. That is indeed a turning point in US history. For better, hopefully. But President Obama together with this chief magistracy he took over, took up a heavy burden. The USA (and pretty much the rest of the world) is going through tough times. And it will be really hard for Mr. Obama to meet expectations of Americans and of other countries. He has so much to change for the better – healthcare system, taxation, financial system, the situation on the real estate market (business mortgage loans, home loans, etc.) The next 4 years will be a pretty rough time for the President.


  4. xournal is great
    Yes, xournal is lovely. Used it to mark up changes on a multi page PDF from a professional shop which used Adobe InDesign — the only thing they could deliver was PDF ! (other than .INDD format which I don’t have the tools for!)
