While transaction signing is set to be the next security standard in banks, experts observe that it will also inconvenience users, who must invest time and effort in understanding new technologies and go through various authentication processes.
Transaction signing--another layer on top of traditional two-factor authentication methods--requires users to key in details embedded in their transactions, which only they would know, to generate a random one-time PIN. If hackers attempted to change the details, the signature would be void and the transaction would not be approved.
Existing 2FA deployments, which are mostly based on one-time passwords (OTP), are still vulnerable to Trojan-infected Web sites and man-in-the-middle attack risks, noted Lyon Poh, partner of management consulting at KPMG Singapore. As such, stronger authentication is necessary to help secure fund transfers and access to confidential data, he added.
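The difference between the two schemes described above can be shown in code. This is an added example, not code from the article or from any bank's token: it uses an HOTP-style HMAC construction (RFC 4226 truncation) as an assumed stand-in for a token's algorithm, and the key, counter and account numbers are constructed sample values.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: HMAC bytes -> short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def plain_otp(key: bytes, counter: int, digits: int = 6) -> str:
    """Classic OTP (HOTP): depends only on the shared key and a counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def signing_otp(key: bytes, counter: int, payee: str, cents: int, digits: int = 8) -> str:
    """Signing code: the MAC also covers the details the user keys into the token."""
    msg = struct.pack(">Q", counter) + f"{payee}|{cents}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)

def bank_accepts_plain(key, counter, payee, cents, code) -> bool:
    """OTP-only check: the received payee and amount are never verified."""
    return hmac.compare_digest(plain_otp(key, counter), code)

def bank_accepts_signed(key, counter, payee, cents, code) -> bool:
    """Recompute the code over the details that actually reached the bank."""
    return hmac.compare_digest(signing_otp(key, counter, payee, cents), code)

# Constructed sample data: token seed, counter and account numbers are made up.
KEY, COUNTER = b"constructed-token-seed", 7
INTENDED = ("1234567890", 50_000)   # what the customer keyed into the token
TAMPERED = ("9999999999", 50_000)   # payee altered before the request reached the bank

def demo() -> dict:
    otp = plain_otp(KEY, COUNTER)
    sig = signing_otp(KEY, COUNTER, *INTENDED)
    return {
        "plain_otp_tampered": bank_accepts_plain(KEY, COUNTER, *TAMPERED, otp),
        "signed_untouched": bank_accepts_signed(KEY, COUNTER, *INTENDED, sig),
        "signed_tampered": bank_accepts_signed(KEY, COUNTER, *TAMPERED, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The plain OTP is accepted even though the payee was altered, because the code says nothing about the transaction; the signed code only verifies against the details the customer actually entered.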
Singapore-based bank DBS had been among the first in the region to adopt the added security layer, when last December it rolled out new transaction-signing tokens to its local customers.
ZDNet Asia understands that other banks such as UOB are also considering similar plans.
DBS transaction signing token
User convenience to be big hurdle
While the industry is keen to get the highest level of protection for everyone, the rapid rise of many new and innovative applications over the past years has made it difficult for users to keep up with complex security technologies, Rob Forsyth, managing director of Sophos Asia-Pacific, observed.
Another observer, Gerry Chng, IT risk and assurance partner at Ernst & Young, also agreed with Forsyth's view. He elaborated that the new tokens' transaction signing capabilities will be "confusing" for customers as there are more buttons on the device than the current single button on most tokens.
It would introduce extra steps for customers to key the details into the new token before an OTP is generated for the transaction signature, he explained.
A local bank customer, Jasper Tan, also told ZDNet Asia that he would find three security layers "extremely time consuming".
According to Tan, he would have to "re-learn" about the new security technologies, as well as go through many authentication processes "just to see his bank statements and transfer small amounts of money".
Another customer, Lee May Chee, also noted that the Internet had made banking more convenient, compared to "queuing up for ages" at ATM machines. "Adding security layers would simply defeat the purpose of making banking convenient," she said.
However, KPMG's Poh maintained that between giving up a little convenience and risking the prospect of unauthorized transactions due to security shortfalls, "the choice is clear for most users". This is especially relevant in light of the threatening cybersecurity landscape today, he said.
Banks to prepare for transaction-signing
With transaction signing, banks should take a "pragmatic approach" because the customer should not be inconvenienced for low-risk activities such as viewing account details or transferring funds between their own accounts, Chng advised.
He explained that the additional steps should only be required for high-risk activities, such as transferring large sums of money.
Poh also added that banks should "take lessons" from the initial rollout of public key infrastructure (PKI). While it had been holistic by security standards, users found it "cumbersome" to deploy and hard to understand when it was first launched.
That is why the technologies developed as well as education put forth by the bank must be easy to use and comprehend from a consumer's viewpoint, he surmised.
"With the challenge of keeping user convenience and security strength in balance, transaction signing must be user friendly and integrated into marketing campaigns to drive widespread adoption," he said.
Internally, while implementing transaction signing tokens, banks will also face operational and technical challenges when distributing new tokens to their customers, Chng noted.
As such, banks should increase the level of support needed to help customers register the tokens, as well as upgrade their applications and infrastructure to handle the additional logic to challenge and authenticate the response from customers.