Better authentication allays online banking fears

Some Asian regulators have mandated the use of two-factor authentication for Internet banking, but not how it is implemented. ZDNet Asia checks on where the banks are at.
Written by Isabelle Chan, Contributor

Two-factor authentication (2FA) may be a regulatory requirement and an additional cost for Asia's banks to bear, but the enhanced protection may be what the financial institutions need to boost confidence in Internet banking.

No thanks to phishing scams and fake Web sites, concerns over the security of online transactions have risen over the years, prompting banks to do more to secure their Internet banking channel.

Banking Web sites now have a list of frequently-asked questions about Internet security to educate their customers on how to better protect their online transactions from fraud. Regulators like the Monetary Authority of Singapore, Hong Kong Monetary Authority and Bank Negara Malaysia have also issued guidelines--albeit of varying degree--for banks to implement 2FA as an additional layer of security on top of the regular password.

So is the stepped-up security mechanism working for banks?

The results have been more than encouraging for OCBC Bank in both Singapore and Malaysia. Patrick Chew, head of delivery for OCBC Consumer Financial Services, said online banking activity in Singapore has gone up since the bank began offering the stepped-up security measure.

"The total number of transactions has actually gone up by 20 percent and the average value has also gone up by the same percentage points," said Chew. "And what's interesting is the average value per user or customer, has gone up by more than 50 percent."

"What this tells us is customers are [logging on] to Internet banking and are doing more; they are [conducting] transactions of higher value than they've ever done."

Without a doubt, 2FA has boosted the banking customers' level of confidence in online banking, said the elated OCBC executive of 15 years.

"We're glad that this is the situation because prior to 2FA, there were a lot of doomsday predictions that transaction volume would absolutely drop," Chew said. "[Customers] are telling us that we're doing the right thing for them."

Sheila Wong, head of delivery for OCBC in Malaysia, said that compared to last year, the bank has almost doubled its Internet banking customer base and the number of financial transactions per month has increased by about 20 percent.

DBS
2FA choice: Hardware token
• Close to 970,000 customers conduct online banking.
• Bank is on track to complete 2FA rollout by the third quarter this year.
• Customers are "readily embracing" 2FA and making transactions with higher amounts than before, says DBS.

Citibank
2FA choice: SMS or hardware token in Singapore; SMS only in Hong Kong
• Singapore customers prefer SMS because of its portability and convenience; only 20 percent have opted for the hardware token. The bank says that customers in Singapore are not required to sign up for 2FA, hence all its customers in the country are automatically given the option to transact with 2FA.
• Since implementing 2FA in Singapore, total transactions grew about 20 percent from 2006, of which online banking transactions accounted for almost 50 percent of all transactions. Average transaction value per customer increased about 9 percent year-on-year.
• In Hong Kong, 1FA is still used for transactions with low-risk potential such as fund transfers within accounts under the same Citibank customer's name, bill payment to government regulatory bodies and utility companies. 2FA is used for services with high-risk potential such as third-party fund transactions.

OCBC
2FA choice: The only Singapore bank to offer three types: SMS, mobile phone and hardware token. Only SMS and hardware token are offered in Malaysia.
• In Singapore, 300,000 retail customers have signed up for Internet banking. In Malaysia, OCBC has doubled its Internet banking customers between 2006 and 2007.
• Customers prefer SMS, followed by hardware token as a distant second.
• Since implementing 2FA in Singapore, the total number of transactions and average value per transaction have increased 20 percent; average value per user has increased 50 percent. In Malaysia, the number of financial transactions per month increased by about 20 percent.
• On Jul. 1, 2007, OCBC Singapore will "turn off" 1FA.
• Singapore corporate customers have been using hardware tokens for online transactions since 2001. However, the bank is in the final stages of migrating them to hardware tokens for both login and transaction approval, as mandated by the Monetary Authority of Singapore. OCBC is reviewing the implementation of 2FA for corporate customers' system login in Malaysia.

Standard Chartered
2FA choice: SMS is the bank's global 2FA solution
• On average, 25 percent of Standard Chartered customers in Asia have Internet banking accounts.
• Too early to say if customers are making higher value transactions, says bank.
• 2FA should be rolled out to 90 percent of Internet banking customers in Singapore by the end of June 2007, and to the remaining customers by year-end.
• More than 50 percent of Singapore Internet banking customers are using SMS authentication; to date, more than 150,000 passwords per month have been sent out via SMS.

UBS
2FA choice: Hardware token for private clients; digital certificates for institutional clients
• UBS has been using 2FA in Asia for private clients since it began offering Internet banking in Singapore and Hong Kong in 2001.
• Hardware token for private clients is used for both Internet- and phone-based authentication. Hardware token was selected because RSA's SecurID was "the market leader at the time of selection, and because it was already in use within UBS internally, it was easy to implement", the bank says.
• Digital certificate for institutional clients is ideal because it is "fast, secure and better suited for corporations", UBS says.
• For institutional clients, 2FA will be introduced from the third quarter of 2007, targeted for completion by year-end.
• Bank says it is evaluating proprietary access card technology.

UOB
2FA method: SMS and hardware token
• About 40 percent of UOB customers make online transactions.
• More customers have opted for SMS; tokens are usually chosen by customers who travel frequently, bank says.
• No change in the type of transactions made since the implementation of 2FA, bank says.
• By June 2007, all UOB personal Internet banking customers will be required to log in using the one-time password, in addition to their current username and password. Customers will have a choice of using either SMS or the hardware token.
• For those who have not opted for 2FA, they can only view enquiries on their accounts via the Web and cannot perform any online transaction.

DBS, which has operations in Singapore and Hong Kong, has also received a positive response.

"Over the last few months, we see customers readily embracing the additional level of security through our 2FA token device," said a DBS spokesperson. "This is evident from the fact that they are making transactions with higher amounts than before, reflecting a higher confidence in banking via the Internet channel."

But not everyone has the same report card.

UOB told ZDNet Asia it has not seen a change in the type of online transactions following the implementation of 2FA, while Standard Chartered said it is still too early to tell.

However, Shee Tse Koon, chief information officer for Standard Chartered Bank in Singapore, is looking forward to increased online activities.

"We are optimistic that 2FA has an enhanced security feature which will encourage higher value usage in time to come," Shee said. "As more customers get used to the idea of Internet banking and become more comfortable with the security features in place, we will consider building in more transaction capabilities that customers can conduct online."

But 2FA is not a panacea for all ills.

OCBC's Chew said that threats to online security will always be there, and although 2FA is now in place, it does not mean that banks can rest on their laurels.

"2FA is not the silver bullet," he said. "It is one of the many measures the bank has taken to combat online fraud. What we're doing is adding another hurdle for any would-be fraudster to commit online fraud."

He added that his bank will continue to monitor the situation and take additional security measures when required.
