S'pore banks gear up for stronger authentication

SINGAPORE--Banks in the island-state are readying to provide stronger authentication for online banking services, in time for the year-end deadline set by the financial industry regulator.

In a move to protect banking customers, the Monetary Authority of Singapore (MAS) issued an advisory to banks here last November, strongly recommending that they implement two-factor authentication at login for all Internet banking systems by December 2006. The industry regulator also urged banks to consider making it compulsory for their customers to provide the additional authentication factor during high risk transactions or when making changes to sensitive data after login.

The changes could impact at least half of Singapore's Internet population. Estimates from Financial Insights Asia, the financial research arm of analyst IDC, indicate that between 1.6 million and 1.8 million people, or about 53 percent of Singaporean Internet users, were "active" Internet banking users as of last May. "Active" users refer to those who log on to their Internet banking accounts at least once in three months.

Patrick Chew, head of delivery for consumer financial services at the Oversea-Chinese Banking Corporation (OCBC) Bank, told ZDNet Asia in an e-mail that the bank is in the "final stages" of evaluating suppliers of two-factor authentication solutions for its customers. The local bank, he added, is open to both hardware and software tokens, and will "not discount the possibility of offering our customers multiple types of tokens in the long term".

For its corporate customers, however, OCBC offers a physical token known as the Digipass to authorized users, which is used to generate a response to a time-sensitive challenge code issued by the bank in order to validate fund transfers and payments. The Digipass, available since 2001, is available to customers for free during promotional periods, and otherwise costs S$50 (US$31.75), according to Ricky Lim, OCBC's head of implementation for group transaction banking.

When contacted, Singapore's DBS Bank confirmed that it has already decided on the authentication technology, but did not disclose further details.

Over at Dutch bank ABN AMRO, two-factor authentication is not new. It introduced a second authentication factor when it launched its Internet banking service two years ago, said Suhail Chander, the bank's head of consumer clients in Singapore. ABN AMRO does not charge for the hardware, but imposes a charge for replacement of lost devices.

The bank opted for a hardware-based dynamic security password generator as the second authentication factor because it was more widely accepted, Chander noted. "Furthermore, the MAS has strongly recommended hardware-based form of two-factor authentication," he added.

In an e-mail reply to queries from ZDNet Asia, a MAS spokesperson said that the banks have "responded positively" to the Authority's recommendations and foresees that they will proceed to implement two-factor authentication.

"Banks themselves are well aware of the need for enhanced Internet security," the spokesperson added. "They recognize that it is in their interest, as well as their customers', to tighten Internet banking controls."

MAS will leave it to the banks to decide what authentication modes best meet their requirements. No penalties will be imposed should the banks not implement two-factor authentication at login, the spokesperson said.

Logistics headache
According to several technology vendors, the banks will not have much difficulty implementing the right infrastructure, but the real challenge will be in getting the message across to Internet banking users and ensuring that they use the stronger authentication with care.

Ross Wilson, managing director for South Asia and India at RSA Security, noted that "the banks will be in a good position to comply by the end of the year" in terms of having the infrastructure in place. The rollout, however, will require a longer time, he said.

"The majority of the time and effort spent on such projects is not during the implementation stage," Wilson pointed out. "Rather, it is on the logistics of rolling out the physical tokens to the end users and ensuring that the end users have all the information they need to use the technology provided by the bank," he added.

James Chong, senior vice president of sales at Meridea, a mobile banking software vendor, agreed, saying that it is not likely that the banks will be able to "roll out to everybody by January 1". However, there will at least be a plan in place for customers to sign up to download software tokens or collect physical tokens, he added.

When ABN AMRO initiated two-factor authentication, the bank assigned dedicated staff to demonstrate the use of the device to every client who signed up for its Internet banking service, said Chander. Customers can obtain the password generator at any branch outlet and, on average, begin transacting online with the bank in less than four working days, he added.

According to Douglas Jaffe, associate director for Financial Insights Asia-Pacific, cost is an issue that the banks have to grapple with, as complying with MAS' requirements will be "very onerous" on the banks. He noted that the requirements are "the most stringent in Asia", more so than the mandate in Hong Kong last year.

"Mandating two-factor authentication at the point of login is going to be a very expensive proposition for banks," said Jaffe. "Already some banks have put in place [SMS-based] systems to protect customers, and many felt these were sufficient to protect customer assets."

Jaffe also noted that it "isn't clear yet" if customers will need to shoulder some of the costs.

Added RSA's Wilson: "It is important that high-quality, robust and reliable tokens are used because of the potential issues in the management, replacement and support of the large number of tokens being deployed. Otherwise, the support, replacement and logistic costs will dwarf the initial costs of implementation."

Wilson said banks also need to look beyond authentication. "With fraudsters exhausting the various avenues in North America and Europe, they are looking for 'greener pastures' within Asia. Local banks should definitely start looking into implementing a layered approach to safeguard their customers before online fraud becomes more prevalent here," he noted.

A multi-layered approach, Wilson explained, would include antiphishing as a first layer to sift out attacks, strong authentication for added protection, as well as a system in place to monitor transaction activities.

The rollout of the banks' two-factor authentication plans will be monitored closely by the Infocomm Development Authority of Singapore (IDA), which is in the process of developing a national authentication framework. The framework is expected to facilitate authentication in transactions between the public sector, businesses and citizens.

IDA's chief executive Chan Yeng Kit announced last month that the broader framework could "ride on the same infrastructure". The IDA, he added, is "in close discussion with MAS and the banks" to work out a common platform.