S'pore banks gear up for stronger authentication

By Vivian Yeo, ZDNet Asia
Tuesday, May 09, 2006 03:25 PM

SINGAPORE--Banks in the island-state are readying to provide stronger authentication for online banking services, in time for the year-end deadline set by the financial industry regulator.

In a move to protect banking customers, the Monetary Authority of Singapore (MAS) issued an advisory to banks here last November, strongly recommending that they implement two-factor authentication at login for all Internet banking systems by December 2006. The industry regulator also urged banks to consider making it compulsory for their customers to provide the additional authentication factor during high-risk transactions or when making changes to sensitive data after login.

The changes could impact at least half of Singapore's Internet population. Estimates from Financial Insights Asia, the financial research arm of analyst IDC, indicate that between 1.6 million and 1.8 million people, or about 53 percent of Singaporean Internet users, were "active" Internet banking users as of last May. "Active" users refer to those who log on to their Internet banking accounts at least once in three months.

Patrick Chew, head of delivery for consumer financial services at the Oversea-Chinese Banking Corporation (OCBC) Bank, told ZDNet Asia in an e-mail that the bank is in the "final stages" of evaluating suppliers of two-factor authentication solutions for its customers. The local bank, he added, is open to both hardware and software tokens, and will "not discount the possibility of offering our customers multiple types of tokens in the long term".

For its corporate customers, however, OCBC offers authorized users a physical token known as the Digipass, which generates a response to a time-sensitive challenge code issued by the bank in order to validate fund transfers and payments. The Digipass, offered since 2001, is free to customers during promotional periods and otherwise costs S$50 (US$31.75), according to Ricky Lim, OCBC's head of implementation for group transaction banking.

When contacted, Singapore's DBS Bank confirmed that it has already decided on the authentication technology, but did not disclose further details.

Over at Dutch bank ABN AMRO, two-factor authentication is not new. It introduced a second authentication factor when it launched its Internet banking service two years ago, said Suhail Chander, the bank's head of consumer clients in Singapore. ABN AMRO does not charge for the hardware, but imposes a charge for replacement of lost devices.

The bank opted for a hardware-based dynamic security password generator as the second authentication factor because it was more widely accepted, Chander noted. "Furthermore, the MAS has strongly recommended hardware-based form of two-factor authentication," he added.

In an e-mail reply to queries from ZDNet Asia, a MAS spokesperson said that the banks have "responded positively" to the Authority's recommendations, and that the regulator foresees they will proceed to implement two-factor authentication.

"Banks themselves are well aware of the need for enhanced Internet security," the spokesperson added. "They recognize that it is in their interest, as well as their customers', to tighten Internet banking controls."

MAS will leave it to the banks to decide what authentication modes best meet their requirements. No penalties will be imposed should the banks not implement two-factor authentication at login, the spokesperson said.

Logistics headache
According to several technology vendors, the banks will not have much difficulty implementing the right infrastructure, but the real challenge will be in getting the message

