DBS’s two factor authentication fiasco in the making


Sent this to DBS Singapore:

I received a note from you about the two factor authentication (TFA) scheme for accessing i-banking. While I agree that a TFA scheme is long overdue, the mode in which you are doing this is needs questioning. See http://tinyurl.com/5yyc8 for details about the futility of TFA.

Based on the comment by a world reknowned security professional in the URL above, I want to opt out of this method. But recognizing that your bank is too committed into this scheme, I would like to opt out of using a separate token and instead to be able to use my cell phone as the device for TFA. Please do not tell me that it is any less secure than the hardware device you are shipping. Imagine the millions you are spending and the millions customers like me are going to be stuck with to pay for when you decide that the project is a disaster (the sarcasm is implied).

In the URL above, it is clearly evident that no matter which scheme you do, phishing and pharming can happen. But since the bank seems to be wanting to continue this path of failure, I would want you to send me via SMS after I log in, an OTP . With that OTP via SMS, your TFA program can start quicker and with far less cost/pain/annoyance.

To repeat, I will not use YET ANOTHER DEVICE for accessing the my account.

Many questions about this device: what happens when and if I loose the token? What if the battery is dead? What happens when I need it and it is at home for example? What happens if there is a hardware problem? Have you thought through all of these issues? I am sure that the vendor who convinced you to roll this out is laughing all the way to his bank (which probably is not using it)!

Unlike this additional piece of hardware, the handphone with SMS is handy and well known as an interface that almost all of your internet banking customers would be having.

For those who do not have a handphone, perhaps this token scheme would be workable – alternatively, you could cook up a clever scheme with the local telcos to get a handphone to them.

It appears that you might not have run a survey about alternative schemes to do TFA. Do you realize the amount of utter inconvenience and customer annoyance you are creating? Your may be the biggest bank in Singapore, but you certainly have no idea about customer convenience.

I just called your 1800# and the person on the other side said that this is “mandated by MAS”. I think that is not true – please show me where it is stated in MAS’ site that you need a silly TFA scheme. I believe it is optional.

Bottom line, I want out of this. Give me another way to do this TFA.

Thanks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s