Follow-up on that DBS tfa deal


This is a set of replies and responses to the original note I sent DBS about them requiring me to use a silly tfa device.

Reply #1:
November 7 2006:

Customer Service Feedback
date Nov 7, 2006 3:05 PM
subject (DS0711) RE: Feedback for DBS Group

Dear Mr Pillay,

We refer to your email of 2 November 2006.

Thank you for taking time to share with us your thoughts about our products and service.

We would like to clarify that the introduction of second-factor authentication (“2FA”) is in line with the regulatory guidelines from the Monetary Authority of Singapore (“MAS”) and we attach the circular from MAS for your reference.

After careful assessment, DBS decided to go with the physical security device which we call the “DBS iB Secure Device”. This device is user friendly and reliable, providing users with a dynamic, unique and time sensitive PIN which acts as a good second level of authentication for the user. We have also ensured that it is as light and as portable as possible for your convenience. We recommend that you keep this security device with items you are unlikely to leave behind such as your keys to ensure that you have it with you at all times. We regret that we would not be able to allow opt out from the program.

As a commitment to our customers, we will be issuing the first DBS iB Secure Device to our customers with our compliments. The DBS iB Secure Device has a long lifespan and should last up to 5 years before it has to be replaced (customers can also choose to replace the battery without replacing the DBS iB Secure Device). As with all other banking collaterals, such as ATM and credit cards, there will be a replacement charge for lost DBS iB Secure devices. In this case, the charge is $20 (subject to GST).

Regarding the use of SMS for setting up of account for funds transfer, DBS iB Secure provides you with a dynamic, unique and time sensitive PIN which acts as a second level of authentication without time lags as it is not reliant on a third party. SMS is not a viable solution as it relies on a third party (i.e. telecommunication companies) and during peak periods such as Christmas and New Year, the SMS messages may not be disseminated in a timely manner to customers. There are also considerations about the incompatibility of telecommunications network in countries such as Korea and Japan.

Nonetheless, your feedback is valuable to us, as it will help us to further enhance our service to all customers. We have forwarded your suggestion to the relevant department, and will be giving your feedback due consideration in our ongoing business review of our products and services.

We would like to assure you that the Bank places significant emphasis on the quality of our service and customer satisfaction, and remain committed to listening to our customers and serving them better. Should you require any assistance, please do not hesitate to contact our Customer Service Officers at 1800 111 1111 (or 65 6327 2265 from overseas).

Thank you for banking with DBS Bank.

Best regards,

[name deleted]
Manager
Customer Feedback & Service Management
Consumer Banking Group Singapore
Fax: 6534-4077
Email Address: customerservice@dbs.com

Operation Hours: 8.30am to 6.15pm, Monday to Friday
============================
Response #1:
November 7th:

Customer Service Feedback
date Nov 7, 2006 3:28 PM
subject Re: (DS0711) RE: Feedback for DBS Group

[name deleted] –

Hi. Thanks for the reply. The note from MAS does not mandate the TFA, just recommends it. You have chosen to go beyond that. And that is annoying.

> After careful assessment, DBS decided to go with the physical security
> device which we call the “DBS iB Secure Device”. This device is user
> friendly and reliable, providing users with a dynamic, unique and time
> sensitive PIN which acts as a good second level of authentication for the
> user. We have also ensured that it is as light and as portable as possible
> for your convenience. We recommend that you keep this security device with
> items you are unlikely to leave behind such as your keys to ensure that you
> have it with you at all times. We regret that we would not be able to allow
> opt out from the program.

No, I do not intend to carry it around. It is yet another nuisance device – we want to go cashless, but need to carry around additional devices to ensure it.

> Regarding the use of SMS for setting up of account for funds transfer, DBS
> iB Secure provides you with a dynamic, unique and time sensitive PIN
> which acts as a second level of authentication without time lags as it is
> not reliant on a third party. SMS is not a viable solution as it relies on
> a third party (i.e. telecommunication companies) and during peak periods
> such as Christmas and New Year, the SMS messages may not be disseminated in
> a timely manner to customers. There are also considerations about the
> incompatibility of telecommunications network in countries such as Korea and
> Japan.

Oh, come on. Can you honestly tell me how many customers need to do internet banking transactions from Japan and Korea? And, given that those who would are probably already using 3G phones, they can already get it working in those countries. So, that reason is invalid.

If you had just spent time thinking through this, you could have looked at other options as well:
a) An OTP program that runs in a handphone using Java.
b) Print out a list of OTPs on the monthly statement for people to use – this is what is being done in Germany.

> We would like to assure you that the Bank places significant emphasis on the
> quality of our service and customer satisfaction, and remain committed to
> listening to our customers and serving them better. Should you require any
> assistance, please do not hesitate to contact our Customer Service Officers
> at 1800 111 1111 (or 65 6327 2265 from overseas).

Yes, I still want to opt out.

Harish
=========================================
Reply #2:
November 12 2006:

Customer Service Feedback
date Nov 12, 2006 6:53 PM
subject (JE/DS) (DS0711) Feedback for DBS Group

Dear Mr Harish Pillay

Thank you for your email of 07 November 2006.

We would like to assure you that the Bank has considered the various options and has decided on DBS iB Secure Device as the Second Factor Authentication (2FA).

We regret to inform you that this is the only option currently available to all our iBanking customers.

Nonetheless, we have noted your feedback and suggestion and have forwarded it to the department concerned for their consideration in our ongoing efforts to provide a secure virtual banking environment for our customers.

We thank you for the opportunity to allow us to respond to your concerns and seek your kind understanding in the matter.

Thank you for banking with DBS Bank.

Warmest Regards
[name deleted]
Assistant Vice President
Customer Feedback & Service Management Unit
Consumer Banking Group Singapore
DBS Bank Ltd

Email Address : customerservice@dbs.com
Fax : (65) 65344077
Operation Hours : Monday to Friday, 8.30am to 6.15pm
============================================
Response #2:
November 13 2006:

Customer Service Feedback
date Nov 13, 2006 8:34 AM
subject Re: (JE/DS) (DS0711) Feedback for DBS Group

[name deleted] –

> Thank you for your email of 07 November 2006.

Thanks for the reply.

> We would like to assure you that the Bank has considered the various
> options and has decided on DBS iB Secure Device as the Second Factor
> Authentication (2FA).

I would challenge that. Have you even considered these:
a) For those with a Java phone, get them to download (OTA, or via the Internet) a DBS-signed Java otp (one-time-password/pin) program that will do EXACTLY what that TFA will do at a tiny fraction of the cost of the ONLY scheme you have today. As almost ALL phones sold today run Java, this is a no-brainer option – unless of course you are DBS 🙂. I am certain that you have not thought through this enough.
b) With 3G, one can access SMS/voice networks in Korea and Japan. I know I can – I have a Nokia 6233. I would question the real number of your customers who are travelling to Japan/Korea that would need to do internet banking and would be challenged by this perceived phone network issue. The fact that to cater to a tiny number of high-net worth (perhaps) individuals, you are willing to impose a significant cost on the bank as well as customers is mindboggling.
c) You can get into some creative marketing bundles with the phone makers and telcos to sell newest Java phones to all of your customers.

The OTP java code is not dependent on connectivity with the phone network and you do not need to send/receive SMSes as well. So, in one swoop, you took care of the TFA and removed the need to build and operate a whole separate device infrastructure.

> We regret to inform you that this is the only option currently available
> to all our iBanking customers.

I am glad to inform you that I will choose *NOT* to use it until you decide to accommodate other cleverer options.

> Nonetheless, we have noted your feedback and suggestion and have
> forwarded it to the department concerned for their consideration in our
> ongoing efforts to provide a secure virtual banking environment for our
> customers.

I am in the IT industry and have been doing IT security related stuff for over fifteen years so I think I do know what I am talking about. If I were your management, I would have insisted on multiple means to do this TFA because technology is moving so rapidly, that not doing so is downright financially irresponsible. Naturally, it would be great to make a tonne of money selling a solution that could have other cheaper ways to solve.

> We thank you for the opportunity to allow us to respond to your concerns
> and seek your kind understanding in the matter.

There is nothing to understand here except that you are exhibiting a lack of common sense. You are wasting customers' money in rolling out this option as is. I would have walked out of your bank if not for the fact that I have some housing deals with you.

> Thank you for banking with DBS Bank.

Please, don’t thank me because you are annoying me. You are becoming as clueless as some of the other banks.

> Warmest Regards
> [name deleted]
> Assistant Vice President
> Customer Feedback & Service Management Unit
> Consumer Banking Group Singapore
> DBS Bank Ltd

Regards.
Harish Pillay
Unhappy DBS Customer
=====================
Reply #3:
November 14th 2006

Customer Service Feedback
date Nov 14, 2006 8:34 AM
subject (JE/DS) (DS0711) Feedback for DBS Group

Dear Mr Harish Pillay

We sincerely appreciate the time you have taken to write to us and provide us with your valuable suggestions on the various options available. However, at this moment, we only have one option available for our iBanking customers, which is our DBS iB Secure device. Moving forward, all iBanking customers will have to register and use this device when accessing iBanking.

As mentioned in our earlier replies to you, we would like to assure you that we have forwarded your valuable feedback to the relevant department for their continuous review and seek your kind understanding in the matter.

Thank You.

Warmest Regards

[name deleted]
=====================================
Response #3:
November 14th 2006:

to Customer Service Feedback
date Nov 14, 2006 9:54 AM
subject Re: (JE/DS) (DS0711) Feedback for DBS Group

[name deleted] –

> We sincerely appreciate the time you have taken to write to us and
> provide us with your valuable suggestions on the various options
> available. However, at this moment, we only have one option available
> for our iBanking customers, which is our DBS iB Secure device. Moving
> forward, all iBanking customers will have to register and use this
> device when accessing iBanking.
>
> As mentioned in our earlier replies to you, we would like to assure you
> that we have forwarded your valuable feedback to the relevant department
> for their continuous review and seek your kind understanding in the
> matter.

No, this is not an acceptable state of affairs. I want an option. I refuse to carry around another piece of hardware when I receive it. What I will do is to leave it at home, call home and ask my family to get me the code when I need to do the internet banking.

Here’s a suggestion – I am willing to be a beta tester for you using the following code at:
http://www.securityfocus.com/tools/3591
http://marcin.studio4plus.com/en/otpgen/files.html

This will work on my handphone and give the same stuff that you need. The code can be modified if needed to suit “DBS security”.

Shall we work on this?

Harish
PS: another source is this: http://www.cs.umd.edu/~harry/jotp/
===

Alas, no replies to the response #3 yet!
