The Monetary Authority of Singapore (MAS) has announced a new requirement for all major retail banks in the country to phase out the use of one-time passwords (OTPs) within the next three months.
This initiative was agreed upon between the government and the Association of Banks in Singapore (ABS) to protect consumers against phishing and other scams.
“The use of OTP was introduced in the 2000s as a multi-factor authentication option to strengthen online security,” reads the MAS announcement.
“However, technological developments and more sophisticated social engineering tactics have since enabled scammers to more easily phish for customers’ OTP, for example through setting up fake bank websites that closely resemble the genuine websites.”
In addition to phishing sites, OTPs have been a target of Android malware for many years, which helps its operators bypass two-factor authentication protections on target accounts.
This has prompted Google to take more aggressive action against the abuse of the ‘RECEIVE_SMS,’ ‘READ_SMS,’ and ‘BIND_Notifications’ permissions this year, with Singapore being among the first countries to receive the new protections.
Additionally, OTPs can be intercepted in man-in-the-middle attacks, and SMS-based OTPs can also be intercepted by threat actors who conduct SIM-swapping attacks.
Singapore bank customers will now use digital tokens instead of OTPs, which they must activate on their mobile devices.
According to ABS, digital tokens are already activated for 60% to 90% of the customers of the country’s three major banks: DBS, OCBC, and UOB.
“The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing,” explains MAS.
Those who have not activated their digital tokens are strongly encouraged to do so soon to benefit from better security against phishing actors and scammers.
Customers who don’t activate digital tokens will continue to receive OTPs as before, but those are expected to be a dwindling minority.
How Digital Tokens Will Work
Digital tokens, in the context of Singapore banks, are mobile applications that enhance security for online banking transactions. Here’s a breakdown of how they work:
Replacing OTPs:
- Traditionally, logging in to your bank account and authorizing transactions involved one-time passwords (OTPs) sent via SMS.
- Digital tokens eliminate the need for SMS OTPs.
Mobile App-Based:
- You’ll download a digital token app from your bank and activate it on your smartphone.
Security Features:
- Digital tokens use various security features like fingerprint recognition or facial recognition for verification.
- Some might require a PIN or password for an extra layer of security.
Transaction Authorization:
- When logging in or authorizing a transaction, the bank app will prompt you to verify your identity through the digital token app.
- This might involve using your fingerprint, entering a PIN, or undergoing facial recognition.
- Once verified, the transaction proceeds.
Benefits:
- Enhanced Security: Digital tokens are considered more secure than SMS OTPs because they are not transmitted over SMS, which can be vulnerable to interception.
- Reduced Phishing Risk: Since digital tokens rely on features on your phone, they are less susceptible to phishing scams that try to steal your login credentials.
- Convenience: Having the token on your phone eliminates the need to wait for SMS OTPs.
Overall, digital tokens offer a more secure and convenient way to manage your online banking activities in Singapore.
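The Transaction Authorization steps above, as an added sketch that is not from MAS, ABS or any bank. The page does not describe the banks' protocol, so this assumes a generic device-bound challenge-response, with an HMAC key enrolled at activation standing in for whatever the token apps actually use; all names (`Bank`, `token_app_approve`, the sample payees) are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

def sign(key, cid, txn):
    # Tag covers the challenge id and the exact transaction details.
    msg = cid.encode() + json.dumps(txn, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Bank:
    """Server side: issues single-use challenges, verifies approvals."""
    def __init__(self):
        self.device_keys = {}  # customer -> key enrolled at activation
        self.pending = {}      # challenge id -> (customer, transaction)

    def enroll(self, customer):
        key = secrets.token_bytes(32)
        self.device_keys[customer] = key
        return key             # lives only inside the token app

    def start(self, customer, txn):
        cid = secrets.token_hex(16)
        self.pending[cid] = (customer, txn)
        return cid

    def finish(self, cid, tag):
        entry = self.pending.pop(cid, None)  # single use: a replay finds nothing
        if entry is None or tag is None:
            return False
        customer, txn = entry
        # Verify against the transaction the bank will execute.
        return hmac.compare_digest(tag, sign(self.device_keys[customer], cid, txn))

def token_app_approve(key, cid, txn, user_verified):
    """Device side: sign only after the local fingerprint/face/PIN check."""
    return sign(key, cid, txn) if user_verified else None

def demo():
    bank = Bank()
    key = bank.enroll("alice")                      # constructed sample data
    txn = {"payee": "ACME-UTILITIES", "amount": "120.00"}
    cid = bank.start("alice", txn)
    tag = token_app_approve(key, cid, txn, user_verified=True)
    ok, replay = bank.finish(cid, tag), bank.finish(cid, tag)
    other = bank.start("alice", {"payee": "OTHER-PAYEE", "amount": "9000.00"})
    reused = bank.finish(other, tag)                # approval tied to first txn
    denied = token_app_approve(key, bank.start("alice", txn), txn, False)
    return ok, replay, reused, denied
```

Unlike an OTP, which is accepted from whoever types it, the approval here is only valid for the one challenge and transaction it was computed over, and it is only produced after the on-device check passes.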