Tan Kin Lian's Blog: Simplify Internet Banking

Tuesday, July 07, 2009

Simplify Internet Banking

Editor
Forum Page
Straits Times

I use internet banking to transfer money to the other people through their bank account. I find this service to be convenient, compared to sending a cheque to them.
However, I find that the actual implementation of this service by my bank to be a hassle in the following aspects:

1. The bank requires the customer to create a record for each new payee and to authenticate it through a PIN sent through the mobile phone.

2. The bank requires the customer to enter the IB Secure PIN for every payment

These layers of security measures are duplicative, as the customer already has to enter user ID, PIN and an IB secure PIN to gain access to the internet banking facility.
The real risk to the customer is by entering the wrong account code of the payee or the wrong amount. The bank is not helping the customer to mitigate this risk.
By giving hassle and distracting the customer, these duplicative tasks actually increases the risk to the customer of making mistakes in entering the wrong bank account or amount. The inconveniences are aggravated when the computer system or internet is slow.

I believe that these security features may have been mandated by the regulator. I hope that the banks and the regulator should re-look at these requirements and simplify the process for the customer, while maintaining an adequate level of security. This will allow the customer to focus on ensuring that the entries are correct.

Tan Kin Lian

10 comments:

Shen Ting said...: My experience with internet banking in the UK (with HSBC) is as follows:

The customer is given a 10 digit login username. Also, the customer has to choose a unique 6-10 digit numerical code. After you enter the username, you are asked for your birthdate and specific 3 digits of your code e.g. they might ask for first, second and last digit.

After you are logged in, you can do any transfer to anyone without having to re-enter your code or PIN. No handphone or token is needed for any transactions.

Imagine my surprise at the relative simplicity when I first started using this in the UK!; July 07, 2009 11:34 AM
Anonymous said...: Try citibank, need to enter only once for multiple payment.

I also find that the internet banking site is well designed.; July 07, 2009 2:20 PM
Anonymous said...: The extra precautions are necessary.

There are ways in which the initial login can be hijacked by someone else and then subsequent transactions done as though came from you.

The additional steps minimise the risk (as the person who hijacked the session does not have the token to respond).; July 07, 2009 2:38 PM
Anonymous said...: Hello here is REX commenting.
I have been using the POSB funds transfer internet banking for a long time. Actually, the requirement to key in the 2FA Token code a second time during a fund transfer transaction is only introduced recently. About 2 months ago i estimate, the procedure was the same as what was described by Shen Ting. When the POSB introdcued the new procedure they didnt even make any announcement. The user just follow the screen instruction on the website and key in the code a second time if a fund transfer is to be done. Perhaps it is necessary to prevent fraud, i do not know. Basically i think the problem is a PR issue. Nobody likes changes in the system without at least a decent explanation. More often then not, customers just follow and are not duly informed, that is typical DBS style.
REX; July 07, 2009 3:59 PM
Anonymous said...: I agree with Shen Ting that the HSBC system is very user friendly.

But they have a clever way to beat the hacker as well:
(1) At each login, the user is asked to provide 3 digits randomly chosen (e.g. first, third and last digits) from his 6-10 digit passwords.
(2) The method of inputing the 3 digits is by means of clicking the mouse on a picture of the keyboard displayed on the screen.
(3) The location of the picture keyboard is slightly on the screen is shifted slightly from one login session to another login session.

The above 3 methods are a clever way to use technology to beat any hacker waiting to capture user login information. They imposes no additional burden on the user to carry any electronic gadgit to generate a random security code or a handphone to receive any SMS password.; July 07, 2009 4:02 PM
Anonymous said...: it's only DBS that does that to you; July 07, 2009 8:05 PM
Unknown said...: i been using internal banking for year(DBS and Maybank). i don't it a hassle at all.

It just took me less than a minute to key in the IB secure,pin and user id to transfer the money. it is more convenient than to queue for hours in bank or ATM; July 07, 2009 8:20 PM
harry said...: Actually, these additional 2FA challenges for monetary transactions are required by MAS. Banks, in an effort to stay compliant with the regulations, have to invest a lot of resources in implementing such changes.

Thus, do spare a thought for the banks as it is a thankless job. It is perhaps better to direct suggestions on 2FA implementation to MAS instead.; July 07, 2009 9:32 PM
Anonymous said...: Not too long ago, DBS token only need to enter once for internet banking. Now, DBS token needs to enter as many times as the transactions you make.

May be this is just to "cover somebody's ass" in case of internet security lapses.

Same for the "water parade" in SAF.; July 08, 2009 11:34 AM
harry said...: as i mentioned earlier, these additional 2FA challenges at transactions level are mainly not banks' own initiatives. it is in response to MAS's internet banking security requirement.

although banks can choose to not follow the guidelines, i'm not sure what the consequences are. perhaps a rebuff from the regulator?

perhaps with additional activities on the token, banks will now have to replace them more frequent, thus spending more $. one day, they may decide to pass costs to consumers.; July 08, 2009 9:47 PM