DBS Bank experienced unauthorized withdrawals from its customers' accounts through ATM machines. The bank is now looking for a way to enhance its security measures.
I wish to suggest the following method, which does not involve any change to the current magnetic stripe card. I suggest that the ATM machine should ask the customer to use his registered mobile phone to dial a certain number at the bank. The bank will retrieve the mobile number, using caller ID, to "activate" the withdrawal.
For the crook to take out money, the crook needs to have the mobile phone as well. This will be a hindrance to the crook.
Currently, DBS sends an SMS to the customer and asks the customer to enter a PIN from the SMS to confirm the transaction. My suggested method is more practical and less costly (i.e. it does not use SMS) and can also be used for internet banking.
Do you agree with my approach? Can you see any flaws or weakness?
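To make the proposed flow concrete, here is an added sketch of the bank-side logic (my own illustration, not DBS's system or any code from the post): the dial-in line records the delivered caller ID against the registered mobile, and the ATM then allows one withdrawal within a short window. The activation window, the sample account and phone numbers, and the single-use rule are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

ACTIVATION_WINDOW_S = 120  # assumption: a call activates withdrawals for 2 minutes


@dataclass
class ActivationService:
    """Bank-side state for caller-ID-based withdrawal activation (illustrative)."""
    # account id -> registered mobile number (constructed sample data)
    registered_mobile: Dict[str, str]
    # mobile number -> time of the most recent unused activation call
    pending: Dict[str, float] = field(default_factory=dict)

    def receive_call(self, caller_id: Optional[str], now: float) -> str:
        """Handler for the dial-in line. Captures the caller ID, records an
        activation and returns the short voice announcement to play.
        Note: caller_id is whatever the telco delivered; the bank cannot verify
        it here, so a withheld number simply yields no activation."""
        if not caller_id:
            return "Caller ID withheld; withdrawal not activated"
        if caller_id not in self.registered_mobile.values():
            return "Number not registered"
        self.pending[caller_id] = now
        return "Withdrawal activated"

    def authorize_withdrawal(self, account: str, now: float) -> bool:
        """ATM-side check after card and PIN: allow only if the account's
        registered mobile has an unused activation inside the window.
        The activation is consumed so a second withdrawal needs a new call."""
        mobile = self.registered_mobile.get(account)
        if mobile is None:
            return False
        called_at = self.pending.get(mobile)
        if called_at is None or now - called_at > ACTIVATION_WINDOW_S:
            self.pending.pop(mobile, None)  # drop any stale activation
            return False
        del self.pending[mobile]  # single use
        return True


if __name__ == "__main__":
    svc = ActivationService(registered_mobile={"acct-1": "+6591230000"})
    print(svc.receive_call("+6591230000", now=1000.0))
    print(svc.authorize_withdrawal("acct-1", now=1060.0))  # True
    print(svc.authorize_withdrawal("acct-1", now=1061.0))  # False, already used
```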
17 comments:
At present, DBS bank goes to a lot of trouble to make their internet banking secure. They require the customer to key in the User ID, password, 2FA and also to send a PIN (received through SMS) to make a transfer.
By comparison, people can withdraw cash at an ATM machine using a faked card and a 6-digit PIN.
Actually, ATM withdrawal is many times more risky as the crook can take cash. For an internet banking transfer, the money has to go to another account, and it is easy to trace the recipient.
So, we need to strengthen ATM withdrawals and reduce the unnecessary security for internet banking transfers.
I suggest to the telcos (Singtel, StarHub, M1) to offer such a service - i.e. virtual 2FA using the mobile phone.
If the customer calls a certain number, they can retrieve the mobile number and pass it to the subscriber of that number (e.g. the bank) to activate the transaction (e.g. ATM withdrawal).
A new business for the telco, and cost saving for the business community and the public.
I can think of 2 potential problems. (1) Caller ID spoofing, where a criminal can fake the caller ID that is sent. (2) Telcos offer a caller number non-display service. This idea will conflict with people who subscribe to this service.
That would take much time and add hassle. As matters stand, some people are already fumbling with the buttons on the ATM machines. Not only would they have to manage their ATM card, cash and receipt, but now also their handphone.
Using the SMS PIN which is adopted for internet banking would solve the problem. In addition, if an unauthorised withdrawal request was made on the account, the owner who received the SMS PIN would immediately know that someone is meddling with his account.
Slowdown at ATMs
What about those who do not have mobile phones?
What if I lose my phone? I lose access to my money also.
Passes the cost of authentication directly to the consumer.
Think this is OK for those who are based in SG, but for those who are based abroad this is not very convenient/practical.
@ Anonymous 7:49 pm. Why is it not practical for those who are based abroad? Is it the cost of a phone call? It may be possible for the call to be free - i.e. if the receiving party does not pick up the call.
@Albert. The SMS PIN is more troublesome. The customer has to receive and enter the PIN.
Asycynic. Customers now have the hassle of receiving and entering the SMS PIN for internet banking transfer. Using a mobile phone to activate the service is easier than the current method of authenticating with the SMS PIN.
"@ Anonymous 7:49 pm. Why is it not practical for those who are based abroad? Is it the cost of a phone call? It may be possible for the cost to be free - i.e. the receiving party did not pick up the call."
Those who are based abroad might not have an active SG cell phone any more and DBS must be able to accept foreign numbers. In my experience, most entities in SG do not allow/accept foreign numbers.
@11:58 pm. It should be possible for the bank to exempt customers, at their option, from the need to authenticate with their mobile phone.
This can apply to customers who need to withdraw money overseas or those who find this authentication to be too troublesome. Perhaps small withdrawals (say less than $500) can also be exempted.
I tend to feel that relying excessively on mobile device authentication could end up being a problem in itself. The reasons are as follows:
1) Calling the bank line to obtain authentication will also incur a cost to the consumer, since phone airtime is not free anyway.
2) Breakdown/disruption of mobile network would also mean the disruption of the entire cash withdrawal process.
I guess the banks will have to study in detail to understand the "loopholes" of their current system in order to improve. Security is just a never-ending process.
Hi Mr. Tan,
I guess the system you proposed has a serious problem. In order to serve millions of customers, how many hunting phone lines need to be provided? When we want to call the customer service of a certain company, we are already put in the waiting line for quite long. Let alone withdrawing money, which is more common than mobile phone operation issues.
Even if you have many IVRs serving, it's not as scalable as the current SMS solution.
Hi Daniel,
Under my system, there is no need to talk to the staff. You only need to call the number for your telephone number to be captured and a voice announcement to be played, and you can disconnect. As the time is short, there is no need for so many hunting lines. Even if several hunting lines are required to meet a large volume, it should not pose a problem.
Nice blog with nice post. Keep writing. I would like to visit this blog again.
I suggest that it is better to make online transactions, as it is the safest mode and there would not be any chance of your PIN getting leaked, so it is better to use net banking when making any transactions.