Tuesday, July 20, 2010

Internet banking

It was quite a big hassle to make an internet banking transfer for a one-off payment of $100 for the purchase of a book.

I had to register the payee and authenticate it with my mobile phone. The DBS web application did not show the correct verification page (due to a bug in their system), so the first attempt failed. I had to recreate the payee details a second time (including entering 5 error-prone items of information), and this time the verification went through. I proceeded to make the transfer and had to enter the 2FA again.

This transfer took 20 minutes to make, even though I am an experienced user. I received 3 SMS messages, entered my 2FA 2 times, received 2 verification codes by SMS (one was due to a mistake) and entered the correct one into the DBS system. It is really a lot of hassle for a one-off payment of $100.

I have raised this issue many times with DBS but nothing was done to simplify or improve the system. I believe that their hands are tied, due to MAS requirements, all in the name of security. With so much hassle, it is easy for me to make a mistake, such as entering the wrong account number or amount. Instead of improving security, it is likely to cause mistakes.  When will MAS wake up and come to the real world?

Tan Kin Lian

7 comments:

hongjun said...

2FA is here to stay and yes, it is in the name of security.

In the early days before 2FA, there were cases of intruders gaining access to other people's accounts, resulting in financial losses through social engineering techniques like phishing, etc.

With the introduction of a second token, security is significantly tightened. Do note that 2FA is not implemented only in Singapore; it is a well-researched field and is applied in many countries, especially in the banking sector.

Unless someone can think of a better idea without a second authentication, 2FA is here to stay.

Tan Kin Lian said...

It is the hassle of opening a payee record (for one-off payment) that I complain against - including SMS authentication. After going through this troublesome process, I have to delete the payee.

With 2FA, there is already sufficient security.

Why have so many layers of security? I have to log in with my id and password, use 2FA and then my mobile phone to authenticate the payee record. Three levels of security for a one-off payment? Things can get out of hand.

In fact, I hesitated for two weeks before making this payment, as I knew it would be very troublesome.

Unknown said...

I don't agree with you Mr Tan. I am quite happy with the 3 levels of security on internet banking. It is better to be slightly hassled rather than to have somebody else hacking in.

Many other online banking services from overseas banks only have the basic UserID and password. I think 2FA implementation is something that this country can be proud of.

Tan Kin Lian said...

For people who love the hassle, it is fine. But don't put the hassle to other people.

NumberOneHo said...

I like HSBC internet banking. It's great for all over the world. I use it all the time and have done so for years. I service payments, standing orders, direct debits, transfers, savings etc. etc. Just a password system and a key fob... Easy!! I have no idea about DBS but there is a balance between safe and simple, surely. HSBC seems to get that right (and NO, I am not an HSBC employee!)

AB said...

2FA is necessary and is a must in my opinion for login security. And Mr Tan is not voicing out against 2FA per se but the whole process, which does seem excessive from what Mr Tan described.

It is quite common for security to be overdone to the point of hindrance, inconvenience and frustration.

Personally, I find the SingPass online change password process to be similarly excessive and becoming a hindrance.

Many sites nowadays require you to read some words or graphic and type in a response, a security feature to ensure it is a human responding. But they make the graphic so unreadable that it becomes a real frustration.

Yet another overdone example is many buildings' security requiring us to hand over our IC to be retained in exchange for a pass. It is reasonable to require us to show our IC, but to retain our IC is bullying.

Vincent Sear said...

I notice that Mr. Tan has stopped requiring us to decipher some graphically rendered letters in order to post. That's practising what one preaches responsively. Kudos!
