There’s a saying that what’s offline cannot be stolen online.
When banks first started handing out physical tokens to users more than 10 years ago, there was the assurance of knowing no one could get into your account unless he got hold of the little plastic fob with a screen.
Thus, reading the news yesterday of banks in Singapore ditching these physical tokens for digital ones must have raised alarm among some users.
DBS says it will stop handing out physical tokens from the second quarter of next year, according to a report in the Today newspaper.
UOB is expanding its digital tokens to Internet banking by the end of this year, while the Oversea-Chinese Banking Corporation (OCBC) is considering biometrics.
Digital tokens can be delivered in a number of ways. Most often, this is through your mobile phone, the device that is as important as your home keys these days.
The question one must ask is whether this device is all that secure. Stories of folks having their phones broken in are common today. As are accounts of people being locked out of their devices by cyber criminals deploying ransomware.
At a time when the Singapore government is taking computers off the Internet to protect against intrusions, banks seem to be doing the opposite – bringing a previously offline process into a connected device.
What this means is that if hackers can find a way into phones, they can find a way into manipulating the digital token that is operated on the mobile device.
Sure, this is simplifying a little because the data will be encrypted and the sensitive information may not even be stored on the device. Still, going digital represents a higher risk than an offline physical token, simply because there’s a link to the Net.
Are the risks worth the trouble? Well, what you do get out of a digital token is convenience. After several years of using two-factor authentication, users in Singapore often end up with a good number of tokens. That’s confusing, not to mention, frustrating to keep up with.
At the same time, there’s been a lot more trust placed in digital transactions these days than before. Mobile payment at cashiers, for example, is a common thing today in Singapore. And digital tokens are already used in many important online services.
You can log in to Gmail with a passcode sent to your phone. Yahoo now lets you log in to an account via a passcode on your phone’s app as well. The big difference, however, is that banking transactions can involve large amounts of money being transferred.
Over the years, Singapore banks have enhanced security features on these online transactions. For example, you have to “sign” again after logging in to your account, should you want to transfer money to a new account, or carry out other “high-risk” transactions.
Now, will digital tokens offer the same multi-layer security? At least DBS thinks so and is moving ahead faster than its local rivals. The largest bank here will make the switch to “soft” tokens for 2.6 million customers using both its mobile and Internet banking services.
Unfortunately, there doesn’t appear to be an option to stay with the old, offline version once your physical token runs out of battery. And besides security concerns, the promise of convenience does come with some caveats.
In future, you’d have to make sure you don’t lose your phone, have it locked out by ransomware or simply run out of juice after a day of playing games on it.