
Internet Banking


Neutrino

Turbocharged

No. The token (SecurID) was hacked. The algo is known. Knowing the seed, algo and time, the attacker will be able to generate the number which matches the number generated in the back end server.

It is not safe anymore.

Only the smartcard type is still safe.

 

Read this if you are interested.

http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/

 

The bank is the one issuing the token. Not like you can dictate what token they use.

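The point quoted in the post above, that seed, algorithm and time together fully determine the code, shown as an added example that is not part of the original thread. It uses the open RFC 6238 TOTP scheme as a stand-in (SecurID uses its own algorithm), the seed is the RFC's published test value, and the `Verifier` class with its drift and replay handling is a hypothetical back-end check.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays current
DIGITS = 6

def totp(seed: bytes, unix_time: int) -> str:
    """Code shown by the token: a pure function of seed and time step."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical back-end check: allow clock drift, refuse reused steps."""
    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_step = -1   # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step:
                continue      # this step was already consumed: treat as replay
            if hmac.compare_digest(totp(self.seed, step * STEP), code):
                self.last_step = step
                return True
        return False

# Constructed sample: the RFC 6238 SHA-1 test seed, not a real token seed.
SEED = b"12345678901234567890"

def demo():
    server = Verifier(SEED)
    shown = totp(SEED, 59)                        # what the token displays at t=59
    first = server.verify(shown, 59)              # accepted once
    replay = server.verify(shown, 61)             # same code again: rejected
    late = Verifier(SEED).verify(shown, 59 + 120) # two minutes on: expired
    return shown, first, replay, late

if __name__ == "__main__":
    print(demo())
```

Nothing in `totp` is secret except the seed, which is why the seed database on the issuer's side is the asset to protect.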

I also use my mobile as the token ie sms will be sent but point to note is that not all banks can do it this way. IIRC, HSBC doesn't issue sms to notify you the no. and insist on using token which I find it strange in this day and age!!!

  • Praise 4

 

Yes. For my Standchart, my CC is the token. Amazing they can squeeze a battery, display n keypad into a flexible credit card.

 

 

For UOB, u better use the token when overseas. Cause the number sms to you takes some time and by the time u receive it, the website expire liao. Thatz what happened to me when I was in Japan. KNN the number took 30mins to reach me. My token one digit unable to display so was depending on phone. Came back SG, immediately went to UOB bank and changed my token.

Yah took me a few mins to appreciate that Stanchart card. Until now still wonder how it can be done into a card, amazing indeed

 

 

 

When I am in overseas I had not much prob in sms token, maybe i am lucky the line connection quite good


no need token for UOB internet banking, even to set up new payee. i also dun like to carry any token around, hence only UOB is able to do that and i have stopped using the internet banking for the other banks.

 

I use UOB, still need token what.

But i never use the app.

 

To me, security is still security. Make it too easy/convenient is a security flaw on your side.


Supercharged

 

That article is nearly 4 years old though.

Things must've changed since then?

Yes, perhaps.

But many kiasu companies just dump the product and switch to smartcard base PKI for the authentication.

 

The bank is the one issuing the token. Not like you can dictate what token they use.

Yes. IDA should discourage this type of 2 factor authentication.

Perhaps they are waiting for a major compromise in Singapore before they act.

  • Praise 1

Supercharged

I also use my mobile as the token ie sms will be sent but point to note is that not all banks can do it this way. IIRC, HSBC doesn't issue sms to notify you the no. and insist on using token which I find it strange in this day and age!!!

... because the sms OTP is also having its limitation.

I would say, weaker than the token.

 

Imagine, a lady lost her hand bag.

Inside has the hand phone and purse.

Voilà!


Ever saw one; the small rectangular calculator look-alike one from DBS, being sold at the small flea market next to Sim Lim Tower, wonder what sort of damage (if any) could be done if fall into the "wrong hands".


... because the sms OTP is also having its limitation.

I would say, weaker than the token.

 

Imagine, a lady lost her hand bag.

Inside has the hand phone and purse.

Voilà!

 

Ya bro that's true also. Guess HSBC more kiasu.

 

At the end of the day, it's a balance between convenience to customers vs security and I guess you can't have it both ways but damn troublesome to carry token around esp us guys!

  • Praise 5

Hypersonic

... because the sms OTP is also having its limitation.

I would say, weaker than the token.

 

Imagine, a lady lost her hand bag.

Inside has the hand phone and purse.

Voilà!

 

Same as token. If in the bag and lost, then...

 

HSBC's token needs a PIN to use it. That's an added security.


Supercharged

Yah took me a few mins to appreciate that Stanchart card. Until now still wonder how it can be done into a card, amazing indeed

 

 

 

When I am in overseas I had not much prob in sms token, maybe i am lucky the line connection quite good

Na... the OEM factory....

http://www.smartdisplayer.com/index.html

 

[laugh]

 

Ya bro that's true also. Guess HSBC more kiasu.

 

At the end of the day, it's a balance between convenience to customers vs security and I guess you can't have it both ways but damn troublesome to carry token around esp us guys!

.. that's why I don't use internet banking.

 

Like the pharmacist avoid taking medicine.

[laugh]

 

Same as token. If in the bag and lost, then...

 

HSBC's token needs a PIN to use it. That's an added security.

Yes. The PIN you know and the token you have make it 2 factor authentication.

Edited by Ben5266
  • Praise 2

Twincharged

... because the sms OTP is also having its limitation.

I would say, weaker than the token.

 

Imagine, a lady lost her hand bag.

Inside has the hand phone and purse.

Voilà!

IMO the phone can be more secure also. Cuz a lot of people also bring their token in their bag. If they use phone then they won't bring the token. Most banks token no need pin so the thief can easily use it. Whereas many people do secure their phone with some sort of lock like a pattern/pin/fingerprint. So the thief can't even read the SMS unless he can unlock the phone.


.. that's why I don't use internet banking.

 

Like the pharmacist avoid taking medicine.

[laugh]

 

My office IT Head also refuse to use Internet Banking and I laugh when he goes over the counter to do his banking. Got a friend in Banking Ops who refuses to subscribe to GIRO, another colleague who use to work in fast food and his children have never tasted a burger in their lives...... The list goes on and I guess those in the know, knows too much till they scared haha!!

  • Praise 6

Hypersonic

Yes. The PIN you know and the token you have make it 2 factor authentication.

 

Like that is 3 factor already. PIN to use token, token to generate code and password+code to access website. :D

 


Supercharged

IMO the phone can be more secure also. Cuz a lot of people also bring their token in their bag. If they use phone then they won't bring the token. Most banks token no need pin so the thief can easily use it. Whereas many people do secure their phone with some sort of lock like a pattern/pin/fingerprint. So the thief can't even read the SMS unless he can unlock the phone.

For iPhone, I can see the OTP code on the notification. Need not unlock the phone, if I am not mistaken.

 

as for the token, I believe one needs to key in 6 digit PIN follow by the 6 digits on display?


For iPhone, I can see the OTP code on the notification. Need not unlock the phone, if I am not mistaken.

 

as for the token, I believe one needs to key in 6 digit PIN follow by the 6 digits on display?

 

 

for sms OTP, you still need to key in the PIN before clicking for OTP code.


Turbocharged

The initial login page user ID is known only to you.

 

The initial login password is also only known to you.

 

For the 2nd factor authentication, it comes in the form of a mobile phone SMS or a token.

 

You need to be seriously careless for someone to be able to break into your internet banking access.

 

And for those who are not comfortable with internet banking, suggest you cut up your credit cards. Those are even easier to fraud.

  • Praise 1

Talk about security.

 

1 woman lost her handbag in a shopping mall and went to police station to make report.

Few hours/days later, someone call her thru her mobile phone (new phone) saying her handbag was found in the mall.

She went to the mall and as no one was at home during the call, her house was burgled by the thieves who took her handbag.


 

 

no need token for UOB internet banking, even to set up new payee. i also dun like to carry any token around, hence only UOB is able to do that and i have stopped using the internet banking for the other banks.

There is always a trade off. Security vs Convenience.

  • Praise 1