Singapore's banks to ditch texted one-time passwords

After around two decades of allowing one-time passwords (OTPs) delivered by text message to assist log ins to bank accounts in Singapore, the city-state will abandon the authentication technique. The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) announced on Tuesday that "major retail …

  1. Pascal Monett Silver badge

    Easy solution : a physical OTP token

    LuxTrust uses that. To connect to my bank account, I need to know my user name, my password and have the fob available to get the OTP at the right time.

    Sure, there's a smartphone app, and there are other solutions as well, but the fob works fine. There is no reason to force people to have a smartphone.

    1. Khaptain Silver badge

      Re: Easy solution : a physical OTP token

      Expense: those OTPs are great but are expensive, and they usually have a limit of around two years.

      1. Anonymous Coward

        Re: Easy solution : a physical OTP token

        I had a card reader for 15 years and when that went wrong had it replaced with another card reader even though the bank was pushing people to use SMS. The card reader is supplied free to the customer.

        1. Charlie Clark Silver badge

          Re: Easy solution : a physical OTP token

          And, more importantly, card readers usually involve the bank assuming liability, ie. they think the system is safe.

          1. John Robson Silver badge

            Re: Easy solution : a physical OTP token

            Many of them are utterly horrible to use if you have any disability affecting vision or fine motor control though.

            1. Alumoi Silver badge

              Re: Easy solution : a physical OTP token

              So are smartphones.

              1. Anonymous Coward

                Re: Easy solution : a physical OTP token

                Not necessarily. From my perspective, that of a blind user, I have never once seen a non-phone OTP generator that included an audible or tactile way of getting the code out. It's always a small screen and that's the only option. Meanwhile, with a smartphone, I have a screen reader which can read OTP codes from the app concerned, and if I also couldn't hear, I can connect a Braille output device to read them that way. There are some problems with that approach. A smartphone is likely at least a bit more expensive than the standalone token generator and a Braille device is extremely expensive in comparison, but if you can't see at all, a smartphone is likely to be the chosen option because nothing else works*.

                In the area of physical disabilities, things are probably quite different. I do not have one myself, so I'm going on the experiences of acquaintances I know who have them. There may be some standalone tokens with buttons large enough for people with limited but some dexterity to operate more conveniently than a touchscreen, so they might be more likely to use them.

                * Theoretically, an OTP program running on a desktop or laptop would be sufficient as well, but less portable.

                1. druck Silver badge

                  Re: Easy solution : a physical OTP token

                  The unfortunate fact is, if a screen reader on a device can read the secure code from an application, so can malware.

                  The smartphone ecosystem can be more tightly controlled meaning that in theory only signed screen reader applications can access certain APIs. On a desktop this is not so easy to enforce.

                  1. LybsterRoy Silver badge

                    Re: Easy solution : a physical OTP token

                    In theory there is no difference between theory and practice, in practice there is!

        2. VBF

          Re: Easy solution : a physical OTP token

          I still have one - Nationwide in UK offers me the choice of that or an OTP on each login

          1. Beeblebrox

            Re: Easy solution : a physical OTP token

            > I still have one - Nationwide in UK offers me the choice of that or an OTP on each login

            Not available for card purchases. Which is a shame.

    2. Anonymous Coward

      Re: Easy solution : a physical OTP token

      Many months ago Bank of Ireland announced that they were upgrading their smartphone app to require Android 11 as of July 1st, and customers whose phones didn't meet that requirement could order a physical security key (PSK). I don't plan to change a working phone just to keep BoI happy, so I ordered a PSK, but never received it. The app is now issuing warnings, so I've tried again. I'd guess that a Singaporean bank is more competent, though.

    3. sedregj Bronze badge

      Re: Easy solution : a physical OTP token

      KeepassXC can do TOTP too.

      Very handy if multiple people need access to the same account

    4. Alumoi Silver badge

      Re: Easy solution : a physical OTP token

      There is no reason to force people to have a smartphone.

      Constantly tracking, checking for 'think of the children', advertising... There are a lot of reasons to force people to have a smartphone.

      Oh, and don't forget shifting responsibility from the bank to the sucker.

  2. teomor

    "digital tokens –apps running on smartphones that produce OTPs" but why can't they run on computers as well?

    1. Yorick Hunt Silver badge

      Given the number of people swindled into establishing a remote connection for scammers, OTP authenticators on desktops might be a giant leap backwards security-wise.

      If the banks weren't so aggressive in seeking ever-more profit, they'd maintain physical branches where the elderly could comfortably go to partake in personal banking - but of course we've long ago as a species drifted away from personal interaction.

      1. anonymous cat herder

        According to the BBC's Scam Interceptors programme, establishing a remote connection to the phone with e.g. AnyDesk is a fairly standard part of the script. OTP authenticators on a phone can be set to require a fingerprint before they generate the code; this is much harder to obtain without the local user's interaction and unlikely to be enforceable on a PC. The scammers then presumably use social engineering to bully the user into providing it anyway, but it gives the bank a plausible excuse to claim the user is culpable.

    2. itsthemonkey

      Channel separation! That is why certificate based MFA is also often a security risk - if the certificate or OTP application is installed on the laptop being used for access then compromising the password for the laptop (factor 1) automatically gives you factor 2 (the certificate or OTP app). That negates MFA, as the second factor is actually just the password for the device, which is the same factor twice. And no, having a different password for the OTP app does not work, as that means both factors are passwords.

      Just saying...

      1. Anonymous Coward

        So it's a good idea to have the banking software and OTP software on the same phone, right?

        1. itsthemonkey

          Have them all on the same device, with all your passwords stored as well as the PIN numbers for all your accounts and cards if you want - and do not care about security.

          I stated the 2nd factor should not be on the same device as the system you are logging in to, so why would you think putting them both on a phone is any different or in any way secure? Unless that was a piece of passive aggression? Cannot work it out and don't really care.

    3. doublelayer Silver badge

      Most of the time, they're using one of a few standard and open protocols, so they can run on desktops. All you have to do is identify the protocol in use and get one of the many open source implementations that has a desktop client. There are a few reasons why people generally don't, and that also explains why the most used authenticator apps from large tech companies don't have desktop versions, but you have about ten options with a quick search of GitHub. Finding one you trust can be trickier, but if you want a desktop version, you can have it.

      There is a chance that some business will build their own authentication protocol which is not a standard, and if they do that and force its use, then you will be limited to whatever they allow. However, they often outsource this to something which supports those open protocols and you can use them even if they have a proprietary version.

  3. David-M

    Happy with my tiny physical number generator which lasts virtually forever, HSBC, and must have cost very little to make, no doubt less than all those OTP texts added up.

    Benefits: not hackable, and you don't carry it around with you so won't get it lost or stolen like a phone.

    As I don't have a smart phone it also suits me well compared to app use.

    1. Chris Evans

      .. you don't carry it around with you..

      " physical number generator... you don't carry it around with you..." how does that work? I don't work on the move myself but I do do 2FA at home and work, on the same accounts.

      1. John Robson Silver badge

        Re: .. you don't carry it around with you..

        I might have had one held up with a USB webcam pointing at it, available over a VPN so that I could log in to a different VPN, and then use it again four times to gradually hop into the system I needed access to.

        But I couldn't possibly confirm when that was....

    2. Mike 125

      > it also suits me well compared to app use.

      First Direct here, so same deal.

      BTW mine showed LOBATT after about 3 years - that's what I call efficiency. Shame it's made in China, like the bank, but hey, what can you do...

      I feel much safer logging in via their website than via *any* stupid app, on any pocket computer-with-phone (although do have one).

    3. eionmac

      Likewise no smartphone

      The assumption all persons have a smartphone is not a good assumption. Hard of hearing and bad eyesight make a dumb phone with large text messages better.

  4. Mockup1974

    Well, if they're going to push for mandatory apps to access your bank account, I hope they also make it mandatory that these apps:

    (1) work on degoogled Androids without Play Store or Play Integrity API

    (2) work on systems that are not Android or iOS, such as mobile Linux

    (3) maybe even work on desktops, because not everyone wants to have a smartphone?

    Besides that, I still don't see what the problem is with existing 2FA solutions such as SMS OTP, TOTP, or Yubikeys.

    1. Munehaus

      The problem with SMS is it's not secure or encrypted and can be read by anyone who has an SS7 connection.

    2. Anonymous Coward

      SIM Swap Fraud

      SMS isn't v secure in many ways but as a real-world example that affected me a) your mobile phone provider posts a "replacement" SIM for your number to an address that is not yours and b) your credit card provider allows the criminals to fail two out of four security questions and still be given access to your account.

      Happened to me and both providers (Tesco Mobile and John Lewis) didn't understand why I thought they were incompetent. I only lost £50, which the credit card company eventually refunded, but it could have been a lot worse. I noticed the issue reasonably quickly because my mobile's SIM came up with a "SIM not recognised" message which taking it out and putting it back again/rebooting the phone didn't resolve. All this "We take credit card/mobile phone security seriously" is such a load of baloney (but you already knew that).

  5. Stuart Castle Silver badge

    As my old Software Engineering Management lecturer used to say, when designing software, you can have "Security, features, ease of use. Pick two".

    That still applies.

  6. Bebu

    I wouldn't mind a keyfob...

    compared with the sms/texts currently used.

    A device using HOTP could be very low powered and the battery last for years or even charge from ambient light like Citizen's Eco-Drive or Seiko's Solar wristwatches.

    I would even mind if the institution used TOTP (and permitted the user to supply the secret in a supervised context.)

    Plenty of authenticators for pretty much any platform support TOTP.

    Even easy to knock out a Linux etc. command line version - useful if you want to script a VPN connection that requires this 2FA. Not very secure, but was par for that particular course. ;)

  7. Doctor Syntax Silver badge

    When your phone is the security device whoever has your phone is you, even if it isn't you.

    1. Orv Silver badge

      That's also true of TOTP key fobs, except phones these days usually have some kind of biometric authentication, whereas key fobs don't.

      1. Anonymous Coward

        That's also true ...

        Well, going by the fun I'm having logging on this morning, *nobody* is me today.... :-/

      2. Beeblebrox

        except phones these days usually have some kind of biometric authentication

        Except someone shoulder surfing the device password can just add their own biometrics after they have stolen your device.

  8. Orv Silver badge

    I just wish my bank didn't insist on using Symantec VIP Access as their TOTP system.

  9. Ken Moorhouse Silver badge

    apps running on smartphones that produce OTPs

    So how is that better? You're just adding an extra layer of complexity which, if undermined, actually makes things worse.

  10. Anonymous Coward

    Back in the day

    Old Ms Bragg at the sub post office knew everyone in town, mothers, fathers and which kids belong to who.

    Easy process: Present your passbook and slip, then get some cash out.

    She did get held up once, but scared the offender off with nothing more than the empty bag the guy shoved at her!

    </>day dream

    1. eionmac

      Re: Back in the day

      Here we can still get cash from local Post Office, by using a bank card. Whether the post office staff 'know me' by sight is doubtful.

  11. CowHorseFrog Silver badge

    So what happens when Google or Apple get hacked ?

    1. Beeblebrox

      So what happens when Google or Apple get hacked ?

      A mealy mouthed apology, without accepting any liability?
