Yesterday, DBS Bank announced that they would be ditching the physical token (what many of us know as “dongles”) and replacing it with a digital one instead.
“Think of it as the digital version of your physical token.”
The digital token would be embedded in DBS’ current banking app, and will be personalised for every user. It will generate one-time passwords (OTPs) needed for accessing accounts currently on the app.
This comes after a “successful trial” conducted by the bank with over 200,000 DBS customers.
The batch-by-batch rollout started yesterday (11 Apr), and the bank aims to convert its 2.6 million online and mobile banking customers over to the new system by June 2018, when the digital (or ‘soft’) token would be upgraded to take over all functions of the dongle, even generating OTPs for customers accessing their accounts via their computers.
“It’s part of our innovation drive so that banking becomes simpler for customers,” said Mr Jeremy Soo, head of Consumer Banking Group Singapore at DBS, to The Straits Times.
To assure Singaporeans that this won’t mean a decreased layer of security, he also mentioned that the bank is “committed to provide the highest level of security, [and] its digital token is encrypted and protected against phone malware.”
The Straits Times estimated that the new initiative could save DBS Bank more than $12 million in hardware costs, as the tokens (costing $10 and up) are typically replaced every five years when their battery runs out.
What Singaporeans Are Saying
Needless to say, this drew a mix of reactions from Singaporeans, some of whom rejoiced in the convenience of having one less item to carry around (and misplace), but most of whom expressed their worries that it would make digital banking less safe, and thus defeat the purpose of a 2FA system in the first place.
Sifting through the comments questioning the move, we found that many brought up the concern that having all levels of security accessed on a single device is probably the embodiment of the phrase “putting all your eggs in one basket”.
And to be honest, as inconvenient as it is to search for the tiny dongle whenever I need to make a transaction to a new recipient (oh how spoilt we’ve all become), it does give me some sort of assurance that there is that extra step that blocks any potential unwanted transfers.
Security Experts Say That ‘Soft Tokens’ Can Be Equally Safe
To address the concerns that many have raised about its safety, The Straits Times reached out to security experts for their opinion.
According to Mr Clement Lee of Check Point Software Technologies, “most soft tokens are securely designed with anti-tampering capabilities and their functions are compartmentalised”.
He added, though, that users should still install mobile threat protection software on their phones to prevent any potential hacks.
It is also advised that digital tokens incorporate fingerprint recognition as an added layer of security.
Mr Dick Bussiere of Tenable Network Security, though, stated that physical tokens/dongles are still the safest option.
“A soft token running on a general-purpose computing platform connected to the Internet can never be as secure as a dedicated hardware device.”
Digital Tokens Are Nothing New
Perhaps because DBS is the largest bank in Singapore, this announcement drew much more attention than the relatively quieter launch of competitor UOB’s Mighty Secure app late last year, which also aimed to ditch the dongle for digital.
DBS isn’t a freshie in this aspect, either.
It launched the digital token system for DBS IDEAL (for corporate accounts) customers in October last year.
Just like the impending digital token, IDEAL users can generate the necessary codes for Login and Authorisation solely using their phones.
The added layer of security comes with the integration of fingerprint recognition in the process, or a 6-digit PIN on devices that don’t have Touch ID features.
What We Hope The New Digital Tokens Would Have
While there is much said against the new initiative, it’s actually still too early to tell if we’ll end up embracing the convenience it provides or not.
If you think about it, similar security concerns must have been raised whenever any process was automated or digitised.
Just imagine: We’ve come from hiding our savings under our beds, to depositing them into banks like it’s the most natural thing to do.
What we do hope, though, is that there’ll be more transparency on how banks are keeping these new processes safe for users. (Perhaps also using fingerprint recognition?)
Ignorance is never bliss when it comes to security matters, and saying that something is “secure” is honestly never enough in the face of widespread hacking.