
How will the elimination of one-time passwords make online transactions more secure?

SINGAPORE – From November, UOB, DBS and OCBC customers who have enabled their Digital Banking Token will no longer receive one-time passwords (OTPs) when logging in.

The move, jointly announced by the Monetary Authority of Singapore and the Association of Banks in Singapore on July 9, is likely part of broader efforts to prevent phishing scams.

Hardware token customers can still use OTP. However, authorities are urging physical token users to switch to digital tokens.

Is a digital token more secure than OTP and hardware tokens as a means of second-factor authentication? Are there limits to the effectiveness of digital tokens in protecting customers from major types of fraud? The Straits Times answers these and other questions.

Q: What is a digital token?

The digital token authenticates logins and transactions in the mobile banking app and essentially replaces the physical token issued by the bank.

Once the digital token is set up, customers no longer need to use their physical token. With the digital token, users authenticate only via an app-generated prompt, which they must tap to approve the login or transaction.

The OTP option will be removed by November at all major banks.

Q: How will eliminating one-time passwords make banking services more secure?

One-time passwords were introduced in the 2000s to strengthen online security, but since then, social engineering tactics and technological advances have allowed fraudsters to extract one-time passwords from customers via fake banking websites.

Victims of phishing scams are often tricked into revealing their login credentials, such as username and password, as well as one-time passwords, which can be generated by hardware tokens and software tokens.

One of the biggest problems with SMS OTP is that SMS messages can be mistakenly shared or, in rare cases, intercepted. Fraudsters can then use the OTP to perform unauthorized transactions without the victim's knowledge.

Removing the OTP option from the digital token forces users to rely solely on the app-generated prompt, which clearly displays the details of the actual transaction being authorized. This alerts unwitting victims to any unusual activity, and it is also why authorities are urging users of physical tokens to switch to digital tokens.
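An added illustration, not from the article or from any bank's implementation, of why a prompt tied to the displayed transaction details resists the kind of phishing the article describes: an OTP is a bare code that the bank cannot link to a particular transfer, while an approval computed over the payee and amount shown in the app only verifies for that transfer. The HMAC construction, the shared secret and the sample transactions are assumptions for the demonstration.

```python
import hmac
import hashlib

# Constructed secret shared between the customer's token and the bank (sample value only).
SHARED_SECRET = b"constructed-demo-secret"


def otp_code(secret: bytes, counter: int) -> str:
    """Context-free OTP: depends only on the secret and a counter, never on the transaction."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def bound_approval(secret: bytes, challenge: bytes, payee: str, amount_cents: int) -> str:
    """Approval computed over the details the app shows the user, so it is tied to one transaction."""
    msg = challenge + payee.encode() + amount_cents.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def bank_accepts_otp(counter: int, code: str, payee: str, amount_cents: int) -> bool:
    # The bank can only check the code itself; payee and amount play no part in the check.
    return hmac.compare_digest(code, otp_code(SHARED_SECRET, counter))


def bank_accepts_bound(challenge: bytes, approval: str, payee: str, amount_cents: int) -> bool:
    # The bank recomputes the approval over the transaction it actually received.
    expected = bound_approval(SHARED_SECRET, challenge, payee, amount_cents)
    return hmac.compare_digest(approval, expected)


def mismatch_check() -> tuple:
    """Customer means to pay Shop A $50.00; a fake site submits a transfer to Account B instead."""
    intended = ("Shop A", 5000)
    submitted = ("Account B", 5000)  # constructed: what reaches the bank
    # OTP: the six digits the victim entered authorize whatever transaction arrives with them.
    code = otp_code(SHARED_SECRET, 41)
    otp_result = bank_accepts_otp(41, code, *submitted)
    # Bound approval: the prompt showed "Shop A, $50.00"; the value only verifies for that.
    challenge = b"constructed-challenge-01"
    approval = bound_approval(SHARED_SECRET, challenge, *intended)
    bound_result = bank_accepts_bound(challenge, approval, *submitted)
    return otp_result, bound_result  # (True, False)
```

The bound approval still depends on the user reading the prompt: if the prompt itself shows the fraudster's details and the user taps it, the bank has no way to tell.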

Q: Is using a digital token completely safe?

Phishing sites can still lull unsuspecting victims into tapping prompts generated by the digital token and unknowingly approving the transfer of their digital token to another device. In this way, fraudsters can gain ownership of the digital token after 12 hours and perform transactions from their own device.

In addition, digital tokens can speed up the confirmation of any transaction, including suspicious ones, because authentication is performed with a single touch. By contrast, OTPs must be copied and pasted into a text field.

Users should therefore always carefully analyze the content of prompts generated by digital tokens and only confirm a transaction if they are sure of its purpose.