Wearing 2 seatbelts

Just wondering… anyone here wear 2 seatbelts in a car?

When DBS introduced the second factor authentication (2FA) for their iBanking services, I thought it was meant for customers who requested it. To me, it is just overkill.

Then I received this package a few days back.

Damn. I was auto-included in the stupid overkill scheme. Called their customer service to request for opt-out from the 2FA. I was told that I can’t.

It just doesn’t make sense. The idea of internet banking is to allow users access to banking services anywhere, conveniently. But now, we need to carry this stupid looking dog tag wherever we go so that we can access internet banking. Why should I be forced to carry this?

Isn’t our existing userid and password safe enough? How can a hacker hack our userid and password? They can’t use brute force because there will be a limited number of tries. They can’t intercept the data transmitted over the internet because it is 128-bit encrypted.

The only way is via keylogger or phishing. A keylogger is a program installed on your computer that captures all the keys that you press. Phishing is where a hacker creates a fake website that looks exactly the same as your internet banking website to trick you into revealing your userid and password.

So can the 2FA prevent keyloggers and phishing? No. It does make it harder for a hacker to gain access to your account, but it’s not impossible. The 2FA generates a new set of numbers every 60 seconds. Meaning when a hacker gets your userid, password and 2FA key, they have less than 60 seconds to access your account or the password is invalid. It’s hard for a hacker to do that, but it is not impossible.
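The 60-second window described above, as an added example (not from the original post or from DBS): a bank-side check modelled on RFC 6238 TOTP with a 60-second step, which is an assumption because the post does not say which algorithm the token uses. The secret, the timestamps and the `Verifier` class are constructed for illustration; the scenarios show which submissions such a check accepts and which it rejects.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds each code stays valid, per the post


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed stand-in for the token's algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical bank-side check: current window only, each window usable once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_window = -1

    def verify(self, code: str, now: int) -> str:
        window = now // STEP
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return "rejected: wrong or expired"
        if window <= self.last_used_window:
            return "rejected: already used"
        self.last_used_window = window
        return "accepted"


def scenarios() -> dict:
    secret = b"constructed-demo-secret"
    t0 = 1_200_000_000  # constructed timestamp, start of a 60 s window
    shown = totp(secret, t0 + 5)  # code on the token's display

    bank = Verifier(secret)
    results = {
        # First time the bank sees the code, 20 s later: it cannot tell
        # who is submitting, only that the code is current and unused.
        "first_submission_in_window": bank.verify(shown, t0 + 25),
        # Same code again inside the window: one-time use blocks it.
        "second_submission_in_window": bank.verify(shown, t0 + 30),
    }
    # Fresh verifier: the code arrives after the window has rolled over.
    results["first_submission_after_expiry"] = Verifier(secret).verify(shown, t0 + 65)
    return results
```

One-time use and expiry are the only properties this check enforces; nothing in it ties the code to the site it was typed into.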

But look at it this way, so what if a hacker managed to gain access into our internet banking account? What damage can he do?

Ok, the hacker can look at your bank account balance. See see lor. I suppose most people don’t mind, judging by the number of ATM receipts thrown on top of the machine. He cannot transfer the money to his account or pay his bills. Because you need to set up a new transfer or bill payment arrangement. And to set up the arrangement, the internet banking will sms you a passcode which you need to enter before you can start transferring money.

So basically, a hacker can’t take your money even if he has access to your internet banking account.

So why are we forced to wear 2 seat belt in a car?

From what I understand, it is a Monetary Authority of Singapore ruling. All the banks in Singapore must provide 2FA for their internet banking service.

Ok, then why doesn’t DBS give customer the option of using SMS instead of the stupid looking dog tag? Look what UOB is doing. They are giving customer the option to choose between a dog tag or SMS. I’ll surely choose SMS so that I don’t need to carry an extra device everywhere I go.

I hate the dog tag. I want the freedom to log into my internet banking anywhere I like. Still thinking if I should cancel my DBS account as a sign of protest. The problem is, my company deposits my salary into that account. If I want to close it, I’ll need to inform payroll to change the account too.

I miss that pretty gal sitting on the floor with a iBook.

I’ll miss the feeling of that freedom she is enjoying.

Can someone get rid of that aunty with 2 seatbelts?

PS: Interesting… the gal using the iBook represents the freedom of logging into internet banking anywhere you like (no wires, sitting in a relaxed manner and dressed casually), while the gal with 2 seatbelts represents being restricted when logging into internet banking (tied with 2 seatbelts, sitting straight and dressed formally).

18 comments

  1. I hate to bring the dog tag out too, but I am just glad that the banks are doing something about the security of using internet banking, although the idea is rather dumb too.

    Perhaps they should change to a better looking and tinier dog tag; the current one, though rather ok looking, is a little too large for my comfort…

  2. i’m dreading the arrival of mine. do they come in blue?

    oh yeah I didn’t realize the chic with the iBook’s gone until you mentioned it. sad.

  3. Iris: OCBC outdo all the banks. They are giving customer 3 options.

    1) The dog tag
    2) SMS
    3) A program installed inside your handphone

    I’ll take option 3 for sure.

  4. You obviously don’t know the purpose of the “dog tag”. It definitely can prevent you from entering a “fake” DBS website.
    Don’t you read newspaper? A hacker can xfer your money to someone tat is setup in your account. And by law, you can’t get back your money because the money is xfer with your “consent”. DBS can’t xfer the money back into yr account.

  5. monkeydevil: I do know the purpose of the “dog tag”.

    And no, the dog tag cannot prevent you from entering a fake website. I’ve already explained that the password is valid for 60sec. It is still possible.

    And why would a hacker want to transfer your money to another person when he doesn’t benefit from it?

    And if your transfer list is only with accounts that you trust, there shouldn’t be any problem right?

    And lastly, I forgot to add that IP address are being logged.

  6. OK… I think I figured out the imagery.

    Auntie is in the four-point safety harness to convey a sense of security. She is *securely* strapped down and her internet banking is *secure*.

    The casual user imagery is intended to convey a sense of freedom and convenience. Look, I can perform banking transactions with no shoes!

    Make sense? 🙂

  7. Fliptrack: I agree with the casual user image.

    But somehow, I keep feeling that the aunty look more like being restricted than secured.

    Haha… Maybe it’s just the way my mind thinks.

  8. dk: have you noticed that the same number cannot be used more than once within 60s??
    Meaning, the hacker cannot login using that password that he just hacked. And after 60s, the passwd is changed again.

  9. monkeydevil: maybe you should re-read what I wrote.

    It is very hard for a hacker to ‘hijack’ the data you tried to send to the bank as it has been encrypted in 128bit. By the time they manage to break the encryption, it’s already a few days later.

    What I’m talking about is a phishing site. Someone creates a webpage that looks exactly the same as the internet banking page.

    You enter your id, password n 2FA key into the fake website. The data doesn’t get sent to the bank, instead, it is sent to the hacker who uses the id, password n 2FA to log in within 60 seconds.

    It’s hard to do it, but not impossible.

    fyi, I study internet security back in school.

  10. dk: maybe you should re-read what i wrote.

    if i entered my info at a phishing site, do you think hacker can use that set of info to login to DBS??

    Answer is no. Why? read my previous comment.

  11. “have you noticed that the same number cannot be used more than once within 60s??
    Meaning, the hacker cannot login using that password that he just hacked. And after 60s, the passwd is changed again.”

    When you enter the password in a phishing website, it doesn’t get sent to the bank. The password is sent to the hacker.

    If the hacker is at the PC at the moment, he can just use it to log into your account.

    It’s hard to do, but not impossible.
