Digital Tokens for online transaction

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS) announced on Tuesday that major retail banks in Singapore will progressively phase out the use of One-Time Passwords (OTPs) for bank account login by customers who are digital token users within the next three months, an official news release stated.

This will better protect them against phishing scams, which were among the top five scam types last year, with at least SGD 14.2 million lost to these scams, as per the Singapore Police Force Annual Scams and Cybercrime Brief 2023.

Customers who have activated their digital token on their mobile device will have to use their digital tokens for bank account logins via the browser or the mobile banking app. The digital token will authenticate customers’ login without the need for an OTP that scammers can steal, or trick customers into disclosing. MAS and ABS have urged customers who have not activated their digital tokens to do so, to lower the risk of having their credentials phished.

The use of OTP was introduced in the 2000s as a multi-factor authentication option to strengthen online security. However, technological developments and more sophisticated social engineering tactics have since enabled scammers to more easily phish for customers’ OTP, for example through setting up fake bank websites that closely resemble the genuine websites. This latest measure will strengthen the authentication process, making it harder for scammers to fraudulently access a customer’s account and funds without the customer’s explicit authorisation using his mobile device.

Phishing scams remain a concern in Singapore, and banks continue to work closely with MAS and the Singapore Police Force to develop and introduce solutions and measures to strengthen our collective resistance in the ever-evolving scam landscape.

Ong-Ang Ai Boon, Director, ABS, said: “This measure provides customers with further protection against unauthorised access to their bank accounts. While they may give rise to some inconvenience, such measures are necessary to help prevent scams and protect customers.”

What is token-based authentication?

Token-based authentication is the process of verifying?identity?by checking a token. In?access management, servers use token authentication to check the identity of a user, an?API, a computer, or another server.

A token is a symbolic item issued by a trusted source — think of how law enforcement agents carry a badge issued by their agency that legitimizes their authority. Tokens can be either physical (like a USB hard key) or digital (a computer-generated message or digital signature).

Token-based authentication can refer to a couple of different processes:

1. Verifying identity via a physical token.?This is a widely used authentication factor for logging in: users are asked to present their token when signing in to an account or a device. (Authentication factors are described in more depth in?What is authentication)
2. Reconfirming identity via a web token.?Web tokens are purely digital. A web token is generated by a server and sent to a client. The token is attached to each client request so that the server knows the identity of the client and knows what data the client can access.

?

5 reasons digital tokens are the best option for online banking

First things first: what's a digital token and what's a physical security device? A digital token or software token is a digital key that is installed on an online platform or an electronic device. Conversely, a physical security device, or a hardware token, is a physical device or dongle.

Both digital and physical security tokens are part of a 2-factor authentication process as they generate security codes that you can use to log on to online banking and authorise other banking functions. The other component of 2-factor authentication is your regular online banking username and password.

Increasingly, as technology digitises our lives, digital tokens are becoming the way to go, with more banks offering the option of replacing their physical dongles with digital ones. Here's why it's a good idea for you to make the switch too, if you haven't already done so.

1. It's safe and secure

Digital tokens are available virtually on banking apps you use on your smartphone, which means that only you have access to your accounts and banking transactions. Add the biometric authentication or 6-digit PIN you have to enter before you get your security code, and you'll stay doubly protected that way.

2. It's always up to date

Updates to your digital token take place remotely and virtually, so there's no need for you to apply for a replacement physical security device when your existing one has been phased out or runs out of battery. These virtual updates ensure that your digital token is always going to be up to date, much like the way your smartphone will automatically update to the latest operating system. This means you won't have to wait for new physical security devices to be sent to you or go through more cumbersome steps to reactivate a new dongle.

3. It's convenient and always by your side

Let's face it - most of us could leave our wallets at home these days and still survive a day out. If you're out for dinner with friends, you'll be able to?pay thempay them with PayNow?for your share of the meal with?PayNowPayNow to transfers paynow, as long as you've got your mobile phone with you. It's the same with your digital token. You'll enjoy a world of convenience without having to always keep track of where your physical security device is. No more worrying about misplacing it and not being able to log on to online banking until you get a physical replacement either.

4. It's ready to use in a jiffy

Remember how you had to wait for your physical security device to be sent to you and then go through quite a few steps to get it activated? You won't face this issue with a digital one.?Setting up your digital token is a task that can be done in a matter of minutes. Once you've activated it with just a few taps on your banking app, it's ready for you to use. Instantly.

5. It's environmentally friendly

Physical security devices involve quite a hefty carbon footprint because of all the manufacturing, shipping and packaging involved in producing them. Their limited shelf life also creates an additional waste management problem after they run out of battery or are phased out for newer versions. You can do your part in going green by using digital tokens and taking your banking completely virtual.

?