Hot News // Tuesday, June 3, 2008
Shutting out the middlemen

MAS updates guidelines on cyber-banking security
Esther Fung
esther@mediacorp.com.sg

IT USED to be an issue of
hackers guessing or digitally “eavesdropping” on your Internet
banking password — these days, their methods are more sinister.

Even after logging in
securely with your password and one-time Pin, you could fall prey to
a “middleman attack” in the midst of a transaction, with the hacker
able to modify messages between yourself and the bank.

That is why the Monetary
Authority of Singapore (MAS) is urging banks to implement more
controls to minimise these emerging cyber-threats.

“The popularity and
world-wide accessibility of Internet banking have attracted a
growing list of Internet hacking threats and exploits,” said the
MAS, which has updated the Internet Banking and Technology Risk
Management guidelines for banks.

This includes tightening
processes and applications for fund transfers, such as not allowing
the one-time Pin time-window to exceed 100 seconds. OCBC, for one,
currently has a 10-minute window for the end-user to key in the
second login pin after the first pin is entered.

More verification layers
have also been recommended, such as the customer’s signature from a
bank-verified “manual procedure”.

“When two-factor
authentication was introduced, it was to ensure that you are who you
say you are. What is now introduced are fine tweaks to further
secure online banking,” said Mr Ronnie Ng, manager for Systems
Engineering, Singapore, Symantec.

He added that while there
have been no reported cases so far of middleman attacks in
Singapore, “these attacks are very real”.

Two-factor authentication
requires — besides the standard user ID and password — the entering
of a one-time Pin sent to the customer’s mobile phone or generated
on a token.

But Internet user Emelynn
Wong was confused by the call for a handwritten signature. “Isn’t it
online banking?” she asked. And while there is software that can
capture handwriting electronically, “it could be costly”, she noted.

The MAS also recommended that
banks enhance technology-risk management, and have stronger
procedures for system and security development. This includes
testing for information leakages, in which hackers can find
loopholes through search engines.

Banks should also be wary of
internal sabotage — one of the most serious risks. Said MAS:
“Current and past employees, contractors and vendors and those with
an intimate knowledge of the inner workings of the banks’ systems,
operations and internal controls have a significant advantage over
external attackers.”

An OCBC spokesperson said the
bank has implemented some measures — such as SSL server certificate
warnings — and OCBC will assess the new guidelines and implement
them progressively.

But end-users should practice
good security habits. Mr Ng suggests avoiding using Internet kiosks
for banking transactions, as malicious software may be installed by
other users.

For Wi-Fi users, the risks
depend on how secure one’s laptop is: Hackers can detect an ongoing
online-bank transaction, which can be compromised if not protected.


