KUALA LUMPUR – In its bid to mitigate the spike in online banking scams, Bank Negara Malaysia (BNM) has recently instructed financial institutions to cease using SMS one-time passwords (OTPs) and migrate to more secure methods of authenticating transactions.
Although there is no official data released on scams, Bukit Mertajam MP Steven Sim Chee Keong pointed to a recent news report indicating that between 2020 and May 2022, almost 72,000 scam cases involving online fraud were detected, causing losses of up to RM5.2 billion to bank customers.
According to Wultra, a Prague-based solutions company for digital banking and finance, transaction authentication via SMS-OTP is considered outdated due to the overall costs, low user convenience, insufficient regulatory compliance in certain regions, and security reasons.
In a blogpost, Wultra suggested a move from OTPs towards other authentication methods that can be carried out on mobile apps.
Moreover, a recent report by a national daily noted that fraudsters have software capable of reading OTPs and deleting the SMS messages sent by banks.
Addressing a litany of complaints on the matter, BNM governor Tan Sri Nor Shamsiah Mohd Yunus yesterday said its latest instructions apply to transactions relating to account opening, fund transfers, and payments, as well as changes to personal information and account settings.
Noting that major banks have begun adopting more secure forms of authentication, Shamsiah also announced additional measures for banks, including stricter detection rules to block scam-related transactions, as well as a cooling-off period for first-time online banking enrolments and secure devices.
While the central bank governor did not elaborate on the newer methods for secure transactions, The Vibes explores some measures on the cards for banks and customers:
One-tap approval
Major banks such as Maybank and CIMB have already introduced the Secure2u and SecureTAC one-tap approval features on their MAE and CIMB Clicks apps respectively. Unlike regular OTPs, which send six-digit passwords to customers via SMS (which could unwittingly be relayed to scammers), the one-tap approval involves users receiving a six-digit Secure TAC or Secure Verification via push notification to approve transactions. It may sound similar to the OTP method, but transactions can only be approved from a customer’s phone through apps such as MAE and CIMB Clicks, and not from any other device or app.
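The property that distinguishes one-tap approval from an SMS code is that the approval is computed by the enrolled device over the exact transaction shown to the user, so it cannot be relayed to approve anything else. The following added example illustrates that binding; it is not code from Maybank, CIMB or any bank, and it assumes a hypothetical scheme in which the enrolled app holds a per-device secret and returns an HMAC over the transaction details (the real apps' mechanism is not described in the article).

```python
import hmac, hashlib, json, secrets, time

# Constructed demo state. On a real phone the device key would live in
# secure hardware; here the dicts stand in for both sides so it runs offline.
device_keys = {}   # server side: customer_id -> key of the single enrolled device
used_nonces = set()  # server side: each pushed approval request is usable once

def enrol_device(customer_id):
    """Bind one device key to the customer (a cooling-off period would gate this step)."""
    key = secrets.token_bytes(32)
    device_keys[customer_id] = key
    return key  # held only by the app; nothing comparable is ever sent by SMS

def canonical(txn):
    """Stable byte encoding of exactly the details the user sees and approves."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()

def issue_challenge(customer_id, payee, amount, ttl=120, now=None):
    """Server builds the approval request that is pushed to the enrolled app."""
    now = time.time() if now is None else now
    return {"customer": customer_id, "payee": payee, "amount": amount,
            "nonce": secrets.token_hex(8), "expires": now + ttl}

def device_approve(device_key, txn):
    """The app displays payee and amount; the user's tap MACs that exact payload."""
    return hmac.new(device_key, canonical(txn), hashlib.sha256).hexdigest()

def server_verify(txn, approval, now=None):
    """Accept only an unexpired, unused approval from the enrolled device over this txn."""
    now = time.time() if now is None else now
    key = device_keys.get(txn["customer"])
    if key is None or now > txn["expires"] or txn["nonce"] in used_nonces:
        return False
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, approval):
        return False  # approval was for different details, or from another device
    used_nonces.add(txn["nonce"])
    return True

if __name__ == "__main__":
    key = enrol_device("cust-1")
    txn = issue_challenge("cust-1", "ACME Sdn Bhd", "150.00")
    approval = device_approve(key, txn)
    print("genuine approval:", server_verify(txn, approval))
    # The same approval presented against an altered amount is rejected,
    # which is the gap a relayed six-digit SMS OTP cannot close.
    print("altered amount:", server_verify(dict(txn, amount="9150.00"), approval))
```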
Biometric approval
Some banks, such as RHB, have already incorporated biometric features into their RHB Mobile Banking app, which grants users access only after a fingerprint scan. A former senior banking officer, who spoke on condition of anonymity, told The Vibes that customers could soon see banks implementing biometric features, such as fingerprint and face scanning, for a variety of online transactions.
Location and multi-factor authentication (MFA)
In certain instances, the biometric feature can also complement the one-tap approval method for authentication. Credit card and other purchasing or fund transfer transactions made on other devices by an account holder would also need verification via the customer’s mobile phone.
According to Incognia, a “privacy-first” location identity company that provides frictionless mobile authentication to banking and fintech companies, 90% of legitimate logins and 95% of legitimate high-risk transactions occur at a trusted location such as a user’s home, office or favourite restaurant.
The company proposed passive authentication such as behavioural biometrics, which identifies a user based on their gestures with a mouse or touchscreen, how they type, and how they hold their phone. For high-risk transactions, Incognia suggested the introduction of multi-factor authentication (MFA), which combines more than one way of verifying a legitimate user.
Bank tokens
Appearing similar to a calculator, a bank token is simply a hardware security device that displays a single-use PIN for financial transactions, according to business consultancy KMS Solutions.
The former senior banking officer who spoke with The Vibes said this was a “gold standard” method for secure transactions and has been used for some time, but mostly for companies that carry out large transactions daily, adding that it would be costly and impractical for regular consumers to have such a device. – The Vibes, September 26, 2022