I refer to the article, “Banks to beef up e-banking security after spate of scams” (Jan 20).
While it is a good step in the right direction, it is also a sad reflection of how society’s relentless pursuit of convenience makes the various phishing attacks so effective to begin with.
If not for society’s ever-increasing demands for “faster, easier”, businesses would not have implemented interactive methods to communicate with customers that attackers can take advantage of. Globally, businesses often implement end-user convenience measures because enough customers demand them.
Similarly, the degree to which other financial industry-related entities implement basic security features should be reviewed.
I offer two examples, one personal and one corporate, for the Monetary Authority of Singapore (MAS) and other regulatory agencies to consider.
I recently used an online payment processor, whose website states that it is licensed by MAS as a major payment institution under the Payment Services Act, to pay a bill.
However, when I logged in to its website, I saw no two-factor authentication (2FA) being implemented, and my account was secured only by username and password.
I also saw no option inside the interface or dashboard which allowed 2FA to be enabled.
I would have thought that MAS would mandate all major payment institutions to have at least 2FA as an added layer of protection against unauthorised access.
For the other example, my employer recently applied to a major local stock brokerage for a corporate securities account.
However, it was informed that 2FA was available only for personal accounts – corporate accounts did not have any 2FA and could be secured using only username and password.
My employer cancelled the application and went with another brokerage that at least offers 2FA via SMS, which is better than no 2FA at all.
It is surprising that some brokerages do not offer any form of 2FA for corporate accounts. An attacker wanting to ruin a corporate client could potentially log in using just a compromised username and password, and execute intentional trades to cause the company massive financial loss.
I have often said that security and convenience are inversely related.
It should not take suffering financial or reputational loss to make regulators, businesses and customers start to appreciate how an ounce of preventative inconvenience is much better than a ton of reactive rectification.