TOO MUCH TRUST IN ONE DEVICE
Part of the problem is that the smartphone has become the gateway to everything in a user’s life, including their bank accounts.
Banks have been leaning into phone-based authenticators, which prompt the user for authorisation through SMS or an app notification before proceeding with online transactions. This is convenient, but it merges the authentication factor and the application being authenticated into one device. That becomes a problem if that one device falls under the control of an attacker.
Netizens have suggested that banks could bring back physical security tokens to overcome this problem. However, security tokens are an additional device that you must carry with you if you want to be able to authorise activities. You may need a unique device for each bank or organisation, so they may stack up and become confusing to manage.
In an ideal secure smartphone, banking apps would be able to completely isolate themselves from anything else that may run on the phone, including malware. However, if any holes are discovered in the technologies that provide this isolation, this could still be a problem. So perhaps a re-think about authentication factors is in order.
MALICIOUS APPS AREN’T THE ONLY THREAT
Beyond the smartphone screen, there are other areas of concern. Some may find a phone call to be a more personal – and perhaps safer – method of doing business. That is not necessarily true, given how prevalent phone scams have become in recent years.
In fact, receiving a verification phone call from a banking office is jarring in an age of scams. Singapore customers have complained that while banks can authenticate users through one-time passwords or security questions, customers have no way of verifying the legitimacy of a banking officer when one contacts them.
Banks could lean upon their other communication methods, such as notifications within their own apps, to allow the customer to verify the authenticity of requests, and even authorise the sharing of data. At a minimum, a customer should always be able to call back using a publicly verifiable contact number, such as one listed on an official website, before continuing a conversation.
More limits could also be placed on the information businesses can ask of a user for verification purposes. If we look to the regulations in Singapore, the protections of the NRIC are a good example of safer sharing of sensitive data with businesses. The Personal Data Protection Act restricts its collection and storage to cases determined to be necessary under the law, such as seeking medical treatment or getting a new phone line.
Partial recording of the NRIC is allowed in some circumstances, although collecting more than the last three digits and the final character is cautioned against as being too revealing. Given how much of Singaporean life hinges on the NRIC, it is understandable that it should be strongly safeguarded.