Forum: A small inconvenience a small price to pay for better online security

I refer to the article, “Banks Bolster Electronic Banking Security After Series of Scams” (January 20).

While that’s a good step in the right direction, it’s also a sad reflection of how it’s society’s relentless pursuit of convenience that makes the various phishing attacks so effective in the first place.

If not for ever-increasing societal demands for “faster, easier,” companies would not have implemented interactive methods of communicating with customers that attackers can take advantage of. Globally, companies often implement end-user convenience measures because enough customers demand them.

Similarly, the extent to which other entities linked to the financial sector implement basic safeguards should be examined.

I offer two examples, one personal and one corporate, for the Monetary Authority of Singapore (MAS) and other regulators to consider.

I recently used an online payment processor, whose website says it is licensed by MAS as a major payment institution under the Payment Services Act, to pay an invoice.

However, when I logged into its website, I saw no two-factor authentication (2FA) being implemented, and my account was only secured by username and password.

I also didn’t see any option in the interface or dashboard to enable 2FA.

I would have thought MAS would require all major payment institutions to have at least 2FA as an additional layer of protection against unauthorized access.

For the other example, my employer recently approached a major local brokerage firm to open a corporate securities account.

However, he was informed that 2FA was only available for personal accounts – business accounts did not have 2FA and could be secured using just a username and password.

My employer canceled the application and went with another brokerage that offers at least 2FA via SMS, which is better than no 2FA at all.

It’s surprising that some brokerages don’t offer any form of 2FA for corporate accounts. An attacker wanting to ruin an enterprise customer could potentially log in using just a compromised username and password, and execute intentional transactions to cause massive financial loss to the enterprise.

I have often said that security and convenience are inversely related.

It shouldn’t take any financial or reputational loss for regulators, companies, and customers to begin to realize how much better an ounce of preemptive inconvenience is than a ton of reactive rectification.

Julien Ho

Melvin B. Baillie