By WINSTON CHAI

(SINGAPORE) Banks in Singapore will soon introduce a new security measure that could help prevent credit card crooks going on an online shopping spree at your expense.

Over the next six months, both local and foreign banks with retail banking operations here will introduce a new requirement called dynamic authentication for all credit card transactions over the Internet.

This means consumers will have to go through the additional step of keying in one-time passwords before online purchases can be processed.

The scenario takes a page out of the two-factor authentication (2FA) system that has been in use locally since 2006 under a directive from the Monetary Authority of Singapore (MAS).

Banks now use a combination of hardware tokens and text messages to generate passwords for customers to bank online, but usage will soon be broadened to include card-not-present transactions such as Internet shopping.

Web merchants typically require a user's credit card number, expiry date and CVV (card verification value) to complete a Web purchase.

Security experts have long highlighted the loophole with this approach - a lost or cloned card can easily be used for an online shopping bonanza.

The additional requirement of a one-time password will help plug this security gap.

'The risk in the current system is still quite high, given that key information required for undertaking an online transaction is all in the card itself should the card fall into the wrong hands,' said Michael Araneta, an associate research director with IDC Financial Insights.

Paul Ducklin, head of technology at IT security firm Sophos Asia-Pacific, said: 'Two-factor authentication doesn't completely solve the problems of online phishing and fraud, but it makes things much harder for the bad guys.'

Besides card-holders, merchants are also falling prey to online credit card scammers.

For example, the United States Commercial Service, the trade promotion arm of the US Department of Commerce, issued a website notice in December last year warning of an increase in bogus orders originating from Singapore.

'The US Commercial Service, American Embassy Singapore, has received multiple complaints from US merchants reporting fraudulent credit card transactions committed by companies or individuals purporting to be in Singapore,' it said.

'Investigation of the fraudulent transactions has revealed that the shipments are actually being sent to freight forwarders in Singapore and diverted to unknown consignees in neighbouring countries.'

It urged merchants to check the legitimacy of Singapore-issued credit cards before shipping goods.

Experts say the adoption of 2FA for online card transactions will help protect merchants against such incidents.

The new dynamic authentication requirement is again mandated by MAS as part of its latest efforts to deter cyber crime and card fraud.

Besides the use of passwords for online purchases, other measures such as transaction alerts and mandatory activation of new and replacement credit cards will be introduced later this year.

By the end of 2011, more secure microchip-based credit cards will replace all magnetic-strip cards now in circulation.

This article was first published in The Business Times.