Debate over how one-time passwords are sent out

An extra layer of security in the form of one-time passwords (OTPs) will soon be required for sensitive e-government transactions, following the breach of SingPass accounts here last month.

But debate has arisen over how these passwords should be sent out.

Usually such OTPs are delivered via SMS, or generated on security tokens like the name-card size keypads that bank customers are familiar with.

They are entered into websites on top of the usual user name and password in a process called two-factor authentication (2FA).

While government agencies have not said whether SMS or tokens would be used, security experts have sounded the alarm over the use of SMS messages, which they say can be easily intercepted.

"There have been cases where cyber criminals change the phone numbers associated with bank accounts, so the SMS OTP is delivered directly to the hacker rather than to the account holder," said Mr Sharat Sinha, Asia-Pacific vice-president of United States-based network security firm Palo Alto Networks.

Smartphones can also be easily infected with spyware that intercepts OTPs and forwards them to computer servers run by hackers.

Spyware is downloaded into smartphones when people click on an infected Web link or a business card typically sent as an attachment to a text message, said Mr Eric Chan, regional solution consulting director of US-based security software firm Fortinet.

"Within seconds, the virus can secretly seize control of the phone," he said.

Security experts said tokens are safer as they are less likely to be intercepted by hackers.

But users say they should have a say in the matter, and some are willing to take the risk for the sake of convenience.

Copywriter Lee Teen Yen, 40, said citizens should be allowed to choose whether to receive OTPs via SMS or tokens - just like how many banks have provided users with that choice.

"Some people may want to use tokens and some people may want SMS for convenience," she said.

Marketing manager Vanisha Lakhwani, 27, said she prefers to receive OTPs via SMS. "I can't imagine carrying another token; I already carry two from two banks," she said.

Marketing manager Aaron Koh, 38, said: "Security does not have to mean inconvenience to the user." He suggested using newer 2FA technologies like the Google authenticator, a smartphone app that generates OTPs.

Another way is to issue new identity cards with keypad tokens embedded, although these are costly.

When contacted, the Infocomm Development Authority said: "Government agencies are currently working (on) plans to improve security for e-services, balanced with usability. More details will be announced later this year."

This article was first published on July 21, 2014. Get a copy of The Straits Times or go to for more stories.