Skip to main content

Many password security systems still rely on single-factor authentication, typically comprising of a user identification and password, which is proving inadequate in light of technology advancements and the rise of digital crimes.

There have been more cases of hacking incidents involving local trading accounts that have led to unauthorised trades. Hackers have different means to steal passwords and take control of trading accounts. Passwords can be cracked by brute force with software, and it is possible for hackers to generate more than 500,000,000 passwords per second, with powerful processing hardware. They can also trick people into providing personal details and passwords via social engineering tactics including phishing e-mails, fraudulent websites, suspicious mobile apps and messages on social media. Even the strongest passwords will be useless if people give out their passwords.

What is 2FA?

Two-factor authentication (2FA) strengthens security by requiring the user to provide a combination of two different types of authentication to login to an account. The first step of authentication is to provide the login ID and password followed by the second step, such as providing a one-time password obtained from SMS or security token. Digital certificates and biometric authentication can also be forms of authentication.

Online banking users may already be familiar with 2FA which provides an additional layer of security when making certain banking transactions, such as transferring funds to an unregistered third party account. 2FA serves as a deterrent and makes it harder for the hackers. Even though hackers may have stolen the login credentials of users, they will need the required second factor authentication to complete the login process.

two-factor authentication, 2FA, login ID and password, one-time password, mobile phone sms, security token, digital certificate, biometric authentication

 How to use itSpecial features
One-time password

Enter a one-time password sent via SMS to your mobile phone, or use your security token to generate the password. The password expires within a very short time.

Security tokens are provided by the banks or brokers. They can be a physical device or virtual software installed on the mobile phone, i.e. hardware or software tokens.

Users can proceed with authentication anytime and anywhere with their hardware token or mobile phones with the software installed.

For users who receive the one-time password from SMS, do not use the SMS forwarding service offered by the mobile operator or download any SMS forwarding app to forward the one-time password to another mobile device or email address.

Biometric authentication It refers to authentication based on the unique biological features of each user, which could be a thumb print, voiceprint, iris or facial scan. Your smart phone has to support biometric reading.
Digital certificates

Digital certificates used for identity authentication can be stored on a smart card, e.g. ID card, or on an electronic key, e.g. USB authentication key.

During authentication, the user would insert the smart card or the key into a smart card reader or a USB port.

Digital certificates are not widely compatible with mobile devices.

A one-time 2FA login

2FA as an extra layer of security can help to prevent hacking. As such, the Securities and Futures Commission has made it a requirement for intermediaries, including brokers and banks, to implement 2FA when clients log-in to their online investment accounts. The regulator will not mandate any particular 2FA solution and intermediaries can choose to use any 2FA solution they deem appropriate. 2FA is only required once at the time of login, and there is no need for further authentication for each and every online order placement. By doing so, there will be no compromise to security or efficiency in online trading.

2FA alone cannot eliminate hacks

2FA can offer additional protection for online securities transactions but it cannot fully eradicate hacks. In fact, through various social engineering tactics, hackers are able to trick people into providing their login IDs and passwords, as well as the information required for the second authentication, such as stealing your mobile phone and security token.

It is important to maintain good online habits even if 2FA is in place. You are advised not to root or jail break your mobile devices, download apps from unauthorised sources and use public Wi-Fi and public computers to access your online account. Pay attention to your online investment account transactions at all times and keep your mobile phone and security token safely. For further details, please refer to the following articles published in our website: Security tips for online trading and Keep a close eye on your account.

 

27 October 2017