Phishing for trouble: The returning physical bank token is no silver bullet
Singapore is looking to implement what would be a world-first national roll-out of bank tokens
[SINGAPORE] Physical banking tokens are making a comeback.
The Monetary Authority of Singapore (MAS) is working with banks on a Fast IDentity Online (Fido) hardware token that must be connected to a customer’s device to approve high-value online banking transfers – in what would be a world-first nationwide roll-out.
The return of the physical token brings back memories of the pocket bulge of the early 2000s, when banks here issued a similar device with a number pad for generating one-time passwords (OTPs) to offer an extra layer of protection for online access.
Customers of multiple banks had to carry multiple tokens until 2017, when the industry shifted to digital tokens embedded in mobile banking apps.
Is Singapore reversing years of digital progress?
MAS has often signalled that more friction is coming, to manage expectations. As recently as August 2025, the authority was quoted as saying in The Straits Times: “While banks will do their best to minimise the inconvenience and give time for customers to get used to the new measures, there will be a need to prioritise security over convenience in the ongoing fight against scams.”
It is hard to argue with that, but there are two potential issues with the upcoming token.
One, it will not be easy to register, especially for those who are not tech savvy.
Two, even after the token is registered, it will not provide an ironclad guarantee against scams unless all websites support the technology.
Scarred by phishing
This is not to downplay the scale of the problem. Singapore’s wealth and high Internet penetration make the country a profitable target for transnational syndicates.
What’s more, phishing scams have been growing at an alarming rate. They accounted for losses of S$7.3 million in the first six months of 2023. This shot up to S$13 million in the first six months of 2024. The first half of 2025 has already seen S$30 million lost to phishing scams.
Concerned that phishing could undermine public confidence in Singapore’s digital banking systems, MAS has worked with banks to tighten security over the last few years.
A kill switch now lets customers freeze all their banking accounts if they suspect the accounts have been compromised. Banks have also introduced a delay of at least 12 hours before a new soft token can be activated on a mobile device.
A money-lock feature now allows customers to lock away specified sums from online transfers. Customers can withdraw from the locked-away stash only when they show up in person at bank branches or at automated teller machines.
Banking apps have also been upgraded to restrict customers’ access to online banking if risky activities are detected on users’ phones. This is to combat malware scams, where people are tricked into downloading malicious apps that give hackers control of their phones. Hackers then steal victims’ credentials to wipe out their bank accounts.
These measures have come after a spate of phishing scams in 2021 and 2022 that targeted OCBC customers and caused losses of about S$13.7 million.
The Fido imperative
Fido tokens are the latest in banks’ arsenal of tools to counter phishing.
The Fido industry standard is designed to help online services authenticate users without passwords, making online access resistant to phishing.
Fido authentication uses a pair of matching cryptographic keys to unlock an online account. One key, the private key, is generated on and never leaves the user’s token; the other, the public key, is stored by the online service provider – a bank, social media or e-commerce platform. Each pair is unique to one user and one service, so a key registered with a bank is useless anywhere else.
The user’s key is stored in the Fido token. When the token is connected to the laptop or smartphone that initiates a transaction, it signs a one-time challenge from the service, bound to the website’s real address, and that signature approves the transaction without the user entering any passwords or OTPs.
Passwords offer weak protection. Users can be socially engineered to share passwords and OTPs via text or enter them on fake bank websites operated by hackers. With the stolen passwords, hackers can easily access victims’ banking accounts to steal funds.
With Fido security, a fake website cannot reuse the token’s signature, because the signature is tied to the genuine site’s address, and it cannot coax a password or OTP out of the user, because none is ever typed. To authenticate fraudulent transactions, the attacker would need the victim’s physical token, along with its PIN or fingerprint, and that is not easy.
Another plus: each token can store many pairs of keys for accessing multiple services, including those from banks and non-banks. This means users need not carry multiple tokens.
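The ceremony described above, as an added illustration in Go that is not part of this article and does not represent any bank’s or Fido vendor’s actual implementation: a token that holds one key pair per service, a browser that signs the bank’s challenge together with the page’s real origin, and a bank that rejects a signature produced on a lookalike site. The bank name, the two origins and the challenge strings are made up for the demo, and a software ECDSA key stands in for the token’s hardware-protected key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Token models the user's Fido device: one key pair per service ("rpId"); private keys never leave it.
type Token struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a key pair for rpId and returns only the public key, which the service stores.
func (t *Token) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[rpId] = priv
	return &priv.PublicKey, nil
}

// ClientData is what gets signed: the server's one-time challenge and the real page origin. The user types neither.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign is driven by the browser, which derives rpId from the page origin; a lookalike origin finds no credential.
func (t *Token) Sign(rpId string, cd ClientData) (cdJSON, sig []byte, err error) {
	priv, ok := t.keys[rpId]
	if !ok {
		return nil, nil, errors.New("no credential registered for " + rpId)
	}
	cdJSON, _ = json.Marshal(cd) // two plain strings: marshalling cannot fail
	digest := sha256.Sum256(cdJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cdJSON, sig, err
}

// Bank is the relying party: it knows its own origin and the customer's registered public key.
type Bank struct {
	Origin string
	pubKey *ecdsa.PublicKey
}

// Verify accepts an assertion only if the signature is valid under the registered key, the challenge is
// the one this bank issued, and the signed origin is the bank's own. A phishing-page signature fails here.
func (b *Bank) Verify(challenge string, cdJSON, sig []byte) error {
	digest := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(b.pubKey, digest[:], sig) {
		return errors.New("bad signature")
	}
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge || cd.Origin != b.Origin {
		return fmt.Errorf("client data mismatch: signed challenge %q on %q, bank issued %q at %q",
			cd.Challenge, cd.Origin, challenge, b.Origin)
	}
	return nil
}

// login runs one full ceremony; nil means the bank accepted it, an error says why it was rejected.
func login(token *Token, bank *Bank, rpId, challenge, origin string) error {
	cdJSON, sig, err := token.Sign(rpId, ClientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return err
	}
	return bank.Verify(challenge, cdJSON, sig)
}

// RunScenarios enrols a token with a hypothetical bank and tries three logins. All names,
// origins and challenges are constructed for the demo; a real server issues random challenges.
func RunScenarios() (genuine, lookalike, relayed error) {
	token := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &Bank{Origin: "https://bank.example"}
	pub, err := token.Register("bank.example")
	if err != nil {
		panic(err)
	}
	bank.pubKey = pub
	// 1. Real site: the bank's own origin, and the token holds a matching credential.
	genuine = login(token, bank, "bank.example", "challenge-0001", bank.Origin)
	// 2. Lookalike site: rpId follows the phishing origin, so the token has no key and never signs.
	lookalike = login(token, bank, "bank-login.example", "challenge-0002", "https://bank-login.example")
	// 3. Even if the bank's credential were exercised on the phishing page, the signed origin gives it away.
	relayed = login(token, bank, "bank.example", "challenge-0003", "https://bank-login.example")
	return genuine, lookalike, relayed
}

func main() {
	g, l, r := RunScenarios()
	fmt.Println("genuine:", g, "| lookalike:", l, "| relayed:", r)
}
```

Running it prints a nil result for the genuine login and two rejections: the lookalike page finds no credential to sign with, and an assertion that somehow was signed on the phishing page still carries that page’s origin and fails the bank’s check. Both checks only exist on a service that has enrolled in the ceremony; a merchant site that does not run it has nothing to verify, which is the gap the article turns to next.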
Over the past decade, savvy users have been using Fido tokens widely sold online to secure their online accounts, following increased support from the likes of Facebook, Amazon, Apple iCloud, Google and Microsoft.
It could be the one key to secure everyone’s digital way of life. Plus, people can finally say goodbye to pesky passwords, which can be easily phished.
But this utopia hinges on an entire ecosystem of banks, online merchants and website operators supporting Fido authentication.
Without the ecosystem, users will still fall prey to phishing scams when they enter, say, their credit card details on fake e-commerce websites. As most merchants have yet to enrol in Fido authentication, there is no sure way of telling the fake merchant apart.
Card-based fraud is already a big problem. Police said that phishing scams in the first half of 2025 involved mostly victims submitting their card details and authentication codes to scammers to complete seemingly legitimate purchases. This problem remains.
Here comes the friction
Here’s the other rub: Fido authentication will require users to jump through hoops initially.
First, users need to register their tokens through an onboarding process that varies from service provider to service provider.
The website of Microsoft, one of the biggest proponents of the standard, offers the most simplified instructions compared with the “computerese” elsewhere. Even so, there are at least 13 steps – enough to put off most users.
MAS and banks have not disclosed how users can register their soon-to-be-issued tokens. If tech vendors’ websites offer any indication, it will be an obstacle course that requires tech support.
Second, token manufacturers have a separate set of instructions for changing the default PIN, and storing fingerprints.
Hardware makers the likes of Google, Yubico, Thales and Feitian Technologies require users to download specific apps on their smartphones, and then connect the phone wirelessly to the tokens, to reset PINs and register fingerprints.
Users can also plug the tokens into their computers to reset the PIN and register fingerprints through Windows settings.
Again, this process may not be easy for the uninitiated.
Third, it is unclear who foots the bill.
A basic Yubico Security Key C NFC, with a USB-C connector and near-field communication (NFC) wireless support, costs US$29 on Amazon. Add a fingerprint reader and the price can go up to US$90.
Fourth, there is a recovery process that involves deactivating a lost or stolen token on every service provider’s website. It is similar to reporting and cancelling a lost bank card to prevent abuse, except that a lost token is more troublesome, depending on how many services it authenticates.
Fifth, many vendors also advise users to set up a backup token to avoid disrupting their digital lives if they lose the primary token. This means double the cost.
Sixth, who can customers call to get help if they encounter hardware or authentication issues? Is there a universal helpdesk?
Lastly, banks may need to front the tech desk for their millions of customers to handle queries ranging from how to set up or use a token to deactivating lost tokens and recovering online access.
Will this mean a longer waiting time at bank branches or on hotlines for other banking matters?
Given these challenges, it is little wonder no bank has rolled out Fido tokens to every customer.
Bank of America gives savvy customers the option of securing their accounts using Fido tokens, but the bank does not issue the tokens.
In 2022, Citi piloted Fido authentication that involved using biometrics or a QR code on a mobile device to access banking accounts. But the pilot is for commercial customers only.
Among the biggest proponents of Fido authentication are Google and Microsoft, whose helpdesks are managed internally. Both firms have moved employee sign-ins away from passwords to Fido tokens, to better protect staff from phishing attacks.
In many ways, Singapore will be entering uncharted zones with its nationwide roll-out plans. It is not clear if the new Fido tokens are meant to replace only banking OTPs, or all passwords.
Consumers may be more receptive if the tokens offer them a way out of the frustrations of managing passwords. A password-less future is one sure way of measuring digital progress in Singapore.
A lot of convincing is also needed to get an entire ecosystem of service providers and merchants – not just banks – to support Fido authentication before phishing scams can be shut out entirely.
Until then, many may not be happy with the return of the physical token. THE STRAITS TIMES
Copyright SPH Media. All rights reserved.