..and lo and behold....the neighbor is Lionel de Souza...:(:(
Woman's bank shock: Info sent to neighbour
DBS Net banking user ID, PIN, security token sent to wrong address
By Mavis Toh
IMAGINE the anxiety you would feel if, after applying for an Internet banking account, you are told that the bank has sent your user ID, personal identification number (PIN) and security token to the wrong address.
In the case of a 35-year-old housewife, these items were mailed to her neighbour's home by DBS Bank.
She lives in unit #01-20 in a Bedok condominium, but her documents were addressed and delivered to #01-02 in the same development.
Fortunately for her, the neighbour who received her user ID and security token alerted The Straits Times when the sealed mailer containing the password arrived some days later.
The housewife, who declined to be named, insisted she gave the bank the correct address when she filled out the application form at its Suntec City branch.
When contacted, DBS did not want to comment on the case, citing customer confidentiality, but urged customers to check that they have provided the right address when signing up.
Its spokesman added: 'As with any other banking documents, the tokens are sent to the mailing address that is authorised by the customer.'
DBS and POSB have 1.35 million customers who bank online.
Security experts contacted said the security breach could have led to monetary loss.
The neighbour who received the housewife's Internet banking documents, private investigator Lionel De Souza, did not open the sealed password mailer. He said: 'This is dangerous. If it lands in the wrong hands, money will be lost.'
An individual who receives another person's user ID, PIN, registration code and security password token device can log into that person's account and make Internet transactions.
Bill payments can be easily made, although fund transfers involving large sums will not go through, because a one-time password sent to the cellphone of the rightful owner of the account will still be needed.
Mr Gerard Tan, the president of the Association of Information Security Professionals, said it is important for DBS to investigate what went wrong.
'To get this mix-up, someone may have updated the wrong address or keyed the wrong information into the system,' he said.
He said the window period, before the customer realises that his or her documents have gone astray, gives opportunity to those with criminal intentions. 'It is clearly an invasion of privacy and a breach of confidentiality,' he said.
The Monetary Authority of Singapore's (MAS) Internet Banking and Technology Risk Management Guidelines stress that the bank must ensure a customer is properly identified and authenticated before giving access to sensitive information or online banking functions.
Mr Tan suggested banks call customers within two days of sending out the documents or get them to pick them up in person so their identities can be verified.
The housewife said that, to beef up security, the bank could also get customers to call in when they receive the token so their details can be verified; the password should only be sent to them after this.
On its part, DBS said there has not been a case in which a token sent to a wrong address was used unlawfully for banking transactions; it added that its Money Safe guarantee protects its customers from unauthorised transactions.
DBS was censured by the MAS for a systems breakdown in July which crippled its Internet and branch banking and ATM network for seven hours.
For now, the housewife, already stung, has decided to stick to paying her bills at ATMs.
She said: 'It's dangerous, what has happened. I've definitely lost confidence... and as convenient as Internet banking can be, maybe it's not for me.'