New Security Feature in

Maybank, one of Malaysia’s top banks, is fighting hard against phishing attacks on the clients of its online banking service. Having already been hit by too many phishing attacks, the bank has finally imposed its so-called ‘New Security Feature’ on its online banking users. It is not the out-of-band transmission that fights Man in the Browser, but another layer of security to help clients fight phishing attacks.

What’s New?
Three things have been added. The first is that the client needs to select an image icon and set a challenge phrase that appears under the selected image. The user thereby stores additional information on the server. This image and its challenge phrase will appear each and every time before you enter your password to log in (I am not too sure about transactions, though). The reason for this feature is to ensure that the bank knows something that the user knows. Thus, for the user to trust the bank, the user has to check whether the bank knows the extra information the user stored. This can temporarily keep phishing attacks away. You might think you do not need this feature because you can identify phishing from the URL, but bear in mind that not all users are so careful, and in addition there are phishing attacks that do not change the URL much.

Next are the challenge questions. You need to set three challenge questions with your own answers. I am not too sure when these challenge questions will be used. Perhaps during transactions? In general, this is a challenge-and-response feature and it is quite common. But as for having three challenge-and-response pairs, I am not too sure. It could be that when you change some of your profile information, such as your password, you need the Transaction Authorization Code (TAC) together with the challenge questions.

The third is that when you log in, you no longer specify your username and password together for the bank to verify you. Instead, you specify your username first, then the bank shows you the image that you can trust, and only then do you send your password to them for authentication. You may notice that this login step is quite similar to the HSBC login system.
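The two-step login described above, modelled end to end as an added example (this is not the bank's code). The icon set, the names `Bank`, `step1`, `step2` and `user_login`, the PBKDF2 parameters and the decoy returned for unknown usernames are all assumptions made for illustration.

```python
import hashlib, hmac, os

ICONS = ["kite", "durian", "tower", "boat", "orchid"]  # constructed icon set
DECOY_KEY = os.urandom(32)  # server secret, used only to derive decoys

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Bank:
    def __init__(self):
        self.users = {}

    def enroll(self, username, password, icon, phrase):
        salt = os.urandom(16)
        self.users[username] = (salt, _pw_hash(password, salt), icon, phrase)

    def step1(self, username):
        """Username only: return the icon and phrase the user enrolled."""
        rec = self.users.get(username)
        if rec:
            return rec[2], rec[3]
        # Unknown username: answer with a stable decoy so step 1 does not
        # reveal which usernames exist (hardening assumed for this example).
        d = hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).digest()
        return ICONS[d[0] % len(ICONS)], "phrase-" + d[1:4].hex()

    def step2(self, username, password):
        """Password is checked only after the user has seen the image."""
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec[1], _pw_hash(password, rec[0]))

def user_login(site_step1, site_step2, username, password, expected):
    """User side: send the password only if the enrolled pair is shown."""
    if site_step1(username) != expected:
        return "aborted: image/phrase mismatch"
    return "logged in" if site_step2(username, password) else "rejected"

def demo():
    bank = Bank()
    bank.enroll("alice", "correct horse", "durian", "my cat is orange")
    expected = ("durian", "my cat is orange")
    real = user_login(bank.step1, bank.step2, "alice", "correct horse", expected)
    # Constructed look-alike page that has no access to the bank's records.
    fake = user_login(lambda u: ("kite", "welcome"), lambda u, p: True,
                      "alice", "correct horse", expected)
    return real, fake

if __name__ == "__main__":
    print(demo())
```

The user-side comparison only helps when the page in front of the user cannot obtain the enrolled pair, which is why the rating below still takes a point off for Man in the Middle.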

What is the Outcome?
Security – 3/5
Not having out-of-band transmission takes one point off the rating, and not fully protecting against Man in the Middle takes off another. However, it still deserves 3 points out of 5, as this new security feature will help a little for those users who are aware of it.

Convenience – 4/5
No real extra inconvenience has been added by this security feature. Transactions can still be done in the normal flow. Only the login now requires two steps, but that is not much trouble. However, one point is taken off because SMS TAC is used for normal users, which causes inconvenience during peak hours, as it is hard to receive the SMS TAC at that time.

Learning Curve – 4/5
It is not hard to learn to set up and use this new security feature. All the steps are provided in detail. There is even another web page to guide users on how to set up the new security feature. This user-friendly web page deserves a full points rating.

Information – 4/5
The information provided for this new security feature is not so complete. It is mentioned that it will increase security, but not how. Even for the security challenge, it was not mentioned when and how they implement it. It keeps me in a question mark cycle. However, since it is a banking web application, not many points are deducted, as possibly the untold items are private and confidential.

To close this entry, I would say that this new security feature does help a little in the battle against phishing attacks. It does not boost your security environment by much, but it is still something more out there to crack. Apart from security, other aspects such as ease of use and convenience are pretty much up to standard. It is a good security feature, and it does not change much of the operation flow from the previous one.

About Alan Tay

This blog is owned and operated by myMediaInc. My Media operates content based online portals for IT professionals, technology managers and decision makers as well as business leaders. We publish original quality content focused in Software Development, IT Security, SaaS, Cloud Computing, Outsourcing, Project Management and Mobile and Wireless. Our mission is to explore how to help you optimize your resources in each of these areas.
