From banks to government agencies, many organisations are intrigued by and exploring software security solutions such as mobile tokens and mobile identity systems for individual identification, authorisation and authentication.
This raises questions such as: What happens if a mobile banking customer loses or changes their phone? How does upgrading devices impact a person’s mobile identity?
Here are the answers to these common questions – based on an interview with Zhifeng Koh, Senior Product Manager at V-Key.
What happens if a person using V-Key-secured applications loses their phone?
Even when a person loses their mobile phone, all of their critical information in V-Key-secured applications, including those related to mobile banking, stay protected.
Most mobile banking apps have two layers of built-in security – the phone’s lock screen, and the mobile banking username and password. V-Key adds a third and extremely resilient layer of security: a secure container within the mobile app that stores and processes all critical information. Even if the first two layers are compromised, the data within the secure container remains protected.
What’s more, V-Key-secured applications can only be accessed by one person, on one device alone. Cybercriminals cannot use lost or stolen devices to login with other credentials.
When the person gets a new phone, they should contact their service provider to reactivate the application on their new device.
What happens if a person using V-Key-secured applications changes their phone?
The process for changing a phone is similar to replacing a lost phone. If a person changes phones, they should contact their service provider to reactivate the application on their new device. The exact process depends on the business or service provider. For example, some of V-Key’s customers prefer to send their users a secure mailer containing a QR code that, when scanned, will activate the application on the new device, and deactivate the old one.
If the old phone was secured using biometrics, the biometric registration process must take place again. This is to maintain the high level of security that biometric solutions offer. Re-registering an eye print, face print or voice print is similar.
If a customer uses a mobile identity system, what is the security impact of losing or changing a phone?
A mobile identity is a digital profile that corresponds to a real person. To set up a mobile identity, a person needs to provide a trusted source of information, such as a government-issued identity document. Because a mobile identity contains valuable personal data, access should be controlled using biometrics.
Think of a mobile identity as a more secure, convenient and authenticated version of autocomplete services such as Google Auto Fill. When an application needs access to personal information – such as credit card details and a shipping address – the mobile identity system requests permission to provide those details. Authorisation is completed via biometric verification.
Ideally, mobile identities should be protected by biometric verification. If this is the case, the security impact of losing or changing a mobile phone is minimal. If a person does lose a phone with a mobile identity, they can also remotely wipe or lock it.
How are V-Key solutions safer than existing security methods?
V-Key solutions are significantly more secure than methods used by some of the world’s biggest banks and government agencies. Let’s use hardware tokens as an example. When a banking customer loses a hardware token, anyone can press the button and generate a code. If the customer is being targeted by cybercriminals, they may already have the user’s online banking username and password.
In addition, people often don’t pay attention to where they store hardware tokens – they are tossed in bags or drawers and forgotten about. If a token goes missing, security could be compromised for weeks before a customer notices. Then, once they realise that the token is missing, they contact the bank and wait several business days for the new token to arrive in the mail.
On the other hand, it is difficult to pick up a device on the street and gain access to a V-Key secured mobile banking application. With multiple security layers, possibly including biometric verification, hackers cannot conduct banking transactions on a lost or stolen device. What’s more, people check their phones multiple times a day as opposed to tokens which are only taken out only when needed. So if a phone is missing, people notice almost immediately – providing more time to lock or remotely wipe a device as needed.
If a customer uses mobile identity systems, what is the day-to-day impact of losing or changing a phone?
Mobile identity systems are tied to the phone hardware and need to be recreated when moving to a new device. If a person changes phones but has not yet recreated their mobile ID, they will need to fall back to traditional verification methods, such as an SMS one-time password, hardware token or non-mobile channel (i.e. in person at the bank), to access applications that use the mobile identity system. This level of security is critical for protecting a user when they lose their phone, as their identity is at greater risk of being stolen.
With regards to V-Key’s solutions, what steps should a person take if a phone is lost, or they plan to upgrade devices?
A person that uses a V-Key-secured application or mobile identity should inform their service provider. Each service provider has different processes for reactivating mobile banking applications and setting up new mobile identities.
What else can people do to protect their data in case a device is lost?
A person using V-Key-secured applications or a mobile identity does not need to take any additional precautions to safeguard their data, as the safeguard is already built in to the solution. Robust security measures are built into every solution at every step of the digital process. These measures include biometric verification; multiple layers of security; the fact that users can only access an app or use mobile authentication on a single device; remote wiping; and, in the case of mobile banking, automatically verifying transactions to prevent fraud. In turn, this makes protection as convenient as possible – even when a device is lost or replaced.