Article:

How does a Virtual Smart card protect a customer if they lose or change their mobile phone?

From banks to government agencies, many organisations are intrigued by and exploring software security solutions such as mobile tokens and mobile identity systems for individual identification, authorisation and authentication. 

This raises questions such as: What happens if a mobile banking customer loses or changes their phone? How does upgrading devices impact a person’s mobile identity? 

Here are the answers to these common questions – based on an interview with Zhifeng Koh, Senior Product Manager at V-Key. 

 

What happens if a person using V-Key-secured applications loses their phone?

Even when a person loses their mobile phone, all of their critical information in V-Key-secured applications, including those related to mobile banking, stay protected. 

Most mobile banking apps have two layers of built-in security – the phone’s lock screen, and the mobile banking username and password. V-Key adds a third and extremely resilient layer of security: a secure container within the mobile app that stores and processes all critical information. Even if the first two layers are compromised, the data within the secure container remains protected. 

What’s more, V-Key-secured applications can only be accessed by one person, on one device alone. Cybercriminals cannot use lost or stolen devices to login with other credentials. 

When the person gets a new phone, they should contact their service provider to reactivate the application on their new device. 

 

What happens if a person using V-Key-secured applications changes their phone?  

The process for changing a phone is similar to replacing a lost phone. If a person changes phones, they should contact their service provider to reactivate the application on their new device. The exact process depends on the business or service provider. For example, some of V-Key’s customers prefer to send their users a secure mailer containing a QR code that, when scanned, will activate the application on the new device, and deactivate the old one. 

If the old phone was secured using biometrics, the biometric registration process must take place again. This is to maintain the high level of security that biometric solutions offer. Re-registering an eye print, face print or voice print is similar.

 

If a customer uses a mobile identity system, what is the security impact of losing or changing a phone?

A mobile identity is a digital profile that corresponds to a real person. To set up a mobile identity, a person needs to provide a trusted source of information, such as a government-issued identity document. Because a mobile identity contains valuable personal data, access should be controlled using biometrics. 

Think of a mobile identity as a more secure, convenient and authenticated version of autocomplete services such as Google Auto Fill. When an application needs access to personal information – such as credit card details and a shipping address – the mobile identity system requests permission to provide those details. Authorisation is completed via biometric verification. 

Ideally, mobile identities should be protected by biometric verification. If this is the case, the security impact of losing or changing a mobile phone is minimal. If a person does lose a phone with a mobile identity, they can also remotely wipe or lock it. 

 

How are V-Key solutions safer than existing security methods?

V-Key solutions are significantly more secure than methods used by some of the world’s biggest banks and government agencies. Let’s use hardware tokens as an example. When a banking customer loses a hardware token, anyone can press the button and generate a code. If the customer is being targeted by cybercriminals, they may already have the user’s online banking username and password. 

In addition, people often don’t pay attention to where they store hardware tokens – they are tossed in bags or drawers and forgotten about. If a token goes missing, security could be compromised for weeks before a customer notices. Then, once they realise that the token is missing, they contact the bank and wait several business days for the new token to arrive in the mail. 

On the other hand, it is difficult to pick up a device on the street and gain access to a V-Key secured mobile banking application. With multiple security layers, possibly including biometric verification, hackers cannot conduct banking transactions on a lost or stolen device. What’s more, people check their phones multiple times a day as opposed to tokens which are only taken out only when needed. So if a phone is missing, people notice almost immediately – providing more time to lock or remotely wipe a device as needed. 

 

If a customer uses mobile identity systems, what is the day-to-day impact of losing or changing a phone?

Mobile identity systems are tied to the phone hardware and need to be recreated when moving to a new device. If a person changes phones but has not yet recreated their mobile ID, they will need to fall back to traditional verification methods, such as an SMS one-time password, hardware token or non-mobile channel (i.e. in person at the bank), to access applications that use the mobile identity system. This level of security is critical for protecting a user when they lose their phone, as their identity is at greater risk of being stolen.

 

With regards to V-Key’s solutions, what steps should a person take if a phone is lost, or they plan to upgrade devices?

A person that uses a V-Key-secured application or mobile identity should inform their service provider. Each service provider has different processes for reactivating mobile banking applications and setting up new mobile identities. 

 

What else can people do to protect their data in case a device is lost?

A person using V-Key-secured applications or a mobile identity does not need to take any additional precautions to safeguard their data, as the safeguard is already built in to the solution. Robust security measures are built into every solution at every step of the digital process. These measures include biometric verification; multiple layers of security; the fact that users can only access an app or use mobile authentication on a single device; remote wiping; and, in the case of mobile banking, automatically verifying transactions to prevent fraud. In turn, this makes protection as convenient as possible – even when a device is lost or replaced.

  

Other articles:
Articles
Why Existing Mobile Software Protections are Insufficient

Recognizing that existing mobile software protections are insufficient against today’s cyber threat landscape, we take a closer look at the main types of software protections in the market.

Articles
V-OS Protection against CPU vulnerabilities

Virtually every computing device in the world is made unsafe by the latest disclosures on Central Processing Unit (CPU) vulnerabilities. Find out how the virtual secure element technology is protecting millions of mobile application users against such vulnerabilities.

Articles
V-OS Protection against Android Plugin malware

There has been a recent surge in Android malware abusing Android Plugin Frameworks for malicious behavior. DroidPlugin, Parallel Space and VirtualApp are several plugin frameworks that have been abused by malware in recent months to spread Android malware.

Articles
Three steps to fight the Mobile Security status quo

Have financial institutions accepted a status quo that sacrifices user experience for increased security? With mobile digital identity quickly becoming central to an entire suite of online services, those who challenge the status quo will set themselves up to prosper and grow. Read more to find out three oft-ignored areas of research.

Articles
Cryptography in V-OS

V-OS is the world’s first virtual secure element. Cryptography plays a dual-role in these; to secure and manage the secrets kept within V-OS, and to provide a lightweight yet comprehensive cryptographic library.

Articles
Building V-OS with HSM

V-OS is the world’s first virtual secure element, a software solution with security built into the firmware code. These include secret cryptographic parameters and data, which need to be randomly generated and securely persisted, and are then transformed into code and data files.

Articles
Is software-based Biometrics Authentication the solution to ASEAN’s regulatory challenges?

Banks in Southeast Asia should look towards software-based biometrics as the way forward to navigate the regulatory differences in the region and secure their customers’ transactions.

Articles
Infographic: The next frontier in Banking transformation

As technology evolves, banks and financial institutions have no choice but to innovate. However, when it comes to security, many still rely on traditional, costly methods.

Articles
Mobile Security that works for everyone

Safe, convenient and simple.

Articles
The next wave of Finance: Singapore’s growing Fintech market

With global cumulative investment in financial technology (fintech) forecast to exceed US$150 billion in three to five years, economies around the world are vying to attract fintech innovators and cash in on this growing industry.

Articles
Deloitte Partners with V-Key

Deloitte’s Thio Tse Gan, Cyber Security Leader (SEA), shares his views on V-Key’s impressive technology, that brings an end-to-end mobile identity solution.