I chanced upon this occurrence a few weeks ago. This may be a silly question but I haven’t found any answer to it (or maybe the crowd I mix with find it an impossibility).
Most of us have our mobile apps on the phone. We unlock our phone, we open the app, we type our credentials, we check our balance - we transfer or buy … blah blah blah …
What if our phone is lost, or even stolen in a crowded place where a near by-stander has overlooked to see our zig-zag phone unlock password while we were too busy!!
Now he steals your phone and unlocks it. He opens a banking app, he sees the user-name saved (for frequent use) but the password field is blank !! He immediately clicks on “forgot password” → a temporary password is sent to him immediately on the same phone via sms (with all the caution in the world stating - “please don’t share”).
Now he has a temporary password … he can log in and do whatever he wants - even change the password to one he wants!! In case the owner hasn’t realized that his phone has been stolen yet, lots of things can be done by then.
This is quite a plausible scenario. How does a neo-bank build additional guard-rails for these types of situations?
Hey Mario, not only neobanks but most banks currently have a robust ‘forgot my pin’ flow. As you’ve described a single forgot my password won’t lead you to getting a password prompt on your phone.
Generally post verifying the phone # and registered device, additional details are asked before a temporary password or setting up a new password is allowed (Eg: Debit Card No. and Pin, Secret Question, etc.)
So I think you should be rest assured it’s rare you will lose your bank details only with a phone lost. Things get a bit complicated if you lose you phone along with a wallet (which may have your cards/ identity cards like aadhaar, PAN)
Thanks. So here is my recommendation - should an individual biometric type of authentication also be used alongside the other methods to authenticate - especially for the loss of a pin?
Sure thing Mario, biometrics could be a possible type of authentication.
As this authentication depends on the type of device and OS you are on it most likely be used as an option with something else?
Think of a forgot pin you as a user want to initiate from your bankwebsite. Biometrics wouldn’t be able to really help in that case.
App only journeys could might as well have biometrics as valid authentication.
You’re right. If you consider multiple digital channels - then maybe face recognition would be a better choice (since the web-cam could be used to authenticate).
However, I guess this is one area that could still have human intervention. In fact in ICICI to authenticate an account, they get on a video call to authenticate you. Getting access back into one’s system would after all the most important critical thing for a customer in case he is locked out, phone lost or stolen.
Here human intervention acts as an act that provides solace. Much needed in times of anxiety (Getting locked out of your account in this case). Interesting to see if there are any other examples where customer anxiety is handled in some otherway (Except Video call).
One such case I can think of is a lost card, you call a hot line (with or without an agent) to directly block your card.
We need something like an IVR no. or website to which we can call on or visit to block/unblock our Jupiter account (temporay freeze only), Debit Card (block permanently or temporarily) in case we loose both our phone and debit card.
By simply putting in our account no. and MPIN (created with Federal Bank) in case of an IVR no. , or registered mobile no. or registered email address and MPIN in case of a website to block/unblock Jupiter account, Debit Card.
I suggest having a website portal of the app as well. In scenarios such as having lost the phone, we need a way to access our account, change password, phone number, block card, and do some transactions, etc. while we are waiting for a new phone.