Changing phone number, Lost phone, terrible process


#1

Hi,

My brother lost his phone while on vacation.

We would like to be able to change the number on the app, but when signing in on another phone (as advised) it sends verification to the old phone
…So whoever has that phone also has a verification code.

Who designed a process wherein security issues cannot be resolved via phone call? Also, if Revolut is attempting to be a bank, making one specific phone critical to ID and V is pretty bad design.

Automated chat bots are not really an acceptable solution, nor are humans who do not understand the flaws and security exploits in their system.

Please help.

Revolut has the potential to be very special but needs to think with some common sense.

Many thanks.


#2

What other techniques would you propose?


#3

Certainly NOT sending the verification code to the old phone, which might be in possession of a person who could access your Revolut account


#4

How would Revolut know you no longer have that number, and that it’s not someone else trying to access your account?


#5

Tying identity to something that can be replicated as easily as a phone number is not a wise security practice. Other companies drop an RSA key on your phone so that you have to pair it and all requests leaving that phone are authenticated; this at least prevents someone from stealing your phone number (note: not your phone) and magically having access to all your money (as they will be able to recover the PIN).
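The device-key pairing that post #5 describes, as an added example that is not from the original thread or from Revolut: the handset generates a key pair when it is paired, the server stores only the public key against the account id, and every request carries a signature plus a nonce and a timestamp. Ed25519 is used here in place of the RSA the post mentions (an assumption made for brevity; the property is the same), and the `Device`, `Server` and `SignedRequest` names and the 60-second freshness window are this example's own choices. The phone number is not an input anywhere, so porting the number to another handset yields nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// SignedRequest is what the paired phone sends: account id, request body, a
// strictly increasing nonce, a timestamp, and an Ed25519 signature over all four.
type SignedRequest struct {
	Account string
	Body    string
	Nonce   uint64
	Unix    int64
	Sig     []byte
}

// canonical is the exact byte string the phone signs and the server verifies.
func canonical(r SignedRequest) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%d", r.Account, r.Body, r.Nonce, r.Unix))
}

// Device is the client side. The private key is generated on the phone when it is
// paired and never leaves it; only the public key is sent to the server.
type Device struct {
	account string
	priv    ed25519.PrivateKey
	nonce   uint64
}

func NewDevice(account string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{account: account, priv: priv}, nil
}

func (d *Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign builds a request with the next nonce and signs it with the device key.
func (d *Device) Sign(body string, at time.Time) SignedRequest {
	d.nonce++
	r := SignedRequest{Account: d.account, Body: body, Nonce: d.nonce, Unix: at.Unix()}
	r.Sig = ed25519.Sign(d.priv, canonical(r))
	return r
}

// pairing is the server-side record: the device public key and the last nonce
// accepted, so that a captured request cannot be replayed.
type pairing struct {
	pub       ed25519.PublicKey
	lastNonce uint64
}

// Server keys pairings by account id; the phone number plays no part.
type Server struct {
	pairings map[string]*pairing
	now      func() time.Time // injectable clock so the flow can be exercised offline
}

func NewServer(now func() time.Time) *Server {
	return &Server{pairings: map[string]*pairing{}, now: now}
}

// Pair enrols a device's public key. Deciding that the person pairing is the
// account holder is the recovery problem the thread is about; assumed settled here.
func (s *Server) Pair(account string, pub ed25519.PublicKey) {
	s.pairings[account] = &pairing{pub: pub}
}

// Verify accepts a request only if it is fresh (within 60 s), carries a nonce newer
// than the last accepted, and is signed by the key paired to the account.
func (s *Server) Verify(r SignedRequest) error {
	p, ok := s.pairings[r.Account]
	if !ok {
		return errors.New("no paired device for account")
	}
	if skew := s.now().Unix() - r.Unix; skew > 60 || skew < -60 {
		return errors.New("stale request")
	}
	if r.Nonce <= p.lastNonce {
		return errors.New("nonce already used (replay)")
	}
	if !ed25519.Verify(p.pub, canonical(r), r.Sig) {
		return errors.New("signature does not match paired device")
	}
	p.lastNonce = r.Nonce
	return nil
}

func main() {
	srv := NewServer(time.Now)
	phone, _ := NewDevice("acct-42")
	srv.Pair("acct-42", phone.Public())
	req := phone.Sign("transfer 10 GBP to savings", time.Now())
	fmt.Println("paired phone: ", srv.Verify(req)) // <nil>
	fmt.Println("replayed:     ", srv.Verify(req)) // rejected
	other, _ := NewDevice("acct-42")                // unpaired handset, e.g. after a number port
	fmt.Println("other handset:", srv.Verify(other.Sign("transfer 10 GBP to savings", time.Now())))
}
```

`Verify` is the only thing that decides, and it never consults the phone number; how a replacement handset gets paired after a loss is the separate question the rest of the thread argues about.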


#6

Indeed - the latest attacks on many early bitcoin users involve porting their phone number to a phone the attacker controls… apparently it is almost trivially easy


#7

I would propose a solution such as: a phone number that you call, then you speak to a human who, in less than three minutes, could at least lock access to the app until a new phone is purchased.

I work on projects like Revolut for a living and I cannot imagine that at no point somebody did not put their hand up and say “what if the phone gets lost”. Having zero customer service telephone staff is usually an ideological decision sold as being what “millennials” want but actually being a way to cut the costs of business; a hybrid approach is usually best.

The other alternative would be to have a web based portal and allow the user to change the phone number to, say, a landline, and send the text to that landline, so that the user at least knows whoever has their phone cannot access all their money as well as their phone.

Or have a device similar to Barclays’ PINsentry, or use facial recognition or voice recognition. I believe ID and V will soon require something you know, something you have and something you are anyway.

I am a big fan of Revolut and have used them for years so am not being negative per se, but this is bad design for the sake of business convenience, which sadly is incredibly common.


#8

Any type of ID recognition (facial, fingerprint, etc.) can be easily generated. A customer service representative on the phone does not guarantee security, actually quite the inverse.

There are techniques that are put in place by other companies to enhance the security of these processes, where you are required to provide more than one factor when it comes to authenticating/resetting passwords.

The web based portal might make sense, but the point is that you still need two-factor authentication to be authenticated there; if that authentication path is not secure, the entire process is not secure.

Again, a phone number can be easily stolen.


#9

+1 on that

A web portal with 2FA, which can support multiple phone numbers via SMS, OTP, Authy (or other cloud based OTPs), printed codes, or a YubiKey.

Google does it, Facebook does it, Office 365 does it.
There is no lack of proper ways to do this, just a lack of interest in helping users do it securely.
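One shape of the recovery flow that posts #7 to #9 ask for, as an added example that is not from the thread, from Revolut or from any of the services named above: an account enrols several phone numbers and an authenticator app (RFC 6238 TOTP, the scheme Authy and Google Authenticator implement); a number reported lost stays on file but is refused as a delivery channel, and moving the account to a new phone needs two factors of different kinds. The `Account` type, its method names and the one-step clock-drift window are this example's assumptions; the SMS "delivery" simply returns the code so the flow can be exercised offline, and the printed backup codes and hardware keys from post #9 are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TOTP implements RFC 6238 (HMAC-SHA1, 30 s step, 6 digits), which is what the
// authenticator apps mentioned in the thread generate from a shared secret.
func TOTP(secret []byte, at time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix())/30)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// Account keeps the enrolled factors server side: several phone numbers, each
// with a "reported lost" flag, the authenticator secret, and SMS codes awaiting
// confirmation. Nothing here is tied to one specific handset.
type Account struct {
	phones  map[string]bool   // number -> reported lost
	totpKey []byte
	pending map[string]string // number -> one-time SMS code not yet confirmed
}

func NewAccount(phones []string, totpKey []byte) *Account {
	a := &Account{phones: map[string]bool{}, totpKey: totpKey, pending: map[string]string{}}
	for _, p := range phones {
		a.phones[p] = false
	}
	return a
}

// ReportLost keeps the number on file but disables it as a delivery channel, so
// whoever has the handset stops receiving codes the moment the loss is reported.
func (a *Account) ReportLost(number string) error {
	if _, ok := a.phones[number]; !ok {
		return errors.New("number not enrolled")
	}
	a.phones[number] = true
	return nil
}

// SendSMS issues a one-time code for an enrolled number that is not reported lost.
// The code is returned only so the example can simulate delivery offline; a real
// service would text it and return nothing.
func (a *Account) SendSMS(number string) (string, error) {
	lost, ok := a.phones[number]
	if !ok {
		return "", errors.New("number not enrolled")
	}
	if lost {
		return "", errors.New("number reported lost: refusing to send a code there")
	}
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	a.pending[number] = fmt.Sprintf("%06d", binary.BigEndian.Uint32(b[:])%1000000)
	return a.pending[number], nil
}

// Recover is the "I lost my phone" path: it needs a one-time code delivered to a
// number that is still trusted plus a current authenticator code. The SMS code is
// consumed on the first attempt, right or wrong, so it cannot be guessed by retrying.
func (a *Account) Recover(number, smsCode, totpCode string, now time.Time) error {
	want, ok := a.pending[number]
	delete(a.pending, number)
	if !ok || a.phones[number] || !hmac.Equal([]byte(want), []byte(smsCode)) {
		return errors.New("sms factor rejected")
	}
	// accept the current 30 s step and one either side to tolerate clock drift
	for _, d := range []time.Duration{0, -30 * time.Second, 30 * time.Second} {
		if hmac.Equal([]byte(TOTP(a.totpKey, now.Add(d))), []byte(totpCode)) {
			return nil
		}
	}
	return errors.New("authenticator factor rejected")
}

func main() {
	key := []byte("12345678901234567890") // constructed demo secret (the RFC 6238 test key)
	a := NewAccount([]string{"+44700000001", "+44700000002"}, key)
	a.ReportLost("+44700000001")
	_, err := a.SendSMS("+44700000001")
	fmt.Println("code to the lost phone:", err)
	code, _ := a.SendSMS("+44700000002")
	now := time.Now()
	fmt.Println("second number + authenticator:", a.Recover("+44700000002", code, TOTP(key, now), now))
}
```

The point the thread keeps returning to is encoded in `SendSMS` and `Recover` together: once a number is flagged lost there is no path by which a code reaches that handset, and even a code somehow presented for it is rejected, while the owner still has a second number and the authenticator to get back in.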


#10

While there are no guarantees of security in any proposals I made, I think it would be fair to say that anything would be better than:

Stage one: chat bot
Stage two: human web chat with no method to resolve issue and slightly sarcastic tone.
Stage three: go to ATM draw out all money.
Stage four: reconsider the amount of commitment that customer is willing to put in Revolut.
Stage five: customer will definitely not use Revolut for Banking needs and only as a currency card.

Web portal is better than no web portal.
Customer service agent is better than no agent.

For verification, I heard one proposal at a recent CIFAS conference of having a specific arm movement via video (it is unlikely that the person who has your phone would want to be on camera and could guess your arm movement pattern), especially if dealing with an actual customer service rep.

Also, re call centers… A lot of companies really cheap out on this; it can be very secure if the security questions are specific enough, e.g. not just name and address but favourite sports team, movie, cat and so on.


#11

A simple security question might be a useful addition to the verification process, and indeed I have found this to have the ability to be included as an automated response on other sites.