Alibaba-backed S'pore firm has key to new mobile security lock

SINGAPORE - An Alibaba-backed mobile security start-up from Singapore will soon introduce, with a government agency, another form of mobile authentication to tighten security as more transactions are being done online.

This comes amid fears that using the short messaging service (SMS) to receive a two-factor authentication is not safe, with mobile applications out there that can read off your SMS messages, said co-founder and CEO of V-Key Benjamin Mah in a recent interview with The Business Times.

Mr Mah also pointed to research from America's National Institute for Standards and Technology (NIST), which in June said SMS messages can be intercepted by hackers if the messages are sent over the Internet rather than through a mobile carrier.

Separate reports show authoritarian governments can compel state-owned telco companies to pull SMS messages meant for authorisation, as activists in Iran and Russia found out in recent times.

"Plus in India, all your SMS messages will never reach you, because of the telcos' connectivity," said Mr Mah.

These issues prompt a re-look at how mobile transactions should be secured. Many online transactions here and around the world are still authenticated using numerical codes sent via SMS messages that are not in effect verifying a user's true identity.

The focus, according to V-Key, should lie in creating authentic forms of biometric identity and use that information to verify transactions. This identity is mainly captured in fingerprints now, but in time, will include a selfie or a retina scan of a customer.

V-Key's approach is then to have that biometric information secured at the application, or software, level.

This is so that even if a phone - that is, a piece of hardware - is jailbroken or hacked, the biometric information remains encrypted and secured.

V-Key's service is captured in a secure virtual smartcard chip that houses each individual's true digital identity and authentication, and provides the authorisation, said Mr Mah.

"We focus on the mobile applications, where your true identity gets stored within the application," said Mr Mah. "You show me your face, you show me your thumb, you don't need your PIN or your password to get multi-factor authentication."

He declined to identify which government agency will partner with V-Key, which counts DBS and UOB as its clients.

Mr Mah added that V-Key is also in talks to sell its mobile software security services to banks in developing markets such as Indonesia, and Vietnam. This comes as banking security in Asia can now leapfrog traditional forms of authentication, given the blistering surge in smartphone usage.

"The momentum here is very interesting. Asia has become the catalyst of technology innovation," said Mr Mah, whose company already secures AliExpress transactions.

V-Key's mobile security can also bring great financial inclusion, as transactions are no longer limited to consumers with expensive phones.

"The current model is that you need to be smart, fast, and rich, with an issued (credit) card that takes minutes to transact," said Mr Mah.

"Now, as long as you have a front-facing camera with two mega-pixels... we can offer digital identity authentication for everyone.

This article was first published on Feb 14, 2017.
Get The Business Times for more stories.