Security is a top priority for us all at Bottlepay. It is an ever changing baseline, with moving tactics of adversaries, as well as the possibility of vulnerabilities in the range of technologies we rely upon. So this article will outline what we do here at Bottlepay to help ensure the security of our services and therefore your security as a user.
We make use of multi-factor authentication, both when employees authenticate to our systems and also as part of our consumer mobile application. This means:
We require you to verify your phone number and email address when you first log in to authorise and verify your phone.
After this is complete you will need your pin/password/biometric to log in. (We allow you to pick whichever method you wish to protect your app.)
To mount a successful attack, an attacker would need to know your Bottlepay registered email address, password and have access to your phone/SIM card.
We do want to expand the factors we support for multi-factor authentication and these are on our roadmap including additional 2FA methods such as OTP and U2F.
We take bugs seriously, and this includes security bugs. Each new app update and feature is tested internally to squash those bugs before general release. We conduct regular security testing both internally, and involving external companies to ensure we are identifying all the bugs we can.
We monitor the security of our systems routinely, identifying any weaknesses and instances of attempted fraud.
In the unlikely event of an incident which impacts the confidentiality, availability or integrity of any data, our incident response team will follow our incident response process. This helps define the severity of incidents, how they should be handled, investigated and if/when we need to notify ICO and customers about an information security incident.
We also understand that nothing is 100% secure, we do everything we can to maintain the security of our systems. However in the event that an external party notices a vulnerability in one of our systems, we do have a coordinated disclosure policy to report this to us, this can be viewed on our Coordinated Vulnerability Disclosure page, https://bottlepay.com/legals/disclosure-policy .
*Lastly we want to remind you that Bottlepay will never contact you asking you for your PIN or password.