Security is a top priority for us all at Bottlepay. It is an ever-changing baseline: adversaries' tactics shift, and vulnerabilities may appear in any of the technologies we rely upon. This article outlines what we do at Bottlepay to help ensure the security of our services, and therefore of you.
We make use of multi-factor authentication both when employees authenticate to our systems and as part of our consumer mobile application. When you first log in, we require you to verify your phone number and email address to authorise and verify your phone. After this is complete, you need your PIN, password or biometric (you choose which protects your app) to log in. To mount a successful attack, an attacker would need to know your Bottlepay registered email address and password, and would also need access to your phone or SIM card.
We do want to expand the factors we support for multi-factor authentication; additional 2FA methods such as OTP and U2F are on our roadmap.
We take bugs seriously, and this includes security bugs. Each new app update and feature is tested internally to squash bugs before general release. We conduct regular security testing, both internally and with external companies, to ensure we identify all the bugs we can.
We monitor the security of our systems routinely, identifying any weaknesses and instances of attempted fraud.
In the unlikely event of an incident that impacts the confidentiality, availability or integrity of any data, our incident response team follows our incident response process. This defines the severity of incidents, how they should be handled and investigated, and if and when we need to notify the ICO and customers about an information security incident.
We also understand that nothing is 100% secure, but we do everything we can to maintain the security of our systems. If an external party notices a vulnerability in one of our systems, our coordinated disclosure policy explains how to report it to us; it can be viewed on our Coordinated Vulnerability Disclosure page, https://bottlepay.com/legals/disclosure-policy.
Lastly, we want to remind you that Bottlepay will never contact you asking for your PIN or password.