How to prevent unauthorized first-time TheGRID Beacon activation by a hacker who has already stolen username and password?

Question:

How to prevent unauthorized first-time TheGRID Beacon activation by a hacker who has already stolen username and password?

Answer:

TheGRID Beacon typically goes through a first-time activation by scanning a prompted QR code after the Beacon smartphone application is installed. To prevent unauthorized activation, the activation process can be further secured by enforcing additional user verification on top of the QR code scan, so that a stolen username and password alone is not sufficient. Examples:

  • Ask the user a verification question whose answer is not immediately available on the protected web application. For example:
    • How do you normally make payment?
    • What is the answer to the secret question "xxx"?
    • What is your ATM / bank card number?
    • Please enter the numbers printed on the back of your credit card.
    • Please enter the code that has been posted to you.
  • Send a verification code to the user via SMS, email, regular post mail or any other valid method.
  • Have the application prompt the user to enter the verification code after the QR scan.
  • Get an activation code (one-time-use with expiry) from ATM machine.
  • Get an activation code (one-time-use with expiry) from bank branch, IT department, helpdesk, etc.
  • Send an alert notification to the user via SMS, email, regular post mail or any other valid method that a Beacon has been activated on their account. Advise the user to call the bank/administrator/helpdesk immediately if they did not perform the activation.
  • Do one or more of the above.
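The items above describe one server-side pattern: after the QR scan and password login, the device stays in a pending state until the user presents a one-time, expiring code that was delivered over a separate channel, and the account owner is alerted once activation completes. The following is an added illustration of that pattern, not TheGRID's own code; the class and function names, the 10-minute lifetime and the five-attempt limit are assumptions chosen for the example, and the `send_out_of_band` and `notify` callbacks stand in for whatever SMS, email, post or branch hand-over channel is actually used.

```python
"""Two-step Beacon activation: QR scan + password, then an out-of-band one-time code.

Added example (not TheGRID's code). Assumes the app has already scanned the
QR code and authenticated; this is the server-side state that refuses to mark
a device active until an expiring, single-use code sent over another channel
is presented.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # assumed policy: activation code expires after 10 minutes
MAX_ATTEMPTS = 5             # assumed policy: wrong guesses allowed before the code is discarded


@dataclass
class PendingActivation:
    account: str
    device_id: str
    salt: bytes
    code_hash: bytes        # only a salted hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


def _hash_code(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class ActivationService:
    def __init__(self, send_out_of_band, notify, clock=time.time):
        # send_out_of_band(account, code): SMS / email / post / helpdesk hand-over (assumed callback)
        # notify(account, message): alert the account owner that a Beacon was activated (assumed callback)
        self._send = send_out_of_band
        self._notify = notify
        self._clock = clock
        self._pending: dict[tuple[str, str], PendingActivation] = {}
        self._active: dict[str, str] = {}   # account -> activated device id

    def begin_activation(self, account: str, device_id: str) -> None:
        """Called once the app has scanned the QR code and logged in.

        The code is generated here and sent only over the out-of-band channel;
        it is never returned to the requesting app, so a stolen password alone
        cannot finish the activation.
        """
        code = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._pending[(account, device_id)] = PendingActivation(
            account, device_id, salt, _hash_code(salt, code),
            expires_at=self._clock() + CODE_TTL_SECONDS)
        self._send(account, code)

    def complete_activation(self, account: str, device_id: str,
                            submitted_code: str) -> tuple[bool, str]:
        key = (account, device_id)
        pending = self._pending.get(key)
        if pending is None:
            return False, "no pending activation for this device"
        if self._clock() > pending.expires_at:
            del self._pending[key]
            return False, "activation code expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[key]
            return False, "too many attempts, request a new code"
        # Constant-time comparison of salted hashes, so timing does not leak digits.
        if not hmac.compare_digest(pending.code_hash, _hash_code(pending.salt, submitted_code)):
            return False, "wrong activation code"
        # Single use: the pending record is consumed on success.
        del self._pending[key]
        self._active[account] = device_id
        self._notify(account, f"Beacon activated on device {device_id}. "
                              "If this was not you, contact the helpdesk immediately.")
        return True, "activated"

    def is_active(self, account: str, device_id: str) -> bool:
        return self._active.get(account) == device_id


if __name__ == "__main__":
    # Constructed demo: the out-of-band channel and the alert channel are just lists.
    sent, alerts = [], []
    svc = ActivationService(lambda a, c: sent.append((a, c)),
                            lambda a, m: alerts.append((a, m)))
    svc.begin_activation("alice", "phone-1")
    print(svc.complete_activation("alice", "phone-1", "not-the-code"))
    print(svc.complete_activation("alice", "phone-1", sent[0][1]))
    print(alerts)
```

The three things the page's list asks for all sit in `complete_activation`: the code is rejected once it has expired, is consumed on first successful use, and is abandoned after too many wrong guesses, while `begin_activation` keeps the code off the channel the attacker already controls and the `notify` call gives the real owner a chance to report an activation they did not perform.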

More information:

N/A