Written by Scott Thompson
Smartphone uptake is continuing at a blistering rate and these devices are now shaping the way we behave. Yet mobile banking adoption has stalled. As Scott Thompson finds, fraud and security concerns underpin the stalemate
I was recently thrown by a false cover on freebie rag City A.M. It was the actual front cover, lead stories and all, but in code. Turning the page, wondering if I had stumbled upon the mother of all printing foul ups, I found a HSBC advertisement, headlined: ‘In 1918, this is how people kept important information safe.’ The ad contained details of the Hebern Rotor Machine which spawned a class of devices that became the primary form of encryption in World War II. “People have always found ingenious ways to stop information falling into the wrong hands. At HSBC, we’re constantly finding new ways to help keep your information safe. Find out how we’re making online banking safer than ever at: www.hsbc.co.uk/security,” it added.
Whilst HSBC should be applauded for its efforts to promote safe online banking, it would appear that the message is not getting through, particularly when it comes to the mobile channel. Consumers are increasingly embracing smartphones and other mobile technologies which are finally capable of delivering a good mobile banking experience. Yet a recent report from marketing analysis firm Javelin Strategy & Research, based on surveys with over 13,000 consumers, found that adoption in the US saw almost no growth between 2010 and 2011.
The primary reason for this is that consumers don’t feel mobile banking is secure: between 2009 and 2010, more than half of consumers surveyed rated it as “unsafe” or “very unsafe.” “This study is a wake-up call to financial institutions to look into what consumers really want,” says Javelin’s managing director for security, risk, and fraud, Philip Blank. “First and foremost, financial institutions need to address consumers’ needs around security and communicate to consumers their commitment to creating a safe and trusted channel for mobile banking.”
So is the research off the mark, or is the security of mobile devices really not up to scratch? And if that’s the case, what needs to be done to bring them in line with other payment channels? Will there, for instance, be a need for a standard similar to PCI DSS compliance? Richard Harris, director of education at 7safe, an information security consultancy, notes that the PCI Security Standards Council already has the Payment Application Data Security Standard (PA-DSS), which originally covered mobile devices; five applications were certified against it. However, the council withdrew those listings and stopped accepting mobile submissions for certification, citing uncertainty around the mobile device platforms and, possibly, the number of issues found across differing devices. A new version of the PA-DSS for mobile devices is in the pipeline and due for first release within the year.
“As for the security of mobile devices, it has already been seen that many applications have been reviewed under the strict rules of the PA-DSS audit and found by certified security assessors to be in line with the requirements. Also, Visa themselves have bought into the mobile device by supporting the Square device. So in short, yes, the security is no worse, or indeed better, than any existing payment platforms. Note that the recent Eastern Europe ATM compromise was on Windows platforms which are well established,” says Harris.
Roelant Prins, CCO at payments outfit Adyen, believes that there is no need for new standards or separate scheme legislation, but that it would be justified to add a mobile paragraph to existing regulatory articles. “In the end, merchants need to make sure they stick to the same guidelines for mobile as they do on the web to avoid data breaches and to store personal card data in a secure environment. Payments that are sent via APIs on mobiles might be insecure and a potential security threat. Using a specialised third party for mobile payments processing will reduce potential security flaws. Adyen uses the same tight security mechanisms as on the web, displaying hosted payment pages using HTTPS/SSL. They can be completely branded to match the merchant’s look and feel.”
The problem is…
It’s hardly surprising that consumers feel mobile banking is unsafe. It seems impossible, after all, to pick up a newspaper or turn on the news these days without coming across a scare story. Big banks ‘leaving millions of users vulnerable to online fraud’ screamed a recent Metro headline. That was the lead into a story focusing on a Which? report which found that there are large variations in banks’ levels of security. Meanwhile, the mainstream media fell over itself to report that over in Belgium a PC virus had hit 90 per cent of the country’s internet banking users.
Like any new technology, there are problems, notes Robin Adams, director of security, fraud and risk management at The Logic Group. The problem the banks have is supporting multiple operating systems (Android, iPhone, Windows ME, Symbian etc.) which have different code bases and different designs and security models, he points out. “As mobile devices become more pervasive, hackers and fraudsters are spending more time looking at how to take advantage of this, and as publicity increases on weaknesses, this increases the perception that the systems are weak. Some will be and some will be secure. Because of the requirement of ‘speed to market’ it is possible that some solutions aren’t being fully tested and audited before release, particularly for security issues,” says Adams.
As has been previously noted, the security of mobile payment applications and devices is already within the scope of the PCI Security Standards Council’s work. Historically, mobile payment applications could be validated against PA-DSS. In November 2010, the SSC announced a review of the mobile payment landscape, with PA-DSS validation of further mobile payment applications suspended until the review concluded. In June 2011, the SSC released its initial conclusions, defining three “Mobile Payment Acceptance Application Categories.” Category 1 covers payment applications that “operate only on a PTS-approved mobile device.” Category 2 covers “bundled solutions” where the vendor supplies a payment application on a specific, purpose-built mobile device that cannot be used for any function other than payment acceptance, and the overall solution can be proven PCI DSS compliant. Category 3 covers applications that “operate on any consumer electronic handheld device (e.g. smartphone, tablet or PDA) that is not solely dedicated to payment acceptance.” Applications in Categories 1 and 2 are again eligible for PA-DSS review; Category 3 applications are not, pending further guidance the SSC aims to publish before the end of the year. In the meantime, merchants, banks and others using Category 3 applications will need to bring them under a specific PCI DSS review (although at this time it is difficult to see how any such solution would pass as compliant).
Adams argues that the security of mobile devices in general is currently insufficient to protect customer data, and that the steps taken by the SSC (initially suspending new PA-DSS validation of mobile applications, then allowing it only with strict limitations) are another signal that parts of the industry recognise this. “Fortunately the PCI DSS and PA-DSS will cater for the requirements around mobile payment acceptance (but not with regards other payment methods, such as person-to-person, e-wallets etc.), although there is considerable work still to be undertaken in this area,” he says.
“The problem is, as there are so many operating systems and solutions, it is difficult to find mature solutions. AV, IDS etc. are starting to become available but these do not address all of the issues which can be exploited,” he adds.
All of which brings us to the fraud/security solutions currently available to financial institutions as they look to deliver a good, secure mobile banking experience. A mixed bag, it would appear.
7safe’s Harris comments: “Fraud solutions can only be based on collected information and fraud departments of acquirers worldwide typically cross communicate on threats affecting different areas and use this information along with anomaly testing software that works by transaction location and amounts more so than originating device or platform. Therefore, it is hard to see where mobile banking fraud checks are any better or worse than existing checks and in essence don’t need to be any different. Typically the mobile devices are simply using embedded web browsers so it will all appear as web traffic for fraud checks anyway. Ultimately, the answer comes down to the resources and expertise of the fraud departments of the various institutions rather than mobile banking as a more or less secure platform for banking.”
“For many mobile platforms, more identifying information is available than on the web, making more fraud checks for mobile possible. If mobile apps use embedded HTML pages over HTTPS/SSL, security is of a comparable level as the web can offer. With modern fraud screening techniques such as device fingerprinting and proxy piercing being available, banks and merchants are able to deliver a highly secure mobile experience,” notes Adyen’s Prins.
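The two views above, Harris’s transaction-level checks on location and amount and Prins’s point that a mobile app can supply device identifiers the web cannot, can sit in one screening rule set. The following is an added example written for this page, not code from the article, 7safe or Adyen; the scoring thresholds, the device-fingerprint field and the proxy flag are assumptions, and every transaction in it is constructed sample data.

```python
"""Transaction-level fraud screen with mobile device signals.
Added example, not code from the article, 7safe or Adyen.
Thresholds, the device-fingerprint field and the proxy flag are assumptions;
all transactions below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set


@dataclass
class Txn:
    account: str
    ts: datetime
    amount: float
    lat: float
    lon: float
    device_id: str           # assumed: fingerprint hash supplied by the mobile app
    via_proxy: bool = False  # assumed: set by an upstream proxy-detection step


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_txn(history: List[Txn], txn: Txn, known_devices: Set[str]) -> Dict:
    """Score one transaction against the account's prior history.

    The first three checks are the location/amount/velocity rules that apply
    to web traffic too; the last two use signals only a mobile app provides.
    """
    reasons: List[str] = []
    score = 0
    if history:
        mean = sum(t.amount for t in history) / len(history)
        # Amount anomaly: well above the account's typical spend
        if txn.amount > 5 * mean and txn.amount > 500:
            reasons.append("amount")
            score += 2
        # Impossible travel: implied speed since the previous transaction
        prev = max(history, key=lambda t: t.ts)
        km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        hours = max((txn.ts - prev.ts).total_seconds() / 3600, 1e-6)
        if km / hours > 900:  # faster than a commercial flight
            reasons.append("impossible_travel")
            score += 3
    # Velocity: several transactions inside a short window
    recent = [t for t in history if timedelta(0) <= txn.ts - t.ts <= timedelta(minutes=10)]
    if len(recent) >= 3:
        reasons.append("velocity")
        score += 1
    # Device fingerprint: an unseen device on this account
    if txn.device_id not in known_devices:
        reasons.append("new_device")
        score += 2
    # Proxy/VPN use hides the true origin, so weight it mildly
    if txn.via_proxy:
        reasons.append("proxy")
        score += 1
    decision = "block" if score >= 4 else "review" if score >= 2 else "allow"
    return {"score": score, "reasons": reasons, "decision": decision}


# Constructed history: three small London purchases from one known handset
LONDON = (51.507, -0.128)
HISTORY = [
    Txn("acc-1", datetime(2011, 10, 3, 9, 0), 20.0, *LONDON, "dev-A"),
    Txn("acc-1", datetime(2011, 10, 3, 12, 0), 35.0, *LONDON, "dev-A"),
    Txn("acc-1", datetime(2011, 10, 3, 18, 0), 60.0, *LONDON, "dev-A"),
]
KNOWN_DEVICES = {t.device_id for t in HISTORY}

# Constructed candidates: a routine purchase the next morning, and a large one
# an hour after the last London purchase, from Kiev, on an unseen device behind a proxy
LEGIT = Txn("acc-1", datetime(2011, 10, 4, 9, 30), 45.0, *LONDON, "dev-A")
SUSPECT = Txn("acc-1", datetime(2011, 10, 3, 19, 0), 900.0, 50.450, 30.523, "dev-Z", via_proxy=True)


def run_demo() -> Dict[str, Dict]:
    """Score both constructed candidates against the constructed history."""
    return {name: score_txn(HISTORY, t, KNOWN_DEVICES)
            for name, t in (("legit", LEGIT), ("suspect", SUSPECT))}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The routine purchase scores zero and is allowed; the Kiev transaction trips the amount, impossible-travel, new-device and proxy rules and is blocked. Note that the device and proxy signals only add weight: the location and amount rules alone would already have sent it to review, which is Harris’s point that mobile fraud checks need not differ in kind from existing ones.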
There are 5.5 billion mobile phones globally and the huge growth in smartphone use shows no sign of abating. Recent research from Ofcom found that over half of all teenagers, and over a quarter of UK adults, now own a smartphone. As a result, consumer demand for real-time access and information is going beyond social networking and is now expected in all walks of life, including financial services. According to research by digital banking provider Intelligent Environments, iPhone users are particularly eager to access banking services via their phones: 69 per cent would check their balance, 46 per cent would pay their bills and 62 per cent wouldn’t mind transferring funds.
There are many iPhone users who will tell you they cannot live without their phone. It’s their communication with the outside world, as well as family and friends, through phone, email and social web-based comms. It’s their diary, camera, video camera, gaming and music player all rolled into one. And it could also be their link to their bank and other financial services providers. Clearly, the demand for mobile banking is there, but security concerns urgently need to be addressed. Consumers have put the ball firmly in the banks’ court. Those organisations who heed the wake-up call, who understand and utilise that channel best, will ultimately get closer to their customers.