Retail Banking supplement: Money on the move
Written by Justin Quillinan
Paying in cash focuses the mind – handing over a wad of notes to buy something seems to hurt a lot more than piling it on a credit card.
Even more remote from the pain is a growing acceptance of using your mobile phone or other contactless devices to make mobile payments.
Is it safe for the payment providers such as the banks and the merchants who are gradually embracing this technology? And is it safe for the consumer whose mobile device might get lost in a taxi or stolen? Probably, says the industry, provided suitable precautions are taken.
According to Financial Fraud Action UK, which represents banks, the prevalence of smartphones means that the risk of fraud and money laundering for mobile banking and mobile payments is starting to follow the same set of vulnerabilities, such as malware and phishing, that apply to fixed PC internet banking and payments.
Whilst banks have invested considerable time in educating consumers to guard against these attacks with advice such as ‘don’t click on email links or enter web addresses in the address bar’, the same messages should apply in the mobile space.
“Security is always of paramount importance to banks who have a vested interest given that they cover the vast majority of fraud costs,” says Richard Martin, the organisation’s security consultant.
He believes that the banking sector needs to continue working with relevant stakeholders in the mobile space, such as handset manufacturers and network operators, to continually improve the security of mobile banking and payments to cut fraud. He adds that some collaboration is already evident – for example the work between the UK Cards Association, Visa, Mastercard and the Telecommunications UK Fraud Forum (TUFF) on the Home Office guidelines for mobile contactless payments drawn up last year.
His ideas are welcomed by the world’s largest handset manufacturer, Nokia. Gerhard Romen, the company’s director of mobile services and money alliances, says: “I think it’s always good when your core competencies add value to each other. You have two regulators in this area – the central bank for the banking industry and the telecommunications regulator on the other angle. And if each side provides value to the other then it’s a perfect fit.”
The two views are echoed in a recent report by analysts Ovum, The malware threat to mobile banking, which somewhat gloomily predicts a big increase in such threats as mobile payments services become more commonplace.
Ovum’s principal analyst Graham Titterington describes mobile banking as an emerging technology with a rapid rate of growth: “This is particularly so in third world countries where the wired infrastructure is not so good and people are finding it attractive to miss one step out of the evolution and jump straight into wireless mode.”
Just as in the hard-wired world, mobile payments services are potentially under threat from big business fraudsters. “The geek in the garage is an almost extinct species even on the internet now because malware needs a lot of computing resources.
“Historically, mobile devices have had much more limited computing capabilities than PCs and laptops but that is changing very rapidly with smartphones.
“The industry needs to be prepared because, if they’re not, they’re going to be facing a big whammy if they’re caught by surprise and have to spend years fire fighting and having to catch up in the way that Microsoft had to do on the PC front,” says Titterington.
Two types of attack could become prevalent in mobile payments – the so-called ‘Man in the Middle’, which means a fraudster intercepting a transaction between a customer and the bank, and ‘Man in the Browser’, which means corrupting an application on the mobile device itself.
Both can result in someone impersonating a genuine customer, perhaps more easily than a typical online internet attack.
Wireless local area networks (LANs) and Bluetooth technology, which offers short-range wireless connections between devices, have had more than their fair share of bad press. Bluetooth, for example, can reach far beyond its intended range – out into a building’s car park and even into the street outside. Such ‘near field’ technologies often advertise the range over which they are guaranteed to work, but in reality this could stretch to three or four times the distance.
Titterington says that all electronic fraud is a continuous war and a ‘cat and mouse’ game. But he thinks that mobile payments technology is lagging behind in terms of its defensive strategy at the moment.
“I believe it’s living in a bit of a fools’ paradise because it hasn’t been so widely attacked to date and this will change.
“The banks in particular and other players like the network operators need to be thinking ahead of the curve and acting in a more proactive rather than reactive fashion because if we get to that stage they’ll be running for years to catch up!”
While Nokia predicts a gradual uptake in mobile payments services, and points out that mobile phones themselves took years to escalate from one per cent in the UK to 105 per cent now (that’s because many people have more than one device), the company’s standpoint begs the question: how big is big?
Juniper Research, however, suggests that the number of mobile subscribers using their phones for mobile banking will exceed 400 million by 2013 – double the number now.
The company’s Mobile Banking Technology Strategies Survey finds that 80 per cent of banks offer some kind of mobile service, while others offer none at all, limiting the options for their users.
Currently the Far East and China look set to be in the vanguard, with the highest number of users by 2015. All regions around the globe will see a surge in the popularity of text messaging (SMS) between banks and their customers and in the use of new smartphone ‘apps’ on platforms such as iPhone, Android and Java, together with the current growth in mobile browsers.
Report author Howard Wilcox explains: “Our survey concluded that banks in all regions are becoming increasingly innovative in their service offerings and that mobile is becoming a ‘must have’ channel.”
The survey’s findings are backed up by a poll by Sybase 365, which found that nearly a third of mobile phone owners now use their handsets to access banking services, with 24 per cent doing so on at least a weekly basis. In what could prompt the banks to re-examine their strategies, many want to send money overseas through their phone – typically temporary or migrant workers – and nearly half of those questioned would consider swapping their financial institution for free m-banking.
Matthew Talbot, the company’s vice president of m-commerce, says: “As mobile devices become more sophisticated and mobile banking gains traction, at a far higher rate than industry experts predicted, there is a clear opportunity for mobile to become a primary customer relationship management (CRM) channel for many services and industries.”
There seems to be a general consensus that m-banking and mobile payments are the way forward, but security concerns remain.
Over at Monitise, which has launched its own Mobile Money service, there’s a belief that this will be genuinely mass market.
“The potential is not just something for early adopters, who may be less demanding of security in order just to get something cool,” says Richard Johnson, chief strategy officer.
He adds that there should be some security basics, like not storing financial information on the phone and setting sensible transaction limits so that mobile payments are for everyday items bought on the move – and not for buying houses.
There is no reason, he says, that m-payments could not be made even more secure than internet services without the cost of separate authentication devices.
But work still needs to be done. “Collaboration between banks and network operators is key to all aspects of mobile money and security. Wouldn’t it be great, for example, if text messages from a guaranteed source (such as a bank) could be denoted by the equivalent of a padlock?” he asks.
Banks and even building societies see m-payments as an attractive new channel but they are not prepared to take chances just yet.
According to Andy Deeks, managing consultant at Navigant Consulting, recent innovations such as the RBS/NatWest ‘app’ for iPhone and Blackberry devices have focused on ‘information’ rather than ‘transaction’ functionality, where there is less of a security risk.
“Whilst collaboration between banks, mobile network operators and handset manufacturers is one way of enhancing safety, banks will need to be 100 per cent confident in their own systems, including technologies such as two-factor authentication and advanced fraud monitoring and prevention software and processes.”
Like other industry leaders interviewed by FST, he says that customers want to have access to easy-to-use mobile banking and the banks themselves don’t want to lose a march against their competitors but they are extremely aware of the reputational damage a security breach could create.
If m-payments really take off, as they are likely to, it will mean good business for the software firms behind the new services. And, says Patrick Carroll, chief executive of ValidSoft, there should be nothing to fear on the security front.
Normally banks rely on two-factor authentication: who you are and what you know – typically your credit card and the PIN number only you should know.
ValidSoft has patented Proximity Correlation Logic for m-payments, which has four-factor authentication. Apart from the usual two parameters it can identify where you are (if you’re a fraudster in Spain rather than a genuine customer in Staines, the network knows this) and also voice biometrics. A sample of your voice is taken when setting up a mobile account and the software can match it exactly – not even a professional impersonator can fool the system, claims Carroll.
Branden Williams, director of security consulting at software and systems specialist EMC Consulting, says that data security and transaction authenticity are two of the key customer concerns around mobile banking.
“As customers’ shopping habits evolve new challenges are also being exposed. For example, the increasing trend in shopping via a smartphone also raises issues about how to secure data, which is stored on a device after the purchase has taken place.
“The future holds an array of possibilities for mobile banking in the UK. In the US consumers regularly transfer money, pay bills, check balances and even deposit funds via their mobile devices. It will be interesting to see how near field communication (NFC) technology progresses because it could work out cheaper than processing credit or debit payments, saving retailers money.”
However, it is important to remember that whilst mobile devices can be as secure as, and even more secure than, your credit card, security is never an absolute and has to be calculated against risk and usability, warns Nokia’s Romen.
Starting in 2011, all new Nokia smartphones will have NFC and contactless technology built-in. “It will become much more commonplace but it will be a gradual thing,” he says.