Mobile Payments and Banking - The 'Real' Security Risk

Eric,

I appreciate what you are saying and this is an industry problem to address, however, we had the same concerns and issues when Internet Banking and Internet Payments and Settlements started. Granted there were a few teething problems, but in the end consumers opt for efficiency, ease of use and seamless customer experience over unwieldy, staid (but secure) processes.

In the end, once ease of use comes to the fore, baring a total meltdown on bank security - the concerns you've raised won't effect adoption one iota.

This is a hygiene factor only.

Brett King
BANK 3.0 

Brett,

Thanks for your comments.

I agree that the momentum behind mobile is huge and the convenience factor is the main reason. What we haven't seen yet is the "fear factor". It's important that this is considered and addressed or it could drive people away from mobile just as fast as it attracted them to it.

For sure security issues were a real concern for Internet Banking and Payments, but these could be addressed purely through improved IT security measures. The risk with mobile that I've pointed out is that it's not just an IT issue. There's more to it.

Some of the options I've highlighted (like multi-channel transactions) highlight how this could be addressed. If this doesn't happen I see mobile banking and payments being forced to reduce its scope and transaction limits. Still good for 80% of what we need, but the other 20% having to be done through another more secure channel.

Eric.

Mobile banking only supports A2A transfers and, somehow, I can't imagine a typical streetside mugger having a bank account, let alone knowing about a/c #, sort code and things like that. Criminals with that level of sophistication would've left the streets long ago, graduating to the much richer pickings possible with ACH and wire transfer frauds. 

As I'd highlighted in If This Is Mobile Banking, mobile banking will really take off only if leverages Bluetooth, camera, GPS, accelerometer and other basic smartphone specs to deliver new functionality that are not possible on Internet Banking. Once that happens, we'll see security rapidly fading away from the background. Mint, BillGuard and a few others have proved that security is not even a hygiene factor when a service provides compelling value. 

Ketharaman,

Thanks for your comment.

I don't agree that muggers know nothing about bank accounts. Equally now with P2P payments possible directly to an anonymous mobile number it's all too easy to transfer funds to someone.

I do agree that the trend will be to leverage the features of a mobile phone via native apps to further strengthen the added value of the mobile channel and differentiate it from other channels.

You say that "security is not even a hygiene factor when a service provides compelling value". That may be true when we're talking about small amounts. If we are talking about larger amounts of money, that's another story. I still like the have a locked door on the front of my home.

@EricS:

Since you'd written only about mobile banking apps, I specifically didn't bring in P2P apps. If you're referring to Barclays PingIt type of mobile app, they continue to be A2A, just that they add a layer on top which uses mobile / email as a proxy for a/c #, sort code, etc. By no stretch of imagination are they anonymous.

Study after study has shown that people ascribe different strengths to different channels and that there's a strong case for coexistence of multiple channels working together to deliver omnichannel banking (more on that in my personal blog if you're interested). "Adding Payee" is not exactly the strength of mobile banking. Too many keystrokes, not done so often that it must be done while coming home from nightclub - these factors inhibit this transaction on a mobile phone, whether secure or not. So, security is not the deciding factor. 

While I can't cite any studies in support, I'm sure most of the 5M+ subscribers of Mint and BillGuard do have a locked door in front of their homes. Point is, perception of functionality-versus-security varies from channel to channel.

Katharaman,

Thanks for your comments.

You are right that offerings such as Barclays Pingit link to
peoples bank accounts and for that matter are limited to the UK only. This
provides some level of security.

Regions such as Africa and the Caribbean are seeing strong
growth in the mobile space and one drive here is to offer something to the
unbanked or under-banked. In much the same way as Prepaid before it, the rigour
around KYC is much less. Equally international transfers, whilst not anonymous
certainly make it easier for money to “disappear abroad”.

I think your point that adding a payee is “not exactly the
strength of mobile banking” is a fair one. If it’s not easy to do, then it
makes sense to do this via another channel and then the mobile app is
restricted to only transferring or paying known recipients. Much better.

I think you also touch on an important point when you say that
the “perception of functionality-versus-security varies from channel to channel”.
You are right, though the perceived security and available functionality don’t
always align.

The main point I wanted to make in this is that part of the “perceived
security” when it comes to mobile banking and payments should include personal
security.

Clearly there are ways of dealing with this. They simply
need to be considered otherwise the mobile channel could quickly gain a
reputation for being unsafe even if technically secure.

@EricS: 

(It's 'Ketharaman' BTW).

Talking about unbanked, there's no risk of using a mobile app "stealing every penny from your bank account" since there's no bank account in the first place. 

If you're referring to M-PESA type of mobile wallet, it's a closed-loop, prepaid method of payment. The mugger can only make the victim transfer whatever money the victim put into that account before getting mugged. I don't see this as a great risk. 

While risks to the customer stem from various factors, the real risk posed to a consumer by a mobile banking service would be if the said service could pull out money from a credit card and / or bank account on demand and permitted P2P transfers to anonymous mobile numbers, especially cross-border. I can't think of a single service like that but I could be wrong.

These are all good points. The last thing we want is for technological progress to make crime any easier. However, it would be unfortunate if we had to impair the functionality of mobile banking due to concerns about crime, as that's really letting the criminals win. Equally, we're seeing the rise of mobile-only customers (in developed nations, not just the developing world), who may not have easy access to a traditional large screen online banking service. To offer a functionally limited experience may well exclude them from fully interacting with their bank.

I can think of a couple of potential solutions that would be fairly straightforward to implement:

• Safe WiFi networks. The customer can only conduct "riskier" transactions, such as adding a new payee, when using a trusted wireless network in a known safe location (like the home or a workplace, coffee shop, etc).
• Safe locations. Using the handset's GPS, denote safe zones in which risker transactions may occur.
• Safe mode for the app: imagine that you have 2 access codes for your mobile banking. One presents a view of your entire account and all your funds. The other shows a view with much more limited funds (effectively as much as you'd be prepared to have stolen). If mugged, access the safe mode. You'd probably find people would use this mode to just manage their money and spending too.

There are doubtless many more potential solutions to this problem. The key will be for the industry to find a robust solution before the mainstream press decides to have a mobile security hysteria moment. It's taken long enough for people to get over all the press about phone hacking (a huge topic for about 6 months whenever we did research with banking customers).