Wednesday, January 31, 2007

Mobile banking a target for criminals?

The Tower Group recently produced a report highlighting the danger of mobile banking and how criminals will now start to target mobile banking users:

"The success mobile banking and payments, as well as the concept of the mobile wallet, will be measured against the industry's ability to effectively contain the malware problems to a level that is at least on par with that of the existing Internet channel", said Bob Egan, Chief Analyst at TowerGroup and author of the research.

Of course analysts must prove their worth by coming up with new thoughts in order to sell their reports. To label some of the ideas presented as "absurd" would be to complement the analyst. The best case in point is the fear created in humankind about the "Y2K-problem". This will probably go down in history as the biggest analyst scam ever.

To be able to write a full report on how criminals will target mobile banking users by means of "malware", is not on the same scale, but falls in the "Y2K" category. Sure, bad deployments of mobile banking solutions (especially if it is a porting of an Internet banking site onto a browser on a phone) may be exploitable. This is definitely possible, but will only be applicable if mobile banking was implemented without due consideration of state of the art techniques and by contracting professionals.

Because of the nature of mobile phones and the design available to specialists in mobile banking, it is possible to deploy mobile banking solutions that is more secure than any other means commercially available today. As a matter of fact, we at Fundamo have deployed the first three-factor authenticated banking solution commercially (it is being used successfully by a major bank). This means that a customer interaction is authenticated on "something he/she has" (the SIM card in his/her phone), "something he/she knows" (a PIN that is never in the clear), and "something he/she is" (a digital voice print).

In a recent test, we gave access to a professional hacker to a test environment running Fundamo software. The conclusion was that mobile banking (implemented correctly) is "un-hackable".

Mobile banking a target for criminals? - you be the judge.

Saturday, January 27, 2007

Interchange Fees

Interchange fee is an interesting animal. This is the fee that flows from the payer's bank to the payee's bank (or in the opposite direction). This is supposedly to cater for the "imbalances" of capital required to build the payment infrastructure. This is a remnant of the past where the cost of a POS and an ATM (and the maintenance of this equipment) was expensive. Nowadays, with everything turning more and more into electronic on-line transactions and where transactions are running off personal devices (like mobile phones), the capital cost for the banks have just about disappeared.

It is therefor interesting that a number of regulators are considering the impact of interchange fees. See for instance (, and

The question is: When will the cost of leveraging the interchange fee be bigger than the actual fee? This would be the time to totally abolish interchange fees, and maybe the time is near?

Friday, January 26, 2007

More secure Internet Banking

"A recent survey of nearly 1700 customers in eight countries found that the majority of account-holders - 82% - want banks and brokerages to monitor online and telephone banking transactions for suspicious activity - similar to the way that credit card transactions are monitored.

Furthermore, a masssive 91% are willing use a new authentication method, beyond the standard username-and-password procedure, if their banks decided to offer stronger security. Over two third of respondents (69%) say banks should replace the standard username-and-password log-in procedure with stronger authentication."

This is very encouring and shows an awareness in consumers that Internet banking is not as secure as they would like , but more important that they would be happy to use a more secure mechanism for Internet banking. Of course, the challenge for banks is how to do this effectively. The only way to really increase security is to distribute "something" to the client: either a random number generator, or a once use password booklet, or a digital certificate stored on something... and this is going to be a costly exercise.

The most obvious way to distribute a secure digital certificate is by means of mobile phone distribution channels. The SIM card in GSM phones is an ideal vehicle to distribute digital certificates. As a matter of fact these certificates have already been distributed in many markets.

The Fundamo mobile payment technology has been designed to make use of these digital certificates, not just to increase the security of mobile banking, but also Internet banking.

Wednesday, January 17, 2007

Mobile Banking Profitability

Notwithstanding the fact that banks operate much the same way in different markets, it seems that some banks (in some markets) are just more profitable than others. Banks issue credit cards and provide loans (usually at a healthy interest differential to the Central Bank), banks finance cars and homes and support payment systems. Yet, the profitability of banks in some markets are just higher:

For instance Korea: "Encouraged by record-breaking third-quarter earnings at South Korean banks, analysts expect profits there to grow strongly into 2006. ,

Or South Africa: "Banks profitability increased significantly from already healthy levels in 2003" IMF Worldbank

I was looking for a reason, when I realised: mobile banking penetration is big in both Korea and South Africa, and people actually use it.

Mobile Banking Satisfy People

One of the markets with the highest penetration of Mobile banking is South Korea. The usage of mobile banking services provided by most banks have seen unpresedented growth during the last two years (both in terms of number of subscribers and transaction volumes). It seems to be a good market to review the satisfaction of consumers with mobile banking.

In a recent survey conducted in Korea, looking at convergent services on mobile (Mobile TV, Location based etc.), consumers were by far more satisfied with mobile banking than with any other service. The article conclude in the following way:

"The survey, based on 110,455 mobile users, also said that mobile users are generally satisfied using mobile banking service as only some 10 percent showed negative reactions.

``Consumer satisfaction levels are considerably higher for mobile banking than those for other mobile convergence services. If security and convenience are provided, the future of the mobile banking market looks bright,’’ said Kim. "

This finding is of particular importance in markets where mobile banking deployments have lagged, and banks and mobile operators in these markets should consider the deployment of suitable product to focus on providing in the need of consumers.

People want Mobile Banking

Two surveys conducted by well-known research firms indicated that Britians would want to use mobile banking, if it were available.

The first survey conducted by Forrester Research on behalf of Meridea, surveyed existing online banking users aged between 16 and 34. Some of the interesting findings in this research indicate that more than half of the survey sample would try such a service. Even more interesting is that almst a quarter of the surveyed sample would consider SWITCHING their bank if it did not provide mobile banking! ( )

The second survey conducted by the Henley Centre on behalf of BT on a sample of respondents aged between 25 and 44, had similar results. The survey found that more than a third of the respondents would like to conduct their banking by means of mobile phones. The study also indicate the types of transactions that consumers would like to conduct by making use of their mobile phones. ( ).

These two studies indicate the growing consumer demand for mobile banking services. In both of the reports conclusions indicate that banks must expect this demand to grow into the next year.

Monday, January 08, 2007

Danger-signs for Chip and Pin

It did happen. Some-one did the obvious and showed the inherent weakness in the design for EMV. This "foolproof" payment system can easily be hacked by tampering with the Point of Sale in the hands of merchants.

Researchers at the University of Cambridge have shown how a terminal designed to read an EMV card can be modified to play Tetris with. They have made a video of their work and have posted it on YouTube. See article.
What is the relevance of this? Well this means that some-one can change a terminal to capture your card information and your PIN when you enter it onto some crimally minded merchant's terminal. This may not be a big issue in High Street London, but take the concept to developing economies and the challenges is almost unsurmountable.
If you are however prompted to enter your PIN number on your own phone when you make a purchase, this problem goes away. Mobile payments are so much more inherently safer.

Wednesday, January 03, 2007

The role of Banks and Mobile Operators

It is like wondering if Alcoholic Bread should be baked or brewed. Mobile banking is a similar contradiction in terms. Examples exist of both banks and mobile operators making huge successes of mobile banking. MTN Banking is an initiative with a clear mobile operator branding, whereas Celpay is owned by a bank and have clear banking characteristics.

The fact of the matter is that the aims the approach and the structure of mobile banking differs significantly if provided by banks or mobile operators, but the important fact is that both are capable of deploying mobile banking succsesfully. In considering mobile banking and the role of banks or mobile operators, one should take the following into account:
  • What market segment is the target market (people with mobile phones, but no/little banking exposure, or people with bank accounts looking for additional access channels?)
  • What revenue models is supporting the initiative (how large is the telecommunication revenue in support of the business case?)
  • What are the secondary objective of mobile banking (Retention of marketshare, or brand enhancement or the basis for other services?)
  • The maturity of the banking industry in the specific country/marketplace
  • The banking support and infrastructure (electronic clearing, ATM's etc)
  • regulatory considerations. Dispensations exist in some countries to support electronic money payment systems from a regulatory perspective, for instance.
With the above in mind, it stands to reason that it is impossible to have a one recipe for all mobile banking deployments. It is important to consider different factors before embarking on a course of action.