Saturday, July 26, 2008

Misconceptions regarding USSD

Two misconceptions exist regarding the utilisation of USSD for mobile banking.

The first is that it is possible to deploy bank-grade mobile banking solutions with USSD. All bank-grade electronic banking solutions assume that a certificate-based secure token is injected by the Transaction Input Device (POS, ATM, etc.). Typically the bank (or an organisation trusted by the bank) wants to control this input device; this is especially true when transactions are accepted from other banking sources (which is certainly a mobile banking objective). The only way this is possible in mobile banking is if the bank supplies the application on the Transaction Input Device (i.e. on the mobile phone), which can only be achieved with a Java- or SIM-based architecture. A USSD session runs on the operator's menu platform, not in a bank-supplied application, so there is nowhere to hold a key or compute such a token.
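What "a certificate-based secure token injected by the Transaction Input Device" amounts to in practice, as an added example written for this page (it is not Fundamo's, any bank's or any vendor's code): the bank-supplied application signs the canonical transaction with a private key provisioned at enrolment, and the bank verifies the signature under the matching public key before acting. A raw ECDSA P-256 public key stands in for the certificate, and the account numbers, amount and nonces are constructed sample data. A USSD menu session has no application in which to keep the key or compute the signature, which is the point the paragraph makes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Transaction is the payment instruction the Transaction Input Device (here a
// bank-supplied handset application) submits to the bank. Constructed example data.
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Nonce       string // unique per transaction so a captured message cannot be replayed
}

// canonical returns the exact byte string that is signed and verified. Both sides
// must build it identically; changing any field changes the digest.
func (t Transaction) canonical() []byte {
	return []byte(strings.Join([]string{t.FromAccount, t.ToAccount,
		fmt.Sprint(t.AmountCents), t.Nonce}, "|"))
}

// Device models the bank-controlled application holding a per-device private key
// provisioned at enrolment. The bank keeps the matching public key (in a real
// deployment, a certificate).
type Device struct {
	key *ecdsa.PrivateKey
}

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{key: k}, nil
}

// Sign produces the "secure token" that travels with the transaction.
func (d *Device) Sign(t Transaction) ([]byte, error) {
	digest := sha256.Sum256(t.canonical())
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// Bank verifies each received transaction against the key enrolled for the source
// account and rejects replays by remembering nonces it has already accepted.
type Bank struct {
	devices map[string]*ecdsa.PublicKey // account -> enrolled device key
	seen    map[string]bool             // account|nonce pairs already processed
}

func NewBank() *Bank {
	return &Bank{devices: map[string]*ecdsa.PublicKey{}, seen: map[string]bool{}}
}

func (b *Bank) Enrol(account string, d *Device) { b.devices[account] = &d.key.PublicKey }

// Accept returns true only when the signature verifies under the enrolled key and
// the nonce has not been used before for that account.
func (b *Bank) Accept(t Transaction, sig []byte) bool {
	pub, ok := b.devices[t.FromAccount]
	if !ok {
		return false // no device enrolled for this account
	}
	digest := sha256.Sum256(t.canonical())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false // tampered, forged, or signed by some other device
	}
	key := t.FromAccount + "|" + t.Nonce
	if b.seen[key] {
		return false // replay of a message already accepted
	}
	b.seen[key] = true
	return true
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Enrol("ACC-100", dev)

	tx := Transaction{FromAccount: "ACC-100", ToAccount: "ACC-200", AmountCents: 150000, Nonce: "n-0001"}
	sig, _ := dev.Sign(tx)
	fmt.Println("genuine:", bank.Accept(tx, sig)) // true

	tampered := tx
	tampered.AmountCents = 9150000                      // altered in transit
	fmt.Println("tampered:", bank.Accept(tampered, sig)) // false: digest no longer matches
	fmt.Println("replayed:", bank.Accept(tx, sig))       // false: nonce already consumed
}
```

Because only the enrolled device holds the private key, a verified signature also gives the bank non-repudiation for that device, which is what the RBI's Annex II requirements on application-level security are after; a PIN typed into a USSD menu proves nothing of the kind.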

This does not mean that USSD cannot be used to provide mobile banking with an acceptable level of security. By combining a second authentication factor, limited functionality and transaction limits, it is possible to deploy USSD solutions that are quite safe for the consumer.

The other common misconception is that USSD is free or inexpensive. While it is true that USSD is difficult to bill for and mobile operators often provide the service free of charge, it is intrinsically quite expensive to deliver (compared to SMS, for instance). The cost to the consumer is a function of what mobile operators bill, and this ranges from free to quite expensive from one market to another. Because USSD is a session-based technology and would tie up expensive infrastructure once mobile banking takes off, mobile operators may be forced to charge for it at relatively high levels.

In summary: USSD is a good solution for mobile banking if deployed wisely, but is not the ultimate panacea.

Implications of RBI guidelines

The guidelines recently published by the RBI are what one would expect from a central bank taking its role seriously. They are on the strict side of what will enable mobile banking services to be rolled out with very little risk to the monetary system, and the RBI should be complimented on this. In reading the guidelines, the following points are particularly interesting:

2.2 Restricting the service to properly KYC/AML-compliant accounts is wise, but will impact many services based on viral or light-wallet type solutions. Pre-paid debit cards will also be adversely impacted. Some schemes currently implemented in India will have to be modified.

2.3 Limiting the service to "only Rupee based services" means that services like money remittance and transactions involving Card Association services will have to be re-evaluated.

3.3 The requirement of a signed document to subscribe to the service has massive impacts. The definition of "Standard Services" should possibly be extended to also cater for payments to previously defined beneficiaries and for ad hoc payments.

4.1 This requirement, if analysed properly, has major implications. I would argue that none of the services currently deployed comply with confidentiality or non-repudiation, as none of the bearer channels utilised are bank-grade secure.

5.1 The requirement that all services be available on all networks is almost unattainable, unless network operators are forced to co-operate.

5.2 The requirement to conform to ATM-type (ISO) 8583 messaging will be very difficult to implement if the message is required to originate on the handset (as one would expect).

Annex II The requirements described in this annexure (especially application-level encryption and many of the requirements regarding the management of PINs) are not deployed in any of the Indian mobile banking solutions, based on my limited understanding of what has been deployed. The RBI will have to relax this requirement, or all mobile banking deployments will have to be re-designed.

What is of interest to me is the reference in Annex I to countries where regulatory guidelines exist. We at Fundamo have been pioneering mobile payments and banking in all of these countries (and others). We have always worked with the central banks, and it seems to be paying off.

Thursday, July 24, 2008

Is Nigeria the new Hotbed for Mobile Banking?

Everyone seems to be getting involved in Nigeria, each with the best solution for mobile banking in this unique country. Some weeks ago paybox announced their Moneybox initiative in collaboration with local entrepreneurs. A recent announcement from the UK company Broca (having won a deal to deploy their SMS platform in Nigeria) also highlighted how their solution would be ideal for Nigeria.

Anyone familiar with Nigeria would be aware that some excellent solutions are in production and have been developed in the country itself. Some of these have been in production for some years now. When working in this country, the relationships between the different mobile operators and banks, as well as the switching companies and the Central Bank, should be considered. The environment is extremely complex.

Fundamo has been involved in the market since 2005 and has worked on a number of initiatives. The country is an ideal environment for the deployment of mobile payment solutions, but many problems require solutions, the least of these being innovative technology.

Is Barclays' Hello Money secure?

Barclays recently launched "Hello Money" in India (see website). At face value this is commendable, and it seems as if a great job was done. It is always good when progress is made in mobile banking. I wish them many subscribers and, of course, a positive business case.

The one topic that I do find intriguing, and would like to place on the table for discussion, is the claim that it is secure. (I assume this means that Barclays is happy that it conforms to their banking security policy.) Based on what I have seen on their website, I would like to argue that this is not the case...

USSD traffic, as it travels from the handset over the radio network and base stations through to the operator's IN platform, is often in the clear: the only protection is the operator's air-interface cipher, which may be weak or switched off, and beyond the base station the USSD strings are carried unencrypted over the operator's signalling network. There is no end-to-end encryption between the handset and the bank. This means the traffic can be intercepted by engineers skilled in the art of GSM traffic, and it is virtually impossible for the bank to defend against such an attack (primarily because the bank does not control this protocol). It follows that security information such as a PIN keyed into a USSD menu can be stolen and used to perform a fraudulent transaction.

Usually banks cater for this risk by limiting the functionality available through USSD-based mobile banking, typically to payments to beneficiaries the customer registered beforehand through a more trusted channel. Yet Barclays have decided to allow once-off fund transfers to unregistered Visa cards. This creates a serious potential security loophole, because whoever captures the credentials can direct money to a card of their own choosing. Am I missing something, or have they been ill-advised?
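The compensating controls listed earlier for USSD (a second factor, limited functionality, transaction limits) expressed as a bank-side authorization policy, as an added example written for this page and not Barclays', Fundamo's or any bank's actual rules. The limits, field names, the registered-beneficiary mandate and the sample instructions are all assumptions constructed for illustration; the card number is the well-known Visa test number. The `AllowUnregisteredBeneficiary` flag models the once-off transfer to an unregistered card discussed above: with it off, the instruction is refused on the USSD channel; with it on, the same instruction goes through, which is the loophole in question.

```go
package main

import "fmt"

// Channel identifies how a payment instruction reached the bank.
type Channel string

const (
	ChannelApp  Channel = "app"  // bank-supplied Java/SIM application, authenticated messages
	ChannelUSSD Channel = "ussd" // plain-text menu session the bank does not control
)

// Request is one payment instruction as the bank receives it (constructed example data).
type Request struct {
	Channel     Channel
	Account     string
	Beneficiary string // account number or card number the money goes to
	AmountCents int64
	OTPVerified bool // true if a second factor delivered out of band checked out
}

// Policy holds the compensating controls applied to USSD-originated instructions.
// Values are assumptions for this example, not any bank's real limits.
type Policy struct {
	AllowUnregisteredBeneficiary bool // the weak setting: once-off transfers to any number
	PerTxnLimitCents             int64
	DailyLimitCents              int64
}

// Authorizer applies the policy to the USSD channel only; app-channel instructions are
// assumed to have been authenticated (e.g. by signature verification) before reaching it.
type Authorizer struct {
	Policy     Policy
	registered map[string]map[string]bool // account -> beneficiaries added via a signed mandate
	spentToday map[string]int64           // account -> cents already moved over USSD today
}

func NewAuthorizer(p Policy) *Authorizer {
	return &Authorizer{
		Policy:     p,
		registered: map[string]map[string]bool{},
		spentToday: map[string]int64{},
	}
}

// RegisterBeneficiary records a beneficiary added through the signed, out-of-band process.
func (a *Authorizer) RegisterBeneficiary(account, beneficiary string) {
	if a.registered[account] == nil {
		a.registered[account] = map[string]bool{}
	}
	a.registered[account][beneficiary] = true
}

// Decide returns whether the request may proceed and, when it may not, the reason.
func (a *Authorizer) Decide(r Request) (bool, string) {
	if r.Channel != ChannelUSSD {
		return true, "" // authenticated channel; not subject to the USSD restrictions
	}
	p := a.Policy
	if !r.OTPVerified {
		return false, "second factor missing"
	}
	if !p.AllowUnregisteredBeneficiary && !a.registered[r.Account][r.Beneficiary] {
		return false, "beneficiary not registered for USSD payments"
	}
	if r.AmountCents > p.PerTxnLimitCents {
		return false, "exceeds per-transaction USSD limit"
	}
	if a.spentToday[r.Account]+r.AmountCents > p.DailyLimitCents {
		return false, "exceeds daily USSD limit"
	}
	a.spentToday[r.Account] += r.AmountCents
	return true, ""
}

func main() {
	// A once-off USSD transfer to a card number the customer never registered.
	onceOff := Request{Channel: ChannelUSSD, Account: "ACC-100",
		Beneficiary: "4111111111111111", AmountCents: 250000, OTPVerified: true}

	strict := NewAuthorizer(Policy{PerTxnLimitCents: 300000, DailyLimitCents: 500000})
	strict.RegisterBeneficiary("ACC-100", "ACC-200")
	ok, why := strict.Decide(onceOff)
	fmt.Println("strict policy:", ok, why) // false beneficiary not registered for USSD payments

	loose := NewAuthorizer(Policy{AllowUnregisteredBeneficiary: true,
		PerTxnLimitCents: 300000, DailyLimitCents: 500000})
	ok, why = loose.Decide(onceOff)
	fmt.Println("loose policy:", ok, why) // true
}
```

Note what this policy does and does not do: it cannot stop the USSD session from being intercepted, since the bank has no control over that path. It bounds what a captured PIN and OTP are worth, to payments the customer had already mandated, and to a capped amount per transaction and per day.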

Wednesday, July 23, 2008

The conference bandwagon

The Mobile Money Transfer Summit arranged by the GSMA in Cairo was a huge success. The speakers at the conference were a who's who of the industry. The organisers ensured that many of the presenters were pioneers of the industry with clear stories to tell. (Some vendors were also given the opportunity to present.) The number of delegates and the distances they travelled indicated that the industry has come of age. (Also see my previous blog entry.)

It is therefore no surprise that other conference organisers also climb on the bandwagon. This is a compliment to the GSMA and an indication that a lot of interest exists in this industry segment. A case in point is the MMT08 conference organised by Clarion Events. Selecting a name for the conference that looks exactly like the name used by the GSMA has confused a number of vendors into thinking that this conference is endorsed by the GSMA. Clarion also "mined" the speaker list of the Mobile Money Transfer Summit and used dubious tactics to invite vendors to the conference (like advertising speakers who are not speaking, and a vendor shoot-out with vendors who are not attending).

It is a pity that tactics like these are being utilised by unscrupulous conference organisers.

Recent research

A recent report produced by Juniper was promoted with the following tagline: "more than 2bn Mobile Users Will Have Bought Digital Goods With Their Phones by 2013". This is huge.

The report seems to be well structured according to specific regions and looks at things like transaction sizes and volumes. It seems as if they have done a good job of substantiating the claim. If these numbers materialise, a lot of work will have to be done by a lot of people and, for sure, this would be the biggest revolution since the invention of money.

The Status of Branchless banking

Many advances have been made recently towards the dream of branchless banking. Financial services have always been available to lower-income earners under trees and in villages. We are all familiar with informal saving schemes and community lending mechanisms. These met a need that obviously existed, but they were always informal and offered no or limited protection to the consumer. Also, because they are not visible to regulators, it is difficult to work at improving the systems that support them. The available infrastructure is also often limited in capacity.

This is now changing with new support from central banks and guidance from the World Bank. A concerted effort is being made to include previously marginalised people in the formal banking world. This is of course made possible through mobile banking and new types of disruptive banking, but more importantly it is being given momentum through support from central banks. The most recent example is the clear guidelines recently published by the Pakistan central bank.

A number of major banks have also announced initiatives to provide products and services to these markets. Recent announcements came from banks like Tameer Bank in Pakistan, ICICI Bank in India, Corporation Bank in Mongolia and Pacific and Western in Canada, to name a few.

If banks were to be liable for on-line fraud

According to a recent report on Finextra, the UK's House of Lords would like to make banks legally responsible for losses incurred by customers through electronic fraud. This made me wonder how banks would act if they were liable, and what legal rules would define what constitutes a customer loss. How would banks ensure that they can eliminate customer fraud dressed up to look like a loss? Would Internet banking and mobile banking security mechanisms be the same as they are today?

Maybe if the laws were more strict, one would see more secure electronic banking solutions?

Banks tell us about hackers after they are caught

A number of very interesting stories about how people hacked into banking systems were published recently.

The first was about the arrest of a teenage hacker in New Zealand who supposedly headed up a gang of cyber-crooks that managed to steal about $20 million through fraudulent transactions. Read more here: Teenage hacker (Finextra). Another is the story of Alistair Peterson, who over a period of two years managed to steal almost R10 million from South African banks. He used an elaborate mechanism with mules to achieve this undetected for a long time. Read more here. There is also the story of the HSBC clerk who got caught in an attempt to steal £72 million from the bank. Read more here.

The fact that all three of these stories broke at almost the same time led me to conclude the following:

  • Internet banking fraud is alive and well and being practiced everywhere in the world where banks exist
  • Banks tell us about the crooks that they catch so that we know about the loopholes and can defend against them
  • But they don't tell us about the crooks that they don't catch, for obvious reasons: it may lead to a lack of confidence in the banking system. But how many of them do not get caught, and how prevalent is Internet banking hacking really?