Friday, October 31, 2008

Collaboration between Banks and Mobile Operators

Call me a skeptic, but I have seen it too many times in the mobile banking industry to not believe it this time. The latest attempt at collaboration between banks and mobile operators was announced in France recently (see here and here). While it is a logical way to go for the industry to really get traction, history is cluttered with many failures for banks and mobile operators working together in a formal way. At the risk of being contradicted, I will not list the many attempts here, but readers are welcome to search the web for examples.

I believe that the differences between these types of organisations are so fundamental that it is not possible for them to collaborate formally. Of course, it is important that they work together, but the most effective is by working through defined interfaces that exist already. (for instance clearing and settlement interfaces already exist in banking, standard API's to connect to network services already exist). By establishing organisations to formally collaborate nobody will benefit and a lot of time and money will be lost.

Provisioning of Handsets

The process of provisioning an electronic payment instrument is probably the most critical step and the most onerous from a fraud perspective. Provisioning is the process of connected the payment instrument with a central database so that payment instructions are routed in the correct way. This provisioning process for cards are completed prior to distributing the cards (especially chip based cards).

In all of the deployments that we have done with mobile phones the provisioning is also done prior to distribution of the SIM cards (effectively by injecting a key or keys into the SIM card). In this way the process is much more secure and controlled. The idea of provisioning a payment instrument over the air (OTA) is of course very attractive as this would enable clients to sign up for a mobile payment service with very light authentication. This is why a lot of work is done in this space. For instance, see the following patent.

Mastercard recently announced specifications for OTA provisioning for a PayPass payment instrument on suitably equipped handset. The process as described on the MasterCard is sketchy and it is not clear how a number of hurdles have been overcome. (For instance initial identification of the handset, management of the application on the phone etc.), but it is a step in the right direction.


POCit is a new mobile payment service launched in South Africa recently. The service allows anyone with a credit card to send money to anyone (with a cellphone). Because of the background of the company backing the service, POCit also allows a subscriber to pay medical bills. A subscriber must download a Java application in order to get access to the service.

This is good news as it shows that the degree of activity in the industry, but is also worrying because of the proliferation of services and the lack of integration and coordination. It would be interesting how many subscribers POCit would gather in a very competitive South African market.

Increased security for Internet Banking

One of the potential advantages of mobile banking is access to the crypto keys on the SIM card. If utilised correctly (and by the way, a small number of suppliers actually have the expertise to do this), banking solutions can be delivered with the same security than EMV (chip and PIN) cards. The reason for this, is that the banking application has access to cryptographic keys available on the SIM card. Internet banking deployments do not have access to crypto keys on the subscriber PC/laptop. Internet banking can therefore (through first principles) never be as secure as mobile banking.

With the launch of laptops with SIM card slots integrated into the machine (I blogged about this previously), I thought that this would enable much more secure Internet banking solutions. This did not materialise (up to now), as the SIM card in the laptop is only being used to create connectivity access to 3G networks. Opportunity lost?

Now two products have caught my attention with the potential of significantly improving online banking. These products (both) plug into the USB slot on the PC and provides the cryptographic capabilities on the PC platform:

  • IBM recently announced the Zone Trusted Information Channel (ZTIC) (read more here). This is a hardware device with crypto security that can be utilised for online banking and that plugs into your PC's USB slot.
  • Gemalto ships a similar product called the USB Shell Token (see here). With the relationship between Fundamo and Gemalto, we are investigating ways to leverage our experience in mobile banking to increase security of online banking by making use of this hardware device.
Maybe online banking security will ultimately be improved by means of USB devices and not through the SIM card on the PC?

Wednesday, October 22, 2008

Pres Sarkozy and Phishing

I must congratulate Pres. Sarkozy. I am sure that he is not the first public figure that have been hit by an Internet scam, yet he allowed information about the event to become known. (Read here). And I think that this is a first. It is important that mere mortals should be made aware of the risks associated with Internet crime.

What can be done about this. First education (see one of my blogs on this), and mobile banking of course. (Read here). Someone should subscribe Pres. Sarkozy to a well-designed mobile banking solution.

People transact more in time of uncertainty

Ukash recently reported a major shift in people buying Ukash vouchers to shop online. (Read more here). I must congratulate my friend Mark Chirnside on this good growth. Some of our customers also told us that their money remittance business tripled during the money crunch period as exchange rates started going mad.

This made me wonder if one could not look at the world of financial transactions in the following way. The more uncertain life becomes the more people do financial transactions. (See the graph). We are living in extremely uncertain times - this is a fact. Does this mean that people will have a need to do more and more financial transactions?

Is USSD for mobile banking a cul de sac?

I was recently asked to elaborate on my statement in a previous blog that USSD is a cul-de-sac. (Read the blog here.)

At the outset, I need to emphasise that I do believe that USSD is an excellent channel to deploy mobile banking solutions. It should always be considered in designing mobile banking solutions and is best suited for deployments where the mobile operator is involved in setting up the solution, but is not prepared to allow banking applications on their SIM cards. It is also well-suited for countries where a culture of "short-code" based solutions are entrenched. I have previously blogged on some of the mis-conceptions of USSD. (See here)

My statement about a "cul-de-sac" was based on my view of where different consumer access channels will evolve to over the next few years. In other words to what extend USSD applications and architectures will be suited for new generation platforms and user-interfaces. I believe that USSD mobile banking applications will not easily evolve to benefit from improved user-interfaces that will become more entrenched in new-generation handsets/phones. I also cannot see how USSD applications can evolve to benefit from the expected advances in improved security paradigms that will more and more be based on certificate and encryption paradigms. Also, the inherent architecture of USSD applications (predominantly based on sessions and grabbing hold of an array of network resources in order to complete a transaction), will not be able to benefit from improvements in network architecture and particularly 3G designs. As data-connections reduce in cost and increase in accessibility, USSD applications will slowly get replaced by applications based on GPRS and IP-protocol.

In summary, I do not believe that USSD designs are positioning mobile banking providers well from a strategic perspective. I would urge banks and mobile operators to work with suppliers that provide USSD applications in such a way that mobile banking can evolve as new technologies become available. These new technologies (3G, new handsets, new security paradigms) are less likely to enhance investments in USSD.

Tuesday, October 21, 2008

Biometrics and mobile payments

As is common knowledge, electronic security should be based on one of the following components (preferably a combination of these):

> Something you know. (Typically passwords, PIN's etc.)
> Something you have. (Typically a chip card, your phone etc. - all of these should preferably be based on some cryptographics in order to stop the ability to copy)
> Something you are. (Typically a fingerprint, retinal scan etc.)

Better mobile banking solutions (from a security perspective) are usually based on at least the first two (E.g. your SIM card and a PIN, a key in a Java application on the phone and a password). A number of interactions with innovative companies this week made me wonder about the possibility of implementing workable biometric solutions in mobile banking applications.

The limitations, of course, are the current input capabilities available on the mobile phone today. The only options that I can see is the possibility of voice-prints built on the voice (microphone) capabilities of a mobile phone. We at Fundamo have worked on one such implementation. It proved extremely problematic to get to work - predominantly because of the digital compression on mobile networks. The other alternatives would be to utilise the camera that is built into the phone for things like retina scans or fingerprints. Would this be possible? Maybe some-one have some ideas on this.

Thursday, October 09, 2008

How $20 turned into $2000

When Johannes Maartens paid with a cheque for the maintenance on his Ford truck, he never thought that this would turn into a nightmare. The $20 cheque that he gave to the electrician that fixed the indicator on the truck turned into a $ 2000 withdrawal when the cheque was offered to his bank. It took Johannes a lot of time and effort through the courts to get the matter resolved. (Read the full article here)

I was just thinking when I read this article: Would this type of fraud been possible if he made a mobile payment (as he could have done today in South Africa). and the answer is absolutely not - because it is virtually impossible for the electrician to change the payment instruction. Episodes like this should convince people to start doing more of their transactions via their cellphones.

Wednesday, October 01, 2008

Armageddon and mobile banking

This was without doubt one of the most defining moments in the history of financial services. The bail-outs, the lack of trust and the lack of liquidity all initiated a new world where money will never be the same again. We all lived through this week of financial imploding and we all speculated on how the world would be different where most banks are nationalised.

Of course I tried to put this new world in the context of mobile banking and I came to the following conclusions:

  • Regulations will change and probably become more tough and rigorous, this is bad news for companies that had an intention to launch transformational banking on the back of mobile telephony
  • Solutions based on positive balance (rather than credit) will become more attractive. This would require on-line, always available solutions - much easier to deliver using mobile banking.
  • Consumers would require real-time banking systems that place them in control of their money. They would want more up to date information, more control over moving money and more access to information in context. It is much more easy to deliver this via mobile banking than through any other channel.
  • Banks would become more conservative, but companies on the fringe (MFI's, MNO's etc.) may see this as an opportunity to start offering alternative banking services.
The recent financial Armageddon may just lead to a far more aggressive deployment of mobile banking solutions.

The end of Bank branches?

A recent report out of New Zealand made for interesting reading. According to the local media transactions at ANZ conducted at branches have fallen 23 per cent since 2003. according to the report this is because of simpler processes, fewer forms, more use of call centres and more use of Internet banking. (Read more here). This is contrary to many papers and reports that seems to indicate the opposite (for instance here).

Question is, who is right. All these reports or ANZ's findings. My view is that most of the reports are based on US data, which is not applicable in many markets. If I just take myself and how Internet and Mobile banking changed my behaviour. I definitely visit bank branches significantly less than I used to in the past. However, I do much, much more transactions than I used to. Bank branches also started changing in what they do. In the past branches were a place where one did financial transactions (deposit money, change a cheque etc.) Nowadays they have become support centers for electronic channels. If I look at my local branch, the help and info counter personnel work much harder than the tellers.

Of course, if the measurements of ANZ were accurate this trend would surely be accelerated by the take-up of mobile banking applications, especially if these applications were well designed and clear in its objectives. Also, if this trend is truely the case, then surely mobile banking business cases can claim the savings that can be realised in closing branches. This would make mobile banking business cases a "no-brainer".

The Android of Mobile Banking

So the first Google-phone is here (Read here). It seems to be a well-made phone with many features and something that a lot of people would want to have. (at least it is made by some-one that have been making great PDA-like phones for a long time - I am sure they re-used some of their old designs.) The thing that I am the most intrigued in is the operating system: Android.

As one could expect from some-one like Google, Android is different to all operating systems that phones run on and this is what is really interesting (Read more here). Some of the characteristics of the operating system in this case have major implications for mobile banking and I would like to highlight a few.

First, let me just describe the biggest differences in Android and other existing mobile phone interfaces. I would argue that the biggest differences are the following:
  • Android is much more open than any other operating system. Developers have much more control and access to phone resources than with other operating systems. This will enable more people to write applications for the phone.
  • The operating system allows individual applications to access other applications. The interaction of applications with each other is much more powerful, allowing for the activation of one application of another and the passing of data between the two applications.
These two characteristics are good and they are bad from a mobile banking perspective:

This is great news for bona-fide developers of mobile banking applications. It is now possible to deploy much more powerful banking applications and also allowing for third party developers to release applications that can interact with banking and payment applications on the phone. As a case in point, VISA announced (Read more here) recently that they have developed and are in the process of developing a whole new host of applications for the Android.

The downside of the openness of the Android platform is of course that much more developers can now apply themselves to build applications with harmful intent. The ability to craft phising applications and other attack applications have now increased significantly. Developers of mobile banking applications will have to work twice as hard to ensure that consumers are protected.

Much more discussion is needed on this topic.