Friday, August 29, 2008

Phishing

Wikipedia defines "phishing" as "the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication" (see here). The most common mechanisms are fraudulent e-mails, websites or downloadable applications.

Judging by what is reported in the media, this is quite a prevalent activity. This is a sample of the things that crossed my desk during the past month:

  • A warning published by FNB in South Africa for their customers to be aware of a phishing attempt. (see here)
  • A youngster sent to prison for seven years for phishing attacks. (see here)
  • ClearmyMail reporting that the biggest target for phishing attacks in the UK is RBS (probably because they are the biggest anyhow, or because they report it better? Either way, one must have a lot of statistics to arrive at 42.7%). (read more here)
  • The UK Association for Payment Clearing Services (APACS) reports an increase of 180% in phishing attacks year on year. (more here)
This is just a sample. What is interesting to me (once again) is how many instances go unreported. So why do I publish this on a mobile banking blog? Simply because so many mobile banking suppliers are deploying solutions on mobile phones with major holes for phishing attacks. The same principles apply just as easily to a text message: a message that looks as if it comes from the bank redirects the reader to a harmful URL or gets them to download a trojan application. However, if deployed correctly and making use of the unique characteristics of mobile phones, mobile banking can be designed in such a way that the channel is not prone to phishing attacks. This is the opportunity to do it right (the mobile banking industry is still in its infancy in most markets) before take-up is so big that technology decisions can no longer be changed.
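The "redirect to a harmful URL" case above, as an added example that is not part of the original post: a small Python check that flags any link in a text message whose host is not exactly one of the bank's own. The bank domain `examplebank.co.za`, the allow-list and all sample messages are constructed for illustration.

```python
"""Allow-list check for URLs embedded in text messages (added illustration,
not code from the original post). 'examplebank.co.za' stands in for a real
bank's domain; all messages below are constructed."""
import re
from urllib.parse import urlsplit

# Hosts the bank actually sends customers to. A real deployment would load
# these from configuration; exact host names, never substrings.
ALLOWED_HOSTS = {"examplebank.co.za", "www.examplebank.co.za", "m.examplebank.co.za"}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")

def extract_urls(text):
    """Pull candidate URLs out of free text, dropping trailing punctuation."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls

def host_of(url):
    """Host the phone would really connect to, lower-cased, or None.
    urlsplit().hostname discards userinfo and port, so
    'http://examplebank.co.za@evil.example/' yields 'evil.example'."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def is_allowed_host(host):
    # Exact match: 'examplebank.co.za.secure-login.example' and
    # 'www.examplebank-secure.co.za' both fail, although both "contain" the bank.
    return host in ALLOWED_HOSTS

def classify_sms(text):
    """Return ('clean', []) or ('suspect', [offending hosts or raw URLs])."""
    offenders = []
    for url in extract_urls(text):
        host = host_of(url)
        if host is None or not is_allowed_host(host):
            offenders.append(host or url)
    return ("suspect" if offenders else "clean", offenders)

if __name__ == "__main__":
    # Constructed sample messages: one genuine alert, three phishing lures.
    samples = [
        "Payment of R450.00 processed. Details: https://m.examplebank.co.za/tx/7781.",
        "URGENT: account locked. Verify at http://examplebank.co.za.secure-login.example/verify",
        "Re-activate your profile: http://examplebank.co.za@evil.example/login",
        "Update your details at www.examplebank-secure.co.za/update today",
    ]
    for sms in samples:
        verdict, hosts = classify_sms(sms)
        print(f"{verdict:8} {hosts} <- {sms}")
```

The check deliberately compares whole host names rather than looking for the bank's name inside the link, because lookalike subdomains and user-info tricks are exactly what a "contains the bank name" test lets through. It only inspects links: a message with no link that asks the reader to phone a number or reply with a PIN passes, which is why the design point made above (a channel that does not rely on the customer spotting the fake) matters more than any filter.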

Yet many banks merely port their Internet banking solutions to mobile, without due consideration of the additional security that mobile can provide... such a pity. Consider speaking to the experts before you do this.

The Visa alerts deal

A recent announcement made by Visa (read here) was very interesting to me. Visa is teaming up with eight US banks to offer an SMS alert solution. Cardholders of these banks can subscribe to the service by registering their mobile phone number with Visa, which ties the number to the credit card. Whenever the card is used (subject to settings managed by Visa), a text alert informing the cardholder of the transaction is sent to the mobile phone immediately. The advantages are of course multiple. It will be interesting to see how this service is promoted and how big the take-up will be.

Just as an afterthought, who is prepared to enter into a bet with me that the technology utilised for this service was built in South Africa?

Remote Check Deposits


I have always found the US economy's dependency on checks fascinating. In a modern world with connectivity and all kinds of electronic payment options (with even mobile payments quite prevalent), the payment infrastructure of the biggest economy in the world is still paper based. This is quite ironic.

When I saw this article, I realised how difficult it is to change a massive payment ecosystem. The check-based payment ecosystem in the US must have many players, all playing an important part. A lot of them would (of course) lose big time if check systems were replaced by something much more modern, cheap, convenient and secure. If we picture a US where all check payments are replaced by electronic payments (mobile-based and/or Internet-based), this would require many participants (consumers, merchants, banks, payment switches, etc.) to change their behaviour. This would of course have major ramifications for all of these participants. The sheer size of the change required makes this highly unlikely. It is true that in many countries checks have almost totally been replaced by modern, convenient electronic payment systems. In South Africa checks have just about disappeared in the ten years since the deployment of Internet-based payments (and also in the past five years with mobile payments). Today it is almost unthinkable to write checks for payments in South Africa.

Yet, if US consumers were to embrace the sheer convenience, security and ease of use of electronic payments, would the ecosystem not change on the strength of consumer demand? How do we tell consumers in the US about a new, better way of paying?

Market segmentation for mobile banking

It is absolutely true that mobile banking is experienced differently from one market to another. This is often the source of a lot of confusion when different people discuss mobile banking from different contexts. Before we discuss mobile banking it is therefore important to first define the markets that one targets when deploying mobile banking.

The most obvious first segmentation of the market for mobile banking is to distinguish consumers with a strong, existing relationship with banks from those that have no relationship with a bank. This segmentation should range from someone without any banking relationship (someone who does not have a bank account and never had one) to, on the extreme right, a sophisticated user of banking services: typically someone with a relationship with more than one bank and with multiple bank accounts and/or credit cards. Another dimension should be an indication of the degree to which a consumer is connected to other consumers. Some consumers, because of their work or role in society, have a bigger need to interact with a more diverse group of consumers; others are much more localised in their interaction.


Looking at the different segments, one would be able to identify an individual who is typically employed in a low-income position or survives off grants, pensions or money sent from family working in the city or abroad. Life's routine is predictable for this individual, with activities organised around work and family. This individual would typically live in a low-cost abode, either in a village in some rural area or in slums in or around cities. Credit worthiness is low, with access to expensive micro-lending as the only source of credit. All transactions are in cash and almost no savings exist. These people are the masses that turn the economy with their labour. Their need for banking services is limited to small savings, money remittance and some electronic payments. They usually get access to these financial services in a very expensive way, often at high risk, as all of their transactions are in cash. They are often referred to as the bottom of the pyramid, yet they are active in the economy, represent a large portion of the population in many countries and can be reached by mobile banking with the right product or service.


Another segment would consist of individuals who are much more affluent. They are the people who always have the latest gadgets and are more expansive in their exposure to financial products. They typically have the latest phones, have more than one bank relationship and travel extensively for work and pleasure. Their assets include stocks and bonds and they use the Internet extensively to transact electronically. They are often aware of the transactional risks associated with card transactions and the Internet, and are often uncomfortable about their exposure to fraudulent activities. In addition to providing more control and improved security, mobile banking also delivers an alternative mechanism for this power user to pay. Transactions not usually available can now be performed: person-to-person payments, proximity payments and enhanced security for "card-not-present" transactions, to name a few. All of these features are available in some format or another.


It is clear that different market segments would require vastly different mobile banking offerings.

Core Mobile Banking Processes

I have been emphasising the importance of mobile banking processes in a previous blog entry. Someone recently asked me to expand a bit on this. This goes one level deeper, describing in words some of the business processes that must be available at a minimum, and some of the considerations when designing these processes.

So, as a minimum, you should have the following business processes defined and supported by your mobile banking system before you launch into production (these are just a sample, to serve as an illustration):
  1. Customer registration - this is usually the most complex, but also the most important process. This is the point at which the system can be designed to comply with regulatory requirements. Many different approaches can be implemented, ranging from the filling in of forms that must then be captured, to online registration from the mobile phone or on an ATM network, or (sometimes) all of the above.
  2. Change security information - it is common practice that a subscriber selects security information at the point of registration. But what happens when this information is compromised or lost? A process must be available to (for instance) reset a PIN or password in a secure way. The system may have to cater for secondary authentication (maybe through memorable questions) to support this.
  3. Block/Suspend/Un-suspend a service - the system should cater for the ability to suspend a service when a subscriber feels that their access has been compromised (for instance because their phone was stolen). The mechanisms to suspend and later un-suspend a service must be designed beforehand.
  4. Release pending transactions - the nature of mobile banking is such that some transactions do not complete because (for instance) other systems are not available. The back office must be capable of releasing these transactions in a way that does not compromise integrity.
  5. Close an account - it must be possible to close an account if a subscriber wishes to do so. A number of aspects must be considered in this case, for instance what happens to any positive balance on the account.
  6. Perform batch services - many batch services must be performed in a properly designed mobile banking system: raise subscription fees, pay interest, apply payments from an external system, etc. All of these must be available.
  7. Register a support employee - the process of registering a bank employee must also be available. This process must cater for a registration that is secure, authorise the employee to access only the portions of the system they need, enable the selection of security information, etc.
Hope the above goes some way towards a better understanding of the complex nature of mobile banking back office systems.
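As an added illustration (not code from this post or from any vendor), here is a small Python model of the subscriber lifecycle behind processes 2 to 5 above: PIN change proven by the old PIN, PIN reset through a memorable question, automatic lockout and suspend/un-suspend, release of a stuck transaction that is safe to retry, and closure that refuses while a balance remains. The names, the three-attempt limit and PBKDF2 as the hashing choice are assumptions made for the example.

```python
"""Subscriber lifecycle for a mobile banking back office (added illustration,
not any vendor's code): PIN change and reset, lockout, suspend/unsuspend,
idempotent release of pending transactions and closure. Names, the
three-attempt limit and PBKDF2 as the hash are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_PIN_ATTEMPTS = 3    # assumption: suspend the service after three wrong PINs

class ProcessError(Exception):
    """A back-office process refused to run in the current state."""

def _derive(secret, salt):
    # Slow, salted hash so a leaked table does not reveal PINs or answers.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Subscriber:
    msisdn: str
    recovery_salt: bytes
    recovery_hash: bytes          # hashed memorable-question answer
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    state: str = "active"         # active | suspended | closed
    balance: int = 0              # cents
    failed_attempts: int = 0
    posted: set = field(default_factory=set)   # tx_ids already released once

def _require(sub, *states):
    if sub.state not in states:
        raise ProcessError(f"{sub.msisdn}: not allowed while {sub.state}")

def _check_answer(sub, answer):
    # Secondary authentication (memorable question), compared in constant time.
    digest = _derive(answer.strip().lower(), sub.recovery_salt)
    if not hmac.compare_digest(digest, sub.recovery_hash):
        raise ProcessError("secondary authentication failed")

def _store_pin(sub, pin):
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        raise ProcessError("PIN must be 4-6 digits")
    sub.pin_salt = os.urandom(16)              # fresh salt on every change
    sub.pin_hash = _derive(pin, sub.pin_salt)
    sub.failed_attempts = 0

def register(msisdn, pin, memorable_answer):
    salt = os.urandom(16)
    sub = Subscriber(msisdn, salt, _derive(memorable_answer.strip().lower(), salt))
    _store_pin(sub, pin)
    return sub

def verify_pin(sub, pin):
    _require(sub, "active")
    if hmac.compare_digest(_derive(pin, sub.pin_salt), sub.pin_hash):
        sub.failed_attempts = 0
        return True
    sub.failed_attempts += 1
    if sub.failed_attempts >= MAX_PIN_ATTEMPTS:
        suspend(sub)                           # automatic lockout
    return False

def change_pin(sub, new_pin, old_pin=None, memorable_answer=None):
    """Normal path proves the old PIN; a lost PIN falls back to the memorable
    question instead of letting a support employee set an arbitrary PIN."""
    if old_pin is not None:
        if not verify_pin(sub, old_pin):
            raise ProcessError("old PIN incorrect")
    elif memorable_answer is not None:
        _require(sub, "active", "suspended")
        _check_answer(sub, memorable_answer)
    else:
        raise ProcessError("no authentication supplied")
    _store_pin(sub, new_pin)

def suspend(sub):
    _require(sub, "active")
    sub.state = "suspended"

def unsuspend(sub, memorable_answer):
    # A stolen phone may carry the PIN, so reactivation needs the second factor.
    _require(sub, "suspended")
    _check_answer(sub, memorable_answer)
    sub.state, sub.failed_attempts = "active", 0

def release_pending(sub, tx_id, amount):
    """Post a stuck transaction exactly once; a back-office retry is a no-op."""
    _require(sub, "active", "suspended")
    if tx_id in sub.posted:
        return False
    sub.balance += amount
    sub.posted.add(tx_id)
    return True

def close_account(sub, pay_out=False):
    """Refused while a balance remains unless the caller has arranged to pay
    it out (e.g. a cash-out); returns the amount paid out."""
    _require(sub, "active", "suspended")
    if sub.balance and not pay_out:
        raise ProcessError(f"balance of {sub.balance} cents must be paid out first")
    paid, sub.balance, sub.state = sub.balance, 0, "closed"
    return paid
```

Two design choices are worth noting. Re-activation after a suspension is tied to the memorable answer and not to the PIN, because the scenario that triggered the suspension (a stolen phone) is precisely the one in which the PIN may be in the wrong hands. And the release of a pending transaction is keyed on the transaction identifier, so an operator who retries a release after a timeout cannot post the same amount twice; that is the "does not compromise integrity" requirement in process 4 made concrete.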

Monday, August 11, 2008

Many new vendors


This is the most fascinating thing about this space - the number of vendors that suddenly appear from nowhere. I was recently sent this article by someone asking me what I think of this invention. According to the article, a guy called Conrad Sheehan explains that he has come up with a way to provide the mobility factor in the formula for e-commerce success. He calls his product MPayy.

Well, here is my take: I see these kinds of inventions literally every week. In a small town like Cape Town (population 2 million), I am aware of at least five mobile payment initiatives at this time. New technology and an "innovative" invention with the potential of changing the way that people pay. What I do know, having worked in this industry for ten years, is that it is hard work to get these things to work. It is probably harder than in any other industry, because of the deep impact on so many players in the payments ecosystem.

I obviously wish these entrepreneurs well, but am wondering why they don't try something easier...