With the rise in popularity of mobile payment and banking services, how can providers leverage strong security whilst maintaining a positive customer experience?
The popularity of mobile payment and mobile banking services looks set to soar, giving users greater choice, flexibility and convenience. Innovations in technology and the subsequent advances of mobile handsets mean that they are fast becoming an established platform through which we can make payments.
Financial organisations are queuing up to release their own versions of these platforms. Visa and Barclays are the latest to join the line, and it's certainly getting longer.
When it comes to mobile payments and mobile banking, it is important to make a clear distinction between the two, as the services they provide are very different. They do both share the same central issue: balancing security with a positive customer experience.
Every player in the ecosystem, whether financial institutions, carriers or handset vendors, must ensure that they can deliver the new mobile services in order to enhance their brand and maintain an advantage over their competitors. But this must be done without compromising security.
The threats and challenges of mobile banking are reasonably well understood as it is a technology that has already been widely adopted. Services whereby users can access standard banking services, such as account information and payments, are currently in use in the UK. They are also very popular in emerging markets such as Kenya, where users have enjoyed these systems for around five years.
This technology is increasing in popularity and, as a result, a rising number of threats and security concerns are emerging. Where the customers go, cyber crime will be sure to follow. The mobile channel is fast becoming a prime target for criminals, as illustrated by McAfee's recent report, which found nearly 450 samples of mobile malware in the last quarter of 2011 alone, by far the busiest period of mobile malware recorded.
With all online transactions there is an element of risk, and it is sensible that users approach these services with a healthy degree of concern for security. The challenge for providers is finding a way to provide strong enough security to reassure the user, but to do so without alienating them through onerous security checks.
One way of doing this is by providing an e-digi code. When the user enters their username and password, a unique one-time passcode (OTP) is transmitted transparently and directly to their bank, authenticating their identity with zero impact on user experience.
Transaction fraud detection is another method, which works by monitoring user activity to detect anomalies or unusual behaviour, and verifying with the customer that the transaction is legitimate. However, as banks have adopted these methods of security, criminals have developed a new way of bypassing them: the man-in-the-mobile attack. This malware operates by living in the device, hijacking transactions and changing both the amount and recipient.
A combination of fraud monitoring of user behaviour, SMS with transaction details, out-of-band transaction verification and signature techniques on a mobile application is the most effective way to defend against these attacks.
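The difference between a login passcode and a transaction signature can be shown in a few lines. The following is an added example, not code from the article or from any vendor: HOTP (RFC 4226) stands in for the one-time passcode, an HMAC over the payment details stands in for the "signature technique", and the key, account numbers and field names are constructed. It assumes the signing key sits where the malware cannot use it.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: proves possession of the key, says nothing about the payment."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def canonical(tx: dict) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    out = b""
    for name in ("payee_account", "amount_minor", "currency", "nonce"):
        value = str(tx[name]).encode()
        out += struct.pack(">H", len(value)) + value
    return out

def sign_transaction(key: bytes, tx: dict) -> str:
    """MAC over the details the customer confirmed (recipient and amount included)."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()

def bank_accepts_otp(key, counter, otp, received_tx) -> bool:
    # The passcode check never looks at received_tx.
    return hmac.compare_digest(hotp(key, counter), otp)

def bank_accepts_signature(key, signature, received_tx) -> bool:
    # The bank recomputes the MAC over what it actually received.
    return hmac.compare_digest(sign_transaction(key, received_tx), signature)

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; assumed out of the malware's reach
    confirmed = {"payee_account": "ACCT-0001", "amount_minor": 4500,
                 "currency": "GBP", "nonce": "n-1"}  # constructed sample
    # What reaches the bank after recipient and amount were changed in transit.
    received = dict(confirmed, payee_account="ACCT-9999", amount_minor=450000)
    otp, sig = hotp(key, 1), sign_transaction(key, confirmed)
    return {
        "otp_accepts_altered": bank_accepts_otp(key, 1, otp, received),
        "signature_accepts_confirmed": bank_accepts_signature(key, sig, confirmed),
        "signature_accepts_altered": bank_accepts_signature(key, sig, received),
    }

if __name__ == "__main__":
    print(demo())
```

The passcode alone still validates after the details change, which is why the article pairs it with transaction-level verification.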
The other side of the coin is the more recent emergence of near-field communication (NFC) technologies, whereby the device itself can be used as the credit card. This exciting new technology opens up numerous possibilities for handsets and for users, and its popularity looks poised for take-off.
Almost every mobile vendor is lining up to provide NFC-enabled handsets to give users added functionality and ease of use. In fact, Juniper's 2011 research showed that by 2014, half of all mobile devices will be equipped with NFC technology.
Unlike mobile banking services where the challenges are largely understood, NFC is a very new and relatively unused technology, so many of the security challenges are yet to be discovered. There are still widespread consumer anxieties about NFC, as shown in a recent survey from Vouchercodes.co.uk, which reported that 60 per cent of users would avoid using NFC to buy goods, with security being the overriding concern.
Yet using your mobile phone to make payments is actually no more risky than using a chip credit card. The infrastructure, other than the card reader on the vending machine, already exists and the challenges and risks remain the same.
The main security challenge with NFC, as with all transactions, is authenticating the user's identity, and the 'weak link' often comes down to the password and PIN combination. Users can set up their NFC-enabled devices in a way that ensures that they won't respond to random requests, but this will require a specific app to be running or some sort of verification to be used before a payment is made.
This being said, it is possible to provide security that is more robust on a mobile device than with a credit card, and this can be designed in a way that maintains a user experience of convenience. The innovations that we have seen over the past few years in mobile devices have opened up users' worlds to numerous capabilities, novelties and conveniences, and this trend is set to continue.
As providers develop the ability to offer new services to customers, there will inevitably be criminals whose sole aim it is to exploit them. Organisations cannot simply stop innovating and competing, so they must strive to offer these services, whilst maintaining a safe environment for their customers.
The threat landscape is ever-changing so security needs to be strong and agile, but not to the detriment of customer experience. Only then can the transition to mobile money really take off.
Mark Reeves is senior vice president of Entrust