
I'll Never Login with Facebook or Pay with my Phone!

We're experiencing a massive shift in consumer behavior right now with the explosion of Facebook, Twitter, YouTube, and other community collaboration and social media platforms. A world where Facebook has 800 million inhabitants and a President who is a college dropout (albeit Harvard).

We're seeing the global domination of mobile across the entire world, where before long every person on the planet will have a mobile phone - and soon that phone will be a wallet. Smartphone owners will be the majority in just a few years as smartphones are virtually free on contract, and unlimited data is bundled free. Already the average smartphone user spends more time using Apps than they do using an Internet browser on their computer. 

The traditional players amongst us say that such things don't really change the fundamentals, that "it will take time for people to trust these new mechanisms".

I'll never login with Facebook to my bank.

I won't pay with my mobile phone unless I understand how secure it is. This NFC technology is too new and there's no common standard.

Huh?

The same people who said this probably said...

I'll never use email, there's nothing like calling someone or a face-to-face discussion to solve a problem

I'll never use an ATM machine, I don't trust a machine to give me money.

I'll never get a cell phone - I don't want people to be able to call me whenever and wherever I am. 

I will never put my credit card details on a website online - are you crazy?

I'll never bank online. Not in my lifetime...

I'll never need a Facebook account - it's a waste of time, it's just for college students.

Really?

If you are saying you won't do something that millions of other people are already doing, that's a sure sign that it's going to disrupt the hell out of your business and you're in trouble.

If you're not planning to work differently, if you're not thinking differently, then you're just out of touch, you're just one step away from irrelevance. You're fighting the flow upstream and getting pushed towards disaster.

The one constant of the internet-enabled world is that you have to be ready to change constantly. Resistance is not only futile, it's stupid and very costly in the long run. It's cheap and easy to be social right now, same for mobile - it won't be in the future.

Right now you have two choices. 

Start experimenting with how to adapt to these new methods

Start figuring out what people want to talk about on social media when they're using their phones at a store, searching for products, checking in, tweeting or updating their Facebook status.

Start talking to them. Start sharing content that isn't marketing messages pushed down their throat, but helps them.

Start trusting consumers to talk to you about your brand, your products and about what they want from their bank or services provider. Understand you can't control the conversation, but you can and should participate in it.

Open up new products and services based on social media. Get consumers to give voice to their needs and help you form those ideas. OCBC, DBS, First Direct, ASB, Comm Bank are all trying different types of crowdsourcing to develop better relationships with their customer base.

OR... Ignore the obvious, get ready to be displaced

Our customers don't feel safe using Facebook for login!

But some of them might... how long before most of them will? How do you meet your KYC requirements and keep customers safe when allowing them to do this? Are you going to wait till everyone else is doing it, or are you going to learn how to do it properly and securely now? Are you asking your compliance teams to find ways of figuring out how to do this stuff safely?

It will take years for the mobile wallet and NFC to take off!

Right now Google and Apple are eating your lunch and you don't even know it. You are getting ready to write off the one device that is most critical for connections and context with your customers in the later part of this decade. Someone else is going to own your customers, and as banks we're going to be paying the likes of Google to include our branded card in their wallet, or our products and services and messages on their platform.

We already have to ask permission from Google and Apple to give our customers our App. 

Don't want to change! You will... 

The fact is that for most of the last two decades we've been facing constant change, and no one organization has been able to resist the shift because customers decide how and when you'll engage with them.

Customers have already decided they want their mobile device to be their bank. They've already decided that they want to discuss your brand and your service capability in the open community of social media. 

Now it's time for you to decide that you want to stay relevant to your customers. Or ignore the obvious and go away.


Comments: (16)

A Finextra member 08 December, 2011, 07:07

Very well put Brett. Keep disrupting!

Simon Dixon

A Finextra member 08 December, 2011, 10:21

I'm not sure you can treat all those disruptive changes as equivalent, and the doubters may be less conservative, and more informed than you're giving them credit for. 

Mobile payments are going to happen, and any security issues will be solved by the payment providers. But that's not the issue.

Facebook security problems won't go away as Facebook has no driving need to take them seriously. Facebook will never be strong on privacy and trust as their business model doesn't allow them to be.

Strong ties to Facebook for ID may mean a self-selecting customer base who are value-destroying and responsible for a disproportionately high volume of security incidents.

The concept is very brave (that's the usage of 'brave' as seen in Yes, Minister)

Brett King - Moven - New York 08 December, 2011, 11:05

Anon,

You might be right, however, the key issue for consumers is not about security - it's about ease of use. The mental load for customers around usernames and passwords is the issue. I'm agnostic to Facebook, versus Twitter, versus LinkedIn or new services like Connect.me. I think that a single-sign on is the way we're going, and the driver isn't security, it's simplicity.

As an industry, we simply have to find a way to make the simple, secure.

Anything else is irrelevant, because if we don't the push towards simplicity could drive a decrease in security as you've said.

Incidentally, there are many ways of making a single sign-in methodology secure. We can do location based, device based (registration), we can incorporate 2FA. It's not as simple as Facebook is not as secure as current UID/PWD methods. That's a very simplistic view.

BK 

A Finextra member 08 December, 2011, 11:26

Facebook users will happily install malware if it looks like a link to Justin Bieber kissing a kitten. So, yes, you can add 'extra' security to Facebook. But since Facebook login details might as well be posted in plaintext for all to see, that 'extra' security is your actual security. Facebook has added nothing, and the simplicity has been compromised by the additional layer required.

A Finextra member 08 December, 2011, 15:56

I'm with Anon here. Don't care about peer pressure or looking 'old', there's no way that currently I would consider using or recommend using a Facebook login for banking! As FB cannot even get their own security right, I would not want them anywhere near my online banking.

Otherwise I much enjoy online banking, and have been doing it now for over 12 years...

Lastly I *do* understand that usability and security are trade offs.

A Finextra member 12 December, 2011, 15:03

It's about the right balance between risk and trust ...

Can you trust an ATM machine ?

ATMs and the authorisation systems behind them have proven to be pretty secure for decades. I've learned how to mitigate the somewhat newer risk of ATM skimming. I do continue to use ATMs.

Can you trust your PC ?

I used to do homebanking from my PC, but have stopped doing so years ago as PCs proved to be very vulnerable and attack methods became ever more sophisticated, while the effectiveness of virus scanners is deteriorating.

When getting hacked, I can expect to have serious trouble getting my money back from the bank. Too much risk for me, I now take the inconvenience to go to the bank branch, to use their own terminal and also to print a statement there to document my transactions.

I still do online shopping using my credit card. I do trust that the credit card company would cover potential fraud losses.

Can you trust your smartphone ?

I can't. If you do trust your smartphone, you might not have followed the dramatic rise in malware attacking those devices ... 

In a nutshell: Risk and trust need to be well balanced. You may call this view old-fashioned. But how to call somebody who puts absolute trust into something that looks very trendy, but has already proven to be pretty risky?

Kenneth Kunin - SunGard - Montreal 12 December, 2011, 16:06

Social media presents a lot of opportunities for banks (beyond mere marketing), and no doubt many consumers (especially younger ones) will want to engage with their bank (or any service provider, for that matter) through their social media identities. But at the end of the day, I think they'll instinctively draw the line at handing access to their sensitive financial data over to the likes of Facebook, Twitter or any third-party. (Particularly Facebook, which among them is the worst in terms of their regard for security, privacy and ownership of data.) 

I think consumers have an ingrained separation in their minds of what belongs in the realm of the more "open" social media, and what belongs in the locked vault; most financial services, for most people, tend to fall in the latter. The challenge for banks will be in determining how to navigate this divide. I don't think it can get as simple as you'd like it to be, but certainly it can be simpler than it is today. I see a sort of two-tiered approach where you can connect your social media identity to your bank ID, and engage in a limited number of services. For anything transactional or requiring access to sensitive data, I don't see the bank relinquishing their security controls outside of their organization, not now or ever. The risk is too high, and the integrity of social media companies is too low.

Stephen Wilson - Lockstep Group - Sydney 13 December, 2011, 18:55

Brett,

I reckon it's a bit rough hectoring conservative users and stakeholders into adopting social ID for banking. I think you know that deep down, what you're suggesting is that banks up-end the way they relate to customers.  And why?  Because Facebook's CRM is cool?

Social identities have literally spread like weeds but their sheer abundance doesn't mean they can just cross-breed with any native identity species in the banking ecosystem. The problem with logging on to a bank using Facebook isn't trepidation; it's that nobody has yet figured out how to federate identities and a reasonable liability arrangement.

It's not for want of trying. The idea of Federated Identity is older than e-commerce but well heeled initiatives like Liberty Alliance, Cardspace, and the Australian banks' Trust Centre all failed on the launch pad. Fundamental barriers arise because business ecosystems comprise diverse niches that have evolved their own ways of managing risk. The naive efforts of technologists to make IDs interoperate across niches (usually referred to casually and cynically as "silos") overlook the innate conservatism of highly evolved businesses. Identities such as bank accounts are crystal clear with regards to rights, responsibilities and liabilities, but they're also brittle like crystals: they don't bend.

Banks struggle to federate identities even amongst themselves, even when they all play by the same legislated rules! It's instructive that the Australian banks recently abandoned their account portability project "Mambo". The cost and complexity of changing legal and business arrangements to handle a universal account number turned out to trump the benefits. The Mambo proposition was vastly simpler than changing the way customers are authenticated.

So what hope does Facebook have of breaking into the financial services ecosystem? What promises can Facebook make to a bank about the authenticity of its members?

See also
http://lockstep.com.au/blog/2011/06/28/how-do-i-know-thee.html
http://www.bankingreview.com.au/2011/10/mambo-misses-the-point.html
http://lockstep.com.au/blog/2011/01/13/no-such-thing-as-a-passport.html

Stephen Wilson, Lockstep Consulting, Australia.

Brett King - Moven - New York 13 December, 2011, 20:15

All,

Some great feedback. 

I think the concerns are valid, but I'm really trying to figure out how to reduce the workload for customers on the KYC and IDV side essentially, and we've got a ready made social framework emerging where you've already worked hard to establish an 'identity'. How do we reconcile that social identity with the requirements of the regulator? That's one issue.

I firmly believe if you dramatically reduce a customer's workload, and make the application process simplified by allowing me to trawl basic data like name, date of birth, etc from a central register, that as a customer I'd be willing to make that trade off. After all, I can still verify the data after you've grabbed it - as long as that process is simple and I can trust who is using the data, then most today would accept this as a superior solution to asking me repeatedly over and over for data that is readily available elsewhere.

The second issue is really around the security. Is social sign-in secure? Not on its own clearly, but are there elements of a relationship that could be managed via SSI? Absolutely. For example, would I allow a bank to send me a fraud alert via a Twitter Direct Message? Why not? So writing off Social-Sign-In as insecure is a mistake. We have to look at the methods of inclusion of social identity, and not just simply classify it as problematic.

Right now today I can tell you that details from social networks on an individual customer are far more valuable to a bank than a fax number or utility bill, but we're ignoring those because we're threatened by the exposure in the medium. Instead, we should be working out a strategy of inclusion, limiting exposure and making things simpler for customers. 

Simplicity is the new value. The old security and KYC mechanisms are under threat because they add no value to customers. 

Let's ask the question of what is the right thing to do for long-term customer improvement. Let's look for ways to make it work.

Brett King
BANK 2.0 

Stephen Wilson - Lockstep Group - Sydney 13 December, 2011, 22:40

Brett wrote "Right now today I can tell you that details from social networks on an individual customer are far more valuable to a bank than a fax number or utility bill ..."

Is there any empirical evidence for this?  As of now, details on social networks are unvalidated and unwarranted.  We can talk casually about value and social graphs and the way that people express their "identity" but when push comes to shove, a bank needs an identity provider to warrant any personal details that the bank then relies upon.  We're surely a very long way from that point, no matter how rich the social identity appears to be.  I come back to the enormous difficulty that inter-bank identity federation has experienced.  Federating between a social network and a bank is much harder again.

" ... but we're ignoring those because we're threatened by the exposure in the medium."

No, we're "ignoring" social identity because it is not sanctioned by KYC rules.  In Australia, the utility bill technically does have value to a bank, because the Financial Transaction Reports Act sanctions such documents as evidence of identity. 

 

Brett King - Moven - New York 13 December, 2011, 23:09

Stephen,

The validity of presenting you a Utility bill that actually goes unverified, versus 100 people in social networks verifying that they trust you is very powerful. 

Does the regulator recognize it today? No. Should they - they'll have to is my view. The fact is identity theft today is made easy because traditional KYC is weak. We're seeing governments working on strengthening identity right now (http://www.finextra.com/news/fullstory.aspx?newsitemid=23132) and banks are a good place to start as keepers of secure data. It's just that the things we hold as 'identity' are not as secure or uniquely verifiable as they once were. 

In terms of whether social data can be used in the KYC process. I think you're dead wrong. 

If I approve you using my data from a social network to fill an application form (for example) and then verify that data is my own - that is warrantable. As long as I back that up with other verification, the original source of data on the form is essentially immaterial.

There's two components here. Simplifying user experience for onboarding, versus verification of identity. You don't need to use social sign in to be a verified identity, but using social data to prefill an application form (for example) would result in a dramatically reduced workload for the consumer, and be no 'less' safer than a traditional paper application form - surely?

There is absolutely a role for integration of social data. To shut it down because you don't know how the regulator's going to respond to that, just means you're not thinking creatively enough about user experience.

Brett King
BANK 2.0 

Stephen Wilson - Lockstep Group - Sydney 13 December, 2011, 23:44

I simply point out that the difference between what IS the case with KYC rules, and what you think OUGHT to be the case, is much greater than what you portray. You started out lampooning those who don't get the social media craze, as if trepidation is the only thing stopping using Facebook to log on to a bank. Actually the real problem in all federated identity programs is that sharing identity is harder than it looks. I'm not anti-innovation; I am pro-rigor. Ask yourself why banks haven't managed to federate amongst themselves, and then ask whether Facebook's business model is going to make federation any less complex.

Please see my detailed critique of federated identity at http://lockstep.com.au/library/identity_authentication/an-ecological-theory-of-digit.html

You say casually that social identity is warrantable, but the fact is today it is not, and I don't think any banks' lawyers have even started to work out serious protocols for how to do so.  I say this pretty emphatically, based on experience of the Australian Trust Centre and another well funded Aussie authentication hub project.  I was involved in developing pro forma legal agreements by which a participating bank's OTP would be brokered by the hub and used to authenticate customers to online retailers.  When we took these template agreements to banks' lawyers, they said "Hmmm, very interesting but we've never seen any contract like this before -- we'll get back to you."  They never did. 

Banks are not used to operating outside their silos.  I wouldn't underestimate the challenge of joining them to the wild and whacky world of social identity.

Brett King - Moven - New York 14 December, 2011, 02:02

Stephen,

I guess that's another reason why Movenbank is going to be considered a disruptor. It's interesting because we've figured out ways to meet FFIEC and KYC requirements to the regulators' satisfaction, with social sign as part of the user experience - all while making the workload for customers dramatically less than existing bank onboarding and being safer than most IB experiences today.

I'm sure that traditional bank lawyers would be mystified, however, our reading of the situation is that our approach is not only compliant, but in reality less risky and less exposed than current approaches which are hopelessly outdated in a digital landscape.

I'm sure there will be plenty watching our moves carefully...

Brett King
BANK 2.0 

A Finextra member 14 December, 2011, 09:09

Again, here's a balance between risk and trust ...

An identity is much more readily trusted, if that identity is difficult and risky to forge. Now, is it difficult to forge a Facebook identity ? And to forge a hundred more Facebook identities supporting the first one ? What are the legal consequences for forging Facebook identities ?

In the vast majority of countries around the globe, even a utility bill isn't very useful for proving identity. You need a passport or other ID document issued by a government agency to prove your identity. And if you forge such a document and get caught, you do go to jail for quite some time. That's a simple and effective way to underpin identities ...

It might make sense to think about government-issued ID cards that can be used electronically, both in online and offline mode. These identities would certainly be accepted by banks or other risk-aware counterparts. But it's hard to believe that banks or government agencies would put any trust into a Facebook identity ...

A Finextra member 14 December, 2011, 09:29

Just to second Gerhardt's most recent point, with identity, you have to do your thinking from at least two viewpoints: as a bank, how would I secure this; and, as a criminal, how would I attack this?

Thinking as a criminal, Facebook provides no challenge whatsoever - it's a trivial task to setup an arsenal of fake IDs, or to hijack real ones.

So the only upside Facebook seems to offer is the time saved from not having to type name, address, and DOB into a form.

I have to say though that everything Brett writes is entertaining and challenging, and MovenBank will at least change the status quo, even if only incrementally.

So, I can't wait to see what happens next.

 

Brett King - Moven - New York 14 December, 2011, 11:50

Gerhard,

You're right of course. We ultimately need better digital identity and the banks/government should work on this together.

I'm also delighted that I lift your day with my musings :) That is my intention too.

BK

Brett King, CEO & Founder, Moven, New York. Member since 14 Apr 2010.

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

