
Mobile Payments and Banking - The 'Real' Security Risk

Let me start by saying what wonderful things mobile payments and mobile banking are. You can’t deny the convenience of being able to bank, pay for goods and services, and perform P2P payments while “on the go”.

It is these little conveniences that help turn train and bus travel into something more useful than simply reading the newspaper.

With the introduction of mobile wallets and new security innovations, many companies are making big promises that your mobile is becoming the most secure means of banking and payments.

But is it?

Companies have spent a lot of time and money addressing security issues, and with large banks, PayPal, Google, MasterCard, Visa and many more active in the area, people can be forgiven for thinking that it must be a safe means of transacting: even if they lose their phone, their security credentials will remain safe and unexposed.

Maybe. But what if that individual is made to hand their security details to someone else? What if they are made to pay or transfer money to someone they never intended to pay?

Of course that shouldn't happen, but the problem with the mobile phone is that it makes it very easy for an attacker with physical control of the victim to force them to do just that.

ATMs have built-in security cameras and only dispense limited amounts of cash. Stores have security cameras and security guards – as well as lots of people around. eCommerce and online banking are mainly done from the safety of your own home or workplace.

Mobile transactions, however, are done outside – walking in the street, going to the coffee shop, sitting on a park bench or coming home from the nightclub.

So on your way home the thing to worry about is no longer someone stealing your phone or your handbag. It is someone stealing every penny from your bank account, or spending up to the limit on every card linked to your mobile wallet.

The real security issue is not the phone or the means of securing the transactions. The real security issue is the individual.

Traditionally it took sophisticated fraudsters and hackers to take your money, particularly since the introduction of EMV and PCI DSS. Now any thug can rob you of far more than the cash in your wallet or purse.

Multi-channel transactions would help (a transaction started on one channel has to be completed on another), as would lower transaction limits, although for NFC/contactless there is constant talk of raising them. Nationwide recently introduced a new banking app that does not allow new payees to be added from the mobile. This is the sort of step that can help limit the risk.

Right now, though, you are walking around with potentially all the money you have in your pocket. Not a good idea.

I'm interested to see how the world of mobile banking and payments addresses this security gap.


Comments: (8)

Brett King
Brett King - Moven - New York 19 March, 2013, 03:11

Eric,

I appreciate what you are saying and this is an industry problem to address, however, we had the same concerns and issues when Internet Banking and Internet Payments and Settlements started. Granted there were a few teething problems, but in the end consumers opt for efficiency, ease of use and seamless customer experience over unwieldy, staid (but secure) processes.

In the end, once ease of use comes to the fore, barring a total meltdown of bank security, the concerns you've raised won't affect adoption one iota.

This is a hygiene factor only.

Brett King
BANK 3.0 

Eric Smith
Eric Smith - Dynamic Partners - London 19 March, 2013, 07:26

Brett,

Thanks for your comments.

I agree that the momentum behind mobile is huge and the convenience factor is the main reason. What we haven't seen yet is the "fear factor". It's important that this is considered and addressed or it could drive people away from mobile just as fast as it attracted them to it.

For sure security issues were a real concern for Internet Banking and Payments, but these could be addressed purely through improved IT security measures. The risk with mobile that I've pointed out is that it's not just an IT issue. There's more to it.

Some of the options I've highlighted (like multi-channel transactions) highlight how this could be addressed. If this doesn't happen I see mobile banking and payments being forced to reduce its scope and transaction limits. Still good for 80% of what we need, but the other 20% having to be done through another more secure channel.

Eric.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 19 March, 2013, 18:13

Mobile banking only supports A2A transfers and, somehow, I can't imagine a typical streetside mugger having a bank account, let alone knowing about a/c #, sort code and things like that. Criminals with that level of sophistication would've left the streets long ago, graduating to the much richer pickings possible with ACH and wire transfer frauds. 

As I'd highlighted in If This Is Mobile Banking, mobile banking will really take off only if it leverages Bluetooth, camera, GPS, accelerometer and other basic smartphone specs to deliver new functionality that is not possible on Internet Banking. Once that happens, we'll see security rapidly fading away from the background. Mint, BillGuard and a few others have proved that security is not even a hygiene factor when a service provides compelling value.

Eric Smith
Eric Smith - Dynamic Partners - London 19 March, 2013, 20:20

Ketharaman,

Thanks for your comment.

I don't agree that muggers know nothing about bank accounts. Equally now with P2P payments possible directly to an anonymous mobile number it's all too easy to transfer funds to someone.

I do agree that the trend will be to leverage the features of a mobile phone via native apps to further strengthen the added value of the mobile channel and differentiate it from other channels.

You say that "security is not even a hygiene factor when a service provides compelling value". That may be true when we're talking about small amounts. If we are talking about larger amounts of money, that's another story. I still like to have a locked door on the front of my home.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 March, 2013, 10:46

@EricS:

Since you'd written only about mobile banking apps, I specifically didn't bring in P2P apps. If you're referring to Barclays PingIt type of mobile app, they continue to be A2A, just that they add a layer on top which uses mobile / email as a proxy for a/c #, sort code, etc. By no stretch of imagination are they anonymous.

Study after study has shown that people ascribe different strengths to different channels and that there's a strong case for coexistence of multiple channels working together to deliver omnichannel banking (more on that in my personal blog if you're interested). "Adding Payee" is not exactly the strength of mobile banking. Too many keystrokes, not done so often that it must be done while coming home from nightclub - these factors inhibit this transaction on a mobile phone, whether secure or not. So, security is not the deciding factor. 

While I can't cite any studies in support, I'm sure most of the 5M+ subscribers of Mint and BillGuard do have a locked door in front of their homes. Point is, perception of functionality-versus-security varies from channel to channel.

Eric Smith
Eric Smith - Dynamic Partners - London 20 March, 2013, 12:05

Katharaman,

Thanks for your comments.

You are right that offerings such as Barclays Pingit link to people's bank accounts and for that matter are limited to the UK only. This provides some level of security.

Regions such as Africa and the Caribbean are seeing strong growth in the mobile space and one driver here is to offer something to the unbanked or under-banked. In much the same way as Prepaid before it, the rigour around KYC is much less. Equally, international transfers, whilst not anonymous, certainly make it easier for money to "disappear abroad".

I think your point that adding a payee is "not exactly the strength of mobile banking" is a fair one. If it's not easy to do, then it makes sense to do this via another channel and then the mobile app is restricted to only transferring or paying known recipients. Much better.

I think you also touch on an important point when you say that the "perception of functionality-versus-security varies from channel to channel". You are right, though the perceived security and available functionality don't always align.

The main point I wanted to make in this is that part of the "perceived security" when it comes to mobile banking and payments should include personal security.

Clearly there are ways of dealing with this. They simply need to be considered, otherwise the mobile channel could quickly gain a reputation for being unsafe even if technically secure.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 23 March, 2013, 09:07

@EricS: 

(It's 'Ketharaman' BTW).

Talking about unbanked, there's no risk of using a mobile app "stealing every penny from your bank account" since there's no bank account in the first place. 

If you're referring to M-PESA type of mobile wallet, it's a closed-loop, prepaid method of payment. The mugger can only make the victim transfer whatever money the victim put into that account before getting mugged. I don't see this as a great risk. 

While risks to the customer stem from various factors, the real risk posed to a consumer by a mobile banking service would be if the said service could pull out money from a credit card and / or bank account on demand and permitted P2P transfers to anonymous mobile numbers, especially cross-border. I can't think of a single service like that but I could be wrong.

A Finextra member
A Finextra member 27 March, 2013, 12:34

These are all good points. The last thing we want is for technological progress to make crime any easier. However, it would be unfortunate if we had to impair the functionality of mobile banking due to concerns about crime, as that's really letting the criminals win. Equally, we're seeing the rise of mobile-only customers (in developed nations, not just the developing world), who may not have easy access to a traditional large screen online banking service. To offer a functionally limited experience may well exclude them from fully interacting with their bank.

I can think of a couple of potential solutions that would be fairly straightforward to implement:

  • Safe WiFi networks. The customer can only conduct "riskier" transactions, such as adding a new payee, when using a trusted wireless network in a known safe location (like the home or a workplace, coffee shop, etc).
  • Safe locations. Using the handset's GPS, denote safe zones in which riskier transactions may occur.
  • Safe mode for the app: imagine that you have 2 access codes for your mobile banking. One presents a view of your entire account and all your funds. The other shows a view with much more limited funds (effectively as much as you'd be prepared to have stolen). If mugged, access the safe mode. You'd probably find people would use this mode to just manage their money and spending too.

There are doubtless many more potential solutions to this problem. The key will be for the industry to find a robust solution before the mainstream press decides to have a mobile security hysteria moment. It's taken long enough for people to get over all the press about phone hacking (a huge topic for about 6 months whenever we did research with banking customers).
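The controls discussed on this page, the article's per-transaction and daily limits, the "known payees only" rule with payee set-up pushed to another channel, and the last comment's trusted Wi-Fi, GPS safe zones and duress "safe mode" code, can be combined into a single server-side policy. The following is an added example to show how those rules fit together; it is not code from the article, from any commenter, or from any bank's app. Every name, limit, access code, SSID and coordinate in it is hypothetical, and the choice to store access codes as salted PBKDF2 hashes and to make safe-mode refusals indistinguishable from ordinary refusals is the example's own design, not something the page prescribes.

```python
"""Risk policy for a mobile payment request (added example, hypothetical data)."""
from __future__ import annotations

import hashlib
import hmac
import math
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # finish the action on a second channel (web, branch, phone)
    DENY = "deny"


@dataclass
class Result:
    decision: Decision
    user_message: str    # shown in the app; must never reveal that safe mode is active
    alert: bool = False  # server-side only: set when the duress code was used


@dataclass
class Context:
    ssid: str | None          # Wi-Fi network the handset is on; None means cellular
    lat: float
    lon: float
    code_entered: str         # access code typed at login
    spent_today: float = 0.0  # total already approved today for this account


@dataclass
class Account:
    balance: float
    known_payees: set[str]                        # set up through another channel
    trusted_ssids: set[str]
    safe_zones: list[tuple[float, float, float]]  # (lat, lon, radius in metres)
    salt: bytes
    code_hash: bytes                              # full-access code
    duress_hash: bytes                            # 'safe mode' code
    safe_mode_visible: float = 50.0   # balance exposed when the duress code is used
    per_txn_limit: float = 250.0      # above this, untrusted locations need step-up
    daily_limit: float = 500.0


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a copied policy store does not give away the codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def in_trusted_place(acct: Account, ctx: Context) -> bool:
    """Trusted Wi-Fi network or inside one of the GPS safe zones."""
    if ctx.ssid is not None and ctx.ssid in acct.trusted_ssids:
        return True
    return any(haversine_m(ctx.lat, ctx.lon, zlat, zlon) <= radius
               for zlat, zlon, radius in acct.safe_zones)


def login_mode(acct: Account, code: str) -> str | None:
    """Returns 'full', 'safe' (duress code) or None; compares in constant time."""
    h = hash_code(code, acct.salt)
    if hmac.compare_digest(h, acct.duress_hash):
        return "safe"
    if hmac.compare_digest(h, acct.code_hash):
        return "full"
    return None


def visible_balance(acct: Account, mode: str) -> float:
    """Safe mode shows only the amount the customer is prepared to lose."""
    return min(acct.balance, acct.safe_mode_visible) if mode == "safe" else acct.balance


def evaluate_transfer(acct: Account, ctx: Context, payee: str, amount: float) -> Result:
    mode = login_mode(acct, ctx.code_entered)
    if mode is None:
        return Result(Decision.DENY, "Incorrect access code")
    duress = mode == "safe"
    trusted = in_trusted_place(acct, ctx)

    # The mobile channel does not add payees on its own: a new payee is refused
    # outright in safe mode and deferred to a second channel elsewhere, unless
    # the customer is somewhere trusted. Both refusals carry the same message.
    if payee not in acct.known_payees:
        msg = "Payee not set up: add them through online banking first"
        if duress:
            return Result(Decision.DENY, msg, True)
        if not trusted:
            return Result(Decision.STEP_UP, msg)

    # Amount checks run against the *visible* balance, so in safe mode a mugger
    # gets the same 'Insufficient funds' a genuinely empty account would give.
    if amount > visible_balance(acct, mode):
        return Result(Decision.DENY, "Insufficient funds", duress)
    if ctx.spent_today + amount > acct.daily_limit:
        return Result(Decision.DENY, "Daily limit reached", duress)
    if amount > acct.per_txn_limit and not trusted:
        return Result(Decision.STEP_UP, "Confirm this payment on another channel", duress)
    return Result(Decision.ALLOW, "Payment sent", duress)


def sample_account() -> Account:
    """Constructed test data: codes, SSID and home coordinates are all made up."""
    salt = b"fixed-salt-for-the-example-only"
    return Account(
        balance=3200.0,
        known_payees={"landlord", "alice"},
        trusted_ssids={"HomeNet"},
        safe_zones=[(51.5074, -0.1278, 200.0)],  # 200 m around a made-up home point
        salt=salt,
        code_hash=hash_code("4821", salt),
        duress_hash=hash_code("4822", salt),
    )


if __name__ == "__main__":
    acct = sample_account()
    street = Context(None, 51.49, -0.20, "4822")  # mugged on the street, duress code
    print(evaluate_transfer(acct, street, "alice", 100.0))
```

The point of the design is that only the `alert` flag, which never leaves the server, distinguishes a duress login from a customer who simply has little money or a payee they have not set up; the app's messages and the visible balance look the same in both cases. The geofence radius, the 250/500 limits and the "trusted place may add a payee" relaxation are the example's own choices and would be tuned, or removed in favour of the Nationwide-style blanket rule, by a real issuer.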