Recent News

Pitfalls Loom in Mobile Payments

CUNA's Escan
February 2, 2012

Mobile payment technology offers exciting prospects, but several considerations inhibit consumer acceptance, according to The Wall Street Journal.

Financial institutions frequently spend a great deal of money creating and implementing innovative payment technologies. Problem is, they don't always pan out as expected.

That’s true of contactless readers, for instance, which allowed shoppers to tap a card rather than swipe it. Lack of consumer enthusiasm for that option serves as a reminder that “the final frontier” of mobile payments might not be readily accepted by consumers.

Consumers need clear incentives to adopt new payment options.

Phones now allow consumers to pay with a tap of their phone at a reader installed near the register, performing debit or credit transactions without needing to swipe a card. Smartphones can make payments a breeze via the ability to store data such as credit card information.

But can such innovation create enough appeal for the consumer to dump cards and cash? Doubts remain, according to analysts.

Technology-research firm Gartner puts mobile payments in a category called “peak of inflated expectations.” Unfortunately, the firm believes it’s likely the category will move into the “trough of disillusionment” within the next year.

The issue with mobile payments is that these technologies don’t make payments significantly easier or more convenient, and thus fail to change consumer purchasing behaviors.

For both consumers and merchants to explore and adopt new payment technologies, both parties need to see substantial benefits.

Financial institutions encouraged merchants to install contactless card-payment readers for checkout convenience. Unfortunately, these same financial institutions didn’t educate consumers well and, consequently, the technology sputtered.

"The entire industry completely dropped the ball on contactless payments," remarks a representative of technology research firm Yankee Group. Yankee Group's analysts predict mobile payments will suffer the same fate without bigger efforts by financial institutions to explain the benefits to merchants and consumers alike.

Meanwhile, contactless cards are still around. MasterCard, for example, still promotes them, but the U.S. falls well behind other countries in usage rates. “The lesson in all of this is that you need critical mass and you need something that works well,” says a MasterCard spokesman.


What Is the Problem with the U.S. Smartphone Market? Ask the Carriers

Dan Rowinski
January 31, 2012

When you control the pipes, you control the ecosystem. At the very least, you can impose your will on a good portion of the environment. This is what the mobile industry has come down to in the United States. Verizon, AT&T, T-Mobile and Sprint have as much or more say about the devices that eventually reach consumers' hands than the platform providers or manufacturers.

Why do Android device updates take so long? Ask the carriers. Why are there half a dozen different skins for Android smartphones? Ask the carriers. Why do high-end smartphones cost what they do? Ask the carriers. Why did Nokia have to wait to enter the U.S. market with its new Lumia line? Ask the carriers. Why are there a ton of different versions of the Samsung Galaxy? Ask . . . you get the picture.

The Requirements of the Carriers

Motorola Mobility CEO Sanjay Jha sat down with The Verge at the Consumer Electronics Show this week and made the comment that "Verizon and AT&T don't want seven stock ICS devices on their shelves . . . The vast majority of the changes we make to the OS are to meet the requirements of the carriers."

Think about that last sentence for a second: "The requirements of the carriers." Like it or not, the carriers are the gatekeepers to the entire mobile ecosystem in the United States. Hence, the carriers can make almost any demands and the original equipment manufacturers are forced to comply. This is why we see the skins on various Android smartphones like TouchWiz for Samsung and Sense from HTC.

The problem for Android and carrier-driven differentiation is fairly simple. Most OEMs are not very good at software. Motorola, for instance, has struggled for years in coming up with useful, dynamic and functional user interfaces. HTC is a lot better and Sense is actually an enjoyable interface on its Android smartphones. Samsung is a different story altogether.

Samsung Sets the Tone

Samsung is on a course to be the largest smartphone manufacturer on the planet. How have they done this? Outside of the bland argument that "they have copied everything Apple has ever done," the answer is easy to understand. Samsung is completely willing to do whatever Google, Microsoft, or the carriers want. More than any other company, Samsung plays the current mobile ecosystem to great success. Be everything to everybody. It is a brilliant strategy.

Samsung wanted to launch the original Samsung Galaxy S on every carrier in the U.S. That was not going to happen, though, if every device was exactly the same. That is why we have four different devices that are ostensibly the same hardware. Sprint wanted its Galaxy S to have a keyboard and use WiMax "4G." Hey, no problem. AT&T wanted a slimmed-down version that looked like an iPhone. This can be done. Verizon wanted something similar that looked different from AT&T's. That should not be a problem.

By being pliant to their wishes, Samsung gives the carriers power and to a certain extent hamstrings the rest of the OEM and mobile operating system ecosystem. To keep up with Samsung, the rest of the Android OEMs have to attempt to play the same game.

In The Verge's interview with Jha, it sounds like he is fed up with trying to match Samsung and the rest of the OEMs and the carrier requirements. Jha understands that to make money in the Android ecosystem, Motorola smartphones are going to need to be different. Jha said this week that Motorola is going to make fewer phones and, presumably, think outside of the rat race that Android has become.

The Real Source of Fragmentation

More than any other force, the carriers are responsible for the "fragmentation" of Android. The individual skins are not a specific requirement, but the carriers' refusal to stock several stock Android devices (at least one with that option would be nice) forces the OEMs' hands. When it comes to device updates, such as which phones will get Android Ice Cream Sandwich, the carriers dictate how much data will flow through their pipes. The OEMs are not free of blame for updates, but the fact of the matter is that the carriers are the primary reason each OEM has to come out with a new Android device seemingly every other week. That puts a huge burden on the software integration departments of the OEMs, which have to update each device.

Google chairman Eric Schmidt says that Android is not fragmented and argues that differentiation is a good thing. Hey, variety is the spice of life, yes? To a certain extent, he is not wrong. Personally, I do not want seven stock Android devices to choose from either. The problem comes when the skins, screen sizes and lack of updates make it difficult for developers to support several different types of Android.

Microsoft, Windows Phone, and its biggest champion, Nokia, are not immune from the whip of the carriers either. One of the reasons that the Lumia line was not released in the U.S. before the end of 2011 was that Nokia had to navigate the individual wishes of every carrier. T-Mobile made it easy for Nokia by basically saying, "We do not mind taking a stock Windows Phone Lumia 710." It is likely that no other carrier is going to sell the Lumia 710, so that is differentiation in and of itself. But AT&T was not having any of it. The Lumia 900 is what Nokia delivered, and it is different not just from T-Mobile's 710 but also from the Lumia 800 that most of Europe got. Verizon will likely take something akin to the 900, but it will not want it to be exactly the same thing that AT&T got. Nokia is willing to play this game because it does not have much of a choice. Samsung set the precedent with the carriers, and Nokia does not have the U.S. clout or the hype of Apple's iPhone to defy what the carriers want.

Apple is the one OEM that stands outside of all these politics. The smartphone revolution was started when Apple released the original iPhone. It was such a revelation that it has become a symbol as much as a smartphone. Apple can dictate terms whereas the other OEMs cannot. It would be interesting to go back into an alternate version of history, replace Apple with Motorola or some other OEM, and see whether Apple's strategy would have survived or whether the company would have been forced to bend to carrier whims.

The gatekeepers set the terms. Until a real alternative is created and realistically implemented, this is the way the mobile industry in the U.S. will continue into the future. Outside of Apple and Google creating their own data networks, terms will be set by Verizon, AT&T, T-Mobile and Sprint for years to come.

ReadWriteWeb (www.readwriteweb.com) is a weblog created by Richard McManus that provides Internet technology news, reviews, and analysis covering web apps, web technology trends, and social networking. Reprinted with permission.


The Long and Winding (Paperless) Road to Workflow Improvement

Credit Union Journal
January 23, 2012

Workflows are the satisfying conclusion to a long journey that began with a paperless project at Alliant Credit Union in Chicago, said Heather Lally, senior manager, business process improvement.

"We've been doing a good job with imaging since 2005 and more than 95% of the credit union's documents are now electronic," said Lally. "But we wanted to do more than store document images."

In April, Alliant deployed OnBase ECM from Hyland Software, allowing the credit union to stop printing documents and instead access them electronically from multiple systems, she said.

Workflows were the logical next step, but something stood in the way: Alliant's culture lacked a commitment to process improvement, according to Rudy Pereira, recently senior vice president of technology and operations at Alliant and now CEO at Royal Credit Union in Wisconsin.

"Alliant didn't have the talent or the organizational culture to drive quality and automation" until 2009, said Pereira. "We started up Six Sigma and service-level agreements across the organization. We created a business process improvement department. We were then ready and committed to continuous process and quality improvement."

Credit unions may hesitate to spend money moving beyond document imaging into ECM and workflows.

"Workflow is a huge part of the value that ECM provides," said Steve Comer, credit union industry manager for Hyland Software. "But it's more difficult to justify the spend for workflow" than for paperless.

Credit unions that have evaluated the cost savings and member service benefits know that a workflow solution is worth the price tag, he continued.

"For example, it may cost $50,000 for a workflow solution to automate invoice processing," Comer explained. "But if it currently takes three AP clerks to do the daily processing at an average salary of $35,000 a year, and you're able to reallocate one of those employees by automating the process, then your complete ROI on that solution is less than two years."

This article appeared at www.cujournal.com and is reprinted with permission.


Top Three Online Security Challenges

Jeffrey Roman
January 17, 2012

As we begin 2012, financial institutions still have a long way to go in their fight against online fraud, says Phil Blank of Javelin Strategy & Research.
In its annual Banking Identity Safety Scorecard, Javelin identifies three weaknesses in online banking:

During an interview with Tracy Kitten, Blank discusses:

Blank provides central leadership to Javelin's Security, Risk and Fraud practice areas. He has an extensive background in security, information technology, forensics and investigations. His perspectives on information technology and security have been presented at international conferences and published in numerous IT-related publications. He has more than 20 years of experience in both domestic and international organizations, with deep expertise in SaaS operations, security, networking, high-availability systems, business continuity planning, customer service and internal support.

TRACY KITTEN: Javelin released its annual banking identity safety scorecard report. What can you tell us about the scorecard, such as the number of institutions that were surveyed for the report?

PHIL BLANK: This is our seventh annual banking identity safety scorecard. We've done this every year for the past seven years so it gives us a pretty good view of what's been going on in the industry. The way we approach the scorecard is we look at the top 25 financial institutions, a combination of credit unions and traditional banks, and we look at the top 25 by deposit size. It's important to note in this study, we're really looking at consumer-facing security measures. We do that for two reasons. One, most FIs won't disclose to us what goes on in the backend of their security with their analytics and two, we would have a very, very difficult time validating and verifying what they're telling us. These are items that are relatively easy for us to validate and take into account how the bank deals with the consumer directly when it comes to security.

Greatest Security Challenges

KITTEN: The study notes that financial institutions continue to struggle to stay ahead of fraud trends in the online space. What vulnerabilities or security weaknesses seem to pose the greatest challenges?

BLANK: We've seen, over the past three years in particular, a really bad drop-off in our prevention, detection, resolution model. Some of the challenges that the FIs face today are challenges in authentication, the use of what we call layered authentication. A lot of FIs rely on device ID as well as log-in and password. By the way, log-ins and passwords, they've been with us since the '60s, and if you think about how much other technology has changed, it's coming time where the creaky old passwords will soon no longer see the light of day.

We're also seeing an increased use of social security numbers. As you know, you have to provide your social security number to provision the account, but FIs really need to move away from the use of SSN when it comes to authenticating the user to the account. We don't see enough FIs incenting the use of the security software. Some of the FIs provide it for free, but many of them don't incent the consumer to use it and therefore lose the advantage of it.

Finally, we see a deficit in alerts. A lot of FIs have alerts but they're either not comprehensive or they are not two-way and actionable. Those are some of the key areas that we've seen in this year's scorecard that are really weaknesses in bank security.

Contributing to the Problem

KITTEN: Is the industry just not doing enough to keep up with the ever-evolving malware and Trojans like Zeus or are there deeper security concerns at the core here? It sounds like maybe some of the practices that institutions are using are really more of the problem.

BLANK: I think you've hit the nail on the head. It's really a combination of issues. Man-in-the-browser protection is very well known, but it's really a technical solution and over time as more and more people get updated software and get man-in-the-browser protection, it will prevent that specific vulnerability. The problem really comes into the fact that most fraudsters are performing what we call "crimes of impersonation." When you perform a crime of impersonation, it's much more difficult for analytics or software to pick that up because as far as the FI knows, it's a legitimate person approaching the FI. It's really incumbent upon the FI to look at a broader range of security issues and that's why a point-technical solution against a Trojan like Zeus or SpyEye isn't really going to solve the total problem.

Online Security Gaps

KITTEN: What trends have been consistent then if we look over the last seven years where online security gaps are concerned? Where do you still see the same problems?

BLANK: Probably the most consistent trend has been a U.S.-based trend. Due to the competitive marketplace in the U.S., the U.S. has never really taken into account prescriptive security measures. The FFIEC guidance is probably the closest we have to those prescriptive measures, and many FIs have a philosophical bent that the consumer really doesn't want to be involved with security. So they try and handle everything behind the scenes. Because of that, there's some amount of fraud that simply is going to continue forever and ever. We've been seeing a very slow change of heart in many of the FIs where they're beginning to realize the value of partnering with the consumer in the fight against fraud, because frankly no one knows your financial habits better than you. No software analytics program can know it better than you can, so by deputizing the consumer, by enlisting the consumer in the fight against fraud, the fraud can have a material difference. That's been a pretty consistent thing we've seen for the past seven years.

KITTEN: Now I've asked about some of the vulnerabilities and some of the gaps that have been consistent over the last seven years. What about areas of improvement? What stood out this time that might be worth noting?

BLANK: The areas of improvement this time have really been around education and providing tools to the consumer. On the other hand, the FIs are not providing the incentives for the consumer to use those tools. So the consumer sees the tool, looks at it and says, "I wonder what that does," and then moves on. For example, several large FIs in the United States provide man-in-the-browser protection for free. It's a free download, but they don't incent the consumer to use it and without having that incentive the consumer isn't likely to go out there on their own.

FFIEC Conformance

KITTEN: That's a great point, and I wanted to note also that the report mentions the forthcoming updated FFIEC guidance for online banking authentication. Where did Javelin find that institutions were perhaps lacking when it came to FFIEC conformance?

BLANK: In terms of the consumer-facing security, there's clearly the issue of static versus dynamic KBA [knowledge-based authentication]. With the proliferation of social media, static KBA is really going by the wayside, and we're seeing many FIs still rely on it. There has to be an expanded use of multifactor authentication, true multifactor authentication, and that's another area that FIs really need to think about when the factors are too close to each other. They also need to look at things like out-of-band signaling and items that can really enhance the security of their institution.

We found the FFIEC guidance itself was not particularly robust, especially when it came to mobile applications and some of the newer technologies. We would have much preferred a much more comprehensive document, but unfortunately these things tend to move a bit on the slow side. That by the way is a challenge because the fraudsters move very, very fast and that's why you've seen that drop in prevention over the last three years from 79 percent to 54 percent.

Mobile Risks

KITTEN: That's a great point. The fraudsters often times are moving at a much faster pace than the industry is. I did want to ask about mobile. Where do you see institutions when it comes to vulnerabilities? Where are some of the greatest risks that surround mobile, whether that's mobile banking or mobile payments?

BLANK: I think some of the risks associated with mobile are the fact that this is a land grab going on right now. And when I say a land grab, everybody is trying to go out and grab market share in the mobile space. This is because the consumers have told us through our surveys that mobile banking is something that they are very, very interested in. In fact, they've indicated to us, for example, a service called remote deposit capture, where you can deposit checks from your mobile device. If your FI doesn't have that, a fair number of customers would actually change FIs in order to have that particular feature. So a lot of FIs have rushed to market with mobile applications that have not been fully vetted.

We believe that no mobile banking should take place on a device that doesn't have remote-wipe capability, but there are mobile applications out there that don't even have remote-deactivation capability. The good news about that is the mobile environment is still relatively small. The bad news is that it's growing very, very fast. By this time next year, we're going to see a substantial amount of mobile transactions and the fraudsters are really sudden. They're going to go where the money is, so as more and more people continue to do mobile banking, you're going to see more and more mobile Trojans, such as the "zombie" Trojan that we saw in China, targeting specific mobile applications.

KITTEN: You talked a little bit about consumer education earlier and it does sound as if financial institutions are doing better jobs of trying to educate some of the consumers that they work with when it comes to online transactions. What about in the mobile space? Are financial institutions doing a good job about educating consumers about the risks there?

BLANK: Absolutely not. In the mobile space, it's like, "Hey, it's wonderful, it's safe, don't worry about it. Everything's good." And you and I both know, as security professionals, this is really not the case. For example, in our mobile security report we talk about the fact that in the Android market you can now actually purchase software, antivirus software, for your mobile phone. I hate the term smart phone. It's really not a smart phone. It's a PC that happens to be able to make phone calls, and because of that phone-call addition, because of that 3G networking, there's going to be a whole new raft of vulnerabilities and attack vectors that we haven't seen in the past. This is why it's incumbent upon the FIs and the mobile suppliers to make sure that the consumers are equipped with the tools they need to fight those vulnerabilities.

KITTEN: Before we close, what advice could you offer to financial institutions that are working toward FFIEC compliance as well as enhanced security on the mobile as well as online channels?

BLANK: Involve the consumer; involve the consumer. The consumer wants to be very much involved in their own security. And this doesn't mean turn them into security geeks, but provide them with the services that they want. Let me give you a great example. When we did the survey, only 72 percent of the FIs that we surveyed had a specific alert for physical address change. Only 20 percent had an alert for me to add or subtract a user. So if I have access to your account and I put myself on your account as an authorized user, only 20 percent of the FIs out there have the ability or have the service to send you the alert. This is something that FIs have a long way to go on.

In closing, I would say deputize the consumer; use the consumer. They want to be involved in the security. It is part of helping them manage their financial affairs, and if we can create that partnership we will see a significant drop in the fraud rate.

Tracy Kitten is a managing editor with CUInfoSecurity, an information portal for financial industry professionals who want to learn the latest about banking regulations, industry news, events, and opinions. Reprinted with permission.


Password Apathy

Morgan O'Rourke
January 9, 2012

Despite almost constant reports of data breaches and hacking incidents, many organizations are still not taking even the most basic measures to protect their data. In fact, the password practices in some companies may actually be putting them at greater risk. According to a password security report by Lieberman Software, 48% of the more than 300 IT professionals surveyed have worked for organizations that have experienced a data breach.

But even with such first-hand experience, 42% said that two or more IT staff actually share passwords to access systems or applications in their organizations; 48% allow passwords to privileged accounts (those with high-level permission to access files, install programs, and change configuration settings) to remain unchanged for 90 days or more; and 25% admitted that their privileged account passwords were less complex than normal user logins.

Such practices make it easier for hackers—and employees—to gain access to sensitive data. For instance, 26% said that at least one IT staff member in their organization has abused privileged logins to access unauthorized information. This absence of fundamental data protection measures may point to a developing sense of apathy regarding data security, even among those who are tasked with maintaining it.

Morgan O'Rourke is editor in chief of Risk Management Magazine (www.rmmagazine.com). Reprinted with permission from Risk Management Magazine (December 2011). Copyright 2011 Risk and Insurance Management Society. All rights reserved.
