I’m spending today at the Macroeconomics of Mobile Money conference at the Columbia Institute for Tele-Information (CITI). Columbia University professor Steve Bellovin is moderating the first afternoon session, on security in mobile banking. (Side note: I blogged about Bellovin’s opposition to UN efforts to limit online anonymity for my first-ever post on The Morningside Post.)
Liveblogging. Please excuse misrepresentation, misinterpretation, typos and general stupidity.
Overview of Mobile Banking Threats
Streff begins by talking about the top technology concerns for community banks, including managing risks, protecting data, and detecting fraud. He says a 2008 Independent Community Bankers of America survey revealed that community banks are planning to enter the mobile banking field.
Streff says there’s a solid business case for mobile banking: it improves customer service and reduces costs. The biggest reason, though, is “because they have to.” We saw the same thing with online banking in the past decade — customers are increasingly expecting this new technology, but these expectations cause serious worries for community banks. Is it worth the cost? How will they manage it? Where will they find people who have the necessary skills to implement and run mobile banking services?
Streff divides mobile banking into three types:
- Text systems
- Thin client model: mobile web
- Fat client model: client side applications
Streff asks which model we think is the most risky, and the room is fairly evenly split into thirds. It turns out the fat client model is the most dangerous because you have to download code onto a physical device. This introduces concerns about authentication, stolen devices, viruses, encryption and a host of other security issues.
Streff says it’s difficult for experts, let alone risk assessors at community banks, to accurately determine what level of risk is involved in these systems. (For those who are interested, his paper on information security in mobile banking is available online.)
Demand is high, so banks are implementing mobile systems, and security is an afterthought. For this reason, Streff believes that security professionals are the ones who need to drive the creation of solutions for mobile banking systems.
Securing Mobile-money: The Ugandan Experience
With New York-based MAP International, we are rolling out a system we hope will give 90 per cent of our people access to modern banking services—up from the level of 15 per cent today. The new system will allow people, even in remote rural areas, to access their accounts and pay bills via cell phone.
Landau highlights several problems in Uganda: the lack of electronic banking, the lack of a national savings system, and the lack of a sufficient number of local microfinance branches (making obtaining loans and repaying them difficult for people in rural areas). Salaries and pensions are all in cash, opening up a host of problems with fraud and corruption. Poor infrastructure is also a problem.
MAP’s task was to create a sustainable system that would address these problems while also satisfying their needs as a private company. The solution: biometrics.
Simply, biometric info is entered into MAP’s system, and people are issued ID cards with a magnetic strip that contains this information. This is a fairly fail-proof method of identification. This makes enrolling in MAP’s banking system a 90-second process, rather than a several-week process. It also helps with security.
Another aspect of the program is a Point of Sale (PoS) device: these are handheld and battery-powered devices that run MAP’s proprietary software and can interact with SIM cards. They bring a full suite of banking services — deposits, withdrawals, transfers, account statements — to rural areas and function as “human ATMs.”
MAP partners with Uganda Telecom and Post Bank Uganda. Their goal is to provide a fully integrated platform, and they support themselves by charging a commission on each transaction. (I’m curious how much this commission is. Landau’s attitude strikes me as a bit patronizing overall — a lot of “these people” and “these villagers” — but the system seems to be getting a fair amount of good press.)
Mobile Payment Security: What it means and how to implement it?
PayPal’s Hadi Nahari, whose background is in security, cryptography and identity management, starts out by calling smart phones “stupid phones” — “it’s just a little computer.”
Nahari establishes the importance of mobile systems: in addition to being widely available, they have countless uses. Also:
Mobile is the only digital system many people will ever encounter.
Nahari claims there is a “mobile identity crisis”: everyone has a stake in mobile systems, from those who create the devices to the telecom companies to product retailers to microfinance institutions to banks to a plethora of standardization bodies (“do you see an oxymoron here?” he asks) to the networks themselves. These players don’t always trust each other, making for a complex and difficult landscape.
Nahari displays a graph of mobile usage from October 2008 to February 2010. iPhone usage peaked in May 2009 and has decreased slightly since then (while still maintaining a huge chunk of the market), while Android usage has steadily risen. Other systems (WinMo, etc.) have decreased from about 25% of the market to around 5%.
Nahari uses Marc Andreessen’s definition of a “platform”:
“A ‘platform’ is a system that can be programmed and therefore customized by outside developers — users — and in that way, adapted to countless needs and niches that the platform’s original developers could not have possibly contemplated, much less had time to accommodate.
— Marc Andreessen
He then describes the “mobile app warehousing ecosystem”: development, deployment to app stores, downloading to devices. This ecosystem is both distributed and open. He believes that different app stores will need to cooperate more in the future. Security has to be reasonable and cost-effective as well as usable. The rest needs to be handled via risk management.