May 07, 2012
Regulating mobile: Distinguishing the payment from the channel
The handset is just a device, not a payment
Policymakers and regulators are just beginning to discuss the regulatory environment for mobile banking and payments in the United States. The added dialogue to existing industry conversations can lead to mixed messages about where regulatory and policy action may be needed. Recently we've heard from industry and regulatory agencies that the payments industry should carefully consider introducing new regulations and supervisory guidance.
The mobile handset is "just a device, not a payment," noted Mallory Duncan, senior vice president and general counsel at the National Retail Federation. Duncan, who spoke at the workshop "Paper, Plastic...or Mobile," hosted by the Federal Trade Commission, also said that regulation should be no more stringent than that of the underlying payment. In essence, the laws, regulations, and rule sets associated with a payment type—be it a credit card, debit card, or online payment—should follow that payment through the mobile channel for clearing and settlement. I offered similar conclusions in a previous Portals and Rails post on dispelling myths in mobile payments, adding that "while new networks...may emerge in the future, at present, the payment network systems remain the same."
Fragmented framework on an expanded landscape
One problem the payments industry faces as technology enables new intermediary payment methods (they all start off as something we already use: cash, checks, or cards) is that the legal and regulatory framework includes different consumer protections, disclosure requirements, and error resolution provisions depending on the payment type. While all these payments are used in an Internet environment—whether the Internet is accessed by phone or a traditional PC—the addition of the mobile channel and its telecom partners has seemingly created a tipping point for confusion and speculation. Many of the issues raised about consumer protection for prepaid cards, for example, exist now and have nothing to do with a consumer's ability to use a prepaid account with a mobile device.
Can existing regulatory infrastructure handle new mobile payment business models?
The United States has a more complicated banking system than most countries. National laws, for example, govern national banks, which are preempted from state law. State-chartered banks and nondepository money service businesses (like payday lenders and money transmitters), on the other hand, are responsible for complying with the laws of every state in which they do business. These laws are different from state to state, and sometimes even conflict.
Industry players in each of these separate chartering authorities are stepping into the mobile channel as a way to expand their footprint. While telecoms and technology firms are entering into partnerships with banks to establish new business models in the delivery of mobile payments, so far they're sticking to their knitting and leaving the clearing and settlement, and the extension of credit, to the financial services industry. As long as banks remain the payment issuers in these still nascent business models, caution in rethinking the regulatory infrastructure is probably a good idea as well.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
May 7, 2012 in innovation, mobile banking, mobile payments, regulators | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168eb46b266970c
Listed below are links to blogs that reference Regulating mobile: Distinguishing the payment from the channel:
Comments
April 16, 2012
Online and mobile banking create many front doors
"The vulnerability is the front door of the bank." I've heard that quote many times over the years. With online banking continuing to grow, and mobile being the latest channel to access bank accounts and services, the bank suddenly has many more "doors" to worry about.
An August 2011 Consumer Trends Survey by Fiserv shows that 79 million households use online banking, and businesses are following suit. With this kind of competitive environment, most banks must offer online or even mobile banking to stay relevant. As banks strive to remain relevant, they must also stay safe.
The Federal Financial Institutions Examination Council (FFIEC) published the timely Supplement to Authentication in an Internet Banking Environment in June 2011 to address electronic banking security. As financial institutions enter the mobile banking world, the FFIEC's guidance helps banks to protect against risk in electronic access channels. NACHA also recently reviewed its existing policies and operating rules to ensure it has similar helpful guidance for financial institutions originating ACH transactions in this increasingly connected environment.
Whether it's FFIEC guidance or NACHA rules, these five sound business practices can go a long way toward safe electronic banking, whether through the Internet or mobile channel.
Customer Awareness and Education is ongoing, and one-time notices are not as effective as repeated messages on specific security concerns. Describe potential threats in language understood by the average consumer and business. Consider requiring business customers to perform risk assessments around online banking access and practices.
Layered Security Programs include the practice of tailoring different security tools to the type of account and activity and establishing appropriate controls over account activities based on typical account use patterns. Stay up to date on new layered security technologies and regulatory requirements.
Effectiveness of Authentication Techniques—not all techniques are equally effective. Use complex device authentication methods. Change those methods as technology changes. And establish challenge questions that have answers not readily available on the Internet or through social media sites. Incorporate "red herring" questions into the challenge questions, and use different challenge questions in different sessions.
Customer Authentication for High-Risk Transactions applies to both consumer and business accounts. Monitor accounts for unusual and out-of-pattern transactions on a regular basis. Establish procedures to do something when out-of-pattern transactions are detected.
Risk Assessments and "know your customer" are basic concepts that apply to both consumer and business banking products. Assess threat and risk-related information regularly. Identify types of changes that trigger additional assessments. "One and done" doesn't keep pace in this fast-moving environment. Review experiences with incidents and learn from them. And develop response teams and playbooks to respond quickly to threats or incidents that require immediate action.
With Internet and now mobile banking growing by leaps and bounds, the vulnerability is no longer just the front door of the bank. Following these sound business practices—and it's hard to argue against them—can help to secure all openings from dangers lurking in cyberspace.
By Mary Kepler, director of the Retail Payments Risk Forum at the Atlanta Fed
April 16, 2012 in banks and banking, mobile banking, risk management | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168ea343547970c
Listed below are links to blogs that reference Online and mobile banking create many front doors:
Comments
April 09, 2012
Mobile payments malware: Assault and low battery
According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and subsequently go for market size in their exploits. Within a year, he says we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview of Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.
I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.
Mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.
The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.
The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.
Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections to protect data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
April 9, 2012 in malware, mobile banking, payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016303e2a50c970d
Listed below are links to blogs that reference Mobile payments malware: Assault and low battery:
Comments
February 21, 2012
Security in the mobile wallet: Is it good enough yet?
For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.
But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.
Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.
A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:
"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."
It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to rollout in 2012.
Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics's recent study found that financial services applications had the largest percentage of apps that passed their security tests.
Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are fulfilling meeting the terms of third-party agreements with respect to application and device security.
Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c016301c7d1b3970d
Listed below are links to blogs that reference Security in the mobile wallet: Is it good enough yet?:
Comments
November 21, 2011
Remote deposit capture: If you expand it, will fraud come?
It has been nearly two years since Portals and Rails focused on remote deposit capture (RDC). In just this short period, the RDC market has grown significantly and changed rapidly. This growth and change has led to approximately 13 percent of checks being deposited as images at the bank of first deposit, according to the 2010 Federal Reserve Payments Study. In addition, financial institutions and banks, which initially offered RDC capabilities primarily to their commercial customers, are now broadening these services to include their retail customers. Even the hardware used for RDC is evolving from desktop scanners to mobile phones. Despite this growth and evolution, RDC fraud has been minimal, much as my colleague, Cindy Merritt, discussed in an April 2009 post.
According to a new Celent report, the commercial RDC market is nearing maturity, with an estimated 75 percent of U.S. banks and 50 percent of U.S. financial institutions offering at least one RDC service. Given this mature commercial market, any future growth of RDC services should be expected via retail consumers. This growth will come from the adoption of retail RDC services by banks and financial institutions as well as the expansion of the service into new payment products—most notably, prepaid cards. As RDC usage expands to more retail consumers and additional payment products, we have to wonder if fraud associated with it will rise or continue to be held under control.
Current risk assessment
According to the 2011 Payments Fraud and Control Survey from the Association of Financial Professionals, only 1 percent of surveyed organizations responded that someone had used their electronic check conversion service to commit fraud. This figure is unchanged from the 2009 survey.
A similar assessment of RDC fraud recently emerged from the Financial Crimes Enforcement Network (FinCEN). FinCEN analysts identified 1,017 Suspicious Activity Report (SAR) filings related to RDC that banks and credit unions filed between January 1, 2005, and July 31, 2011. More than half of these reports were filed after the start of 2010. These 1,017 RDC-related SARs account for only about 0.1 percent of all bank-filed, check-fraud-related SARs. FinCEN found no real differences between the RDC channel and more traditional check depositing channels when it came to fraud schemes (for example, check kiting and counterfeit or altered checks).
Will the low level of fraud be sustainable as the service grows?
To date, banks and other financial institutions have successfully managed risks for commercial RDC services. Whether by restricting the use of the service to only its most vetted commercial clients or limiting the value of allowable remote deposits, banks have implemented risk controls to effectively minimize their risk and fraud exposure associated with RDC.
Banks and financial institutions are now beginning to cast the RDC net into their retail channels. Ally Bank offers its retail customers RDC through the traditional scanner and computer model, while USAA, J.P. Morgan Chase, PNC Bank, and U.S. Bank all now offer mobile RDC for retail consumers. Bank of America is targeting a second-quarter 2012 launch for its retail mobile RDC service. With banks and financial institutions expanding this service to a retail customer base that often undergoes less stringent due diligence than do their commercial customers, is the potential for fraud increasing?
The general-purpose reloadable (GPR) prepaid card market offers a significant growth opportunity for mobile RDC. With this service, GPR prepaid cardholders—many of whom are unbanked—would be able to load funds directly onto their prepaid cards without having to walk into a store, in the same way the service now allows banking customers to deposit checks into their direct deposit accounts.
According to a recent paybefore.com article, several third-party service providers have the risk-management software to enable mobile RDC for the prepaid industry. Interestingly, these third-party software providers will accept the risk of the mobile RDC transactions, taking the responsibility from the prepaid program manager or issuer. However, the inherent dearth of information about GRP prepaid users compared to retail and, especially, commercial banking customers makes RDC services more vulnerable to fraud with this group. In fact, prepaid card users may be unbanked because they have a poor, or no, credit history or they lack appropriate identification and credentials to open a banking account.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 21, 2011 in banks and banking, financial services, mobile banking | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015437308f63970c
Listed below are links to blogs that reference Remote deposit capture: If you expand it, will fraud come?:
Comments
May 16, 2011
Practical tips for enhanced mobile security
We recently sat down to talk with Soren Bested to discuss mobile security. Soren, who has more than ten years of experience in high-tech industries, currently serves as managing director of Monitise Americas, a leading provider of mobile banking and payments in both the U.K. and U.S. markets. Mobile security is a hot topic at Portals and Rails. Recent posts have covered common myths about mobile banking and payments and laid out foundational principles for a successful mobile payments ecosystem in the United States. Continuing in this vein, Soren offers some practical tips on using mobile devices to secure financial transactions today.
Mobile security is top-of-mind for consumers, and their concerns about the safety of the mobile channel have limited mobile banking and payments adoption. Soren suggests, however, that mobile has the potential to be "super-secure," and even to enhance the security of existing financial service channels. Financial institutions and technology providers might consider the following recommendations in approaching mobile to take advantage of this potential security.
Match service channel to function
The mobile channel incorporates several different technologies, or service channels: SMS (text messages), mobile applications, and mobile browsers. Each of these service channels has a unique security profile,and as such is best suited for different tasks. SMS, for example, transmits information over the air in an unencrypted format, and is therefore inappropriate for carrying payment or personal identification details. However, SMS is perfect for sending notifications because it is immediate, inexpensive, and convenient. Banks might insist that customers use a password-protected mobile application when they conduct more sensitive business, like initiating a peer-to-peer transaction or transferring a balance between accounts. These examples illustrate that the mobile channel cannot be approached with a single security protocol, but rather that security practices should be tailored to each channel and its unique risk profile.
Use existing industry security guidelines
Soren advises that financial institutions not reinvent the wheel when they design mobile security. The industry can instead apply established security guidelines. These are the PCI DSS (Payment Card Industry Data Security Standards) guidelines for card transactions, the SAS70 operational standards, and the FFIEC standards for multi-factor authentication. Conforming to these existing standards decreases the burden on banks by allowing them to take advantage of existing industry expertise in developing a secure product. Banks can then outsource some security development and auditing functions, in the same way that merchants rely on vendors to ensure compliance with existing PCI DSS requirements. Not only does this improve the customer's security, it also lowers the upfront cost and shortens the timeframe to launch a mobile product.
Implement true two-factor authentication
Strong authentication requires multiple unique factors. Possible factors for authentication include "something you know," like a password or your mother's maiden name, "something you have," like an RSA token or an ATM card, and "something you are," which could be a biometric identifier like a fingerprint or voice pattern. Currently, most online banking security consists of username and password, and sometimes challenge questions—all things that the user knows. This approach is not two-factor authentication, but is essentially single-factor authentication twice, and as such offers only limited security. Mobile financial services can also incorporate passwords but can also add the "something-you-have" factor with the mobile device itself. A mobile phone is a personal device unique to the user in a way that computers often are not. While families may share a computer, usually each person has his or her own mobile phone. In addition, technology allows for the unique identification of any mobile device, tying the device to the individual user. Some companies have even experimented with adding a third factor to mobile banking by enabling biometric voice authentication of mobile transactions.
Mobile phones can also increase existing online banking security by acting as a second factor for customer authentication. The user's phone will often be only a few feet away when they log into online banking on the computer, and the user could take a call or SMS to authenticate the session. Mobile technology may be the key that allows banks to fully implement multi-factor authentication, a gold standard of security.
These are just a few of the ways that mobile technology might lead us to greater security in financial services. But we know many of our readers are also mobile experts, and have even more ideas about enhancing security with mobile. Leave a comment or send us an e-mail with your tips on improving mobile security.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
May 16, 2011 in authentication, mobile banking, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01538e841162970b
Listed below are links to blogs that reference Practical tips for enhanced mobile security:
Comments
April 11, 2011
Dispelling the myths about mobile banking and payments
There is a lot of confusion these days when it comes to mobile banking and payments. Consumer advocates warn that mobile payments will be unsafe and we need to develop consumer protections now to create a harbor from scams and rip-offs. While it's true that payment innovations often introduce new risks, they also create opportunities to create better safeguards that ensure a more secure payments system. So the path forward is best armed with accurate information about how the mobile wallet will work in the future. With so many new product trials and service rollouts for both mobile banking and payment services, it's difficult to separate fact from fiction. Today, we take an opportunity to do just that. We’ll look at some of the myths we hear most often about mobile banking and payments in the United States.
Myth #1: Mobile banking and mobile payments are one and the same
We often hear people use the term mobile financial services to refer to banking and to payments, as if they were the same thing. The fact is, they are different services that appeal to consumers in different ways, and they are accompanied by very different types of risk. As a recent position paper published by the Atlanta and Boston Federal Reserve Banks defined it, mobile banking refers to a service that accesses bank information such as account balances and transaction history and that facilitates transfers between accounts and online bill payment. Mobile payments, on the other hand, refers to the use of the phone either to make a payment for purchasing goods or services at a merchant's point-of-sale—a transaction also known as a proximity payment—or to transfer money to another person or a business. The latter transactions, domestic and remittance payments, are referred to as mobile money transfer (MMT) payments and occur remotely either within a country or cross-border. Because mobile banking services are merely extending online functionality from the PC to the cell phone, the risk profile for the mobile phone is not markedly different.
Myth #2: Mobile payments represent digital money and lack regulation
While emerging markets are experiencing some remarkable advances in mobile commerce using text messaging to send a payment via prepaid airtime, the U.S. experience, as with other developed countries, is very different. Text-message-based mobile payment systems work for those emerging markets because they are clearly safer than cash. Here and in other developed countries, we have safe payments already, so the mobile device would merely be another channel to access existing payment instruments and their networks for clearing and settlement. All the rule sets, laws and regulations, and consumer protections that govern retail payments today will simply migrate to the mobile channel. While new networks, or rails, may emerge in the future, at present, the payment network systems remain the same.
Myth #3: Mobile payments are less secure that other payment methods
First of all, the security functionalities resident in the mobile handset provide authentication capabilities that don't exist in the current payments environment. The ability to add passwords and GPS location functionality to the handset represent additional security controls to accessing payment instruments in the future mobile wallet. Today, there are no locks on your leather wallet to preclude a bad actor from stealing your credit and debit cards and using them for illicit activity.
Moreover, the technologies that enable our current payments are becoming increasingly obsolete and vulnerable to fraud. Card payments grow riskier every day as the United States remains reliant upon mag-stripe technology, which is very easy for criminals to breach and then use to clone cards for illegal payments. Because mobile devices will use contactless technology in the form of an embedded computer chip, the mobile phone will be a much more secure payment device than the plastic cards we use today.
Conclusion So maybe the idea of mobile banking and payments isn't that scary—and maybe these things aren’t even that trendy any more. When you get right down to it, the cell phone is just another form factor for a payment.
But that's not to say that a lot of new ideas aren’t percolating out there. We know that telecoms are taking small steps with micropayments by allowing consumers to pay after-the-fact for digital goods—things like avatar accessories, ringtones, and even cows and corn in online games like Farmville—on their regular phone bills. Facebook credits are reportedly evolving into Facebook payments for physical venues outside of virtual online games and stores. And we all are waiting expectantly to see if Apple will make use of its extensive iTunes network as a more open payment system whenever the next iPhone is released.
At the Retail Payments Risk Forum we'll continue to keep an eye on emerging payment developments such as these, and work toward clearing up confusion. So don't wait for a blog post, feel free to send an e-mail to any one of us in the Risk Forum if you have a question. We’d love to hear from you.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
April 11, 2011 in mobile banking, mobile money transfer, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e608baa3e970c
Listed below are links to blogs that reference Dispelling the myths about mobile banking and payments:
Comments
Posted by:
Knud - San Francisco |
April 13, 2011 at 12:44 AM
July 12, 2010
The confluence of payments, social networks, and malware: Elements of a perfect storm?
Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?
More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.
|
|
| ENLARGE |
Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.
|
|
| ENLARGE |
Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.
Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.
Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485620cfb970c
Listed below are links to blogs that reference The confluence of payments, social networks, and malware: Elements of a perfect storm?:
Comments
March 29, 2010
Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models
The folks engaging in the early stages of the mobile payments industry have coined the term "mobile ecosystem" to describe the environment into which they are trying to merge the traditional roles of telecommunications with those of payments and banking. While some in this fledgling industry are already becoming disenchanted with the grandeur of the "ecosystem" terminology, the concept does suggest a useful model for thinking about the challenges faced in this new arena.
A few weeks ago I received a new issue of National Geographic that contained a fantastic article (and even more fantastic pictures) of the unique ecosystem of the African island nation of Madagascar. The ecosystem of this large island, located off the southeastern coast of Africa, has yielded an extraordinary collection of plants and animals that live in a tropical setting interrupted by some truly anguished geological formations. The local ecosystem is, of course, actually a collection of subsystems (plants, animals, climate, topography, etc.) that have adapted over time to work seamlessly together. For example, large families of lemurs leap fearlessly and safely among knife-sharp rock formations because their hands and feet have developed coarse, leather-like padding over thousands of years.
In the mobile ecosystem, we see a similar makeup of subsystems that must work together. The technology and operational components, while not trivial, are clearly achievable, and many are in place today. The challenges that lie ahead, however, are in the sub-ecosystems of law, regulation, data security, data privacy, customer care, and profitability. Depending on the nature of some of the mobile payment solution alternatives, the banking and the telecommunications industries find themselves wondering if they can coexist on the same island. Is there enough value to the customer to generate the revenue necessary to fund a mobile payments initiative? Who gets or shares the revenue? Who is responsible for data security and authentication, and how does that credential or certainty get passed along the mobile payment supply chain? Who resolves the customer's problem if a mistake is made? What consumer protection rights exist in case of error or fraud, and do those rights change depending on whether a traditional payments system is used to settle the transaction? Are proven models in other countries transportable, or are the characteristics of the economics and user base too different?
With respect to customer care and protection, I recently asked an audience of representatives from the full span of the mobile payment value chain, "Who owns the customer in a mobile transaction?" Gratifyingly, they agreed they all did. However, the true ownership response may ultimately depend on the nature of the transaction and agreement on who is liable if anything goes wrong. Take the case of a person-to-person payment initiated by Consumer A (Barbara Buyer) to Consumer B (Gloria Girl Scout's Mom) for payment of six boxes of Girl Scout cookies (three Thin Mints and three Trefoils). In a telephone-based clearing model, Barbara would enter the requisite $21 in the payment instruction and designate the phone number of Gloria's mom in the recipient field, and both their phone bills would be adjusted accordingly. Now suppose that Barbara was distracted by her daughter's chiding that she really wanted Samoas and carelessly entered $210. Since the payment never went through the payment system, Barbara Buyer cannot rely on traditional banking regulatory protections or problem resolution processes. She must resolve the problem with her phone provider, who has already credited Gloria's mom. Alternately, given PayPal's March 16 announcement of an iPhone app to send money to another person, PayPal's resolution procedures could be in play.
If, however, Barbara's phone company clears the transaction through a mobile service ACH backend, or Barbara pays Gloria's mom through a P2P service offered by her bank, the error resolution process is likely through normal banking customer service channels, and the adjustment process may be managed differently, assuming an adjustment process is contractually spelled out in either case. In reality, Barbara would probably get Gloria's mom to write her a check for $189 to straighten things out. While this may seem like a trivial example, it does dramatize some of the issues that must be worked out in the new ecosystem of mobile payments to make such services work effectively for the customer's benefit.
Given these difficult challenges, it seems likely that various models will initially emerge within alliance groups (one phone company, one or more application providers, a few partner banks, etc.) before they begin to converge into one or more universal market models. Along the way, one hopes that the key participants can collaborate to anticipate the types of risk issues that could arrive in the real world so that the consumer's experience turns out to be one that encourages growth. In the age of e-mailing, twittering, and facebooking, it is increasingly clear to me that mobile banking and mobile payments are in our future and that they will be a very attractive service to some key sectors of our population. However, they will be extremely slow to develop if critical mass issues such as those mentioned above are not resolved up front. In fact, this would be a good place for banks to try new, customer-friendly approaches to consumer education and disclosure that match the payment channel being used and the customer demographic.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 29, 2010 in authentication, data security, fraud, mobile banking, mobile payments, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133ec4d8601970b
Listed below are links to blogs that reference Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models:
Thank you Cindy. It is important with this kind of clarification to sift through the confusion between mBanking and mPayment. The various mPayment pilot projects and announcements of mPayment partnerships, while overall encouraging for the industry, unfortunately adds further to the perceived complexities.
You bring up many good points. It is clear that enabling mobile payments for goods and services represents a significant change in the risk and opportunities compared to traditional payments. I firmly believe and agree that appropriately architected mobile payment solutions can provide superior security compared with cards-in-wallet. You list some ways but there are more approaches. I hope you will continue with more clarifying blog posts and share your insight.