Who's Securing Mobile Payments?
Consumers Expect Banks to Protect the Mobile Wallet
Increased interest in mobile wallets and growing smart phone use are paving the way for more mobile payments, and now is the time for banking institutions to identify what role they'll play in this emerging space.
Javelin analyst Alphonse Pascual, who focuses on financial fraud and security, says institutions can't ignore mobile payments, despite the somewhat peripheral role they play. Banks and credit unions that sit by the sidelines will miss out on revenue-generating opportunities, he says.
Institutions should not try to compete for mobile payments share with social media giants such as Google and Facebook, but they should stake their claims as the experts in transactional security.
"Financial institutions need to ensure that those mobile wallet implementations they're backing and the tools they plan on using have the same degree of security that consumers expect from their mobile banking platforms, or better," Pascual says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
Javelin's mobile research shows consumers are ready to adopt mobile wallets, but they want to be sure those mobile transactions are secure, he says. "If it's done wrong, as far as security, then you could potentially lose not just the mobile wallet customer, but also the banking customer," Pascual says.
Fortunately, banking institutions are taking that worry seriously, Pascual says. But he warns banks and credit unions not wait too long to make moves toward implementation.
During this interview, Pascual discusses:
- How banking institutions can use emerging payments to build loyalty with existing customers;
- Why payments fraud is the new sweet spot for criminals;
- How banks and credit unions can bring emerging payments and non-traditional players together in a way that ensures security.
Pascual leads the security, risk and fraud practice at financial consultancy Javelin Strategy & Research. He began his career with HSBC during the height of the mortgage boom. While working in HSBC's borrower verification department, Pascual performed enhanced due diligence investigations of high-risk loans. He later joined Goldman Sachs' fixed income, currency and commodities division, serving on its mortgage fraud investigations team. Later he joined Fidelity National Information Services, now FIS Global, to oversee data-driven investigations of organized payment fraud groups in the U.S. Pascual is a member of the Association of Certified Fraud Examiners and the International Association of Financial Crimes Investigators.
TRACY KITTEN: Tell us about yourself and the role that you'll be playing at Javelin.
ALPHONSE PASCUAL: My professional experience has primarily been within the world of fraud investigations, and that has taken me to some interesting places. Prior to Javelin, I had spent time working at HSBC and Goldman Sachs while the mortgage market was hot. Those times were exciting for everyone in the financial industry. Working where I had and doing what I was doing definitely provided a unique perspective on just how pervasive fraud could be.
After the bottom fell out, I moved to FIS Global. They're massive, serving merchants and financial institutions throughout the country and around the world. ... Working with payments definitely means being mindful of security. With payment fraud, you're talking about criminals compromising an incredible number of combined identities and accounts. Understanding how they could have obtained those identities and accounts helps shape the investigations; so you have to be mindful of all the ways this stuff can be had. ...
Mobile Payments and Security
KITTEN: What can you tell us about some of Javelin's consumer research into mobile payments?
PASCUAL: There are some great findings that everyone in the field should be aware of, as far as consumer perceptions on mobile and wallets, some of which will be really germane to the financial industry. We know that 63 percent of mobile bankers are interested in using a mobile wallet, which is twice that of all mobile consumers. That's really important to note. And of all consumer segments, which includes all consumers and online bankers, mobile bankers are the most likely to rate security as compelling when selecting a new bank; it wouldn't be much of a stretch to think that they place the same value on wallet security.
Smart phone use continues to increase. More than half of mobile users are now using smart phones, and we're projecting that to increase to three-quarters by 2016. But, so far, only 10 percent of mobile-phone owners have used their device to make a purchase through a contactless payment. The market is really in its infancy. There's a lot of data there in our survey results. But I really think that what we gathered from the mobile-banker perspective, how they feel about mobile wallets, says a lot.
Securing Mobile Transactions
KITTEN: What new or emerging trends are you seeing in mobile security from non-financial players?
PASCUAL: It's really all about the current state of mobile device vulnerability. You combine the increasing adoption of smart phones with the growing threat of mobile malware and low consumer familiarity with mobile anti-malware software, and you have a serious problem in the making. Those third-party solutions you speak of are going to help stem the tide. If that wasn't true, I don't think Microsoft would have recently acquired PhoneFactor [which provides out-of-band authentication via mobile or landline phone].
Survey Results: Primary Takeaways
KITTEN: What would you say are the primary takeaways for banking institutions, where Javelin's recent research is concerned?
PASCUAL: The prime takeaway is that banks need to build on the relationship they have with their existing consumers. That's their in. While the overall consumer perception of banks is mediocre - especially after the past several years - banks' existing consumers have a very strong positive feeling for their banks, and that's really a great opportunity to transition those existing customers to a mobile wallet. They need to hone in on that.
KITTEN: What are some of the fraud challenges surrounding digital currencies, like the mobile wallet?
PASCUAL: The security challenges are specific to the type of technology implemented, and that's also part of the problem. Mobile wallet leaders are not well-defined, so there's a mix of technologies that haven't been fairly implemented or tested, at least from a security standpoint. An infected device can potentially compromise most mobile-wallet implementations. But beyond that, you have to look at NFC [near-field communications]; for NFC, it's all about controlling the secure element. We actually discuss that in our recent mobile-wallet report. You need to ensure that all sensitive payment information that's being stored on the phone is stored within that element. Google Wallet's recent issues come to mind as an example of what can happen when you attempt to do otherwise.
As we've seen with situations like the Michael's breach, there's always a threat of a payment-terminal compromise, which could also affect EMV [Europay, MasterCard, Visa standard], which has a pretty strong tie-in with NFC. And there's also the cloud.
Consumer credentials could potentially expose all of their account information. You don't need to worry just about the security of the mobile device, you also need to worry about the desktop and laptops they use to manage their wallet in the cloud. Access to those credentials or compromise of those credentials is a kind of scenario that no one wants to see.
KITTEN: What about peer-to-peer payments? What security challenges and money laundering worries come into play?
PASCUAL: A lot of peer-to-peer solutions exist outside the long arm of regulation, which, contrary to the beliefs of some people, is not always the best thing for a functioning market. While there's some benefit from not having an intermediary, at the moment, that's outweighed by a number of issues, the foremost of which is that not having an intermediary reduces the risk of detection of money launderers. That, in turn, is garnering the attention of regulators and law enforcement. In order for any of those businesses involved in this space to survive, they'll need to prepare for that increased attention.
KITTEN: How do you see social media influencing mobile and peer-to-peer payments?
PASCUAL: If you're talking about peer-to-peer, you had things like Facebook credits and even Google's mobile wallet, which never really got off the ground. I think a lot of that had to do with the fear of regulation, and not just in the United States. Facebook was getting far more attention than it liked from international sources. There are a lot of unanswered questions, and considering how hard regulators are looking at both Google and Facebook, I don't know what kind of steps they're going to be taking, if any, just yet.
That obviously leaves a huge opportunity for other social networking players - Four Square, Twitter - anybody who's willing to step into this space. It's just you have to be mindful of potential pitfalls, because government is going to be looking at you pretty hard.
KITTEN: What unique concerns does the connection between mobile and social networking raise?
PASCUAL: Again, I don't yet see much of a progress in the digital currency space. Should they decide to move forward, Facebook and Google would be in great positions to leverage social media to promote the use of digital currencies. Now the same is true of mobile wallet; but our data suggests consumers are not interested in Facebook or Google as wallet providers. They're much more interested in players like Visa or PayPal. That's some of the data we have in our recent mobile-wallets report. But to answer the question, the installed base of mobile devices are pretty vulnerable, and consumers could be exposed to the same types of attacks that have plagued social networking in general, just on a different access device. That's really something that they need to be mindful of.
KITTEN: What security and antifraud solutions are service providers seeking from mobile transactions, whether biometrics or otherwise?PASCUAL: Biometrics gets a lot of interest. I know that a majority of consumers view them very positively, however. I believe it is seven out of 10 who favor biometrics, and those that have used biometrics give the technology really high marks for convenience and effectiveness. I believe the industry is becoming aware of the trend, and the technologies are actually starting to mature to a point where they should be deployed, at least conservatively.
Voice and facial recognition lend themselves pretty well to the mobile space, as the hardware necessary to implement those types of biometrics is built right into the device. They do, however, need to address issues such as false-positives from voice recognition, or the potential for some type of replay attack with facial. You can take a photo of somebody and very often that can be used for verification or authentication; we've seen that. The photo can be used as a proxy for a consumer to gain access. Those things need to be taken care of. But we're at the point where we can address these biometrics concerns, and I think we're going to see some real massive adoption. I honestly see biometrics as a strong future solution in the mobile space.
KITTEN: How can banks and credit unions work now to ensure they have a stake in mobile and emerging payments security?
PASCUAL: Financial institutions need to ensure that those mobile-wallet implementations they're backing and the tools they plan on using, have the same degree of security that consumers expect from their mobile banking platforms, or better. They have a great base of consumers who will make the leap to a mobile wallet if offered by their bank; but if it's done wrong as far as security, then you could potentially lose not just the mobile-wallet customer, but also the banking customer. That's a pretty serious concern.
KITTEN: Do you have any upcoming projects that broach some of these mobile concerns?
PASCUAL: Not upcoming, but we just had our Battle for the Mobile Wallet report, and that's a great place to start. ... I think the findings will surprise a lot of people.
Our annual Mobile Security report is actually due out before the end of the year, and with the state of mobile security, it's going to be a must-read for anybody with a vested interest in mobile as a financial tool. Of course, that's pretty much where it's all going.