Mobile Users Want More Security Control
Empowering Consumers Can Improve Mobile Payment Strategy
Consumers are ready to assume more responsibility for the security of their mobile devices, especially when it comes to mobile banking.
According to research conducted by Javelin Strategy & Research, consumers want to have the ability to act and respond when they suspect they've been hit by a mobile attack that results in fraud.
So what's holding them back? Jim Van Dyke, Javelin's president and founder, says banking institutions are the problem. They've been reluctant to release too much control, he says in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
"We see very few banks deploying [solutions] that really empower the customer," Van Dyke says.
Almost no banks are connecting their mobile-customer empowerment strategies with real-time alerts and authentication, two features that can improve security and fraud detection, Van Dyke explains.
In the interview, Van Dyke discusses:
- How banking institutions can use industry research to benchmark their security programs;
- How mobile can be central to any security compliance strategy, even if it is not explicitly noted in the updated FFIEC Authentication Guidance;
- Why banking and security leaders have to involve end-users in risk mitigation practices.
Van Dyke is a thought leader in electronic commerce with more than 20 years of experience. He has held key management assignments in strategic planning; market research; product management; market analysis; product and service launches; communications; technology evaluation; alliance and partner management; and distribution channel development with organizations ranging from start-ups to Fortune 100 corporations. Van Dyke has made presentations to the U.S. House of Representatives and at numerous industry events.
Mobile Landscape
TRACY KITTEN: Questions about mobile security are cropping up more and more these days as more financial institutions launch mobile platforms and offers. Can you give a general overview of the mobile landscape from a fraud and security perspective, as you see it today?
JIM VAN DYKE: Mobile security and protection from fraud is a fascinating area compared to other channels, not just because it's the newest channel, but for a couple of other reasons as well. Mobile's really unique among all channels because it's the potential remote control in the hands of the consumer or business customer of the bank to actually control fraud that happens to the individual account holder in any other channel.
We talk a lot about what can go wrong with mobile security: how people can be victimized and businesses can be victimized through mobile transactions. ... People worry about lost phones and the fact that most mobile devices are not inspected for malware. There are any number of things that can go wrong.
(But) what we've been saying from the beginning is that mobile is also the way that things can go more right and be safer as well. It's the only channel in which you have that degree of variance between things going horribly awry and the bank getting huge losses and seeing themselves in their local paper or nationwide paper as being the place where fraud happened - and a lawsuit. Or they could also build up a reputation, like Chase has done, for example, with their ads that talk about mobile security. What we've seen is they're actually getting more new customers and quite probably drawing lower losses because of how they're deploying mobile as a proactive security mechanism for all channels.
Common Concerns
KITTEN: What seem to be the common concerns or questions that you hear from banking institutions when it comes to mobile banking?
VAN DYKE: I'll answer that question in two ways. First, I'll give you the exact answer to your question and then I'll tell you what I'm concerned about in terms of what I'm not hearing from bankers because, frankly, I think the banking industry is a little bit disconnected, and it stands to reason. In order to be a great security or fraud executive, you've got to be so great at reacting and then having a holistic strategy that involves people, processes, systems, compliance and all those things. It's an incredibly difficult job, and I don't know how people sleep at night at times.
Here's what I'm hearing. People are really tuned in to the things that can go wrong. They're probably a little calmer now than they were a year ago when we started to see this explosion in mobile banking. There's such a strong tie-in between social media and mobile devices as well, with people updating information through the geo-location capability of a phone. What we're finding is that bankers are probably actually a little more calm on mobile security. Just this week, I presented in front of about 300 bankers at three different events, and they're actually a little calmer than they were a year ago.
However, we just surveyed a number of banks, the structured Javelin survey, and what concerned us is that really no bankers were talking about security as something that they could deploy proactively in their mobile strategy. And what I mean by that is bankers could be actually using their mobile services when they partner up with the people that run mobile channels or even marketing to say, "How do we educate and then empower the customer so that the mobile becomes the proactive tool that cuts fraud everywhere?"
Let me give you some of the evidence for this and why I think this could set the stage for mobile payments. Somebody listening to this says, "I want to be a major player in mobile payments at point-of-sale a few years down the road." I think there's a tie-in between mobile security right now and setting the most likely path to mobile-payments.
Here's the evidence of why we think this is a sound strategy: No.1, consumer readiness. When we looked at consumer readiness, the proportion of people from a survey of 5,000 people who said, "When I think about who should be primarily responsible for fraud if it occurred in my name, should that be my job, a shared job between me and my bank, or totally the bank's job?" Over the last four years, the proportion of consumers who say, "That's totally my job, I don't even think the banks should have to worry about that; just empower me," that proportion of people has more than doubled, and the growth is up steadily. Who's it doubling with? Higher income people who love technology and young adults who are on Twitter and Facebook, and all those other things.
Meanwhile, you might think banks are rolling out capabilities that empower them, right? Because you have demand, surely you're going to have supply. Unfortunately, our data showed just the opposite. When we mystery-shopped banks to find out what empowerment capabilities they have, we've seen an area of prevention scores that have actually gotten worse. Banks three years ago had 79 percent of the fraud prevention capabilities we called for. We keep raising the bar as we look at fraud methods based on our survey of consumer fraud we took from the FTC. That score dropped from 62 percent a year ago, and the most recent one shows that it's 54 percent of Javelin-recommended prevention features.
Summing up that long bit of guidance on that, what I would recommend a banker do if they really want to nail their compliance conversation and get the consumers more engaged so they get more market share, more share of wallet, is look at our Bank Safety Scorecard. Show the examiner how their bank compares to the way the average bank scored on the Javelin Safety Scorecard and show the examiner that they're actually safer in empowering the customer for protection.
Mobile Payments
KITTEN: Do you see many financial institutions playing an active role in mobile payments? And if they aren't playing an active role now, should they be?
VAN DYKE: Everybody we talk to is focused on that. But focus, what exactly does that word mean when I say it? Well, everybody has it in their strategic plans. They're dabbling in different areas; there's a lot of movement around mobile deposit capture right now; it's moving from an early adopter feature to a mainstream one, where a significant proportion of banks are likely to offer that soon - P2P, features like that, certainly balance checks, texting of alerts, a lot of movement around that.
Almost nobody is connecting their mobile customer empowerment strategy for protection through real-time alerts, and a lot of people respond and set a parameter, kind of like we've done with positive pay for checks but with all transactions through the mobile device, saying don't allow these transactions or do allow those other kinds of transactions; shut my card off for Brazil for the next 51 weeks, but in the 52nd week I'm going to be there for vacation so by all means don't shut it off then; or global transfers, leave them on/leave them off, and empowering that through mobile.
We see very few banks deploying that where they really truly believe that they can empower the customer and that they can go even further to make that part of a mobile payment strategy. There's a lot of opportunity out there, and we have a very specific roadmap to guide people on what exact features and audience segments and return-on-investment models are required to get the payback they're looking for.
User Behavior
KITTEN: When we talk about mobile security, users are often the unknown security variable, and many institutions note that user behavior on mobile devices raises concern. Users are more likely, for instance, to click on questionable links in e-mails and on websites when viewed via mobile devices. What steps do you see institutions taking to address some of those security concerns and issues?
VAN DYKE: User behavior is often so tricky, and what you want to do as a fraud expert or a security expert is make sure that you're really studying your customers' behavior patterns. Don't go on anecdote. Of course, you're going to have horror stories. We all have them about people putting in incredibly lame passwords or clicking on things they shouldn't click on or whatever. We all have the stories. What you want to make sure you don't allow your team to do is have evidence of disregarding the opposite of that, which is this rapidly-increasing proportion of individuals who will, if properly educated, make very smart and reasoned moves, and these are often people with high balances who are increasingly becoming your highly-desirable customer.
If I were a fraud or security executive at a bank right now, I'd really want to watch the language, the mindset that my team members have. ...If I don't look to find those (opportunities to empower customers), I'm going to let my teams convince one another that customers are just dumb, unmotivated, and I will miss an opportunity to propel myself into being a mobile-payments leader. The data's out there. We see that people are motivated and they're not getting the features from banks they want, but it's not easy to chart that course.
Selling Security Solutions
KITTEN: I wanted to ask about some of the research that Javelin has conducted in this area. You've noted before that you found that consumers would rather invest in security solutions that are offered by their banks than buying a service or an offer from a third party. But do you see banks taking steps to sell security solutions, especially for the mobile channel?
VAN DYKE: Not as much as they should. We really specialize, particularly now more than ever, in helping banks increase their customer profitability, looking at what the bank's customer needs or the merchant's customer is doing and how they're changing in technology trends and all that and then looking for opportunities for acquisition revenue, cost avoidance and loyalty.
What people need to be doing is looking at a couple of things that we see in our research, a couple of opportunities, and these are highly specific. You really have to have a focused eye and magnify the hidden opportunity. I'll give you some examples. I'm looking right now at some research from our Bank Safety Scorecard that shows how the institutions that make up more than half of all consumer deposits in the U.S. scored against the specific 50-plus criteria for prevention, detection and resolution of fraud. If I were a regulator and a bank were showing me how they're complying against this, I think I would be so much more likely to be willing to give that bank a positive score. Multi-factor mobile authentication is one criterion we added. Another one is mutual mobile off; third, mobile safety education; fourth, social media education. Those are just a handful of the mobile as well as social-related areas that we score these top banks on. And I realize many of your listeners might be in smaller banks, so it's even a better case if they can say, "Here's how we compare to some of the biggest institutions that have deep pockets." And the fact is that the average large bank - in prevention scores - has only reached 54 percent of the recommended customer-empowered, loss-avoiding, profit-generating features we call for. In the consumer area, we're looking for what consumers are willing to do. And as you said, our research has found that people are willing to buy these solutions, and I have a concern right now that regulators are discouraging banks from making a profit by selling protection services.
Now, protection services need to be marketed fairly. They need to address real solutions. I just think banks should be selling these things. People should be protected. You need to be (protected) as an individual, paying for optional services, and not just for your desktop or laptop, but for your mobile device as well.
Out-of-Band Authentication
KITTEN: I'd like to point to some other research that I shared with you before our call, and that's our Faces of Fraud survey. In that survey we find that many institutions are concerned about mobile, especially within the context of conformance to the FFIEC's updated authentication guidance. What issues are you hearing from institutions where out-of-band authentication, for instance, via a mobile device is concerned when the mobile device is used for banking?
VAN DYKE: What banks need to mostly do is have advanced communication with the consumers about transactions that the consumer feels comfortable with, taking that kind of positive-pay mentality that in that case of positive pay for checks relates to a specific check number or dollar amount that banks should be approving or not approving. With mobile we have such an opportunity to let people have parameter-driven banking. It's kind of a phrase I'm just creating out of thin air here. The idea that people have this desire to check in on the finances all the time - take concepts like out-of-band authentication, they certainly want to use the mobile device for authentication. I mentioned some of the added criteria related to authentication a minute ago. But even go a step further.
And once we really know who we're talking to, once we're sure it's really that consumer, let's allow the consumer to get updates on their finances. You'll quickly find they're completely addicted to alerts that are succinct, that don't have a bunch of regulatory or CYA gobbledygook in the message and that lead them to an immediate opportunity for an action step right within the message itself. It's built from authentication to giving the customer control of their finances.
Banking Online: Using Mobile Device
KITTEN: What about some of the issues that come up when it comes to actually banking online on a mobile device? When we talk about challenge questions, how do those work for mobile? Is this a concern financial institutions are facing when they come into conformance and look at conformance strategies?
VAN DYKE: Banks can certainly deploy challenge questions. It's a great idea to do that with mobile. It works best if, again, the bank had a conversation in advance about saying what questions would you like me to present to you. Give the customer lots of choices around that in advance, limited to only information that the bank got from public sources. ... You also want to let the consumer serve up to you their own challenge questions via mobile. And texting can be a great way to do that. We can also dial back, in specific instances. Sometimes banks have problems because their core systems only have, if you have an account like a DBA account, space for one mobile phone number but there's a husband and wife involved. You want to make sure you allow multiple mobile phone numbers and you identify account holders individually. You could reach out to people and make the mobile line the preferred channel, product features on your roadmap as well as educational strategies for the customer.
KITTEN: Before we close, could you share some final thoughts about what you're hearing in the industry and what you've gleaned from some of the survey results that we've shared?
VAN DYKE: How can we help a banking executive simplify their decision-making process? That's how people need to look at this and say, "How can I compare myself to peers?" I'd say bankers have a real opportunity to move beyond the anecdotal information they hear at cocktail receptions at banking industry groups - I go to so many - but go straight to the source. Go to the consumer, and not just your own customers but your competitors' customers, so you can think about security and fraud through mobile as a two-part strategy - one that lowers the losses as well as making sure you're compliant, but two, allows you to create a great partnership with your friends over in marketing so that you acquire more customers like Chase and USAA are doing so much of right now. Acquire, keep and cross-sell more customers as well using fraud loss as a customer growth and revenue strategy.