- RBC recently announced that it has partnered with a firm called Bionym. Bionym offers a wearable device, the Nymi Band, that can be used to authenticate you to all kinds of products, devices and services (see this video for potential use cases). The band takes the user’s electrocardiogram and uses it as the authentication factor. RBC and Bionym are going to test ECG-authenticated payments at the point of sale. Sounds pretty cool to me! The Nymi band is a $79 product that can be ordered on Kickstarter.
- Last week, at the AFP Conference, Online Banking Solutions (OBS) showed me a demo of how they are using a smartwatch to authenticate corporate online banking transactions. When the user performs a certain function, an alert is sent to the smartwatch (the demo was shown to me on a Moto360). The user then has to interact with the watch in order to confirm or reject the transaction.
- Alerts and notifications. The alerts that pop up on a watch should in theory be the same ones that appear on your smartphone. Most day-to-day banking alerts may not be that critical, but there are some that the user may want to see at a glance. Security at the point of sale is also a possible use case: if a credit card is swiped, an alert can be sent, and it’s simpler and faster to have this appear on your wrist than in your pocket.
- Authentication. These devices, particularly the smartwatch, represent an interesting authentication alternative. The Android platform can be configured to let a “trusted device” unlock the phone or an app. In other words, the phone or app unlocks when it detects the presence of a paired smartwatch; if the phone is lost or not in the hands of the user, the smartwatch won’t be detected and the user will be prompted for a password. The Moto X smartphone currently has this feature incorporated into its build of Android, and it can be used to unlock the device. Celent believes that devices like the smartwatch can act as a solid form of authentication and enhance the user experience. One caveat: proximity unlock only proves that the watch is nearby, so it is a “something you have” factor that offers no protection when phone and watch are lost or stolen together, and it should sit alongside a password rather than replace one. Additionally, banks have been challenged to come up with new methods of providing authentication for mobile banking, particularly since classic multifactor authentication involves something you know and something you have.
- The toll free number provided was nowhere to be found on the bank’s web site
- The message left was with regards to “my profile and information”
- The reference number left on the voicemail was my online banking user ID
- You can have great data, but it’s useless if you don’t master things like privacy and security
- Customers should always be directed to call back a primary telephone number that can be easily validated, such as the one printed on the back of the card or on the bank’s web site. Banks are so cautious about email communication with clients; they should be just as cautious with telephone communication.
- Under no circumstances should a user ID ever be divulged. It’s a key piece of an authenticated login. It of course takes a couple of other pieces to log in, but that’s not the point – why give away any pieces of the puzzle? Furthermore, if a bank or customer were to suffer a breach, a fraudster could attempt to gain access to other account credentials by leaving a convincing voicemail containing a user ID (that obviously did not happen here). A caller who already knows the customer’s user ID looks legitimate, which is exactly what a phishing call relies on.
Figure 1: Number of Presenter Products with Aspects of Each Category
Here are some key takeaways after watching most of the presentations:
- PFM is still going strong: Banks have been declaring the end of PFM for years now, yet the topic is still one of the most talked about at every Finovate. At Finovate Europe, PFM was the most prevalent. What does this mean for the institutions? Well, first off, it’s obvious that entrepreneurs still see the value in PFM tools. Banks, many of which adopted PFM solutions long ago, have shrugged at the lackluster adoption, subsequently declaring PFM a failed experiment. Financial institutions themselves are partly to blame, hiding these platforms in menus and barely showing any desire to market the products. Yet the biggest problem with PFM is shared by all, vendors and banks alike. PFM doesn’t add value! Let’s just assume most people want to know how much they spend on coffee each month (I don’t!). What comes next? Where’s the action? The fundamental problem with PFM is that the way the data has been leveraged to truly provide value has been disappointing at best. Until the quality of the data is there, PFM won’t be in the mainstream. A secondary concern—the misconception that most vendors buy into—is that PFM can be fun, succeeding through cleverly designed games and well-designed UIs. I hate to say it, but PFM will never be fun! Nevertheless, there were some interesting takes on PFM this year that could offer some new ways to think about it going forward. A company called Tink takes financial data and creates insights for the user like where you spent the most money in the last year, largest one-time purchase, most frequent spending location, and others. The difference is that these are non-intrusive ‘stats’ that show up only if a user scrolls down from the landing page on the mobile app. Three takeaways from Tink’s product: everything is done on the bank side, it is more interesting than visualizations of spending categories, and the analysis requires nothing from the user.
Meniga, a PFM success story in Europe, uses demographic data to help small businesses find market opportunities. It provides competitors’ sales data, locations and profitability, among other things. It’s not PFM in the strictest sense, but that’s probably a good thing. PFM needs a little shaking up.
- Moving Mobile Banking Beyond Transactions: While not a new topic, this was a common theme across a variety of presentations. The most common involved using the camera to assist in account opening or paying bills (see Kofax, Top Image Systems, and Axa Banque). Mitek and US Bank have been at this for some time, but the rush of new start-ups looking to fill the gap in the market is telling. As mobile banking becomes more common, and adoption increases, consumers’ appetite for mobile-based interactions will broaden. Banks are not only beginning to offer consumers the ability to do more complex transactions via the mobile device, but are also opening up ways to monetize the channel. This will make ROI much more tangible, doing away with the misconception that the value of digital channels is ambiguous.
- Replace the Password: Is the password dead? That was the question asked by Wired Magazine in November of 2012, and something that has been on the mind of Celent for quite some time. Finovate produced no shortage of companies looking to innovate on financial security. Finovate veteran Behaviosec continues pushing its gesture-based biometric product, which learns how the user moves and interacts with the device and produces a confidence score for use behind the scenes. Encap uses the mobile phone as an authentication device for approving transactions or logging into digital banking. This was the second most discussed topic at Finovate. While biometrics is already used in some places globally, the practicality of such solutions is dubious at best. Security needs to start becoming a little more practical. One of my favourite presentations was from Feedzai, which scrapes social media data to assess fraud risk. For example, if I just checked in at a restaurant in San Francisco, then a transaction from somewhere else is likely fraudulent. A few took to Twitter to question whether customers would be OK granting banks access to their social media lives. If Citibank starts poking people, then maybe I could see the point; otherwise, it’s a practical application for enhancing security. Besides, most social media information is already public anyway, though a signal that is public to the bank is also public to a fraudster, so it belongs alongside other risk signals rather than in place of them.
- Lots of Front-end, Little Back-end: One thing Finovate teaches us all is that there is no shortage of great UI designers. One thing Finovate doesn’t show us is how messy banking gets once you start connecting that nice-looking front-end to the back-end. Are most of these front-end products from Finovate really bank-ready? I’m not convinced. Large vendors like Misys, Fiserv, and Temenos may not have won best in show, but with integrated back-end products, they’re in a much better position to succeed. One of my favorites was Five Degrees, a Dutch back/mid-office solution that runs in the cloud and offers a truly innovative BPM product. Other than that, good examples of back-end innovation were scant.
- Social Collaboration: It was interesting to see the different ideas for leveraging crowd-sourcing and social collaboration. Nous presented a product for investments that incentivizes users to play a game that aggregates data based on the players’ outcomes. A company called MyWishBoard uses collaboration, similar to SmartyPig, for goals and wish lists that can be shared via social media with friends. Leveraging the power of crowds has been difficult to accomplish in financial services, and most social strategies have revolved around marketing and customer support. While some of these ideas may not be the best business ideas, it’s nice to see different takes on leveraging the power of social.
- No Branch Channel Innovation: Absent from the Finovate line-up were any innovative ideas around branch technology. Celent has written a number of reports looking at branch technology, and there is undoubtedly still much to talk about in this space. The closest the show came was with JHA’s Luminous, a Dropbox-like secure cloud storage application for bank documents. Branches are changing, but they aren’t going away, at least not anytime soon. Banks have been doing some interesting things in the branch channel, but there are still plenty of innovative ways to maximize the brick-and-mortar experience. Celent did a recent consumer survey showing that branch channel adoption is still very high among consumers, and the branch is the first choice for important decisions. Considering the adoption gap between PFM and the branch, the low activity is surprising.
- Identifying, assessing and mitigating the specific risks associated with providing mobile payment services.
- Using strong customer authentication and registration controls.
- Implementing a robust data protection mechanism to protect sensitive data wherever it is transmitted, processed or stored.
- Implementing secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems.
- Engaging in enhancing customer understanding and providing information on security issues related to the use of mobile payment services with a view to enabling customers to use such services in a safe and secure manner.
- Reassure and communicate regularly with the public. This was a serious issue when Chase had a major web site outage last year. Tweet, get onto Facebook, reply directly to customers. Don’t just listen, watch, or provide generic replies with basic info. Address customers, point them to channels that do work, direct them to nearby branches, have customer service reps call them. This is easier said than done as call centers are overloaded. PNC, the latest bank to come under attack, has but a handful of tweets today – all very generic.
- Be prepared for round two. Right now these attacks appear to be concentrating on bank web sites. Could a completely different type of attack (e.g. a data breach) take place in the next round of cyberwarfare? Banks definitely have to be on the lookout for this. It wouldn’t surprise me to see hands try to enter the cookie jar in an attempt to steal customer information and/or assets. This isn’t happening right now, but banks have to be prepared for what could happen next.
No matter how you look at this, these attacks are terrible. We live in a world where consumers have come to rely on digital transactions (and they should). Attacks like these shake consumer confidence, and eat up precious bank IT dollars that are already quite scarce. Please feel free to chime in with your comments.
- Up to 1.5m card records “may” have been affected;
- The incident is contained to North America only;
- Only Track 2 data has been taken (not Track 1 data and not customer name, address, etc.; Track 2 carries the card number, expiry date and service code but not the cardholder name);
- Visa removed Global Payments from a PCI compliance list;
- The incident does not involve any merchants, ISOs or customers and occurred on some “local servers” at Global Payments;
- Due to the ongoing federal investigation, the company can’t be specific about timelines, but did confirm that “about 3 weeks ago” it discovered that some card data “may have been taken” and immediately contacted federal law enforcement agencies and the schemes;
- Customers are “encouraged to be vigilant”. Also, the company is setting up an information site for consumers which should be operational later today: http://www.2012infosecurityupdate.com/
- Continues to process all card transactions, including Visa;
- Is working with the schemes and other parties to address the situation; “~100 people are working on this”;
- Intends to get its ROC (Report on Compliance) back “as soon as it is humanly possible”;
- Will continue with its planned investments in other areas, but also will “spend even more on security” going forward;
- Expects to come out stronger and more experienced as a result, and believes that their customers will recognise this.
This is a major issue, as no bank wants its customers to be presented with the message, “you may be communicating with an attacker.” This is how the browser (Google Chrome) explains the message:
“When you connect to a secure website, the server hosting that site presents your browser with something called a “certificate” to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party trusted by your computer. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website that you intended and not a third party (such as an attacker on your network). In this case, the certificate presented to your browser has been revoked by its issuer. This usually means that the integrity of this certificate has been compromised and that the certificate should not be trusted. You absolutely should not proceed past this point.”
It’s unclear at this stage what exactly has caused the problem. This is a major concern to customers who use Chase online banking to pay bills and transfer funds. If Chase doesn’t resolve the issue shortly, it could cost them a pretty penny – they would have to reimburse late fees incurred by customers unable to access online bill pay.
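The “revoked by its issuer” check Chrome describes is the same check any TLS client can make against the issuer’s certificate revocation list (CRL). As an added example (not from the original post, and unrelated to Chase’s actual certificate or CA), the script below uses OpenSSL to build a throwaway root CA and a leaf certificate for a made-up banking hostname, revokes the leaf and publishes a CRL, and then shows that verification passes when the CRL is ignored and fails with “certificate revoked” once the CRL is consulted. The CA name, hostname, file names and directory are all invented for the demo.

```shell
#!/bin/sh
# Added example: reproduce a "certificate revoked" verification failure
# with a throwaway PKI. Every name here (CA, hostname, paths) is invented.
set -e

# build_demo_pki DIR: create a root CA and a leaf cert for a fictitious
# online banking host, then revoke the leaf and issue a CA-signed CRL.
build_demo_pki() {
    mkdir -p "$1"
    (
        cd "$1"

        # 1. Self-signed root CA (openssl req -x509 marks it CA:TRUE by default).
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Example Bank Demo Root CA" \
            -keyout ca.key -out ca.crt 2>/dev/null

        # 2. Leaf certificate for the (fictitious) online banking host.
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=online.example-bank.test" \
            -keyout leaf.key -out leaf.csr 2>/dev/null
        openssl x509 -req -in leaf.csr -sha256 -days 30 \
            -CA ca.crt -CAkey ca.key -CAcreateserial -out leaf.crt 2>/dev/null

        # 3. Minimal "openssl ca" configuration. index.txt is the CA's database
        #    of issued/revoked serials; the CRL is generated from it.
        : > index.txt
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = index.txt
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF

        # 4. Revoke the leaf (its serial is recorded as revoked in index.txt)
        #    and publish a CRL signed by the CA key.
        openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
        openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    )
}

# revocation_status DIR MODE: MODE "nocrl" does path validation only (how a
# client that skips revocation checking behaves); MODE "crl" adds -crl_check
# against the CA's CRL. Prints "valid", "revoked" or "invalid".
revocation_status() {
    dir="$1"
    if [ "$2" = "crl" ]; then
        out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" \
                  -CRLfile "$dir/crl.pem" "$dir/leaf.crt" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$dir/ca.crt" "$dir/leaf.crt" 2>&1) || true
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo invalid ;;
    esac
}

# Stand-alone run: the same leaf passes without the CRL and fails with it.
demo_dir="$(mktemp -d)"
build_demo_pki "$demo_dir"
echo "without CRL check: $(revocation_status "$demo_dir" nocrl)"
echo "with CRL check:    $(revocation_status "$demo_dir" crl)"
```

The point of the two runs is that a revoked certificate still has a valid signature and validity period; only a client that actually fetches the CRL (or asks the issuer’s OCSP responder) will reject it, which is why browsers that do so show the warning quoted above while a client that skips revocation checking would connect without complaint.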
The last time the site went down, Chase told customers that the site was down for “scheduled maintenance” when in fact it was revealed much later that the problem was a software error caused by a third party. Twitter was ablaze with irate customers wanting answers. It was a PR nightmare, one that hopefully will not happen this time around. Hopefully Chase will provide some information shortly and notify customers about what is going on.
UPDATE 1:10 pm: It appears the site is back up.