Mobile Payments Security

May 2011

Jennifer Windh: Welcome to the Federal Reserve Bank of Atlanta's Payments Spotlight podcast. Today, we're joined by Soren Bested, managing director of Monitise Americas.

Monitise Americas is a mobile service provider with products spanning debt and credit cards, prepaid cards, health care accounts, electronic benefit transfer accounts, bill payments, and proximity payments. Prior to his current role, Soren spent more than 10 years in various high-tech industries, most recently leading operations for Monitise Americas, and prior to that, Monilink.

Soren will be speaking to us about mobile payments security. Soren, thanks for joining us.

Soren Bested: Good morning, Jennifer. Thank you so much for inviting me.

Windh: So, we've spoken before about mobile security and how that is top-of-mind for Monitise. Can you tell me some of the things Monitise has been doing to reduce risk in mobile financial services?

Bested: Certainly. Mobile banking and payments, commerce is very much a new industry. A lot of the services we are going to see emerging over the next 5 to 10 years we believe are going to be services that are going to originate from what we are doing today, what we have been doing the last couple of years in terms of simple mobile banking services. What we are doing today is to align the foundation for mobile payments and mobile commerce. But, as it often is the case, when you have an emerging industry, the industry standards around security and protecting security are somewhat vague, and that has led to a little bit of industry confusion. So, over the last number of years, what we feel we have seen in the market is that there has been very much a focus on consumer appeal of the reputation you are making, or you may say the "sexiness," instead of really focusing on the valid banking security behind what is being developed and implemented.

We are really a group of people with a background in banking. That said, well, we are going to set out to apply everything we know about banking and banking transactions for mobile banking and payments. What that really means is, we said, we need to apply the same security standards as being applied for any other financial services. The fact that it's new, it's trendy, it's on a mobile phone, doesn't mean that we can start cutting corners or that we don't need to apply the same standards as we do for everything else we do. In our case, that really means looking at what are the key industry standards that we should adhere to. And what we have identified today is, as a great starting point, the PCI DSS guidelines—the Payment Card Industry Data Security Standards, the SAS70 [Statement on Auditing Standards no. 70] operational standards, and also the FFIEC [Federal Financial Institutions Examination Council] standards for two-factor authentication. I am proud to say that, since inception, Monitise has really worked according to these guidelines, and I believe we are the only mobile vendor today that is certified to all three standards.

But one of the things we need to think a little bit about is, when we talk about mobile banking and payments, it is still unclear to a number of people what we are specifically talking about. And I think it would be fair to say that we are at a point now where any comprehensive mobile banking payment service will be leveraging all three service channels—what we like to refer to as mobile service channels. That, is SMS [Short Message Service], it is secure browser, and it is native applications. It is of course worth thinking about that you could argue that it is a subset of SMS, where there's in-application notification delivery—like the iPhones, the Androids, the Blackberry Super Apps—that all have the capability of having a message delivered to within an application—really very similar to the SMS standard, but gives some security benefits.

But once you have built a service that allows you to do mobile banking, mobile payments, and potentially mobile commerce, it is very, very tempting to look at your service and say, "Well, we are leveraging SMS, we are leveraging browsers, we are leveraging application—let's make payments available across all three channels." I do think that is an approach we need to be very, very cautious about because the fact that you can do something technically doesn't mean that you should be doing it.

We have therefore said that our service strategy is one of combining the benefits of the various channels. So, in a scenario you would receive a SMS notification, but if you want to take action, you need the added security you can get through a browser or through a mobile application.

Windh: That makes a lot of sense. Do you think there's any room for the industry to work collaboratively on security measures for mobile? Are there any risks on people going their own direction on this topic?

Bested: Oh, absolutely. Collaboration in an emerging industry is absolutely imperative. Understand that there are a number of companies in the industry now really jockeying for positions, and all of us are of course are trying to get ahead of each other. But one point where we can't afford to not join forces is around security. So this clearly is in all of our collective best interest. To establish collaboration starts with creating an industry standard for mobile banking, payments, and commerce.

But, as we do that, I do believe that we will be well-served by looking at the standards that exist for our current financial services. Mobile is new and exciting, but if you think about it, the mobile device is really becoming a remote control to your life. You're able to effectuate what you can already do online or when you walk into a bank branch, but you can do it on the run, you can do it at your convenience. That means that a lot of what we're doing today is a new banking channel, but effectively it's really just a new way of doing something we know how to do. So, with that in mind, I think that it's extremely important that instead of trying to set of standards from scratch, we look around and see, let's leverage, let's benefit from what we have learned over the last 30 or 50 years of doing EFT transactions, doing bill pays, going online, and let's start by seeing how these standards apply to what we do today. Let's start by implementing them. And as we gain more and more traction, as we get newer and more revolutionary services, let's start adopting the right guidelines instead of starting with a white piece of paper.

You mentioned a potential risk of people wandering off in different directions on mobile security. I think, to me, we really have two key risks. The first one is that security has suddenly become opinion-driven, meaning that "I will do what I think is a sensible security, I'll apply what I think is a sensible security model"— and that's really not a sound industry approach. That's evident. We need something that we can measure everybody against. We need a yardstick for everybody to go against.

My second concern is that if you don't have a set of industry standards, you put an enormous pressure on the financial institutions. Where you today can, I won't say rely, but you can leverage industry experts—for example, the people that are certified PCI or auditors for SAS70—or you can leverage all this by FFIEC to assess whether these services are being provided in a secure and sensible manner. If we are saying that there is no industry standard, suddenly we are handing over that accountability and responsibility to the banks and not only telling them that you must be responsible for security of what you do, but also you need to understand that there are more than a thousand mobile devices in the market. You need to understand what it means to build a secure, native Android application or iPhone application. You need to understand when is it most secure, when is it not. What kind of security model can we leverage for mobile browsers etc., etc. And really, we should not put that onus on the banks or financial institutions. A key benefit of having industry standards is really that all the financial institutions, all the players in the market can leverage a common set of expertise. People that have spent 5, 10, 15 years really, really understand the security.

Windh: Soren, do you see anything in the market now that particularly concerns you?

Bested: Well, I would say that we have seen a lot of maturation over the last 6 to 12 months, so right now, there is not really anything that keeps me awake at night, as to say. But it is a very, very young industry. It is evolving extremely quickly. So, I think, the security and mobile banking experiences for consumers are very, very important, and I think that is what companies are going to win or fail by.

As we know, in any business, consumer activity and consumer security is only as strong as the weakest link. So, in the context of mobile security, we really need to have the best-in-class security features, and the businesses need to learn from each other. We need to educate the consumers on what to expect, and more importantly, what to look for. At the same time, we need to educate our consumers on basic security—avoid shoulder surfing, do not use a single password for every single application.

We are working with a new industry, but we have some benefits here. We can look at what we have learned in online banking, we can look at what we have learned in other financial transactions. The mobile device has a terrific potential to become a very, very secure channel. It will take some years, but I think the last 6 to 12 months have made tremendous steps in really looking at mobile banking payments with more critical lenses.

Windh: So, earlier you mentioned that SMS might not be appropriate for all transactions. Can you explain why this channel might not be that secure. And if it isn't that secure, what are some of the other methods we have for financial services on the mobile phone?

Bested: The appeal of SMS is that it is ubiquitous. It is predicted that in 2013, we will globally be sending 10 trillion SMSs, say, nearly everybody uses SMSs. The question we often ask consumers is, As a parent, if you want to contact your children, do you call them or do you SMS them? If you call them, do they pick up? Very often the answer is no. If you SMS them, you can be sure to get a response. So the appeal of SMS is that everybody uses it and it is simple. People understand it, people get it.

Unfortunately, this simplicity is also a key limitation. So while you are in a mobile banking environment on a mobile banking platform, you use, of course, suitable security measures. So you encrypt all transactions, you encrypt all information. But once an SMS leaves your platform and starts going over the air, you lose control of the security. That means you do not own the end-to-end security channel. So SMSs are today being transmitted to the mobile devices in an unencrypted format. That means that there is a risk that a fraudster may potentially "listen in" on SMSs. To us that means that you very much need to think about what kind of information you are providing over SMS—sending bank account details, sending card numbers, sending personal details. SMS is simply not a suitable channel for that.

There is also a very real risk of what we call "phone number spoofing." By spoofing we talk about, or what we refer to as, a situation where I leverage software to initiate an SMS so it appears to be sent from somebody else's phone. For an example, Jennifer, I could be sending an SMS to myself from what appears to be your mobile phone number. If I'm able to initiate a peer-to-peer payment through SMS, that imposes a tremendous risk because suddenly it can be viewed as you having initiated a $5,000 payment to me by SMS, and by the time you realize that a payment has been effectuated, the funds have been transferred to a prepaid phone with no obvious registration.

So the way we really address this is to assign all transactions to specific service channels. So if you want to do informational services potential fraud—you just had an out-of-state transaction or your card balance is $2,400—SMS is absolutely unbeatable. Nothing beats SMS for informational services. But, if you want to start getting into transactional services, you really need to limit that to service channels that can leverage additional security. That means doing bill payments, proximity payment, peer-to-peer payments, funds transfer from within the added security you get from a native browser or secure browser solution.

Windh: So it sounds like some types of mobile transactions can be insecure if they are relying on SMS technology. However, you also mention that the mobile channel has the potential to be more secure than other channels that consumers currently interact with. Can you explain some of the security advantages of the mobile device?

Bested: Absolutely. If you go back a good three to four years, when we started seeing mobile banking, mobile commerce coming into the mainstream here in the U.S., what you very often saw was, effectively, online banking being rendered on a slightly less sophisticated device with a smaller screen. This approach kind of makes sense. It is somewhat simple and appealing to create a web version of your existing online banking site. It does, however, fail to leverage all the benefits of the mobile device. If you think about it, what is it that's so unique on your mobile phone? There are a couple of different things. First thing, you pretty much always have the mobile device with you. It's a device you never leave home without it. It's always on, unless you are on an airplane or so. It is a personal device, and I think that that is very, very important. Laptop computers are seen as being somewhat sociable devices—it may be yours, but other people may have access to it. Your mobile phone is really your device. You really store personal information on that. What that means is that a financial institution suddenly has the opportunity or the capability to reach out to you with a personal message. And, finally, and very, very importantly, more than 90 percent of all consumers have mobile devices. You'd be challenged to find any online banking penetration in excess of 40 percent.

But I'd like to get back to the fact of the mobile phone being a personal device, your own device. That gives us a tremendous opportunity for implementing a security model that, in many ways, could be superior to that of online banking. Many of our listeners, particularly you, Jennifer, you are very familiar with the three authentication credentials you can potentially use when you talk about two-factor authentication. So, basically, there is the something you know, there is the something you have, and there is the something you are. So something you know could be a passcode or a password. The something you have could be an RSA token or, think about it, your mobile device. And the something you are, that could be some kind of bio-infomatics or biometrics, so it could be a fingerprint, it could be a retinal scan, or anything like that. But exactly because the mobile device is personal to you, mobile banking payments services can really leverage the mobile device to enable true two-factor authentication.

So what you can do is, when a consumer registers for a native application you can embed a downloadable application with a unique identifier. That's an obscure, global, unique identifier, something that's not easily accessible or readable, but it becomes as something you have. So when your mobile device connects to the server at the back end, you have the mobile device, the global unique identifier can send to the server—that is something that you have—and once you log in and you have established the secure connection, you can enter a passcode or password, which relates to something you know. So instead of, when I go to my online banking, what I very often see is I get username and password. But if you think about it, that is really two representations of a single factor—two times something I know instead of something I have and something I know.

So by very early on, identifying what the key uniqueness of the mobile device is, Monitise has been able to implement a security model that today really meets all the FFIEC guidelines and regulations pertaining to two-factor authentication.

Windh: Soren, thanks for talking about mobile security with us today.

Bested: Thank you very much for giving us this opportunity to join you and your listeners, Jennifer. We do look forward to working very much with you in the future and helping us all in progressing the industry.

Windh: Again, we've been speaking today with Soren Bested, managing director of Monitise Americas. This concludes our Payments Spotlight podcast on mobile payments security.

You can find more information about the Retail Payments Risk Forum by visiting our website at www.frbatlanta.org.

Thanks for listening, and please return for more podcasts. If you have comments or questions, please send us an e-mail at podcast@frbatlanta.org