Extending the Franchise of Trust to the Mobile Channel: Financial Institutions, Mobile Finance, and the Hard Problems Ahead - PowerPoint PPT Presentation

1
Extending the Franchise of Trust to the Mobile
Channel: Financial Institutions, Mobile Finance,
and the Hard Problems Ahead
  • Zachary Tumin
  • Executive Director, FSTC
  • April 1, 2003

2
Contents (More or Less)
  • The Vision
  • The Challenge
  • The Requirements
  • The View From Planet Earth (Banks)
  • The Prospect

3
About FSTC
  • Consortium of leading US financial institutions
    and technology companies bringing forward secure,
    reliable, interoperable technologies in proof,
    test, and pilot
  • Active initiatives underway in web services,
    disaster recovery/business continuity, voice and
    biometrics authentication, payments system
    innovation, check security and imaging
  • FI members include Citigroup, JPMorgan Chase,
    Bank of America, Wells Fargo, National City,
    Fidelity, BBT, Comerica, Zions, Huntington,
    Wachovia
  • Technology members include IBM, Sun
    Microsystems, Computer Associates, Hewlett
    Packard, Diebold, Unisys, Sungard, Motorola
  • See projects, membership at www.fstc.org...

4
VISION STUFF: Where We Could Be and Where We Are
5
The Current Landscape: Vision of the Mobile
Channel for Financial Services
  • A fully connected world
  • All communicate with all instantly
  • From anywhere, to anyone or any service
  • All types of transactions
  • Utilizing small devices easily carried or worn
  • Trusted, secure, reliable, just like all the
    other channels

6
The Current Landscape: Multiple Channels, All
Trusted (More or Less)
  • The bar of perception is set high for the mobile
    channel, benchmarked against current trust,
    reliability, security in other proven channels:
  • Branch (Teller)
  • Telephone (Voice)
  • US Mail (Letter Carrier)
  • ATM (Networks)
  • On-Line (Web)
  • Can still be pretty variable across and within,
    but
  • No surprises here: financial institutions and
    consumers think they have fully documented the
    inventory of risk for each channel, mitigated
    them (FIs) and accepted them (consumers), and
    made their choice of comfort and convenience
  • Mobile????

7
The Current Landscape: Multiple Channels, All
Trusted (More or Less)
  • For the consumer, trust, reliability, security
    KNOWLEDGE
  • where your money is
  • how much is there
  • who can do what with it (no one except you)
  • how you can get to it and do things with it
    (walk, punch, surf)
  • what to do if there's a problem
  • Not "I think," but "I know"
  • Tremors/channel confusion exist, rattle trust,
    e.g. balance disparities irk, bug, bother, but
  • Can mobile services, post-Dot.Com hype, just
    another channel, ever come close? When? What
    investments should financial institutions make
    next?

8
Mobile Financial Services Taxonomy: Transactions
  • Account Balance Inquiries and Inventory (Pull)
  • Transaction Initiation and Execution (Pull)
  • Data Message Exchange
  • Personalized Alerts (Push)
  • Account Service (Push and Pull)
  • Wireless Information Synchronization
  • Portal Information Access
  • Aggregation Services (Push and Pull)
  • Promotion Cross Selling (Push and Pull)
  • Financial Advice (Push and Pull)
  • Bill Presentment and Payment (Pull)
  • Loan Application/Prequalification
  • Mobile Commerce (Push and Pull)
  • Location Based Financial Services (Push and Pull)
  • E2E Marketplace
  • Registrations for Financial Service Credentials
  • Mobile Electronic Payments (mPayments)
  • Withdrawal of Electronic Cash to Mobile Devices
  • Secure Delivery of Financial Documents
  • Financial Transaction Authorizations
  • (Source: FSTC and BITS)

9
Mobile Financial Service Taxonomy: Scenarios
  • Mobile User to Financial Institution
  • Mobile User to Physical ATM or PoS Terminal
  • Mobile User to Cyber Merchant
  • Mobile User to Mobile User

10
Mobile Communications Options for Financial
Service Delivery
  • via Immediate Proximity Communications (RFID,
    infrared)
  • via Wireless LANS (e.g., 802.11)
  • via Public Wireless Carrier
  • via Intermediate System (e.g. POS system)
  • via Mobile Platforms (cars, planes, trains)

11
Use of the Mobile Channel: The Observed As-Is
(What the FIs See)
  • Customers not clamoring for mobile finance
  • Low: fewer than 1% of leading brokerages have
    rolled out wireless services
  • High interest by PDA users: ownership 5%, of which
    25% interested
  • Low interest by cell phone users: ownership 39%,
    of which 5% interested
  • Pagers: small ownership (7%), low interest
  • Experience in Britain: of the 3MM Britons with a
    WAP phone, only 100K signed up for WAP services
  • 590 million GSM users worldwide - 30 Billion SMS
    messages projection - over 100 Billion SMS
    messages per month for the next two years
  • (Source: Gartner, Forrester)

12
Where We Stand/As-Is: From Financial Institutions'
Perspective
  • As far as the mobile channel is concerned
  • Primary appeal is anytime, anywhere access to
    accounts
  • Lack of urgency plagues all devices
  • Most consumers not very interested, although they
    seem technologically prepared
  • Most do not consider financial transactions
    urgent enough to execute on a mobile device
  • Primary interest via traders - checking
    portfolios (Stock quotes 1). Low priority: loan
    and bill payments
  • WAMU - Use of wireless in branches
  • (Source: Forrester)

13
Factors Contributing to a Lack of Zeal for the
Mobile Channel
  • In sum: happiness with other channels, doubts
    about this one
  • Issues of service/connection quality
  • Device friendliness
  • Bandwidth constraints
  • Security holes and glitches
  • User expectations: criteria to use service -
    urgency, simplicity, frequency
  • Privacy, Security - impact of losing cell phone,
    spoofing, ID theft
  • Usability - screen size
  • Cost of service

14
The Mobile Landscape From the Industry
Perspective: Yet Immature
  • Rapid product evolution: The pace of development
    in personal devices makes it very difficult to
    build new mCommerce or mobile financial
    applications on platforms that are changing
    radically
  • Confused approaches to security: there is little
    industry agreement on where security
    functionality should reside, or who should be
    responsible for managing security at a systems
    level.
  • Delivering PKI services - slow to emerge: who
    will offer PKI services, or will there be
    overlapping PKI service realms?
  • Government impact on security developments:
    different governments may have radically
    different views about how security gets
    deployed and utilized in mobile services
  • Jurisdictional concerns: complicated in a world
    where transactions can take place even while one
    party is traversing a border.
  • Lack of industry coordination - The necessary
    working arrangements between the equipment
    vendors, wireless carriers, software developers
    and financial institutions have yet to come
    together.
  • Competing technical approaches: 802.11 wireless
    LANs, 3G cellular, Bluetooth, and IrDA have
    overlapping capabilities, and increasingly
    compete in the marketplace.
  • Global scale: Financial services can no longer be
    restricted to national markets; just as users want
    their cell phones to work in every country, they
    will certainly expect their electronic wallets to
    work wherever they travel.
  • Immature mCommerce standards: mCommerce standards
    are even less well developed than eCommerce
15
For Many Financial Institutions Today: Definitely
a Hold Recommendation
  • Technology still immature
  • WAP - poor connections, difficult to use devices
  • GPRS: impact not until 2004; low bandwidth
  • G2.5 available; G3 still in development - 16
    times GPRS; availability 5 years out.
  • Security, reliability, interoperability persist
    as issues
  • No killer app
  • No burning platform
  • No competitive differentiation possible
  • Unclear value proposition

16
The Coming Landscape
  • The mobile landscape will soon be changing.
  • Service/connection quality and bandwidth will
    improve as GPRS networks emerge, followed by G2.5
    and G3.
  • PDA-like mobile devices will provide greater
    computing capacity and ease of use for mobile
    transactions.
  • As hard drives, batteries, and global roaming
    capabilities expand, the promise of
    anywhere/anytime computing will materialize.
  • By 2010, for example, research firms estimate
    that large segments (some say as high as 75%) of
    European and American users will carry wireless
    computing and telecommunications devices.

17
The Challenge Thing: What's Possible, Practical,
and Expectable
18
The Challenges That Remain: What will it take to
get traction in mobile financial services?
Operating (Performance) Requirements for Mobile
Financial Services Networks (Equally long list
for software and devices)
  • Ubiquity of coverage (outdoor and indoor, rural
    and urban)
  • High transmission rates (144kb/s per active end
    user, 300-400 kb/s for moving (non-stationary)
    end-users)
  • Device agnostic (end-user)
  • Interoperability among carriers: transparent,
    seamless services (application looks the same,
    service uninterrupted)
  • End-to-end secure at the application level
  • Support for mobile transactions: maintain
    service and session continuity
  • Mobile apps should meet high-level wireless
    network performance requirements: call blocking
    rate, call dropping rate, hand over failure rate,
    frame error rate ALL < 1%
  • (Source: BITS)

19
Why This is Hard: Five Pillars of Security
  • Authorization: Establish that the other party is
    authorized to use the credentials being presented
    (see, first: registration credentialing)
  • Authentication: The ability for a party to
    utilize their credentials to confirm their
    authorization of a transaction (see, first:
    digital signatures)
  • Integrity (message): The ability to prevent or
    detect modification of transactions after they
    have been authorized
  • Confidentiality (message): All financial
    transactions must be protected from unauthorized
    disclosure
  • Non-Repudiation: Detecting and preventing parties
    from denying their participation in transactions
    (see, first: logging, audit, forensics)
  • (After we're finished with this: Reliability,
    Interoperability, Consumer Acceptance)

20
Summing Up: The BITS Group's Challenge
  • One important consequence of the security
    scenario described above is that the wireless
    network operator should permit an end-to-end
    security solution to be imposed at the mobile
    application level. The wireless network should
    not expose any transaction or identifying details
    of the information flows for secure end-to-end
    mobile applications. This means that the
    individual customer's identity, all transaction
    records, all passwords, and all authentication and
    authorization sequences should pass through the
    wireless carrier's network intact, without
    decryption. It should not be possible to record
    and decode this confidential information, either
    by listening to wireless channels with commercial
    radio frequency scanners, by tapping into wired
    portions of the network operator's core network,
    or by recording packet sequences or information
    that is stored temporarily in gateways or
    switches that are part of the wireless network.

21
Deconstructing Authentication/Gap Analysis: As-Is
  • It's been defined, particularly in consumer
    purchasing: PIN/Password
  • Somewhat restrictive and device dependent
  • High security is device dependent; the least
    secure, PIN, is not device dependent but is
    insecure
  • An interruption of the experience of online
    buying, etc.: disruptive
  • Overhead of managing certificate/ people ignore/
    validity disappears/fatigue sets in/no one cares
  • Static state: depth of our relationship is
    defined by this security level for this
    particular transaction
  • (Source: FSTC)

22
Authentication: To-Be
  • Ubiquitous
  • Needs to be obvious to whoever needs to know it;
    can't be an assumed activity
  • Needs to be seamless
  • Needs to be evolutionary: dynamic negotiation of
    security levels for particular transactions;
    needs to grow as the relationship between the two
    entities grows
  • Must cover all players within the transaction
    (each member of the transaction needs to be
    covered in the authentication): each party, all
    parties to the transaction must be authenticated
  • Needs to be modular
  • Needs to be extensible

23
Authentication: Gap
  • High overhead, requires too much maintenance,
    everything is password dependent: I have to
    manage the new account relationship
  • Levels of trust could be communicated across
    parties
  • Problems in the chain of trust: different
    authentications, how do you pass that trust
    around; risk of
    illegitimate/incorrect/mis-authentication

24
Authentication: Action
  • Build a system that will be a single source
    authentication system that is secure
  • Manage the scalable distributed delegation of
    trust
  • Create a protocol between that allows the
    negotiation of a security or trust level for a
    particular transaction type
  • Put a standard API around it; expose that to a
    web services API for authentication and
    authorization
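
One way the per-transaction trust-level negotiation called for above could look, as an added example (not FSTC's or the presenter's design). The trust levels, method strengths, factor categories and function names are assumptions; the transaction names echo the taxonomy slide.

```python
from dataclasses import dataclass

# Assumed catalogue: method -> (factor category, strength). Values are illustrative.
METHODS = {
    "pin": ("knowledge", 1),
    "password": ("knowledge", 1),
    "device_cert": ("possession", 2),
    "voice_biometric": ("inherence", 2),
}
# Assumed minimum trust level per transaction type (names echo the taxonomy slide).
REQUIRED_LEVEL = {"balance_inquiry": 1, "bill_payment": 2, "mpayment": 3}

@dataclass(frozen=True)
class Offer:
    granted: bool     # can the transaction proceed once step_up succeeds?
    level: int        # trust level reached (or current level if refused)
    step_up: tuple    # extra methods the client must complete, in order
    reason: str

def negotiate(txn_type, client_methods, proven=()):
    """Server side: choose the fewest extra methods that lift the session
    to the level this transaction type needs. Fails closed."""
    need = REQUIRED_LEVEL.get(txn_type)
    if need is None:
        return Offer(False, 0, (), "unknown transaction type")
    # Only one method per factor category counts: PIN + password is still
    # a single knowledge factor, not two.
    have = {}
    for m in proven:
        if m in METHODS:
            cat, strength = METHODS[m]
            have[cat] = max(have.get(cat, 0), strength)
    current = reach = sum(have.values())
    # Strongest first, so the user sees as few prompts as possible.
    candidates = sorted((m for m in set(client_methods) if m in METHODS),
                        key=lambda m: (-METHODS[m][1], m))
    step_up, used = [], set(have)
    for m in candidates:
        if reach >= need:
            break
        cat, strength = METHODS[m]
        if cat not in used:
            used.add(cat)
            step_up.append(m)
            reach += strength
    if reach < need:
        return Offer(False, current, (), "client cannot reach required level")
    return Offer(True, reach, tuple(step_up), "ok")
```

A device that can only offer PIN and password is refused for `mpayment`, while the same session is stepped up with `device_cert` when the device supports it.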

25
Authentication: Benefits
  • Methodology reduces cost-prohibitive nature of
    authentication
  • Increases reliability/interoperability of
    authentication
  • Leverages existing and future authentication
    capability
  • Allows delegation of authentication and
    authorization

26
Why This is Hard: Bringing the Five Pillars
Together WITH Interoperability
Imagine a Statement of Work... To Implement, Test
and Validate an Authentication and Security
Framework for Mobile Financial Services That
  • Provides secure authentication services,
    accessible at the end points of the network, not
    built into the network
  • Can work over unreliable, insecure networks
  • Can be accessed by any number of devices, ranging
    from ID RF Tags, to palm devices, to PC's, to
    servers
  • Can support a number of autonomous and
    distributed, but trusted, authentication services
    that can interoperate and cooperate
  • The authentication services include certifying
    various attributes of both personal and corporate
    profiles, as well as electronic documents
  • Assures that the information and certification is
    handled, transmitted, shared and stored according
    to the FTC privacy principles

27
...not finished yet: SOW continued
  • Where the certification of a single individual or
    corporation can split their attribute
    certification across different authentication
    services (e.g. enrolled college student -
    university; bank account - financial institution;
    health - doctor)
  • The system is robust and able to operate under
    denial of service attacks, viruses, system
    failures, etc.
  • That system risks and compromises are manageable
  • Where system is technology neutral - not
    dependent upon any particular authentication
    technology or encryption technology, but can
    support all current prevailing models and
    accommodate future technologies
  • (Source: FSTC)

28
The Promise Thing: Where FIs See This Thing
Headed Compared to Everything Else They Have To
Worry About
29
Evaluating and Comparing Competing Alternatives
for FI Attention and Investment
Dan Schutzer of Citigroup/FSTC
  • Although no one can predict with certainty which
    innovations will succeed and which will fail,
    certain attributes can provide insights into
    their likelihood of success. The innovation is
    more likely to succeed if
  • The channel it opens up is heavily used and is
    experiencing high growth, but, e.g., payments
    over the channel are not yet established.
  • The innovation addresses current shortcomings.
  • The innovation is perceived to offer value.
  • The technology and business innovations are
    intuitive to use and do not require behavioral
    change.
  • The technology is not overly costly or complex to
    implement.

30
More
  • Contact
  • Zachary Tumin
  • EXECUTIVE DIRECTOR
  • Financial Services Technology Consortium
  • 44 Wall Street, 12th Fl.
  • New York, NY 10005
  • www.fstc.org
  • zachary.tumin_at_fstc.org
  • V 914-576-7629
  • F 978-336-8302