Title: Extending the Franchise of Trust to the Mobile Channel: Financial Institutions, Mobile Finance, and the Hard Problems Ahead
Slide 1: Extending the Franchise of Trust to the Mobile Channel: Financial Institutions, Mobile Finance, and the Hard Problems Ahead
- Zachary Tumin
- Executive Director, FSTC
- April 1, 2003
Slide 2: Contents (More or Less)
- The Vision
- The Challenge
- The Requirements
- The View From Planet Earth (Banks)
- The Prospect
Slide 3: About FSTC
- Consortium of leading US financial institutions and technology companies bringing forward secure, reliable, interoperable technologies in proof, test, and pilot
- Active initiatives underway in web services, disaster recovery/business continuity, voice and biometrics authentication, payments system innovation, check security and imaging
- FI members include Citigroup, JPMorgan Chase, Bank of America, Wells Fargo, National City, Fidelity, BB&T, Comerica, Zions, Huntington, Wachovia
- Technology members include IBM, Sun Microsystems, Computer Associates, Hewlett Packard, Diebold, Unisys, Sungard, Motorola
- See projects, membership at www.fstc.org
Slide 4: VISION STUFF: Where We Could Be and Where We Are
Slide 5: The Current Landscape: Vision of the Mobile Channel for Financial Services
- A fully connected world
- All communicate with all instantly
- From anywhere, to anyone or any service
- All types of transactions
- Utilizing small devices easily carried or worn
- Trusted, secure, reliable, just like all the other channels
Slide 6: The Current Landscape: Multiple Channels, All Trusted (More or Less)
- The bar of perception is set high for the mobile channel, benchmarked against current trust, reliability, security in other proven channels:
  - Branch (Teller)
  - Telephone (Voice)
  - US Mail (Letter Carrier)
  - ATM (Networks)
  - On-Line (Web)
- Can still be pretty variable across and within channels, but no surprises here: financial institutions and consumers think they have fully documented the inventory of risk for each channel, mitigated them (FIs) and accepted them (consumers), and made their choice of comfort and convenience
- Mobile????
Slide 7: The Current Landscape: Multiple Channels, All Trusted (More or Less)
- For the consumer, trust, reliability, security: KNOWLEDGE
  - where your money is
  - how much is there
  - who can do what with it (no one except you)
  - how you can get to it and do things with it (walk, punch, surf)
  - what to do if there's a problem
- Not "I think", but "I know"
- Tremors/channel confusion exist and rattle trust (e.g. balance disparities irk, bug, bother), but...
- Can mobile services (post-dot-com hype, just another channel) ever come close? When? What investments should financial institutions make next?
Slide 8: Mobile Financial Services Taxonomy: Transactions
- Account Balance Inquiries and Inventory (Pull)
- Transaction Initiation and Execution (Pull)
- Data Message Exchange
- Personalized Alerts (Push)
- Account Service (Push and Pull)
- Wireless Information Synchronization
- Portal Information Access
- Aggregation Services (Push and Pull)
- Promotion/Cross Selling (Push and Pull)
- Financial Advice (Push and Pull)
- Bill Presentment and Payment (Pull)
- Loan Application/Prequalification
- Mobile Commerce (Push and Pull)
- Location Based Financial Services (Push and Pull)
- E2E Marketplace
- Registrations for Financial Service Credentials
- Mobile Electronic Payments (mPayments)
- Withdrawal of Electronic Cash to Mobile Devices
- Secure Delivery of Financial Documents
- Financial Transaction Authorizations
- (Source: FSTC and BITS)
Slide 9: Mobile Financial Service Taxonomy: Scenarios
- Mobile User to Financial Institution
- Mobile User to Physical ATM or PoS Terminal
- Mobile User to Cyber Merchant
- Mobile User to Mobile User
Slide 10: Mobile Communications Options for Financial Service Delivery
- via Immediate Proximity Communications (RFID, infrared)
- via Wireless LANs (e.g., 802.11)
- via Public Wireless Carrier
- via Intermediate System (e.g. POS system)
- via Mobile Platforms (cars, planes, trains)
Slide 11: Use of the Mobile Channel: The Observed As-Is (What the FIs See)
- Customers not clamoring for mobile finance
- Low: fewer than 1% of leading brokerages have rolled out wireless services
- High interest by PDA users: ownership 5%, of which 25% interested
- Low interest by cell phone users: ownership 39%, of which 5% interested
- Pagers: small ownership (7%), low interest
- Experience in Britain: of the 3MM Britons with a WAP phone, only 100K signed up for WAP services
- 590 million GSM users worldwide; 30 billion SMS messages; projection: over 100 billion SMS messages per month for the next two years
- (Source: Gartner, Forrester)
Slide 12: Where We Stand/As-Is: From the Financial Institutions' Perspective
- As far as the mobile channel is concerned:
  - Primary appeal is anytime, anywhere access to accounts
  - Lack of urgency plagues all devices
  - Most consumers not very interested, although they seem technologically prepared
  - Most do not consider financial transactions urgent enough to execute on a mobile device
  - Primary interest via traders: checking portfolios (stock quotes #1); low priority: loan and bill payments
  - WAMU: use of wireless in branches
- (Source: Forrester)
Slide 13: Factors Contributing to a Lack of Zeal for the Mobile Channel
- In sum: happiness with other channels, doubts about this one
- Issues of service/connection quality
- Device friendliness
- Bandwidth constraints
- Security holes and glitches
- User expectations: criteria to use the service are urgency, simplicity, frequency
- Privacy, security: impact of losing a cell phone, spoofing, ID theft
- Usability: screen size
- Cost of service
Slide 14: The Mobile Landscape From the Industry Perspective: Yet Immature
- Rapid product evolution: the pace of development in personal devices makes it very difficult to build new mCommerce or mobile financial applications on platforms that are changing radically
- Confused approaches to security: there is little industry agreement on where security functionality should reside, or who should be responsible for managing security at a systems level
- Delivering PKI services: slow to emerge; who will offer PKI services, or will there be overlapping PKI service realms?
- Government impact on security developments: different governments may have radically different views about how security gets deployed and utilized in mobile services
- Jurisdictional concerns: complicated in a world where transactions can take place even while one party is traversing a border
- Lack of industry coordination: the necessary working arrangements between the equipment vendors, wireless carriers, software developers and financial institutions have yet to come together
- Competing technical approaches: 802.11 wireless LANs, 3G cellular, Bluetooth, and IrDA have overlapping capabilities, and increasingly compete in the marketplace
- Global scale: financial services can no longer be restricted to national markets; just as users want their cell phones to work in every country, they will certainly expect their electronic wallets to work wherever they travel
- Immature mCommerce standards: mCommerce standards are even less well developed than eCommerce standards
Slide 15: For Many Financial Institutions Today, Definitely a "Hold" Recommendation
- Technology still immature
  - WAP: poor connections, difficult-to-use devices
  - GPRS: impact not until 2004; low bandwidth
  - G2.5 available; G3 still in development (16 times GPRS); availability 5 years out
- Security, reliability, interoperability persist as issues
- No killer app
- No burning platform
- No competitive differentiation possible
- Unclear value proposition
Slide 16: The Coming Landscape
- The mobile landscape will soon be changing.
- Service/connection quality and bandwidth will improve as GPRS networks emerge, followed by G2.5 and G3.
- PDA-like mobile devices will provide greater computing capacity and ease of use for mobile transactions.
- As hard drives, batteries, and global roaming capabilities expand, the promise of anywhere/anytime computing will materialize.
- By 2010, for example, research firms estimate that large segments (some say as high as 75%) of European and American users will carry wireless computing and telecommunications devices.
Slide 17: The Challenge Thing: What's Possible, Practical, and Expectable
Slide 18: The Challenges That Remain: What will it take to get traction in mobile financial services?
Operating (Performance) Requirements for Mobile Financial Services Networks (equally long list for software and devices)
- Ubiquity of coverage (outdoor and indoor, rural and urban)
- High transmission rates (144 kb/s per active end user, 300-400 kb/s for moving (non-stationary) end-users)
- Device agnostic (end-user)
- Interoperability among carriers: transparent, seamless services (applications look the same, service uninterrupted)
- End-to-end secure at the application level
- Support for mobile transactions: maintain service and session continuity
- Mobile apps should meet high-level wireless network performance requirements: call blocking rate, call dropping rate, hand-over failure rate, frame error rate ALL < 1%
- (Source: BITS)
Slide 19: Why This is Hard: Five Pillars of Security
- Authorization: establish that the other party is authorized to use the credentials being presented (see first: registration, credentialing)
- Authentication: the ability for a party to utilize their credentials to confirm their authorization of a transaction (see first: digital signatures)
- Integrity (message): the ability to prevent or detect modification of transactions after they have been authorized
- Confidentiality (message): all financial transactions must be protected from unauthorized disclosure
- Non-Repudiation: detecting and preventing parties from denying their participation in transactions (see first: logging, audit, forensics)
- (After we're finished with this: Reliability, Interoperability, Consumer Acceptance)
Slide 20: Summing Up: The BITS Group's Challenge
- One important consequence of the security scenario described above is that the wireless network operator should permit an end-to-end security solution to be imposed at the mobile application level. The wireless network should not expose any transaction or identifying details of the information flows for secure end-to-end mobile applications. This means that the individual customer's identity, all transaction records, all passwords, and all authentication and authorization sequences should pass through the wireless carrier's network intact, without decryption. It should not be possible to record and decode this confidential information, either by listening to wireless channels with a commercial radio frequency scanner, by tapping into wired portions of the network operator's core network, or by recording packet sequences or information that is stored temporarily in gateways or switches that are part of the wireless network.
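The five pillars on slide 19 and the BITS requirement above describe one design: the mobile application and the financial institution protect the transaction between themselves, and the carrier only relays opaque bytes. The following Go program is an added illustration of that design, not code from FSTC, BITS or the deck. It assumes a session key already shared between the handset and the FI (e.g. agreed at registration) and a customer signing key enrolled with the FI; AES-GCM gives confidentiality and integrity, an ECDSA signature over the ciphertext gives non-repudiation, and a modelled carrier gateway is checked to confirm it never sees plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all the carrier network ever sees: nonce, ciphertext and a
// signature over both. Nothing in it is plaintext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: encrypted transaction plus auth tag
	Signature  []byte // ECDSA over SHA-256(nonce || ciphertext)
}

// Client is the handset after enrollment. Assumption for this example: the
// session key was agreed with the FI earlier and the signing key is enrolled.
type Client struct {
	SessionKey []byte
	SignKey    *ecdsa.PrivateKey
}

// Bank is the FI side: the same session key and the customer's public key.
type Bank struct {
	SessionKey  []byte
	CustomerPub *ecdsa.PublicKey
}

// NewPair models enrollment: a fresh session key and a fresh customer key.
func NewPair() (*Client, *Bank, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{key, priv}, &Bank{key, &priv.PublicKey}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func digest(nonce, ct []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return d[:]
}

// Seal encrypts the transaction (confidentiality, integrity) and signs the
// result (non-repudiation: only the enrolled key can produce the signature).
func (c *Client) Seal(tx []byte) (*Envelope, error) {
	aead, err := gcm(c.SessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, tx, nil)
	sig, err := ecdsa.SignASN1(rand.Reader, c.SignKey, digest(nonce, ct))
	if err != nil {
		return nil, err
	}
	return &Envelope{nonce, ct, sig}, nil
}

// Open is the FI side: check the customer's signature, then decrypt. Any
// change to nonce, ciphertext or signature in transit is rejected.
func (b *Bank) Open(env *Envelope) ([]byte, error) {
	if !ecdsa.VerifyASN1(b.CustomerPub, digest(env.Nonce, env.Ciphertext), env.Signature) {
		return nil, errors.New("signature invalid: not from the enrolled customer key")
	}
	aead, err := gcm(b.SessionKey)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: transaction modified in transit")
	}
	return pt, nil
}

// CarrierLeaksPlaintext models a gateway that records everything it relays;
// it reports whether the transaction text is recoverable from the envelope.
func CarrierLeaksPlaintext(env *Envelope, tx []byte) bool {
	return bytes.Contains(env.Ciphertext, tx) || bytes.Contains(env.Signature, tx)
}

func main() {
	client, bank, err := NewPair()
	if err != nil {
		panic(err)
	}
	tx := []byte("TRANSFER 250.00 USD FROM 1234 TO 5678") // constructed sample
	env, _ := client.Seal(tx)
	fmt.Printf("carrier sees %d opaque bytes; plaintext visible: %v\n", len(env.Ciphertext), CarrierLeaksPlaintext(env, tx))
	pt, err := bank.Open(env)
	fmt.Printf("bank recovered %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 1 // a gateway alters one byte in transit
	_, err = bank.Open(env)
	fmt.Println("after tampering:", err)
}
```

The signature is checked before decryption so that an envelope not produced by the enrolled key is discarded without touching the session key, and the FI's audit log can retain the signed envelope as the non-repudiation record the slide calls for.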
Slide 21: Deconstructing Authentication/Gap Analysis: As-Is
- It's been defined, particularly in consumer purchasing: PIN/password
- Somewhat restrictive and device dependent
- High security is device dependent; the least secure, PIN, is not device dependent but is insecure
- An interruption of the experience of online buying, etc.: disruptive
- Overhead of managing certificates: people ignore / validity disappears / fatigue sets in / no one cares
- Static state: the depth of our relationship is defined by this security level for these particular transactions
- (Source: FSTC)
Slide 22: Authentication: To-Be
- Ubiquitous
- Needs to be obvious to whoever needs to know it; can't be an assumed activity
- Needs to be seamless
- Needs to be evolutionary: dynamic negotiation of security levels for particular transactions; needs to grow as the relationship between the two entities grows
- Must cover all players within the transaction (each member of the transaction needs to be covered in the authentication): each party, all parties to the transaction must be authenticated
- Needs to be modular
- Needs to be extensible
Slide 23: Authentication: Gap
- High overhead, requires too much maintenance; everything is password dependent: I have to manage the new account relationship
- Levels of trust could be communicated across parties
- Problems in the chain of trust: different authentications; how do you pass that trust around? Risk of illegitimate/incorrect/mis-authentication
Slide 24: Authentication: Action
- Build a system that will be a single-source authentication system that is secure
- Manage the scalable distributed delegation of trust
- Create a protocol that allows the negotiation of a security or trust level for a particular transaction type
- Put a standard API around it; expose that to a web services API for authentication and authorization
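Slides 22 and 24 ask for a protocol in which the security level is negotiated per transaction type rather than fixed by the device. The Go program below is an added example of such an exchange and is not FSTC's design: the client sends an offer (transaction type, amount, the authentication methods it can perform), the FI applies a policy (minimum level per type, with a step-up above an amount threshold) and replies with the lowest-friction method that satisfies it, or with the level the client must step up to. The level ordering, transaction types and threshold values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is an assurance level for an authentication method; higher is
// stronger. The ordering below is an assumption for this example.
type Level int

const (
	LevelNone      Level = iota
	LevelPIN             // something you know; device independent
	LevelDevice          // secret bound to the handset or SIM
	LevelSignature       // digital signature with a key enrolled at registration
)

func (l Level) String() string {
	return [...]string{"none", "pin", "device", "signature"}[l]
}

// Method is one authentication capability the client can perform right now.
type Method struct {
	Name  string
	Level Level
}

// Policy is the FI's half of the negotiation: the minimum level per
// transaction type and a step-up rule for large amounts.
type Policy struct {
	Minimum  map[string]Level
	StepUpAt float64 // amounts at or above this require StepUpTo
	StepUpTo Level
}

// Offer is the client's message: what it wants to do and what it can prove.
type Offer struct {
	TxType  string
	Amount  float64
	Methods []Method
}

// Decision is the FI's reply: the level demanded and, if the offer can
// satisfy it, the chosen method; Chosen == nil means step up first.
type Decision struct {
	Required Level
	Chosen   *Method
	Reason   string
}

// Required computes the assurance level a particular transaction demands.
func (p Policy) Required(txType string, amount float64) (Level, error) {
	lvl, ok := p.Minimum[txType]
	if !ok {
		return LevelNone, fmt.Errorf("no policy for transaction type %q", txType)
	}
	if amount >= p.StepUpAt && p.StepUpTo > lvl {
		lvl = p.StepUpTo
	}
	return lvl, nil
}

// Negotiate picks the weakest offered method that still meets the
// requirement, so the customer is never asked for more than the transaction
// needs; if nothing offered is enough, the reply names the level to step up to.
func Negotiate(p Policy, o Offer) (Decision, error) {
	req, err := p.Required(o.TxType, o.Amount)
	if err != nil {
		return Decision{}, err
	}
	methods := append([]Method(nil), o.Methods...)
	sort.Slice(methods, func(i, j int) bool { return methods[i].Level < methods[j].Level })
	for _, m := range methods {
		if m.Level >= req {
			chosen := m
			return Decision{req, &chosen, fmt.Sprintf("%s satisfies %s for %s", m.Name, req, o.TxType)}, nil
		}
	}
	return Decision{req, nil, fmt.Sprintf("step up to %s for %s of %.2f", req, o.TxType, o.Amount)}, nil
}

// DefaultPolicy holds constructed sample values, not an FSTC or BITS policy.
func DefaultPolicy() Policy {
	return Policy{
		Minimum:  map[string]Level{"balance": LevelPIN, "transfer": LevelDevice},
		StepUpAt: 1000,
		StepUpTo: LevelSignature,
	}
}

func main() {
	p := DefaultPolicy()
	phone := []Method{{"pin", LevelPIN}, {"sim", LevelDevice}} // handset without a signing key
	for _, o := range []Offer{{"balance", 0, phone}, {"transfer", 200, phone}, {"transfer", 5000, phone}} {
		d, err := Negotiate(p, o)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Println(d.Reason)
	}
}
```

Because the policy lives on the FI side and the client only states capabilities, the same exchange works for any device from a PIN-only handset to one holding an enrolled signing key, which is the modular, extensible property slide 22 asks for; a richer policy could also raise or lower `Minimum` as the relationship matures.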
Slide 25: Authentication: Benefits
- Methodology reduces the cost-prohibitive nature of authentication
- Increases reliability/interoperability of authentication
- Leverages existing and future authentication capability
- Allows delegation of authentication and authorization
Slide 26: Why This is Hard: Bringing the Five Pillars Together WITH Interoperability
Imagine a Statement of Work... to implement, test and validate an authentication and security framework for mobile financial services that:
- Provides secure authentication services, accessible at the end points of the network, not built into the network
- Can work over unreliable, insecure networks
- Can be accessed by any number of devices, ranging from RFID tags, to palm devices, to PCs, to servers
- Can support a number of autonomous and distributed, but trusted, authentication services that can interoperate and cooperate
- The authentication services include certifying various attributes of both personal and corporate profiles, as well as electronic documents
- Assures that the information and certification is handled, transmitted, shared and stored according to the FTC privacy principles
Slide 27: Not Finished Yet: SOW Continued
- Where the certification of a single individual or corporation can split their attribute certification across different authentication services (e.g. enrolled college student: university; bank account: financial institution; health: doctor)
- The system is robust and able to operate under denial of service attacks, viruses, system failures, etc.
- That system risks and compromises are manageable
- Where the system is technology neutral: not dependent upon any particular authentication technology or encryption technology, but able to support all current prevailing models and accommodate future technologies
- (Source: FSTC)
Slide 28: The Promise Thing: Where FIs See This Thing Headed Compared to Everything Else They Have To Worry About
Slide 29: Evaluating and Comparing Competing Alternatives for FI Attention and Investment
Dan Schutzer of Citigroup/FSTC:
- Although no one can predict with certainty which innovations will succeed and which will fail, certain attributes can provide insights into their likelihood of success. The innovation is more likely to succeed if:
  - The channel it opens up is heavily used and experiencing high growth, but, e.g., payments over the channel are not yet established.
  - The innovation addresses current shortcomings.
  - The innovation is perceived to offer value.
  - The technology and business innovations are intuitive to use and do not require behavioral change.
  - The technology is not overly costly or complex to implement.
Slide 30: More
- Contact
- Zachary Tumin
- EXECUTIVE DIRECTOR
- Financial Services Technology Consortium
- 44 Wall Street, 12th Fl.
- New York, NY 10005
- www.fstc.org
- zachary.tumin_at_fstc.org
- V: 914-576-7629
- F: 978-336-8302