Wednesday, December 7, 2011

The Difficult Challenges of Social Media for Banks

By now even banks are aware that social media is big and is here to stay. But just how do banks leverage the trend to their advantage? In this post, I will discuss some of the challenges banks face in creating an effective social media program.

Here are some of the banks' challenges, along with counters to them.

Bank Executives Don't Understand Social Media

There is still real fear on the part of many bank executives that someone will say the wrong thing in a post or tweet that may damage their reputation or put them in regulatory trouble, in the strictest regulatory environment ever.

Counter: While there is always a possibility of offending someone nowadays when you say anything, staying silent is not really a strategy. As we all know, in social media people will be talking about you anyway, so why not at least voice your viewpoint? If you are diligent enough to put the proper controls in place, the risk can be mitigated. Besides, remember that social media is here to stay, so you need to figure this out and get good at it.

ROI Difficult to Prove

Depending on the social media program, it can be very difficult to measure the hard benefits to the bottom line. In a business environment where costs are closely scrutinized, this is a barrier to implementing any program. While the start-up costs can be kept very low, since many of the tools are free, going it alone without experienced professionals doesn't leave much chance for success.

Counter: ROI is always difficult to calculate, not just in social media. The best approach is to define your goals for the project and establish metrics to measure them. The main problem occurs when you're not sure what the benefit will be. If this is the case, don't do it.

One strategy I am seeing regularly is companies (not just banks) trying to buy their friends by offering free iPads or other prizes if you like them. This works from the standpoint of getting followers, since most people will comply to get something for free, but it doesn't build a loyal following for long-term value. These same people will unlike you quickly when the marketing begins. Giveaways should be used strategically.

The good news is that the social media tools have come a long way as the market has matured. Companies like Raven's Social Media Tools can provide real-time data to help you monitor and participate in the conversation, as well as insight to help you spot trends and report on them. In short, there are more tools readily available to help you measure your goals. If you can tie those together with internal data on products, sales or other indicators, you should be able to get a better picture.

Boring and untrusted

Banking is a boring business, and for the most part banks do a great job of making it even sleepier. On top of that, the bigger banks are not trusted, or are even hated, which represents risk for them. What do they use for content in their tweets or posts that is interesting and won't offend the masses?

Counter: Take two examples of big banks on Facebook. If you go to Chase, they have a boring page with their basic information and history and no posts on their wall. Not much value here; it is a case of just establishing a presence. If you go to Bank of America on Facebook, it is a lot more lively. It wisely plays on the Building Opportunity from Bank of America slogan and has posts about the activities they are involved in within the communities. I see some negative comments lashing out, but also counterpoints from people responding to the negativity on a positive story.

Regulatory Concerns

In this harsh regulatory environment, there is definite concern that banks could take a hit from regulators for many reasons. Truly leveraging the more advanced analytics, going beyond matching targeted ads to basic criteria and instead using demographic data collected via social media, carries risk: profiling customers and steering them to specific products can raise regulatory issues.

Counter: For advanced social analytics beyond the basics, seek the guidance of experienced professionals. Even at the basic level, don't go it alone. Find an expert to help you set up a program if you're going to do more than establish a basic social media presence.

Monday, October 31, 2011

Will Bank Transfer Day Succeed in sending a message to Big Banks?

This Saturday, November 5th, is Bank Transfer Day. This is the day when all those customers who have been complaining about big banks and their costly policies and fees are slated to take action by moving their money out of big banks and over to non-profit credit unions.

The movement is not associated with the Occupy Wall Street movement but is certainly well timed to take advantage of the anti-Wall Street sentiment. It was started by a small business owner in Los Angeles named Kristen Christian, who was fed up with big bank fees and held the view that big banks are taking advantage of the impoverished and working class. She is calling for all those who feel the same way to move their money out of big bank accounts on or before November 5th.

Kristen is calling on Americans to use one of the greatest powers available to them: the ability to vote with their pocketbook. When large numbers of people simply boycott or put their money elsewhere, it can be very effective. If you don't believe me, ask Netflix, which lost 800,000 subscribers in the last few months over big price increases.

Bank of America's plan to charge $5 a month for the use of a debit card seemed to be the straw that broke the camel's back. All this was started by the Durbin Amendment, which limited the debit card fees that cut into big banks' profits (see the OLBB blog post on the Durbin Amendment). Due to the strong backlash, BOA is now considering at least some changes to allow customers to avoid the fee, such as using direct deposit.

This is not the first time that a similar campaign has been tried. The Move Your Money campaign started by Arianna Huffington and friends earlier this year (see the previous OLBB post on this) called for the same action with some effectiveness but didn't change the big banks' lives.

So the big question is whether Bank Transfer Day will be effective.

So far the Bank Transfer Day Facebook page has 31,779 likes and 11,897 talking about it at the time of this writing. The answer is that it depends on the goal. Remember, we are talking about BIG banks, and the response would have to be significantly bigger than it is right now to truly put a dent in big banks' profits. Because these are large, publicly owned institutions beholden to their investors to create profit, the behavior cannot change.

However, if the goal is to make a statement and bring awareness to the fact that there are other choices, and that they can benefit the local communities, then the answer is a resounding yes. While it might not hurt big bank profits significantly, it may still be a boost for smaller banks who need the help. This could bring more money into local communities for investment, perhaps better than some of the US government's attempts.

The fact is that Americans have always had a choice, and it is hard to listen to the complaints when there truly are other options, especially for non-commercial banking for individuals. Since moving your money is never easy, you need to weigh the advantages and disadvantages of doing so, something we blog about here a lot.


Tuesday, September 20, 2011

Big Week for Online Banking and Mobile Payments

Some big steps were taken this week toward the future of online banking and mobile payments. It is always interesting to hear announcements of exciting new technology to be developed, but even better to see actual progress toward making it a reality. Two events marked legitimate progress on the reality scale.

Google Wallet

Google Wallet was released yesterday (Sep. 19th, 2011). While there are currently a limited number of merchants able to accept NFC payments and only one phone capable and supported (Sprint Nexus S 4G) for now, it is officially real technology in the real world. Right now the wallet can be backed by a MasterCard or a Google prepaid card but will expand to VISA and American Express over time. This is a huge accomplishment for Google and could have big benefits for Google targeted advertising in the mobile space, along with Google Offers, its Groupon clone.

Bank Simple

Bank Simple has been discussed at OLBB before, but it seemed like it would never happen. Bank Simple, which will strive to create an entirely new banking experience, has gone into private beta. Once again, while not released to the masses, it represents another step forward toward hopefully having an alternative to the way banks operate today. Bank Simple promises a mobile experience built from the ground up, improved service and support, simple communication, putting people first and no surprise fees. We are all hoping for its success.

Friday, September 2, 2011

HSBC’s Secure Key: an eBanking milestone or a step too far?

This article is a guest post for the Online Banking Blog (OLBB) by John Ahlberg of Gemalto.


HSBC has come in for some criticism in the UK in recent weeks for its introduction of new security keys for its online banking customers. The credit card-sized keys generate a unique PIN for each time a customer wants to log on to their account, meaning they add an extra, second factor of authentication. This is obviously a good thing for customers’ security, yet it has attracted condemnation from customers frustrated by the lack of mobility it offers.

This once again brings up the age-old trade-off between security and convenience.

Banks are in a precarious position on this issue. On the one hand, they are under greater pressure than ever to do more to ensure the security of their customers, yet on the other are only too aware that these very same customers are averse to any changes which make it more difficult to use the service. Ideally, they need to strike a balance between the two which will provide an adequate, increased level of security, but without it being so inconvenient that customers decide to take their business elsewhere (as is proving to be the case with HSBC’s latest venture).

This is, of course, easier said than done, but one option for banks moving forward may be to offer a secure mobile app to complement their token authentication systems. One of the criticisms of HSBC’s new system is that it removes much of the freedom that online banking customers have come to expect and enjoy. Offering an additional mobile option would respond to this demand.

However, from a security point-of-view it is hard to criticise HSBC’s efforts to up its game. Vocal though they may be at present, one suspects that, given time to experience the new system, most of those opposed to this heightened security will eventually accept the changes. And those opposed would no doubt be significantly more annoyed were their account to be emptied due to a lack of such stringent measures. That said, there is little point in bringing in these measures if all they achieve is to discourage eBanking altogether.

Given the number of organisations which appear to be adopting a ‘laissez-faire’ attitude towards online banking security, HSBC’s efforts are a breath of fresh air. But they must be mindful that their customers understand this, rather than simply searching for a simpler, and less secure, option.

Tags: HSBC, Secure Key, authentication, online banking, eBanking, security

Wednesday, August 24, 2011

The fall of the Lydian Empire: Lydian Private Bank Closes

Last Friday, Aug 19th, 2011, was a sad day in Palm Beach County, Florida, for Lydian Private Bank, aka VirtualBank, when it was closed by regulators. The bank's assets were sold to Sabadell United, located in Miami.

Lydian originally opened as a pure online bank in April 2000 as VirtualBank during the Internet boom and was once a technology and service leader, winning best online bank from Money Magazine.

The bank changed its name in 2002 to Lydian Bank and entered the private banking market in Florida with high-service, boutique-style offices. While still maintaining the VirtualBank brand online, the bank grew to over $2B in assets.

The failure will cost the FDIC about $293 million. As of today (8/24), the VirtualBank web site has not changed and makes no mention of Sabadell yet; however, the Lydian website does display a notice.

Lydian of course is not alone; even online banking innovator and leader ING Direct voluntarily sold its US business to Capital One earlier this year due to cash trouble at its parent company. It has been quite a year for online banking.

It is a sad situation for Palm Beach County, with Lydian once employing over 1000 people and having a bright future. The fall of the Lydian empire closes the story on what was once an online banking innovator and great company.

Monday, August 8, 2011

Small Banks Not Safe for Business/Commercial Accounts

OLBB mainly blogs about retail online and mobile banking, but this is an important issue. As a follow-up to our last blog post on the new government (FFIEC) online security authentication guidelines, one theme is that the Feds are very worried about commercial/business account protections.

Read Carefully:

It is not required by law that your bank guarantee your money if it gets stolen from a commercial bank account. Therefore, almost no one does (Chase is the only exception). Not only is there inadequate protection, but the risk is high because of the large amounts of money and transactions in these types of accounts.

Hackers already know this and have been targeting smaller banks because they are lucrative and vulnerable. In fact, small to mid-size banks are getting raided at the pace of $1B a year. See the Bloomberg article link at the bottom of this post for some interesting reading.

Hackers are targeting small banks' commercial accounts because the smaller banks don't have the same security that the big guys have. Most of the small banks are still using security guidelines from 2005 as their security model, which is not effective at all in a 2011 world of risk. If you have commercial/business accounts at a small bank and you use online or mobile banking, your money is at risk. This is a big problem for small businesses, as a big hit in capital can shut them down. This hurts our economy through the ripple effect.

I believe that if a law were passed mandating that banks guarantee losses to commercial/business bank accounts, you would see security significantly improve, since the risk would be on the bank and not the business customer. Granted, there may need to be fees added to pay for the additional security, but a monthly fee seems like a better option than shutting your business down because you lost it all to a hacker.

For the full article from Bloomberg go here. Also check out the OLBB blog post on the new agency guidelines just released.

Wednesday, July 20, 2011

Insight on the New FFIEC Online Authentication Guidance

THE FFIEC

The FFIEC (Federal Financial Institutions Examination Council) issues guidelines for online banking which are followed by all the major regulatory agencies, such as the FDIC, OCC, OTS, NCUA and others. If you don't know who the FFIEC is, then you probably won't find this article very interesting. If you do know who the FFIEC is, then you are probably aware that the FFIEC has just released (June 28th) new guidance for financial institutions regarding Authentication in an Internet Banking Environment. This article discusses the new guidance and offers some insight on the supplement.

GUIDANCE OVERDUE

This new supplement is the first update since October 2005. In Internet time, 6 years is the equivalent of a lifetime, so some new guidance was long overdue. Since then the threat level has significantly increased, with the sophistication of the attacks reaching a very high level of advancement (think Zeus, or the software hacking kits now available to less talented hackers). The hackers have also organized into crime gangs that work together to sell credentials and share technology. The number of online users has also significantly increased since 2005, with online banking having gained major acceptance, which increases the size of the threat pool. Additionally, device types and channels such as smart phones and tablets did not even exist in 2005. The iPhone was not released until June 2007, followed by the iPad in Jan. 2010, which started the revolution.

WHAT DOES THE NEW SUPPLEMENT SAY

The 12-page supplement offers the increased threat level as the reason for the update, discussing organized crime groups, rootkits and malware. I do find the following understated sentence amusing:

"The Agencies are concerned that customer authentication methods and controls implemented in conformance with the Guidance several years ago have become less effective."

"Less effective" should be changed to "nearly useless". The document also fails to mention mobile banking or any of the new devices as a concern.

The new guidance reiterates the importance of performing a risk assessment and updating it when new information becomes available, when implementing new electronic financial services, or at least once a year.

As part of the risk assessment, the FFIEC expresses particular concern over business/commercial banking due to the higher use of ACH and inter-bank transfers, along with their higher frequency and dollar amounts. There is a specific recommendation to use multi-factor authentication for business banking.

Not only is the risk assessment critical to identifying the threats, risks and controls, but it is the key to understanding where a bank should spend its money. Given the high volumes of transactions, a great part of the science and art of implementing new security technology is deciding where and when to apply it. Too much and it can be very expensive. Too little and you can compromise your controls and render them ineffective. These are the hardest decisions to get right when enforcing security policy.

The guidance goes on to discuss the benefits of layered security, enforcing the idea that putting up a big steel front door as a complete security solution is flawed. It specifies that a layered program must contain, at a minimum, the ability to detect and monitor suspicious activity and control of administrative functions.

I think they do a really good job here of pointing out that they have looked in depth at numerous previous incidents and determined that much of the loss could have been prevented by simply applying existing technology that would have flagged and stopped many ACH/wire transactions as anomalous. I realize that they would never dare to estimate how many incidents, or how much money, this one control could have prevented or saved. It would benefit all of us to have an idea.

This is true for many other controls as well. While the attacks have become more sophisticated, many of them would not have succeeded had some additional basic controls been put in place.

The supplement goes on to discuss the effectiveness of certain authentication techniques. It rightfully calls out the obvious: using a cookie to stamp a device as verified is inadequate, since the cookie can easily be copied. The recommendation here is to use more sophisticated device identification, such as device signatures.

Challenge questions are also called out as ineffective, especially as a back door for a forgot-password or similar scenario. These types of questions can be captured by the same keyloggers that capture authentication credentials, or be easily defeated by someone who knows the target or who discovers the answers online through social media or other sources. "Out of wallet" questions are offered as an alternative; these typically use credit or other less available data to construct questions. While this is more difficult, it is also easily defeated by anyone willing to pay for the data. The best part of this for me would be the elimination of the silly and irritating questions that you are forced to answer by almost all banks. It backs up my long-standing complaint that this only enhances the appearance of security while providing little benefit to the user and actually inflicting pain instead. Could those silly questions finally go away someday?

The guidance ends with a discussion of a customer awareness and education program. What stood out for me in this section was the suggestion that the financial institution advise its commercial customers to conduct their own risk assessments. For most small to medium businesses this is not practical. Most people do not know how to conduct a risk assessment, or do not have the time. Maybe a clever bank could come up with a simplified online process to walk them through some questions and make it feasible.

THE APPENDIX

The most interesting part is the Appendix, which provides narratives on the threats and the potential controls that are available today. Here they further discuss transaction monitoring capability, out-of-band authentication, malware and layered security. While interesting, I would hope that the risks and controls discussed in this section are not news to any of the security people at the bank.

Opinion

Overall I would give the new guidance a B. They lose a grade just for not at least mentioning mobile banking and the new devices. They also waited way too long to provide guidance, since so much has changed.

But that is not the important part. I believe that the guidance is often misunderstood as to its purpose. I use the word purpose because it is the first section in the document. I often read and hear that it does not go far enough in providing more guidance, discussing the threats or recommending controls. I have heard many times the comment that regulators will tell you a control is inadequate but won't tell you what you should do to fix it.

I believe the intent is only to provide high-level guidance and not to recommend specific solutions or hard requirements. And let's face it, they couldn't do that if they wanted to, since there is no single answer and every situation is different. Any in-depth details would quickly become obsolete, since the threats and the technology change so quickly.

Given those criteria, I believe the new guidance does a good job of providing guidance and increasing the expected level of security in future audits.

Most importantly, I would argue that any financial institution that relies on this guidance as the basis for a security strategy is in trouble. An institution must take it on itself, through hiring security experts or consulting them, to guide the strategy and implementation. I see too many banks satisfied that they are meeting the 2005 guidelines.

As mentioned before, I believe that the FFIEC waited way too long in releasing an update. Not only because even high-level guidance can quickly become obsolete, but because it sends a message of apathy. If a bank must perform a security assessment once a year, then the guidance should be updated at least once a year. Doesn't hacking present a threat to our commerce and therefore our economy? (Check out the link at the end about viruses having become the new 21st-century weapon.) Why give the banks any additional reasons to delay strengthening their security?

You can read the new FFIEC guidelines here.


Scary story about viruses as the new 21st century weapon

Thursday, July 14, 2011

MoveNBank Startup Planning Bank 3.0

Online banking expert and innovator Jim Bruene of NetBanker made us aware this week that a new bank startup is getting ready to offer a new way of banking for those of us who are tired of the way banks operate today. The startup is named MoveNBank, which is a reference to its intent to create a banking platform built from the ground up for mobile and online channels.

As former Chief Software Architect and CIO at VirtualBank, having built an online-only bank from the ground up back in 2000 during the initial revolution, I can tell you it is not easy. One major difference from then is that mobile banking was only a to-do for sometime in the future at that point, since the technology was not ready yet.

MoveNBank was founded by banking pioneer Brett King, author of the book Bank 2.0. When Bank 2.0 was published back in March 2010, I was excited to have an ally in my efforts to move banking into modern times and considered it the bible of the future of banking. At the time, I was floating the idea of a new bank account for mobile and online only. This may help explain my excitement for MoveNBank.

While details are still limited at this point, we do know that a private beta is to begin soon, with a soft launch around July 2012. It will be exciting to see what the experience will be and how the vision is executed. I must applaud Brett King for not just writing a book about how to make banking better but actually stepping out to the edge and making an effort to move it forward. We all know that big business moves slowly until some innovator or revolution comes along and makes it happen.

Bank Simple is another one of those start-ups working to improve the online and mobile banking experience, and they are reportedly beginning to test a small batch of bank cards with their employees after announcing it a year ago. We all have our eyes on that launch as well.

We will keep you posted as we monitor MoveNBank and Bank Simple progress in their efforts to drive the future of banking.

Thursday, June 30, 2011

Fed Eases back limit on Debit Card Swipe Fees

OLBB has been following the Durbin Amendment, which was scheduled to go into effect July 21st and will limit the amount banks can charge retailers for debit card transactions. Yesterday the Fed decided to change the limit from 12 cents to 21 cents (banks are currently charging 44 cents). Some additional incentives would allow the fee to go as high as 24 cents. More importantly, the go-live date was pushed back to Oct. 1.

The new date gives the banks time to continue challenging the new law and to prevent or soften it further. Since the impact of this is big on retailers, banks and consumers, we will continue to follow and post on this as it progresses. For more details, look at our previous posts on this subject in the Archive section of this blog.

Thursday, June 23, 2011

USAA Adds Security Zone Stamp to Help Against Phishing Attacks

Online bank USAA has added a new feature to its email correspondence with its bank customers. The stamp will be located in the upper right corner of every email and will show your first name, last name and the last 4 digits of your account number, to help you determine whether an email was legitimately sent by USAA and is not a hoax trying to glean your information or passwords. The stamp looks like the image shown below:


I applaud any bank for continuing to improve online security, even with small changes. USAA states that all bank emails will carry this stamp by August. Adding the stamp makes it harder for the less sophisticated phisher to succeed, which seems to be the intent, while a more sophisticated attacker could duplicate the stamp. That would require a targeted attack in which the attacker discovers the last 4 digits of your account number, which they could get by gaining access to one of these emails.

Given recent breaches such as the one at the major email provider Epsilon, that is certainly possible. This seems like the perfect time to remind online users of the basic security rules regarding potential phishing emails.

1. Cardinal rule: Never click on a link in an unsolicited email. If, for example, USAA sends you an email, you know that you can simply go to USAA.com directly or through an existing bookmark.
2. Remember that a bank or financial institution will never call, email or otherwise contact you to ask for your password or other authentication credentials.
3. Keep your antivirus software up to date.
4. Use anti-spyware software.
5. Keep your operating system and Internet browser up to date. If you are still using IE6, you are asking to be hacked.
6. Use a personal firewall on your computer.
7. Do not use public computers for sensitive transactions, or computers shared by kids who may have infected the system with spyware. When in doubt, mobile devices are a good option.

There are other measures that can be taken but these basics are a good start.

Learn more about phishing at this government site.

Thursday, June 16, 2011

PayPal Mobile Check Capture Supplements Your Bank's Lack of Features

Do you wish your bank offered the ability to deposit checks by taking a picture of them with your smart phone, for that occasional paper check you get a few times a year? You are not alone. While paper check usage is dropping drastically, most people get a few checks a year in the mail or from a friend or family member, and these are a hassle to deposit.

Currently only 9 banks in the US offer this feature, and many more banks still don't even have a mobile banking application.

The 9 banks at the time of this writing that offer Mobile Remote Deposit Capture (depositing a check with a smartphone) are USAA, Chase, PNC, State Farm, Charles Schwab, Digital Federal Credit Union, Randolph Brooks Federal Credit Union and WV United Credit Union. Some of these banks offer only an iPhone version, while others such as USAA offer Android and BlackBerry versions as well.

Fortunately, there is a way to use PayPal to make up for your bank's lack of this feature, saving a trip to the bank or, even worse, having to mail the check. PayPal offers this feature in its mobile app; the funds can then be linked to your checking account and transferred. The PayPal app was first released for iPhone and BlackBerry about a year ago, but in May it was finally released for Android, covering just about all smart phone users except Windows Phone 7. Although the total time to receive the funds may be up to a week, this is acceptable for most scenarios.

To make it work, just download the PayPal mobile app from your mobile platform's app store or marketplace. Then sign up for a PayPal account if you don't already have one, and link your bank account to your PayPal account.

Friday, June 10, 2011

2011 Shaping Up to be Bad Year for Online Security Breaches

With the year only half over, it has been a bad start for big security breaches. The latest is Citi, announcing this week that a major breach of customer account information has occurred. We don't yet know the full extent of the damage; it has been reported to be about 200,000 credit card customers, but apparently Citi waited a month before disclosing the breach to its customers.

The security breaches this year go beyond consumers being compromised and extend deep into our nation's security. This is mainly due to a big breach at RSA Security, owned by EMC.

The big breaches have been coming so often that it is easy to forget. Here is a recap so far for 2011:

Reported in Feb - Nasdaq, malware on their network, damage unknown but critical to the exposure of the US economy

March 17 - RSA, even the big security company that plays a role in securing the US government and most of the top companies in the US had its network breached through a phishing email. Information regarding RSA SecurID tokens was compromised. This now calls into question the long-term effectiveness of this defense. Specifically, RSA two-factor authentication algorithms may have given attackers a way to defeat the protection. Other breaches summarized below, such as L-3 and Northrop Grumman, were believed to be related to this breach.

April - Epsilon, over 40M email addresses exposed (blogged about on OLBB here)

April 19th - Sony PlayStation Network - personal data and credit card information of tens of millions, shutting the network down for almost a month

May 21 - Lockheed Martin, the biggest provider of information technology to the US government, including F-22, F-35 and other weapon systems. Actual damage not disclosed, but critical to the security of the US since it holds many military secrets. China is the main suspect.

May 26 - Northrop Grumman, shut down its remote access to its network; damage unknown but it was described as a significant and tenacious attack on its information network.

May - L-3 Communications - major attacks due to the RSA Security compromise, details not known

June - Google Gmail, hundreds of emails compromised through a phishing attack, significant because it involved US government officials. China main suspect.

Reported in June but hacked in April or May - Citi, ~200M credit card accounts

Wednesday, June 8, 2011

Senate Rejects Delays on Debit Card Swipe Fees

Today the Senate voted not to delay the "Durbin Amendment" for a year. The caps on debit card interchange fees that banks charge are scheduled to go into effect this July. These fees represent a lot of revenue to big banks and will likely hurt their stock prices while they scramble to figure out how to recoup the revenue loss with new fees. Smaller banks and credit unions (under 10B) are excluded.

OLBB (Online Banking Blog) has been following and blogging about this issue for some time because it will have a big impact on big banks and payment systems. Whenever you legislate change like this there will be a lot happening from all sides including big banks, community banks, the merchants who benefit and the consumer who will be affected but doesn't really know it yet.

We will continue to follow and provide updates on this.

Wednesday, May 25, 2011

Square Hits Home Run with Card Case

Square has announced a new payment service called Card Case that could significantly impact payment processing in the US. With all the payment news lately centering around NFC contactless payments, this out-of-the-box thinking makes a lot of sense.

Let's ignore merchant adoption for a minute and explain how it works. A buyer downloads the free Square application on their smart phone and visits a Card Case participating merchant. The buyer selects the merchant on their phone and hits "Start a Tab" before making a purchase. Since this is the first purchase using Card Case the buyer swipes their credit or debit card to pay as normal. The merchant swipes the card into their Square register (an iPad) instead of the old credit/debit card terminal. After the purchase, the buyer receives a text message with the payment confirmation and associates the transaction with the card to use for future payments.

On the next trip to the merchant you can just check in to enable the payment with a single button and tell the cashier your name. The merchant will see you and your picture on their register and charge the account. You get instant notification of the payment, all just by telling the merchant your name.

How does it work for the merchant? The merchant sets up an account with Square and downloads the app onto their iPad, which becomes the cash register. The swipe occurs in the small Square device that is plugged into the headphone jack of the iPad. This is consistent with Square's first product in the marketplace, which allows anyone to accept payments without a merchant account. You can see more by going to squareup.com.

This is truly out-of-the-box thinking and is simple. When you think about it, why do we need NFC (contactless) payments anyway? Wouldn't it be better to go to the counter and be presented with the total on your phone and approve the payment? Whether you like the way it works or not, the idea of somehow connecting the merchant and the buyer directly to make a payment is better. And with merchants rejecting the ISIS NFC approach recently, the time may be right.

The use of geo-location is another big plus. Buyers can locate merchants near them to make a purchase, and it serves as a security feature to enable the payment capability only when they are ready to purchase. They also get to see the menu or products ahead of time, which makes it easier to decide what they want. The merchant will be able to make special offers or discounts if they choose, to entice buyers nearby to come in for a deal.

Another major selling point is that it is available now in select areas and expanding over the next few weeks. Buyers can download the app today and merchants can sign up right now. Square is already used by small businesses or part-time vendors who need a mobile solution for occasional payments without requiring a merchant account.

And this brings us to merchant adoption which is critical to the success of Card Case. First, Square has a good track record so far with their original product which has grown to $1B annually and 1M transactions a month. Small by VISA standards but impressive. There are many advantages for the merchant including knowing their customer, using geo-location to reach out to potential buyers nearby and a simple billing method.

The main barrier to merchant adoption could be the cost. It requires at least 1 iPad and some form of connectivity for the device, whether that is wi-fi or 3G coverage. For larger businesses it may require more than 1 iPad. Ideally it would also require a rotating mounting harness to hold the device and let both the buyer and the merchant access it, at least for the first transaction. The fees are the same as credit transactions, so that will not be a factor.

For me there are two main points that stand out with Card Case. First, this is version 1.0, so the features they will be adding could change the buyer and merchant experience. This could become not only a new way to pay but a new way to shop. This has a potential to bring change much the way Groupon has brought change in the coupon/offers market.

Second, the new payment paradigm may catch on or at least bring about more innovation with similar but improved models that can truly bring about the digital wallet.

Of course, with all new technology there are concerns, with security leading the way. It seems as though security would be improved since you enable the payment right before purchasing. However, this also requires that Square hold your credit card data, which must be protected adequately. And of course, what if someone gets hold of your phone? All of these issues can be addressed as needed.

Looks like Square founder and Twitter creator Jack Dorsey has another big hit. We will find out pretty quickly as the trial rolls out wider in the next few weeks. Judging by the star ratings and comments on the Apple App Store for the free Square download, it looks very positive. Almost all ratings were 4 or 5 stars.

Tuesday, May 10, 2011

BOA to Rollout Text Approval for Overdraft Transactions

Bank of America has announced a pilot program that will allow a customer to approve a declined transaction via text message when there is not enough money in the account. If they approve the transaction the customer will be charged a $35 overdraft fee. In order to participate, the customer must enroll in the program ahead of time. BOA will also not charge the fee if the money is replaced by the end of the day.

Last year regulatory changes went into effect for all banks that prevented overdraft fees without a customer's active consent. In response to this, BOA simply started declining transactions that would overdraft an account. This of course significantly cut into the huge fees that were being racked up by BOA and other banks.

While I don't recommend anyone intentionally opt in to overdraft fees, the approach seems quite fair. The customer is opting into the program and then agreeing to the charge on an individual transaction basis each time. I must give BOA credit for the use of technology to enable options for the customer while generating a new revenue stream for them.

I am sure there will be some who criticize this program as taking advantage of lower income customers who live within thin margins. However, I am a believer in accepting responsibility for your actions. After opting into the program and then approving each transaction this clearly meets the definition of active consent.

If the pilot succeeds I believe we will see this same model roll out at other banks fairly quickly. After all, why miss out on another revenue stream? Congratulations to BOA for thinking out of the box.

Monday, May 9, 2011

ISIS Payment Network Step Back Points to VISA and MAC Win

The mobile payments NFC Joint Venture Initiative by AT&T, Verizon, T-Mobile and Discover has taken a major step back. Their initial plans to build a new NFC payment network will now be scaled back to merely a mobile wallet solution which will allow payments through VISA and MasterCard.

Looks like this setback is courtesy of the US retailers who are not willing to install any new systems at their registers unless their customers can use VISA and MAC to make their purchases. Discover is simply not big enough to draw any interest. Thus the downgrade to a mobile wallet by the partners puts them in competition with the numerous other competitors offering mobile wallets in the space.

The irony of it all is the love-hate relationship between US retailers and VISA/MAC. The retailers hate paying the fees for both credit and debit cards (Durbin Amendment still looming) but know that they must comply to keep selling. So it looks like mobile payments will not likely break the stronghold of the big boys, and that the message was delivered by the US retailers themselves.

Thursday, April 28, 2011

The Challenges of Online Banking Security

In my last blog I discussed the Epsilon breach, which affected a large number of customers including banks and many others. The latest breach, for Sony PlayStation gamers, was not specific to banking but was significant, and it can only affect online bank customers if they were careless enough to use the same usernames and passwords that they use with their banks (yes, people do that).

The point is that breaches can come from outside the bank through its partners, vendors and relationships. Banks are required to do significant due diligence to ensure a potential partner has best practices in security which is critical. Coming from someone who has done a lot of due diligence on companies over the years it is difficult to get a true deep picture of a company's security posture. Small details can make a big difference. Also, many times there are simply not that many partners who have the capability you are looking for which limits your options.

Epsilon is a good example. Since they were used by many big banks and other large companies, you can assume that a lot of due diligence was done before contracts were signed. Yet there was still a compromise. So this is definitely an Achilles' heel for bank security.

One final point of interest: a recent article from PC Pro (link at end of blog) states that the FBI has tied recent hacking attempts worth $20M back to China. Once again, from experience I can tell you that hacking comes from all over the world, but this does not surprise me because China hacking attempts far exceeded all others by a large magnitude, making the term "Made In China" take on new meaning.

As I have said before, the best security comes from you and your habits, but it is important to make sure that your bank uses geo-location risk-based assessment with out-of-band authentication protection. You would think it would be required, but it is not yet. If your bank does not and you use online banking, find another bank.

PC Pro Article

Friday, April 8, 2011

Epsilon Breach Exposes Major Banks and its Customers

You probably have received several alerts from various vendors already about your email being compromised in the Epsilon breach. I know I have received 3 so far, which speaks to the magnitude of the breach. Epsilon is currently stating that about 2% of their customers were affected. They send out about 40 Billion emails annually for about 2500 customers.

Some of the big banks affected include Citi, Chase, US Bank and Capital One. While no account numbers, SSNs or other NPI was exposed, it still is a major advantage for phishers because it allows a more personal, detailed and customized attack, which increases the rate of success. Of course none of this is a problem if customers simply never respond to any of these emails no matter how legitimate they look. Still, we know that a small percentage will, and this is what the hackers count on. It is all a game about percentages, and having the name or other small bits of information makes the phishing email look more legitimate, which increases the success rate.

For banks, phishing attacks become a race against time. From the time they become aware of a phishing attack they go to work to let the customers know about the attack and to work with authorities and Internet providers to get the phishing sites taken down. This is not as easy as you may think, since there may be multiple sites, often set up in countries where there are language and response barriers. Meanwhile, every day or hour the site stays up the hackers benefit.

So the banks will likely be busy with the new barrage of attacks coming up. Just be sure to remember the security basics to protect yourself.

Monday, April 4, 2011

Money Moving Away From Big Banks?

An interesting trend in banking is underway, with deposits beginning to move from the largest US banks to local community banks and credit unions. While some of the movement is occurring naturally due to dislike of "too big to fail" banks after the bailout, the "move your money" campaign started by Arianna Huffington and friends is having an impact as well.

According to the Huffington Post and the Moebs Services research firm, over 4 million accounts have already moved, with predictions for another 7-9 million accounts to move by the end of 2011. The Move Your Money Project encourages individuals to divest from the nation's largest Wall Street banks in favor of local financial institutions. (MoveYourMoneyProject link)

Since smaller banks tend to lend more to the local community, it helps support the local economy and business in the area. This movement seems to be a part of an overall trend not just in banking but in the green movement too: buy local produce and products to save energy and support your local businesses. Of course online banking is green as well, since it means fewer trips to the branch.

Coming from an online banking proponent I would say that many of the smaller banks and credit unions have improved their technology and services over the years. And in the past, I remember starting with small banks and watching them get eaten up in a food chain that bubbled back up to one of the big boys.

Then there is always the question of security. Are the small local banks as secure as the Wall Street Banks? They certainly don't have the resources to invest in security like the big guys and the recent hacker trends are starting to take advantage of that fact. On the other hand, we still have seen security breaches at the big banks as well.

Finally, what about convenience? Mobile banking apps, iPad apps, P2P payments, Contactless payments... all the exciting changes coming out. Small banks aren't usually the ones to make this happen first. The good news is that the technologies seem to be getting commoditized quicker and are becoming available through third party vendors quicker. For some, this still may be a consideration.

And why not consider someone like USAA? Not really small, but not too big to fail, with great services, security and technology, and they do good for our service members in the military. (Note: Other than being an account holder there is no affiliation between USAA and myself.)

Overall, we know that moving your money from any bank is not easy. But if you decide to jump on the bandwagon there is a lot to consider. One of the best ways we can make a political statement or really express our opinion is by choosing who we wish to patronize.

Tuesday, March 29, 2011

Deadline looms for Fed to Regulate Debit Card Interchange Fees

Back in Jan I blogged about the Wall Street Reform Bill and particularly about the "Durbin Amendment", which allows the Fed to regulate the fees banks charge to merchants for debit card transactions. Previous article here. Time is running out and this is a big game changer if it goes through, so I thought I would provide an update.

Over the last few weeks there has been intense lobbying by big banks to at least delay the limiting of the interchange fees, and so far at least 9 senators have signed on to delay the bill for at least 2 years. The amendment is scheduled to take effect this July (with a ruling on fees April 21st), so the senators (led by Sen. Jon Tester) are pushing to pass the delay quickly. We are talking about $16B in fees a year, so there is a lot at stake.

If the delay is passed it may very well end up eventually killing the amendment. So the $16B race is on before it takes effect. My money says they will pass the delay and put it off for another day. I think they have even bigger issues to work out like a federal budget don't they?

In the meantime, the big banks are planning to raise other fees to recover the revenue loss if needed. Stay tuned to see what happens over the next few weeks.

Thursday, March 10, 2011

ING to sell US Online Banking Unit

Looks like the "We the Savers" and "Save your money" innovators are taking a huge blow. Due to problems in Europe, the Dutch giant ING has agreed to sell the ING Direct US online bank in order to receive a European bailout of 10 billion Euros (14B US). The sale will happen by 2013 and include their US insurance and investment management operations.

This has got to be a big disappointment for Arkadi Kuhlmann, the founder of ING Direct and the brains behind it. Arkadi pioneered online banking in Canada and subsequently the US, developing a savings culture for its clients. For some great insight into Arkadi and ING Direct check out the book The Orange Code. This interesting read is a lesson in how to develop a corporate culture and motivate your employees. Arkadi has been well known for his outspoken view of banks and their motivations, often criticizing them when speaking at their own banking events.

This is a big change for online banking and leaves a lot of open questions. Who will buy ING Direct in the US and what will they do with it? Will it end up in the hands of a BOA or JP Morgan Chase? That would be ironic.

Does this open up the way for a new online banking leader to take the lead in the online banking space, or is it the end of an era? Way too soon to say since this all just happened yesterday, but I do think it is a setback for online banking and one of its greatest brands and innovators.

Full article: Bloomberg Article

Thursday, February 10, 2011

Is JP Morgan Chase an Evil Bank?

The news has not been good for JP Morgan lately. Let's start with the lawsuit filed against JP Morgan Chase in December 2010 (revealed in Feb 2011) by trustee Irving Picard on behalf of Madoff defendants such as the owner of the NY Mets, HSBC Holdings and UBS AG.

JP Morgan was the main banker for Madoff's firm for more than 20 years. The suit accuses top-level members of the bank, including a risk officer, of having significant doubts about Madoff as much as 18 months before Madoff was arrested. Worse yet, the suit alleges that the bank sought to make money by offering financial products tied to Mr. Madoff even though the bank had concerns about the legitimacy of his returns.

Does this make them evil? Anyone who has ever worked in banking knows about the principle of "know your customer" to help defend against fraud. There is significant oversight and training that is in place to make sure every employee knows the warning signs. Even though the suit alleges there were alarms going off internally why did it take them so long to report it? Without knowing the details yet we can't speculate but it will be an interesting trial and insight into the bank.

Next let's take the NBC news reports that JP Morgan Chase has admitted overcharging 4,000 military families for their mortgages and improperly foreclosing on 14 service member families. These families are supposed to be protected by the Servicemembers Civil Relief Act.

Marine captain and pilot Johnathan Rowles tells the story of a 5 year battle with JP Morgan: even though they had sent copies of active duty orders and never missed a mortgage payment, the bank failed to credit them for payments and launched collection agency campaigns that resulted in collector calls 3 times a day, including after midnight and even at 4am. Can you imagine treating our country's heroes like this?

Does this make them evil? I would say that to be evil it needs to be intentional, and that has not been proven yet, but it does appear to make them too big to prevent themselves from committing evil-like acts that hurt customers and their own image. Incompetence and poorly run areas would be the alternative if it is not intentional. So is it too big to fail or too big to succeed?

JP Morgan Chase does fund many programs that provide benefit to military families, such as the Wounded Warrior Project, Military Warriors Support Foundation and others, and yes, they will be sending out refunds for the overcharges, but all of the good is easily wiped out by everyday actions. You also have to wonder: if they overcharge military families, does it happen to regular citizens too, and isn't that just as wrong?

Friday, February 4, 2011

USAA Bank Releases iPad App

Online bank USAA once again stays on the leading edge by releasing a new iPad application. While USAA is not the first bank by any means to come out with an iPad app, they add another mobile application to their mobile line-up, which includes iPhone, Android, Blackberry, Windows Phone and non-smartphones.

The iPad app is full featured, providing a very complete set of bank functions, transfers and bill payment in a very attractive, easy-to-use interface. Add the amazing form factor of the iPad and you have a great experience. They also provide information on auto, home, retirement and financial management, insurance, investments and a complete list of contact information. It was somewhat disappointing, I must say, that after some basic information the "learn more" links just pop you out to Safari.

As with their iPhone app USAA also supports the Quick Logon feature that allows a secure and fast login.

As you may know, USAA was one of the first banks to roll out mobile remote deposit capture. So it will be interesting to see if they support remote deposit when the next generation iPad is released containing a built-in camera. Since the next iPad will also have front and rear cameras and will support FaceTime, will USAA be the first to provide FaceTime customer support? That would be impressive.

One thing is clear, USAA gets how important mobile banking is becoming to banks in the US. USAA is high on my list of very good online banks.

Monday, January 24, 2011

Does your bank use Out of Band Authentication? If no then drop it.

The Zeus trojan did its damage to banks and financial institutions and it looks like more threats are on the way. A new trojan construction kit called CarBerp for hackers is laying the groundwork for a more advanced round of general and targeted attacks.

Zeus is a very advanced trojan and gave banks and their customers a tough time. It was particularly effective because it is a man-in-the-browser (MitB) attack. Since these trojans work locally on the client side, it is difficult for the bank to help prevent the attack as the credentials get stolen and sent off to another site. Unfortunately, CarBerp will allow even more advanced attacks than Zeus.

Those banks that implement out-of-band authentication have the best chance of protecting their clients. Out-of-band authentication uses another channel outside the browser, such as the telephone or SMS, to verify a client's identity before allowing the login. It helps prevent stolen credentials from being used to steal money or data. I would strongly encourage all bank clients to find another bank if their bank does not use out-of-band authentication to protect their customers.

Out-of-band authentication protection is only as good as the bank's ability to detect and monitor each login from the customer to determine if the login should be "challenged" based on a risk model. The challenge is where the extra automated phone call or SMS message helps protect the customer by making sure it is really them logging in. For more information on out-of-band authentication check out the PhoneFactor link below.
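The risk-model-plus-challenge flow described above (and the geo-location risk-based assessment called for in the April 28 post) looks roughly like the following in code. This is an added example written for this page; it is not the blog's code and not PhoneFactor's product. The risk signals, point values, challenge threshold, the customer's "known-good" profile and the login attempts are all constructed for illustration, and the SMS/voice channel is simulated with an in-memory outbox.

```python
"""Risk-based login challenge with simulated out-of-band (OOB) verification.

Added example, not code from the blog or from PhoneFactor. Risk rules,
thresholds and the customer profile below are constructed placeholders.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed "known-good" profile of one customer's past logins.
KNOWN_PROFILE = {
    "countries": {"US"},                       # geo-location of prior logins
    "devices": {"dev-laptop-01", "dev-phone-02"},  # recognised device ids
    "typical_hours": range(6, 23),             # local hours logins usually occur
}

CHALLENGE_THRESHOLD = 30  # assumed: at or above this score, challenge out of band


@dataclass
class LoginAttempt:
    user: str
    country: str       # country resolved from the client IP
    device_id: str     # device / browser fingerprint id
    hour: int          # local hour of day (0-23)
    failed_recent: int # failed password attempts in the last 15 minutes


def risk_score(attempt: LoginAttempt, profile=KNOWN_PROFILE) -> int:
    """Additive risk model: each anomalous signal adds points (constructed weights)."""
    score = 0
    if attempt.country not in profile["countries"]:
        score += 40   # login from a country never seen for this customer
    if attempt.device_id not in profile["devices"]:
        score += 30   # unrecognised device; MitB on a known device would not trip this
    if attempt.hour not in profile["typical_hours"]:
        score += 10   # unusual time of day
    score += min(attempt.failed_recent, 5) * 5  # recent password failures, capped
    return score


def needs_challenge(attempt: LoginAttempt) -> bool:
    return risk_score(attempt) >= CHALLENGE_THRESHOLD


@dataclass
class OobChallenge:
    code: str
    expires_at: float
    attempts_left: int = 3


class OobVerifier:
    """Simulated out-of-band channel: issue a one-time code to the customer's
    phone and verify what they type back. The code never goes to the browser."""

    def __init__(self, ttl_seconds: float = 120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending: dict[str, OobChallenge] = {}
        self.sent_messages: list[tuple[str, str]] = []  # stands in for SMS/voice delivery

    def issue(self, user: str, phone: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"          # 6-digit one-time code
        self.pending[user] = OobChallenge(code, self.clock() + self.ttl)
        self.sent_messages.append((phone, f"Your bank login code is {code}"))

    def verify(self, user: str, supplied: str) -> bool:
        ch = self.pending.get(user)
        if ch is None:
            return False
        if self.clock() > ch.expires_at or ch.attempts_left <= 0:
            del self.pending[user]                        # expired: must re-issue
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code, supplied)       # constant-time comparison
        if ok or ch.attempts_left == 0:
            del self.pending[user]                        # single use, limited guesses
        return ok


def login(attempt: LoginAttempt, verifier: OobVerifier, phone: str, code_provider) -> str:
    """Runs after the password check. Low-risk logins pass; risky ones must
    answer an out-of-band challenge. code_provider() returns what the user typed."""
    if not needs_challenge(attempt):
        return "allow"
    verifier.issue(attempt.user, phone)
    return "allow" if verifier.verify(attempt.user, code_provider()) else "deny"


if __name__ == "__main__":
    v = OobVerifier()
    risky = LoginAttempt("alice", "RO", "dev-unknown", 3, 2)
    print("risk score:", risk_score(risky), "challenge:", needs_challenge(risky))
    # Demo only: read the code out of the simulated SMS outbox.
    print(login(risky, v, "+1-555-0100", lambda: v.sent_messages[-1][1].split()[-1]))
```

The point a stolen-credential attack runs into is that `issue()` never returns the code to the web tier: it goes only to the registered phone, so a trojan holding the password still has to answer a channel it does not control. Expiry, single use and a guess limit keep the code from being brute-forced or replayed.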

Does your bank care enough about you to help protect your money? If not, drop em.

For more information about out of band and multi-factor authentication check out PhoneFactor.
For more information about Zeus and CarBerp check out TechRepublic article.

Wednesday, January 12, 2011

The Great Debit Card Interchange Fee Debate Rages On

In May 2010 the "Wall Street Reform Bill" was passed by the US Senate in an effort to prevent another financial meltdown. In June 2010, an amendment was added to the same bill called the "Durbin amendment" (after senator Dick Durbin from IL) that allows the Fed to regulate debit card interchange fees.

Interchange fees are the fees paid by merchants for each debit and credit card transaction that occurs. By March 2011, the federal government can limit the fees that merchants pay for debit card transactions for big banks (assets above 10B). As a consumer you may not care about this since the fees are paid by the merchants but the merchants pass the expense along in higher prices to everyone somewhere around 2% to 4%.

To explain simply, remember the VISA commercial where everyone is busy swiping as the music plays and the line is moving along in smooth synchronized harmony until someone steps up and wants to pay with cash? The music comes to a screeching halt and everyone abruptly stops, the milk spills and they glare at the customer. That is the perfect commercial to explain what it means to the card providers and the banks. That music stopping is the sound of cash flow interruption. (See the VISA commercial on YouTube.) According to CNN the estimated interchange fees in 2008 exceeded 48 Billion and the cost to the average consumer is $427.

The issue is complex, and as VISA, MasterCard, other card providers and banks would quickly point out, the payment system is great for the economy by making it convenient to purchase and much safer than checks for fraud purposes. So this is the price for convenience and a faster lifestyle. Opponents point out that these fees have gone up over the last 10 years and that in other countries these interchange fees are significantly lower.

So what will happen if the likely scenario occurs of the Fed limiting the interchange rates for debit cards? This is the source of raging debate with many opinions. The merchants would be happy, but there is debate as to whether they would pass the savings along to the consumer. I think that most would, to compete. The consumer might be initially happier if prices are a bit lower, until they lose their popular rewards programs, which are funded by the fees but are never a good deal when you look at the point values. The card providers and banks will have a reduced revenue stream, estimated by CardHub to cost them about 3.6B to 9.1B.

My take on it is that it is generally not a good idea for the government to mess with the markets because it often has an unintended effect. Just like with overdraft fees for banks and new credit card rules, the industry just changes its strategy to generate revenue in some other way. Any doubt that banks will change their fee structure to make up that revenue? They are in business to make money.

All this assumes that the government regulation will get it right as well which is often not the case. The Durbin amendment doesn't apply to prepaid debit cards, credit cards, institutions below $10B (credit unions for example) so how will that affect the playing field?

Technology often has a way of equalizing the playing field where regulation fails. Perhaps that will be the new mobile payment networks using NFC or other models to make payments and micro-payments. When other options create competition, that is when prices drop. As history has shown, however, these advances provide great benefit, but over time, just like with debit cards, once people are hooked the prices go up. Maybe Bill Gates and Warren Buffett and the others can get together and create a payment network that is socially owned for the benefit of all.

As always, I would love to hear your comments.

Wednesday, January 5, 2011

Mobile NFC Payments: PayPal and Google move the ball forward

In my last post, 8 Online Banking Trends for 2011, the first trend was that NFC payments for mobile banking would continue to gain traction in 2011 in the United States. Looks like PayPal and Google are moving the ball along.

Bloomberg Businessweek has reported that Google is considering building a payment and advertising service using Near Field Communication (NFC) on mobile phones and that it may happen as soon as this year. Even bigger is the report that PayPal may start a commercial service using NFC for mobile payments in the second half of 2011. This system would not only allow mobile payments at vendors but also allow person-to-person payments (P2P) as well.

This is a significant step toward mobile payments using NFC in the United States but not by banks. PayPal's nimble mobile strategy and rapid adoption of new technology is increasing its market share and influence in the payments industry. And of course, like other PayPal technology they will provide an open application programming interface (API) to make it easy for mobile developers to adopt into their applications.

PayPal has already made inroads into banks for its person-to-person (P2P) payment system based on its API and ubiquity. USAA bank has signed a deal with PayPal to use it to provide P2P mobile services for its clients in 2011. USAA is another mobile innovator in the US banking and mobile market.

PayPal has already signed deals with financial service providers Fiserv and S1 to integrate their P2P services, which will make it widely available to banks. This may be the same route that mobile NFC payments take into banks as they develop the technology. Look for more announcements as the trend continues to heat up.