Monday, January 24, 2011

Does your bank use Out of Band Authentication? If not, drop it.

The Zeus trojan did its damage to banks and financial institutions and it looks like more threats are on the way. A new trojan construction kit called CarBerp for hackers is laying the groundwork for a more advanced round of general and targeted attacks.

Zeus is a very advanced trojan and gave banks and their customers a tough time. It was particularly effective because it is a Man in the Browser (MitB) attack. Since these trojans work locally on the client side, it is difficult for the bank to help prevent the attack: the credentials are stolen in the browser and sent off to another site. Unfortunately, CarBerp will allow even more advanced attacks than Zeus.

Those banks that implement out-of-band authentication have the best chance of protecting their clients. Out-of-band authentication uses another channel outside the browser, such as the telephone or SMS, to verify a client's identity before allowing the login. It helps prevent stolen credentials from being used to steal money or data. I would strongly encourage all bank clients to find another bank if theirs does not use out-of-band authentication to protect its customers.

Out-of-band authentication protection is only as good as the bank's ability to monitor each customer login and decide, based on a risk model, whether that login should be "challenged". The challenge is the extra automated phone call or SMS message that confirms it really is the customer logging in. For more information on out-of-band authentication, check out the PhoneFactor link below.
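As an added example (not code from the original post or from PhoneFactor), here is a Python sketch of the two pieces just described: a risk model that decides whether a login gets challenged, and the handling of the one-time code delivered outside the browser. The customer profiles, score weights, threshold and the send() gateway callback are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed history (hypothetical): countries and devices each customer has used before.
PROFILES = {"alice": {"countries": {"US"}, "devices": {"dev-1"}}}
CHALLENGE_THRESHOLD = 40  # scores at or above this trigger the out-of-band challenge

def risk_score(user, ip_country, device_id, hour_utc):
    """Score one login attempt against what the bank has seen from this customer."""
    prof = PROFILES.get(user)
    if prof is None:
        return 100  # unknown customer: always challenge
    score = 0
    if ip_country not in prof["countries"]:
        score += 60  # first login from a new country
    if device_id not in prof["devices"]:
        score += 40  # credentials replayed from a machine the customer never used
    if not 7 <= hour_utc < 23:
        score += 20  # off-hours login
    return score

def needs_challenge(user, ip_country, device_id, hour_utc):
    return risk_score(user, ip_country, device_id, hour_utc) >= CHALLENGE_THRESHOLD

class OobChallenge:
    """One-time codes sent outside the browser (automated call or SMS)."""
    def __init__(self, ttl=120, max_attempts=3):
        self.ttl, self.max_attempts, self.pending = ttl, max_attempts, {}

    def issue(self, user, send, now=None):
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()  # store only a hash of the code
        self.pending[user] = [digest, (now or time.time()) + self.ttl, 0]
        send(user, code)  # send() stands in for the telephony/SMS gateway (assumed)

    def verify(self, user, code, now=None):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires, attempts = entry
        if (now or time.time()) > expires or attempts >= self.max_attempts:
            del self.pending[user]  # expired or too many guesses: a new challenge is needed
            return False
        entry[2] += 1
        ok = hmac.compare_digest(digest, hashlib.sha256(str(code).encode()).digest())
        if ok:
            del self.pending[user]  # a code is single use
        return ok
```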

Does your bank care enough about you to help protect your money? If not, drop 'em.

For more information about out of band and multi-factor authentication check out PhoneFactor.
For more information about Zeus and CarBerp check out the TechRepublic article.

Wednesday, January 12, 2011

The Great Debit Card Interchange Fee Debate Rages On

In May 2010 the "Wall Street Reform Bill" was passed by the US Senate in an effort to prevent another financial meltdown. In June 2010, an amendment called the "Durbin amendment" (after Senator Dick Durbin of Illinois) was added to the same bill; it allows the Fed to regulate debit card interchange fees.

Interchange fees are the fees merchants pay for each debit and credit card transaction. By March 2011, the federal government can limit the fees that merchants pay for debit card transactions at big banks (assets above $10B). As a consumer you may not care about this, since the fees are paid by the merchants, but the merchants pass the expense along to everyone in higher prices, somewhere around 2% to 4%.

To put it simply, remember the VISA commercial where everyone is busy swiping as the music plays and the line moves along in smooth, synchronized harmony until someone steps up and wants to pay with cash? The music comes to a screeching halt, everyone abruptly stops, the milk spills and they glare at the customer. That is the perfect commercial to explain what it means to the card providers and the banks: the music stopping is the sound of cash flow being interrupted. (See the VISA commercial on YouTube.) According to CNN, estimated interchange fees in 2008 exceeded $48 billion, and the cost to the average consumer is $427.

The issue is complex, and VISA, MasterCard, the other card providers and the banks would quickly point out that the payment system is great for the economy because it makes purchases convenient and is much safer than checks from a fraud standpoint. So this is the price of convenience and a faster lifestyle. Opponents point out that these fees have gone up over the last 10 years and that in other countries interchange fees are significantly lower.

So what will happen in the likely scenario that the Fed limits interchange rates for debit cards? This is the source of raging debate with many opinions. The merchants would be happy, but there is debate as to whether they would pass the savings along to the consumer; I think most would, in order to compete. The consumer might initially be happier if prices are a bit lower, until they lose their popular rewards programs, which are funded by the fees (and never a good deal once you look at the point values). The card providers and banks will have a reduced revenue stream, estimated by CardHub to cost them about $3.6B to $9.1B.

My take is that it is generally not a good idea for the government to mess with the markets, because it often has unintended effects. Just as with bank overdraft fees and the new credit card rules, the industry simply changes its strategy to generate revenue some other way. Any doubt that banks will change their fee structure to make up that revenue? They are in business to make money.

All this also assumes that the government regulation will get it right, which is often not the case. The Durbin amendment doesn't apply to prepaid debit cards, credit cards, or institutions below $10B in assets (credit unions, for example), so how will that affect the playing field?

Technology often has a way of leveling the playing field where regulation fails. Perhaps that will be the new mobile payment networks using NFC or other models to make payments and micro-payments. When other options create competition, that is when prices drop. As history has shown, however, these advances provide great benefit, but over time, just as with debit cards, once people are hooked the prices go up. Maybe Bill Gates, Warren Buffett and the others can get together and create a payment network that is socially owned for the benefit of all.

As always, I would love to hear your comments.

Wednesday, January 5, 2011

Mobile NFC Payments: PayPal and Google move the ball forward

In my last post, 8 Online Banking Trends for 2011, the first trend was that NFC payments for mobile banking would continue to gain traction in the United States in 2011. It looks like PayPal and Google are moving the ball along.

Bloomberg Business Week has reported that Google is considering building a payment and advertising service using Near Field Communication (NFC) on mobile phones, and that it may happen as soon as this year. Even bigger is the report that PayPal may start a commercial NFC mobile payment service in the second half of 2011. This system would allow not only mobile payments at vendors but also person-to-person (P2P) payments.

This is a significant step toward mobile NFC payments in the United States, but not one taken by banks. PayPal's nimble mobile strategy and rapid adoption of new technology are increasing its market share and influence in the payments industry. And of course, as with other PayPal technology, they will provide an open application programming interface (API) to make it easy for mobile developers to integrate it into their applications.

PayPal has already made inroads with banks for its person-to-person (P2P) payment system, based on its API and ubiquity. USAA bank has signed a deal with PayPal to use it to provide P2P mobile services for its clients in 2011. USAA is another mobile innovator in the US banking and mobile market.

PayPal has also signed deals with financial service providers FiServ and S1 to integrate its P2P services, which will make them widely available to banks. This may be the same route that mobile NFC payments take into banks as the technology develops. Look for more announcements as the trend continues to heat up.