Protection through Collaboration in Mobile Payments
Where there’s innovation, there’s often danger, a phenomenon well-recognized by the financial services industry as it ventures into the emerging technologies of mobile banking and payments. Fraud and security issues have the potential to derail promising initiatives unless financial institutions protect their use of these technologies in an aggressive, proactive manner.
One individual tasked with helping the industry pilot through these dangerous shoals is John W. Carlson, executive vice president of BITS, the technology policy division of the Washington, D.C.-based Financial Services Roundtable. Carlson will discuss these issues during a general session presentation at the upcoming BAI Payments Connect 2012 Conference & Expo entitled “Hardening Payment Systems for the Next Generation.”
One key problem, as Carlson explained in a recent interview with BAI Banking Strategies, is how mobile banking and payments sets itself apart from previous financial services technologies by the degree to which banks must collaborate with outside providers, such as cell phone carriers, handset manufacturers and non-bank payments companies. “Increasingly, institutions are not relying upon their own infrastructures for the delivery of services,” Carlson says. “Instead, the infrastructure is provided by outside parties or is owned by the customer.”
Given the financial services industry’s lack of control of the basic technologies, any realistic approach to mitigating the security and fraud problem in mobile banking and payments must include close collaboration with outside constituencies, both private and government, says Carlson, who outlines some of the planned and ongoing efforts of BITS to accomplish that.
Q: Looking at the payments industry specifically, where do you see the most vulnerable areas right now?
Carlson: We haven’t necessarily ranked these in terms of priority so I would characterize them instead as areas of concern. We are in the process of working with our member companies and a number of partner organizations, such as telecommunications companies, to identify potential vulnerabilities in mobile payments in terms of controls, educational campaigns or standards that might be needed. We assume that, even though our losses in that channel right now are very low, mobile could be the target of the future for fraudsters.
Beyond that, we’re continuing a dialogue around fraud that’s associated with prepaid cards, an area that’s been growing. We’re trying to understand the impact of some of the regulatory changes, such as some of the rules embedded in the Dodd-Frank law, particularly the Durbin Amendment. We’re trying to understand where there may be a shift in fraud as a result of some of those changes.
In the past, we focused a fair amount on account takeover, particularly commercial account takeovers, and that’s been a collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the American Bankers Association, NACHA and others. We’ll also look at what more can be done in terms of improving the relationships with law enforcement agencies, particularly on the investigation side.
Q: With so many moving pieces and different players in mobile, is collaboration ultimately the key to solving these problems?
Carlson: Yes. That’s one of the things that has really changed in recent years. Increasingly, institutions are not relying upon their own infrastructures for the delivery of services. Instead, the infrastructure is provided by outside parties or is owned by the customer.
The mobile phone is a great example. The bank doesn’t own the mobile phone; they may have been involved in developing the application for an iPhone but they don’t own the network or telecommunications system that connects the bank to the customer. It’s very different from dealing with, say, an ATM network which is either owned by the bank or by a service provider with a very clear contract and relationship with the bank.
While this makes the environment a lot more complicated, it also provides great benefits, in terms of the incredible convenience and innovation that obviously is driving a lot of what’s occurring in the marketplace.
Q: What is BITS itself doing right now in the security/fraud area?
Carlson: We’re focusing on a combination of emerging risk areas and ongoing industry concerns. In terms of emerging risk, we’re looking at mobile payments and the impact of EMV, which are the chip-and-PIN standards that are used in Europe and just starting to be implemented here in the U.S. We’re trying to look at the potential evolution of fraud, based on the impact of those standards.
We’re also concerned about so-called “synthetic identities,” which is where identity proofing becomes important, particularly in the account-opening process. As more bank customers use social media, personal information is much more accessible through, say, Facebook, LinkedIn or other types of social media applications. Then you also have the FFIEC’s updated guidance on authentication to consider.
With regard to identity proofing, we have underway a project that is jointly sponsored by several government agencies, including the Homeland Security Department, the Commerce Department and the National Institute of Standards and Technology, with input and involvement from many financial institutions through the Financial Services Sector Coordinating Council. So, we’re trying to improve the process of automating and validating the identities of individuals, particularly at the account-opening stage. This is part of a government-wide initiative that has been called the National Strategy for Trusted Identities in Cyberspace (NSTIC).
We’re continuing to focus on trying to reduce fraud in a number of more traditional business lines, such as check, mortgage and cards. Most of that work is taking place through information sharing – discussions with our member institutions, which are 100 of the largest U.S. financial services companies – as well as some updates to papers and advisories that we’ve published in the past.
In the security area, we are looking at cloud computing and how social media is impacting the security landscape, with a particular focus on botnets. Part of that is being driven by the government looking very closely at botnets and what can be done in order to reduce those, which are often the vehicles for either denial-of-service attacks or malicious software that would infect a user or a company’s computer systems.
And we’re trying to improve information sharing between government and financial institutions, as part of what’s called “critical infrastructure protection.” Within the financial services community, we have FS-ISAC, a very good information sharing and analysis center. And we’re looking to share information with other sectors, in particular, Internet service providers and other Internet stakeholders.
Finally, there’s been continued focus on email security and email authentication. That’s particularly important because much of the malware gets transmitted through email, plus you have incredible amounts of spam. We’re trying to educate employees and contractors of financial institutions about safe computing practices, as well as retail and commercial customers.