What is the Financial industry thinking about these days? Symantec sponsored a lunch at Net.Finance, where we invited attendees to have lunch and talk about how to increase traffic to and usage of eCommerce as a way of doing business and conducting transactions. In attendance were a variety of guests ranging from very large commercial banks to small vendors working on new transactional solutions as a service. We posed a few set questions to open up the floor for discussion, with some thoughtful responses.
For an opener, and because it’s always most fun to start with current challenges to get people talking, we asked our guests about their obstacles to convincing customers to use online services. Demographics were the first point that came up instantly: Users over 50 are slow to embrace new technology and slow to trust unfamiliar new ideas. There was some laughter at my table, as a couple of the participants said their internal organizations functioned much the same way. They cited management unfamiliarity with new technology, and discussed methods for overcoming internal political resistance with the aim of abandoning old ‘kludgy’ authentication techniques in favor of newer, simpler methods that were equivalent in security.
A second problem brought up is one of perception in the other direction. There are customers who believe that their mobile device is automatically safe, while they do not necessarily trust ‘the web’ from a home computer or laptop. Everyone nodded at that, reviewing how plastic in the hand with a signature is often LESS secure than an electronic connection, as vendors tend toward insufficient secondary ID (signature, photo ID) checks. Terminals and ATMs often do not have real-time confirmation of security and authentication, which allows a stolen card to do damage before it can be reported, discovered, or shut down. Then my table went on to expand on other damage sources, particularly the impact on reputation and business caused by breaches. It was largely agreed that breaches have a big impact, but one that drops off quickly for the larger financial organizations. It is the smaller entities that can go out of business after the initial customer perception of insecurity, as they lose business for too long to recover financially.
The second official question we posed asked about the biggest security technology challenges with web and mobile security. This was another in-depth conversation starter for sure! Foremost, information security departments were cited as having limited mobile experience. This included issues with correct security implementation both through partnerships and vendors, and in mobile apps. (For those of you reading who were in attendance at my table, here is the link to the blog and whitepaper I mentioned regarding SSL for APPS.)
A problem brought up at the other table was the practice of random integration of vendors and solutions. Every security solution for mobile seems to be a stitched-together Frankenstein of a solution (my visual image), where companies like Symantec are the SSL/TLS backbone combined with X company doing a cloud-based security transaction, with Y providing the authentication side and Z owning the root-entity credit card revocation check, etc.
Customers also are having problems with “auto-ban”, aka checking your identity the first time you log into your account from a new device. Example: You log into your bank account from your phone for the first time – but you are nowhere near your computer. How do you authorize your phone then and there? Customers have apparently had problems negotiating this system if they don’t have that secondary device handy. Policy did not account for mobile-specific issues like international roaming charges and other issues preventing effective email checking and validation of transactions. This made me think about possible new applications for our PKI solution with a VPN app. A customer could hook into a password for a one-time code for that transaction or login. Cloud-based security and transactions were suggested as needing to become seamless as a user moves from device to device, in order to become more universal.
At both tables, people brought up a big challenge in abandoning brick-and-mortar structures, in the context of initial identity validation. New customers have to walk in with a government-issued ID in hand to open an account. How do you verify your identity in a cloud-based world, in a fashion sufficient for traditional financial guidelines and compliance? Verified individual identity solutions may indeed become more universal in the years to come, once this is sorted out. But is policy and practice for one country good on a global basis? FFIEC guidelines are not universal, which creates challenges for global financial entities, and PCI guidelines are certainly not adhered to at every merchant level. Again, the PKI solution with a VIP app might become adopted in time.
A final technology challenge was the whole problem of creating and enforcing security standards among mobile vendors. Where browsers have joined the CA/B Forum and determined best practices and standards to which they will all adhere, there is no such cooperation on the part of the mobile device vendors. Android, iOS, RIM etc. do not kiss and make nice on how their screens indicate a secured connection vs. an app with insecure connections, on policy implementations, or even on whether an app might be malware-free. Wouldn’t it be nice, everyone agreed, if the app on your tablet or phone had a green outline the same way an authenticated website has the green EV bar?
So what is an innovative, security-minded finance organization to do about Mobile? How do they think they can overcome some of these limitations?
There was a glimmer of good news about online finance in an anecdote at my table. One of the major US banks said they’d done a survey of their customers regarding their top concerns about doing business online. The first time they surveyed, customers said security was the #3 concern in online banking. They subsequently implemented a padlock security icon on their mobile app and featured a trust mark more prominently on their main web page. The following customer survey moved security from #3 in concern to barely in the top 10. Perception of trust is a clear driver for user adoption, as we’ve discovered in our Norton Secured Seal testing.
A proposal in use by one of the attendees was the standardization of Tokenization – the transactional security model instead of session security. Another self-proclaimed smaller vendor described their product, which uses a Facebook login and identity verification, a mobile passcode, and receipt verification after the transaction including an approval, offering up 3-factor authentication as a secure and fast alternative. (Business cards were exchanged.)
Clearly there’s a market opportunity for the VPN app in financial applications, combined with a PKI product that helps authenticate identity. Perhaps we’ll see more partnerships where companies with specialties work together to offer up solutions that work on all platforms, supporting transactions of all kinds in a global economy. Each networking opportunity is a good step in the right direction. Thanks, Net.Finance, and to all our guests for their thoughtful, creative dialogues!