Google's contactless mobile payment application, Google Wallet, has long been thought by experts to be secure due to its use of a hard-to-break secure hardware element for handling cardholder credentials and account information. But the fledgling app has failed a security test conducted by viaForensics, primarily for storing too much of consumers' personal data on the phone. While the app doesn't store the customer's entire credit card number, it does store the user's name, credit card balance, limits, expiration date, and transaction dates and locations on the phone itself (in the application's databases directory). The last four digits of the user's card number and email address are also recoverable from the phone.

Google's response to this test points out that this sensitive information can only be retrieved from a rooted phone, in other words, one whose operating system has been broken into so that system files can be accessed. "The viaForensics study does not refute the effectiveness of the multiple layers of security built into the Android operating system and Google Wallet," says spokesperson Nathan Tyler. "This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including the credit card and card verification value numbers. Android actively protects against malicious programs that attempt to gain root access without users' knowledge."

However, there have been instances of malware, such as Droid Dream, that have let attackers break through Android security and gain root access to the phone.

Once such a break-in occurs, the customer information stored on the phone would be sufficient to launch a social engineering attack, according to Andrew Hoog, chief investigative officer at viaForensics. "You could send someone a message containing information about their transactions and balance and say you need to confirm their card number," Hoog explains. "The fact that the sender knew you had conducted a transaction that afternoon would convince most people that it was legitimate."

Having this information available on the consumer's device does provide convenience, Hoog acknowledges. For instance, once the consumer chooses a credit card to use in the Google Wallet, the app displays the card balance and next payment due. "As a consumer, when that popped up, I thought, that's great, because I can never remember what my balance is and when the payment is due and here it is," Hoog says. "I really liked that feature. The problem is they shouldn't store it unencrypted." Google should either encrypt the information or not store it in the device.

A further security issue is that Google Analytics tracks activity that is stored in the phone log, which again could give a cybercriminal insight into the customer's purchasing and account behavior.

Google's is not the only mobile payment software to fail viaForensics' tests — Square and others also have. But although the Square app stores less personal information than Google's does, the Google Wallet is more secure than Square, Hoog says. "Square has some pretty big issues that we don't look at in the appWatchdog [the company's security testing service]," he says. appWatchdog only looks at what information is securely stored and transmitted. "Square has unencrypted readers and that's a really big deal. Contrast that with what Google Wallet did, which was they invested in near-field communication and a secure element, they put a lot of engineering into controlling access to that data. Square has been going out and capturing market share, so they built cheap, unencrypted credit card readers that they could send out to the masses."

Google does do many things right security-wise with its Wallet app, including requiring a four-digit PIN. This makes it more secure than a magnetic stripe credit card, which any criminal could steal and use. Anyone who stole an Android phone loaded with the Google Wallet app would have to correctly guess the owner's PIN to buy something with it. "Google, to their credit, said I can't give access to your wallet, I'm going to force you to put in a PIN. The critical thing you need to implement encryption is a password that's not stored in the device but in another system, such as the end user's brain. That's that random, unknown piece of information that unlocks it for you."

The Google Wallet thwarted a man-in-the-middle attack viaForensics attempted. In a man-in-the-middle attack, a cybercriminal intercepts messages in a public key exchange and then retransmits them, substituting his own public key for the requested one, so that the two original parties still appear to be communicating with each other. During this test, the path from which the request was made was rejected and provisioning failed.

Google uses a chip hardwired into the phone, called a secure element, to receive cardholder credentials and account information provisioned by First Data and MasterCard PayPass. Although this is generally considered the most secure way to handle contactless payment information, the secure element has been an issue for Verizon, which last week asked Google not to include the Google Wallet app on the Google/Samsung Galaxy Nexus phone, which was expected to ship in early December but has been delayed. Verizon is working with other telecom providers on a competing contactless mobile payment scheme called Isis, for which Gemalto was selected today as a technology provider.

Google has already fixed two issues Hoog discovered in earlier tests. In the first version of Google Wallet, the app displayed a picture of a credit card with the user's information on it. That feature has been removed from the app. Earlier versions also did not properly delete data when the user reset the Wallet app; this too has been addressed by Google engineers.

Overall, the Google Wallet is "probably on par" with comparable mobile payment apps, Hoog says.

"With the amount of data they store about the card and transactions, we couldn't give them a pass," he says.

Mobile payment providers tend to be more concerned with features and deadlines than with the implications of storing data on the devices, Hoog says. Google also may feel the security and controls built into the Android operating system are sufficient to protect people's information.

But mobile malware is growing, Hoog says. There have been about 30 or 40 instances of malware discovered targeting Android devices. "Some of them have the ability to escalate privileges and get root access to the system," he says. "If I were a criminal who was trying to make money off of malware and I had an exploit that would work on Android, I would say I have access to this device, what information do I want to pull out? I know on the device where to go to find out the user's information, and I can just pull that information and upload it to a server. Malware is the storm that's on the horizon."

For banks, free checking is many things — but it isn't free.

Despite a public perception that taking deposits is a can't-lose business, maintaining a checking account costs banks between $250 to $450 a year. In many cases those accounts aren't even turning a profit.

The average checking account cost banks $349 in 2011, says Mike Moebs of Moebs Services Inc, a research firm. But the average revenue per account is just $268, implying a loss of $81.

That equation helps explain the thinking behind some of the recent, highly-controversial steps banks have taken to raise the prices their customers pay for checking accounts.

"Banking is a subsidized business," says Hank Israel, a partner at New York-based consulting firm Novantas LLC, pointing to the fact that the profitable accounts balance out those accounts maintained at a loss. "When the plane flies full, coach covers the whole cost and first class is the profit," Israel says.

But thanks to new regulations, including the Durbin amendment in the Dodd-Frank Act, which caps fees on debit interchange, the number of profitable customers is falling. Those fee caps, which went into effect on Oct. 1, are expected to eliminate more than $5 billion in annual bank revenues.

"Since Durbin, the coach class isn't breaking even, so the profit [on checking accounts] is being cross-subsidized by [deposit] balances, and with interest rates so low that's not covering costs either," Israel says.

He estimates that one third to one half of checking account customers are now unprofitable for banks.

The single biggest cost, Israel says, is the cost of bank branches and ATMs. Another 20% is spent on back-office functions, including maintaining call centers and payment operations.

Overhead costs, including executive salaries along with security and compliance expenses, also account for about 20% of the costs. The last 10% covers product development and sales.

The mismatch between the costs and the returns of checking accounts is untenable for the industry at large. But as banks consider what the new regulatory landscape means for their account offerings, analysts caution that the solution is not likely to be one-size-fits-all.

This is in part because the costs to maintain checking accounts can vary widely across institutions of various sizes.

For the largest banks with assets greater than $50 billion, the average checking account costs between $350 and $450 a year, according to Moebs. Overhead, or the institutional costs not associated with a specific division or service, is what weighs down some of the largest banks, making it more difficult to cut costs, he says.

But he adds that for some of the smaller banks with less than $5 billion in assets, the costs are much lower — around $175 to $250 a year.

The sweet spot for breaking even or squeezing out a profit on free checking is likely to be among the mid-sized institutions.

The issue comes down to efficiency and economies of scale. The banks likely to fare best are those that are big enough to support a sizeable base of checking account customers, but which are not loaded down with ancillary costs.

"The community banks and the credit unions will offer free checking and will get revenue — the major item is from overdrafts — and that revenue and other revenue, such as transaction revenue, it's enough for them to break even," says Moebs.

For those institutions, offering free checking brings more customers in the door — giving the banks an opportunity to turn a profit eventually.

"They've got a free name and address and telephone number and hopefully an email address," he adds. "What that they can do is cross-sell and get more business. That's the true purpose free checking."

Such a strategy is not likely to be sustainable for megabanks like Citigroup Inc. and Bank of America Corp. Those are the companies that reacted to the Durbin amendment by adding or raising monthly checking account fees, or by trying to start charging customers for using their debit cards.

"The big guys are operating checking at a loss," says Moebs. "The big guys have to get out of this business because with [cuts to] interchange and overhead revenue, they don't have enough to cover their costs."

But Israel of Novantas cautions that free checking may not be a winning solution for all smaller institutions. He notes that those customers who are likelytransferring accounts in the current environment are more likely to be the unprofitable customers.

"Based on the work that we've done, the accounts in motion tend to be lower in deposit levels and less complex relationships," in part because those accounts are the easiest to move from one financial institution to another, says Israel.

In addition, "with so many offers on the market as larger banks try to improve account quality, only the accounts impacted by [checking account] fees are moving banks," he says.

Those checking account fees are designed to recoup the costs of serving customers who keep small deposits with the bank, complete few transactions each month, or have not bought other, higher-margin bank services like mortgage loans.

If small banks offer free checking without considering these factors, there could be a "deluge of customers seeking free checking whether or not [the bank has] capacity to service them along with their more profitable customers," Israel says. "They can definitely move volume, but are they moving value?"

Nevertheless, some "small challenger banks… are really in a position to acquire these customers. They have lower cost structures because they either organize themselves online or have very concentrated focuses," says Israel.

The migration to online and mobile banking could be the great equalizer for institutions of various sizes, as more customers look to the internet and smart phones to do their banking.

A 2010 study by consulting firm Javelin Strategy & Research found that the average cost per bank transaction varied hugely depending on how the customer made the transaction.

Javelin estimated that an in-person transaction at a physical branch cost a bank $4.25, while a phone call to a call center or the use of an ATM cost $1.29 or $1.25, respectively.

By comparison, mobile banking transactions cost just 10 cents, and online banking transactions cost just 19 cents.

Overall, Javelin found that customers not using online banking cost banks $359 a year. That was $167 more than the annual cost of $192 for customers using online banking services.

If banks can reduce the number of customer service calls associated with online banking, the cost differences could be even greater, says Mark Schwanhausser, a senior analyst with Javelin.

"If we can move customer service representative calls back to self-service online banking, something that became an added cost [with online banking] becomes an added efficiency," Schwanhausser says.

http://www.bai.org/bankingstrategies/marketing-and-sales/marketing-and-promotion/digital-banking-gets-personal?

Digital Banking Gets Personal 
The digitization of banking, via apps and APIs, will lead to mass personalization. BYCHRIS SKINNER
Nov 29, 2011  |  0 Comments

A bank is a digital business and, as a digital business, can be broken down into pure bits and bytes. More than that, a bank can be seen as three digital businesses in one: a manufacturer of products; a processor of transactions; and a retailer of services.

In this context, the digitization of banking becomes more interesting at a strategic level. First, the products have been deconstructed. Every bank product can be deconstituted into its lowest common denominator of components and then reconstituted into new forms of use and structure.

This component-based bank demands that every bank capability be put into a basic widget form, or object form if you prefer, and then offered to customers to put together as they see fit. In other words, there are no integrated product sets any more, just banking as apps that customers put together to suit their needs. Bank products are just a bunch of apps, manufactured in such a way that customers can put them together to suit their lifestyle.

Moving onto processing, we build upon the app-based product view and begin to consider processes as open source code. The open sourcing of digital processes is rife and has disrupted and changed everything from how operating systems operate, vis-à-vis Linux, to how Google develops its omnipotent reach.

Learning from such open-source processing, PayPal launched X, a developer-based service for PayPal processes as APIs (Application Program Interfaces). APIs allow anyone to pick up and drop PayPal into their systems, enabling PayPal to be reintegrated by third parties into any code and operation desired.

The result is that PayPal’s relevance increased massively overnight and led to Citi following a similar approach, when they announced that their transaction services would be offered as APIs at SIBOS this year. In other words, all bank processing is just open-sourced coding, offered to anyone to plug and play with their offerings through APIs.

Finally, the customer relationship has also changed. The customer relationship used to be human, one-to-one. Then it became remote, one-to-many. Now it is digitized, one-to-one. This is where Big Data comes into its own, as we are now trying to manage remote relationships leveraged through mass personalization.

Mass personalization can only be achieved by offering contextual servicing to each and every customer at their point of relevance. This means analysing petabytes of customer data to identify, on a privacy and permissions basis, what contextual service customers may need as they live their lives. If they are walking past a car showroom, do you promote cheap motor insurance or a car purchase scheme? If they are leaving the casino, do you offer a loan or a referral to an addiction clinic? If they are leaving the maternity clinic, do you offer child investment services or a referral to an abortion clinic?

Some of these may seem controversial, but we are already seeing contextual offers through finance coming into play in the form of Google Wallet. And the aim of such contextual offers is to track your digital footprint, using Big Data analysis, to gain intuitive service offers relevant to your point of living. For example, as Google tracks your searches for plasma TVs, you get an offer for £200 off for the TV you spent the longest time studying online as you walk past the electronics showroom. But the offer is only good for an hour and only when you are in proximity of that electronics showroom.

This is the new augmented reality of customer intimacy through Big Data analysis. And bank retailing will be based upon the competitive differentiation of analyzing mass data to deliver mass personalization.

In summary, the digitization of banking is now mainstream and all bank capabilities will be packaged as digital structures where products will be apps, processes will be APIs and retailing will be contextual, delivered through mobile internet at the point of relevance. Meantime, what happens to the physical structures of banking, as the digitization of everything takes over, will be the biggest challenge of all.

Mr. Skinner is chairman of the Financial Services Club, CEO of Balatro Ltd. and comments on the financial markets through his blog the Finanser. He can be reached at cskinner@balatroltd.com.