
Toolbox Tips: Security Framework for Mobile Applications in BFS

Security is one of the biggest stumbling blocks slowing down the adoption of mobility in banking and financial services. So, we have devoted a section of this magazine to mobile security. In this first part of what will be a series of articles, we present a framework for understanding and analyzing end-to-end mobile security. We also show how this framework can be applied to mobile banking.
By Bala Muthugurusamy, Kaushik Roychowdhary, Vikas Gupta & Gleb Etinzon
Traditionally, BFS is an industry where any new technology must meet exceptionally stringent security thresholds before it is adopted. Given the inherent vulnerabilities associated with mobility’s “anywhere, anytime, anyone” capabilities, security is even more important for BFS applications. From a security perspective, many mobile technologies are quite stable and reliable. However, development practices in mobile applications have not caught up; incorrect design choices often lead to vulnerabilities that result in loss of private data, fraud, or worse. Many such cases have been widely reported in the press. Given the fears surrounding fraud in BFS, it is not uncommon for companies and consumers to overreact when such incidents are reported.
In this article, we provide a framework for analyzing the security needs of various BFS domains, identify security risks in BFS mobility, and suggest best practices that could alleviate many of these problems. We have also included a list of security standards that are important and function as a useful reference.
This article will be a multi-part series that will analyze use cases and applications in different BFS sub-domains for their security risks. In each issue of this magazine, we will pick one major use case from a BFS sub-domain and analyze its security aspects. In this first part, we analyze mobile in retail banking.
Mobile Banking: Security Reference Architecture

Business Architecture

| Dimensions | Characteristics | Security Aspects |
|---|---|---|
| What do they do | Banking institutions executing transactions directly with consumers, rather than corporations or other banks. Services offered include: savings and transactional accounts, mortgages, personal loans, debit cards, credit cards, and so forth. | Breach or loss of sensitive data results in a huge potential loss of money to the bank, the customer or both. |
| Who they are | Most of the big banks operate in retail in one geography or another. For example, BOA in the U.S., Citi outside the U.S., Deutsche in Europe, ABN AMRO in the Netherlands, UBS and Credit Suisse in Switzerland, etc. | Reputed institutions that work on trust and need to comply with security standards and regulations. |
| Which information | Accounts, withdrawals, deposits, payments. | Extremely sensitive information: may result in theft or malicious use. |
| Where | Smartphones, tablets, WAP, SMS. | Devices, being mobile, are prone to loss or theft. |
| How | Mobile registration. | Security classification of transactions and use cases; security requirements and regulations. |
| Why | Expose essential services to customers via the mobile channel; achieve customer proximity. | Extremely competitive market. |

Information Architecture

| Dimensions | Characteristics | Security Aspects |
|---|---|---|
| Data | | Classification and modeling; privacy and intellectual property; metadata. |
| Application | Device application. | Stringent validation and verification. |
| Integration | Customer info: CRM. | Secure integration to ensure a breach at one level does not result in a possible breach at the next. |

Technology Architecture

| Dimensions | Characteristics | Security Aspects |
|---|---|---|
| Data technology | Server-side data. | Data encryption; data masking; data synchronization; secure data transfer over public networks; data validation and integrity. |
| Application technology | Gateway server: WAP / Web presentation tier or application tier on the server side. | Client application footprint management. |
| Platforms | iOS, Android, RIM, Nokia-Symbian, Windows Mobile, etc. | Physical security. |
| Integration technology | ESB (middleware), mobile COTS products. | Secure transport; seamless integration over occasionally connected devices. |
| Networks | Transport (HTTPS over 2G or 3G, WiFi, WAP, SMS), encryption, LAN/WAN, intranet/extranet. | Data integrity; prevention of eavesdropping; data encryption. |
| Providers | Mobile networks, WiFi service providers. | Malicious use. |
Visions: Projecting Technology Futures for Banking and Financial Services | Issue 1 | July 2011
Editorial
We are pleased to bring you the inaugural issue of Visions, a new digital magazine whose mission is to provide insights on emerging technology trends relevant to the banking and financial services (BFS) market. It is our hope that better understanding of these trends will help our BFS clients capitalize on them for competitive advantage. Our first installment covers mobility, across various dimensions.
Although the magazine has several articles in traditional format, it also features interactive trend radars that we use to capture emerging technology and business capability developments and to highlight their likely impact on your business. The interactive format of these radars will hopefully be engaging, and the digital medium will make it easy for us to issue periodic updates.
Every article in this magazine was created by our team of BFS mobility architects under the direction of Hari Subramanian, a Technology Partner within our BFS Business Unit. In this role, Hari is responsible for providing technology consulting and solution architecture services to our BFS clients, worldwide. His mission is to promote technology and thought leadership within Cognizant and to leverage this insight for delivering innovative solutions in areas such as mobility, SOA, enterprise architecture, cloud computing, and user experience. He has more than 22 years of experience in both the communications and financial services sectors. Hari can be reached at harir.subramanian@cognizant.com.
Acknowledgements
Dilip Sharma, Yogesh Tamhankar, Rajshree Surwade, Abhinav Kumar Gummaraju, Sudipta Sarkar, Abhijit Thossar, Alan Alper and Nikhilesh Jasuja were instrumental in the creation of this magazine and we sincerely acknowledge their efforts.
Note:
There are several decisions for BFS institutions to consider related to technology choice, application capabilities, middle/back-office interfaces, regulatory compliance and security and fraud prevention, while formulating their mobile payment roadmap. To get this multi-faceted mobile strategy right, financial institutions should consider the following initiatives that could be customized to their specific context:
· Consider segmenting the type of consumers you want to cater to in great detail. It is important to take a global view of your business and consider all the markets where you have and will have operations. Defining narrow segments with as much clarity as possible could lead to clarity in the proprietary mobile device platforms to be supported and a sound roadmap for mobile payment applications.
· Financial institutions should pay particular attention to developments in regulatory standards in the markets they want to operate in. Not all markets are evolving at the same rate. While lagging behind China in mobile infrastructure, India seems to have taken the lead in regulations related to mobile payments. Similarly, significant differences exist between various countries in AML (anti-money laundering) regulations.
· Depending on the type of mobile payment services that they want to offer, financial institutions need to form the right ecosystem by assembling suitable partners.
· Although mobile devices are proliferating, there are still significant differences in the rate of mobile device adoption and type of devices being adopted around the world. While emerging markets significantly lag developed markets in the widespread availability of mobile Internet and smartphones, they are catching up fast with some markets leapfrogging developed markets as they don’t have legacy mobile networks to deal with.
· Mobile Web offers the lowest possible total cost of ownership with acceptable user experience, but it has serious limitations if special device features such as a camera are to be leveraged by the application. While native applications offer the potential to leverage unique device features, they increase the total cost of ownership due to the need to support multiple dominant devices in the market. We see IT departments wanting to go for common-denominator application features using mobile Web technology, while business stakeholders prefer native client applications for a superior end user experience. So, depending on the mix of business capabilities to be supported for mobile payments, business and IT departments should cooperate to set standard technology platforms as well as devices to be supported.
· Financial institutions should lay clear and elaborate security standards and best practices to prevent vulnerabilities in applications by specifying internal standards that applications should adhere to. For this purpose, Cognizant is creating a security framework for mobile applications that could be leveraged by financial institutions.
The “always-connected” millennials have come to expect virtually everything delivered to them via mobile apps, and payments are no exception. It is important for financial institutions to get their mobile strategy right while minimizing platform operations costs and forge direct relationships with their future customers.
Hari Subramanian is the Technology Partner for one of the strategic business units within our banking and financial services (BFS) vertical. He is responsible for providing technology consulting and solution architecture services to our BFS clients. His mission is to promote technology and thought leadership within our company and to leverage this insight for delivering innovative solutions to our clients in areas such as mobility, SOA, enterprise architecture, cloud computing and user experience. He has more than 22 years of experience in both communications and BFS sectors. Hari can be reached at Harir.Subramanian@cognizant.com.
[1] In-Stat Research: http://www.instat.com/newmk.asp?ID=3012&SourceID=00000501000000000000
[2] In-Stat Research: http://www.instat.com/abstract.asp?id=68&SKU=IN1105000SI, March 2011
[1] http://www.nfctimes.com/project/citi-tap-and-pay
[2] http://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=1902
[3] http://www.ihlservices.com/ihl/product_detail.cfm?page=Store
Mobility in BFS: Why We Should Care ...
With planet Earth expected to be home for about 1 billion smartphones by 2015, mobility is a cornerstone technology of the future of work. And that future, to a large degree, is now.
By Hari Subramanian
With planet Earth expected to be home for about 1 billion smartphones by 2015, mobility is a cornerstone technology of the future of work. And that future, to a large degree, is now. Today’s young professionals – known as “millennials” – expect, if not demand, a high degree of mobile computing in their lives. Very soon, that will mean the convenience of conducting various financial transaction types via smartphones. The graphic below provides additional details on the staggering growth experienced and expected in the area of mobility in general and banking and financial services (BFS) in particular.
Mobility is transforming the way banking and financial services such as mobile payments, mobile money transfers, and mobile banking are offered and consumed. Next to the Internet, mobility is the latest catalyst for disintermediation in the payments value chain as it offers the ability to forge a direct connection with the consumer. BFS institutions can create payment applications as a valuable service for their retail customers. That, in turn, allows retailers to offer the ease and convenience of mobile payments that consumers, led by the millennials, are coming to expect. For financial institutions, mobile payments are also the first point of entry for rural and unbanked consumers in developing markets. Mobile payments have also opened up new opportunities such as micro payments.
For financial institutions that have not yet jumped on the mobile payment bandwagon, the time to develop a coherent, multi-faceted strategy is now. It will be critical for such companies to develop prioritized business scenarios and customer segments for specific mobile BFS applications and come up with appropriate technology choices. These technology choices can also help contain total cost of ownership even though software/ OS platform and device options are proliferating. Security and compliance considerations are likely to limit technology choices.
Payments On-the-Go: Many Options, Much Opportunity
With the explosion in mobile payments, banks and other financial institutions have the opportunity to forge direct relationships with consumers through disintermediation and also reach the under-banked and unbanked segments. However, they need a coherent, multi-faceted mobile strategy that helps them prioritize investment decisions, including which device types to support and how to address thorny technology platform, security and regulatory issues.
By Hari Subramanian
Mobile phones that caught on primarily as instruments of voice communication in the late ‘90s have been transformed into multi-purpose devices that are essential for life and work. There were as many as 174 million smartphones worldwide by 2009; that number is forecast to grow to 1 billion by 2015[1].
Mobility is a cornerstone technology of the future of work. And that future, to a large degree, is now. Today’s young professionals – often called “millennials” – expect a high degree of mobile computing in their lives. Very soon, that will mean the convenience of being able to make payments and complete other financial transactions via the smartphone. Recent research from In-Stat pointed out that there will be as many as 375 million mobile payment users worldwide by 2015[2].
Mobile payment is any form of financial payment for a transaction made using a mobile phone. It may or may not involve the purchase of goods and services. Examples range from an individual paying bills on his smartphone, to an employee in a retail store checking out customers via an iPhone, to a retailer zapping coupons to customers while they are in the store (see Figure 1). Contactless payment is a fast-growing area in emerging markets, where consumers may not have bank accounts but have cell phones.
Disintermediation and Market Share Growth Opportunities
Against this backdrop of steady growth, mobile payments hold significant opportunity for financial institutions.
Next to the Internet, mobility is the new catalyst for disintermediation in the payments value chain, as it offers the ability to forge a direct connection with the consumer.
For example, money transfer operators who rely heavily on networks of agents for funds collection (from the sending consumer) and funds distribution (to the receiving consumer) have found new ways to provide P2P (person-to-person) services using mobile money transfer.
Types of Mobile Payments
| Mobile Payment Type | Description | Current State | Likely Future State |
|---|---|---|---|
| Mobile bill payments and remittances | Consumer-to-business payments. | New applications are emerging but are not yet as popular as online bill payments. | Mobile bill payments and remittances as well as related alerts will be pervasive within retail banking and lending. |
| Mobile person-to-person remittances | Money transfers. | The World Bank estimates that global cross-border payments (created for emerging markets) were at $305 billion as of 2008[3]. Primarily, such services use WAP or SMS for mobile money transfers. | Although WAP and SMS are likely to exist in the future, an increasing proportion of emerging market consumers are likely to adopt smartphone-based applications for mobile remittances by 2015. |
| Mobile reward redemption | Ability to use rewards points as the equivalent of cash to pay for goods. | This is an emerging area; a few mid-size U.S. banks and a large credit card services provider are experimenting with it. | Mobile rewards redemption for any type of purchase at POS terminals will be widespread. Acquirers will settle credit card transactions with merchants while issuers will debit equivalent reward points. |
| Contactless payments | Use of Near Field Communication (NFC)-based phones/tags/wristbands to make payments at NFC-enabled POS terminals. | Several large players including Citi, Visa and Bank of America are conducting NFC-based trials around the world. An NFC trial conducted by Citi Bank in Bangalore, India, during March 2010 found that consumers conduct six times more transactions using contactless methods.[4] | NFC-based contactless payments are likely to gain momentum in Europe as EMV standards and certifications for smartcards are in place already and can be leveraged for NFC. However, it is unlikely to gain momentum in other parts of the world. Note the recent withdrawal of major U.S. carriers. |
| Contactless payments (non-NFC) | Suitable for emerging markets, as unbanked mobile consumers can pay using pre-paid/post-paid accounts. Also useful for SMS confirmations. | Use of mobile phones for payments is gaining popularity in emerging markets. Regulators have taken note of this trend. For example, the Reserve Bank of India (RBI) ruled recently that wireless carriers can hold up to INR 5,000 in escrow against mobile phone payments.[5] | With unique IDs such as India’s MMID (Mobile Money Transfer Identifier), emerging market consumers will use mobile phones as debit cards to pay from pre-paid accounts for micro payments. Applications will support a combination of smartphone and SMS technologies. |
| Mobile POS terminals for small merchants | Field merchants (e.g., plumbers and electricians) can use a mobile phone as a POS terminal to accept credit card payments. | Some well-known companies, including Intuit and Barclays, have released such solutions. There are applications available at the Apple App Store, as well. Some are meant for specific merchant services, while others allow the user to configure any merchant gateway/account. | Mobile POS terminals are likely to reach saturation point in developed markets. Growth in emerging markets will be limited to urban areas. The primary barrier to adoption is likely to be field merchant concerns related to fees. |
| Mobile POS terminals for consumers | Use of a mobile phone as a POS terminal to scan items (using the camera) and check out (without queues). | This is an emerging area of popularity among retailers, according to an IHL Group report. Specialty retailers Apple, Barnes & Noble, Victoria’s Secret and Urban Outfitters have equipped salespeople with iPads/iPhones for checkout to eliminate POS terminals and queues. | Non-NFC versions of this payment application are likely to gain significant momentum in developed markets as they offer significant savings in capital and operations costs related to POS terminals for retailers. |
Figure 1
Financial institutions can create customized payment applications as valuable services for their partners, as well as consumers, by exposing a set of payment services through the mobile Internet in a secure manner. This allows the financial institution to focus on its core competency of payment processing while facilitating innovation in how the payment function is integrated into a myriad of business use cases related to mobile commerce. That, in turn, allows for the proliferation of mobile payment applications while enabling the financial institution to pursue an “ABC Company’s payment processing inside” strategy, similar to the “Intel Inside” strategy successfully adopted by Intel to gain market share for its CPUs within computer hardware.
For financial institutions, mobile payments are also the first point of entry to get closer to the underbanked and unbanked consumers in emerging markets. Many of the citizens in emerging markets don’t have PCs, Internet connections, e-mail accounts or even bank accounts, but they do have cell phones, almost universally. Typically these consumer segments start using money transfer services for cross-border remittances and as they work hard and establish themselves, end up as loyal customers for other banking and lending services.
For financial institutions that have not yet jumped on the mobile payment bandwagon, the time is now to develop a coherent, multi-faceted strategy. The scope of mobile payments is vast, as are the opportunities; you won’t be able to invest in everything. From a technical standpoint, there are crucial decisions to be made related to the device types you will support, as well as the technology platform of choice that minimizes total cost of ownership while maximizing end user experience. And there are significant security and regulatory issues that must be addressed, as well.
Mobile Payment Trends
All types of mobile payments mentioned in the previous section are still evolving, with almost daily developments and announcements from players. Financial institutions are faced with the challenge of picking winning combinations of mobile payment capabilities while resolving other technology and regulatory hurdles. To help you track this fast-changing sector of mobile commerce, we have developed a set of radars that will help you understand emerging technologies and business capabilities.
[Figure 2: radar of emerging business capabilities. Segments: 1. Carrier sponsored payments, unbanked consumers; 2. Banked consumers. Bubbles: Mobile POS Terminal - Consumers; Mobile Coupons/Gifts; Mobile Alerts (Non-SMS); Mobile Rewards Mgmt; Contactless Payments (NFC) - Open Loop; Contactless Payments (Non-NFC); Account Management; Contactless Payments (NFC) - Monopolies.]
Figure 2
These radars track the timing and extent of business impact they are likely to have on your business fundamentals. Timing of trends is classified as emerging, adolescent, and early mainstream. Mainstream trends are not captured in the radar, as they are commonplace already. The extent of impact on your business is characterized by the size of the bubbles that represent the trends (small, medium, large impact), and the nature of the impact is characterized as financial (revenue growth or cost reduction) and market differentiation or customer satisfaction.
We plan to continue tracking developments in this and other related sectors and publish periodic updates to these radars. Figure 2 on the previous page depicts the radar related to emerging business capabilities in consumer financial services in general and mobile payments in particular.
The addition of integrated mobile commerce applications enriches the customer experience by providing an even greater level of convenience. The leading mobile commerce developments we are tracking include the following:
m-Wallets
These are hardware- and software-based identity solutions that retain encrypted card and cardholder-related information. Hardware-based solutions can also house an NFC antenna to transform an ordinary mobile phone into an NFC-compatible device. Data encryption and device management (the ability to wipe out device data in case of theft/loss) are essential.
Mobile payment APIs
These are Web services for payment processing that are exposed by financial institutions. E-commerce partners and third-party application developers can use these APIs to craft novel mobile payment applications. We are seeing an increasing level of interest from several financial institutions in this area. Technology-related concerns regarding performance still prevail, with some adopting JSON-based APIs instead of SOAP-based services. (JSON, or JavaScript Object Notation, is a lightweight protocol alternative to SOAP, or Simple Object Access Protocol, an XML-based messaging protocol frequently associated with Web services.)
Mobile coupons (consumer preference-based or location-based)
These appeal to merchants as well as manufacturers, banks, card issuers and acquirers, as they improve redemption rates. Borrell Associates estimates the market for mobile coupons was $2.7 billion in 2009 but will grow to $57 billion by 2014.[7] Of the 91% of U.S. adults who own a cell phone, 10% use them once a week for location-based services. That number is much higher for iPhone users (63%). More than half of mobile phone users take action on coupons when they are presented, according to a Mobile Marketing Association/Luth Research survey. Retailers can send specific coupons to a customer’s smartphone, depending on where the person is in the store – a coupon for laundry detergent, for example, when the person is browsing in the household cleaners aisle.
NFC Trials Around the World
| Trial | Sponsor | Other Players | Comments |
|---|---|---|---|
| Malaysia (in production) | Maxis | Maybank, Visa payWave, Touch N’ Go Systems, Inc. | Contactless payment solution for mass transit and merchants with Visa payWave terminals. Cognizant was involved in this NFC project. |
| New York City | Visa | Bank of America | Payments trial in N.Y. at select merchant locations. |
| Ireland | AIB Merchant Services (joint venture between First Data Corp. and Allied Irish Banks) | ZAPA Technology Ltd. (contactless payment technology provider) | This is an emerging area; a few mid-size U.S. banks and a large credit card services provider are experimenting with it. |
| U.S. Carriers | Joint venture between AT&T, Verizon, T-Mobile | Barclays, Discover | Effort by large U.S. carriers to position themselves in the mobile payments landscape. |
| India (Citi Tap and Pay) | Citi | — | NFC-based contactless payment trial – 3,000 consumers, 250 merchants, 50,000 transactions. |
Figure 3
Mobile e-receipts
A leading UK-based bank has reportedly laid out plans to leverage cloud technology to distribute e-receipts to mobile phones for contactless transactions. E-receipts that reduce paper costs can be a vital component of a mobile POS application (as depicted in Figure 2). After using a mobile phone to complete the purchase of goods, the retailer or partner facilitating the mobile payment sends an image of the receipt to the mobile phone, complete with barcode and the items purchased. This barcode is not only convenient, but it also serves to verify the authenticity of purchases when the consumer leaves the store or comes back to return any of her purchases.
Challenges in Mobile Payments
Partnerships Among Players
The evolution of mobile payments in the consumer space can be best understood by examining the challenges faced by m-wallet developers. While many players large and small are developing mobile payment applications leveraging m-wallets, a remaining question is whether those m-wallets will host cards from one issuer and one network or multiple issuers and multiple networks. For a consumer, it is simple to slip a credit card from any issuer into their wallet, but it is not quite that simple if they carry an m-wallet.
Support for Multiple Devices
Typically, mobile applications are developed as mobile browser applications (in which the application runs on a mobile Web server, and devices access it through a browser, such as Safari) or as thick-client applications (in which the code is optimized for each device). To reach critical mass, mobile payment must be ubiquitously available on all devices. Fortunately, there are both open source and commercial solutions available to enable the deployment of applications on multiple devices using a single code base. “Write once, deploy anywhere” is the mantra for all these solutions, and many live up to this spirit, to varying degrees. Until recently, enhanced user experience has been possible only by using thick-client applications; mobile browser applications have paled in comparison. However, recent developments such as HTML5 have the potential to challenge the status quo in mobile application development. HTML5 offers the ability to incorporate interactive graphics (for signatures in the browser itself) and use of local device databases, all of which can be accessed from the browser. Although HTML5 is not yet a standard, popular devices such as the iPhone, iPad, Android and Blackberry Torch support it.
Figure 4
Data Security
Data security is an extremely critical aspect of mobile payments: data must be secured on the device, in transit and on the server. Securing data in transit (for example, with TLS) and on the server is well understood; security on the device is still evolving.
Encryption keys can be used to encrypt the contents of the device database. However, the key cannot be stored on the device alongside the data, nor embedded in the HTML5 or JavaScript source: anyone who obtains the device, or simply reads the downloaded source, would recover the key and with it everything it protects.
As a result, techniques such as keys regenerated at login (derived from the user's credentials with a key derivation function rather than stored) or keys supplied on demand by the server need to be employed. There is a trade-off to note: a key derived only from a short PIN can be brute-forced offline by anyone who copies the encrypted database, so the derivation should be deliberately slow and, where the platform provides one, the key should be held in hardware-backed storage. It is also important to avoid storing sensitive information such as actual card numbers, CVV codes and PINs on the device at all (PCI DSS prohibits storing the CVV after authorization anywhere). Another approach is tokenization: the device holds only pseudo account numbers that map to the real card numbers stored on the server, so a compromised device yields nothing that can be used to transact elsewhere.
Fraud in mobile payments is a major obstacle to its adoption by consumers. Security mechanisms such as multifactor authentication must be standard in the design of mobile payment applications. Typically, multifactor authentication binds a registered device to the user (something the user has) and additionally verifies a secret the user must remember (something the user knows), so that neither a stolen handset nor a phished PIN is sufficient on its own.
Looking Ahead
There are several decisions for BFS institutions to consider while formulating their mobile payment roadmap: technology choice, application capabilities, middle/back-office interfaces, regulatory compliance, and security and fraud prevention. To achieve a multi-faceted mobile strategy, financial institutions should consider the following initiatives, customized to their specific context.
Segment the types of consumer you want to address in detail. Take a global view of your business and consider all the markets where you have, or will have, operations. Defining narrow segments with as much precision as possible leads to clarity on which proprietary mobile device platforms to support and to a sound roadmap for mobile payment applications.
Pay particular attention to developments in regulatory standards in the markets in which you want to operate. Not all markets are evolving at the same rate: while lagging behind China in mobile infrastructure, India seems to have taken the lead in regulations related to mobile payments. Similarly, significant differences exist among countries in AML (anti-money laundering) regulations.
Depending on the type of mobile payment services they want to offer, financial institutions need to form the right ecosystem by assembling suitable partners.
Although mobile devices are proliferating, there are still significant differences in the rate of mobile device adoption and the type of devices being adopted around the world. While emerging markets significantly lag developed markets in the widespread availability of mobile Internet and smartphones, they are catching up fast, with some markets leapfrogging developed markets as they have no legacy mobile networks to deal with.
Mobile Web offers the lowest possible total cost of ownership with an acceptable user experience. However, it has serious limitations if the application needs device features such as the camera. Native applications can leverage unique device features, but they increase total cost of ownership because multiple dominant devices in the market must each be supported. We see IT departments expressing a preference for common-denominator application features using mobile Web technology, while business stakeholders prefer native client applications for their superior end-user experience. Depending on the mix of business capabilities to be supported for mobile payments, business and IT departments should cooperate to set standard technology platforms and the devices to be supported.
Financial institutions should follow clear and elaborate security standards and best practices to prevent vulnerabilities in applications, specifying internal standards to which applications must adhere. For this purpose, we are creating a security framework for mobile applications that financial institutions can leverage. The "always-connected" millennials have come to expect virtually everything delivered to them via mobile apps, and payments are no exception. It is important for financial institutions to get their mobile strategy right while minimizing platform operations costs and forging direct relationships with their future customers.
Mobility Trends in Brokerage
Although online trading is extremely popular, mobile trading has not yet gained significant penetration. Nevertheless, important trends such as the emergence of tablets and the rapid increase in the processing power of mobile devices will soon enable the migration of trading to mobile devices. So, we have designed this radar to capture mobility trends related to brokerage and trading.
By Makarand Pande
Trends plotted on the brokerage radar: Mobile Trading, Mobile Alerts (OS based), SMS Alerts, Account Management, Information Services.
Mobility Insights in BFS: Trend Radars
Mobile technologies and applications are evolving on a daily basis. Players are continuously jockeying for position, making aggressive moves and countermoves. As BFS financial institutions extend their services to the emerging mobile channel, they face a multiplicity of questions related to the maturity and evolution of various mobile device platforms and technologies.
By Hari Subramanian
Common inquiries include:
· Is it sufficient to support iPad/iPhone/Android for mobile applications, or do we need to support other legacy devices as well?
· Which device should be supported first: iPhone or another?
· What game-changing mobile devices are emerging next, and how should we gear up for them?
· What are the pros and cons of HTML5? Will it overtake native clients?
· Is there one development approach that supports multiple devices (both mobile Web and thick clients)?
· Are mobile enterprise application platforms from small companies viable? What are big players such as Microsoft and IBM doing?
· Do consumers prefer mobile Web applications or thick-client (native client) applications?
· How are financial institutions leveraging the mobile channel for their business needs?
· What type of experience do consumers want when they switch from one channel to another?
· What are the emerging application trends in various sub-domains within BFS?
We are refining a set of radars to track trends in the mobile marketplace to help us as well as our BFS clients build competitive advantage through deliberate planning to capitalize on upcoming trends. To develop deeper insights on how mobility can impact BFS, we are tracking trends in mobile technologies as well as in business capabilities related to various BFS sub-domains. Results have been captured in various radars such as:
· Mobile technology trends
· Emerging business capabilities and use cases in:
o Mobile payments
o Retail banking and lending
o Capital market services
§ Investment banking
§ Commercial banking
§ Brokerage
§ Asset and Wealth management
As the mobile space evolves, we intend to closely track trends in the aforementioned areas and publish updates to these radars as appropriate.
Word Definitions
HTML5 - The developing version of HTML (HyperText Markup Language), the universal text-based language of the Web. HTML5 promises advancements such as offline use (the ability to use a Web application without a connection to the Web server, using data stored in a local device database) and interactive graphics within the browser itself (no need for add-ons such as Flash).
Native clients - Mobile applications developed using the APIs of the proprietary operating systems on various devices. Such applications offer an attractive look and feel and good performance, but lead to higher total cost of ownership and delays in supporting multiple devices over time.
Mobility Trends in Asset and Wealth Management
Mobility adoption needs in this segment of banking and financial services seem to have a lot in common with those in investment banking. Nevertheless, we have devised a separate radar as it is too early to tell if, how, and when the convergence will happen.
By Makarand Pande
Trends plotted on the asset and wealth management radar: Leads Management, Account Management, Research Information.
Mobility Trends in Investment Banking
Investment banking is among the segments (within banking and financial services) that has been quite aggressive in the adoption of tablet-based applications for the front office. Expect to see a lot more activity in this space in the coming years.
By Makarand Pande
Trends plotted on the investment banking radar: Leads Management, Mobile Alerts, Research Information.
Mobility Trends in Retail Banking and Lending
Retail banks have accumulated a high degree of trust with consumers over the years. For them, mobility can help prevent disintermediation and accelerate business transformation, personalization and competitive advantage to drive customer retention.
By Makarand Pande, Sanjay Garde & Hari Subramanian
Although trends in mobile payments were captured in a separate radar (see previous article), these developments apply equally well to banking and lending institutions. Consumer financial services firms (traditional players such as retail banks, home lenders, card issuers, card acquirers and money transfer operators) are quickly consolidating. They recognize that mobility can help prevent disintermediation and, importantly, enable the delivery of integrated financial solutions.
Trends plotted on the retail banking and lending radar: Loan Origination, Remote Cheque Capture, Mobile Alerts (non SMS), X-Finders, Account Management.
BFS Mobility: Technology Trends

Our technology trends radar seeks to capture major developments in mobile technologies and how they could impact your business. Given the dynamic nature of developments in this space, we will continue to monitor the trends and update this radar, periodically.
By Bala Muthugurusamy, Kaushik Roychowdhary, Vikas Gupta & Moinak Bhattacharya
Although mobile technology trends might apply to all industries, we have focused on those that are more significant from a BFS perspective. The following guidelines were used to select the mobile device platforms, vendors and frameworks analyzed:
» Device platforms that offer mobile application development capabilities relevant for BFS
» Frameworks that offer cross-platform development capabilities
» Platforms offering solutions for banking and financial services that are widely used by BFS institutions
Companies offering packaged solutions / COTS (Commercial off-the-shelf) products remain emergent and churn is likely to be high in this space. So we have captured these in a separate radar on COTS trends in mobility. The following interactive exhibit depicts the radar related to mobile technology trends in BFS.
Although mobile device innovations from Apple, BlackBerry and Google have rocked the consumer and enterprise worlds, they have also contributed to the proliferation of mobile operating systems and thus increased the cost to financial institutions of supporting multiple device platforms. Over the next few years, therefore, we believe that thick client-based applications for these proprietary devices will be limited to special application requirements that demand them. As such, we see three dominant themes arising in mobile Web:
· Mobile Web (especially HTML5) applications with a rich user experience, built from a single code base for mobile devices whose browsers use the WebKit engine (the technology that renders HTML5 on those devices).
· Mobile Web applications that are online-only versions of Websites on mobile devices with support for Flash. Success here would be limited to tablets with larger screens. However, this approach is attractive as it offers the ability to cost-reduce mobile Web development.
· Mobile Web applications on legacy devices that can run HTML versions 3 or 4 or WAP 1 or 2.
New technologies such as Windows Phone 7 (a version of Windows for ARM processor-based mobile devices), Nokia's MeeGo operating system, and trends such as Nokia's recently announced partnership with Microsoft, are still in nascent form, and it would therefore be premature to assess their impact. Some of the technology battles over Adobe Flash support are also still being fought, with manufacturers taking different positions: Apple does not support Flash, while Android Honeycomb, Google's new OS for tablet devices, claims support. We have placed all of these under watch for now and may be able to provide updates in future issues.
Platforms and frameworks plotted on the technology radar: iPhone, Android, iPad, BlackBerry, Symbian, Titanium, Mobile Web, PhoneGap, Sencha Touch, jQuery Mobile, Dojo Mobile, Rhodes, PC-like tablets (Flash support).
How was this radar created?
We evaluated several mobile device platforms and solution frameworks along five high-level criteria (vendor profile, technology offerings, solution offerings, non-functional attributes, and cost/TCO, which also structure the vendor comparison tables that follow), capturing the following parameters:
» Years of availability in market
» Size (as measured by number of employees)
» Number of customers
» Market share
» Location-based service (GPS support)
» Local device storage
» Device movement detection (accelerometer)
» Graphics support
» Processing capabilities
» Support for third- party software (e.g., Flash)
» Security
» Usability
» Performance
» Reliability
» Maintainability
» Development platform features
» Ease of application development
» Cost of application development
» User segments served
» Popularity among end users
» Challenges / limitations
» Cost to end users
All data collected was analyzed and compared before predictions were entered in the radar. The following guidelines were used to enter technology trends in the radar.
» Years in market (number of years plus revenue):
· < 1 year (emerging)
· 1 to 3 years (adolescent)
· 4 or more years (early mainstream)
» Number of customers (user segment and number of users):
· Small: limited evidence that substantiates ability to influence revenue growth, cost reduction, or market reach
· Medium: tangible evidence that substantiates ability to influence revenue growth, cost reduction, or market reach
· Large: significant evidence that substantiates ability to influence revenue growth, cost reduction, or market reach
» Financial impact (revenue growth)
» Financial impact (cost reduction)
» Ability to extend market reach and consumer satisfaction
Word Definitions
WebKit - Open source browser engine, originally from Apple, that is the basis of Safari, Chrome and other HTML5-compatible browsers. It supports advanced HTML rendering capabilities (e.g., interactive graphics, drag and drop) in the browser itself, together with the JavaScript engines built into such browsers.
ARM processor - RISC (Reduced Instruction Set Computer) CPUs that, due to their simplicity and limited instruction set, consume less power than x86 CPUs from Intel, which typically consume more. ARM processors are more suitable for mobile devices and appliances, while x86 processors are better suited to PCs, which have fewer power supply limitations.
Criteria | Antenna | Pyxis
Vendor Profile | http://www.antennasoftware.com/ | http://pyxismobile.com/
Brief Description | The Antenna Mobility Platform™ (AMP) powers the real-time mobile enterprise, a must for today's fast-moving, always-connected and customer-driven world. Delivered as a hosted service, AMP makes going mobile simple, secure and cost effective with end-to-end management and reporting of wireless messages, network connections, users, applications and devices. Antenna's broad portfolio of industry-focused mobile applications streamline and improve processes and can be easily configured to meet unique needs. AMP applications run on any mobile device platform, including Apple iPhone, BlackBerry, Windows Mobile, Windows, Symbian and Google Android. | Pyxis Mobile's platform is composed of three core elements: Application Studio Lab for building, deploying and maintaining applications; the Pyxis Mobile server for integrating data sources, managing security and providing core services such as usage tracking and auditing; and native applications that fully integrate with BlackBerry, iPhone, Android and Windows Mobile devices. Pyxis Mobile's Application Studio Lab features a drag-and-drop interface that does not require coding.
Maturity Level (Years in Market) | 12 | 12
Revenue | N/A | N/A
Number of employees | N/A | 100 to 249
Number of customers | 300 | 250+
Financial Services Customers | Sharebuilder, E*Trade | New York Life, Deloitte, Deutsche Bank, Putnam Investments, The Blackstone Group, Thomson Reuters
Other customers | AT&T, Walmart, Carrier | AT&T
Research (Analyst) Rating | Leaders, MEAP Magic Quadrant, 16 Dec 2009 | Niche Players, MEAP Magic Quadrant, 16 Dec 2009
Industry Association | Unavailable | Unavailable
Technology Partners | Device partners: HP, Microsoft, BlackBerry, Motorola, Palm. SI partners: Accenture, Wipro, Infosys, CSC, TCS, Capgemini | RIM, Apple, Microsoft, Google, Rogers, O2, Oracle, CSC, Infosys
Technology Offerings | |
Multichannel (Device and Application Platform Agnostic) | Yes | Yes
Supported Devices | The mobiScaler runtime allows mobile apps to be built once using the mobiStudio IDE and deployed across multiple smartphone platforms simultaneously. The apps are graphically rich, intuitive to use, and can fully leverage the capabilities of each device, such as taking pictures and videos, GPS, signature capture, click to call and email, and more. | Once configured, applications run natively across BlackBerry, iPhone, Android and Windows Phone devices. Version 7.1 introduces Android and iPad support as well. No custom coding required.
Supported OS | Apple iPhone OS, RIM OS, Microsoft Windows Mobile, Google Android and Symbian | Apple iPhone OS, RIM OS, Microsoft Windows Mobile and Google Android
Tooling/Frameworks | AMP (Antenna Mobility Platform), mobiScaler | Application Studio 7: designing an application is a visual, drag-and-drop experience. Drag data elements from any source onto the workspace and create screens with a single click. Building apps with Pyxis Mobile does not require any hard coding, which cuts development time by as much as 80%.
OpenSource Tools | N/A | N/A
Development Environment / IDE | AMP Studio (version 4.0) has greatly improved as an IDE, covering a wide variety of developers and adding significant application management capabilities. | Application Studio 7 (see Tooling/Frameworks)
Mainstream Language Support Available? | Yes | Yes
Mainstream Languages Supported | Java, .NET | Java ME, .NET CE
Other languages | Objective-C | Objective-C
HTML5 support | |
Deployment Model | Hosted (SaaS) + native: build once, deploy to many | One application, all devices
Deployment Environment | Develop the application model once and automatically generate native applications across multiple device platforms | Once configured, applications run natively across BlackBerry, iPhone, Android and Windows Phone devices. Version 7.1 introduces Android and iPad support as well. No custom coding required.
Solution Offerings | |
Built-in solutions | Yes | Yes
Markets Served | Consumer Packaged Goods, Financial Services, Life Sciences, Manufacturing, Retail and Telecommunications | Financial Services, Health & Life Sciences, Consumer Goods, Manufacturing, Education, Government, Real Estate
Mobile Banking | |
Mobile Payments | |
Mobile Self Care | |
Other Solutions | |
Application Store | |
Email | |
Personal Information Management (PIM) | |
Carrier / Mobile Network Operator (MNO) Partnerships | Yes |
Preload Support with Carriers/MNO | Yes |
Carriers supported | AT&T, Verizon, Sprint, Rogers, Vodafone, Telstra |
Integration with backoffice systems | |
Social Networking Integration | |
Non-Functional Attributes | |
Security | | A few of the key safeguards against data theft provided are: 1. DataGuard: assures that all Pyxis Mobile data on a lost or stolen device is erased completely after a configurable inactivity period. 2. Cache Encryption: assures that all data stored on the device is encrypted and can be read only with a valid login. 3. Real-Time Only: assures that what you determine to be the most critically sensitive data (such as financial records or reports) is available only via over-the-air requests and is never stored on the device.
Usability | |
Performance | |
Scalability | |
Maintainability | |
Cost/TCO | |
License Model | With some customers, we observe a relatively higher long-term TCO for AMP, driven by the combination of slightly larger professional services costs coupled with recurring monthly fees and, in the case of Concert-based solutions, higher-than-industry-average upfront customization costs. (Source: Gartner, MEAP Magic Quadrant, Dec 2009) | Commercial per-user runtime
Benchmark startup cost | |
Hardware and Infrastructure | |
Implementation and Customization | |
Support Model | |
Product Support | |
Product Enhancements | |
References | http://www.antennasoftware.com/customers/overview; Magic Quadrant for Mobile Enterprise Application Platforms, 16 Dec 2009 | Forrester, Define Your Mobile Development Strategy, 24 Aug 2010; Magic Quadrant for Mobile Enterprise Application Platforms, 16 Dec 2009
Criteria | Openstream | M-Com
Vendor Profile | http://www.openstream.com/ | http://www.mcom.co.nz/
Brief Description | Openstream is a leading provider of secure mobile Internet infrastructure platforms and applications. Openstream offers enterprises, service providers and SMB financial institutions worldwide a suite of cost-saving and brand-loyalty-enhancing mobile applications that implement personalized services in a multi-modal environment, using wireless and speech technologies. Openstream's Smart Messaging Platform (SMP) mobilizes businesses and increases productivity by mobile-enabling business-critical data for customers and employees. Openstream offers an innovative multi-modal mobile platform. Built on open W3C and OSGi standards, the platform leverages the Context Delivery Architecture (CoDA), which adapts to the end user's context of consumption, mode and device. Cue-me + Smart Messaging CoDA Platform is the only context-aware multimodal platform, built on open standards, that facilitates single authoring of rich mobile applications that can run on all popular mobile phones, PDAs and tablets in the marketplace. | M-Com is the global leader in mobile banking and mobile payment solutions and is focused on delivering that innovation to consumers in partnership with blue-chip financial institutions: retail banks and payment processors.
Maturity Level (Years in Market) | 12 | 9
Revenue | Unavailable | Unavailable
Number of employees | Unavailable | Unavailable
Number of customers | Unavailable | 42
Financial Services Customers | Unavailable | KeyBank, Fiserv, Rabobank, First Data, ANZ Group
Other customers | Unavailable | Unavailable
Research (Analyst) Rating | Unavailable | Unavailable
Industry Association | Unavailable | Unavailable
Technology Partners | IBM: Openstream is an IBM Business Partner for developing and delivering applications and solutions on IBM Pervasive Computing (PvC) wireless and voice software platforms in the U.S./Canada and Asia/Pacific. Motorola: in partnership with Motorola, Openstream offers its mobile solutions on a variety of Motorola devices and has deployed many field-force solutions on Motorola mobile products. Loquendo: in partnership with Loquendo, Openstream offers cue-me™ multimodal solutions with the Loquendo Automatic Speech Recognition (ASR) and Text-to-Speech (TTS) engine on various smartphone platforms and languages. Motion Computing: as an alliance partner of Motion Computing, Openstream offers several field-force solutions on Motion Computing's ruggedized tablets and mobile devices. BroadSoft: Openstream's alliance with BroadSoft enables service providers to rapidly offer new packet-based telephony services to their customers. | Fiserv, First Data and Microsoft
Technology Offerings | |
Multichannel (Device and Application Platform Agnostic) | Yes | Yes
Supported Devices | Unavailable | Supports device/rendering optimization and maintains a device capabilities database. RenderRight is a proprietary rendering engine that optimizes the presentation, navigation and functionality for each mobile device.
Supported OS | Apple iPhone OS, RIM OS, Microsoft Windows Mobile, Google Android, Symbian and Linux | Apple iPhone OS, RIM OS, Microsoft Windows Mobile and Google Android
Tooling/Frameworks | Openstream's multimodal technology platform is based on Context Delivery Architecture (CoDA) and follows the open standards of the W3C (www.w3c.org) and OSGi (www.osgi.org). Central to the approach is the ability to adapt to the delivery and preference context of users, facilitating interactions that are rich and meaningful. Applications built on this context-aware platform allow user interaction through speech, gesture, type and tap, can be designed to leverage rich context-based interaction and peripheral access, and can adapt to network connectivity, presence and other ambient conditions. | Unavailable
OpenSource Tools | N/A | N/A
Development Environment / IDE | cue-me™ is a context-aware multimodal mobile platform that enables natural interaction with applications in a device-independent way. Users can take advantage of simultaneous multimodality, through the convenience of speech, touch and key press, to interact naturally with applications and be more productive. Cue-me Studio includes Eclipse-based tools for rapidly developing, deploying and managing secure, portable, scalable multimodal mobile applications. | N/A
Mainstream Language Support Available? | Unavailable | Yes
Mainstream Languages Supported | Unavailable | Microsoft C# / .NET
Other languages | Unavailable | N/A
HTML5 support | Unavailable |
Deployment Model | Unavailable | Hosted (ASP, SaaS), downloadable client
Deployment Environment | Unavailable | Windows 2003 / 2005 / 2008 as the operating system; Microsoft SQL Server 2005 / 2008 as the database server; IIS for access to Internet services; any standard industry hardware that supports Windows 2003 / 2005 / 2008
Solution Offerings | |
Built-in solutions | Yes | Yes
Markets Served | Healthcare, Financial Services, Media & Entertainment, Utilities & Transportation | Financial Services (banked segment)
Mobile Banking | Yes |
Mobile Payments | |
Mobile Self Care | |
Other Solutions | |
Application Store | |
Email | SmartMail provides intelligent mobile access to email, contacts directory and calendar. Interaction with SmartMail is multi-modal, providing hassle-free access to the user. SmartMail alerts users based on their alert rules. Users can access SmartMail through any mode or device of their choice to read, reply to, compose and forward emails and attachments. Further, SmartMail integrates with the enterprise contacts directory and enables users to call contacts and fax the attachments. |
Personal Information Management (PIM) | SmartAssistant is a context-aware "mobile virtual personal assistant" that provides intelligent multimodal interaction through a service combining call manager, calendar, alerts, social networking and other custom applications. |
Carrier / Mobile Network Operator (MNO) Partnerships | No |
Preload Support with Carriers/MNO | No |
Carriers supported | N/A |
Integration with backoffice systems | | BankAnywhere's host proxy architecture (a separate proxy or "interface adaptor" for each integration requirement) abstracts the code for each integration point outside BankAnywhere's core software.
|
Social Networking Integration
|
M-Com has successfully integrated into over 20 core or host systems, including those provided by: Oracle / i-Flex Fidelity Fiserv Temenos Harland Infosys Jack Henry First Data and others, including numerous business intelligence, risk / fraud management, CRM, authentication, preference / identity management solutions. | |
|
Non-Functional Attributes
|
||
|
Security
|
At a high level, M-Com's products offer the following security safeguards: Authentication. Mobile banking end-customers and administrative users are authenticated for every interaction with any M-Com application. Authentication can be by username / password or utilize single sign-on technologies. |
|
|
Usability
|
||
|
Performance
|
||
|
Scalability
|
||
|
Maintainability
|
||
|
Cost/TCO
|
||
|
License Model
|
||
|
Benchmark startup cost
|
||
|
Hardware and Infrastructure
|
||
|
Implementation and Customization
|
||
|
Support Model
|
||
|
Product Support
|
||
|
Product Enhancements
|
||
|
References
|
Not available | Gartner : Competitive Landscape: Mobile Payment Vendors, Worldwide, 2010 - 16 Mar 2010 |
|
Criteria | Clairmail | Kony |
Vendor Profile | http://www.clairmail.com/ | http://www.konysolutions.com/ |
Brief Description | ClairMail is the leading provider of mobile solutions for banking, payment and card services. ClairMail provides a technology platform designed to help financial institutions realize the strategic potential of mobile banking, driving new levels of customer trust and loyalty, facilitating cross-sell opportunities and enabling near-term, measurable cost savings. Financial institutions of all sizes now have an opportunity to reach 100% of their customer base and proactively deliver personalized content through multi-level alerting and triple-play convergence capabilities via a central customer interface. ClairMail's platform also offers multi-channel enrollment options to maximize mobile adoption and ROI, regardless of mobile device, carrier or back-end financial system. | The Kony Mobile Application Platform enables a mobile application to be designed and developed just once, in a device-independent manner, and deployed across multiple channels and mobile operating systems. By using a single application definition and code base, companies can drastically reduce development time and cost, thereby increasing ROI for each application launched. |
Maturity Level (Years in Market) | 6 | 3 |
Revenue | N/A | $15 to $29 million |
Number of employees | N/A | 100 to 249 |
Number of customers | 40 | 24 |
Financial Services Customers | PNC Bank, BB&T, Bank of the West, City Bank Texas, USA Federal Credit Union | Unavailable |
Other customers | Unavailable | Unavailable |
Research (Analyst) Rating | N/A | N/A |
Industry Association | Unavailable | CTIA - The Wireless Association® is an international nonprofit membership organization that has represented the wireless communications industry since 1984. Membership in the association includes wireless carriers and their suppliers, as well as providers and manufacturers of wireless data services and products. The GSMA represents the interests of the worldwide mobile communications industry. Spanning 219 countries, the GSMA unites nearly 800 of the world's mobile operators, as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, Internet companies, and media and entertainment organizations. The GSMA is focused on innovating, incubating and creating new opportunities for its membership, all with the end goal of driving the growth of the mobile communications industry. |
Technology Partners | VISA: ClairMail and Visa signed a development and deployment agreement which allows ClairMail to integrate Visa mobile services into the mobile banking and payments infrastructure that ClairMail provides to leading financial institutions. Diebold will distribute and provide managed services for ClairMail's mobile banking and payments platform, which can be deployed either on-premise or as a managed service. Others include Fidelity National Information Services, WAUSAU Financial Systems, TELUS, MiSys, Mitek Systems, ebpSource, CashEdge, MBlox, Verisign and Attevo. | Apple, RIM, Microsoft |
Technology Offerings | | |
Multichannel (Device and Application Platform Agnostic) | Yes | Yes |
Supported Devices | The ClairMail platform provides an intelligent layer of page renderers which use real-time device detection and an extensive database of device capabilities to provide the best possible experience for each device (including specialized devices like the iPhone, where it renders an "application-quality" result). | Intelligent device detection and optimization with a database of over 8,000 combinations of devices, operating systems and mobile Web browsers. |
Supported OS | Apple iPhone OS, RIM OS, and Google Android | Apple iPhone OS, RIM OS, Microsoft Windows Mobile, Symbian Foundation, Google Android, Oracle Java ME, QUALCOMM's Binary Runtime Environment for Wireless (BREW), and Linux |
Tooling/Frameworks | Unavailable | Kony Studio, Kony Mobile Server and Kony Extensible Clients |
OpenSource Tools | N/A | Unavailable |
Development Environment / IDE | Unavailable | Kony Studio is an integrated development environment (IDE) for rapid development and deployment of mobile applications. It is provided as a plug-in to Eclipse, an open-source environment. |
Mainstream Language Support Available? | Unavailable | Yes |
Mainstream Languages Supported | N/A | Java |
Other languages | Unavailable | Unavailable |
HTML5 support | Yes | |
Deployment Model | SMS, Mobile Web and Downloadable Client | Write Once, Run Everywhere |
Deployment Environment | Unavailable | Kony Solutions supports direct distribution of mobile applications from the Kony Mobile Application Platform (Kony or client data centers), as well as through specific application stores like iTunes, Android Marketplace etc. |
Solution Offerings | | |
Built-in solutions | | |
Markets Served | Financial Services - Banks, Credit Unions, Card Services and Payments | Airlines, Auto Rentals, Hotels, Financial Services, Automotive, Retail, Media |
Mobile Banking | With ClairMail's multi-channel enrollment, financial institution customers can sign up for mobile banking via online, contact centers, branches, ATMs and directly on mobile phones, allowing financial institutions to achieve 100 percent coverage. | Kony Mobile Banking is available as a hosted mobile software application. |
Mobile Payments | Same as above in Mobile Banking | |
Mobile Self Care | Unavailable | |
Other Solutions | | |
Application Store | No | Unavailable |
Email | | |
Personal Information Management (PIM) | | |
Carrier / Mobile Network Operator (MNO) Partnerships | No | |
Preload Support with Carriers/MNO | No | |
Carriers supported | N/A | |
Integration with backoffice systems | | |
Social Networking Integration | Unavailable | Yes: Facebook, Twitter, LinkedIn and most other Web 2.0 communities |
Non-Functional Attributes | | |
Security | The ClairMail System employs a multi-layered approach to ensure maximum security. These layers include: Validated Identity: A customer using ClairMail must enroll his mobile device with the financial institution (FI) offering the service. The point of enrollment provides the mechanism to authenticate the customer before enrolling the mobile phone number, thereby establishing a "trusted path" of communication between the FI and its customer. Once a customer is authenticated, the mobile device is uniquely identified and associated with the customer. This relationship is maintained as part of the customer's mobile profile in the ClairMail solution. Multifactor Authentication: ClairMail's transaction-level, multifactor authentication system is designed to meet and exceed FFIEC requirements. "Something I have" (the first factor) is the enrolled mobile device itself. "Something I know" (the second factor) is a PIN or a one-time password. This authorization can occur out-of-band for an additional level of security. Escalating Authentication: The ClairMail System supports automatic, escalated authentication or authorization. Higher-risk transactions, such as transfers over an FI-specified or customer-specified threshold amount or between specific accounts, take advantage of this escalation. Out-of-Band Authentication: For added security, escalated authentication can cross communication channels to perform out-of-band verification of a transaction. Depending on the use case, this dial-back may use an outbound IVR call requesting a PIN, a WAP push message to accept a PIN or password over an SSL-secured connection, a voice call from a customer service representative, or a secure push notification (e.g. Apple iPhone APNS). Anti-Tampering Technology: By definition, the mobile Web server is open to the Internet and must be protected from attacks. The ClairMail mobile Web solution always uses encrypted HTTPS sessions and further increases security with its anti-tampering technology, including SMS "dial-back", Apple Push Notification Service, Message Authentication Codes (MACs), URL parameter validation, form data validation and session ID timeout. Delegated Authentication: The FI can opt for the ClairMail solution to delegate authentication to the FI's existing authentication system. This is good practice when the FI has centralized control over the customer's credentials, including password policies and procedures for managing lost credentials. Extended Authentication: The ClairMail solution can integrate with risk-based authentication systems in place at the FI, such as RSA/Passmark and Voyager IA. This provides stronger device identification and mutual authentication to assure the customer that he is connected to the FI's website rather than a phishing site. Confidential Data Protected: The ClairMail solution never transmits or stores any confidential data on customer devices and ensures that all private information sent shields personal details. Customer-defined nicknames, masked account numbers and other measures ensure that the device never contains more information than can be found on a typical ATM receipt. Encryption: ClairMail implements encryption throughout the solution. For all data in flight, ClairMail uses multiple encryption techniques, including SSL, HTTPS and WS-Security. All operations and transactions conducted in the ClairMail solution are logged beginning-to-end and migrated to a reporting database to provide a complete audit trail. | Comprehensive data encryption using application-level authentication and industry-standard mechanisms such as SSL, multi-factor authentication, OFX, PKI and symmetric ciphers; PCI certified. |
Usability | | |
Performance | | |
Scalability | | |
Maintainability | | |
Cost/TCO | | |
License Model | Per application, licensing of platform, subscription of hosted/management services | |
Benchmark startup cost | $150,000 to $1 million | |
Hardware and Infrastructure | | |
Implementation and Customization | | |
Support Model | | |
Product Support | | |
Product Enhancements | | |
References | Gartner - Competitive Landscape: Mobile Payment Vendors, Worldwide, 2010 - 16 Mar 2010 | Forrester - Define Your Mobile Development Strategy: 24 Aug 2010 |

Criteria | Firethorn | Sybase |
Vendor Profile | http://www.firethorn.com/ | http://www.sybase.com/mobileservices/ |
Brief Description | The Firethorn Mobile Commerce Platform is the definitive banking, payments and commerce solution for the present and future generation of mobile services. The preloaded application is easy to find and use to access account information or offers, eventually including other services such as coupons, loyalty programs and gift cards. Global reach via the parent company Qualcomm's global presence. | The global leader in mobile messaging and mobile commerce services. Sybase 365 pioneered mobile messaging interoperability, mobile content delivery, mobile commerce services (mBanking, mPayments, mRemittance) and mobility applications (mCRM, mMarketing), and remains the unrivalled global leader for SMS and MMS. (NYSE: SY) |
Maturity Level (Years in Market) | 9 | 9+ |
Revenue | | 2009 revenue: $1.2B (Sybase), $15.3B (SAP). Sybase was purchased by SAP in 2010. |
Number of employees | over 4,500 employees in 60 countries | |
Number of customers | 60 | 200+ |
Financial Services Customers | 1st Bank, Bancorp South, First National Bank, SunTrust, USAA, U.S. Bank | Citi, HSBC, Western Union, MasterCard, ICICI, BBVA, ING, PayPal, IXE, Compass Bank (U.S.), paybox Austria, Vodafone and O2 Germany, MoneyBoxAfrica, Royal Bank of Canada, Vodafone Egypt, RedFacil Chile, A1 Vodafone and paybox Austria, Celcom Malaysia, Phone1 (U.S.), Globe Philippines, Maxis Malaysia, etc. |
Other customers | Unavailable | |
Research (Analyst) Rating | N/A | Leaders: MEAP Magic Quadrant, 16 Dec 2009 |
Industry Association | Unavailable | |
Technology Partners | Unavailable | |
Technology Offerings | | |
Multichannel (Device and Application Platform Agnostic) | Yes | Yes |
Supported Devices | Supports about 400 phone models | |
Supported OS | Apple iPhone OS, RIM OS, Microsoft Windows Mobile, Google Android, etc. | |
Tooling/Frameworks | | |
OpenSource Tools | None | |
Development Environment / IDE | N/A | Java app, but not sure about IDE |
Mainstream Language Support Available? | N/A | Java |
Mainstream Languages Supported | N/A | Java |
Other languages | N/A | |
HTML5 support | N/A | |
Deployment Model | Hosted solution / preload, downloadable client | Write Once, Run Anywhere |
Deployment Environment | Firethorn uses a hosting model to provide mobile banking services to its clients. | |
Solution Offerings | | |
Built-in solutions | Yes | |
Markets Served | Financial Services, Wireless Carriers, Retailers | Financial Services, banks, Wireless Carriers, Airlines, etc. |
Mobile Banking | Firethorn uses a hosting model to provide mobile banking services to its clients. It partners with major mobile carriers in the U.S. to preinstall software clients on mobile phones as a way to distribute its services. Consumers can access multiple accounts with different financial institutions through the client on the phone, with a single login password. The service can also give access to over 3,500 financial institutions in the U.S. to check account balances and history. Firethorn focuses on the client approach (either preinstalled or downloaded), which the company believes provides a better user experience and security than SMS. It currently supports about 400 phone models. Firethorn also supports SMS access to check account balances and history, for users that demand only basic account information. | mBanking: account balances; transaction history; account details; card management; PIN management; complaints management; notifications/alerts for account activity or threshold alerts; user preferences such as languages or limits. mRemittance: manage a friends-and-family list; buy a remittance voucher online, at an agent or in any retail location; money transfer from an agent, a wallet or an account; remittance to an agent, a wallet or into an account; ATM cash-outs without a card; airtime transfer across borders. |
Mobile Payments | None | |
Mobile Self Care | | |
Other Solutions | | Sybase SMS 365 - provides focused solutions to meet the SMS needs of virtually any operator around the world. Sybase IPX 365 - gives mobile operator customers access to all of their services, with any device, over any network connection. Sybase MMX 365 - creates a geographically diverse, multi-nodal MMS ecosystem that offers connectivity to almost 300 operators around the world. Sybase Operator Analytics 365 - offers service providers unparalleled visibility into their off-network message traffic. Sybase GRX 365 - allows mobile operator subscribers to roam across multiple operators and still access their home network data services. mCRM suite - combines advanced customer engagement tools, including comprehensive reporting and tracking, with the power and reach of the mobile phone. Mobile Marketing - helps you create and execute innovative mobile marketing programs with powerful, yet easy-to-use tools. It can also be offered as a stand-alone solution for companies looking for very specific mobile marketing functions or campaigns. |
Application Store | | |
Email | | |
Personal Information Management (PIM) | | |
Carrier / Mobile Network Operator (MNO) Partnerships | Yes | Yes |
Preload Support with Carriers/MNO | Yes | |
Carriers supported | AT&T, Verizon Wireless, MetroPCS, Alltel Wireless, Cellular South, Sprint | 900 global operators |
Integration with backoffice systems | | Sybase mBanking 365 includes out-of-the-box connectors to transfer information to the back-end banking system using Web services, the OFX protocol, and the ISO 8583 protocol. However, you can configure mBanking 365 to use other communication mechanisms, including your own custom or proprietary methods. |
Social Networking Integration | No | |
Non-Functional Attributes | | |
Security | End-to-end Security: Firethorn's PCI DSS compliant environment implements the following security measures to help protect the safety and security of financial data: end-to-end data encryption; physical and logical data center security; fraud detection and monitoring. In addition, Firethorn is one of only a few companies to receive ISO 27001 certification. ISO 27001 is an internationally recognized standard that requires organizations to maintain and continuously improve a formalized information security management system that identifies, manages, and minimizes information security risks. Mobile Handset Security: Firethorn has implemented a variety of security measures that are activated on the mobile phone itself to protect consumer data, including: PIN authorization and lockout; multi-factor authentication for regulatory compliance; deactivation in the event of theft or loss; encryption of locally stored data; secure registration of mobile phones. | Security requires multiple safeguards at 4 levels: the physical location, network, transaction, and user. Sybase 365 supports multiple mobile channels, including SMS, mobile browser, downloadable client and USSD, and it works for all mobile phones, networks and with all languages and currencies. Security technologies or approaches used: activation code, company ID, challenge question, account lockout, security session timeout, PIN, out-of-band authentication, second-factor authentication (2FA) using IVR or WAP. All SMS transactions apply GSM encryption (A3 algorithm and A8 encryption), asymmetric cryptography with 2048-bit keys, HTTPS/SSL, mobile personal id number (MPIN) using RSA and AES, Application Personal Id Numbers (APINs), One Time PIN (OPIN) via SMS. MSISDN device authentication, device registration, device verification. Compliance certifications: SAS70, ISO27001, PCI, 3DES, PCI-DSS, FIPS. |
Usability | | |
Performance | No benchmark provided. | |
Scalability | Good at handling large volumes. No benchmark provided. | |
Maintainability | | |
Cost/TCO | | |
License Model | | (from Sybase365 sales rep) Both perpetual and right-to-use (RTU) software license models. The perpetual option has an unlimited number of users and is a one-time charge, while the RTU model is priced based on user bands and charged on an annual basis. Depending on features/functionality from an mBanking perspective, budgetary pricing is as follows: perpetual license starts at $400k; RTU license user bands: 0 – 25,000: $75,000 USD; 25,001 – 100,000: $200,000 USD; 100,001 – 250,000: $250,000 USD; 250,001 – 1,000,000: $350,000 USD. Standard annual support is 22% of the license fees. |
Benchmark startup cost | | |
Hardware and Infrastructure | | |
Implementation and Customization | | |
Support Model | | |
Product Support | | |
Product Enhancements | | |
References | Gartner: Competitive Landscape: Mobile Payment Vendors, Worldwide, 2010 - 16 Mar 2010 | Forrester: Define Your Mobile Development Strategy - 24 Aug 2010 |

Criteria | Fundamo | Temenos (FE-Mobile) |
Vendor Profile | http://www.fundamo.com/ | http://www.fe-mobile.com/ http://www.temenos.com |
Brief Description | | Temenos acquired FE-Mobile in May 2010 to accelerate expansion into mobile banking. Temenos is listed on the Swiss Stock Exchange (SIX: TEMN). FE-Mobile enables banks to offer services over three distinct mobile channels: SMS, XHTML browser and smart client application. |
Maturity Level (Years in Market) | 10 | 8 |
Revenue | | |
Number of employees | | |
Number of customers | 50+ deployments | |
Financial Services Customers | | |
Other customers | | |
Research (Analyst) Rating | | |
Industry Association | Fundamo is a member of the SUN "Independent Software Vendor" program. As a part of the program, Fundamo provides core technologies on Sun software platforms and using Sun software technology. | |
Technology Partners | | |
Technology Offerings | | |
Multichannel (Device and Application Platform Agnostic) | | |
Supported Devices | | |
Supported OS | | |
Tooling/Frameworks | | |
OpenSource Tools | | |
Development Environment / IDE | | |
Mainstream Language Support Available? | | |
Mainstream Languages Supported | | |
Other languages | | |
HTML5 support | | |
Deployment Model | | |
Deployment Environment | | |
Solution Offerings | | |
Built-in solutions | | |
Markets Served | | |
Mobile Banking | | |
Mobile Payments | | |
Mobile Self Care | | |
Other Solutions | | |
Application Store | | |
Email | | |
Personal Information Management (PIM) | | |
Carrier / Mobile Network Operator (MNO) Partnerships | | |
Preload Support with Carriers/MNO | | |
Carriers supported | | |
Integration with backoffice systems | | |
Social Networking Integration | | |
Non-Functional Attributes | | |
Security | | |
Usability | | |
Performance | | |
Scalability | | |
Maintainability | | |
Cost/TCO | | |
License Model | | |
Benchmark startup cost | | |
Hardware and Infrastructure | | |
Implementation and Customization | | |
Support Model | | |
Product Support | | |
Product Enhancements | | |
References | | |
|
Security Concern | ID | Vulnerabilities / Threats | Solution: Best Practice | Solution: Standards | Solution: Product |
Authentication | AUN-1 | User registration | 1. Before accessing the native app, the user has to register. The registration process captures the user's details and device details, and the server goes through the device identification steps described below. | NA | NA |
| AUN-2 | Device authentication | 1. Device identification: each device is assigned a device ID (either the IMEI number or a server-generated value) which can be included in every request (using local storage). | Digital certificates, PKI | OpenSSL, OAuth |
| AUN-3 | Server authentication | 1. Use of SSL for secured communication with the server. | Digital certificates, PKI | OpenSSL, OAuth |
| AUN-4 | Loss of device | When the device is lost, the device ID assigned to it can be blocked on the server, preventing further application access from that device. Sensitive data can also be deleted remotely. | Remote data | |
| AUN-5 | Theft of password | 1. Multifactor authentication | One-time password (OTP) | RSA mobile software |
| AUN-6 | Critical transaction handling | Critical (high-value) transactions can be authenticated by requiring a one-time password delivered through a secondary channel (e-mail or SMS). | SMS, e-mail | |
| AUN-7 | Forgot password | 1. A new password can be requested online after verifying the user through secret questions, and is sent by e-mail or SMS. | | |
| AUN-8 | Malicious activities | 1. A proper audit trail and logging should be in place so that each transaction can be identified. | | |
| AUN-9 | User entering secure bank information | 1. The merchant and user register with a trusted third party, which offers additional protection without requiring the user to enter bank information directly; the user instead supplies a username/password and security code. | Verisign V.I.P. or PayPal | Verisign V.I.P. or PayPal |

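Added example, not part of the article's framework or any vendor's product: a server-side sketch of AUN-2, AUN-4 and AUN-6 together, binding a server-generated device ID to the user, blocking it when the device is reported lost, and requiring a single-use, time-limited one-time password for transfers above a threshold. The threshold, OTP lifetime, in-memory stores and the delivery callback are constructed for illustration.

```python
"""Added example (not from the article or any vendor): device binding (AUN-2),
blocking a lost device (AUN-4) and step-up OTP for high-value transactions (AUN-6).
The threshold, OTP lifetime, in-memory stores and the delivery callback are
constructed; a deployment would send the OTP over the secondary channel the
table names (SMS or e-mail) and persist the registry."""
import hashlib
import hmac
import secrets
import time

HIGH_VALUE_THRESHOLD = 1000.00   # assumed FI-specified threshold (AUN-6)
OTP_TTL_SECONDS = 120            # constructed lifetime for a delivered code


class DeviceRegistry:
    """Device IDs issued at registration (AUN-1/AUN-2) and blocked on loss (AUN-4)."""

    def __init__(self):
        self._devices = {}   # device_id -> {"user": str, "blocked": bool}

    def register(self, user):
        # A server-generated random ID rather than an IMEI: it cannot be derived
        # from the handset and can be revoked without touching the hardware.
        device_id = secrets.token_urlsafe(16)
        self._devices[device_id] = {"user": user, "blocked": False}
        return device_id

    def block(self, device_id):
        """Called when the customer reports the device lost (AUN-4)."""
        if device_id in self._devices:
            self._devices[device_id]["blocked"] = True

    def is_trusted(self, user, device_id):
        rec = self._devices.get(device_id)
        return rec is not None and rec["user"] == user and not rec["blocked"]


class StepUpAuthenticator:
    """Issues and verifies single-use, time-limited OTPs for critical transactions (AUN-6)."""

    def __init__(self, clock=time.time):
        self._pending = {}   # txn_id -> (sha256(otp), expires_at)
        self._clock = clock

    def issue_otp(self, txn_id):
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self._pending[txn_id] = (digest, self._clock() + OTP_TTL_SECONDS)
        return otp

    def verify_otp(self, txn_id, otp):
        # One attempt per issued code: a wrong or late guess discards it and forces re-issue.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(otp.encode()).hexdigest())


class TransferService:
    """Decides a transfer request: 'denied', 'otp_required' or 'approved'."""

    def __init__(self, registry, stepup, deliver):
        self._registry = registry
        self._stepup = stepup
        self._deliver = deliver   # callback that sends the OTP over the secondary channel

    def request(self, user, device_id, txn_id, amount, otp=None):
        if not self._registry.is_trusted(user, device_id):
            return "denied"   # unregistered, blocked, or another user's device (AUN-2/AUN-4)
        if amount > HIGH_VALUE_THRESHOLD:
            if otp is None:
                self._deliver(user, self._stepup.issue_otp(txn_id))
                return "otp_required"
            if not self._stepup.verify_otp(txn_id, otp):
                return "denied"
        return "approved"


if __name__ == "__main__":
    outbox = []
    registry = DeviceRegistry()
    dev = registry.register("alice")
    svc = TransferService(registry, StepUpAuthenticator(), lambda u, o: outbox.append(o))
    print(svc.request("alice", dev, "t1", 500.00))              # approved
    print(svc.request("alice", dev, "t2", 5000.00))             # otp_required
    print(svc.request("alice", dev, "t2", 5000.00, outbox[-1]))  # approved
```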
Security Concern | ID | Vulnerabilities / Threats | Solution: Best Practice | Solution: Standards | Solution: Product |
Authorization | AUT-1 | Improper Access Control: when access control checks are not applied consistently, or not at all, users are able to access data or perform actions that they should not be allowed to perform. | Use role-based access control (RBAC). | OAuth | |
| AUT-2 | Direct Request ('Forced Browsing'): the application fails to adequately enforce appropriate authorization on all restricted URLs, scripts or files. | Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files. | | |
| AUT-3 | Access Control Bypass Through User-Controlled Key: the authorization process does not properly check the data access operation to ensure that the authenticated user performing it has sufficient entitlements, so a user-supplied key bypasses any other authorization checks present in the system. | Use encryption to make it more difficult to guess other legitimate values of the key, or associate a digital signature with the key. | | |
| AUT-4 | Incorrect Permission Assignment for Critical Resource: when a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the disclosure of sensitive information or the modification of that resource by unintended parties. | Reduce the possibility by carefully defining distinct user groups, privileges and/or roles. Map these against data, functionality and the related resources, then set the permissions accordingly. | | |
| AUT-5 | Exposed Dangerous Method or Function: an API exposed unintentionally outside the application boundary. | Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. | | |
| AUT-6 | Remote access to services: lack of proper authorization. | Use the WS-Security specification to address web service security. | | |

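Added example, not from the article: AUT-1 and AUT-3 applied on the server side. The account reference handed to the mobile client is opaque and HMAC-signed (the "digital signature with the key" the AUT-3 row suggests), and the hardened lookup still re-checks the authenticated user's role and ownership against the record itself. The key, role model and account store are constructed placeholders.

```python
"""Added example (not from the article or any vendor): a signed account reference
(AUT-3) plus role and ownership checks (AUT-1), next to the unchecked lookup it
replaces. SERVER_KEY, ROLE_PERMISSIONS and ACCOUNTS are constructed placeholders."""
import base64
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key-not-for-production"   # placeholder key
TAG_LEN = 32   # SHA-256 tag length in bytes

# Constructed role model (AUT-1): which actions each role may perform
ROLE_PERMISSIONS = {
    "customer": {"view_balance", "transfer"},
    "csr": {"view_balance"},          # customer-service representative: read only
}

# Constructed account store: account number -> owner and balance
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500.00},
    "1002": {"owner": "bob", "balance": 900.00},
}


def is_permitted(role, action):
    """Role check (AUT-1): unknown roles get no permissions."""
    return action in ROLE_PERMISSIONS.get(role, set())


def issue_reference(user, account_no, key=SERVER_KEY):
    """Opaque reference bound to (user, account) and sealed with an HMAC tag (AUT-3)."""
    payload = f"{user}:{account_no}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def resolve_reference(user, ref, key=SERVER_KEY):
    """Account number if the tag verifies and the reference belongs to user, else None."""
    try:
        raw = base64.urlsafe_b64decode(ref.encode())
    except ValueError:              # includes binascii.Error on bad padding
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                 # tampered or forged reference
    bound_user, _, account_no = payload.decode(errors="replace").partition(":")
    if bound_user != user:
        return None                 # someone else's reference replayed in this session
    return account_no


def get_balance_unsafe(account_no, accounts=ACCOUNTS):
    """Vulnerable form: the client-supplied account number is trusted as-is (AUT-3)."""
    rec = accounts.get(account_no)
    return rec["balance"] if rec else None


def get_balance(user, role, ref, accounts=ACCOUNTS, key=SERVER_KEY):
    """Hardened form: role check, signed reference, then ownership check on the record."""
    if not is_permitted(role, "view_balance"):
        return None
    account_no = resolve_reference(user, ref, key)
    if account_no is None:
        return None
    rec = accounts.get(account_no)
    # The signature stops tampering; the ownership lookup is the authoritative entitlement check.
    if rec is None or rec["owner"] != user:
        return None
    return rec["balance"]


if __name__ == "__main__":
    ref = issue_reference("alice", "1001")
    print(get_balance("alice", "customer", ref))   # 2500.0
    print(get_balance("bob", "customer", ref))     # None: reference is bound to alice
    print(get_balance_unsafe("1002"))              # 900.0 with no check at all
```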
Security Concern |
ID |
Vulnerabilities / Threats |
Solution |
||
|
Best Practice |
Standards |
Product |
|||
|
Sensitive information management |
SIM-1 |
Lost and Stolen Devices: Vulnerability |
Enforced Password |
Gesture
Recognition |
VIP Access for Mobile |
|
SIM-2 |
In device data stored by one application can be accessed by
another if penetrated. So once a malicious application gets installed the
complete data is available and vulnerable to loss or misuse. |
1. Application specifc certificate used for data encryption. |
PCI Data Security |
|
|
|
SIM-3 |
Accessibility of offline data / browser cache / HTML5 local
storage. |
Tighter plug-in control |
|
|
|
|
SIM-4 |
Device Local Storage: Storing sensitive information on device might enable attacker to access it if the information is not properly secured. |
One simple approach is never store sensitive/user information on
device. This simple approach is being practiced by Wells Fargo as well |
PCI DSS |
|
|
|
SIM-5 |
Cross site scripting: Aims to steal sensitive information, The server replies back the input with checking and that enables XSS type attack |
Server Side: Validate input , take special care in replying , avoiding special character display |
OWASP |
|
|
|
SIM-6 |
SQL Injection: The backend system is being attacked throuhg SQL
statements as inputs |
Server Side: Validating input , using stored procedure, avoiding dynamic query formation are the standard practice. |
OWASP |
|
|
|
SIM-7 |
Disable HTTP TRACE in Web server |
OWASP |
|
||
|
SIM-8 |
Buffer Overflow: The attacked can pass huge data to Server and cause corruption of Web stack if the server code is not written properly; XML Parser Overflow/Large Pay load |
This can be taken care by appropriate size checking on user inputs and code review |
OWASP |
|
|
|
SIM-9 |
Application DoS Attack: This is one of the difficult attack and hard to identify. There is no reliable way to tell where an HTTP request is from, it is very difficult to filter out malicious traffic. |
Consume very minimun resource for each user and use very less data in Session. Avoid using resource for unathenticated user |
OWASP |
|
|
|
SIM-10 |
Data Injection Flaw: Mailicious data or code can be injected along with user submitted data due to weakness in mobile data input environment. |
Stringent and thorough validation of all the inputs on the server-end can be used as a check for this vulnerability |
|
|
|
|
SIM-11 |
Bluetooth Exploits : Bluesnarfing: This is unauthorized access of information through a bluetooth connection. This allows access to a calendar, contact list, emails and text messages, and on some phones users can copy pictures and private videos. |
This weakness has been patched by the bluetooth standard. Currently available programs must allow connection and to be 'paired' to another phone to copy content. There seem to be no available reports of phones being Bluesnarfed without pairing, since the patching of the Bluetooth standard |
NIST Guide to Bluetooth Security |
|
|
|
SIM-12
Vulnerability / Threat: Bluetooth Exploits: Bluebugging: the process by which a skilled hacker accesses a victim's cell phone commands over Bluetooth without the owner's knowledge or permission. Bluebugging allows the hacker to make phone calls, eavesdrop on phone conversations, connect to the Internet, and read and write contacts and calendar events. For this to happen, however, the hacker must be within a 30-foot radius of the intended victim's phone.
Best Practice: Since bluebugging happens only within a limited distance, it is best to advise users to switch off Bluetooth in public places such as coffee shops, restaurants, subways and parks, where a hacker can do this unnoticed.
Standards: NIST Guide to Bluetooth Security

SIM-13
Vulnerability / Threat: Symmetric Keys for SSL: when using symmetric algorithms, both parties share the same key for encryption and decryption. To provide privacy, this key needs to be kept secret; once somebody else learns the key, it is no longer safe.
Best Practice: It is best to use asymmetric keys. Asymmetric algorithms use pairs of keys: one is used for encryption and the other for decryption. The decryption key is typically kept secret and cannot be reconstructed from the public key.

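The SIM-8 size check and the SIM-10 server-side validation, worked through as an added example that is not part of the article: a guard for a constructed transfer request that refuses oversized bodies before any parser runs and then allow-lists every field. The field names, the 4096-byte limit, the account-number format and the amount ceiling are assumptions.

```python
"""Server-side guards for SIM-8 (oversized payloads) and SIM-10 (injected data).
Added example, not the article's code; fields and limits below are assumed."""
import json
import re
from decimal import Decimal, InvalidOperation

MAX_BODY_BYTES = 4096                             # assumed request size limit
ACCOUNT_RE = re.compile(r"[0-9]{8,16}")           # assumed account-number format
MEMO_RE = re.compile(r"[A-Za-z0-9 .,-]{0,40}")    # allow-list: no quotes, tags or ';'
MAX_AMOUNT = Decimal("1000000.00")                # assumed single-transfer ceiling
EXPECTED = {"from_account", "to_account", "amount", "memo"}

class RejectedRequest(ValueError):
    """Raised when a guard fails; the message is safe to write to a log."""

def validate_transfer(raw: bytes) -> dict:
    """Return a cleaned transfer request or raise RejectedRequest."""
    if len(raw) > MAX_BODY_BYTES:                 # SIM-8: size check before parsing
        raise RejectedRequest("payload exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise RejectedRequest("body is not well-formed UTF-8 JSON")
    if not isinstance(body, dict):
        raise RejectedRequest("body must be a JSON object")
    # SIM-10: unknown or missing fields are rejected, known ones are allow-listed.
    # fullmatch is used because '$' in a regex still matches before a trailing newline.
    extra, missing = set(body) - EXPECTED, EXPECTED - set(body)
    if extra or missing:
        raise RejectedRequest("unexpected %s, missing %s" % (sorted(extra), sorted(missing)))
    for field in ("from_account", "to_account"):
        if not isinstance(body[field], str) or not ACCOUNT_RE.fullmatch(body[field]):
            raise RejectedRequest("%s is not a valid account number" % field)
    try:
        amount = Decimal(body["amount"]) if isinstance(body["amount"], str) else None
    except InvalidOperation:
        amount = None
    # is_finite() screens NaN/Infinity before any comparison; the ceiling test runs
    # before quantize() so a huge exponent cannot overflow the Decimal context.
    if (amount is None or not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT
            or amount != amount.quantize(Decimal("0.01"))):
        raise RejectedRequest("amount must be positive, in whole cents, at most %s" % MAX_AMOUNT)
    if not isinstance(body["memo"], str) or not MEMO_RE.fullmatch(body["memo"]):
        raise RejectedRequest("memo contains characters outside the allow-list")
    return {"from_account": body["from_account"], "to_account": body["to_account"],
            "amount": amount, "memo": body["memo"]}

def screen(raw: bytes) -> str:
    """Log-friendly wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_transfer(raw)
        return "accepted"
    except RejectedRequest as exc:
        return "rejected: " + str(exc)
```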
Security Concern | ID | Vulnerabilities / Threats | Solution (Best Practice, Standards, Product)

Security Concern: Application Code Security

CS-1
Vulnerability / Threat: Infected Application: the application code or resources could be corrupted.
Best Practice: While starting the application, do additional checks to identify any infection: 1. the size of the resources, 2. the checksum of the resources.

CS-2
Vulnerability / Threat: Application Modification: the application code could be decompiled and modified to exploit any security hole.
Best Practice: Never store sensitive information in client code; do thorough server-side validation of user inputs; handle authorization properly.

MAS-1
Vulnerability / Threat: Masquerading as an Authorized Agent: an unauthorized agent claims the identity of an authorized agent to gain access to services and resources on the platform to which it is not entitled.
Best Practice: Each agent visiting a platform must be subject to the platform's security policy. Applying the proper access control mechanisms requires the platform or agent to authenticate a mobile agent's identity before it is instantiated on the platform. This is a case for a strong, secure platform for agents.

MAS-2
Vulnerability / Threat: Denial of Service: mobile agents can launch denial of service attacks by consuming an excessive amount of
Best Practice: Again, each agent visiting a platform must be subject to the platform's security policy. A robust security policy will prevent such DoS attacks.

MAS-3
Vulnerability / Threat: Masquerading - duping another agent: an agent may attempt to disguise its identity in an effort to deceive the agent with which it is communicating. For example, an agent may pose as a well-known vendor of goods and services and try to convince another, unsuspecting agent to provide it with credit card numbers, bank account information, some form of digital cash, or other private information.
Best Practice: The security policy surrounding sensitive information available to an agent should be strong enough to prevent such duping. Adding external trusted agents to an agent's security policy must be done with all identifying data. Even trusted agents must be subject to authentication.

MAS-4
Vulnerability / Threat: Repudiation: repudiation occurs when an agent participating in a transaction or communication later claims that the transaction or communication never took place. Whether the cause is deliberate or accidental, repudiation can lead to serious disputes that may not be easily resolved.
Best Practice: An agent platform cannot prevent an agent from repudiating a transaction, but platforms can ensure the availability of sufficiently strong evidence to support the resolution of disagreements. This deters rogue agents from repudiating properly conducted transactions.

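The CS-1 start-up check (resource size first, then checksum) as an added example that is not the article's code; the manifest layout, the resource name and its sample contents are constructed assumptions. The demo also shows why the size check alone is not enough: a same-length edit is only caught by the checksum.

```python
"""CS-1 start-up integrity check: compare the size and SHA-256 of every bundled
resource with a manifest produced at build time. Added example, not the
article's code; the manifest layout and the sample resource are assumed."""
import hashlib
import os
import tempfile

def build_manifest(root: str) -> dict:
    """Build-time step: record size and SHA-256 for each file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            manifest[rel] = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return manifest

def verify_resources(root: str, manifest: dict) -> list:
    """Start-up step: return a list of problems; an empty list means the bundle is
    intact. The cheap size check runs first, the checksum catches same-size edits,
    and files absent from the manifest are flagged. The manifest itself must live
    where the resources cannot alter it, e.g. embedded in the signed code."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
        elif os.path.getsize(path) != expected["size"]:
            problems.append("size mismatch: " + rel)
        else:
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            if digest != expected["sha256"]:
                problems.append("checksum mismatch: " + rel)
    for rel in build_manifest(root):
        if rel not in manifest:
            problems.append("unexpected file: " + rel)
    return problems

def demo() -> tuple:
    """Constructed scenario: an intact bundle, then a same-length edit to one file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "strings"))
        path = os.path.join(root, "strings", "en.json")   # constructed resource
        with open(path, "wb") as f:
            f.write(b'{"login": "Sign in"}')
        manifest = build_manifest(root)
        intact = verify_resources(root, manifest)
        with open(path, "wb") as f:
            f.write(b'{"login": "Sign on"}')              # same size, different bytes
        return intact, verify_resources(root, manifest)
```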