<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Mobile Manifesto &#187; Mobile Security</title>
	<atom:link href="http://blog.MobileStrategyPartners.com/category/mobile-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.MobileStrategyPartners.com</link>
	<description>Strategic insight into mobile commerce</description>
	<lastBuildDate>Tue, 13 Sep 2011 14:53:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>FinovateEurope 2011</title>
		<link>http://blog.MobileStrategyPartners.com/2011/02/07/finovateeurope-2011/</link>
		<comments>http://blog.MobileStrategyPartners.com/2011/02/07/finovateeurope-2011/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 13:51:58 +0000</pubDate>
		<dc:creator>George Kelley</dc:creator>
				<category><![CDATA[mobile banking]]></category>
		<category><![CDATA[mobile commerce]]></category>
		<category><![CDATA[mobile insurance]]></category>
		<category><![CDATA[Mobile Payments]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Finantix]]></category>
		<category><![CDATA[FinovateEurope 2011]]></category>

		<guid isPermaLink="false">http://blog.MobileStrategyPartners.com/?p=1231</guid>
		<description><![CDATA[I recently attended my first Finovate conference, which also happened to be their first in Europe.  The venue was the Business Design Centre in the Islington section of London.  It’s a great format – 35 different vendors, each with a 7 minute demonstration, and some networking slots mixed in.  It covered a lot of ground [...]]]></description>
			<content:encoded><![CDATA[
<p>I recently attended my first Finovate conference, which also happened to be their first in Europe.  The venue was the Business Design Centre in the Islington section of London.  It’s a great format – 35 different vendors, each with a 7 minute demonstration, and some networking slots mixed in.  It covered a lot of ground in a short period of time, while still affording one the luxury of walking away with some salient points still in mind.  That’s about the right amount of time, at least for those of us in the US, as we’re conditioned to a commercial break every 6-8 minutes.</p>
<p>It appears as though 2011 is the year of the online PFM in Europe as there were 6 PFM providers.  The next major topic was social network oriented services such as LiqPay’s Facebook payment solution, Fidor Bank’s “Bank 2.0,” and a number of investment related applications from eToro, Hopee (BNP Paribas), StockTwits and Uniience, some of which are mobile enabled.  It’s certainly worth taking a look at some of these or ones like them if you’re contemplating a refresh of your online presence.</p>
<p>This being the Mobile Manifesto, however, my primary interest was looking at the mobile solutions, of which there were a few.  Even some of the aforementioned products included mobile access/support as that increasingly becomes a baseline channel for any customer facing product, and more than ever, employee facing as well.</p>
<p>The product that caught my attention the most, even before I got there from the obligatory, pre-conference vendor solicitations, was an iPad based Financial Advisor tool from Finantix.  Granted, products tend to show well on the iPad, but this one particularly resonated with me because of recent client inquiries.  It was also one of four participants to be voted Best in Show.  The Finantix product really allows an Advisor to interact not only with the application, but their client as well.  Imagine sitting down with your Financial Advisor, having an interactive discussion, passing the tablet back and forth as you walk through an assessment.  The FA can prepackage content to include video presentations to share with their client in a face-to-face meeting, and even let them manipulate criteria to see what the long term effects would be of certain decisions.  It has the potential to make the whole process much more personal and engaging.</p>
<p>Other mobile oriented companies who showed included:</p>
<ul>
<li>Tagit, a “Configure Once, Run Many” mobile platform provider demonstrated their mobile banking solution</li>
<li>IND Group with their online and mobile banking solutions</li>
<li>eWise (Secure Vault Payments) demonstrated their mobile and online payments capability</li>
<li>mPower with their mobile POS solution</li>
<li>VoiceCommerce with their KYC Secure and VoicePay offerings, using voice biometrics</li>
<li>SolidPass showed their token based authentication solution using a mobile device in lieu of a key fob.</li>
</ul>
<p>In any event, I look forward to seeing more creativity and ingenuity at FinovateSpring 2011!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.MobileStrategyPartners.com/2011/02/07/finovateeurope-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Latest Jailbreak Shows it’s Time to Secure Mobile Commerce</title>
		<link>http://blog.MobileStrategyPartners.com/2010/08/11/latest-jailbreak-shows-it%e2%80%99s-time-to-secure-mobile-commerce/</link>
		<comments>http://blog.MobileStrategyPartners.com/2010/08/11/latest-jailbreak-shows-it%e2%80%99s-time-to-secure-mobile-commerce/#comments</comments>
		<pubDate>Wed, 11 Aug 2010 11:31:45 +0000</pubDate>
		<dc:creator>David Eads</dc:creator>
				<category><![CDATA[mobile commerce]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[jailbreaking]]></category>

		<guid isPermaLink="false">http://blog.MobileStrategyPartners.com/?p=989</guid>
		<description><![CDATA[Mobile Commerce should get used to security breaches.  They’re a sign of mobile going mainstream. The mobile ecosystem needs to develop security strategies like the computing industry did in response to viruses and phishing.]]></description>
			<content:encoded><![CDATA[
<p><em>[The following article is <a title="Mobile Security" href="http://bit.ly/b9S8aW" target="_blank">running on Mobile Commerce Daily today</a> 10/11/2010.]</em></p>
<p>Mobile Commerce should get used to security breaches.  They’re a sign of mobile going mainstream. The mobile ecosystem needs to develop security strategies like the computing industry did in response to viruses and phishing.</p>
<p>Recently the U.S. Federal Government declared phone jailbreaking legal. Jailbreaking is the process for unlocking phones, like the iPhone, to do things Apple and the carriers restrict, such as changing to a different carrier or turning an iPhone into a WiFi hotspot.</p>
<p>While jailbreaking unlocks exciting additional functionality, it also increases the risk of a malicious attack. iPhone jailbreaking has become so mature that it now only requires the swipe of a finger after browsing to a particular website (<a href="http://www.jailbreakme.com/">http://www.jailbreakme.com</a>).</p>
<p>Fortunately the iPhone Dev Team, the de facto jailbreak providers, seem to be using their skills for Good rather than Evil. However, the simplicity of the current process exposes an extremely dangerous vulnerability in the iPhone and, by extension, mobile commerce.</p>
<p>Mobile is growing rapidly. My firm, Mobile Strategy Partners LLC, has seen mobile banking adoption across the industry grow 20% per quarter over the last year. However, improving consumer perception of mobile security will drive future adoption.</p>
<p>“Respondents consistently cite security concerns a key reason for not choosing to use mobile technology,” says Tom Wills of Javelin Strategy &amp; Research. “Studies over the last two years have held steady at about 42% to 43% citing security concerns as reasons for not using mobile.”</p>
<p>The latest jailbreak process opens up the possibility that bad guys could jailbreak and infect victims’ phones by simply visiting a web site. Once infected, the bad guys could potentially have ongoing access to confidential information on the phone, including how to access financial accounts.</p>
<p>Highly publicized damage from such an attack could stall mobile adoption across the industry in addition to inflicting significant financial losses.</p>
<p>Viruses, phishing attacks, and fraud in general, arose as computers and the Internet went mainstream. Now that mobile phones increasingly have our attention, fraudsters see the same economics as mobile marketers, and have turned their attention to mobile devices.</p>
<p>Like many readers here, my livelihood depends upon the success of mobile commerce. My firm works exclusively with mobile technology to help companies like banks, retailers, and insurance companies develop and execute their mobile strategy – especially as it relates to their customer facing mobile strategy.</p>
<p>I have a vested interest in the continued success of mobile commerce. Therefore, I also have a vested interest in mobile security.</p>
<p>The entire mobile community has a responsibility to educate customers on safe practices and keep mobile security one step ahead of the bad guys. Attacks will evolve continuously. Companies will face difficult challenges to protect themselves and customers. Security best practices developed from ecommerce experiences must be adapted for mobile, and organizations must stay vigilant for emerging threats unique to mobile.</p>
<p>Platform developers like Apple, Google, and the carriers, also have responsibilities to stay on top of the latest exploits and provide a malware protection framework for mobile commerce.</p>
<p>With the current system, application providers can’t protect themselves because platforms like the iPhone lack – and in some cases actively restrict – methods to detect and fix malware infections.</p>
<p>For example, there is no way to run virus protection on an unjailbroken iPhone, but the very risk to users is that a hacker could trigger the jailbreak at seemingly any time. Users need the ability to determine whether their phone has been compromised.</p>
<p>Similarly, the Google Android application developer identity verification lacks the strength of the Apple App process. Android needs a strong trusted identity authorization and validation system to make it more difficult for criminals to masquerade as legitimate businesses – and malware to masquerade as legitimate applications.</p>
<p>Strong security will ensure mobile thrives. As mobile commerce goes mainstream it becomes simply commerce. It’s already unthinkable to abandon using applications with sensitive information on our phones. We can’t go back to not using mobile banking, mobile shopping, or even viewing confidential email on our phones.</p>
<p>Mobile commerce must be secured.  Mobile platform vendors need to help companies protect themselves and their common customer.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.MobileStrategyPartners.com/2010/08/11/latest-jailbreak-shows-it%e2%80%99s-time-to-secure-mobile-commerce/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Jailbreak Simplicity Threatens Mobile Banking</title>
		<link>http://blog.MobileStrategyPartners.com/2010/08/05/jailbreak-simplicity-threatens-mobile-banking/</link>
		<comments>http://blog.MobileStrategyPartners.com/2010/08/05/jailbreak-simplicity-threatens-mobile-banking/#comments</comments>
		<pubDate>Fri, 06 Aug 2010 03:56:33 +0000</pubDate>
		<dc:creator>John Britton</dc:creator>
				<category><![CDATA[mobile banking]]></category>
		<category><![CDATA[mobile commerce]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[jailbreaking]]></category>
		<category><![CDATA[Unofficial iPhone Dev Team]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://blog.MobileStrategyPartners.com/?p=964</guid>
		<description><![CDATA[Previously, users wanting to jailbreak their phone would have to download a file, jump through some hoops and 30-40 minutes later their phone would be free. Unfortunately, after the jailbreak, all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.

The old process worked by bypassing Apple's signing process. It was not something my mom would have ever attempted to try on her own. The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. The only solution is for Apple to provide some sort of virus protection framework and to help train users to protect themselves as we've done with phishing on the Internet.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://blog.MobileStrategyPartners.com/wp-content/uploads/2010/08/jailbreak.jpg"><img class="alignleft size-full wp-image-967" style="margin: 10px;" title="jailbreak" src="http://blog.MobileStrategyPartners.com/wp-content/uploads/2010/08/jailbreak.jpg" alt="iPhone jailbreak" width="300" height="281" /></a><em>[Editor's Note: The following is a guest blog by John Britton an engineer at Good Technology and formerly at mFoundry. The following is John's personal commentary and does not represent the opinion of any organization or individual]</em></p>
<p>Last week the U.S. Federal government blessed mobile phone jailbreaking as legal &#8212; that is, unlocking a phone without carrier and/or manufacturer approval.  Everyone that has ever jailbroken their iPhone said &#8220;Thank you.&#8221;</p>
<p>Earlier this week the Unofficial iPhone Dev Team, the de facto iPhone jailbreak providers, released a new method for jailbreaking iPhones. The simplicity of their last jailbreak set off proverbial alarms across the mobile security and risk management community.</p>
<p>Previous jailbreak methods were cumbersome and idiosyncratic. Previously, users wanting to jailbreak their phone would have to download a file, jump through some hoops and 30-40 minutes later their phone would be free. Unfortunately, after the jailbreak, all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.</p>
<p>The old process worked by bypassing Apple&#8217;s signing process. It was not something my mom would have ever attempted to try on her own.</p>
<p>The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. (If you want to see it, the site is: <a title="Jailbreak iPhone mobile site" href="http://www.jailbreakme.com" target="_blank">http://www.jailbreakme.com</a>)</p>
<p>The whole process takes about 3 minutes and leaves all of your applications in place. It is a no fuss no muss approach and something my mom could do to be one of the cool kids.</p>
<p>To the credit of the jailbreak team they also included a patch to warn jailbreakers that encounter this exploit in the future.</p>
<p>Apple has currently released a rather vague statement about the approach:</p>
<p><em>&#8220;We&#8217;re aware of this reported issue, we have already developed a fix and  it will be available to customers in an upcoming software update.&#8221;</em></p>
<p>The exploit is huge. It is only a matter of time before someone with sinister motives decides to exploit the issue for their own gain.  These bad guys could simply trick iPhone users into navigating to their site, or attach a file to an email that, once opened, quietly jailbreaks their phone.</p>
<p>Once the process is complete the phone would look and feel just like nothing happened at all. Except now, maybe the iPhone secretly has key logger software installed that steals usernames and passwords from mobile banking. Or maybe the hacker can hijack a browser session to go where they want it to go and not where users expect to go. Usernames, passwords, financial information including balances and name of banks can all be siphoned off to someone who wants to take money. The bad guy could even look at your anti-phishing site keys.</p>
<p>I hate to state the obvious but this is really, really bad.</p>
<p>Banks and software vendors can do little in their applications to prevent these types of attacks, but they are left to foot the bill for the attack. The bad guy would look and act just like the authentic user.</p>
<p>This problem isn&#8217;t just with native iPhone applications.  It also affects browser-based banking on the iPhone. The really advanced bad guy will also find ways to manipulate some of the more advanced SMS based banking.</p>
<p>I have now stopped mobile banking from my iPhone.</p>
<p>Bankers and consumers need to let Apple know that mobile banking and mobile payments need secure platforms. <a title="Apple Mobile Payments NFC patent" href="http://www.nearfieldcommunicationsworld.com/2010/04/08/33341/apple-to-build-mobile-payments-business-around-itunes-credits/" target="_blank">Apple wants to take advantage of mobile payments</a> on their devices. They want to provide the next generation tools for all of us. Apple needs to provide strong protection for the sensitive data passing through iPhones around the world.</p>
<p>Without Apple-provided protection, the only recourse would be to remove their iPhone apps from the App Store and demand that Apple use the kill switch to remotely remove mobile bank apps from end user iPhones. Banks would also need to block all iPhone based browser traffic.</p>
<p>Of course, this is impossible. Mobile banking has already gone mainstream. Mobile commerce has as well. Furthermore iPhones are used by key executives with sensitive information throughout the world&#8217;s businesses.</p>
<p>The only true fix to this problem must come from Apple.  They need to patch the exploit quickly.  Apple needs to work with the banks and the security industry to vigilantly protect and continue to grow the opportunities that are in front of us all.</p>
<p>David Eads mentioned previously on this blog that code reviews for mobile applications should be standard fare.  Financial institutions must be vigilant in teaching their customers and members about staying current with software updates.  A couple of steps that you can take to protect yourself and your customers is to encourage your customers to upgrade to the latest iPhone OS when Apple releases it.  You can also modify your terms of service to require that fraud protection is only valid if their mobile banking devices have the latest versions of the vendor&#8217;s operating systems and are using it in accordance with the hardware and carrier provisions.</p>
<p>Send David questions about this and I will be back next week to answer your questions on mobile security.</p>
<p>Written from my newly jailbroken iPhone 3GS with mobile banking applications uninstalled.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.MobileStrategyPartners.com/2010/08/05/jailbreak-simplicity-threatens-mobile-banking/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Citi proves it&#8217;s time for mobile code reviews</title>
		<link>http://blog.MobileStrategyPartners.com/2010/07/27/citi-proves-its-time-for-mobile-code-reviews/</link>
		<comments>http://blog.MobileStrategyPartners.com/2010/07/27/citi-proves-its-time-for-mobile-code-reviews/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 15:57:38 +0000</pubDate>
		<dc:creator>David Eads</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[citi]]></category>
		<category><![CDATA[code review]]></category>
		<category><![CDATA[mfoundry]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security flaw]]></category>

		<guid isPermaLink="false">http://blog.MobileStrategyPartners.com/?p=891</guid>
		<description><![CDATA[The recent Citibank mobile banking security flaw is further evidence that organizations must do more thorough security due diligence. Big banks should do line by line code reviews of every release of software from small vendors that will handle customer data. Smaller institutions not wanting to go to this expense, should demand that vendors provide references at larger institutions that have done such a review.]]></description>
			<content:encoded><![CDATA[
<div id="attachment_894" class="wp-caption alignleft" style="width: 208px"><a href="http://blog.MobileStrategyPartners.com/wp-content/uploads/2010/07/citi-iphone.jpg"><img class="size-medium wp-image-894" title="citi-iphone" src="http://blog.MobileStrategyPartners.com/wp-content/uploads/2010/07/citi-iphone-198x300.jpg" alt="citibank iPhone application from mFoundry" width="198" height="300" /></a><p class="wp-caption-text">Banks must do better code reviews</p></div>
<p>The recent <a title="Citibank mobile banking security breach" href="http://bit.ly/aWKQRL" target="_blank">Citibank mobile banking security flaw </a>is further evidence that organizations must do more thorough security due diligence.</p>
<p>Code level security reviews apparently discovered and fixed the Citi  flaw. The lack of thoroughness in these reviews is what allowed the flaw to get into customer hands in the first place.</p>
<p>I&#8217;ve been through many dozens of security reviews with banks and other organizations throughout my career. Unfortunately, I&#8217;ve generally seen less due diligence in mobile banking than with more mature and less risky analytics products.</p>
<p>I used to work at mFoundry, the company that provided mobile banking software to Citi. How the flaw got into the code is unclear. I also used to work for analytics &amp; customer experience management provider Tealeaf Technology.</p>
<p>In my experience, the security reviews at banks for Tealeaf were much more detailed than reviews of mobile banking software from any number of vendors. (I am not speaking about mFoundry in particular, but the industry as a whole).</p>
<p>Tealeaf is a more mature technology than any mobile solution and by its technical nature presents far less risk. Mobile banking does get security reviews at banks, but they don&#8217;t seem to be at the same level.</p>
<p>For example, I have always tried to understand how banks approved one widely used mobile banking software vendor to manage a separate mobile PIN that allows access to data at multiple institutions and stores the data outside a financial institution. Meanwhile the very same security staff take years to approve management software like Tealeaf to operate within a secure area of their institution for select employee usage.</p>
<p>One explanation would be that schedule pressure to get mobile banking in place is overriding the needs of the security team. Projects that come into institutions with less of an executive mandate and tight deadlines for product announcement give security teams more ability to say &#8220;Stop&#8221;.</p>
<p>Many mobile banking vendors are small companies with little banking or financial services experience. In my opinion, big banks should do line by line code reviews of every release of software from small vendors that will handle customer data. Smaller institutions not wanting to go to this expense, should demand that vendors provide references at larger institutions that have done such a review.</p>
<p>To be clear, mobile banking is safe. Institutions are doing due diligence. My point is that security teams seem to be able to push for deeper security reviews on less visible projects. Similar due diligence will make mobile banking even safer.</p>
<p>Bank security teams must be allowed to do thorough security reviews on every product that interacts with customer data.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.MobileStrategyPartners.com/2010/07/27/citi-proves-its-time-for-mobile-code-reviews/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Security: Smartphones, 3G Hackable</title>
		<link>http://blog.MobileStrategyPartners.com/2010/01/18/mobile-security-smartphones-3g-hackable/</link>
		<comments>http://blog.MobileStrategyPartners.com/2010/01/18/mobile-security-smartphones-3g-hackable/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 14:44:34 +0000</pubDate>
		<dc:creator>David Eads</dc:creator>
				<category><![CDATA[mobile commerce]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[3G]]></category>
		<category><![CDATA[algorithm]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Fierce Wireless]]></category>
		<category><![CDATA[Mobile Hack]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Swapi.B]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://blog.MobileStrategyPartners.com/?p=640</guid>
		<description><![CDATA[Today Fierce Wireless has two separate reports of mobile vulnerabilities. The attention of hackers is a very strong indicator of the importance of mobile technology. As a (mostly) glass half full person, despite the lurking danger, I see it as a bullish indicator for the industry.]]></description>
			<content:encoded><![CDATA[
<div class="wp-caption alignleft" style="width: 347px"><img title="Mobile Hackers target Smartphones" src="http://images1.pocket-lint.com/images/rKha/gsm-algorithm-cracked-german-hacker-0.jpg" alt="Mobile Hackers target Smartphones" width="337" height="337" /><p class="wp-caption-text">Mobile Hackers target Smartphones</p></div>
<p>Today Fierce Wireless has two separate reports of mobile vulnerabilities. The attention of hackers is a very strong indicator of the importance of mobile technology. As a (mostly) glass half full person, despite the lurking danger, I see it as a bullish indicator for the industry.</p>
<p>Specifically, <a title="3G Mobile Security Hack" href="http://bit.ly/5TmjIs" target="_blank">security experts warn</a> that the key 3G encryption technology used by most phones and operators is vulnerable to hackers. Experts say the 3G encryption algorithm could be broken in as little as <strong>two hours</strong>.</p>
<p>What does this mean for mobile commerce and mobile banking? Nothing yet, in my opinion. Any reputable mobile commerce system uses SSL encryption for the traffic between the application and the mobile commerce server. The 3G encryption is around this SSL encryption tunnel. Therefore if someone were to crack the 3G encryption, they&#8217;d be stuck with a standard, Internet grade SSL encryption that so far has resisted attacks.</p>
<p>Of course there could be future risks where the vulnerability allows something malicious on the phone that tricks users into doing something dangerous that they think is secure.</p>
<p>The <a title="Smartphone mobile hacks" href="http://bit.ly/7JoQpz" target="_blank">second security alert </a>involves hackers breaking into smartphones to do old-fashioned phone phreaking exploits like using a trojan to dial expensive 900 numbers they&#8217;re in control of. As with traditional exploits, trojans such as Swapi.B get installed from porn sites or applications posing as helper apps.</p>
<p>The arms race has begun.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.MobileStrategyPartners.com/2010/01/18/mobile-security-smartphones-3g-hackable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

