A recent Javelin Strategy and Research study of over 5,000 respondents in the US found mobile banking usage down. The study has caused a lot of head scratching in the industry — myself included.  The report compares this year’s survey to similar surveys in 2009, 2008, and 2007.

Consumers switching for mobile banking reasons doubled and is as important as ATM locations in switching banks

The study also uncovers a number of other intriguing facts that have been less widely reported and which I think are more important to bankers and the mobile commerce industry as a whole. In particular the study finds security increasingly important to adoption and that consumers are switching banks for mobile banking.

Security was cited by 52% of non-mobile bankers as a reason for not using mobile banking. This is up significantly after holding steady around 42%-43% in previous years.

Let’s address the controversial topic first. Javelin found mobile banking usage down (not adoption, as has been reported, but usage in the last 30 days). Javelin has found mobile banking usage rapidly growing from 7% in 2007 to 15% in 2009. In 2010 they found usage down slightly to 14%.

So, what’s going on? Is the mobile banking fad over?

I immediately called Javelin to discuss. I’m seeing mobile banking adoption increasing at banks across the U.S. and Canada. Most banks are tracking their success on how many users enroll for mobile banking services. The Javelin study asks users when they last used mobile banking. The tallied result is the number of respondents that have used mobile banking within the last month. So, users are signing up, but they’re logging in less.

So one explanation may be that users are simply looking at their accounts less. I have seen speculation in that past that the recession would cause people to watch their money more closely. Perhaps the opposite is occurring. Lean bank accounts are painful to look at, so people are avoiding looking unless they must.

Another explanation is that this is a pause in the usage curve, in a technical pattern similar to stock increases. Stock prices tend to rise, then pull back up to 30% then rise again. A drop of over 30% or so would indicate a more bearish shift. A one percentage point decline in usage is only a slight decline, although it surely is a surprising lack of growth. There’s naturally a spike in usage when a service is new, then a pullback as the novelty wears off.

The full impact of the recession may also explain the pullback. Javelin found an overall reduction in mobile phone usage (74% down from 85% in previous years). The financial crisis caused many mobile plans to be put on hold in 2009 which in turn is affecting adoption of the products that would have been rolled out in 2010. Very few mobile banking projects were under active development in late 2009, and activity picked up significantly in early 2010. Those efforts are coming onto the market right now.

It also could be that users tried mobile banking then stopped using it.

Some users undoubtedly tried mobile banking and quit. But, I don’t think mobile banking is a fad whose time has passed. Javelin also found that mobile banking is as much of a factor in consumers switch banks as the convenience of ATM locations (7%). If consumers didn’t like mobile banking, they wouldn’t be switching banks for it.

I think users are abandoning mobile banking at banks with bad mobile banking offerings and they’re going to banks with good mobile banking offerings as soon as they get the chance.

I think users are abandoning mobile banking at banks with bad mobile banking offerings and they’re going to banks with good mobile banking offerings as soon as they get the chance.

That’s a big deal. Banks spend many millions to expand and maintain their ATM network. In comparison, mobile banking can move the needle in every market with far less expense.

Banks with no mobile banking implementation at all should pay attention. Mobile banking is clearly table stakes because consumers will endure the pain of switching banks to get a good mobile banking offering. So it’s not enough to “check the box” and provide a bare bones mobile offering. Customers are leaving banks without mobile banking and they’re leaving banks with poor mobile banking.

Retailers and the broader mobile commerce market should heed this example as well. Shoppers will buy from someone else if their mobile presence is better.

Stephen Janisse at The Software Advice Blog has done some interesting analysis speculating what company Oracle will acquire next. He also polled readers on the topic.

I don’t claim to know the answer. But I do think RIM is an interesting target that Oracle should consider. (Note: I own Oracle shares and recently divested positions in RIM). The unscientific poll points to a more traditional acquisition.

Oracle should consider a mobile acquisition and RIM in particular because of its combination of depressed share price and large global install base.

SAP recently jumped into the mobile market with their Sybase acquisition. The Sybase acquisition is also all but certain to end SAP use of Oracle databases in their customer deployments.

Oracle now owns the Sun Microsystems hardware business and the rights to Java. As many of you know Oracle recently sued Google over Java use in Android devices. RIM is flailing and it appears the Blackberry Torch will not be the blockbuster product to save the company.

Regardless of what Oracle does, RIM is in trouble.

RIM’s strength is in their enterprise install base and their ability to provide secure enterprise mobility solutions. Oracle needs a mobility component. RIM provides mobility and an install base of worldwide licenses that will need renewing. Furthermore Oracle with RIM would be competitive in the emerging iPad-clone tablet market.

Tablets provide a variety of enterprise opportunities for vertical markets. Oracle with Java, Sun & RIM are experts in this space which Apple has shown consistent weakness in supporting (think of the early iPhone issues in connecting to Microsoft Exchange servers).

Regardless of what Oracle does, RIM is in trouble. RIM needs to make major changes and is a takeover target. This affects all of us trying to make decisions about the mobile world because the huge Blackberry install base with innovative new features (and a new OS in particular) could rapidly affect mobile commerce.

Meanwhile RIM appears lost and I’ve sold my shares for a significant loss at a price unimaginable just a few years ago.

At eTail in Baltimore today, Abhi Dhar, CTO Walgreens provoked the crowd saying, “Consumers have changed because of mobile. Deal with it.”

This statement sums up what we’ve heard here at eTail this week and what retailers report their customers doing.

While not all retailers offer robust mobile offerings — or even any mobile commerce offering at all — mobile (and social media) are affecting consumer decisions. Customers read reviews and compare prices on social media sites, often while standing in the retail store.

Retailer after retailer asked the question, “Should I do mobile web or native apps?” It was deja vu all over again. It’s the same debate mobile bankers had early last year. Abhi Dahl said “BOTH are very important.” I agree.

In mobile banking, we’ve found that banks must offer all three technologies: Mobile web, SMS, and native applications. Many retailers are still resisting hoping to avoid the fragmentation bankers have resigned themselves to.

David Siegel of 1-800-FLOWERS said, “Don’t try to change customer behavior, market to where they are.”

Customers look for brands using their mobile browser. Retailers should have a mobile site. Customers look for brands in their phone’s app store. Brands should have an app.

Companies resisting building a strategy addressing channel fragmentation are just wasting time and ceding market share to their competitors. Many retailers, including 1-800-FLOWERS said that mobile web accounted for over half their mobile sales. The many mobile web proponents I spoke with seemed to consider this evidence that mobile web is the “right” way to do mobile.

My opinion on this stat is that companies only offering mobile web are potentially missing out on 50% of mobile sales. Maybe these users would buy on mobile web if the native app weren’t available. Maybe. Remember, Apple had to create the App Store in response to overwhelming jailbreaking of the iPhone because Apple insisted mobile web was all we needed.

What do we leave to “maybe” in ecommerce?

In ecommerce, we spend millions in site redesigns because we think it’s affecting conversion by a few percentage points. Mobile is a disruptive, market changing force that is likely to become as big or bigger revenue channel than ecommerce. Turning away 50% of revenue anywhere else gets you fired.

Mobile is not yet a major revenue channel. Retailers rarely share conversion rates, but the consensus guidance seems to be in the low single digits (3-5% seems right). Colin Sebastian from Lazard Capital Markets estimated 2010 U.S. mobile commerce sales would be at $2.5 billion, with eBay and Amazon representing 60% of that total (Sabastian said they represent 25% of the ecommerce market).

Mobile commerce revenue now isn’t tremendous. But, each loyal user now represents hundreds, thousands, or even more users in the future. Choosing not to serve your customers in a particular channel all but drives them to the competition. Now is the time for organizations to learn how best to serve their customers in the mobile channel.

As Jeff Dennes of USAA said, “If you don’t have enough [mobile] budget, get a bigger budget.”

Now is the time for companies to aggressively commit to mobile and emerge the market leader.

Customers are making decisions using their mobile phone. It’s up to retailers to decide to serve their customers.

[The following article is running on Mobile Commerce Daily today 10/11/2010.]

Mobile Commerce should get used to security breaches.  They’re a sign of mobile going mainstream. The mobile ecosystem needs to develop security strategies like the computing industry did in response to viruses and phishing.

Recently the U.S. Federal Government declared phone jailbreaking legal. Jailbreaking is the process for unlocking phones, like the iPhone, to do things Apple and the carriers restrict, such as changing to a different carrier or turning an iPhone into a WiFi hotspot.

While jailbreaking unlocks exciting additional functionality, it also increases the risk of a malicious attack. iPhone jailbreaking has become so mature that it now only requires the swipe of a finger after browsing to a particular website (http://www.jailbreakme.com).

Fortunately the iPhone Dev Team, the de facto jailbreak providers, seem to be using their skills for Good rather than Evil. However, the simplicity of the current process exposes an extremely dangerous vulnerability in the iPhone and, by extension, mobile commerce.

Mobile is growing rapidly. My firm, Mobile Strategy Partners LLC, has seen mobile banking adoption across the industry grow 20% per quarter over the last year. However, improving consumer perception of mobile security will drive future adoption.

“Respondents consistently cite security concerns a key reason for not choosing to use mobile technology,” says Tom Wills of Javelin Strategy & Research. “Studies over the last two years have held steady at about 42% to 43% citing security concerns as reasons for not using mobile.”

The latest jailbreak process opens up the possibility that bad guys could jailbreak and infect victims’ phones by simply visiting a web site. Once infected, the bad guys could potentially have ongoing access to confidential information on the phone, including how to access financial accounts.

Highly publicized damage from such an attack could stall mobile adoption across the industry in addition to inflicting significant financial losses.

Viruses, phishing attacks, and fraud in general, arose as computers and the Internet went mainstream. Now that mobile phones increasingly have our attention, fraudsters see the same economics as mobile marketers, and have turned their attention to mobile devices.

Like many readers here, my livelihood depends upon the success of mobile commerce. My firm works exclusively with mobile technology to help companies like banks, retailers, and insurance companies develop and execute their mobile strategy – especially as it relates to their customer facing mobile strategy.

I have a vested interest in the continued success of mobile commerce. Therefore, I also have a vested interest in mobile security.

The entire mobile community has a responsibility to educate customers on safe practices and keep mobile security one step ahead of the bad guys. Attacks will evolve continuously. Companies will face difficult challenges to protect themselves and customers. Security best practices developed from ecommerce experiences must be adapted for mobile, and organizations must stay vigilant for emerging threats unique to mobile.

Platform developers like Apple, Google, and the carriers, also have responsibilities to stay on top of the latest exploits and provide a malware protection framework for mobile commerce.

With the current system, application providers can’t protect themselves because platforms like the iPhone lack – and in some cases actively restrict – methods to detect and fix malware infections.

For example, there is no way to run virus protection on an unjailbroken iPhone, but the very risk to users is that a hacker could trigger the jailbreak at seemingly any time. Users need the ability to determine whether their phone has been compromised.

Similarly, the Google Android application developer identity verification lacks the strength of the Apple App process. Android needs a strong trusted identity authorization and validation system to make it more difficult for criminals to masquerade as legitimate businesses – and malware to masquerade as legitimate applications.

Strong security will ensure mobile thrives. As mobile commerce goes mainstream it becomes simply commerce. It’s already unthinkable to abandon using applications with sensitive information on our phones. We can’t go back to not using mobile banking, mobile shopping, or even viewing confidential email on our phones.

Mobile commerce must be secured.  Mobile platform vendors need to help companies protect themselves and their common customer.

[Editor's Note: The following is a guest blog by John Britton an engineer at Good Technology and formerly at mFoundry. The following is John's personal commentary and does not represent the opinion of any organization or individual]

Last week the U.S. Federal government blessed mobile phone jailbreaking as legal — that is, unlocking a phone without carrier and/or manufacturer approval.  Everyone that has ever jailbroke their iPhone said “Thank you.”

Earlier this week the Unofficial iPhone Dev Team, the de facto iPhone jailbreak providers, released a new method for jailbreaking iPhones. The simplicity of their last jailbreak set off proverbial alarms across the mobile security and risk management community.

Previous jailbreak methods were cumbersome and idiosyncratic. Previously, users wanting to jailbreak their phone would have to download a file, jump through some hoops and 30-40 minutes later their Phone would be free. Unfortunately, after the jailbreak, all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.

The old process worked by bypassing Apple’s signing process. It was not something my mom would have ever attempted to try on her own.

The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. (If you want to see it, the site is: http://www.jailbreakme.com)

The whole process takes about 3 minutes and leaves all of your applications in place. It is a no fuss no muss approach and something my mom could do to be one of the cool kids.

To the credit of the jailbreak team they also included a patch to warn jailbreakers that encounter this exploit in the future.

Apple has currently released a rather vague statement about the approach:

“We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.”

The exploit is huge. It is only a matter of time before someone with sinister motives decides to exploit the issue for their own gain.  These bad guys could simply trick iPhone users onto navigating to their site or attaching a file to an email that once opened, quietly jailbreaks their phone.

Once the process is complete the phone would look and feel just like nothing happened at all. Except now, maybe the iPhone secretly has key logger software installed that steals usernames and passwords from mobile banking. Or maybe the hacker can hijack a browser session to go where they want it to go and not where users expect to go. Usernames, passwords, financial information including balances and name of banks can all be siphoned off to someone who wants to take money. The bad guy could even look at your anti-phishing site keys.

I hate to state the obvious but this is really, really bad.

Banks and software vendors can do little in their applications to prevent these types of attacks, but they are left to foot the bill for the attack. The bad guy would look and act just like the authentic user.

This problem isn’t just with native iPhone applications.  It also affects browser-based banking on the iPhone. The really advanced bad guy will also find ways to manipulate some of the more advanced SMS based banking.

I have now stopped mobile banking from my iPhone.

Bankers and consumers need to let Apple know that mobile banking and mobile payments need secure platforms. Apple wants to take advantage of mobile payments on their devices. They want to provide the next generation tools for all of us. Apple needs to provide strong protection for the sensitive data passing through iPhones around the world.

Without Apple-provided protection, the only recourse would be to remove their iPhone apps from the App Store and demand that Apple use the kill switch to remotely remove mobile bank apps from end user iPhones. Banks would also need to block all iPhone based browser traffic.

Of course, this is impossible. Mobile banking has already gone mainstream. Mobile commerce has as well. Furthermore iPhones are used by key executives with sensitive information throughout the world’s businesses.

The only true fix to this problem must come from Apple.  They need to patch the exploit quickly.  Apple needs to work with the banks and the security industry to vigilantly protect and continue to grow the opportunities that are in front of us all.

David Eads mentioned previously on this blog that code reviews for mobile applications should be standard fare.  Financial institutions must be vigilant in teaching their customers and members about staying current with software updates.  A couple of steps that you can take to protect yourself and you customers is to encouraged your customers to upgrade to the latest iPhone OS when Apple releases it.  You can also modify your terms of service to require that fraud protection is only valid if their mobile banking devices have the latest versions of the vendors operating systems and are using it in accordance with the hardware and carrier provisions.

Send David questions about this and I will be back next week to answer your questions on mobile security.

Written from my newly jailbroken iPhone 3GS with mobile banking applications uninstalled.