Sybase Blog – Diarmuid Mallon

Mobile Banking in a multi-channel world
For banks that are either launching or back-filling their product set with SMS banking, what are the implications for what services that can be address in each channel, and what security implications are there?

Whilst the SMS channel utilizes the numerous security features of the carriers (effectively) closed network, there are financial services that require verification of the user’s identity, beyond their MSISDN (phone number), such as payments or transfers.

For simple push services such as balance alerts, verification is performed at registration. With alerts only being send to pre-verified devices. As an extra precaution account names and numbers can be masked or aliased.

It is possible to support transactional and decision based services in the SMS channel. This is typically done by use of an out-of-band PIN request. Typically IVR is used, although WAP-push is an alternative. In our own deployments we also vary the authorisation mechanism by the value of the transaction, so small amounts (<$10) require only the pre-authenticated phone (MSISDN), whilst larger amounts required an IVR call.

For full mobile banking the additional security of either the mobile browser or dedicated mobile application is required. There are alternative solutions such as USSD, but this is no universally available. (USSD for mCommerce will be covered in a future post.)

Clearly there is a compromise between the range of services any one mobile channel can support, and number of customers it can reach today. SMS enables you to reach your entire customer base, but limits you to alerts and simple decisioning services. Mobile browser and application solutions based provide the richest user experience and support more complex services.

What has become clear over the last few years is that it is not an either or situation. But rather a mixed approach will gain the biggest uptake, and so the greatest success.