Involving Consumers in Mobile Security
Asian Institutions Offer Important Lessons
When it comes to mobile security issues, U.S. financial institutions and other organizations could learn some important lessons from banks in Asia's most developed markets, including Singapore, says payments fraud expert Tom Wills. For example, Asian banks are more willing than their U.S. counterparts to involve consumers in security measures, he says.
"I've found that financial institutions here [in Asia] are very willing to embrace security and to get their consumers involved in securing their own financial assets," he says during an interview with Information Security Media Group (transcript below).
In the U.S. and other Western markets, organizations are often reluctant to involve customers in security - for fear of resistance. But Wills sees a different mindset in Singapore and other leading Asian markets.
"I've found that they're willing to experiment and try different ways to see what sticks," he says. "And I think that would be a good take-away for U.S. financial institutions as well ... not to worry about trying new things."
Wills adds: "In more advanced countries in [Asia Pacific], the types of threats that are going on are very similar to what we're seeing in the U.S."
During this interview, Wills discusses:
- The role EMV plays in mobile payments throughout Asia;
- How PCI impacts financial services;
- Mobile application security risks facing every global market.
Wills, who now serves as the director of Ontrack Advisory, a company focused on payments innovation, is an expert in digital trust. For more than three decades, he has worked with companies such as Visa, VeriFone, Intuit, Wells Fargo and Bank of America, as well as multiple startups, to enhance security and compliance. He is a frequent speaker and media commentator on the topics of mobile, identity and security.
Asia's Mobile Market
TRACY KITTEN: Would you say that the mobile market in Asia is much more advanced than in the U.S. because of adoption, or is there more at play here?
TOM WILLS: There's more at play, absolutely. The mobile market in Asia, just like the market itself in Asia, is a complex thing to describe. Let me just break that down for you a little bit. Asia itself, if you just want to talk about Asia Pacific, which would be Southeast Asia as well as East Asia, the Indian subcontinent and Australia and New Zealand - we're talking about 24 different countries. And you have the whole [range] of economic development of those 24 different countries in that region, from Australia and New Zealand, which have a profile that's similar to the United States, to China and India, which together have a third of the world's population and very unique technology and financial services environments, to countries like Singapore and Hong Kong, Korea and Japan, which are, indeed, very advanced technologically when we're talking about payments.
The answer is going to vary depending on the country that we're talking about. When we say we like to talk about how technology has advanced with respect to payments in Asia, really ... we're talking about a few countries. We're talking about Singapore, Hong Kong, Japan and Korea. Why is that? It's because the smart phone penetration in those countries is very, very high compared to other countries in Asia at the opposite extreme. We could be looking at Bangladesh, Laos or Cambodia where smart phone penetration is maybe only about 5 or 6 percent. And the technology environment is different in those two different types of countries.
KITTEN: Would you say there are unique cyber-risks that threaten some of these different markets in Asia that we don't see threatening markets in the western world?
WILLS: If we divide the world into the smart phone environment versus the legacy phone environment - legacy phones would be your ... types of phones that handle GSM but they're not necessarily on the Internet - yes, it's different. And the threat environment that we see with smart phone countries like Singapore, Hong Kong, Japan and Taiwan is very similar to what's in the U.S., because they're basically running on the same types of technology platforms, so there are only four or five different technology platforms out there. The security issues that are faced by those are going to be very, very similar.
In the more advanced countries, the types of threats that are going on are very, very similar to what we're seeing in the U.S. - Trojan-based attacks on online banking and things of that nature. When we get into the developing countries in Asia - Indonesia, Cambodia, Bangladesh and so on - where the financial services are running on more legacy phone environments, surprisingly enough, we don't see as much fraud and as many hacking attacks in that environment. I would expect to see it different, but it hasn't evolved that way. It seems to be a safer environment in many respects.
Addressing Emerging Risks
KITTEN: Looking at mobile risks, specifically in Asia Pacific, over the last 12 months, what steps are banking institutions taking to address emerging risks?
WILLS: [It's] very similar to what's emerging in the U.S. Your Trojan-based attacks on online banking are probably the biggest threats, and banks have to react here in exactly the same manner as they are in the U.S., Europe or anywhere else. You have these variants of the Zeus Trojan. You have drive-by attacks or phishing attacks where the Trojan, the malware, is downloaded onto the user's device, whether that is mobile or the PC, and you have a different form of authentication that's being compromised. That's probably the biggest concern right now, and that has multiplied a lot here in these more advanced markets over the last 12 to 18 months. The other thing that we've seen in parallel with the U.S. is an explosion of malware on the Android platform. ...
KITTEN: How have mobile payments evolved, and are the threat risks greater than they were 12 to 18 months ago in Asia Pacific?
WILLS: We can split mobile payments into the smart phone world and the legacy payment world. In the smart phone world in the more advanced countries in Asia, I would say there has been a big push to introduce EMV in countries like Singapore, Australia and New Zealand. That has had the predictable effect, just like it had in the European markets, of reducing certain types of fraud at the point of sale. Card counterfeiting and magnetic-stripe skimming have been reduced because of those initiatives that have been going on, [but] online card fraud, card-not-present fraud, has actually gone up in most of these markets. That's something that we can definitely point to.
KITTEN: Why is adoption within Asia so varied when it comes to EMV?
WILLS: It's because of the variation in the specific markets themselves that I was talking about in the introductory comments. You have countries like China and Japan, a third of the world's population, rapidly growing infrastructure, but not really highly developed yet and a lot of people still not in the banking system in those markets. You have countries like Singapore, Hong Kong and Taiwan which have a very robust and modern banking and financial system. You have others that are in between, like Indonesia, Malaysia and Thailand. That's where the variation comes from. You have different population densities and you have different cultures with respect to how people want to buy and pay for things. That's a big factor as well.
As far as EMV specifically goes, you're going to see quicker adoption in countries that already have a very robust and mature card payments infrastructure. You're not going to see it as quickly in countries that don't. If you go to Bangladesh, Laos or Cambodia, only a very small portion of the population are even using credit and debit cards in this way, and that's why.
KITTEN: Is there a big push within Asia Pacific overall to get banks to consider outlining more PCI adoption in their mobile payment schemes?
WILLS: Growth of PCI can be directly correlated with the growth of e-commerce and so-called card-not-present transactions. That transaction mode has somewhat lower adoption in even the mature Asian markets than it does in the United States and in Europe. Because of that, PCI has been slower to take hold in this region than it has in Europe. The PCI Standards Council is very active here. They speak at conferences and they've held workshops around here, but I find that they are more in education mode at this point - trying to educate the market about what PCI is, what the requirements are and why one should embrace PCI. Whereas if you're in the United States or in Europe right now, it's really more about getting it implemented and even taking more enforcement measures. Asia as a group of countries is somewhat behind Europe and the U.S. in that respect.
Lessons for Western Institutions
KITTEN: What lessons could western institutions and organizations touching the payments space learn from Asia Pacific?
WILLS: Especially with respect to security, I found that financial institutions here are very willing to embrace security and get their consumers involved in securing their own financial assets. I found that they're willing to experiment, try different ways and see what sticks. I think that would be a good take-away for U.S. financial institutions as well. [Don't] worry about trying new things. I have a bank account with a retail bank here in Singapore, and they must have introduced five or six different security mechanisms in the online banking and the mobile banking service that they have. Sometimes they'll find that they don't work all that well; they'll take them away and they'll try something new. That's a wise way to do it, given that the threat environment is evolving so fast and the technology environment's evolving so fast as well.