Who do you trust? Should banks or mobile operators be entrusted with m-commerce security?

Telecommunications International, Dec, 2001 by Sanjima DeZoysa

Banks and mobile operators have similar agendas, which explains the financial 'tug of war' over control of security and payment methods. Both want a close relationship with the end-user to increase customer satisfaction and drive revenues. Both also want a method for m-commerce payment solutions that is easy and manageable for their business.

"The relationship between banks and mobile operators is one of mutual distrust. Banks see mobile operators trying to control the financial transaction," claims Nick Norman, wireless strategy manager, Gemplus, an international supplier of smart cards. "One telco in Germany already has a banking licence and banks are nervous about their position, while mobile operators want to retain their independence."

At first glance it seems obvious that mobile operators should dominate m-commerce development. Creating mobile applications and services for end-users is their 'bread and butter' after all. But, looking closer, security of financial transactions is the critical issue and it is banks that are traditionally connected to it. Are mobile operators trying to imitate the role of banks without the financial know-how to support them or are banks encroaching on the territory of operators in the mobile applications arena?

Who knows best?

"Mobile operators are experts in developing applications and value-added services for consumers. There is no need for them to get embroiled in the payment process, since banks are willing to enable m-commerce" argues Liisa Kanniainen, workgroup executive, Mobey Forum, a financial industry-driven group that encourages the use of mobile technology in financial services. "The most important factor in enabling in-commerce is the perceived 'trust' element for end-users. When it comes to transactions, banks are legally responsible for security and consumers would expect banks to provide it. They always have done, why should it be different now?"

Security is also a fundamental element for mobile operators. In the same way banks face the loss of money and credibility through fraud and ineffective security mechanisms, mobile operators risk losing subscribers and therefore valuable business.

"Banks will absolutely have an important role to play with their financial experience," confirms David Geal, product manager, (digital signatures) for mobile operator, Vodafone. "But they will struggle with security in the context of deployment of applications and creating a suitable end-user experience."

He points to evidence that banks have had difficulties implementing fixed solutions using smart cards and informing users how to install software and use the smart card application with their PC. "It has been a real challenge for them," he says.

The debate about which method of deployment is best continues and is one which sees different relationships between the mobile operator, bank and end-user.

"Whether it is the bank or mobile operator that steers its [m-commerce] development and manages the customer relationship, depends on where the banking application resides," explains Nicolas Raffin, marketing manager e-payment, Schlumberger Test & Transactions. The global technology services company is currently involved in a range of mobile banking service and commerce projects with banks and their mobile operator partners. These fall into three broad categories:

* WAP-based services using a dual chip phone, where the applications are held on the bank-issued chip;

* STK (SIM toolkit) services, where applications are held on the SIM card; and

* STK services which use a dual slot phone and distribute applications across the SIM card and the bank card (credit card or smart card).

These are not the only permutations but are the most common examples found today in the in-commerce market.

Banks in control

In the WAP-based services model, the extra chip sits alongside the conventional SIM card and is dedicated to authorising and executing electronic transactions through the WIM (wireless identity module) application incorporated onto it.

"It is the WIM which secures the wireless part of the transaction and provides the trusted environment for the consumer, and enables the all-important non-repudiation essential for merchant confidence," explains Schlumberger's Raffin.

The integration of the WIM on the bank chip offers greater control for banks as it transforms it into the consumer's secure gateway to the mobile internet.

This is the model supported by the Mobey Forum in its in-commerce preferred payment architecture (PPA) A key element is encouraging an open architecture so consumers are not forced to select a specific operator or bank to use the services.

"The only way to get m-commerce up and running is through non-proprietary technology and an open architecture. Otherwise we will have a fragmented market with numerous dispersed one-to-one solutions," insists Kanniainen. "International interoperability is important for roaming, for example."

There are currently trials in banks across the globe, including Nordea Bank in Finland, UBS (United Bank of Switzerland) and DBS (Development Bank of Singapore) in Singapore.