tag:theconversation.com,2011:/ca/topics/online-banking-8021/articlesonline banking – The Conversation2023-05-02T14:06:01Ztag:theconversation.com,2011:article/2034352023-05-02T14:06:01Z2023-05-02T14:06:01ZNigeria and digital banking: a revolution still waiting to happen<figure><img src="https://images.theconversation.com/files/520775/original/file-20230413-26-hhkl4x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cash is still king in Nigeria. </span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/this-picture-taken-on-january-28-2016-in-lagos-shows-naira-news-photo/507489912?adppopup=true">Pius Utomi Ekpei/AFP via Getty Images </a></span></figcaption></figure><p><em>At the end of 2022 the Central Bank of Nigeria <a href="https://punchng.com/just-in-buhari-unveils-new-naira-notes-at-aso-rock/">launched</a> new banknotes. At the same time it also <a href="https://www.pensionnigeria.com/blog/cbn-imposes-new-cash-withdrawal-limits-on-nigeria-bank-accounts-full-circular-to-banks/">capped</a> withdrawal of the new banknotes. The rollout of the currency change was <a href="https://www.premiumtimesng.com/news/top-news/585737-timeline-naira-redesign-policy-from-inception-to-supreme-court-judgement.html">shambolic</a>. But it also led people to turn to digital financial services such as the use of <a href="https://nibss-plc.com.ng/news/4xapzv7015vgjryewfn8e2wd50">point of sale (PoS) machines for payments</a> in their transactions. <a href="https://pubdocs.worldbank.org/en/230281588169110691/Digital-Financial-Services.pdf#page=12">Digital financial services</a> are financial services which rely on digital technologies for their delivery and use by consumers. The Conversation Africa’s Wale Fatade asks Iwa Salami, an expert in financial technology regulation and financial regulation in emerging economies, to explain the increase and its implications.</em></p>
<p><strong>How did the botched currency changeover affect the way Nigerians used the banking system?</strong></p>
<p>The Central Bank <a href="https://www.cbn.gov.ng/Out/2022/CCD/Naira_Redesign.pdf">set a deadline of 31 January 2023</a> for all old notes to be deposited in banks in exchange for new. The country was <a href="https://www.premiumtimesng.com/news/top-news/585737-timeline-naira-redesign-policy-from-inception-to-supreme-court-judgement.html">plunged into a currency crisis</a> when all old notes were out of circulation and the new notes were hardly circulating. The ensuing scarcity of cash made life unbearably hard for Nigerians.</p>
<p>One outcome was that Nigerians sought alternative ways to pay for goods and services using digital alternatives, such as point of sale machines. Between 2017 and 2022, the number of point of sale terminals in Nigeria grew significantly. </p>
<p><a href="https://www.statista.com/statistics/1178109/number-of-pos-terminals-in-nigeria/">In 2017, there were around 155,000 terminals</a>, and this number has increased to roughly 1.1 million as of April 2022. Merchants and PoS operators handle the machines. Their operations are <a href="https://www.cbn.gov.ng/cashless/POS_GUIDELINES_August2011_FINAL_FINAL%20(2).pdf">regulated by the Central Bank</a>. </p>
<p>It also resulted in a <a href="https://www.nibss-plc.com.ng/news/4xapzv7015vgjryewfn8e2wd50">surge </a>in point of sales transactions in Nigeria. There was a 40.69% year-on-year increase from the N573.72 billion (US$1.24 billion) transactions that was done in January 2022 to N807.16 billion (US$1.75 billion) in January 2023. Total cashless transactions also rose by 45.41% year-on-year to N39.58 trillion (US$85.96 billion) in January 2023.</p>
<h2>What are the most developed forms of electronic transacting in Nigeria?</h2>
<p><strong>Point of Sale (PoS):</strong> These devices are installed both by traditional banks as well as by payment service banks. They are now ubiquitous throughout Nigeria - in supermarkets, large retail outlets as well as in small-scale businesses set up for this purpose only. </p>
<p><strong>Payment service banks:</strong> These <a href="https://www.mondaq.com/nigeria/financial-services/1188262/payment-service-banks-psb-in-nigeria">are technology driven companies</a> licensed by the Central Bank to engage in banking activities. Examples are Hope and MoneyMaster.</p>
<p><strong>Fintechs:</strong> This <a href="https://plaid.com/resources/fintech/what-is-fintech/">includes</a> any app, software, or technology that allows people or businesses to digitally access, manage, or gain insights into their finances or make financial transactions. A number of companies offer these services in Nigeria. They include Flutterwave, Piggyvest, OPay, Interswitch, Kuda and Remita. </p>
<p><strong>Online banking offered by traditional banks:</strong> All Nigerian banks offer online services. However, the services aren’t always reliable. During the currency crisis, for example, platforms collapsed and customers were unable to transact. Digital platforms didn’t have the ability to cope with the deluge of online transactions.</p>
<p><strong>Mobile money:</strong> <a href="https://datahelp.imf.org/knowledgebase/articles/1906552-fas-what-is-mobile-money-how-is-it-different-fro#:%7E:text=It%20is%20a%20financial%20service,is%20a%20basic%20mobile%20phone.">Financial service offered by a mobile network operator</a> and can be independent of the traditional banking network. A bank account is not required to use mobile money services – the only pre-requisite is a basic mobile phone.</p>
<p>Those offering this service include MTN and Airtel Africa. As with most other countries on the continent, mobile money uptake in Nigeria has been slow. The exception has been <a href="https://thedocs.worldbank.org/en/doc/4fff8526d366d112cd9fd96eaf4adbb1-0050062022/original/FindexNote1-062419.pdf">Kenya,</a> where the <a href="https://www.vodafone.com/about-vodafone/what-we-do/consumer-products-and-services/m-pesa">launch of MPesa in 2007 </a> led to a massive uptake in mobile financial services. </p>
<p>In 2022, the Central Bank of Nigeria issued MTN the first license to operate mobile money services. It started <a href="https://www.mtn.ng/wp-content/uploads/2022/05/MoMo-Payment-Service-Bank-commences-Commercial-Operations.pdf?_ga=2.69147735.751641338.1681378566-391186901.1681378566">operations in May</a>. MTN is the largest mobile network operator in Nigeria.</p>
<h2>Can you paint a picture of the banking landscape?</h2>
<p><a href="https://www.statista.com/statistics/1182094/number-of-bank-customers-in-nigeria/">In 2021 Nigeria had 122.3 million active bank customers</a>. According to February 2022 data only <a href="https://www.statista.com/statistics/1139751/popularity-of-financial-products-or-services-in-nigeria/">39% of Nigerians</a> use the formal banking system.</p>
<p>As has been shown elsewhere, <a href="https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2015/03/SOTIR_2014.pdf#page=14">mobile money offerings</a>, as well as other digital services, can extend banking to the unbanked. </p>
<p>In 2022 the volume of transactions performed electronically in Nigeria surged to the highest in five years. The total volume of the Inter Bank Settlement Scheme Instant Payment Platform transactions<a href="https://www.nibss-plc.com.ng/news/4cy2cqt4g9bkj44n75n4ete3x9#:%7E:text=A%20latest%20Mastercard%20survey%20said,websites%20to%20make%20financial%20transactions.">rose by 613.1% to 5.2 billion in 2022 from 729.2 million in 2018</a>. <a href="https://www.nibss-plc.com.ng/news/4cy2cqt4g9bkj44n75n4ete3x9#:%7E:text=A%20latest%20Mastercard%20survey%20said,websites%20to%20make%20financial%20transactions.">Its value also increased</a> by 381.5% from N80.4 trillion (US$174.6 billion) as at 2018 to N387.1 trillion (US$840.67billion) in 2022. </p>
<p>In my view, the spike in the value of transactions carried out at point-of-sale devices in Nigeria in January 2023 – they went up by <a href="https://nibss-plc.com.ng/news/4xapzv7015vgjryewfn8e2wd50">40.7% higher compared to the same month in 2022</a> – shows a wider adoption of digital payments. It is also an indication of the huge opportunities that mobile money operators and other forms of digital payments have in Nigeria. </p>
<h2>How does Nigeria’s digital currency eNaira fit into the picture?</h2>
<p>eNaira was <a href="https://www.cbn.gov.ng/out/2021/ccd/enaira%20launch%20press%20release%20%20231021.pdf">launched by the Central Bank in October 2021</a>. However, <a href="https://www.bloomberg.com/news/articles/2022-10-25/shunned-digital-currency-looks-for-street-credibility-in-nigeria?leadSource=uverify%20wall">less than 0.5% of Nigerians</a> were recorded as using it a year after its launch. </p>
<p>The Central Bank didn’t have an adoption strategy for the eNaira planned ahead of the currency change over. This was clearly a missed opportunity. </p>
<p>Although the aim of the currency was to <a href="https://enaira.gov.ng/assets/download/eNaira_Design_Paper.pdf#page=4">facilitate financial inclusion</a> and shrink the size of the informal market, it’s fallen short of the mark. It is currently only accessible to those with bank accounts. So, despite a <a href="https://www.bloomberg.com/news/articles/2023-03-21/nigeria-digital-currency-transactions-jump-63-on-cash-shortages?leadSource=uverify%20wall&sref=3REHEaVI">reported increase in the number of e-Naira wallets</a> to 13 million since October 2022, and an increase in the value of transactions in 2023, a lot still needs to be done to drive widespread adoption by the financially excluded. </p>
<p>Rethinking its architecture and policies to drive its adoption could include: </p>
<ul>
<li><p>making it accessible to all with a mobile phone; </p></li>
<li><p>incentivising people to use it such as granting significant discounts when used to pay taxes and for other public services; and </p></li>
<li><p>embedding mobile network or payments apps into Central Bank Digital Currency wallets for the wallets to be inter-operable with mobile network operators’ infrastructure. </p></li>
</ul>
<p>A lesson of the currency crisis is that fintech offers a solution to the limitations of legacy financial institutions, and at the same time, they can help address the financial exclusion challenge in Nigeria.</p>
<p>Had Nigeria appreciated the value of digital finance and particularly the key role to be played by mobile money operators, the impact of the crisis would not have been as painful.</p><img src="https://counter.theconversation.com/content/203435/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Iwa Salami does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Nigeria’s Central Bank didn’t have an adoption strategy for its digital currency. It was a missed opportunity.Iwa Salami, Reader (Associate Professor) in Law, University of East LondonLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1411412020-06-23T14:13:32Z2020-06-23T14:13:32ZElectronic banking fraud in Nigeria: how it’s done, and what can be done to stop it<figure><img src="https://images.theconversation.com/files/343219/original/file-20200622-54985-15pc17f.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A warning sign advising users to be aware of their surroundings while playing a video game. </span> <span class="attribution"><span class="source">Stefan Heunis/AFP via Getty Images</span></span></figcaption></figure><p>Six years ago, a <a href="https://www.cbn.gov.ng/cashless/">cashless policy</a> became fully operational in Nigeria. The aim was to encourage electronic transactions with a view to reducing the amount of physical cash in the economy. The logic was that this would minimise the risk of cash-related crimes. </p>
<p>But a major downside of the policy has been <a href="https://nairametrics.com/2019/10/24/fraud-cases-hit-major-payment-channels-across-nigerian-banks/">pervasive</a> electronic banking fraud (e-fraud). Although the cashless banking system was designed to foster transparency, curb corruption and drive financial inclusion, it’s threatened by the growing perpetration of fraud. </p>
<p><a href="https://ndic.gov.ng/wp-content/uploads/2019/09/NDIC-2018-ANNUAL-REPORT.pdf">About N15.5 billion</a> was lost to bank fraud in 2018. About 60% of the fraud was perpetrated online owing to available internet-based and tech-rated banking services. </p>
<p>Our <a href="https://journals.sagepub.com/doi/full/10.1177/0306624X20928028">research</a> investigated dimensions of electronic fraud in Nigeria. We found three: internal fraud carried out by banking staff; external fraud carried out by ordinary Nigerians; and collaboration between fraudsters and banking staff. </p>
<p>We found that inefficient supervision, non-performance of oversight by regional heads of banks, and poor follow-up on customers’ addresses (Know Your Customer) accounted for the fraud that took place.</p>
<p>Our study provides the banking industry, banking public and investors with critical pointers on how to reduce fraud. </p>
<h2>Different types</h2>
<p>Our study involved collecting data as well as conducting interviews with 30 people. These included victims of bank fraud, bank customers who did not subscribe to the cashless policy and fraud detectives at the Economic and Financial Crimes Commission (EFCC). </p>
<p>These were the common patterns we uncovered.</p>
<p><strong>Insider fraud:</strong> By insider, we mean those working with banks or those in a relationship with account holders. Here, the fraud was exclusively executed by members of staff in the banking system who exploited the strategic position they held in the system and their grasp of how it works. Banking institutions and customers were their victims.</p>
<p>An example we came across during our research was the case of a N90 million (US$452,261) fraud perpetrated by an account officer of a major eatery in Lagos State. The job of this account officer was to collect the eatery’s takings and deposit them at the bank. A fraud detective told us that:</p>
<blockquote>
<p>As the account officer he would collect money on a daily basis and was expected to credit the company’s account. However, he would collect money on Monday and lodge it and collect on Tuesday and not lodge it. He was missing one day out. He did this continuously until he was able to rake in N90 million. At this time, when the eatery management raised the alarm on their account, he ran away and could not be found. We however used his sister to arrest him. We were only able to recover N8 million naira from him. He had used part of the money to organise his wedding, had a baby and almost completed a four-bedroom bungalow at another area in Lagos.</p>
</blockquote>
<p>Bank fraud is often successful because many Nigerians don’t subscribe to transaction alerts. The eatery management trusted their account officer but did not know that he was dishonest.</p>
<p><strong>Outsider fraud:</strong> These perpetrators were external to the banking system. They thrived on their internet skills and sometimes on their understanding of the victims’ routine and identity.</p>
<p>An example we came across was the fraudulent use of <a href="https://www.cbn.gov.ng/Out/2017/BPSD/Circular%20on%20the%20Regulatory%20Framework%20for%20BVN%20%20Watchlist%20for%20Nigerian%20Financial%20System.pdf">bank verification numbers</a> (BVN). These were made compulsory by the Central Bank of Nigeria in 2014. All bank account holders had to undertake biometric registration. The intention was to ensure security and check fraud. </p>
<p>But fraudsters have found a way to cheat the system by sending bank customers false emails asking for their bank verification details. As one victim explained to us:</p>
<blockquote>
<p>I needed to make some transactions and I headed for my bank. I had called my account officer ahead of time. On getting to the bank, I connected my computer and got a mail from a supposed same bank. I was asked to click on a link and supply my BVN details for update of my account or face service suspension on the account. I just clicked the link and supplied my details and behold, N1 million debit alert came on my phone within five minutes! I was shocked and devastated but before we could do anything they had withdrawn everything.</p>
</blockquote>
<p><strong>Collaborative fraud:</strong> This involved collaboration between bank staff and fraudsters outside the banking system. Banks and individual account holders were the victims. For example, bank staff could provide account details of customers to the collaborating fraudster.</p>
<h2>Governance gaps</h2>
<p>Despite this weak governance architecture, which is still not fraud proof, bank executives reported having in place mechanisms which had limited the incidence of fraud. One was sending out information to customers who subscribed to electronic alerts. Through this, banks contact and send anti-fraud messages to their customers. </p>
<p>Owing to reputational risk, banks try to refrain from public prosecution of erring staff. We found that banks adopted shaming as a mechanism for instilling discipline within their organisations while attempting to ease out “bad eggs” through flagging of their images on computers and across the banking industry.</p>
<p>There is a need to check fraud through customer awareness and financial literacy education. </p>
<p>While fraudsters continue to design new ways of working on customers’ vulnerabilities, Nigerian banks need to use the <a href="http://www.nigerianlawguru.com/legislations/STATUTES/CYBERCRIME%20ACT%202015.pdf">Cybercrime Act </a> to prosecute offenders as a way to boost confidence in the banking sector and deter fraud in the future.</p><img src="https://counter.theconversation.com/content/141141/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Oludayo Tade receives funding from the Regents of the University of California, Institute for Money, Technology and Financial Inclusion (IMTFI), Irvine, USA.</span></em></p>Nigeria’s cashless policy seeks to minimise cash-related crimes, but it seems to have replaced that risk with another: electronic fraud.Oludayo Tade, Researcher in criminology, victimology, electronic frauds and cybercrime, University of IbadanLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1309382020-02-19T14:00:40Z2020-02-19T14:00:40ZGrowing up in a banking desert can hurt your credit for the rest of your life<figure><img src="https://images.theconversation.com/files/316009/original/file-20200218-10976-1d3pxr0.jpg?ixlib=rb-1.1.0&rect=137%2C245%2C4974%2C3157&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">It's lonely out there.</span> <span class="attribution"><span class="source">Winslow Productions via Getty Images</span></span></figcaption></figure><p><em>The Research Brief is a short take on interesting academic work.</em></p>
<h2>The Big Idea</h2>
<p>A banking desert is an area without traditional financial institutions and services. They are common in rural areas because large financial institutions are reluctant to operate in less populated areas that are less profitable. Two colleagues and I found that people who grow up in a bank desert on Native American reservations are at a <a href="https://www.sciencedirect.com/science/article/abs/pii/S0304405X19301205">financial disadvantage throughout their adult life</a>. They are less likely to use traditional credit, such as a credit card or a mortgage. When they do, their payments are significantly higher than average, and they’re more likely to fall behind on payments. These effects persist even for people who move to areas with more banking services. </p>
<h2>Why it matters</h2>
<p>Young adults who were exposed to the financial system at an early age – for example, when a parent opens up their first savings account – are more likely to become financially literate. This is important because financial illiteracy leads to <a href="https://www.consumerfinance.gov/about-us/blog/credit-mistakes-could-be-costing-you-money/">costly mistakes</a> when navigating the intricacies of financial products. Our results highlight the importance of learning from interactions with local banks and developing a credit history at a young age. </p>
<h2>How we do our work</h2>
<p>In this particular study, we looked at bank deserts in a setting with particularly scarce access to financial services: Native American reservations. A 2001 study of financial access on reservations <a href="https://www.cdfifund.gov/Documents/2001_nacta_lending_study.pdf">found that only half of reservations</a> had a bank within 30 miles. Though a recent analysis shows that access to banking on reservations has improved, someone living in a reservation <a href="https://nni.arizona.edu/application/files/6514/8642/4513/Accessing_Capital_and_Credit_in_Native_Communities__A_Data_Review.pdf">must travel an average of more than 12 miles</a> to reach their nearest bank branch. </p>
<p>For our study, we used Equifax credit bureau data to observe credit outcomes for people who grew up in Native American bank deserts and compared them with those who were raised on reservations with a branch on site. While merely living on a reservation has been linked to <a href="https://www.forbes.com/sites/johnkoppisch/2011/12/13/why-are-indian-reservations-so-poor-a-look-at-the-bottom-1/#2d35fa493c07">poverty and negative consequences for individuals later in life</a>, we found that at least for credit outcomes it was the lack of banking that really mattered.</p>
<p>We also surveyed nearly 1,000 Native Americans to understand how bank deserts affected their attitudes toward finance. We learned that Native Americans who grew up in bank deserts had worse financial literacy and were less trusting of bankers. These differences led young people to develop worse credit histories, a disadvantage that lasts a lifetime.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&rect=79%2C172%2C4713%2C3326&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=439&fit=crop&dpr=1 600w, https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=439&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=439&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=551&fit=crop&dpr=1 754w, https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=551&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/316007/original/file-20200218-10991-m4twb8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=551&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A deserted bank building in the oil ghost town, Slick, Okla., in 1940.</span>
<span class="attribution"><span class="source">Russell Lee/Underwood Archives/Getty Images</span></span>
</figcaption>
</figure>
<h2>What still isn’t known</h2>
<p>An important question that still hasn’t been answered is whether technology can help solve the problem. <a href="https://www.americanbanker.com/list/10-ways-technology-will-change-banking-in-2019">Online banking has expanded</a> significantly, with numerous apps that make it easier to manage one’s finances without stepping foot in a branch. In theory, this could extend financial access to people in bank deserts. However, we found that bank deserts have long lasting effects despite the recent proliferation of online banking, suggesting that online banking does not fully replace having a local bank nearby.</p>
<h2>What else is happening</h2>
<p>Our research on Native American bank deserts is related to <a href="https://nni.arizona.edu/application/files/6315/2822/4505/Accessing_Capital_and_Credit_in_Native_Communities.pdf">ongoing policy research</a> that seeks to understand how banking can be sustained on reservations. Though we focus on how people are affected by lack of access to finance, there are also important gaps for small businesses that need credit to grow their businesses.</p>
<h2>What’s next</h2>
<p>I am generally interested in understanding how households access and use credit. My latest research studies how receiving large cash windfalls from the discovery of shale natural gas affects households’ access and use of credit. Payments from shale natural gas discoveries can frequently exceed US$100,000. We hope to understand how this money affects <a href="http://gattonweb.uky.edu/faculty/hankins/conf2019/shale.pdf">debt repayment</a> and <a href="https://conference.nber.org/conf_papers/f131649.pdf">self-employment</a> outcomes for households.</p>
<p>[<em><a href="https://theconversation.com/us/newsletters?utm_source=TCUS&utm_medium=inline-link&utm_campaign=newsletter-text&utm_content=expertise">Expertise in your inbox. Sign up for The Conversation’s newsletter and get a digest of academic takes on today’s news, every day.</a></em>]</p><img src="https://counter.theconversation.com/content/130938/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Tony Cookson does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Banking deserts make it harder for children and young adults to become financially literate, which leads to worse credit and a lifetime of disadvantage.Tony Cookson, Associate Professor of Finance, University of Colorado BoulderLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1235292019-09-17T20:31:55Z2019-09-17T20:31:55ZPayID data breaches show Australia’s banks need to be more vigilant to hacking<figure><img src="https://images.theconversation.com/files/292738/original/file-20190917-19083-1gzkg5k.jpg?ixlib=rb-1.1.0&rect=49%2C0%2C5472%2C3645&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Linking your mobile number to your bank account could have unintended consequences.</span> <span class="attribution"><span class="source">SewCream/Shutterstock.com</span></span></figcaption></figure><p>When we think of a bank robbery, we might imagine a safe with the door blown open. But nowadays it might be more accurate to picture criminals accessing our bank account online from another country. Bank robbers don’t need balaclavas and shotguns anymore.</p>
<p>Australian banks have long provided convenient ways for customers to transfer funds. But the process of remembering and entering BSB and account numbers is prone to human error. Enter <a href="https://payid.com.au/">PayID</a>.</p>
<p>PayID allows customers to attach their mobile phone number or email address to their bank account. They can then simply provide these details to other people, providing a convenient way to receive payments.</p>
<p>It can only be used for incoming payments, rather than outgoing ones. So you might think that makes it less of a tempting target for hackers. But that’s not necessarily the case.</p>
<p><a href="https://www.nppa.com.au/wp-content/uploads/2018/12/New-Payments-Platform-Financial-Services-Media-Release.pdf">Launched in February 2018</a> by <a href="https://www.nppa.com.au/the-company/">New Payments Platform Australia</a>, an alliance of 13 banks, PayID is reportedly available to <a href="https://www.nppa.com.au/wp-content/uploads/2019/02/NPP-One-year-on.pdf">more than 52 million account holders</a> across almost all major financial institutions. By February 2019, some 2.5 million PayID identifiers had been created, and 90 million transactions totalling more than A$75 billion had been processed.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-new-payments-platform-may-mean-faster-transactions-but-it-wont-be-safer-91565">The New Payments Platform may mean faster transactions, but it won't be safer</a>
</strong>
</em>
</p>
<hr>
<p>When entering a PayID mobile phone number to make a payment, the full name of the account holder is displayed, so the person making the payment can ensure they are sending it to the right PayID account.</p>
<p>Shortly after the service launched, Twitter users began pointing out that this means you can enter random phone numbers and, if that number has been linked to a PayID account, the account holder’s name will show up – rather like a phone book in reverse.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=757&fit=crop&dpr=1 600w, https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=757&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=757&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=951&fit=crop&dpr=1 754w, https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=951&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/292436/original/file-20190913-8687-1rizahf.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=951&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Twitter posting of PayID details.</span>
<span class="attribution"><span class="source">@anthonycr0</span></span>
</figcaption>
</figure>
<p>The following day, on February 17, 2018, NPP Australia acknowledged this issue in a <a href="https://www.nppa.com.au/wp-content/uploads/2018/12/PayID-privacy-statement.pdf">media release</a>, but effectively dismissed users’ concerns:</p>
<blockquote>
<p>While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.</p>
</blockquote>
<p>This is not exactly reassuring for bank customers whose details were publicly posted. And developments this year suggest that the underlying problems persist.</p>
<h2>Better luck next time?</h2>
<p>In June 2019, around <a href="https://www.businessinsider.com.au/100000-australians-reportedly-at-risk-of-fraud-as-hackers-attack-westpacs-payid-platform-2019-6">98,000 PayID details were obtained</a> after hackers used several online bank accounts to carry out <a href="https://www.smh.com.au/business/banking-and-finance/australians-private-details-exposed-in-attack-on-westpac-s-payid-20190603-p51u2u.html">more than 600,000 PayID lookups over the course of six weeks</a>, reportedly by simply entering phone numbers in sequential order.</p>
<p>It is not clear who was to blame, although there are allegations of a <a href="https://www.theage.com.au/business/banking-and-finance/australians-private-details-exposed-in-attack-on-westpac-s-payid-20190603-p51u2u.html">leaked memo pointing the finger at US-based fraudsters</a>. </p>
<p>The exact motive is unclear, but any personal data has value in the underground economy. In this case, the data could potentially be used as part of a more complex phishing scam designed to steal further information from account holders.</p>
<p>Although this is clearly a very simple attack involving nothing more sophisticated than simple trial and error, it appears the PayID system did not detect the large number of lookups – an average of 14,000 per account – or the speed with which they were undertaken. </p>
<p>To give a real-world example, it would be like going into your bank 14,000 times and handing over a different piece of identification each time.</p>
<p>This high volume of lookups should have raised significant security concerns. While legitimate users could be forgiven for needing a couple of tries to punch in the right number, no one should need thousands of attempts.</p>
<p>It should have been a simple security step to add lookup limits and to identify this as highly abnormal behaviour. Yet neither the bank concerned nor NPP Australia had implemented mechanisms to detect or prevent this form of misuse.</p>
<p>After a security breach this size, the banks might reasonably be expected to take urgent steps to prevent it happening again. But it did happen again, two months later.</p>
<p>In August 2019, a further <a href="https://www.canstar.com.au/online-banking/payid-hack-which-bank-accounts-hit/">92,000 PayIDs were exposed</a>. In this case, it was reported that the breach happened <a href="https://www.nppa.com.au/uplifting-cybersecurity-controls/">within the systems of a financial institution connected to the NPP Australia systems</a>. Worryingly, this breach reportedly revealed users’ full name, BSB and account number. </p>
<p>Banks were quick to <a href="https://www.nppa.com.au/uplifting-cybersecurity-controls/">reassure customers</a> that this does not allow transactions to be undertaken. However, it did deliver yet more valuable information into the hands of cyber criminals – further enabling phishing opportunities.</p>
<p>While affected customers have been contacted, the only option to remove this risk is to stop using PayID. This is easily done but removes the convenience factor for most bank customers.</p>
<h2>What’s the real risk?</h2>
<p>Because the system enables payments <em>into</em> accounts, rather than authorising withdrawals <em>from</em> them, the risk may seem minor. Indeed, many in the banking sector have dismissed it as so. But there is a deeper risk. </p>
<p><a href="https://theconversation.com/phishing-scams-are-becoming-ever-more-sophisticated-and-firms-are-struggling-to-keep-up-73934">Phishing</a> is a form of cyber crime in which victims are tricked into revealing confidential information through convincing-looking emails or SMS messages. Unfortunately, there are already examples of this in relation to PayID.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=337&fit=crop&dpr=1 600w, https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=337&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=337&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=423&fit=crop&dpr=1 754w, https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=423&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/292438/original/file-20190913-8674-1cbmg07.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=423&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Real examples of PayID-related SMS phishing messages.</span>
<span class="attribution"><span class="source">canstar.com</span></span>
</figcaption>
</figure>
<p>The approach depicted above is not particularly sophisticated. But imagine a more tailored email message quoting examples of identifiable information (PayID, full name) or, as with the most recent breach, BSB and account number. </p>
<p>Coupled with the correct branding and reassuring words of your bank, it would be easy to convince an unsuspecting user of the need to “login to change your PayID for security reasons”. Just a few minutes of creativity on a computer can produce convincing results.</p>
<p>The image shown below was created to show how easy this process is. It uses genuine branding, but the “login” button could easily be set to direct users to a website designed to steal login credentials.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=754&fit=crop&dpr=1 600w, https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=754&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=754&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=948&fit=crop&dpr=1 754w, https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=948&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/292440/original/file-20190913-8701-1nq3pl8.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=948&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Mock-up of a potential PayID-related phishing email.</span>
</figcaption>
</figure>
<p>With the <a href="https://www.mebank.com.au/news/household-financial-comfort-report/">ME Household Financial Comfort Report</a> indicating that almost 50% of households have at least A$10,000 in savings, there is a clear incentive for cyber criminals to target our bank accounts. As with any phishing attack, it only takes a few people to succumb to make the enterprise worthwhile.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/banks-cant-fight-online-credit-card-fraud-alone-and-neither-can-you-82088">Banks can't fight online credit card fraud alone, and neither can you</a>
</strong>
</em>
</p>
<hr>
<p>Although bank customers can do little more than think twice before responding to messages, the real power is with the banks. Simply being alert to unusual patterns of behaviour would have prevented these security breaches. </p>
<p>This is not new territory for financial institutions, who routinely look for <a href="https://www.cnbc.com/id/46907307">unusual patterns in credit card transactions</a>. Perhaps it is time to apply these same concepts in other scenarios and better protect Australia’s banking customers.</p><img src="https://counter.theconversation.com/content/123529/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>PayID has been misused and compromised in various ways since its 2018 launch. The system deals only in “incoming” payments, not outgoing ones – but that doesn’t mean users are safe from cyber crime.Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1186362019-06-12T23:10:32Z2019-06-12T23:10:32ZThe value of an old-fashioned visit to your bank branch<figure><img src="https://images.theconversation.com/files/278933/original/file-20190611-32356-pu87ny.jpg?ixlib=rb-1.1.0&rect=16%2C0%2C5590%2C3690&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Research shows the benefits of having a face-to-face relationship with your bank.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure><p>The rise of online and mobile banking has changed the financial service industry as we know it. </p>
<p>Customers have long been able to trade the onetime weekly trip to their local branch for a few easy clicks from the convenience of their home or workplace. Instead of having a cup of free coffee at the bank, customers are online in a cafe across the street. </p>
<p>As a result, physical bank branches play a less vital role in our financial experiences. </p>
<p>In 2017, the increasing use of online and mobile banking prompted TD, CIBC and RBC to <a href="https://www.cbc.ca/news/canada/saskatchewan/20-rural-saskatchewan-bank-closures-2017-1.4193164">close a total of 20 branches</a> in Saskatchewan alone, and <a href="https://www.cbc.ca/news/canada/thunder-bay/cibc-branch-closure-longlac-terrace-bay-1.4917949">additional closures</a> in northern Ontario were announced in 2018. In rural areas particularly, bank branches — once a Main Street staple — are disappearing from many communities.</p>
<p>As banking services have moved online, customers no longer need to interact with bankers in branch offices to pay bills, deposit savings or renew mortgages. Tech-savvy customers welcome online banking for its convenience, and banks view it as a way of increasing efficiency. </p>
<h2>Hidden costs</h2>
<p>But my research suggests that there are hidden costs to abandoning personalized banking relationships.</p>
<p>Past research shows some lenders and borrowers develop personal relationships. For example, small business owners establish personal <a href="https://doi.org/10.2307/2657252">relationships with bankers</a> in an effort to secure loans, and lenders build personal <a href="https://doi.org/10.1016/S0378-4266(01)00189-3">relationships with borrowers</a> as a way of gaining access to private information that may affect loan repayment. </p>
<p>These relationships can shape the nature of financial transactions — with important consequences.</p>
<p><a href="https://doi.org/10.1086/696214">In a study I conducted on borrowers and lenders</a>, I found that personal relationships between them benefit both parties. My research shows that when borrowers have personal relationships with lenders, they are more likely to repay their loans on time, whereas those with distant relationships miss more payments. </p>
<p>Timely loan repayment is a win-win: it helps borrowers develop strong credit scores and allows banks to earn money on interest. </p>
<h2>Bankers more lenient</h2>
<p>I also found that bankers are more lenient when borrowers hit a rough patch and fall behind on payments if they have a personal relationship. By comparison, bankers are more likely to write off delinquent borrowers when they have only formal, distant ties.</p>
<figure class="align-left ">
<img alt="" src="https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=596&fit=crop&dpr=1 600w, https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=596&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=596&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=749&fit=crop&dpr=1 754w, https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=749&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/278965/original/file-20190611-32366-1oec2gn.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=749&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">George Bailey may not be greeting you at the door of your local bank branch, but nonetheless maintaining a personal connection with the people at your bank is a wise choice.</span>
<span class="attribution"><span class="source">Flickr</span></span>
</figcaption>
</figure>
<p>Of course, it’s unlikely that we’ll revert back to the days of <em>It’s a Wonderful Life</em>, with banker George Bailey greeting each customer by name. But maintaining some form of personal connection is a wise choice for customers and bankers alike.</p>
<p>Those of us who do most banking online should develop a relationship with someone at our primary bank. And this relationship should consist of more than just email or texting — it should start with an in-person meeting. Even the most devout online banks like Tangerine have brick-and-mortar branches in major cities where you can meet with real, human bankers.</p>
<p>My research suggests that, if you and your banker retain this relationship, the banker will cut you some slack when you need it, and you’ll be a more reliable customer. </p>
<h2>Benefits for banks and customers alike</h2>
<p>Building and maintaining personal relationships generates benefits on both sides. </p>
<p>A colleague’s recent experience demonstrates this: when there was fraudulent activity on his account, he described how his bank’s call centre provided immediate assistance by cancelling his bank card and securing the account. However, when his bank continued to reissue and cancel new cards in advance of a trip, it was the familiar face at his local branch who finally resolved the issue before his impending departure.</p>
<p>To many, the machine-like inner workings of financial institutions may appear too formal to be swayed by personal attachments and obligations. My study suggests otherwise. </p>
<p>Personal relationships can have important implications, even within the seemingly cold, impersonal realm of finance. Perhaps it’s time for you to drop into your bank branch for that free cup of coffee.</p><img src="https://counter.theconversation.com/content/118636/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Laura Doering receives funding from the Social Science and Humanities Research Council of Canada and the Michael Lee-Chin Family Institute for Corporate Citizenship. </span></em></p>Research suggests there are hidden costs to abandoning personalized banking relationships in favour of online banking.Laura Doering, Assistant Professor of Strategic Management, University of TorontoLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1017512018-08-28T17:23:51Z2018-08-28T17:23:51ZExploring Cambodian and French attitudes toward mobile banking adoption and use<p>The demand for mobile banking applications (MBA) is on the rise because of perceived advantages in security, usefulness and speed, but what are the other factors that influence their adoption and use, and what are the profiles of those who adopt them? The <a href="http://www.univ-nantes.fr/projet-formation-erasmus-/the-dockside-project-2136562.kjsp?RH=1508488291953">DOCKSIDE project</a>, coordinated by the University of Nantes, aims to explore such questions.</p>
<p>The study focuses on users from two countries, Cambodia and France, by using a research framework extracted from the well-known <a href="https://nhm.org/site/sites/default/files/pdf/contrib_science/CS521.51-114.pdf">Technology Acceptance Model</a> (TAM) and <a href="http://www.icommercecentral.com/open-access/unified-theory-of-acceptance-and-use-of-technology-utaut-modelmobile-banking.php?aid=86597">Unified theory of acceptance and use of technology</a> (UTAUT).</p>
<h2>Banking on mobile banking</h2>
<p>E-banking is both <a href="https://s3.amazonaws.com/academia.edu.documents/33285898/JECR.pdf?AWSAccessKeyId=AKIAIWOWYYGZ2Y53UL3A&Expires=1534666986&Signature=nmjyGq18A1JztZmlP1e%2BQViVGrk%3D&response-content-disposition=inline%3B%20filename%3DMobile_Banking_Adoption_Application_of_D.pdf">growing and become more widespread</a> around the world. This can be explained by three <a href="https://www.sciencedirect.com/science/article/pii/S0747563204000470">interlinked trends</a>:</p>
<ul>
<li>Greater Internet coverage in a growing number of territories.</li>
<li>Higher quality of the operators’ offers.</li>
<li>Higher efficiency of the users’ practices.</li>
</ul>
<p>Nevertheless, the factors that explain their initial adoption and their subsequent use are still interesting to identify and to compare. The object of this article is to compare the <a href="https://www.sciencedirect.com/science/article/pii/S0747563210000154">explanatory factors</a> such as ease of use, utility, security, trust and convenience as perceived by Cambodian (Asia) and French (Europe) users. The full research, with a focus on the economic and entrepreneurship impacts <a href="https://www.researchgate.net/publication/262356195_Entrepreneurship_e-finance_and_mobile_banking">(Ratten, 2012)</a>, will be published in 2019.</p>
<h2>A few words about the Cambodian and French contexts…</h2>
<p>The DOCKSIDE project aims to <a href="http://www.dockside-kh.eu/project-activities/">strengthen multidisciplinary research</a> (economics, management, environment, etc.) as well as cooperation between Cambodians and Europeans, especially in emerging areas. This Erasmus+ project also seeks to confront and adapt research practices, models and methodologies. For example, in the case of this research, the authors began their empirical study in Cambodia (Phnom Penh) in autumn 2017 and then continued in France (Nantes) during spring and summer 2018.</p>
<p><a href="http://num.edu.kh/Research/SERIESVOLUME3_LV05.pdf">Innovative digital payment in Cambodia</a> debuted in 2008 when Wing and <a href="https://www.anzroyal.com/en/about-us/our-company/anz-cambodia/">ANZ Royal Bank</a> launched a money-transfer service for mobile-phone users. As of 2016, 32.4% of Cambodia’s 15.76 million residents used the Internet according to the <a href="https://data.worldbank.org/indicator/IT.NET.USER.ZS?end=2016&locations=KH&start=2016&view=bar">World Bank</a>. Research conducted by the Open Institute in 2016 found that <a href="http://www.open.org.kh/research/phones_2016.pdf">48% of Cambodians</a> use one smartphone or more.</p>
<p>In France, “65% or 34.7 million of the French population has Internet coverage, 61% had declared that they access Internet directly from home using a high-speed connection”, according to <a href="http://www.theibfr2.com/RePEc/ibf/ijmmre/ijmmr-v3n3-2010/IJMMR-V3N3-2010-8.pdf">Sanchez & Gallie, 2010</a>. More recently, in 2017 <a href="http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_bde15cbc&lang=en">Eurostat</a> reported that 62% of the French population used Internet banking, compared to 50% in 2010. France had a population of <a href="https://data.worldbank.org/indicator/IT.NET.USER.ZS?end=2016&locations=KH&start=2016&view=bar">67.12 million in 2017</a>, indicating that approximately 41.62 million used Internet banking that year. Interestingly, <a href="https://www.journaldunet.com/economie/finance/1175949-banque-le-mobile-en-passe-de-depasser-ordinateur/">47% of bank customers</a> used mobile banking services on mobile phones more frequently than computers in 2016.</p>
<h2>… and about e-banking services</h2>
<p>The technological offer of French and Cambodian banks is comparable, but the distribution and the background of the countries’ populations are not.</p>
<p><a href="https://pdfs.semanticscholar.org/2a3e/4a3024bfc4df27db07a1d48f77a6f371b0c3.pdf">Traditional banks</a> have the potential to provide mobile banking access to people in rural area where a few people could have computer without an Internet. They also have the possibility of bringing mobile banking to areas where people do not have Internet due to an extensive cell phone use and the limited capacity of Internet banking. <a href="http://www.sciencedirect.com/science/article/pii/S0268401206001101">The Internet</a> should be added the range of banks’ services while others branch and phone services are kept traditionally to strategise from branch to mobile banking and to capture an adequate market share during this transition period.</p>
<p>The <a href="http://www.sciencedirect.com/science/article/pii/S0957417409002735">trend toward mobile banking</a> has potential for the banking sector. By providing such services, banks can retain their existing client base and transform mobile phones users to mobile banking customers. But it seems increasingly difficult to attract and retain users. With a wide range of service providers, it is difficult for financial institutions to <a href="http://www.iosrjournals.org/iosr-jbm/papers/Vol17-issue11/Version-1/H0171114854.pdf">retain customers’ loyalty</a>. Plus, users have gained rights <a href="http://www.sciencedirect.com/science/article/pii/S0268401206001101">due to recent evolution of legislation and regulation</a>.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&rect=0%2C0%2C1200%2C732&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=368&fit=crop&dpr=1 600w, https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=368&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=368&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=462&fit=crop&dpr=1 754w, https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=462&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/233128/original/file-20180822-149490-9lpvgx.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=462&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Mobile banking in Cambodia.</span>
<span class="attribution"><a class="source" href="https://tradepractices.wordpress.com/2012/07/03/beyond-smartphones-mobile-banking-in-developing-countries/">Trade Practices</a></span>
</figcaption>
</figure>
<h2>About data collection and analysis</h2>
<p>Our study aims to compare factors that really affect the intention to adopt and use mobile banking applications in Cambodia and France. In all, our field survey collected the opinions and perceptions of <a href="https://measuringu.com/sample-size-designs/">252 representative e-banking users</a> (126 from each country, urban and connected), with parity between men and women and between younger and older users. </p>
<p>Both paper-based and online surveys were used to get a large enough sample for treatment and analysis using the <a href="https://www.ibm.com/analytics/spss-statistics-software">Statistical Package for the Social Sciences</a> (SPSS). Data were collected from October 2017 to July 2018. The questionnaire follows previous research studies including some <a href="http://www3.cis.gsu.edu/dtruex/courses/IB8710/Articles/EJIS-FrenchSMEs-201212.pdf">empirical research</a> by both universities. A seven-point Likert scale, ranging from “Strongly Disagree” to “Strongly Agree” was used to measure and treat all items. Our main results are summarized below.</p>
<h2>About main results…</h2>
<p>The research is divided into two sections. The first compares the conventional factors that affect intention to adopt and to use mobile banking app between the two population. The second compares how gender and age influence (or not) the adopting behaviour.</p>
<p>The research found that both countries share a similarity (mean values > 5 “agree”) of perceptions toward the usefulness, easiness and intention to use mobile banking applications. Concerning self-efficacy, French users have more experience with and knowledge of mobile banking than Cambodians. This result might be link with the <a href="https://www.atkearney.com/financial-services/article?/a/going-digital-the-banking-transformation-roadmap">different periods of Internet network introduction</a> (France around 2000, and Cambodia around 2008) and of smartphone availability (2010 and 2013, respectively).</p>
<h2>… focusing on trust and usefulness</h2>
<p>However, both nations gave a low scores (mean values < 5 “agree”) to their level of trust in mobile banking. Strengthening perceived trust remains a major issue, especially safety, confidentiality of personal information – including the <a href="https://gdpr-info.eu/">GDPR</a>, which is affecting data-privacy laws across Europe – as well as transaction safety, encryption technology and legal protections.</p>
<p>In terms of demographics, men and women in the two countries have similar attitudes about the use, benefits and conveniences of mobile-banking applications. However, both still rate their level of trust lower. In Cambodia, the 26-35 age group has more knowledge and experience with mobile activities than those 16-25 and 36 and up. In France, those 26-35 are more likely to have better knowledge and experience of mobile banking than those 16-25 and 36 and up. The youngest age group, 16-25, does not surpass those 26-36 in self-efficacy due to their income, knowledge, and working experiences.</p>
<p>Finally, we can highlight some interesting differences concerning the influence of <a href="https://data.worldbank.org/indicator/SP.POP.GROW">gender and age</a>. For example, the perceived usefulness is higher in France for women, whereas in Cambodia it’s higher for men. Similarly, perceived trust is higher in Cambodia for women, whereas it’s similar for men and women in France. Lastly, in both France and Cambodia, users 26 and older are more are confident and capable using mobile banking than those under 26.</p>
<h2>A few words about IT globalisation process</h2>
<p>Even if the two countries are different in socio-economic terms, the practices and attitudes of their (young) population are quite similar concerning e-banking. This exploratory study highlights the true similarity among young users (male and female) of the factors influencing the adoption of e-banking technologies, but also – in the course of their learning and appropriation of mobile technology – behaviours and uses that are fairly similar. Research continues by focusing on the economic and entrepreneurial impacts (or lack thereof) of the growing use of e-banking in terms of value, therefore value creation, wealth and <a href="https://www.tandfonline.com/doi/full/10.1080/14479338.2016.1268924">social innovation</a>.</p><img src="https://counter.theconversation.com/content/101751/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Samedy Mey is participating DOCKSIDE Erasmus+ program at both University of Nantes (UN) and National University of Management (NUM) between France and Cambodia. </span></em></p><p class="fine-print"><em><span>Marc Bidan is afiliated with DOCKSIDE Erasmus+ program, in the field of higher education, coordinated by University of Nantes.and directed by Pr. Thomas Vallée</span></em></p>A new study explores factors that motivate users of mobile banking applications in Cambodia and France.Samedy Mey, PhD student in management, National University of Management - CambodiaMarc Bidan, Professeur des Universités - Management des systèmes d’information - Polytech Nantes, Université de NantesLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/813282017-08-10T03:16:43Z2017-08-10T03:16:43ZBanking with a chatbot: a battle between convenience and security<figure><img src="https://images.theconversation.com/files/179772/original/file-20170726-11301-oug465.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Does more convenience mean less security?</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Soon, you will be able to check your bank balance or transfer money through Facebook Messenger and Twitter as banks <a href="http://www.smh.com.au/business/banking-and-finance/ing-direct-prepares-to-unleash-banking-chatbots-on-social-media-20170706-gx6gqr.html">experiment with chatbots</a>. Companies like <a href="https://www.chatbots.org/virtual_assistant/anna_au/">Ikea</a> have used customer service chatbots for close to a decade. But their use in financial services represents a new tension - do we want convenience or a feeling of security from our banks?</p>
<p><a href="http://www.sciencedirect.com/science/article/pii/S0167404808000941#fig1">Research shows</a> that when it comes to online banking, customers are prepared to trade security for convenience. But when customers think there is a threat to their security, this feeling reverses.</p>
<p><a href="https://eprints.qut.edu.au/84674/">Researchers at QUT</a> recently found that a sense of insecurity is one of the reasons consumers do not already interact with financial institutions on social media. And the feeling of insecurity actually increased between 2010 and 2014, as social media became more popular.</p>
<p>This means banks will likely have to design their chatbots to give a sense of security, just like they do with bank branches.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/banks-cant-fight-online-credit-card-fraud-alone-and-neither-can-you-82088">Banks can't fight online credit card fraud alone, and neither can you</a>
</strong>
</em>
</p>
<hr>
<p>The trade-off between the convenience and security of a service comes down to trust. <a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465.9764&rep=rep1&type=pdf">Trust</a> in the service provider to protect our personal details (“soft trust”) and trust in the platform and infrastructure you use to access the service (“hard trust”). Both types of trust are important to ensure a sense of balance. </p>
<p>For instance, it’s of little use having an impregnable vault if consumers don’t trust the person with the key. Likewise, trusting a staff member is of little value if consumers can see there are safety flaws in the system. Consumers need to know that their trust (both hard and soft) is well placed before they can enjoy the added convenience of emerging technologies.</p>
<h2>Designing a sense of security</h2>
<p>Banks previously used physical design to create a sense of security and trust. This is called <a href="http://journals.sagepub.com/doi/abs/10.1177/0149206310388419">signalling</a> and involved the use of marble floors, metal bars, and imposing vaults in bank branches to reassure us that our money is safe. </p>
<p>As our banking shifted into apps and websites, we faced the same problem as chatbots currently do - the internet was undoubtedly more convenient but at the expense of a feeling of safety. This was also solved with design.</p>
<p>Websites and apps were designed to send similar signals as that of the physical bank branches. For instance, by using security symbols (such as the green padlock next to the URL of this website), logging customers out if they’re inactive for too long, and moving keyboards for entering online banking passwords. </p>
<p><a href="http://dl.acm.org/citation.cfm?id=1057001">Research</a> has found consumers feel more secure when a system generates a unique password for each login, than they do when they are allowed a permanent password. Even seeing the <a href="https://twitter.com/ANZ_AU/status/890750131959738368">initials of an employee in a Tweet</a> can humanise the interaction and instil trust. </p>
<p>All of these design aspects evolved to signal trust and security. But chatbots do not have access to these same design capabilities - you can’t do something as obvious as having a big vault or green padlock. </p>
<h2>So what does all this mean for chatbots?</h2>
<p>Research from <a href="https://www.accenture.com/t20170111T041601Z__w__/us-en/_acnmedia/Accenture/next-gen-3/DandM-Global-Research-Study/Accenture-Financial-Services-Global-Distribution-Marketing-Consumer-Study.pdfla=en#zoom=50">Accenture</a> indicates Australians are ready for artificial intelligence in the financial sector - 60% are open to entirely computer-generated banking advice.</p>
<p>And a World Retail Banking Report <a href="https://www.worldretailbankingreport.com/">found</a> that while 51% of consumers still prefer face-to-face interaction for more complex products and services, they also demand greater levels of digitised customisation and personalisation from financial institutions.</p>
<p>All of this means chatbots could work for banks. On the back end, chatbots can be secured <a href="https://chatbotsmagazine.com/how-secure-are-chatbots-2a76f115618d">just like websites and apps</a> - using two-factor authentication and encryption etc. </p>
<p>It’s important to promote this feeling in users too. A big part of it will be “humanising” the interaction. For instance, chatbots <a href="https://theconversation.com/the-future-of-chatbots-is-more-than-just-small-talk-53293">can be programmed</a> to seem more human - achieving the same thing as staff members’ initials on social media. They can be given names, personalities, and even emotions.</p>
<p>But this will just be the start. As artificial intelligence and chatbots become a part of daily life, the trust signals will need to be built, one digital brick at a time.</p><img src="https://counter.theconversation.com/content/81328/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Banks are experimenting with chatbots, but research shows we may not be ready to give them a go.Kate Letheren, Postdoctoral Research Fellow, Queensland University of TechnologyPaula Dootson, Research Fellow, PwC Chair in Digital Economy, Queensland University of TechnologyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/485612015-11-25T17:25:30Z2015-11-25T17:25:30ZMachine learning and big data know it wasn’t you who just swiped your credit card<p>You’re sitting at home minding your own business when you get a call from your credit card’s fraud detection unit asking if you’ve just made a purchase at a department store in your city. It wasn’t you who bought expensive electronics using your credit card – in fact, it’s been in your pocket all afternoon. So how did the bank know to flag this single purchase as most likely fraudulent?</p>
<p>Credit card companies have a vested interest in identifying financial transactions that are illegitimate and criminal in nature. The stakes are high. According to the <a href="https://www.frbservices.org/files/communications/pdf/research/2013_payments_study_summary.pdf">Federal Reserve Payments Study</a>, Americans used credit cards to pay for 26.2 billion purchases in 2012. The estimated loss due to unauthorized transactions that year was <a href="https://www.frbservices.org/files/communications/pdf/research/2013_payments_study_summary.pdf">US$6.1 billion</a>. The federal <a href="https://www.ftc.gov/sites/default/files/fcb.pdf">Fair Credit Billing Act</a> limits the maximum liability of a credit card owner to <a href="http://www.consumer-action.org/english/articles/questions_and_answers_about_credit_card_fraud/#Topic_07">$50</a> for unauthorized transactions, leaving credit card companies on the hook for the balance. Obviously fraudulent payments can have a big effect on the companies’ bottom lines. The industry requires any vendors that process credit cards to <a href="https://www.pcisecuritystandards.org">go through security audits</a> every year. But that doesn’t stop all fraud.</p>
<p>In the banking industry, measuring risk is critical. The overall goal is to figure out what’s fraudulent and what’s not as quickly as possible, before too much financial damage has been done. So how does it all work? And who’s winning in the arms race between the thieves and the financial institutions?</p>
<h2>Gathering the troops</h2>
<p>From the consumer perspective, fraud detection can seem magical. The process appears instantaneous, with no human beings in sight. This apparently seamless and instant action involves a number of sophisticated technologies in areas ranging from finance and economics to law to information sciences.</p>
<p>Of course, there are some relatively straightforward and simple detection mechanisms that don’t require advanced reasoning. For example, one good indicator of fraud can be an inability to provide the correct zip code affiliated with a credit card when it’s used at an unusual location. But fraudsters are adept at bypassing this kind of routine check – after all, finding out a victim’s zip code could be as simple as doing a Google search.</p>
<p>Traditionally, detecting fraud relied on data analysis techniques that required significant human involvement. An algorithm would flag suspicious cases to be closely reviewed ultimately by human investigators who may even have called the affected cardholders to ask if they’d actually made the charges. Nowadays the companies are dealing with a constant deluge of so many transactions that they need to rely on big data analytics for help. Emerging technologies such as machine learning and cloud computing are stepping up the detection game.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/103208/original/image-20151125-23821-1hjs8kh.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">It takes a lot of computing power.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/airforceone/2472281967">Stefano Petroni</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<h2>Learning what’s legit, what’s shady</h2>
<p>Simply put, machine learning refers to self-improving algorithms, which are predefined processes conforming to specific rules, performed by a computer. A computer starts with a model and then trains it through trial and error. It can then make predictions such as the risks associated with a financial transaction.</p>
<p>A machine learning algorithm for fraud detection needs to be trained first by being fed the normal transaction data of lots and lots of cardholders. Transaction sequences are an example of this kind of training data. A person may typically pump gas one time a week, go grocery shopping every two weeks and so on. The algorithm learns that this is a normal transaction sequence.</p>
<p>After this fine-tuning process, credit card transactions are run through the algorithm, ideally in real time. It then produces a probability number indicating the possibility of a transaction being fraudulent (for instance, 97%). If the fraud detection system is configured to block any transactions whose score is above, say, 95%, this assessment could immediately trigger a card rejection at the point of sale.</p>
<p>The algorithm considers many factors to qualify a transaction as fraudulent: trustworthiness of the vendor, a cardholder’s purchasing behavior including time and location, IP addresses, etc. The more data points there are, the more accurate the decision becomes. </p>
<p>This process makes just-in-time or real-time fraud detection possible. No person can evaluate thousands of data points simultaneously and make a decision in a split second.</p>
<p>Here’s a typical scenario. When you go to a cashier to check out at the grocery store, you swipe your card. Transaction details such as time stamp, amount, merchant identifier and membership tenure go to the card issuer. These data are fed to the algorithm that’s learned your purchasing patterns. Does this particular transaction fit your behavioral profile, consisting of many historic purchasing scenarios and data points?</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=564&fit=crop&dpr=1 600w, https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=564&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=564&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=709&fit=crop&dpr=1 754w, https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=709&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/103207/original/image-20151125-23830-1qjsvsa.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=709&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">I buy gas only during daylight hours.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/colorblindpicaso/3502628098">Christopher</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span>
</figcaption>
</figure>
<p>The algorithm knows right away if your card is being used at the restaurant you go to every Saturday morning – or at a gas station two time zones away at an odd time such as 3:00 a.m. It also checks if your transaction sequence is out of the ordinary. If the card is suddenly used for cash-advance services twice on the same day when the historic data show no such use, this behavior is going to up the fraud probability score. If the transaction’s fraud score is above a certain threshold, often after a quick human review, the algorithm will communicate with the point-of-sale system and ask it to reject the transaction. Online purchases go through the same process.</p>
<p>In this type of system, heavy human interventions are becoming a thing of the past. In fact, they could actually be in the way since the reaction time will be much longer if a human being is too heavily involved in the fraud-detection cycle. However, people can still play a role – either when validating a fraud or following up with a rejected transaction. When a card is being denied for multiple transactions, a person can call the cardholder before canceling the card permanently.</p>
<h2>Computer detectives, in the cloud</h2>
<p>The sheer number of financial transactions to process is overwhelming, truly, in the realm of big data. But machine learning thrives on mountains of data – more information actually increases the accuracy of the algorithm, helping to eliminate false positives. These can be triggered by suspicious transactions that are really legitimate (for instance, a card used at an unexpected location). Too many alerts are as bad as none at all.</p>
<p>It takes a lot of computing power to churn through this volume of data. For instance, PayPal processes more than <a href="http://blogs.wsj.com/cio/2015/08/25/paypal-fights-fraud-with-machine-learning-and-human-detectives/">1.1 petabytes of data for 169 million customer accounts</a> at any given moment. This abundance of data – one petabyte, for instance, is more than <a href="http://www.computerweekly.com/feature/What-does-a-petabyte-look-like">200,000 DVDs’</a> worth – has a positive influence on the algorithms’ machine learning, but can also be a burden on an organization’s computing infrastructure.</p>
<p>Enter cloud computing. Off-site computing resources can play an important role here. Cloud computing is scalable and not limited by the company’s own computing power.</p>
<p>Fraud detection is an arms race between good guys and bad guys. At the moment, the good guys seem to be gaining ground, with emerging innovations in IT technologies such as <a href="https://theconversation.com/chip-enabled-cards-may-curb-fraud-but-consumers-will-be-picking-up-the-tab-48410">chip and pin technologies</a>, combined with encryption capabilities, machine learning, big data and, of course, cloud computing.</p>
<p>Fraudsters will surely continue trying to outwit the good guys and challenge the limits of the fraud detection system. Drastic changes in the payment paradigms themselves are another hurdle. Your phone is now capable of storing credit card information and can be used to make payments wirelessly – introducing new vulnerabilities. Luckily, the current generation of fraud detection technology is largely neutral to the payment system technologies.</p><img src="https://counter.theconversation.com/content/48561/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Jungwoo Ryoo receives funding from the National Science Foundation (NSF). Eun-Kyeong Kim, PhD candidate in Geography at Penn State, assisted with a literature review for this article.</span></em></p>The end-of-year shopping whirlwind is underway. How does your credit card issuer watch out for fraudulent purchases on your account amid all those transactions?Jungwoo Ryoo, Associate Professor of Information Sciences and Technology at Altoona campus, Penn StateLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/369962015-02-04T05:59:00Z2015-02-04T05:59:00ZA wave of financial tech firms is shaking up the world of banking<figure><img src="https://images.theconversation.com/files/70968/original/image-20150203-25561-rypua0.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Technology is changing finance in ways Jefferson would never have imagined.</span> <span class="attribution"><span class="source">Marie Shearin Images/Shutterstock</span></span></figcaption></figure><p>Digital technology and pervasive access to the internet have reshaped many industries, and banking is no exception: <a href="http://www.hampdenandco.com/">Hampden and Co</a> is the latest in a short but growing list of <a href="http://www.computerweekly.com/news/2240238535/Six-challenger-banks-using-IT-to-shake-up-UK-retail-banking">digital-only banks</a> built not of bricks and mortar, safes and strongboxes, but which instead operate entirely virtually in the realm of cloud computing.</p>
<p><a href="http://thefinanser.co.uk/fsclub/2012/06/fidor-bank-from-one-extreme-to-another.html">Fidor Bank</a> in Germany implements web 2.0, e-commerce and gaming features together with mobile internet access to provide a seamless service. From the adoption of <a href="http://www.coindesk.com/fidor-becomes-first-bank-to-use-ripple-payment-protocol/">virtual currency payments</a> to <a href="http://www.ft.com/cms/s/0/4eea4798-81c6-11e3-87d5-00144feab7de.html">Facebook campaigns</a> to increase interest rates for savers, Fidor Bank is a great example of how the banking industry is being shaken up.</p>
<p>Historically the banking sector was innovative, but has become moribund. Mainstream banking in developed economies has dragged its heels to adopt new services, in part due to the inflexibility of their legacy information systems. </p>
<p>But the wave of changes that followed the 2008 financial crisis has put pressure on the sector to meet more stringent requirements of transparency and consumer choice. At the same time, the availability of increasingly cheap cloud computing and storage, business analytics and speedy mobile internet on smartphones allows for the creation of new businesses that were unthinkable only a few years ago.</p>
<h2>Re-inventing the wheel</h2>
<p>So while the big banks are taken to task for their lack of innovation and dull or unreliable online services, a new landscape is being carved out by smaller competitors and other financial services companies. Known as “fin tech” firms, they are upping the game and driving change faster through the otherwise staid financial services industry. For example, in the UK:</p>
<ul>
<li><p>Crowdfunding sites that help entrepreneurs to raise cash from the public in forms of donation, and rewards (<a href="https://www.kickstarter.com/">Kickstarter</a>, <a href="http://www.indiegogo.com">Indiegogo</a>, <a href="https://www.crowdfunder.com/">Crowdfunder</a>) or even equity (<a href="https://www.crowdcube.com/">Crowdcube</a>, <a href="https://www.seedrs.com/">Seedr</a>).</p></li>
<li><p>Peer-to-peer lending platforms, which matches lenders to individual borrowers (<a href="http://www.ratesetter.com/">Ratesetter</a>, <a href="http://www.zopa.co.uk">Zopa</a>) or companies looking for cash to invest or expand (<a href="https://www.fundingcircle.com/">Funding Circle</a>), or those creating a new marketplace for mortgages (<a href="https://www.lendinvest.com/">LendInvest</a>). </p></li>
<li><p>Online investment tools for wealth management (<a href="http://www.nutmeg.com/">Nutmeg</a>)</p></li>
<li><p>Currency trade systems based on mobile and cloud technology (<a href="https://www.currencycloud.com/">The Currency Cloud</a>, <a href="https://transferwise.com/">TransferWise</a>).</p></li>
</ul>
<p>Take the example of booming crowdfunding and peer-to-peer lending, an industry worth <a href="http://www.computerweekly.com/news/2240239246/UK-peer-to-peer-lending-exceeded-1bn-in-2014">£1.2 billion in the UK</a>. Peer-to-peer lending is a way of obtaining a loan via small contributions from a large number of lenders. It relies on online platforms that, together with powerful algorithms for risk analysis and tools to connect with social media channels, can bring together funders who spread over various geographical locations. In part, its digital only strategy makes this business viable, as this significantly reduces the cost of communicating and accessing information about both lenders and borrowers’ reputation and credit reliability.</p>
<p>These fin tech companies are great examples of how digital tech is being put to new uses, in stark contrast to most established banks. The lack of large legacy systems is an advantage, as adjustments to new features of their products or services can be performed rather quickly and with more agility. Of course they do not also rely on retail locations, large physical offices, or even buying and maintaining their own hardware.</p>
<h2>The future of digital banking</h2>
<p>How likely is all this to shake up the established order? Recent <a href="http://www.nesta.org.uk/publications/understanding-alternative-finance-uk-alternative-finance-industry-report-2014">figures from Nesta</a> show the crowdfunding market more than doubled to £1.74 billion between 2013 and 2014, but this is only 2.4% of the business lending market. </p>
<p>However, even if the niches that fin tech companies colonise do not seem to directly threaten established financial companies, they introduce alternatives to well-established ways of doing business. Perhaps one of the <a href="http://www.computerweekly.com/news/2240234889/80-of-Brits-trust-new-banks-if-they-have-good-technology">biggest threats</a> comes from digital giants such as Apple, Google or Facebook who are moving into the financial sector, either with new products or by acquiring fin tech start-ups.</p>
<p>Technology and new businesses also challenge assumptions about how financial services might be governed and regulated in the future. For the most part the boundaries between regulated and unregulated practices are not disputed. However, recent responses to virtual currencies such as Bitcoin and the financial advisory functions of some firms seem to prompt national and international regulators for a response.</p>
<p>These new businesses and their models could develop in a number of different ways. They could be largely absorbed into established elements of the financial sector, however reformed, through acquisition or by becoming part of a value chain with established firms. Alternatively, fin tech firms could extend their services to challenge the high street banks, aiming to become the answer to the criticisms levelled at today’s financial services sector. </p>
<p>In any case 2015 is, like recent years, shaping up to be a very active and interesting year for a sector where change is not generally kindly regarded.</p><img src="https://counter.theconversation.com/content/36996/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Carla Bonina received funding from the RCUK under the NEMODE programme in 2013-14 to conduct part of her research work into fin tech and new business models in the UK. </span></em></p>Digital technology and pervasive access to the internet have reshaped many industries, and banking is no exception: Hampden and Co is the latest in a short but growing list of digital-only banks built…Carla Bonina, Lecturer in Entrepreneurship and Innovation, University of SurreyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/332942014-10-28T05:55:42Z2014-10-28T05:55:42ZTargeted ‘malvertising’ reveals move towards more sophisticated hacks<figure><img src="https://images.theconversation.com/files/62903/original/x5pqqzk6-1414428704.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">First rule of advertising: don't believe the advertising.</span> <span class="attribution"><span class="source">Bloomua/Shutterstock</span></span></figcaption></figure><p>At the recent <a href="http://www.isse.eu.com/">Information Security Solutions Europe conference</a>, former White House cybersecurity adviser Howard Schmidt claimed that most security threats may be persistent, but are <a href="http://www.itproportal.com/2014/10/14/this-guy-advised-two-presidents-on-cyber-security-heres-what-he-has-to-say/">not as “advanced”</a> as their common acronym <a href="http://www.symantec.com/theme.jsp?themeid=apt-infographic-1">APT</a> (Advanced Persistent Threat) suggests. </p>
<p>In too many cases, Schmidt explained, major security breaches occur because hackers are able to exploit well-known vulnerabilities. These are software flaws that expose security holes, for which manufacturers released a patch to fix the problem – only for IT administrators to fail to act and apply them. It’s the equivalent of pushing on an open, unlocked door.</p>
<p>For the vast majority of successful attacks, he is probably right. </p>
<p>Sometimes these security holes are unknown until they are revealed to be the basis of an attack. These so-called zero-day exploits are researched and traded in a global marketplace, through both official channels and the black market. This is estimated at <a href="http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/">a few hundred exploits per year</a> for some of the largest software vendors, and it can be many months before these are patched.</p>
<p>Unpatched vulnerabilities are a problem for some companies more than others. Microsoft, for example, releases updates every month on “<a href="http://www.csoonline.com/article/2134437/malware-cybercrime/ie-zero-day-flaw-shows-kinks-in-microsoft-patching.html">patch Tuesday</a>”, while others like Oracle and Cisco release updates less frequently. </p>
<p>But it’s certainly likely that a lack of attention or competence among those responsible for keeping systems secure is what makes the majority of cyberattacks possible. However, that doesn’t necessarily mean it also causes the most damage.</p>
<h2>No help if you won’t help yourself</h2>
<p>The second <a href="http://www.cybersec.kent.ac.uk/Survey2.pdf">Kent Cybercrime Survey</a> in January 2014 investigated the attack vectors and countermeasures employed in a representative sample of 1,500 UK internet users. Around 20% of those who had been attacked in the past 12 months were still not applying basic internet hygiene and good practice. Defending against internet attacks is a little like avoiding a tiger: there’s no need to outrun it, only to outrun others also trying to escape. Total security is unlikely to be achievable, but “enough” security is required to prevent hackers going for easy targets and the path of least resistance. </p>
<p>For example, do the many people and organisations still running <a href="http://blogs.kent.ac.uk/unseenit/2014/03/14/software-end-of-life/">Windows XP and Internet Explorer 6</a> represent many victims of cyber attacks? Both have long since been declared <a href="http://windows.microsoft.com/en-GB/windows/end-support-help">end of life</a> and unsupported, which means no new security updates for newly discovered flaws. Or it may just be that the stakes are rising, with malware writers deliberately targeting more profitable victims rather than just the low-hanging fruit.</p>
<h2>Taking a harsher line</h2>
<p>A look at the approach by banks to internet fraud hints that this may be the case. Banks have always compensated their customers for any money lost through malware attacks or card fraud – presumably to encourage the uptake of online banking and so the massive potential savings the banks stood to gain from closing branches. But there has been a change of heart, as a <a href="http://www.thisismoney.co.uk/money/saving/article-2442642/Small-business-attacked-online-crooks--NatWest-wont-refund.html">bakery business in Surrey</a> found out last year.</p>
<p>The firm’s computer was infected with a piece of malware that circumvented the antivirus software and installed a keylogger. As they had not installed the bank’s recommended additional protection software the bank refused to cover the £19,600 stolen, claiming customer’s negligence. This is disgraceful behaviour from the bank, but it’s likely we’ll see further examples of it in the future.</p>
<h2>Follow the money</h2>
<p>There’s worrying evidence of increasingly sophisticated and well targeted attacks. Imagine you are a cybercriminal, tired of compromising thousands of computers without being able to transform that into cash. Every attack slightly increases the probability you will be caught, so a lower profile with fewer, more profitable targets is a better long-term strategy. You want wealthy victims and you want to know how wealthy they are – this is called <a href="http://time.com/money/3534651/price-discrimination-travelocity-orbitz-home-depot/">price discrimination</a> in economic theory, and it maximises profit. </p>
<p>This is where targeted advertising comes in. The cynical view of “big data” is even that personalised adverts are its main application – to serve you “<a href="http://www.theguardian.com/technology/2014/oct/08/sir-tim-berners-lee-speaks-out-on-data-ownership">ads that make you feel queasy</a>”, as Sir Tim Berners-Lee has said. Advertisers will queue up to pay to display their wares to internet users whose profiles have been suitably analysed for suitability to their products.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/tmzARXwD-Uo?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>Unfortunately the world of cybercriminals and malware has spotted this too. One instance of this has been dubbed <a href="http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-FINAL-10-18-14.pdf">Operation Deathclick</a> by security company Invincea. In this case specialised malware is written that impersonates targeted advertising, aimed at US defence industries, probably to steal trade secrets. This <a href="http://www.infosecurity-magazine.com/news/operation-deathclick-targets-us/">malvertising</a>, taking advantage of lax verification by the companies that serve up adverts embedded in web pages, these micro-targeted attacks are able to reduce the criminal’s visibility by being active only for short times, in varying locations and with different signatures. Consequently, they stand a much better chance of hitting only their intended victims, and evading law enforcement.</p>
<p>Clicking on ads had never been considered to be a good security practice – many implement “<a href="https://www.comodo.com/resources/home/newsletters/nov-10/ask-geekbuddy.php">drive-by</a>” attacks that surreptitiously download malware or do so by disguising it as something legitimate. When there are so many routes into your computer that not even seasoned security professionals are immune, it is obvious that average users will feel more than perplexed.</p>
<p>So with that in mind, it’s really not fair to blame the victim. Organisations such as banks profit handsomely from transferring their operations to the internet – and are thus more able to invest in crime prevention. If they fail to do so, sooner or later we’ll all find our digital pockets picked.</p><img src="https://counter.theconversation.com/content/33294/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Eerke Boiten is a senior lecturer in the School of Computing at the University of Kent, and Director of the University's interdisciplinary Centre for Cyber Security Research. He receives funding from EPSRC for the CryptoForma Network of Excellence on Cryptography and Formal Methods. He is a member of BCS and board member of its specialist group on Formal Aspects of Computer Science. He is also a director (governor) of The John of Gaunt School, a Community Academy.</span></em></p><p class="fine-print"><em><span>Julio Hernandez-Castro does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>At the recent Information Security Solutions Europe conference, former White House cybersecurity adviser Howard Schmidt claimed that most security threats may be persistent, but are not as “advanced” as…Eerke Boiten, Senior Lecturer, School of Computing and Director of Interdisciplinary Cyber Security Centre, University of KentJulio Hernandez-Castro, Lecturer in Computer Security, University of KentLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/255092014-04-10T15:06:42Z2014-04-10T15:06:42ZDon’t panic about Heartbleed but have a spring clean anyway<figure><img src="https://images.theconversation.com/files/46125/original/s57w9hb8-1397135208.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Take a duster to your password collection. It's as good a time as any.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/rbainfo/7010382747/in/photolist-bFu3y4-ixm4T-kCCbJ-55X48y">Karen Blakeman</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc/4.0/">CC BY-NC</a></span></figcaption></figure><p>The web is full of scare stories about the Heartbleed security vulnerability but panicking won’t help. Better to use this situation as an opportunity to clean up our acts. Few of us do it but we should all be in the habit of changing our passwords regularly.</p>
<p>Heartbleed is a bug in particular versions of a piece of software called OpenSSL that, theoretically, enables anyone with internet access to an apparently secure server to steal chunks of data, even if they were previously thought to be secure.</p>
<p>It has attracted attention more because of the scale of the problem than anything else. Initial figures suggest 500,000 websites could potentially be vulnerable, many of which are <a href="http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/">household names</a>. SSL (and its younger sister TLS) are the definitions by which two computers conduct the secret handshake that says how they will communicate securely. There are many versions of SSL but OpenSSL is the most common.</p>
<p>Its popularity is, in part, due to the fact that it is an <a href="https://theconversation.com/open-source-ditching-patents-and-copyright-for-the-greater-good-5302">open source initiative</a> which means that it is updated by a group of like-minded experts who are willing to make the underlying code (the source code) open for scrutiny. Many in the security world think this an excellent idea as it means we can spot security flaws. That said, it doesn’t necessarily mean we can do anything about them. And, if the vulnerability is hidden within an extremely complex set of source code, and it can be overlooked.</p>
<p>The good news about Heartbleed is that once the problem was found, it was quickly made public via channels that are specifically set up to alert the security community, such as the recently launched <a href="http://www.ukcert.org.uk/">UK CERT</a>. The bad news is that it appears it may have been in versions of the software going back up to two years.</p>
<p>The fact that it went unnoticed may not be a problem. The problem is we don’t know if cyber-criminals were aware of the vulnerability before the good guys and whether they were exploiting it. It will take some time to determine if any damage has actually been done, and it may be that we will never know. All we know for certain is that the vulnerability exists and that it is possible to exploit it to grab sensitive information such as passwords. But there is already a fix for the problem which any reputable website operator should be applying if they haven’t done so already.</p>
<p>So, why the advice from many, including me, to change your passwords? It’s not that people are suggesting there is cause for panic. This is a serious security flaw but it may have been caught in time. But in the absence of evidence, it would seem that prudent caution is a sensible approach. Since changing passwords is a simple thing to do and it’s good to regularly change them anyway, you might as well take this as a timely reminder to have a spring clean.</p>
<p>Of course, if someone is exploiting this vulnerability on a site you use then it makes no sense to update your password until the site has been upgraded to using a version of OpenSSL that is no longer vulnerable. This is a tricky conundrum as the majority of users will not really know how to find out if the sites they deal with were affected let alone if they have applied all the necessary upgrades. </p>
<p>The best you can really do is give them a reasonable amount of time to bring in a fix for Heartbleed and then update your passwords. And of course, if you don’t know if the site was affected at all then it seems prudent to assume it was and change your password anyway.</p>
<p>It is for that reason that the blanket advice has been to revisit all of your passwords. If you have the technical savvy to be able to pick your way through the sites and determine which you really need to change then I applaud you but I suspect you probably haven’t and, in the world of online security, it is always better to be safe than sorry.</p>
<p>With any event like this, sites immediately spring up saying they can test if a website you use is vulnerable. I would exercise caution with such online checkers as there is some evidence that their results are not always accurate. Plus of course there are scammers who just love to put up sites that claim to be helping in such a situation but then ask you to supply the very sensitive information that you may be worried has been compromised.</p>
<p>Online security is an area where panic and knee-jerk reactions can sometimes do more harm than good but it is also true that if there is any doubt about sensitive information having been compromised, even if it is a case of not knowing, it is sensible to assume that it is worth changing your password.</p>
<p><em>The Conversation operated on a system that used OpenSSL but fixed the vulnerability at midnight on Tuesday 8 April. As a precaution, we’d recommend users change their passwords.</em></p><img src="https://counter.theconversation.com/content/25509/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Alan Woodward does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The web is full of scare stories about the Heartbleed security vulnerability but panicking won’t help. Better to use this situation as an opportunity to clean up our acts. Few of us do it but we should…Alan Woodward, Visiting Professor , University of SurreyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/223572014-01-24T06:58:04Z2014-01-24T06:58:04ZFrom password to 1234, why we still fail the online security test<figure><img src="https://images.theconversation.com/files/39776/original/9s7xztvm-1390494443.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Memorable and secure. Really nailed this one.</span> <span class="attribution"><span class="source">reidrac</span></span></figcaption></figure><p>It’s as easy as “123456”, or so we’ve learned from Splashdata’s annual <a href="http://splashdata.com/press/worstpasswords2013.htm">worst password of the year</a> list. Slipping down to number two in this most recent list was last year’s favourite, the ever-popular password, “password”. It might be funny to laugh at the fools who use passwords like this but is your record really any better?</p>
<p>The top 25 list makes delightful reading: iloveyou, letmein, monkey, shadow, sunshine and princess all feature. If you prefer to lock up your data with numbers, there’s the full range, from 1234 to the ingenious 123456789. Or if you’re feeling powerful, how about admin? That’s a long-time favourite.</p>
<p>There’s a very simple point behind the use of passwords like this: we go online to get things done. We share photos with friends and family, shop, bank, book holidays, read the news, and, of course, work. We don’t go online for the joy of setting up a username and password. All we want is to log in and get on.</p>
<p>Advice to create “strong” passwords like XF8!#Sr fails because we won’t remember these a month, or even minutes, later. We do like passwords that are easy: birthdays, people’s names, pets, the name of the website we’re on. But these are surprisingly easy for other people to work out. And talk about “good” passwords doesn’t make any difference if you’re not convinced it’s worth the effort.</p>
<p>Letting people into your accounts has consequences, from the annoying to the dangerous. They can change information for a <a href="http://answers.yahoo.com/question/index?qid=20130727113846AAxdV1p">prank</a>, like saying your relationship has ended when it hasn’t. But they might also order goods in your name or take your money. They might even send porn to your boss, stalk you or talk about you in the press. There is also information in your accounts about your family, friends and colleagues, so it’s not just you at risk.</p>
<h2>What makes a strong password?</h2>
<p>According to Tony Neate, head of <a href="http://www.getsafeonline.org">Get Safe Online</a>, the government initiative to help the public understand what they you can do to protect themselves, even using a password as simple as <a href="http://www.theguardian.com/technology/2014/jan/20/uk-cyber-security-chief-the-password-abc123-is-better-than-nothing">abc123</a> is better than having none at all. Do note though, he’s not actually saying use abc123. You’ll notice it’s on the worst of 2013 list already.</p>
<p>There are some simple rules to building good passwords that you should follow though. Do use eight characters or more, since short is always weak, and do use phrases. It helps if they’re ones that mean something to you, but other people wouldn’t know. Or make up a nonsense one, like greenideassleepfuriously. Don’t use this exact one; it’s got <a href="http://www.princeton.edu/%7Eachaney/tmve/wiki100k/docs/Colorless_green_ideas_sleep_furiously.html">history</a>.</p>
<p>You could also use abbreviated phrases and, again, they’re better if other people don’t know them. Spot how this, gNdSsPfY, relates to the phrase above. And when you decide on your password, it’s best to use a mix of lowercase and uppercase letters, and numbers and to add in some other characters (like ! @ %).</p>
<p>What you really shouldn’t do is use a single word, not even ones you think no-one else knows. They are all in a dictionary and can therefore be found by potential hackers or thieves, especially when they use automated techniques to test out all the different options in a matter of seconds. Even if you think it’s smart, remember that foreign words are also in dictionaries. So are names of people, places, your favourite club and your company name.</p>
<p>And a note to mobile phone users who connect dots on a screen to produce a shape that unlocks the device: while these can be easier to use, it isn’t yet clear that they’re any safer than a password or code in the long run. Humans like patterns, so we draw simple shapes, like squares, and even use letters, say a big X. We are predictable animals.</p>
<h2>What else can I do?</h2>
<p>Biometrics use fingerprints and face recognition to secure devices and information but their uptake has been limited so far. This type of technology generally still works best in controlled environments, like airports.</p>
<p>Password managers are also an option. These store lots of easier-to-remember passwords in a file or system with one much stronger password. Generally, to use these you have to pay money and indeed, companies such as Splashdata offer services like this and benefit from worst password lists. This isn’t a surprise; they are putting in effort to make something that works.</p>
<p>There’s also research into alternatives to text-based passwords which might offer a ray of hope to those of us who can’t move on from abc1234. Examples include clicking or tapping on different parts of a picture, solving puzzles, and recognising faces. The general idea is that humans are better at remembering images than words or jumbles of characters.</p>
<h2>Blame game</h2>
<p>If you choose easy passwords, sadly, you do leave yourself open to other people’s bad intentions. But it isn’t just down to you as an individual, and blame doesn’t help. The web is becoming part of so much of our lives but is still new to all of us. Being safe and secure online has to be learnt and taught – and not by accident or magic.</p>
<p>Initiatives such as Get Safe Online are part of the education we need as a society. So is accessible education for people of <a href="http://www.youtube.com/watch?v=2k7J2N6SJFM">all ages and backgrounds</a>. Organisations, commercial or not, need to play an active and responsible role in keeping people’s data secure, and making sure that passwords are used well.</p>
<p>In fact, the worst passwords of the year lists are informed by the mistakes that companies, not users, make. Splashdata was able to identify what the most commonly used passwords were in the first place largely because software company Adobe lost data on <a href="http://www.theguardian.com/technology/2013/nov/07/adobe-password-leak-can-check">150 million</a> customers.</p>
<p>We should work to inform ourselves and share information with those around us about how to keep our information secure. Just don’t share your password.</p><img src="https://counter.theconversation.com/content/22357/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Peter Norrington received funding from The Engineering and Physical Sciences Research Council (EPSRC) and Kinetic Solutions Ltd. under Industrial CASE Training Grant 4302508.</span></em></p>It’s as easy as “123456”, or so we’ve learned from Splashdata’s annual worst password of the year list. Slipping down to number two in this most recent list was last year’s favourite, the ever-popular…Peter Norrington, Researcher, University of BedfordshireLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/219342014-01-13T06:11:10Z2014-01-13T06:11:10ZUK trails European neighbours on cyber-security<figure><img src="https://images.theconversation.com/files/38852/original/v59wfk5t-1389370557.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyber-security takes more than cautious laptop ownership.</span> <span class="attribution"><span class="source">sridgway</span></span></figcaption></figure><p>To my amazement, the latest <a href="http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf">Eurobarometer survey</a> on Cyber Security across Europe received very little attention in the UK, despite its quite revealing findings.</p>
<p>The report shows in no uncertain terms that, notwithstanding what politicians like Francis Maude MP <a href="http://news.sky.com/story/1181481/cybercrime-strategy-has-made-uk-secure">say</a>, the UK is doing quite poorly in comparison to our neighbours. Much more needs to be done to meet the cyber security standards of countries like Denmark, the Netherlands, France or Germany. </p>
<p>The Eurobarometer findings might come as a shock to ingenuous readers of a recent <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/265384/Progress_Against_the_Objectives_of_the_National_Cyber_Security_Strategy_December_2013.pdf">Cabinet Office report</a> announcing that two years after launching the national strategy, it has resulted in “making the UK one of the most secure places in the world to do business in cyberspace”. This seems to be quite of an overstatement, as the report shows the UK is in fact the worst place in Europe on a number of crucial areas, and there was no sign of improvement in the 12 months since the last survey, even with heavily publicised government <a href="http://www.businesscloud.co.uk/tech-talk/government-invests-extra-pound260m-into-uk-cyber-security">investment in cyber security.</a></p>
<h2>A failing strategy</h2>
<p>One of the most notable areas in which the UK is trailing its neighbours is identity theft. The barometer reveals that 11% of UK citizens have been a victim of this type of crime, the highest rate in Europe, where the average among member states is just 6%.</p>
<p>UK citizens are also the most likely to suffer the consequences of online banking fraud. Only 3% of Germans experience this crime, while 16% of UK citizens were affected. The EU average here is 7%. </p>
<p>Another sore point is online fraud. A total of 16% of the surveyed UK citizens (again the worst rate in Europe) have experienced fraud of this kind, whereas the EU average is 10%. </p>
<p>The UK also performs badly in email account hacking, given that 19% have fallen prey to it (surprise, surprise, the worst figure again across the 27 European countries), where the EU average is 12%.</p>
<p>These are all quite troubling findings, and make for an unequivocal assessment of a cyber security strategy that is, to put it mildly, not working.</p>
<h2>Plugged-in individuals</h2>
<p>If the record for suffering from a variety of cyber crimes is shamefully high in the UK - compared with countries like Germany, Denmark, the Netherlands or even France - it is certainly not UK citizens to blame. </p>
<p>The barometer shows that 63% of individuals changed their online services password in the past year, placing us in a creditable 4th position in Europe.</p>
<p>UK citizens also have a praiseworthy record for changing their passwords for social media accounts and shopping websites. The survey discovered that 36% had done the former in the past 12 months, and 27% had done the latter. An impressive 60% of UK people said they felt informed about cyber crime, and 48% were concerned about online payments. </p>
<h2>Putting the law on the side of the citizen</h2>
<p>So why has the UK performed so badly on cyber security? The figures don’t admit any trivial explanation. Its shortcomings can be attributable to a complex combination of multiple factors including poor governmental policies, a lack of access to cyber security education, and weak laws for data processing that favour banks and large companies rather than the rights of individuals.</p>
<p>We have, for example, recently witnessed a worrying increase in the number of cases where banks have not returned customers’ money <a href="http://www.thisismoney.co.uk/money/saving/article-2442642/Small-business-attacked-online-crooks--NatWest-wont-refund.html">stolen online</a>. They will conveniently blame them of negligence or fraud. For the banks, which can fall back on their own legal teams, this is the easiest and cheapest solution for addressing the problem of sophisticated attacks against their customers. Clients are left with almost no options to fight this cynical but profitable approach. Only new laws can stop this abuse. Laws to protect customers in these and similar cases would additionally force banks <a href="http://theconversation.com/ancient-it-makes-a-banking-meltdown-inevitable-21866">to seriously invest in IT</a> to curb down losses, which, in turn, would improve overall security. If these laws are not introduced, banks will have no motivation at all to invest in extra security, and customers will continue to pay for balance discrepancies. This is clearly an open avenue for abusive behaviour, and we will in all likelihood see more of it in the near future if nothing is done.</p>
<p>We can unquestionably improve security by passing laws that force banks and other private companies to invest more extensively in security products and technology. They could be required to take responsibility for at least some of the losses, or pay more hefty fines in case of a mishap. But these companies are the main beneficiaries of the status quo, so this won’t happen, or not at the needed pace.</p>
<p>So perhaps we should turn to citizens once again. Over the past few years, Massively Open Online Courses have started to offer individuals the chance to improve their understanding of all kinds of subjects. MOOCs aimed at informing people on how to protect themselves online could raise awareness and contribute to even better cyber security practises. In a rare example of wisdom, it seems this is currently being done with NCSP funding and the cooperation of the Open University. It is expected to run for the first time on the summer. Another good governmental initiatives are the development of cyber security modules at GCSE and A-level, of a cyber security Higher Apprenticeship scheme, and some awareness campaigns. </p>
<h2>The Future</h2>
<p>The survey, which involved 1,314 UK citizens, was carried out between May and June last year. Any later and perhaps we might have found quite different results, given the impact of the revelations by Edward Snowden about the extent to which the US government spies on people around the world. </p>
<p>I hope the next Eurobarometer will attract more attention from the media, and will be acknowledged by our politicians. I expect funding in cyber security to become more accountable for in the future, in order to evaluate whether we are making the right investments, and external inputs like the Eurobarometer and <a href="http://www.cybersec.kent.ac.uk/Survey1.pdf">others</a> to be taken more seriously. </p>
<p>What I don’t expect anytime soon, for a variety of reasons highlighted before, are better UK results.</p><img src="https://counter.theconversation.com/content/21934/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Julio Hernandez-Castro does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>To my amazement, the latest Eurobarometer survey on Cyber Security across Europe received very little attention in the UK, despite its quite revealing findings. The report shows in no uncertain terms that…Julio Hernandez-Castro, Lecturer in Computer Security, University of KentLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/218662014-01-09T06:22:26Z2014-01-09T06:22:26ZAncient IT makes a banking meltdown inevitable<figure><img src="https://images.theconversation.com/files/38694/original/s9zgdpcz-1389197684.jpg?ixlib=rb-1.1.0&rect=10%2C6%2C1007%2C649&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The shoulder pads are gone but the IT infrastructure remains.</span> <span class="attribution"><span class="source">Phagan photos</span></span></figcaption></figure><p>A <a href="http://www.kpmg.com/UK/en/IssuesAndInsights/ArticlesPublications/Documents/PDF/Market%20Sector/Financial%20Services/uk-banks-half-year-results2013.pdf">KPMG</a> report warned last year that the next systemic shock to UK banking could come from an as yet unforeseen event, such as a massive payment outage or a cyber attack. Since the IT systems in most banks are complex and some essential parts of these systems are very old, a system outage is almost inevitable. The IT systems that hold up our every financial move are a disaster waiting to happen. </p>
<h2>A few days to disaster</h2>
<p>In the summer of 2012, a routine <a href="http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/9358252/RBS-computer-failure-caused-by-inexperienced-operative-in-India.html">software update in India</a> caused an IT meltdown at the Royal Bank of Scotland. As a result, 17 million customers were locked out of their accounts for days. This was followed by a <a href="http://www.bbc.co.uk/news/business-21694704">hardware failure</a> in March 2013 that prevented millions of customers from accessing online services and ATMs for hours. While the bank is still under investigation by the Financial Conduct Authority over these incidents, it suffered a third embarrassing system outage on the busiest online shopping day before Christmas last year, followed by yet another IT failure a few days later.</p>
<p>Catastrophic IT failures such as these can lead to financial chaos, create financial hardship for both businesses and families and, if not quickly addressed, may even lead to social breakdowns. If employers are unable to pay employees and people are unable to pay their rents, buy their groceries and medicine or pay for their transport, utilities and credit card bills, social unrest may ensue.</p>
<p>Due to the enormous number of transactions that take place every day in the financial sector, a major bank only has a matter of days to recover after suffering a catastrophic IT failure. If it fails, the backlog of financial transactions would simply become unmanageable, and the bank would be overwhelmed. This is of course an Armageddon scenario, but it is highly probable given that some of the core IT systems used by all UK banks were developed in the 1960s and 70s. We should be prepared for more problems like this to strike in the coming years.</p>
<h2>IT legacy systems in UK banking</h2>
<p>The term “legacy” in IT describes software applications, operating systems and occasionally hardware and network infrastructure developed and implemented before the early 1990s. Legacy IT systems form the core of a daily processing cycle in UK banking, much of which is still overnight batch-based processing rather than in real time, despite significant technological advances in recent years.</p>
<p>These systems have been at the very core of payments transmission, bank transaction processing and account maintenance and management for more than 40 years. They were initially designed in the 1960s to automate branch accounting, and by the 1970s and 1980s the range of software applications expanded to help banks improve services, reduce costs and speed up transaction and payment processing. Many of these systems remain in operational use today.</p>
<h2>New wine in old wineskin</h2>
<p>Despite significant annual IT investment by most banks (from hundreds of millions of pounds to multi-billion-pound investments), almost <a href="https://www.techuk.org/component/techuksecurity/security/download/240?file=Financial_infrastructure_-_can_banks_afford_no_to_change_WEBSITE.pdf&Itemid=181&return=aHR0cHM6Ly93d3cudGVjaHVrLm9yZy9pbnNpZ2h0cy9yZXBvcnRzL2l0ZW0vMjQwLWZpbmFuY2lhbC1pbmZyYXN0cnVjdHVyZS1jYW4tYmFua3MtYWZmb3JkLW5vdC10by1jaGFuZ2U=">80% of that investment</a> goes towards maintaining and improving the existing core applications base – including legacy systems. The remaining 20% has historically been devoted to a range of short-term and medium-term IT developments.</p>
<p>Typically, more than half of that 20% is spent on projects that either meet a immediate product or service demand or are needed to respond to new regulatory reporting requirements.</p>
<p>That leaves just 8-9% for medium-term – and occasionally long-term – strategic programmes. To match the astonishing speed of IT development, this level of investment is pitifully inadequate. The impact is most noticeable where game-changing technologies are applied, and is particularly pronounced in retail banking where consumer expectations are changing rapidly. For example, people increasingly expect to have access to a range of banking services not only via their PCs but also via their mobile devices. </p>
<p>For many UK banks the only practical response is to use the legacy systems as a launch pad for new applications. The front-end applications are newly developed but all the back-end processing remains within the legacy system.</p>
<h2>Unwilling to change</h2>
<p>For most senior banking executives, IT is viewed as a cost. The pressure to reduce cost has led to an increasing dependence on IT outsourcing and offshoring over the past 20 years. Often this process means that systems fail to meet client expectations and many of these projects are questionable in terms of return on investment.</p>
<p>Still worse, IT is often viewed by senior executives as a “basket case”, plagued with missed project deadlines, budget busting overspends and an astonishing track record of project failure. This has often led to an unforgiving bias towards IT which militates against long term investment.</p>
<p>One result is a pronounced lack of economic will by senior executives to sponsor – or even be seen sponsoring – strategic IT initiatives. This is further exacerbated by the short tenure for key executives and CIOs in major banks and frequent structural and personnel upheaval. The outcome is a lack of credible medium to long-term strategic planning for IT in most banks.</p>
<h2>The solution</h2>
<p>The likelihood for any UK banks to overcome the legacy IT degenerative problem at an individual level is very slim. Even some of the new entrants to the market have decided to use licensed IT systems which are essentially legacy applications.</p>
<p>Senior leaders from UK banks need to get together urgently to systematically explore the challenges and opportunities associated with upgrading the IT infrastructure for UK banking. This is not an issue for the IT professionals alone. It is a strategic issue that calls for the full involvement of senior business executives. The alternative is to continue to bury our heads in the sand, waiting for the next inevitable disaster to strike. </p>
<p><em>Ian Marshall, senior advisor to Sopra Group Financial Services, also contributed to this article.</em></p><img src="https://counter.theconversation.com/content/21866/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>The views expressed in this article are those of the author and not of Cass Business School.</span></em></p>A KPMG report warned last year that the next systemic shock to UK banking could come from an as yet unforeseen event, such as a massive payment outage or a cyber attack. Since the IT systems in most banks…Feng Li, Associate Dean for Research and Enterprise, Cass Business School, City, University of LondonLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/201772013-12-04T06:31:21Z2013-12-04T06:31:21ZHard evidence: how much is your data worth to you?<figure><img src="https://images.theconversation.com/files/36810/original/vfktftrv-1386075670.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Data protection may soon come at a price.</span> <span class="attribution"><span class="source">Randomskk</span></span></figcaption></figure><p>Data privacy is on our minds like never before. In a relatively small amount of time many of us have gone from carrying out our daily transactions in person to conducting them digitally. We pay energy bills online, conduct banking online and interact with friends online. All these transactions leave a trail of data as we go. While it is often promised that this data is secure, it can often also be used by undisclosed third parties.</p>
<p>The data can be used to improve the service we get but we also know that sometimes it is used to sell us more things. While almost all of us carry out digital transactions, few of us have got to grips with what it actually means to let our data out of our sight.</p>
<p>Companies usually won’t share our identifiable data without telling us but many of them profit by either using it themselves or selling it off to others, whether aggregating it with other people’s data or after performing some analysis on it. By combining different types of data, such as spending and GPS location, these companies gain valuable insight into our habits.</p>
<p>We are moving towards a world in which companies could spring up with offers to manage our data on our behalf. But how much would you be willing to pay to keep that data under lock and key? </p>
<p>In our research <a href="http://www.horizon.ac.uk/Current-Projects/becoming-dataware">project</a>, we asked a group of participants to think about different types of data, including physical location GPS, electricity bills, broadband usage, mobile phone bills, loyalty cards, internet browsing, demographics, social networking and bank statements. We wanted to find out whether people see these different types of data differently and how concerned they were about their information being protected.</p>
<h2>Fear and function</h2>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=215&fit=crop&dpr=1 600w, https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=215&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=215&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=271&fit=crop&dpr=1 754w, https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=271&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/36811/original/mzqhpp5v-1386076673.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=271&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">How do security concerns weigh up against benefit?</span>
<span class="attribution"><span class="source">University of Nottingham</span></span>
</figcaption>
</figure>
<p>62 participants commented on what they thought about different pieces of personal data and whether each was associated more with security concerns or potential benefits. Security is an important theme when people talk about their physical location, mobile phone bills, social networking or bank statement data. Participants were recorded as saying that data like this was personal and should only be shared when it is necessary to do so. </p>
<p>But it appears the benefits far outweigh security concerns when it comes to loyalty card data. Participants said there are benefits in sharing this type of information and even that the information contained on loyalty cards “can’t harm me or anyone”. When participants said they wouldn’t share personal information on social networks, their motivation appeared to be related to security.</p>
<p>Participants also said that some of their data was connected to other types of information. The types of data considered to be linked to others included physical location, broadband usage, internet browsing history and social networking data. Bank statement data was not considered to be particularly linked to other types of data, which might mean that people don’t see bank statement information as reflecting any other aspects of their life other than spending money. But that is not necessarily true. Our bank statement data can be used in conjunction with other types of data such as electricity bill information to better understand our habits and even predict our future behaviours, such as the likelihood that we will pay off a credit card bill. </p>
<h2>How much are they willing to pay?</h2>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=394&fit=crop&dpr=1 600w, https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=394&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=394&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=495&fit=crop&dpr=1 754w, https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=495&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/36831/original/7mm3cgpw-1386092812.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=495&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Coughing up for data protection.</span>
<span class="attribution"><span class="source">University of Notthingham</span></span>
</figcaption>
</figure>
<p>Next we asked another group of 60 participants to imagine they had a new smartphone app that would collect their personal data from transaction such as those described above. They were given the choice of either paying a fee to stop their data being shared anonymously with the company that provided the service in the first place or to use the “free” version of the app, which would allow their data to be shared. They could decide to pay either £20 or between 50p and £15 in cases where they would agree to a fee. </p>
<p>Nearly 70% said they would pay up to £20 to protect their bank statements and digital communication history data but only 20% of participants were prepared to pay the same amount to protect data from household bills, online purchasing history, internet browsing and search history, and demographic information.</p>
<p>Again, the lack of security concerns about loyalty card data shows through, with 70% of participants saying they would not be willing to pay anything to protect this kind of data. There was also limited interest in paying to prevent web browser search history or demographic information being shared. Again, protecting social networking info is a priority, with 80% of participants willing to pay to have it kept private and 50% agreeing to pay the £20 premium.</p>
<h2>Which data is most important?</h2>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=424&fit=crop&dpr=1 600w, https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=424&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=424&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=533&fit=crop&dpr=1 754w, https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=533&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/36832/original/4pvzfns9-1386092988.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=533&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Different values for different data.</span>
<span class="attribution"><span class="source">University of Nottingham</span></span>
</figcaption>
</figure>
<p>A third study involving a questionnaire filled out by 853 participants reinforced the findings of the first two. People were found to be willing to pay the highest amount to protect bank statement data, which was shown to carry a value of up to £30. The second most important type of information seems to be social network profiles and history and physical location data. People care a little bit less about broadband bills, mobile phone bills, loyalty cards, internet browsing history, demographic information, but they will still pay something to protect it.</p>
<p>The least important data for our participants was electricity bill data – which is surprising, given how much value energy companies are leveraging from this kind of data about individual behaviours at home.</p>
<p>All in all, the figures show that participants were well aware of the security risks associated with their bank details. However, loyalty card information or household energy data does not seem to be a particularly significant concern for most, even though this type of information is used by shops and energy companies on a very granular level to make decisions that affect our purchasing on a daily basis. It’s a sign of the changing times we live in that many appear to see this as a benefit.</p><img src="https://counter.theconversation.com/content/20177/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Anya Skatova does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Data privacy is on our minds like never before. In a relatively small amount of time many of us have gone from carrying out our daily transactions in person to conducting them digitally. We pay energy…Anya Skatova, Research Fellow, Horizon Digital Economy Research Institute, University of NottinghamLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/204402013-11-21T03:28:53Z2013-11-21T03:28:53ZBarclays is closing branches, but Aussie banks slow to follow<figure><img src="https://images.theconversation.com/files/35537/original/m3cfd22c-1384822002.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Bank of Melbourne relaunched its new look branch network in 2011 as part of a broader push to build customer relationships.</span> <span class="attribution"><span class="source">Joe Castro/AAP</span></span></figcaption></figure><p>UK banking giant Barclays has revealed <a href="http://www.ft.com/intl/cms/s/0/e90e3854-4fa6-11e3-b06e-00144feabdc0.html#axzz2l2nS3EXo">plans</a> to lay off 1700 branch staff and shrink its branch network as customers embrace online and mobile banking.</p>
<p>The street faces of banks are changing quickly. Where once banks had big buildings, strong walls and lots of marble facings, all designed to impress users with strength, solidity and safety, new branches can look more like pop-up shops. Certainly outside Australia, pop-up banks located in shopping malls are becoming common. Even here, bank sales sites are cropping up in shopping malls without any cash handling facilities at all.</p>
<p>The drivers are the standard ones. Branches are costly to run. Even the smallest branch will have four staff, with two or three of them not busy most of the time. A new branch also takes about three years to become profitable so branch expansion can put a drag on the business.</p>
<p>Patronage is also changing. As facilities to do banking by desktop or mobile device and online payments become easier to use, the need to visit the bank declines. Exponential <a href="http://www.smh.com.au/business/mobile-banking-rings-up-net-victory-20130203-2dslw.html">growth</a> in mobile banking has exceeded that of early internet banking, surpassing the expectations of the major banks. </p>
<p>But despite the growth, bank points of presence have only been declining slowly in Australia. The latest APRA data suggests that they have fallen from 7975 in 2004 to 7725 this year. The drop for credit unions has been from 1485 to 783 over the same period, and from 550 to 286 for building societies. But the big drops for credit unions and building societies are misleading since a number of them have converted to banks, nine in the last two years. If we take the total points of presence for all financial institutions, the number of branches has fallen from 13059 to 12036 between 2004 and this year (about 8%).</p>
<h2>Branch politics</h2>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=916&fit=crop&dpr=1 600w, https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=916&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=916&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1151&fit=crop&dpr=1 754w, https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1151&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/35543/original/tw5fjkwk-1384822735.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1151&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">In 2002 NAB announced the planned closure of 56 rural branches in a bid to save $370 million.</span>
<span class="attribution"><span class="source">Joe Castro/AAP</span></span>
</figcaption>
</figure>
<p>Since there is usually a public outcry when communities lose a bank, politicians and banks treat the risk of complaint seriously. Potential closures are usually subject to substantial community consultation, and closures where banks are scarce are scrutinised particularly carefully. This might be one reason why the decline in branches in remote and very remote regions has only declined from 209 to 204 over the last decade.</p>
<p>Bank attitudes to branches have <a href="http://www.couriermail.com.au/business/bank-of-queensland-eyes-trimmer-branch-network-says-majors-get-more-market-share-for-presence/story-fnihsps3-1226760204537">changed</a> over time. Branches were cut back sharply in the 1990s, as EFTPOS, credit cards and ATMs were seen as the wave of the future. This caused a consumer backlash which damaged bank reputations. </p>
<p>Through the 2000s, banks took a different approach, realising that having good relations with customers was important both to help raise deposits and to sell additional products. But now the underlying economics of branches is changing: demand for standard services in branches is falling off as a result of customer choice rather than bank initiative.</p>
<p>So how do banks adapt? Essentially the bank branch is being reinvented. Branches are being made cheaper to operate with videoconference access to specialists, coin sorting machines, and internet facilities, and much reduced floor space. </p>
<h2>Keep the branch, move the cash</h2>
<p>Branches are also being made safer by under-floor cash repositories which means tellers do not have drawers bulging with cash. These strategies can reduce the cost of a branch while maintaining its operations so that it is not necessary to close them or to upset the local community.</p>
<p>The Australian banks are also changing the function of their branches to incorporate wealth management, insurance or share trading facilities. The modern branch is being refocussed to offer the full suite of financial services and self-service, allowing the considerable overheads to be spread across a wider range of services. So far none as gone as far as some of the Spanish bank branches where you can buy a ham or a bicycle as well as making a deposit.</p>
<h2>The regulator in the room</h2>
<p>Regulation can reinforce this transition. Under the Basel III reforms, the regulators are encouraging banks to have more stable funding. Term and other stable deposits will probably bear a higher interest rate as a result. And banks will respond by chasing harder for stable retail deposits, with branches playing an important part in their retail strategy.</p>
<p>Where the history of bank runs has images of people queued up in the street to withdraw deposits, this is actually much less of a problem than funds that can be withdrawn at the press of a button.</p>
<p>Regulation will make standard retail deposits more valuable to banks than say online deposits – because they are stickier. Banks will find retail and transactional customers more valuable, and so will do everything they can to keep customers returning to their branches, meaning the range of services bundled into your local branch is only likely to expand further.</p><img src="https://counter.theconversation.com/content/20440/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Rodney Maddock does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>UK banking giant Barclays has revealed plans to lay off 1700 branch staff and shrink its branch network as customers embrace online and mobile banking. The street faces of banks are changing quickly. Where…Rodney Maddock, Vice Chancellor's Fellow at Victoria University and Adjunct Professor of Economics, Monash UniversityLicensed as Creative Commons – attribution, no derivatives.