End user security psychology, part I: Are small mobile computers less secure than larger mobile computers?
Posted by Bill Nagel on March 27, 2008
In the course of researching mobile authentication and mobile signatures -- using a cell phone as the alternative to a token for identity, authentication, and signing purposes -- this post from Finextra’s Chris Skinner on why mobile banking and payments don't work (yet) caught my eye. Hint: People don't want them. But why?
Given that my colleagues serving eBusiness, channel, and product marketing professionals are also officially skeptical about the prospects of mBanking and mPayments, I expected him to trot out one of the usual rationales for this, including:
- When it was first tried several years ago, mobiles simply didn't support a usable (Web) interface. Screen real estate was lacking, mobile Net browsers were beyond clunky, data plans were prohibitively expensive: all of the annoyances of online banking in an even less usable format.
- The lack of a broad use-case across the entire range of transaction values. To minimize risk, there are often limits to what can be done on the mobile: caps on transaction amounts, no payee setup, etc. But this can put the squeeze on many mobile banking systems: Consumers then need to use the online channel anyway for large transactions, and small everyday transactions (like micropayments) are easily handled by debit cards (contact and contactless), NFC chips, and even good old-fashioned cash.
- Compatibility problems between Java-based apps that generate one-time passwords (OTPs) and "Java-enabled" phones, which hinder OTP generation on the mobile.
- The difficulty of switching back and forth between mobile phone apps, for example to copy an OTP received via SMS into the mobile browser.
Instead, Skinner thinks it's primarily due to "th[e] psychology of a mobile device being insecure." In other words, you're using something small, in public, that's easily grabbed or shoulder-surfed. He admits that mobile banking is often more secure than online banking, but it just doesn't feel that way. And a recent survey of Americans gives reason to think that he might be right.
The online channel is a fatter target at the moment, but fraudsters will eventually follow the ever-widening trail of breadcrumbs to mobile, so from a security standpoint, there's little reason to privilege either the Internet or mobile channel as more secure in the long term.
But from a consumer adoption standpoint, if this feeling is indeed widespread, it causes problems. I suspect, though, that if this is a common view and not just an artifact of how survey questions are framed, it's also one that will shift on its own in a few years. If the benefit is clear and the system convenient, people will use it and not worry too much about the security (much to our professional chagrin). Note that the survey cited above mirrors those done on online banking several years ago, and look at what a failure online banking has been since!