This October, in India and Bangladesh, there is a planned roll out of a technology that will enable anyone to transfer money between bank accounts, credit cards and phones via text messages from a cellular (mobile) phone. Using Obopay, you can sign up for an account, and start moving your money around like its nobody’s business.
From the article:
Grameen Solutions, an affiliate of Nobel Prize winner Muhammad Yunus’ Grameen Bank, this week teamed with Obopay Inc., a for-profit mobile payment company based in California, to bring banking to a billion poor people using cellphones.
“Today, it’s difficult to reach these people,” Obopay India Executive Director Aditya Menon said at a news conference in India’s financial capital, Mumbai. “If you solve that problem, you are enabling them to enter the economy.”
The question is, however, will security be an afterthought or will it be a primary focus of this offering? Enabling the access to, and money transfer between, accounts from a mobile platform will require rigorous security safeguards. Surely Obopay has thought of this right? Well, the Obopay website states that it indeed secure as you are required to specify a PIN number upon the creation of your account. This PIN is used any time you send money so “even if you lose your phone your money is safe”….safe?….SAFE?
Why isn’t multi factor authentication a requirement? How easy would it be for someone to pick up your cell phone and empty out your bank account if they knew your super-secret PIN number? How easy would it be for someone to beat your PIN number out of you?
These are all questions that I would have expected to be addressed during the design and implementation of this new technology integration. Alas, it appears that this is not so. Why is that again?
More from the article:
The payoff could be big for companies providing these services. People who are now “unbanked” in China, India and Brazil alone could generate $85 billion in banking revenue by 2015, according to an estimate by the Boston Consulting Group.
Ahhh…that’s right. Money. I often forget that making boat loads of money is always justification for poor application security planning.