The Importance of Mobile Security – Techstrong TV

The emergence of mobile ‘super apps’ brings with it a new threat landscape and security posture. Organizations must ensure they operate safely in untrusted environments while providing a convenient, seamless user experience. Sam Bakken, OneSpan Director of Product Marketing, discusses mobile security, how attackers may look to exploit users, and how super apps can offer endless opportunities for banks/organizations to build upon their trusted reputation with customers. The video and a transcript of the conversation are below.

 

Mitch Ashley:            We have great pleasure being joined by Sam Bakken. Sam is director of product marketing with OneSpan. Welcome, Sam.

 

Sam Bakken:            Hey, thanks so much. Really excited to talk to you today.

 

Ashley:            Great to talk with you too. Let’s start out if you’d just introduce yourself, tell us a little bit about OneSpan, too.

 

Bakken:            Yeah. So, you know, long story short, OneSpan protects the world from digital fraud. You know, the majority of our customers are financial institutions and we help them make sure that they are, you know, implementing authentications securely in a user friendly way. And you know, whether that’s web banking, but it’s really remote in digital channels that we’re helping them protect. And, you know, we’ve helped prevent billions of dollars in fraud and, you know, over half, I think, of the top 100 financial institutions in the world are our customers. So, that’s kind of what OneSpan does.

 

Ashley:            Excellent. Well, our topic that we want to talk about is super apps. And particularly in the context of financial institutions, there’s a lot of super apps around. Maybe, could you kind of give us a working definition of what a super app is in the context of, you know, financial transactions, financial institutions, you know, we don’t need to go into, you know, WeChat or whatever, but-

 

Bakken:            Yeah, well but you know, it really does help set the stage a little bit to at least kind of talk about where they’re coming from. But I definitely understand why you can kind of phrase it that way, but great question. Right. So really what it kind of boils down to is it’s sort of an all in one mobile app, that’s like the epitome of a super app. And, you know, you mentioned WeChat in the east and, and those sorts of experiences have existed for a long time, but it’s- Where it else came from was let’s think about Alipay and Alipay had this marketplace online and they allowed people to make, to purchase goods. But some people did not exactly trust remote payments at that time. And don’t get me wrong. This was like a decade ago when this was really starting out. So Alipay said, right, what we’re going to do is we’re going to institute a system where the consumers that are using our app to shop, they’re going to send their funds to us and we’ll hold onto them until the vendor themselves actually sends the goods and the person receives them themselves. And so people, you know, users of the app quite liked that. It was convenient. The user base was there, there were a ton of people there using these, these payment services. And so it started to turn into a thing where it was like, well, why not let people pay each other through this app? And then that also extended into, you know, why don’t we allow people to pay brick and mortar merchants as well through this app, because people were, you know, they enjoyed the convenience of that experience, right.

 

And, you know, as some listeners may or may not know in China specifically, they really kind of leapfrogged over credit cards. They were not using payment cards like we do here in the-

 

Ashley:            It sounds like they’re bypassing the whole merchant system and credit cards.

 

Bakken:            Right. Yeah. Right, right. Yeah. So they didn’t have the plastic. And then the other thing to, you know, I should have mentioned too, is they didn’t start accessing the internet in the same way that we did. They never really had time with a laptop and a desktop. It was like they were on their mobile phone. And I don’t know, you know, if you do this, but I love making payments just with my mobile phone, the convenience of that, not having to carry the card around, but again, the point is, this is how Alipay kind of started. And, you know, they’ve been extending services since then, you know, people can you know, WeChat’s another example, people can make you know, doctors’ appointments. They can make appointments to have their dry cleaning picked up and you know, dropped off and that sort of thing. So some people can run their whole lives through these apps in the east. So just, you know, I’ve been talking a little bit there, so that’s kind of where it came from. Right.

 

But then in terms of these apps and sort of what they mean, maybe for us in the west and why, you know, financial services institutions are thinking about this you know, first of all, you and me being in the west, I don’t know about you, but one of my favorite kind of examples of you know, a use for a super app here is I live in Iowa City. I have to use a parking meter app in order to pay for my on-street parking. That’s a single use app. That’s the only thing I use that app for. It’s many screens back in the sort of catalog of, you know, 80 or more apps on my phone. And the other thing is not only is it single use, not only is it taking up a little bit of space on my, on my device, I don’t necessarily trust the security practices of that app, right. I don’t really know who that developer is. You know, I look at their website and I download the app and stuff, but there’s not a lot said there about security.

 

And so I guess my point is where it comes to be something that’s sort of relevant to financial services and stuff is I’d much rather have my bank offer me a feature like that, that works out in the real world, kind of no matter where I am. There’s a payment involved. I trust my bank and I know that they’re held to a higher standard probably than some of these other developers. And so, you know, integrating you know features like that into a banking app starts to make a lot of sense to me. And it makes things more convenient and I definitely feel safer as a consumer myself.

 

Ashley:            I don’t know if this makes it more complicated or I doubt it simplifies it, but PayPal introduced right. They’re a super app. And how is that viewed as part of this whole ecosystem, when you have sort of what’s happening the, you know, Eastern part of the world now, PayPal introduced there is that a, I don’t know, the word uses of threat to the financial institutions. Is it, you know, partner to work with? How does their super app fit into this whole set?

 

Bakken:            Yeah, for sure. For sure. So PayPal definitely making inroads here, you know, a lot of press releases going out saying that you want to release a super app, et cetera, et cetera. You know, I sometimes think to myself that I’m not sure that, you know, consumers care about that term super app. What they care about is an app that helps them get things done. PayPal is really making inroads here for sure. You know, they’re starting to accept direct deposit, bill pay you know, have some digital wallet capabilities, peer-to-peer payments, shopping tools, and you can buy crypto and that sort of thing. So those are all, you know, features that we, you know, associate with kind of, you know, fintechs or banks. And that’s, you know, PayPal is a big, big player. I don’t actually know what their user base numbers are right now. But some people like using PayPal and they’ll probably like to use PayPal for some of those other features as well now that they’re made available to them.

 

Ashley:            I think there’s a data science term for their user base called really big.

 

Bakken:            Yeah. Oh yes. That is. I’m. I’m glad to hear that you are a data scientist.

 

Ashley:            I just play one on TV, but anyway, yeah. That’s beside the point. Well, so let’s talk about then, you know, from a OneSpan perspective obviously in working with financial institutions, how do you go about securing those transactions and super apps, whether they’re, you know, wherever they’re coming from, the tie into, you know, what banks have to think about, what financial services institutions have to consider.

 

Bakken:            Yeah, for sure. And, you know, we’re, because we, you know, we’ve helped there’s one customer of ours Belviest bank that started to get into this, right. They’re expanding the features and services that they offer in their app. Now, whenever you’re doing something like that, when you’re opening up a new service, you’re potentially partnering with a third party to enable that and stuff. And anytime you’re doing that, you know, it’s just a fact that you’re expanding your attack surface, right? You’re, you’re opening up the possibility of attack because you’re doing more than you previously did. So, you know, in a lot of cases that sometimes worries banks because you know, they maybe worry about that mobile channel you know, the devices that people use, they’re not necessarily all up to date, the bank doesn’t manage those devices themselves. They can’t, you know, require certain security aspects.

 

Ashley:            Well, we see it’s security, but it’s trust ultimately. Right. That’s what you put your money where you do, because you trust the bank, you trust the organization, if that’s gone, it’s all gone.

 

Bakken:            Right. Well, right. For sure. Yeah. And if you, you know, like you said, for decades, that’s where we’ve put our money and we’ve, you know, done digital transactions and stuff because we trust that bank and yeah, like you said, if their reputation were somehow harmed because of a scalable attack and they’re in the headlines or something like that, that’s going to, you know, affect consumers’ perspective there. So you want to prevent that. But you need to also these banks, you know, and they do, and our customers do this, but you know, you can’t go hide in the corner. You still have to offer more features. You want to grow. You want to have more customers, you want to retain your customers with the new cool features. And this can be done in a secure way.

 

You know, I always say that you know, in a lot of these cases, a lot of the sort of super apps, they’ve really nailed user experience and what user experience is, you know, it’s like a delightful experience of course. But it’s also like don’t get in the way of someone trying to do something. You know, regardless of how sort of risky or not it is. And then you can kind of step up the actions you take. If someone’s going to send, you know, $5,000 to someone they’ve never sent money to before. Obviously you want to take note of that and potentially say, is this really you on your device making this payment? Of course. But you know, what I’m trying to get to is a lot of times I think of the authentication process as kind of the front door to a mobile app in a lot of cases.

 

I have apps on my phone in a similar situation where they tend to be a little bit more well let’s just say they’re a financial services app as well, but I have to like enter in a username. I have to enter in a password. I have to get an SMS, that has a, you know, a one-time password in it for me to enter it in. I’ve told you three things that I have to do so far versus maybe another app that I have where I just can look at the camera and via facial recognition, I’m logged into the app.

 

I’m not saying that everybody wants that facial recognition feature. My point is the fact that that app, all I have to do is look at it to get in there. I’m going to choose that app when I need to get something done quickly, rather than the other app, where that experience is such a sort of hassle really when it comes down to it. So you know, authentication is definitely again, it’s sort of a continual or well, it’s a continual first impression. Every time someone’s using their app, you’re kind of hitting some signal in their brain and they’re remembering whether it was frustrating or whether they maybe even didn’t even notice. So again, what OneSpan can do there is we can help you implement and modernize your authentication practices on your app so that you’re, you know, both increasing security and providing a better user experience.

 

And then, you know, in addition to that also like I was talking about, you know, the mobile devices themselves, you, you don’t manage them. You don’t know exactly what’s going on there in terms of security hygiene. But what you can do is actually secure the app itself. So you kind of, you put a border around that app. So when it’s on the app store and someone downloads it, you have security controls that are implemented around that app, so that it itself is secured even on, you know, in a hostile environment. So maybe a jailbroken or rooted phone, which are typically less secure. You can, you know, be confident that nonetheless, that app that you’ve created and is facilitating payment transactions is still secure because there is this technology that’s detecting malicious behavior that might be interfering with it to shut it down before any damage is done. So those are a couple of the big ways that OneSpan helps in these situations.

 

Ashley:            So if I understand you right, it’s, since things are happening inside these super apps, inside the apps involving all these kind of transactions, financial transactions, sort of keeping the front door secure, like the way you get in to be able to do all that stuff and not adding like yet again, more you have to do to perform those transactions. Now, inside the app, you’re relatively, you’ve taken the steps to identify yourself, get access to it, et cetera. And you can, you have more freedom for a positive experience for the customer rather than, oh, I’m going to this provider for this financial transaction and they do it this way. Versus this one, does it a different way. Well, let’s just kind of take care of that. Provide an easy common interface upfront. Am I getting it? Am I on the right track?

 

Bakken:            Yeah. For sure. For sure. And I mean, it’s like, you know, it’s definitely kind of as simple as you said, it’s just us thinking of ourselves as humans and how we want to do these things ourselves and yeah. That’s what users want, is that convenience there, like you said.

 

Ashley:            Yeah, totally makes sense. So, as you work with customers, are you finding you have to kind of redesign that front end experience, are you kind of replacing or putting your process in place of how to provide that front door and sort of protect the exterior of the app? How do you work with customers to do that?

 

Bakken:            Yeah, I mean, we say that we’re really helping some banks modernize authentication. A lot of them maybe haven’t updated their, their processes in a long time. And, you know, now is a good time to do it. Technology has gotten to this place where you know, there’s things like behavioral biometrics where you can as a person is sort of interacting with the app, a profile has been built of that person’s behavior and where they hit the buttons and at what angle do they hold their phone and that sort of thing. And so that’s an opportunity to be doing this authentication without getting in the way at all.

 

Now it alone is not enough, but it just helps you only ask for that additional challenge when absolutely necessary. But yeah, it’s a modernization thing. It’s, Hey, let’s try to get away from SMS at this point. You know, there are some vulnerabilities there. Of course, I always want to say this. SMS is better than nothing at all. It absolutely is. However, there are still some weaknesses there. So I think it’s time we try to start moving away from that. And like I said, implementing biometrics at the front door is a great way to start with that. And so we, you know, we sell tools that allow banks to integrate this functionality into their existing mobile apps so that they can modernize that authentication. And then of course, you know, we have our professional services teams where, you know, in certain cases, if people are trying to get more done, we can also help them with that.

 

But in addition to that, this other technology that I was telling you about that kind of wraps the app and protects it in hostile environments, that we actually do in a way that’s called low code where you don’t have to be a developer and coding and ones and zeros and integrating code into these apps. You can just take an existing app. You go to a cloud interface, you know, a customer portal. You go there, you upload your app, you configure it based on the security that you want, and then you essentially hit go. And then you get that app back and it’s wrapped with this advanced security. And that can literally people typically don’t believe me when I say it, but you can do that in five minutes. I mean, the configuration, you have to think about it, of course, but once you got that down, it’s just up and down in like five minutes. So that ease of use is a big deal too, because it helps our customers, you know, get to market with that new innovation faster with the confidence that they are protected as well.

 

Ashley:            Oh, very good. Well, it’s interesting times. I mean, especially with the acceleration of everything going digital, you know, that evolutionary step has become almost evolutionary how fast we’ve advanced into it. Sometimes it’s a little hard to keep up with, I think for everyone, whether financial institution or person using the apps. What’s a way that someone can get started working with OneSpan?

 

Bakken:            You know, I think going to OneSpan.com is going to be a great way to kind of see what we have to offer and read stories about how we’ve helped a number of financial institutions. Some just like I’m sure some of our listeners here. So yeah, I just I’d really recommend getting, getting to the website to take a look at what we have; a bunch of great content there. And yeah, white papers, but also, you know, short videos that talk about what you can do quickly to do a better job, protecting your apps and that sort of thing. So OneSpan.com. That’s my recommendation.

 

Ashley:            Okay. Excellent. Sounds simple enough. I’ve suspected that might be where we need to go. Didn’t take too much to get that leap of faith there. Well, Sam Bakken, director of product marketing with OneSpan. Good to talk with you today. Thanks for joining us.

 

Bakken:            Hey, thanks so much, Mitch. This was great.

 

Ashley:            Take care.

 

[End of Audio]