Wednesday, March 25, 2009

End of independent mobile payment players?

It is difficult to have missed the news (here, here, here) about Obopay receiving $70 million from Nokia. This is on top of the earlier round (Series D) of $20 million in April 2008.

What does this investment indicate:
  • Obopay's CEO is skilled in raising money (you'll find this interview interesting)
  • Mobile payments industry is at an inflection point, and on the verge of take-off
  • Nokia sees Obopay as best suited to take advantage of the opportunity.
  • Nokia is seeing Obopay as its next billion dollar baby?
One of the signs of an emerging industry crossing the chasm is investments from the large players. This happened in the email space (Microsoft buying Hotmail...), Online Advertising (Yahoo/Blue Lithium; Microsoft/aQuantive)... Startups many a times do not have the ability to scale quickly to address the available market efficiently. Alternatively, the economics of the space do not justify a startup building out the sales, delivery and service infrastructure. In such cases, an existing player buys a startup to either move up the value chain or to increase the breadth of their offering.

Does Nokia's interest in Obopay suggest this?

Obopay has alliances with scheme operators (MasterCard), banks (Citi, Yes), carriers (Verizon) and device vendors (Qualcomm, Blackberry, Nokia).

Any of the above partners could have made a large investment. Qualcomm in an existing investor in Obopay. Does Nokia's investment indicate that the device vendors have an inside track to leverage the mobile payments market. Would a payment scheme operator or a telecom operator have been able to grow the mobile payments market better than a mobile device vendor?

In terms of registered users and money flowing thru the system, PayPal mobile seems to be the front-runner in mobile P2P payments in the US. mChek seems to be the front-runner in India.

Does Obopay have strategic alliances or IP that can block these early leaders? Can Nokia help Obopay move ahead. Has there been any development in the recent past to indicate the slumbering mobile payments industry is getting ready to sprint?

Are mChek and PayMate next in line for a bear hug?

What are your thoughts?

Sunday, March 15, 2009

Authenticating online transactions

The payment ecosystem is comfortable with the authentication of a payment card holder at the time of retail transaction (about 1.5 basis points of fraud). In retail transactions, the user is authenticated by the checkout clerk, and the payment session is authenticated by the payment server. Two sets of checks using independent channels.

In online commerce, similarly, multi-factor authentication (MFA) is being used for strong authentication to achieve the same degree of authentication. The authentication factors used, include:
  • What you have (the payment card) [weak as a factor unless a card reader is also involved]
  • What you have (the cellphone / hardware token registered with your card)
  • What you know (the PIN)
  • Biometrics (who you are): This is being used by some, with the potential for increased usage)
  • One-time password / Signature (yet another knowledge factor [what you know])
Banks are deploying hardware in a variety of form factors to enable MFA for [more] secure online commerce. There is lots of debate whether these investments are appropriate or being mis-directed.

Unconnected Chip-n-PIN readers are being endorsed by payments associations and being deployed by European banks to generate OTP (one-time passwords) for secure access to online banking sites. The simplicity of unconnected card reader devices make them secure. They are not connected, therefore are less prone to being attacked by malware. However an additional device to carry around when you travel (or otherwise) is not terribly convenient. There is still the issue of Adversary/Man-in-the-Middle (MITM) attack.

Using SMS as an alternate delivery channel is another alternative (saves cost of deploying readers and hassle of carrying readers around). Cell phones are used to communicate the OTP or Transaction Number (TAN), which the user enters at the online site. For those that don't care for cell phone and/or SMS/text messages, an IVR (interactive voice response) variant of the above is also used.

Hardware token, either the unconnected kind or the USB kind, are also used, but not in the same class of security solution as what you know (PIN) is not involved.

The emerging consensus, including observing the above alternatives, is that a hardware based solution over an alternate channel be used to generate/communicate the additional authentication factor (what you know). See related post here and here.

There are varied opinions about the usability and security profile of these offerings, including:
Are the current approaches to securing online transactions adequate? Are there any fundamental lacunae that we need to plug to get a solid foundation on which we can build the necessary security solution? What are your thoughts?

[10Aug09]: Interesting related post from Finextra (link)

Saturday, March 14, 2009

Paypal Mobile: Is it a non-starter?

I was reading Carol Coye Benson's blog about cash going away. Such posts catch my attention and got me thinking. Why are we not using P2P (peer-to-peer) mobile payments when friends/colleagues have to pay each other (splitting a meal tab...)? A related question is why has Paypal not been able to make mobile payments more successful/ubiquitous? This question is topical, in light of Ebay's recent focus on Paypal and its mobile offering (2009 Analyst Day presentation).

First, a background of the offering. Paypal mobile has been around for over 2 years now. Paypal has over 70 million active users. The cost for individuals to make payments to each other is free (other than the cost of the SMS charged by the telco, if you are using SMS/text). Paypal does not charge individuals any fee to load their wallet from a DDA/bank account. They do not charge individuals any fee to withdraw the money back to their DDA/bank account. In summary, Paypal's mobile payment service is free to individuals to pay each other. It is reasonable to assume that most of Paypal's active users in the US have a mobile phone (see Tomi T Ahonen's post). However, I would assume that only single digit percentage of active users have registered for mobile payments.

I suspect we, as consumers, do not use Paypal mobile as we have not made the necessary shift in our lifestyle. There has been no incentive or education for us to incorporate Paypal Mobile into our lives. No major ecosystem player has encouraged the use of Paypal Mobile.

Why is Paypal not pushing their mobile offering? Paypal mobile is an opportunity for Paypal to move from the online payments space to the physical world. Peer-to-peer payments seems to be a low hanging fruit in Paypal's retail payments strategy. Or is it?

Let's look at why physical merchants (the kind Carol visited in Oregon) have not embraced Paypal mobile. The cost of acceptance seems to be the first place to look. For most small vendors, Paypal fees work out to about 3.5%. This is a pretty high cost.

Acquirer/ISO recruit merchants and help them in accepting [new forms of] electronic payments. Is the absence of such a partner in the Paypal Mobile ecosystem affecting adoption?

Are mobile payments still an oxymoron? Is Paypal not interested in physical retail payments (aka Paypal Mobile), as it sees lots more growth in the online world? Would love to hear your thoughts?

Monday, March 9, 2009

Outsourcing product field trials in Web 2.0 world

I came across this news item about Citi being interested in having NFC field-trials in Bangalore, India to help prepare for commercial deployments in the US.

This is an interesting idea. I had heard of outsourcing call centers, development, back office operations... to Bangalore/India. Pharmaceutical companies have been outsourcing field trials of their drug testing to places like India. To Citi, outsourcing NFC field trials was an obvious step in trying to stretch the dollar in trying times.

Would this work though?

How much would a Bangalore merchant promote this new technology while he knows that product/service being tried out is not making its way to his store any time soon? Would the NFC reader be buried somewhere, with the [transient] checkout staff being ignorant of its existence/usage?

I heard that the local transit agency is being roped in for the trial. Makes sense, considering the pivotal role transit plays in the contactless ecosystem. However, would the local transit agency make the effort to actively participate when they know that they are just the lab rats.

The dynamic of India's mobile carriers are very different from that of the US, starting from low ARPUs, to high proportion of prepaid users... I heard that nearly 90% of India's mobile customers are prepaid users.

Would India's cash-based economy, culture... provide Citi the ability to extrapolate results? You get the drift.

Initial reports of the trials came out in September 2008, an update showing up in late Feb '09, with potential start date in Q2'09. It is anybody's guess if and when this trial will happen. What do you think are the odds of Citi being able to pull this off?

Is this the beginning of a new trend/market segment? This question is a little broader one, around innovative ways to field trials and reducing the cost of product development especially in the Web 2.0 paradigm.