FNB send (me) money (please).. just kidding, it’s the name of a new service from FNB Mobile Commerce.
They chatted to a few bloggers today. I was invited. Nice format.. 1-on-1 sessions with the CEO of the eMoney business unit.
They did a demo where they sent me R50. The system created a “wallet” for me, which I could access via USSD. I then generated a PIN to use at an ATM. I walked over and withdrew R50 in cash. Pretty slick.
- The product makes sense. It’s pretty obvious that people want to move money via their mobile phones. The target market seems to be people who don’t earn a lot of money or who may not have a bank account.
- The brand could be a bit better, “Send Money” is simple, but it’s not very unique, which may actually make it hard to remember.
- They use a USSD (GSM) interface, simple, not very sexy or intuitive, but reliable I guess.
- Seems to be designed and driven by cool people (well, at least one).
The system is VERY dependent on the security of the phone and everything seems to link back to a mobile phone number (MSISDN). This is fine if they use more than one path/way to authenticate the transaction (like web + mobile phone, in online banking).
In the demo I received a PIN via SMS. So anybody who could read or intercept that SMS could withdraw the money.
We know there are a few potential problems with mobile network security:
- We don’t trust the SMS gateway operators (mobile phone company staff). They can read the SMSs.. crypto is not end-to-end.
- We don’t really trust the way SIMs are issued. Any mobile phone shop can request a “SIM swap” and get your number on the new SIM. Maybe not trivial, but certainly a known problem.
- GSM crypto is not that safe. You can buy devices that do GSM call-interception (and SMS).. or have fun with a DIY solution.. you can snoop GSM traffic with something like OpenBTS and you can crack A5/1 like this guy with his.. “GSM has more security holes than Swiss cheese” project.
So, the idea is very good, but I’m not too comfortable with relying on the GSM networks for the security of the transaction.
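An added example, not part of the original post and not FNB's implementation: a sketch of the "more than one path" idea above, where a cash-out voucher needs one code from the SMS and one delivered over a second channel, so reading the SMS alone is not enough. The `Voucher` class, the expiry window, the attempt limit and the phone number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed validity window
MAX_ATTEMPTS = 3        # assumed lockout threshold


def _digest(key, channel, code):
    """Keyed digest; the server keeps this rather than the code itself."""
    return hmac.new(key, f"{channel}:{code}".encode(), hashlib.sha256).digest()


class Voucher:
    """Hypothetical cash-out voucher needing codes from two separate channels."""

    def __init__(self, msisdn, amount, now=None):
        self.msisdn, self.amount = msisdn, amount
        self.created = time.time() if now is None else now
        self.attempts, self.redeemed = 0, False
        self._key = secrets.token_bytes(32)
        self._stored = {}

    def issue_codes(self):
        """Return (sms_code, second_code); each goes out over a different path."""
        codes = {ch: f"{secrets.randbelow(10**6):06d}" for ch in ("sms", "second")}
        self._stored = {ch: _digest(self._key, ch, c) for ch, c in codes.items()}
        return codes["sms"], codes["second"]

    def redeem(self, sms_code, second_code, now=None):
        now = time.time() if now is None else now
        if self.redeemed or self.attempts >= MAX_ATTEMPTS or not self._stored:
            return False  # single use, locked out, or nothing issued yet
        if now - self.created > CODE_TTL_SECONDS:
            return False  # expired
        self.attempts += 1
        given = {"sms": sms_code, "second": second_code}
        # Check both channels in constant time before combining the results.
        results = [hmac.compare_digest(self._stored[ch], _digest(self._key, ch, given[ch]))
                   for ch in ("sms", "second")]
        if all(results):
            self.redeemed = True
        return self.redeemed


if __name__ == "__main__":
    v = Voucher("+27000000000", 50)  # constructed number and amount
    sms, second = v.issue_codes()
    print(v.redeem(sms, "not-it"), v.redeem(sms, second))
```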