Commonwealth Bank's intention to launch its popular banking app Kaching on Facebook before the end of the year marks a phase shift in the relationship between banks and the rest of the internet -- from a societal as well as a security standpoint.
The banks' traditional internet security message has always been simple. Check the website address in the URL to make sure it's the bank's. Check for the padlock icon in the web browser to make sure it's locked, indicating an encrypted connection to the site named in the address bar. Good. You're connected to the right spot. No-one can listen in. Please proceed.
The childishly named Kaching app for iPhone, which launched nine months ago and has since reportedly handled more than $1 billion in payments, extended this trust model in a logical way.
You trust the app because it was created by the bank itself. You trust that you in fact have the legitimate app because it came via Apple's trusted App Store or Google's Play Store.
It's not as easy to see what's going on -- you can't see which URLs the app is connecting to, for example -- but at least it's easy to understand. You assume that the bank's own app is smart enough to know that it's connecting to its own mothership, which in practice means trusting that the app checks the server's certificate properly, something no user can verify from the screen. Please proceed.
The bank's latest announcements highlight further logical extensions to the Kaching brand. A Kaching for Android app, which should work on around 80 per cent of the many different Android devices out there. And Bump payments for Kaching for iPhone, where funds are transferred by physically bumping the two phones together -- with GPS and the phones' accelerometers confirming that they were indeed in the same place and bumped together at the same time.
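As an added illustration (not CommBank's or Bump's code), here is how a server can perform the "same place, same time" check the Bump feature relies on, including the case the description glosses over: several phones bumping at once in the same spot, where guessing a partner would send money to a stranger. The thresholds, device names and coordinates are assumptions constructed for the example.

```python
"""Toy server-side matcher for Bump-style payments.

Added example, not CommBank's or Bump's code. The page says GPS and the
accelerometers confirm that two phones were in the same place and bumped
at the same time; this models that as a server-side join of reported bump
events and, the part that matters for money, refuses to pair a phone when
more than one other phone looks like a match. Thresholds and the sample
events are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
MAX_DT_S = 1.0        # assumed: both bumps reported within a second
SLACK_M = 20.0        # assumed: tolerance beyond the phones' own GPS error


@dataclass(frozen=True)
class BumpEvent:
    device_id: str
    t: float            # seconds, time of the accelerometer spike
    lat: float
    lon: float
    accuracy_m: float   # GPS accuracy radius reported by the phone


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def compatible(a, b, max_dt=MAX_DT_S, slack_m=SLACK_M):
    """Could a and b be the two halves of one physical bump?"""
    if a.device_id == b.device_id or abs(a.t - b.t) > max_dt:
        return False
    dist = haversine_m(a.lat, a.lon, b.lat, b.lon)
    return dist <= a.accuracy_m + b.accuracy_m + slack_m


def match_bumps(events, max_dt=MAX_DT_S, slack_m=SLACK_M):
    """Return (paired, unresolved).

    A device is paired only when it is compatible with exactly one other
    device and that device is compatible with it alone. A device with no
    partner, or with several plausible partners (a crowded room), is left
    unresolved rather than guessed.
    """
    candidates = {e.device_id: set() for e in events}
    for a, b in combinations(events, 2):
        if compatible(a, b, max_dt, slack_m):
            candidates[a.device_id].add(b.device_id)
            candidates[b.device_id].add(a.device_id)
    paired, unresolved = [], []
    for dev, others in candidates.items():
        if len(others) == 1:
            other = next(iter(others))
            if candidates[other] == {dev}:
                if dev < other:            # record each pair once
                    paired.append((dev, other))
                continue
        unresolved.append(dev)
    return paired, sorted(unresolved)


# Constructed sample: A and B bump in Sydney; C is 2 km away at the same
# moment; D, E and F bump simultaneously in one Melbourne cafe.
SAMPLE_EVENTS = [
    BumpEvent("phone-A", 1000.0, -33.86500, 151.20940, 10.0),
    BumpEvent("phone-B", 1000.3, -33.86505, 151.20945, 10.0),
    BumpEvent("phone-C", 1000.2, -33.86500, 151.23100, 10.0),
    BumpEvent("phone-D", 2000.0, -37.81360, 144.96310, 8.0),
    BumpEvent("phone-E", 2000.2, -37.81362, 144.96312, 8.0),
    BumpEvent("phone-F", 2000.5, -37.81358, 144.96308, 8.0),
]

if __name__ == "__main__":
    paired, unresolved = match_bumps(SAMPLE_EVENTS)
    print("paired:", paired)          # [('phone-A', 'phone-B')]
    print("unresolved:", unresolved)  # ['phone-C', 'phone-D', 'phone-E', 'phone-F']
```

The design choice worth noting is that ambiguity is treated as failure: the three cafe phones are each a plausible partner for the other two, so none is paired and the users would be asked to try again, rather than the server picking the closest timestamp.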
Commbank friends Facebook
Kaching has always had a pay-to-Facebook option, whereby Kaching users can pay someone known to them only through their Facebook identity.
Surprisingly, it's not as dodgy as it sounds. The recipient's Facebook login is used only to authenticate with Facebook so that they receive notice that there's a payment waiting. They still need to log in to an existing CommBank Kaching account, or provide their BSB and account number along with a unique payment code that the payer has had the sense to send them securely, before funds are transferred.
Having spoken with someone in a position to understand the security model in detail, I'm satisfied that the risk would be no more than asking the payee to tell you which account to transfer funds into and a fraudster giving you the wrong details. Hacked Facebook account, hacked email, it's all much the same.
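To make the split between "Facebook identity" and "who actually gets paid" concrete, here is a model of that claim flow as an added example, not CommBank's code. It assumes a hashed, single-use claim code bound to the payment, a guess limit and an expiry; the account numbers and Facebook identities are constructed. It also reproduces the residual risk just described: whoever holds the code names the account.

```python
"""Model of the Kaching pay-to-Facebook claim flow described above.

Added example, not CommBank code. The page says the payee's Facebook login
only triggers a notification; funds move only when the payee presents a
claim code (sent by the payer out of band) together with a BSB and account
number. Code format, limits and the sample accounts are constructed
assumptions made to illustrate that split.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_S = 7 * 24 * 3600   # assumed: an unclaimed payment lapses after a week
MAX_ATTEMPTS = 5             # assumed: wrong codes tolerated before it locks


@dataclass
class PendingPayment:
    payer_account: str
    facebook_recipient: str          # used only to address the notification
    amount_cents: int
    code_hash: bytes                 # server stores a hash, never the code
    created_at: float
    attempts: int = 0
    settled_to: Optional[tuple] = None   # (bsb, account) once paid out


def _hash_code(payment_id: str, code: str) -> bytes:
    # Binding payment_id stops a code seen for one payment replaying on another.
    return hashlib.sha256(f"{payment_id}:{code}".encode()).digest()


class PaymentService:
    def __init__(self, now):
        self.now = now            # injected clock so expiry can be exercised
        self.pending = {}
        self.notifications = []   # (facebook_recipient, payment_id) pairs

    def create_payment(self, payer_account, facebook_recipient, amount_cents):
        payment_id = secrets.token_hex(8)
        code = secrets.token_urlsafe(12)      # ~96 bits: not guessable in 5 tries
        self.pending[payment_id] = PendingPayment(
            payer_account, facebook_recipient, amount_cents,
            _hash_code(payment_id, code), self.now())
        # Facebook learns only that a payment is waiting, never the code;
        # the payer must get the code to the payee by some other channel.
        self.notifications.append((facebook_recipient, payment_id))
        return payment_id, code

    def claim(self, payment_id, code, bsb, account):
        p = self.pending.get(payment_id)
        if p is None:
            return "unknown payment"
        if p.settled_to is not None:
            return "already settled"
        if self.now() - p.created_at > CODE_TTL_S:
            return "expired"
        if p.attempts >= MAX_ATTEMPTS:
            return "locked"
        if not (bsb.isdigit() and len(bsb) == 6 and account.isdigit()):
            return "invalid account details"
        p.attempts += 1
        if not hmac.compare_digest(_hash_code(payment_id, code), p.code_hash):
            return "bad code"
        p.settled_to = (bsb, account)   # funds go wherever the code holder says
        return "settled"


def demo():
    """Walk the flow through the cases the text raises; returns outcomes."""
    clock = [1_000_000.0]
    svc = PaymentService(now=lambda: clock[0])
    out = {}
    pid, code = svc.create_payment("062000 12345678", "fb:payee", 5000)
    # Attacker holding the payee's Facebook account sees the notification
    # (so knows the payment exists) but never received the code.
    out["facebook_only"] = svc.claim(pid, "guess", "062001", "22222222")
    # Genuine payee supplies the code and their own account details.
    out["legit"] = svc.claim(pid, code, "062002", "33333333")
    out["replay"] = svc.claim(pid, code, "062002", "33333333")
    # Code sent over a compromised channel (hacked email): whoever holds it
    # names the account, which is the residual risk the text describes.
    pid2, code2 = svc.create_payment("062000 12345678", "fb:payee", 2500)
    out["leaked_code"] = svc.claim(pid2, code2, "062001", "22222222")
    out["leaked_code_paid_to"] = svc.pending[pid2].settled_to
    # Guessing the code: locked after MAX_ATTEMPTS, even for the right code.
    pid3, code3 = svc.create_payment("062000 12345678", "fb:payee", 1000)
    for _ in range(MAX_ATTEMPTS):
        svc.claim(pid3, "guess", "062001", "22222222")
    out["after_lockout"] = svc.claim(pid3, code3, "062001", "22222222")
    # Expiry: a week-old code is refused.
    pid4, code4 = svc.create_payment("062000 12345678", "fb:payee", 700)
    clock[0] += CODE_TTL_S + 1
    out["expired"] = svc.claim(pid4, code4, "062002", "33333333")
    return out


if __name__ == "__main__":
    print(demo())
```

The `leaked_code` case is the point of the author's comparison: the Facebook account alone gets an attacker nowhere, but the code is a bearer secret, so a payer who sends it over a compromised channel has effectively handed over the money, exactly as if they had been given wrong account details in the first place.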
But a Kaching for Facebook app is a whole different thing.
Especially when the app will "[make] it possible for customers to do all their banking without ever leaving Facebook."
A Facebook app is served into the user's web browser in real time from wherever the app developer has set up their technology, typically inside a frame within the Facebook page, in a way that makes it hard for a non-technical user to see what's going on: the address bar and padlock belong to facebook.com, not to whoever is serving the frame. And anyone can register to be a Facebook app developer.
Now Facebook certainly puts effort into stamping out rogue apps, but it hasn't been 100 per cent successful. It can't be. No-one could be. The continuing threat of drive-by malware downloads shows that rogue apps -- and rogue advertisers, inserting bad content into web pages by similar means -- are likely to be with us for some time. And you don't need to mock up the entire Kaching app to be a threat, just the login screen.
Tweaking the security message
In effect, CommBank's security message has changed from "Make sure you're connected securely to the bank" to "Just trust this completely unrelated business because the pixels look OK on screen".
So what's different?
Well, according to CBA's executive general manager for cards, payments and retail strategy, David Lindberg:
"We've invested billions of dollars in our IT infrastructure, our real-time banking core, our security and our risk, and so we have a much better way now of managing security around those platforms."
"We've become far more sophisticated in our security monitoring," he says.
Even the diversity of banking platforms, from iOS to Android, Kaching to website, makes it relatively more expensive for the bad guys to set up an attack. Organised criminals care about market share and ROI too, you know.
The bank is confident it has all the bases covered and boasts a "100 per cent security guarantee", which promises to cover any losses for unauthorised transactions on a customer account.
This confidence is perhaps best expressed by Drew Unsworth, CBA's general manager of online banking. "People have been trying to steal money from banks for a long time," he told Technology Spectator. No arguments there, Drew.
Is Kaching the future?
CommBank is well aware it's leading the pack here. It has always had something of a head start on its peers when it comes to IT and is obviously keen to extend that lead. If nothing else, it lets the bank score some handy publicity points against its Big Four rivals.
"There are a number of banks including some of the Big Four here [in Australia] that have said, no, we don't think we should do it," CommBank's chief marketing officer Andy Lark says.
"We've chosen not to stick our heads in the sand. We've talked to, particularly, the youth segment of the market, up into that mid-range segment of the market, and they are passionate about Facebook."
But are young Facebook users the people best placed to make the security choices about their online banking? Particularly if having to "leave Facebook", something that's as easy as opening a new web browser tab, has become a factor?
And that points to the wider societal shift underway. Banks are clearly no longer seen as the be-all and end-all of dealing with money. CommBank has presumably seen that it can no longer command people to come to the bank. Instead the bank must go to where the people are, only a browser tab away, in Facebook -- a place where security, or at least privacy, is far from the first consideration.
Case in point: Facebook's latest outrage, silently rewriting smartphone address books to divert personal email into its own servers.
Banks seem happy to do business in this new environment and cover the losses. Is it confidence? Or sheer necessity?
Don't forget "social banking"
The other driving force is "social banking", the ability for people to handle their funds online in the same informal ways they've been used to doing offline with cash. Think of a group of friends chipping in to cover the ski lodge rental, or a colleague's birthday present, or the office coffee fund.
While the banks, at least so far, can't create the online equivalent of that brown envelope full of small change, they can start staking out the territory. And that's precisely what CommBank is doing.
The existing Kaching apps allow you to post a note about a Facebook payment to the recipient's Facebook wall: "I've just paid my share of the holiday." The Kaching for Facebook app will further bind CommBank, Facebook and money together in people's minds. Eventually a Facebook group for your ski holiday might naturally form an ephemeral financial entity as well.
With the bank involved, of course, so they get a piece of the action.
This is also presumably why CommBank is calling Kaching-to-Kaching payments "peer-to-peer" when they're nothing of the sort.
These payments still involve a central entity, the bank, just like any other bank transfer. True peer-to-peer transactions would see the funds go directly from payer to payee without involving anyone else.
Offline that's done with cash. Online that's only possible with emerging systems such as Bitcoin or perhaps Canada's MintChip digital cash.
CommBank, like all banks, needs to ensure people still see all this as "banking", not as digital cash stored on a smartphone and coordinated by any number of potential new players -- including Google, Apple or Facebook itself. Game on.