Commonwealth Bank's announcement yesterday that it'll launch a Kaching for Facebook app before the end of the year marks a phase shift in the relationship between banks and the entire rest of the internet – from a societal as well as a security standpoint.
The banks' traditional internet security message was simple. Check the address in the browser's address bar to make sure it's the bank's own domain. Check for the padlock icon in the browser, indicating an encrypted connection to a site whose certificate matches that address. Good. You're connected to the right spot.
No-one can listen in. Please proceed.
CommBank's childishly-named Kaching app for iPhone, launched nine months ago, extended this trust model in a logical way, as does the "normal" CommBank smartphone app. You trust the app because it was created by the bank itself. You trust that you in fact have the legitimate app because it came through Apple's App Store or Google's Play Store rather than from some arbitrary download link.
It's not as easy to see what's going on – you can't see which URLs the app is connecting to, for example – but at least it's easy to understand. You assume that the bank's own app checks the bank's server certificate on your behalf and knows that it's connecting to its own mothership. Please proceed.
CommBank claims that Kaching has been downloaded more than 365,000 times so far and has handled more than $1 billion in payments. And why not.
Yesterday's announcements included further logical extensions to the Kaching brand. A Kaching for Android app, which should work on around 80 per cent of the many different Android devices out there. And Bump payments for Kaching for iPhone, where funds are transferred by physically bumping the two phones together – with GPS and the phones' accelerometers confirming that they were indeed in the same place and bumped together at the same time.
There were immediate whinges that Kaching for Android didn't support near field communication (NFC). Kaching-running Android phones can't just be waved over a payment terminal. Android users must continue to suffer under the burden of keying their PIN.
CommBank says the finger of blame should be pointed at Google and the device manufacturers for failing to expose the secure element alongside the NFC chip. Banks need that secure element to let a phone present card data securely to a terminal, not merely read tags. It seems there's no timeline for that.
CommBank friends Facebook
Kaching has always had a pay-to-Facebook option, whereby Kaching users can pay someone known to them only through their Facebook identity.
It's not as dodgy as it sounds. The recipient's Facebook login is only used to authenticate with Facebook so they receive notice that there's a payment waiting. They still need to log in to an existing CommBank Kaching account, or provide their BSB and account number along with a unique payment code that the payer has had the sense to send them securely, before funds are transferred.
Having spoken with someone in a position to understand the security model in detail, I'm satisfied that the risk would be no more than asking the payee to tell you which account to transfer funds into and a fraudster giving you the wrong details. Hacked Facebook account, hacked email, it's all much the same.
But a Kaching for Facebook app is a whole different thing.
Especially when the app will "[make] it possible for customers to do all their banking without ever leaving Facebook."
A Facebook app is loaded into the user's web browser in real time from...somewhere. In practice it's an iframe inside the Facebook page, served from whatever servers the app developer operates, while the address bar keeps showing facebook.com. That makes it difficult for the non-technical user to see what's going on. And anyone can register to be a Facebook app developer.
Now Facebook certainly puts effort into stamping out rogue apps, but it hasn't been 100 per cent successful. It can't be. No-one could be. The continuing threat of drive-by malware downloads shows that rogue apps – and rogue advertisers, inserting bad content into web pages by similar means – are likely to be with us for some time. And you don't need to mock up the entire Kaching app to be a threat, just the login screen: a form that looks right and posts the customer's credentials to the attacker's server.
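To make the two trust models concrete, here is an added example (mine, not code from the article or from CommBank) that models the traditional address-bar-and-padlock check described earlier against what a Facebook canvas app actually does. The bank domain, the app names, the iframe sources and the form actions are all constructed for illustration and are not real CommBank or Facebook URLs.

```javascript
// Added example, not code from the article or from CommBank: a model of why
// "check the address bar and the padlock" stops working once a bank login
// form is delivered inside a Facebook canvas app (an iframe on facebook.com).
// Every hostname and path below is constructed for illustration.

const BANK_DOMAINS = ["commbank.com.au"]; // assumed bank domain for the example

// True when host is the domain itself or a subdomain of it. A plain substring
// test would accept "commbank.com.au.example.net"; this does not.
function underDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function isBankHost(host) {
  return BANK_DOMAINS.some((d) => underDomain(host, d));
}

// The traditional customer-side check: https, and the address bar is on the
// bank's own domain. This is all the padlock-and-URL advice can tell you.
function addressBarLooksLikeBank(addressBarUrl) {
  const u = new URL(addressBarUrl);
  return u.protocol === "https:" && isBankHost(u.hostname);
}

// What actually matters, and what the customer cannot see from the address
// bar: which origin served the login form (the iframe src, if framed) and
// which origin the form submits the credentials to.
function classifyLoginPage({ addressBar, frameSrc, formAction }) {
  const top = new URL(addressBar);
  const served = frameSrc ? new URL(frameSrc, top) : top;
  const receives = new URL(formAction, served);
  const bankServes = isBankHost(served.hostname);
  const bankReceives = isBankHost(receives.hostname);
  const encrypted = served.protocol === "https:" && receives.protocol === "https:";
  let verdict;
  if (!bankServes || !bankReceives) verdict = "third-party";
  else if (!encrypted) verdict = "bank-but-unencrypted";
  else verdict = "bank";
  return {
    addressBar: top.origin,
    addressBarCheckPasses: addressBarLooksLikeBank(addressBar),
    framed: Boolean(frameSrc),
    servedBy: served.origin,
    credentialsGoTo: receives.origin,
    verdict,
  };
}

// Three constructed situations. Cases 2 and 3 look identical in the address
// bar; only the invisible iframe origin differs.
const CASES = [
  { name: "direct bank login",
    addressBar: "https://www.commbank.com.au/login", formAction: "/login" },
  { name: "legitimate canvas app",
    addressBar: "https://apps.facebook.com/kaching-example/",
    frameSrc: "https://facebookapp.commbank.com.au/canvas", formAction: "/canvas/login" },
  { name: "rogue canvas app",
    addressBar: "https://apps.facebook.com/kaching-example/",
    frameSrc: "https://kaching-login.example.net/", formAction: "collect.php" },
];

function runCases() {
  return CASES.map((c) => ({ name: c.name, ...classifyLoginPage(c) }));
}

console.table(runCases());
```

The table shows the point of the article in one glance: the legitimate canvas app fails the old "is the address bar the bank's?" check, while the rogue one passes exactly the same visual inspection, because the address bar is facebook.com in both. The only thing that separates them is the iframe origin, which the customer never sees.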
Tweaking the security message
In effect, CommBank's security message has changed from "Make sure you're connected securely to the bank" to "Just trust this completely unrelated business because the pixels look OK on screen".
So what's different?
"We've invested billions of dollars in our IT infrastructure, our real-time banking core, our security and our risk, and so we have a much better way now of managing security around those platforms," David Lindberg, CommBank's executive general manager for cards payments and retail strategy, told yesterday's well-catered media briefing.
"We've become far more sophisticated in our security monitoring," he said.
Even the diversity of banking platforms – iOS and Android, Kaching and website – makes it relatively more expensive for the bad guys to set up an attack, since each channel has to be studied and spoofed separately. Organised criminals care about market share and ROI too.
The bank is confident they've got it covered. "Commonwealth Bank offers a 100 per cent security guarantee meaning it will cover any losses should someone make an unauthorised transaction on a customer's account," says the media release.
That confidence seemed best expressed by Drew Unsworth, general manager of online banking. "People have been trying to steal money from banks for a long time," he told Technology Spectator. Indeed.
Is Kaching the future?
CommBank is well aware it's leading the pack here.
"There are a number of banks including some of the Big Four here [in Australia] that have said, no, we don't think we should do it," said Andy Lark, the bank's chief marketing officer.
"We've chosen not to stick our heads in the sand. We've talked to, particularly, the youth segment of the market, up into that mid-range segment of the market, and they are passionate about Facebook."
But are young Facebook users the people best placed to make the security choices about their online banking? Particularly if having to "leave Facebook", something that's as easy as opening a new web browser tab, has become a factor?
And that points to the wider societal issue.
Banks are clearly no longer seen as the be-all and end-all of dealing with money. CommBank has presumably seen that it can no longer command people to come to the bank. Instead the bank must go to where the people are, only a browser tab away, in Facebook – a place where security, or at least privacy, is far from the first consideration.
Case in point, Facebook's latest outrage: silently replacing contacts' email addresses in synced smartphone address books with @facebook.com addresses, so that personal email to those contacts is routed through its own servers.
Banks seem happy to do business in this new environment and cover the losses. Is it confidence? Or sheer necessity?
The other driving force is "social banking", the ability for people to handle their funds online in the same informal ways they've been used to doing offline with cash. Think of a group of friends chipping in to cover the ski lodge rental, or a colleague's birthday present, or the office coffee fund.
While the banks, at least so far, can't create the online equivalent of that brown envelope full of small change, they can start staking out the territory. And that's precisely what CommBank is doing.
The existing Kaching apps allow you to post a note about a Facebook payment to the recipient's Facebook wall. "I've just paid my share of the holiday." The Kaching for Facebook app will tie CommBank, Facebook and money together even more tightly in people's minds. Eventually a Facebook group for your ski holiday might naturally form an ephemeral financial entity as well.
With the bank involved, of course, so they get a piece of the action.
This is also presumably why CommBank is calling Kaching-to-Kaching payments "peer-to-peer" when they're nothing of the sort.
These payments still involve a central entity, the bank, just like any other bank transfer. True peer-to-peer transactions would see the funds go directly from payer to payee without involving anyone else.
Offline that's done with cash. Online that's only possible with emerging systems such as Bitcoin or perhaps the Royal Canadian Mint's MintChip digital cash.
CommBank, like all banks, needs to ensure people still see all this as "banking", not as digital cash stored on a smartphone and coordinated by any number of potential new players – including Google, Apple or Facebook itself. Game on.