Monday, June 7, 2010

How not to sell your product, or: is there really a "Silver Bullet" for Mobile Payments security?



Engineers tend to frown at marketing and BD, but creating leads or closing a deal is never easy. No matter where you are you want to be able to clearly articulate what is the customer’s pain point that you are solving. And you want your solution to be as straight forward as possible, too. If you resort to detailed tables and text you’re bound to lose most of your potential customers along the way. One thing I like about mobile payment companies’ pitch is that it’s pretty straight forward; both Boku and Zong articulate very clearly that yes, they have higher fees, but overall their much higher conversion rates increase revenue. Simple and straightforward; I like that. Other mobile payments vendors follow suit with similar pitches.

Why some Mobile Payments vendors are missing the point

Some of these vendors are veteran companies rebranding for the digital goods space and as such talk the “new” mobile payments talk but do not walk the walk. You can’t, for example, claim you’re providing a seamless experience when you require a three page signup process on first payment; your product must support your value proposition. Still, I have encountered companies that claim exactly that – and fail to understand why a cumbersome sign up process is an issue. I can imagine how some of these products evolved: starting in technologically limiting environments, with little to no data sources available and nothing but premium SMS billing. Faced with these difficulties, the ability to create any sign up flow or get an integration agreement with an operator looked like a huge achievement. And it was. But as depressing as it is to see your market changing, empowering payments in a card-not-present environment is today almost a commodity and operator integration is a limited, narrowing edge. He who wants to survive adjusts, or continues to try to sell payments triggered via, let’s say, IVR call to a landline. I’m sure there’s a need for first-generation payments somewhere on the globe; in most developed markets these look displaced.

Commodities and risk management 

I find this obvious since commoditization also creates pitch and product distortions in my own back yard, risk and fraud management. How did that happen? 5 years ago it was harder to compete with internal risk departments. With the eCommerce boom, however, came the proliferation of fraud as fraudsters (and the average Joes of the world) realized how easy it was. With this came a demand for risk management tools and methods. Many companies emerged in response, and each had to evolve quickly to gain market share and capitalize on an almost vacant market. Since the business was so nascent (and, I would argue, still is far from full potential), little technology innovation was required to reach stellar improvements in any point in the funnel; and since all of these companies provided indicators to help support the retailer’s decision (rather than the decision itself), the sales tactic was geared toward convincing the customer to add your score to the variety of scores they were already using. And it worked: merchants are using on average between 4 to 5 different decision supporting tools and indicators. But the cost was commoditization and an ever degrading technological edge. This has already started to come into effect and change the way risk and fraud are discussed.

Scaring them used to work

Sometimes finding a pain point is complicated since the customer is either unaware of a problem or aware of it but does not think it merits attention. When pitched FraudSciences’ product, even though we offered an insured decision to merchants to expand their business to new markets, often times the initial response was negative. Getting merchants to understand “why now” is always a challenge, and with the growth we see in Digital and Virtual Goods publishers sometimes don’t even have the time to consider (as I noted in the past, zero cost of goods produced is both a blessing and a curse). But it seemed as though for some of the companies the approach changed into forcing customers to realize they have a problem, even when they don’t necessarily have one. This is the “scare pitch”; I recently spent some time with a content publisher that told me about a similar conversation with another payments provider. A good part of the talk was aimed at explaining why fraud is so dangerous while fact of the matter is that currently, content providers aren’t immediate targets (since content is not as easily monetized as other goods). Why try to scare customers into buying your service when they have no actual need? Because most tools and services provide negligible incremental value and this is the only way to get customers to add another one to the pile – like any premium-hungry insurance company, scare them with hell and make sure they sign the policy. The alternative is, of course, enabling an experience that unlocks more revenue rather than catches all the “bad guys”. And that’s exactly where the product is lacking.

Is there really a new silver bullet?

Since the pioneers of risk management in eCommerce were mostly web-security geeks, a fraudulent transaction was (and still is) viewed as a transaction made from a “bad machine” (rather than “by a bad user”, a very important distinction). If we could only map all the bad boxes in the world, says this logic, we can stop fraud. This is what “machine fingerprinting” is about. Most leading companies hence focused on black-list type systems geared at collecting as much anonymous information as possible to be able to identify machines without necessarily identifying its owners. The story repeated itself with IPs, cookies, browser profile and now the latest addition – mobile device ID. As with its predecessors in the role of silver bullet or even better than some of them, mobile device ID is not easily spoof-able, is relatively easy to retrieve and is (supposedly) unique. Problem solved, right? Not so. With so many phones manufactured, stolen and exchanged in a year, it’s easy to see that simply keeping a list of “bad devices” won’t cut it – same as with other devices and boxes, if you base you classification on a “device bad history”, you fail every time you see a new device; and you fail every time good and bad users share a device since one bad user “contaminates” the device for all others. A hacked phone is, like a hacked machine with a proxy set up in it, simply a relay. The real “badness” of a device should always be viewed as probabilistic, in the current context of the actions made on it, and compared to other details we may have on the user allegedly using it. That is why a system without Personal Identifier Information is nothing more than a mildly sophisticated black-list.

This is not a subtle point but it might be lost if all we're looking to gain is that small edge. In dealing with mobile devices I find that creating a pattern to recognize still encounters major issues: geolocation reliability, network topology and new patterns of user usage are just three considerations that make mobile payments more than just an extension of desktop purchases. Focusing on adding device IDs to a device fingerprint, without creating a viable solution to initial encounters or devices being transferred between users is similar to looking at a problem space through a keyhole. It just won't cut it. 

Why this is important

Turning eCommerce into virtual commerce and the mobile phone into a wallet will require a high level of trust between participants, since virtual communities and f2f proximity payments are new ideas and new experiences. Enabling that exchange is one of the best outcomes of effective risk management and user identity and intent assertions, but the current trend isn’t necessarily heading at that direction. I believe it should, but that would require profound pitch, product and point of view change.