Web 2.0 Financial Services Online and Mobile Widget Strategy: A Roadmap

Seven Point Checklist • Case Study

www.myWorkLight.com l info@myWorkLight.com l Tel: (866) WRK-LGHT
© WorkLight Inc. 2009. All rights reserved.

Executive Summary
The recent economic downturn presents new challenges to retail financial services institutions. Yet, it also affords new opportunities. One of today’s fundamental business challenges is how to engage increasingly-skeptical customers in meaningful interactions in order to generate business, while at the same time reducing customer service costs. The corresponding opportunity is to employ new Web 2.0 tools and services to reach customers anytime/anywhere, in the places where they already spend their time. This document examines key issues that financial services institutions must explore when they plot their Web 2.0 strategies. Widgets, which are simple interactive tools that provide single-purpose services such as presenting news or weather updates, represent a key technology that financial institutions need to investigate as part of their Web 2.0 strategy. Widgets are available on the desktop, on personal web pages, on social networks such as Facebook, on blogs, even on mobile devices through widely-available services provided by major technology vendors such as Microsoft, Google, Yahoo, Apple, RIM, Adobe, and others. However, since widgets were originally designed for consumer services, there are a number of adaptations that financial services institutions need to apply, before they can safely embrace widgets for business. This document answers seven questions financial services institutions need to ask before embarking on a widget project:

1. How can publicly-available, non-secure consumer technologies provide the requisite degree of security that retail financial services need?
2. What kind of services can you support via widgets? Can you provide the ability for customers to perform secure transactions or are the widgets limited to information updates?
3. How does the solution scale to support millions of customers?
4. How do you integrate with the proprietary enterprise applications and systems that contain the financial information and transaction data, so that you can leverage your existing IT investments?
5. How can you support the multitude of widget frameworks available through desktop operating systems, personal homepages, social networks, blogs, and mobile devices, without doing custom development for each framework? And how can you easily support new frameworks as they become available?
6. How can you monitor and audit operations performed via widgets? For example, how can you track which functions customers are using and to which promotions they are responding?
7. And perhaps, most importantly - how do you address the first six questions and get to market quickly, and within budget?
At the end of this document, a case study is presented that details how one retail bank successfully addressed these concerns and reaped the business benefits afforded by secure widgets. [1]

[1] Two companion documents provide background to common Web 2.0 trends as they apply to business in general and to retail financial institutions in particular. These documents are:
• Web 2.0 for Business: Trends, Statistics and Recommendations for Businesses, which presents industry data and statistics related to key Internet and Web 2.0 trends that impact business in general.
• Secure Widgets for Business: An Industry Spotlight on Retail Financial Services, which discusses the specific business case for secure widgets in the retail financial services market.

Introduction
A huge number of people today use Web 2.0 consumer tools on a daily basis. Widgets represent one of the most widely-used of these tools. In fact, comScore noted that 615 million people, representing 65% of worldwide Internet users, have already viewed or engaged with a widget. [2] Consumers use widgets to stay current with news, weather, flight delays, stock prices, and many other types of rapidly changing information.

What is a Widget?
Widgets are interactive virtual tools that provide single-purpose services such as presenting news, the current weather, the time, a calendar, a dictionary, a map program, a calculator, or many other things. Major technology providers such as Microsoft, Google, Facebook, Yahoo, Apple, RIM, Adobe, and others provide free widget frameworks for consumers to install and display a personalized set of widgets wherever they are – including on their desktop, on personalized web pages, and on mobile devices. Some examples of widget frameworks include the following:

Platform                     Widget Framework Provider
Computer desktop             • Google Desktop Gadgets
                             • Yahoo! Widgets
                             • Microsoft – Vista Sidebar Gadgets
                             • Apple – Apple Dashboard
                             • Adobe – Adobe Air
Personalized web homepages   • iGoogle
                             • My Yahoo
                             • Microsoft – Windows Live
                             • Netvibes
Web page                     • Microsoft – IE
                             • Mozilla Firefox
                             • Apple – Safari
                             • Google – Chrome
Social Networks              • Facebook
                             • MySpace
Blogs                        • Wordpress
                             • Typepad
                             • Blogger
                             • Vox
Mobile platforms             • Apple – iPhone
                             • RIM Blackberry
                             • Nokia Widgets / Widsets

Why Widgets?
Widgets are uniquely suited for the business purposes of providing consumers with rapidly-changing information, and to facilitate simple financial transactions, without the complexity of navigating to, and logging in to, a full-service customer portal. Several key advantages of widgets include the following:
• Widgets are readily available in the places consumers already spend time (desktop, web, mobile)
• Distribution is free and widgets can be distributed virally – consumers easily share “cool” widgets with friends and colleagues
• Widgets are trivial to install and use – no training or support is necessary
• Widgets allow institutions to provide a uniform user experience across many platforms, including desktop, web, and mobile.
• Widgets are selected and installed by consumers so that they represent a receptive, opt-in channel through which financial institutions can reach customers. “Opt-in” means that the channel can be used effectively for marketing purposes as well.

[2] Comscore, June 2008

Widget Examples
Several sample widgets are shown in the following figures (images not reproduced here):

Figure: Bill Pay Widget

Figure: Account Summary Widget

The Business Opportunity
Consumers’ positive experiences with widgets are fueling their expectations for banking convenience and availability. For simple operations like checking balances or portfolio holdings, or transferring funds, today’s online portal experience pales in comparison to the ease of widgets. Financial institutions today understand that widget banking provides an effective way to generate revenues, retain the existing customer base and attract new customers. Several specific examples of how widgets can help realize business goals for financial institutions are shown in the following table:

Typical Financial Services Offerings That Can Run On Widgets
• Account information
• Portfolio holdings
• Latest transactions
• Personalized alerts
• Report fraud/errors
• Order products/services
• Transfer funds
• Pay bills using account or credit card
• Account application forms (on affiliate sites)

How Widgets Generate Business
• Customers attracted by convenience
• Transaction volume increases as up-to-date information is exposed
• Higher conversion rates to marketing offers via receptive, opt-in channel

How Widgets Save Costs
• Customer-driven fraud detection reduces losses
• No distribution costs
• Free to deploy – widget framework suppliers provide infrastructure
• Stickiness – continuous customer interaction lowers defection rates
• Promotions are lower cost/more effective than ads

Financial institutions that embrace widgets for business stand to reap the benefits of better customer engagement, such as increased transaction volume and higher customer satisfaction. Plus, they can lower customer services costs as they improve business performance.


Mobile Banking Goes “Internet”
Despite enormous investments by financial institutions, mobile banking has been a huge disappointment. Today, only about 5%-7% of mobile subscribers regularly use their bank’s mobile offering. [3] Several reasons for poor adoption include awkward navigation, cumbersome interfaces, and a dearth of security. These deficiencies are partially eliminated in new, widget-enabled smart phones, which will become pervasive over the next two years. In fact, one analyst group predicts that over 1 billion widget-enabled smart phones will be sold by 2010. However, security and ease of deployment across multiple widget frameworks will continue to remain a challenge for secure applications running on mobile devices. As described in a companion paper, banks and other financial services institutions will use widget technology to unify the online and mobile banking experiences into a single, rich Internet experience, while lowering customer service costs. [4]

Seven Questions You Need To Answer Before Beginning a Web 2.0 Widget Project
This section raises seven essential questions you need to answer before embarking on a financial services widget rollout to consumers. The next section provides a case study describing how a retail bank answered these questions and rolled out a successful offering.

1. How can publicly-available, non-secure consumer technologies provide the requisite degree of security that retail financial services need?

Security
The issue of security is by far the most concerning for financial institutions reaching out to customers via public, non-secure Web 2.0 services. Addressing security concerns involves many different efforts; the top security concerns include verifying that:
• Consumers see only information they are authorized to see
• Consumers are not able to share data with unauthorized users
• Information en route to customers is not visible to third parties, is not stored on third-party servers and does not traverse public infrastructure unencrypted.
• Attackers cannot compromise sensitive information by exploiting open, consumer technologies
• Attackers cannot initiate new phishing schemes

While a detailed security review is beyond the scope of this document, each of the following security capabilities must be incorporated into a solution, to the satisfaction of the financial institution’s security and risk management groups:
• Authentication and identity management
• Access control
• Widget provisioning and preventing phishing attacks
• Defending against Web 2.0-specific threats, such as new variants of Cross-Site Scripting and Request Forgeries
• Securing client vulnerabilities, such as Injection Flaws and Anti-automation attacks

[3] Higdon, E., Consumers Are Apathetic About Mobile Banking, Forrester Research, July 2008, and Compass Intelligence, October 2008
[4] Secure Widgets for Business: An Industry Spotlight on Retail Financial Services, WorkLight, 2009.

Each of these is discussed briefly below. For a more detailed treatment of Web 2.0 security threats, refer to the recent Top Web 2.0 Security Threats report, published by the Secure Enterprise 2.0 Forum.

Authentication and Identity Management
Today, online bank customers are authenticated before they can access financial data or perform transactions. When looking to widgets to display financial data, it is not easy to use existing customer portal security infrastructure to authenticate customers, since widget frameworks are not secure and information traverses public networks, servers, and widget framework storage facilities. To be viable, however, it is absolutely necessary to apply all existing security controls such as digital certificates, one-time passwords, hardware tokens, biometric solutions, and others directly to widgets running on desktops, personal web pages, and mobile devices. And it is imperative that security credentials are secured end-to-end. Since widgets by nature are not secure, there are also challenges in providing appropriate visual cues to customers, so that they can be sure the connection is secure and that they can safely enter username and password information, analogous to the secure browser experience (the lock symbol displayed on SSL-encrypted web pages, etc.).

Access Control
Consumers must be able to access only the data they are authorized to view, as per the financial institution’s security policy. Control of access from Web 2.0 interfaces must be at least as strict as access control that is enforced within the native information systems and via the existing customer web portal.

Widget Provisioning
Typically, informational widgets like those that provide news, sports, and weather updates are readily available from publicly-accessible widget galleries, such as those provided by Google, Yahoo, Apple, and Microsoft. The accessibility of useful widgets is part of what makes them so appealing. However, for secure widgets, provisioning via public widget galleries without implementing additional security measures is highly problematic. For example, attackers can easily create “look-alike” widgets that perform pernicious activities, such as stealing user credentials or worse. It would be extremely difficult for a consumer to ascertain whether the widget was authentic or not. The challenge of making secure widgets readily accessible, yet secure, is not a simple one to solve.

Web 2.0 Threats
Two security threats particularly relevant to Web 2.0 tools like widgets are “Cross-Site Scripting” and “Cross-Site Request Forgeries.” Cross-Site Scripting (XSS) is an attack in which malicious input sent by an attacker is stored and then displayed to other users. Systems that allow users to input formatted content, such as HTML, are especially susceptible to XSS, since malicious input can be easily created, via scripts for example. If this input were to be displayed in a widget or web browser, the malicious code would be executed. Cross-site scripting attacks are often used as a platform to launch cross-site request forgery attacks. These attacks use injected scripts to send requests to the origin server of their execution context. Requests are sent along with any cookies associated with the origin domain and therefore look like legitimate authenticated requests to the server. As a result, they can perform all the actions of an authenticated user, including, potentially, banking transactions. Protections against these and other Web 2.0-specific threats must be addressed in order to provide a secure business environment.
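As an added illustration, not code from the WorkLight paper or its product: a small Node.js model of the two threats just described for a JavaScript widget. It renders a personalized alert built from formatted content in the XSS-prone form and in an escaped form, and shows the origin and anti-forgery-token checks a funds-transfer endpoint can apply to a request that arrives with only the session cookie; the origins, header names and session fields are assumed placeholders.

```javascript
// Added example, not code from the WorkLight paper. A Node.js model of the two
// threats the text describes for a JavaScript widget. The DOM is replaced by
// plain string rendering so it runs without a browser; the origins, header
// names and session fields below are constructed placeholders.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that could open a tag or close an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// XSS-prone rendering: customer-controlled content is concatenated straight into
// markup. If the alert body came from an untrusted source (a payee memo, a
// free-text profile field), any script in it runs inside the widget.
function renderAlertUnsafe(alert) {
  return '<div class="alert"><b>' + alert.title + "</b> " + alert.body + "</div>";
}

// Hardened rendering: the same markup, but every customer-controlled value is
// escaped, so the content can only ever be displayed as text.
function renderAlertSafe(alert) {
  return '<div class="alert"><b>' + escapeHtml(alert.title) + "</b> " +
         escapeHtml(alert.body) + "</div>";
}

// Server side: a funds-transfer endpoint reached from widgets. The browser
// attaches the session cookie to any request aimed at the bank's origin, so the
// cookie alone cannot show that the bank's own widget issued the request. Two
// further checks reject a forged request from a page on another site:
//   1. the Origin header (browsers set it on cross-site requests) must be one of
//      the hosts the bank actually serves widgets from;
//   2. a per-session anti-forgery token must be echoed in a request header; a
//      page on another origin cannot read the token, so it cannot add the header.
// Neither check stops a script already injected into the bank's own pages, which
// is why the escaping above has to come first.
const ALLOWED_ORIGINS = new Set([
  "https://widgets.example-bank.test", // constructed placeholder origins
  "https://www.example-bank.test",
]);

function validateTransferRequest(req, session) {
  if (!session || !session.authenticated) return { ok: false, reason: "no-session" };
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "bad-origin" };
  const token = req.headers["x-csrf-token"];
  if (!token || token !== session.csrfToken) return { ok: false, reason: "bad-token" };
  return { ok: true, reason: "accepted" };
}

// Constructed sample: an alert whose body carries markup it should never execute.
const SAMPLE_ALERT = { title: "Statement ready", body: "View it <script>leak()</script> now" };
const SAMPLE_SESSION = { authenticated: true, csrfToken: "tok-7f3a" };

console.log("unsafe:", renderAlertUnsafe(SAMPLE_ALERT));
console.log("safe:  ", renderAlertSafe(SAMPLE_ALERT));
console.log("forged:", validateTransferRequest(
  { headers: { origin: "https://attacker.test", "x-csrf-token": "tok-7f3a" } }, SAMPLE_SESSION));
```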


Client Vulnerabilities
Secure information, such as account balance information, served through Web 2.0 interfaces may be viewed through a wide variety of clients. Examples include widgets running in a web browser, desktop widgets, or mobile apps. Web 2.0 clients expose the consumer to an additional set of vulnerabilities, including the following examples:
• Widgets are typically small JavaScript applications that are interpreted and executed by a web browser or other JavaScript engine. As a result, their source code is easily accessible, making it easy to write malicious applications that accurately impersonate the original applications and can be used for phishing attacks.
• Widgets that run in web browsers often run within a personalized homepage, side by side with widgets from other sources. Such widgets rely on services provided by the personalized homepage environment to retrieve data. These services are not secure and allow the personalized homepage provider to view and in some cases cache the data.
2. What kind of services can you support via widgets? Can you provide the ability for customers to perform secure transactions or are the widgets limited to information updates?

Available Services
To be engaging, it is imperative that financial institutions provide widgets that not only display information, but also offer services deemed valuable to a large number of customers. While many customers want to view account updates, receive personalized alerts, and track recent financial transactions, the customer audience can be vastly extended if consumers are also able to perform transactions, securely, without having to log into the customer portal and navigate to the relevant web page. On the other hand, allowing two-way interactions via widgets introduces many additional security challenges, more complex integration with enterprise systems, and an additional burden of logging transaction activities performed via the widgets. Surmounting these challenges, however, will provide a financial institution with a huge competitive differentiator in the marketplace.

3. How does the solution scale to support millions of customers?

Scalability
The user dynamics of Web 2.0 differ significantly from those of Web 1.0. With traditional Web 1.0 sites, users navigate to a web site, issue a request, and receive a response. When applied to online banking, this usually involves checking bank balances or paying bills, which customers usually do once every week or two. However, in Web 2.0, where interactions are much more “real-time,” information refresh occurs at much more frequent intervals. For example, a desktop widget that shows a customer’s latest bank transactions (such as the one shown below) would either need to be triggered via transaction record updates on the bank’s systems or it would need to refresh many times a day. When multiplied across the millions of people using this widget, the load on the bank’s servers would be crushing. In order to scale to service millions of users, the financial institution has to architect the widget to mitigate the impact of this enormous load.


4. How do you integrate with the proprietary enterprise applications and systems that contain the financial information and transaction data, so that you can leverage your existing IT investments?

Integration
In order to provide information to financial services customers, it is necessary to tap into at least the following systems:
• Authentication / Security and Access Control Systems – to uniquely identify a customer and to display highly-personalized information and promotions (see “Security” above).
• Financial Services applications and information systems – to provide information related to balances, account status, portfolio holdings, transaction updates, outstanding bills, available promotions, personalized information alerts, etc.

Furthermore, if transactions such as bill pay are enabled via widgets, integration with applications and information systems must be bi-directional, with the additional complexities associated with validating data input and processing transactions. Additionally, an increased level of customer identification and security would also need to be applied for customer-initiated transactions. A viable widget solution for banks must provide solutions to these complexities.

5. How can you support the multitude of widget frameworks available through desktop operating systems, personal homepages, social networks, blogs, and mobile devices, without doing custom development for each framework? And how can you easily support new frameworks as they become available?

Multiple Consumer Platforms
There is a wide range of diverse Web 2.0-style services and technologies that are publicly available. Furthermore, there is significant disparity between them in terms of technical characteristics and user-experience. For example, there is very little overlap in the efforts needed to create and deploy a native iPhone application, a Vista Sidebar gadget, and an iGoogle web page gadget. However, in order to do business with customers “anytime/anywhere,” financial institutions must support them all, and the user experience across all platforms must be identical.


As an example, an Account Balance widget, running on multiple platforms, is shown below.

Account Balance Yahoo! Widget (Desktop)

Account Balance iGoogle Gadget (Personalized Homepage)

Account Balance Facebook Application (social network)

Account Balance iPhone App (mobile)

As existing platforms evolve and new platforms become available, it is necessary to support today’s and tomorrow’s platforms. Financial institutions should plan to provide multiple widgets, as customer dynamics shift and new business drivers emerge. Therefore, developing “one off” widgets for each platform is not a scalable option, nor is it cost effective. As such, financial institutions need to develop the capability to write each widget client once, and then deploy it effortlessly across all Web 2.0 frameworks.


The following is a partial list of current Web 2.0 frameworks that should be supported as part of a customer-facing widget rollout:

Platform                     Widget Framework Provider
Computer desktop             • Google Desktop Widgets
                             • Yahoo! Widgets
                             • Microsoft – Vista Widgets
                             • Apple – Apple Dashboard
                             • Adobe – Adobe Air
                             • Google Gears
Personalized web homepages   • iGoogle
                             • My Yahoo
                             • Microsoft – Windows Live
                             • Netvibes
Web page                     • HTML
                             • Microsoft Sharepoint
                             • Microsoft – IE
                             • Mozilla Firefox
                             • Apple – Safari
                             • Google – Chrome
Social Networks              • Facebook
                             • MySpace
Blogs                        • Blogger
                             • Wordpress
                             • Vox
                             • Typepad
Mobile platforms             • Apple – iPhone
                             • RIM Blackberry
6. How can you monitor and audit operations performed via widgets? For example, how can you track which functions customers are using and to which promotions they are responding?

Monitoring/Auditing
Access to protected financial data and customer information through Web 2.0 services must comply with existing company data policies and they must satisfy the gamut of industry-specific regulatory requirements. Therefore, financial institutions will need to maintain detailed and fine-grained auditing and retention across all widget platforms. Furthermore, financial institutions need to maintain rich and valuable statistics about customer usage patterns for marketing purposes. Understanding how customers are accessing services, which services are used most often, which promotions are most successful, and through which interface information is being transmitted, are critical to measuring the effectiveness and success of a widget rollout.


7. And perhaps, most importantly - how do you address the first six questions and get to market quickly, and within budget?

Time-to-Market
The first six questions introduced in this paper examine the needs of an enterprise-grade secure widget offering. Fulfilling all these requirements is a difficult challenge. Doing it in a reasonable time frame and budget is even more difficult. Trying to build a custom, “in-house” solution requires broad knowledge of multiple disciplines, a sizeable qualified staff, and many months of development and testing. So how can financial services institutions realize the promise of “anywhere/anytime” widget services quickly and cost-effectively? The answer lies in the use of an off-the-shelf Web 2.0 platform that addresses the challenges raised throughout this paper. The WorkLight for Financial Services product is just such a platform.

WorkLight® for Financial Services
WorkLight for Financial Services is a software-based server that is installed in the financial institution’s data center. It provides the following functionality:
• Security – uses the existing corporate security infrastructure to provide secure access to sensitive and proprietary data and services when accessed through public services, ensuring compliance with existing security policies and regulation
• Enables Transactions – allows financial institutions to provide customers with account and transaction data, as well as allows them to execute transactions like funds transfers and bill pay, directly from widgets running on the desktop, personal web page, or mobile device.
• Scalability – using a highly-scalable architecture that incorporates optimized data retrieval, caching, and serving technologies, WorkLight scales to millions of simultaneous users.
• Integration and Adapters – enables fast, lightweight integration via a host of off-the-shelf adapters that integrate quickly and easily with applications, databases or technologies, through simple adapter configuration. A simple programmatic adapter interface is also provided, allowing customers and third parties to easily develop new adapters.
• Widget Development Framework – allows financial institutions and third-parties to quickly develop widgets using standard methodologies and technologies, such as AJAX and Flash. A widget is written one time and then WorkLight deploys the widget across a multitude of publicly-available Web 2.0 widget frameworks, for desktop, personal homepages, and mobile devices.
• Monitoring / Auditing – allows financial institutions to track services accessed via widgets, overall widget usage, transactions executed via widgets and more. This is a necessary component to comply with industry regulations and security policies.

A detailed description of WorkLight for Financial Services and how it specifically fulfills the requirements of today’s financial institutions is available from WorkLight. For more information, email: info@myWorkLight.com or reach WorkLight via any of the contact points below.

WorkLight Inc. 415 Madison Avenue 14th Fl New York, NY 10017 Tel: 1 (866) WRK-LGHT

WorkLight - European Office P.O Box 698, London EC2A 4RR, United Kingdom Tel: +44 (0)20 70601423

WorkLight Ltd. POB 362, Shefayim 60990, Israel Intl Tel: +972-9-9525600 Intl Fax: +972-9-9525630


WorkLight® For Financial Services Case Study
The Company
A national retail bank

The Problem
As a large retail bank with millions of customers, this institution was looking for innovative ways to engage customers and stand apart from rising competitors. Already having a foothold in Web 2.0 and social media, this innovative bank sought a cost-effective way to extend its business reach across any Web 2.0 service. Initial explorations into the different consumer Web 2.0 platforms showed that adequate security and scalability capabilities were lacking, and the bank was looking for an ironclad, reliable solution to extend its Web 2.0 presence where customers are spending their time online – popular Web 2.0 services, such as desktop and web-based widgets, Smartphone apps, RSS, social networks and more.

The Solution
Motivated to be an innovative leader, the bank selected WorkLight for Financial Services as the central element in a project led by the bank’s Innovation Manager. WorkLight deployed its signature WorkLight Server at the bank’s data center, which maintains enterprise-grade security, scalability, audit and integration with the company’s back-end information systems. With WorkLight’s single platform, the bank rolled out secure widgets on the following Web 2.0 platforms – iGoogle, Netvibes, WindowsLive, Google Desktop, Yahoo! Widgets, Vista Sidebar, Apple Dashboard, the iPhone, and more. The bank allows customers to manage their different accounts, and track account balances and transactions. In an effort to up-sell and cross-sell, the bank includes special offers and promotional banners as part of the widget. None of the information that is available through the widget is ever cached or traverses any 3rd party website.

The Result
The banking institution became a Web 2.0 first-mover. It has secured a competitive edge by offering the first Banking 2.0 widget of its kind to customers in its geography. The bank and its customers have benefitted in the following ways:
• Enhanced relationship with customers by meeting them where they spend their time online
• Customers save the time and effort of repeatedly logging in and navigating the portal
• Account errors are reduced, and noticed sooner, through constant access to current account status
In addition, the bank is now able to:
• Increase activities of existing customers by leveraging a highly-personalized, opt-in marketing channel
• Reduce the cost of servicing customers, since more customer transactions are handled via self-service. Customers do not have to navigate to a portal, since the provider “appears” right where customers spend their time online
• Improve customer loyalty since the bank is able to maintain constant contact with its customers, and better understand what they want
