Obopay Mobile Payments - A First Look
We've posted a first look at Obopay's just announced mobile payments service. Click here to read the full text.
First Pass: A Look at Obopay's Mobile Payment Service
Palo Alto-based Obopay announced its new mobile payments service on Thursday. The Obopay management team includes CEO Carol Realini, VP Marketing & BizDev Howard Gefen, CTO John Tumminaro, and CFO Pete Hosokawa. According to Gefen, Obopay will be exhibiting at the upcoming CTIA show in Las Vegas in the Qualcomm and Nokia booths. A few weeks ago, the company announced it had closed a $10 million financing round from investors Redpoint Ventures, ONSET Ventures and Richmond Management. Obopay says it will begin taking user registrations on its web site later this month.
In this article, we take a first look at Obopay's new mobile payments service - based upon information currently available on the Obopay web site (including this PDF white paper), in its Thursday announcement press release (PDF), and from discussions we had with the Obopay management team.
The Obopay Account - A Mobile-enabled MasterCard Prepaid Debit Card Account
Obopay is more than just a mobile payment service - it's actually a prepaid debit card account that is enabled for mobile payment functionality. The company calls this approach "Obolizing" the account. In the future, other kinds of accounts might also be "Obolized" - for example, a bank might "Obolize" its checking accounts, enabling them for mobile payment and mobile banking applications.
Once you've successfully opened and funded an Obopay account, you'll soon receive an Obopay MasterCard Debit Card in the mail - which can be used to spend the funds in your Obopay account (or to withdraw cash at ATMs) everywhere that MasterCard is accepted.
Obopay's Most Convenient Mode Requires An Application On Your Phone
To use Obopay, you first need to create an account on Obopay's web site (scheduled to be open for registrations later in April) and then download an application to your mobile phone. Unlike TextPayMe and PayPal Mobile, Obopay is not primarily SMS-based (although it optionally supports SMS) but works best (i.e., is more convenient with richer functionality) when using the Obopay application software resident on your mobile phone.
Loading Funds Into Obopay Accounts
Loading of funds into an Obopay account will also be possible by linking the account to an existing bank checking account, by using a credit card to fund the Obopay account, or using cash at what Obopay is calling a "load network center" in your neighborhood (details about where you can load cash into your Obopay account haven't yet been released). The Obopay web site currently says it will be depositing $10 free into the Obopay account of each new user who registers for the service. Presumably having to register the phone number avoids some of the difficulties that PayPal had years ago when it offered similar "bounties" on new user registrations tied to email addresses (that can be easily obtained in quantity!).
Obopay Mobile Payment Transactions
Using the Obopay application on your mobile phone, you can perform a number of payment functions including:
- Check the balance in your Obopay account - available for spending using either the phone or the Obopay MasterCard Debit Card
- Request payments from others (they must become Obopay accountholders to actually send you the funds)
- View your Obopay payment history
- Send money (optionally including an associated text message) to other Obopay subscribers
In addition to being able to view payment history, etc. on your phone, you'll also be able to do the same functions using the Obopay web site.
Glenbrook's Quick Analysis, Commentary
Obopay is the first serious mobile payments company to have publicly launched that is based primarily upon rich application functionality resident on the mobile handset itself. This approach could allow Obopay to take the lead in delivering a graphically rich, more convenient user interface as compared to the SMS-based approaches of TextPayMe, PayPal Mobile and others. Motorola's M-Wallet announcement earlier this year appears to be rooted in the same philosophy as Obopay - although details about M-Wallet remain sketchy.
The downside of the mobile phone-resident application is getting the support of the mobile carriers to certify it and make it available to their subscribers. The mobile carriers generally play a gatekeeper role with respect to what applications they make available inside their "walled gardens". Obopay says it is "currently engaged in working trials with major wireless carrier companies and expects to complete those trials and the ensuing qualification programs in time to be offered by major wireless operators before the end of the year." Obopay also says that, on the GSM-based mobile networks (Cingular, T-Mobile), certification will actually not be necessary for the majority of mobile handsets on those networks.
In our earlier article on PayPal Mobile, we speculated that PayPal might also deliver a phone-based application in cooperation with mobile carriers interested in cooperating to offer the PayPal Mobile service. It feels to us like a horserace is shaping up between Obopay, PayPal Mobile, and perhaps others with respect to garnering the support of the major mobile carriers in the US for mobile payments. If there's really a market here for mobile payments - and that's yet to be demonstrated - it appears we've got that classic situation of an incumbent introducing new features - but really spending most of its management focus on its current business - (that's currently PayPal - amazingly, they're the "incumbent" in this race!) vs. the scrappy entrepreneurial startups of Obopay, TextPayMe, and likely some others yet to emerge who are just running for daylight on this mobile payments field of opportunity.
It seems to us that it would be logical for the carriers to want to "play the field" for a while here - perhaps doing trials with several before deciding whether they want their subscribers to be able to download only one mobile payment application or whether they enable several. Whether there's any economic advantage (beyond just network time, SMS charges, etc.) is also likely to be an important factor in those negotiations with mobile payment providers and the decisions ultimately reached by the carriers. Equally important will be the carriers' assessments of who are the "white hats" vs. the "black hats" here - is PayPal actually friend or foe, for example, from a carrier's perspective? Can a "white hat" startup position itself as the best alternative in the minds of the carriers? The emerging MVNOs could also be real wildcards here as well - as they're able to make their own decisions about the height of their "walled gardens", etc.
With its companion debit card, Obopay enables its subscribers for spending anywhere MasterCard is accepted - without having to wait for any new technology to be deployed at the point of sale. Because card activity is integrated into the user's Obopay account, card transactions will show up in the reporting available on the user's mobile phone once they've been posted by the merchant. PayPal also offers a PayPal ATM/Debit MasterCard -- but only upon request to Premier or Business accountholders who have had their PayPal accounts opened at least 60 days and who have linked their PayPal account to both a credit card and to their their bank checking account. One of our partners trying to understand all of this asks (for both Obopay and PayPal Mobile): "So, is the card attached to the account - or - is the account attached to the card?"
Obopay doesn't offer the IVR-based mobile payment capability that PayPal Mobile will offer. How important that feature will be is frankly anyone's guess.
PayPal Mobile also uses a separate confirmation process - actually calling you back to capture your PIN via DTMF to authenticate a payment request - that on the one hand may provide better security and risk management (especially vs. pure SMS-based mobile payments) but on the other hand is one more step for the user to complete. One important advantage of PayPal's two-step confirmation approach is that there are no SMS messages containing PINs actually logged on your handset - so, if the handset is ever lost or stolen, the user's PIN information is simply unavailable because it's never been sent over SMS and has never been logged on the handset.
Obopay hasn't announced any specific plans with respect to supporting merchants. There's no "Text to Buy" feature like PayPal Mobile has introduced. The companion debit card goes a long way towards maximizing the shopping utility of an Obopay account from a consumer standpoint - and, until carrier certifications actually occur - that may be all that's really available with an Obopay account.
With respect to person to person payments, because of the application requirement, anyone you send money to has to be using a mobile carrier who's agreed to participate in the Obopay system and has certified their application for use. Depending upon the rate at which carriers adopt Obopay, this could be a barrier to adoption - but Obopay's management tells us they've already addressed this by the simple addition of an SMS-based option also linked to the Obopay core account.
It's also worth nothing that carriers can also block SMS short codes from parties they'd prefer not have access to their subscribers - so even PayPal Mobile or TextPayMe could be blocked by a carrier unilaterally. Some say SMS is "ubiquitous" on handsets these days - but like a lot of things in wireless, that's a feature only in the eye of the beholder.
Preliminary indications are that the sender will be charged 10 cents by Obopay to send money - although presumably that could change if you're sending money to merchants who might pay Obopay to receive payments.
Next Steps
Once Obopay has begun accepting user registrations, we expect to learn more details about their service. At the moment, there are no terms of service or specific pricing details yet posted - and often the details of these services don't become fully clear until you understand those terms.
We'll continue to monitor Obopay's progress - along with PayPal Mobile and others - and provide an update once registrations have begun or whenever the company makes new news. April is shaping up to be a most interesting month for mobile payments in the United States.
Stumble It!
There are a couple of things you mention in your review that I'd like to provide counterpoints on. The first is the risk/safety of pure SMS versus IVR/DTMF. The second is this issue of lost phones.
First, it's not entirely accurate to say that IVR/DTMF systems are more secure than pure SMS. IVR/DTMF solutions don't use the encrypted mobile network through the entire call chain: PayPal and TextPayMe make those calls from a POTS switch or via VoIP. Tapping a POTS line is trivial (ask the President!) and DTMF is not encrypted. VoIP in most flows must also use POTS at some point to call a mobile.
Even if the IVR system was end-to-end on the mobile network, it actually CREATES a hole for hackers. The best way to defeat GSM/CDMA encryption (this is obviously very simplified explanation) is to send a message with content you know to a number and use the knowledge of the content to break the code. You need a few seconds of call time to do this. Since PayPal and TextPayMe's system says exactly the same thing each time it calls you...
By contrast, there is no session with SMS; it doesn't provide an easy opportunity to analyze. It's also easier to randomize in content (changing the sequence of words or using synonyms.) That's not to say there aren't weaknesses in the chain, particularly to criminal employees inside a carrier's network; but that's no different than DTMF or phone banking or credit card customer support (when you enter your card number on a support line.)
The DTMF model was used by SimPay, which failed mostly due to carrier spats, but it didn't get sparkling reviews from initial users. Pure SMS based systems have operated in the Philippines (G-Cash) and the EU (LUUP) without any (reported) security incidents for longer than any DTMF system. Neither requires new hardware or software. Plus, the user doesn't have to switch modalities (text vs. IVR) or learn a new application.
I should point out that doing any of the above hacking is very, very difficult on voice or SMS and I do not suggest that Paypal or TextPayMe are not secure. Note also that telephone banking hasn't resulted in major security breaches, even though none of that is encrypted.
To the second point: I don't get why a lost phone, even if it has a PIN stored on it, poses any more risk than a lost credit card or debit card, both of which can be used illegally via signature at POS. Signatures provide exactly zero security. I can't even remember the last time a merchant compared my signature to the back of the card (I've been testing this using a different signature of many months now and not once has it been noted.)
The real issue is converting credit/debit to cash instead of buying a product you have to fence. A PIN does prevent cash access at an ATM, but that's almost as irrelevant to mobile payments as it is to signature card transactions. A PIN can help counter spoofing attacks (also hard to do) but it's also simple to offer users the same kind liability protection they get on lost credit/debit cards. Report it in 24 hours and most banks don't hold you responsible (not all banks, for sure, but many.) Finally, I'll bet you that you'll notice your phone is missing a LOT faster than your wallet!
Most mobile payment systems, unlike credit/debit, can't be skimmed; you have to steal the phone too. While a fake ATM can capture card numbers and PINs, with mobile, even if you do clone it (easy on old AMPS phones not on GSM/CDMA) and also get the PIN, it's pretty hard to prevent the real phone from getting the SMS/IVR confirmation request, which the real user can reply to. Also, this means that systemic fraud (i.e. when thousands of card numbers are stolen from a database) is much harder to perpetrate.
It's much simpler for a crook to pick your pocket or mug you. Or for someone to open a card in your name and steal your identity. Or for your wife to empty your bank account and abscond to Bermuda with her Latin lover. Not that that ever happens.
Posted by: neet | April 03, 2006 at 05:14 AM