Otkritie Mobile Bank: development in reverse

    “First, a convenient registration mechanism was invented, and only then the means of protecting it”
    Case study on the development of a mobile bank for iOS smartphones





    Bank 3.0: the revolution in banking is in full swing
    Important structural changes are under way in the banking sector under the influence of IT; the process is called digital transformation. Where IT used to automate business processes that had formed in the distant pre-IT era, and the work came down to squeezing a few percent of efficiency out of them, IT capabilities now give rise to business models that did not exist before. And mobility plays the key role.

    “The bank today is not somewhere you go, but something you do,” writes Brett King, author of the best-seller Bank 3.0. Anyone who believes that the branch is the only thing that will make the client happy has already lost the battle for today's consumer. Just ten years ago, 50-60% of transactions went through a cash desk at a bank branch. Now 95% of operations are carried out over the Internet, from mobile phones, at ATMs or through call centres. Clients would like to visit a branch no more than once or twice a year, yet overall they intend to interact with the bank more often than before: 20-30 times a month from a smartphone and 7-10 times from a tablet.

    Mobile bank: a profit centre, not a cost centre
    In Russia, 6.6 million people make at least one online payment from a mobile device every month. Yet many banks still see the mobile application as an unfortunate necessity (and expense) to please the tastes of an overly advanced young audience. There is already an Internet bank, use it! No, they insist on a native application! Fine, let them have it. Most first-wave mobile banks were launched with exactly this attitude. Predictably, they gave no impetus to business growth and were written off as expenses, which is why banks now approach mobility with a certain scepticism.

    But the role of the mobile channel in the overall structure of banking services has changed dramatically. Mobile banking is turning from an auxiliary channel into the main one (by various estimates, a client who uses mobile technology brings the bank roughly five times more income). Moreover, when choosing a bank, consumers have started to weigh the quality of its mobile application.

    Almost half of customers (48%) consider the quality of the mobile application an important factor when deciding whether to change banks.


    When the customer knows what they want
    The ideal customer for an application is a technology-driven company that understands the importance of IT to its business. Banks do not merely understand this value; they build their entire business on IT. The bank's working group on the project (IT, security, marketing, client services and so on) needs no explanation of the technology or of the business benefits.

    (The absence of a clear customer strategy for developing multi-channel interaction with clients, of which mobile banking is one part, should be treated as a serious project risk.)

    Otkritie, a young team of mobility enthusiasts who wanted to give their clients a first-rate service, formulated the business needs, and Redmadrobot turned them into a product.

    For Otkritie, the mobile bank is part of a single integrated service system available on various platforms and devices, not only the iPhone. Work is already under way on the Android version for smartphones (it will appear on Google Play this year) and on tablet versions. The bank is updating all of its interfaces: the redesign of ATMs and of the electronic queue system has begun, and payment terminals are next. The mobile app is part of this update concept.

    When developing the application, we started from two important tasks: to satisfy the basic needs of the bank's private customers, and to satisfy the business needs of the financial institution itself (to gain an additional channel for selling banking products and to increase customer loyalty by conveying the idea of simplicity and convenience of banking services). For us, a mobile bank is another channel for selling services.
    Ideally, we want all of our customers to have the mobile application installed. After all, the smartphone market has now reached a level where devices are no longer prohibitively expensive. The main indicator to watch is the number of successful registrations. So it was important for us to make the registration process so clear that nobody would ask “how do I register?” or “what do I tap here?”
    Alexey Kruglov, Senior Vice President, Marketing and Client Services Director, Otkritie Bank

    Design and security are the main advantages
    Mobile app developers cannot influence the set of banking products in any way: the set of services is defined by the financial institution's specialists (and those services are roughly the same at every bank: account information, payments, transfers, statements, currency conversion and so on). So the focus should be not on WHAT to build, but on HOW.

    The “how” is UX and code quality. In the Otkritie project, design was treated as a competitive advantage of the mobile product. Particular attention was paid to security, in the sense that it must not get in the user's way. Yes, exactly that. On the one hand, security has to be impeccable (a single high-profile incident is enough to discredit the whole system, and then no design will help: users will abandon it); on the other hand, that security must not be achieved by stripping down the product and its capabilities.



    The road to good design runs through many iterations
    Good design cannot simply be produced in one go, even when everything is clear in principle: the business requirements, the brand book and so on. Ten variants of a single screen is not the limit on the path to excellence. And even variants accepted and approved by the customer had to be changed later.

    (It is very important to establish version control in project management.)

    The Otkritie brand book had to be adapted slightly for iOS: in keeping with Apple's guidelines and traditions, interfaces on mobile devices are brighter.



    A native prototype is sometimes not a luxury but a necessity
    In most cases, to evaluate the interface design and the transition logic at the design stage, a simple HTML prototyping service will do. However, this method does not allow one to fully appreciate the dynamics and feel the interactivity of the future application. Since design had been chosen as an important competitive advantage, such nuances could not be neglected, so it was decided to build a native prototype: almost a real application, only without real data and without the server side, to give a complete sense of working with the product at the UX testing stage.

    Of course, this is more expensive and more complicated, but in this case the end justified the means. Equally, this approach will not be justified in every project.



    Usability testing by a third party
    With usability there is a risk that the customer and the developer will not reach consensus on how convenient and understandable the interface is, and this will become grounds for conflict. Subjectivity cannot be eliminated entirely, and each side's opinion of what counts as a good interface decision and what counts as a bad one can differ greatly. Most importantly, both may be wrong, because users often have their own, completely different preferences.



    So the developer should only welcome it when the customer brings in outside usability experts; the relationship is more likely to be strengthened than destroyed. In such a “triangle”, responsibilities can be divided more rationally: the customer handles the business requirements, the developer produces the design, and the usability specialists give feedback.

    Otkritie Bank chose Usethics as its usability testing partner.
    The test scenarios covered about 70% of the functionality of the first version of the product: registration, re-entering the application, viewing account information, payment history, paying for services, and searching for branches and ATMs. Respondents were recruited from iPhone users who also used Internet banking.

    The designers watched the testing in progress and worried about the users: would they find the right button or not? Sometimes they did not, and then the interfaces were fixed and tested again.



    According to the test results, subjective satisfaction with the application was 92.8%, and overall 98% of respondents rated the Otkritie mobile bank positively.

    But there is no reason for euphoria: usability is tested on model data and does not cover every kind of user, so in real use some interface problems will surface anyway and will have to be fixed.

    The application needs “customization”
    Everyone on the project liked the idea of making the “Pay” action a slider, like the one that unlocks a smartphone. It is fully consistent with Apple's guidelines, too, so there was nothing to object to.



    However, App Store review rejected this version with the wording “the application lacks customization”: you cannot use system components for purposes of your own. That is, the application should look original and distinct from the system screens. Alas, the payment slider had to go.

    Uniformity and standardization are not always good
    It is customary to strive for uniformity in the interface, so that similar functions get similar screens. But there are situations where this rule does not work.

    To enter the application, the user has to enter an access code. But first that code has to be created, right? It seemed logical to the developers to give these screens an identical design. The captions were different, of course: “Enter the code” and “Create a code”. Usability tests showed that users were confused and did not understand what the system wanted from them when it asked them to create a code: the visual resemblance to the login screen threw them off. So it was decided to make the two screens clearly distinguishable visually and, at the same time, to add textual explanations.



    (Do not count on users being attentive. If something can be mixed up, they will mix it up. Murphy's law, almost.)

    Copywriting: “Do not save the file: YES / NO?”
    This old joke about the file-save dialog is still relevant. Users are often confused by the names of functions, the wording of questions, hints and other text in the application, even though the designers themselves think everything is clear.

    Users simply did not notice the laconic caption “create an access code”. So in addition to changing the appearance, we had to provide a fairly detailed explanation of what the screen requires of the user.



    Better to allow some redundancy and verbosity; more often than not it works as a plus rather than a minus. Users read instructions only as a last resort, when nothing else has worked, and once the text becomes familiar they get used to ignoring the extra words.

    Security must be there, and must not be visible
    It is hardly news to anyone that a bank's mobile application must be secure. Every developer knows this, and yet vulnerabilities are far from rare.



    Banks often cap the size of transactions made through mobile applications to minimize their risk, thereby limiting the scope of the application, and their own potential income with it.

    Is it possible to create a truly secure mobile bank? One that is absolutely invulnerable to every attack vector, no: protection methods, as a rule, appear in response to incidents that have already happened and been discovered. But a reliable application, protected against the majority of currently known threats, can certainly be built, with a high degree of security coming from correct code and competent interaction with the bank's internal systems.



    Working with banks (Otkritie is not our first banking project), we had to reconsider our approach to building secure applications. This concerned not so much the working practice and the actual writing of code, which was already fine, as the documentation and the preliminary study of the architecture. The bank's security service works on the basis of a threat model and requires a reasoned and clear answer as to how we counter each particular threat. For example, what do you do about identity spoofing in a man-in-the-middle attack? We answer: “For that we have such-and-such.” The result is two documents:
    1) formal requirements for application security: requirements for the code, the architecture and data storage;
    2) requirements for interaction with the server.
    In effect, every decision taken on the project was checked against the security requirements. At the start of the project, security work took up 25% of the time. Then, once the architectural decisions had been made, we spent almost no time on information security issues.
    Arthur Sakharov, mc_murphy, Technical Director of Redmadrobot


    Quality assurance from the first stages of the project
    The Redmadrobot QA team joined the project at the analysis stage. This helped to avoid large-scale rework at the development and testing stages. The test cases and test plans included not only functional and UI/UX testing but also security testing.

    The client application used the same server-side components as the bank's online personal account, and defects found while testing the mobile bank were fixed there, which improved all of Otkritie's financial services.

    HP Fortify: a top-level security check with a static code analyzer
    Hewlett-Packard's Fortify Static Code Analyzer is one of the most serious Software Security Assurance (SSA) verification tools on the global market. Independent experts from HP Fortify checked 37,225 lines of the Otkritie mobile bank's source code; the analyzer revealed no critical security vulnerabilities.

    The analyzer scans the source code of the application and the server, identifies possible attack vectors and the scenarios for defending against them, then prioritizes the results and produces detailed reports (down to individual lines of code). The greatest attention is paid to data handling: whether data is written to disk, whether it is transmitted unprotected, and whether the snapshot iOS takes of the screen when the app goes into the background is masked. A clean static scan is a necessary check, not a sufficient one: findings below “critical” still need triage, and logic flaws in the server interaction are outside what a source scanner can see, so the scan complements, rather than replaces, the threat model and the security test cases mentioned above.

    Unique: registration in the application with a bank card
    Starting to use a mobile bank is often not so simple: you need to obtain a login and password at a branch or by some other route, wait for the registration to be processed, and so on. The Otkritie project set itself the task of removing all of these delays and letting the client become a mobile-bank user as simply as possible.

    We found an original solution: the client registers with their bank card number, and no logins or passwords are needed any more. Since the card number itself cannot be stored on the device for security reasons, we had to devise our own mechanism of identifiers for registration. The application generates a new identifier and sends it to the server; the server sends an SMS with a confirmation code, and that is it, the mobile bank is ready to use. Naturally, the exchange with the server is encrypted, using the standard iOS libraries and HTTPS. (HTTPS counters the man-in-the-middle identity spoofing from the threat model only as long as the client keeps the platform's certificate validation switched on; disabling it for a test build and shipping that build is a classic mistake.)

    To make life easier for the user, card recognition is built into the application: just point the iPhone camera at the bank card and the number is read automatically (if the card is embossed). After that, the user creates a PIN code and from then on enters the application with it. This is secure enough, because the application can be blocked if the phone is lost: on the bank's side the identifier is marked as compromised, it can no longer be used to enter the system, and the client has to register again.
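    The registration flow just described, as an added example that is not part of the original article and not Redmadrobot's or Otkritie's code. It simulates both sides in one Python process: the device persists only a random identifier in place of the card number, the server binds that identifier to the card it looked up, confirms with an SMS code, and refuses the identifier once it is marked compromised. Everything beyond the article's description is an assumption: the identifier is 32 CSPRNG bytes, the code is six digits with a five-minute lifetime and three attempts, the server stores only a SHA-256 of the identifier, and the card table, phone number and card number are constructed sample data. HTTPS, real SMS delivery, card OCR and the PIN screen are out of scope.

```python
"""Simulation of card-number registration with SMS confirmation and
identifier revocation.  Added example, not the article's own code.
Assumptions: 32-byte CSPRNG identifier; 6-digit code valid 5 minutes with
3 attempts; server keeps only a SHA-256 of the identifier.  Transport
(HTTPS), SMS delivery, card OCR and the PIN screen are out of scope."""
import hashlib
import hmac
import secrets

OTP_DIGITS = 6           # assumption: 6-digit SMS confirmation code
OTP_TTL_SECONDS = 300    # assumption: the code lives for 5 minutes
OTP_MAX_ATTEMPTS = 3     # assumption: 3 wrong codes cancel the registration


class RegistrationError(Exception):
    pass


def _key(device_id: str) -> str:
    """Server stores a hash, not the identifier (assumption): a leaked table yields nothing usable."""
    return hashlib.sha256(device_id.encode()).hexdigest()


class BankServer:
    """Server side: card lookup, SMS code, identifier lifecycle."""

    def __init__(self, cards: dict):
        # cards: card number -> {"client", "phone"}; constructed stand-in for the card system
        self._cards = cards
        self._pending = {}     # hashed identifier -> registration in progress
        self._devices = {}     # hashed identifier -> {"client", "compromised"}
        self.sms_outbox = []   # (phone, code) pairs an SMS gateway would send

    def start_registration(self, device_id: str, card_number: str, now: float) -> None:
        card = self._cards.get(card_number.replace(" ", ""))
        if card is None:
            raise RegistrationError("unknown card")
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[_key(device_id)] = {
            "client": card["client"], "code": code,
            "expires": now + OTP_TTL_SECONDS, "attempts": 0,
        }
        self.sms_outbox.append((card["phone"], code))

    def confirm_registration(self, device_id: str, code: str, now: float) -> None:
        k = _key(device_id)
        p = self._pending.get(k)
        if p is None:
            raise RegistrationError("no registration in progress")
        if now > p["expires"]:
            del self._pending[k]
            raise RegistrationError("code expired, start over")
        if not hmac.compare_digest(p["code"].encode(), code.encode()):  # constant-time compare
            p["attempts"] += 1
            if p["attempts"] >= OTP_MAX_ATTEMPTS:
                del self._pending[k]           # too many tries: registration must restart
            raise RegistrationError("wrong code")
        del self._pending[k]
        self._devices[k] = {"client": p["client"], "compromised": False}

    def login(self, device_id: str) -> bool:
        rec = self._devices.get(_key(device_id))
        return rec is not None and not rec["compromised"]

    def block_client(self, client: str) -> None:
        """Lost phone: every identifier of the client is marked compromised and refused from now on."""
        for rec in self._devices.values():
            if rec["client"] == client:
                rec["compromised"] = True


class MobileApp:
    """Device side: persists only the random identifier, never the card number."""

    def __init__(self, server: BankServer):
        self.server = server
        self.device_id = None

    def register(self, card_number: str, read_sms_code, now: float) -> str:
        self.device_id = secrets.token_hex(32)   # fresh per registration, unrelated to the card
        self.server.start_registration(self.device_id, card_number, now)
        self.server.confirm_registration(self.device_id, read_sms_code(), now)
        return self.device_id                    # card_number is dropped here, not stored

    def login(self) -> bool:
        return self.device_id is not None and self.server.login(self.device_id)


def run_scenario() -> dict:
    """Register, log in, lose the phone, get blocked, register again."""
    server = BankServer({"1234567812345670": {"client": "c-1", "phone": "+7 900 000-00-00"}})
    app = MobileApp(server)
    read_sms = lambda: server.sms_outbox[-1][1]   # the user types the code from the SMS
    first = app.register("1234 5678 1234 5670", read_sms, now=1000.0)
    result = {"login_ok": app.login()}
    server.block_client("c-1")                    # the client reports the phone lost
    result["login_after_block"] = app.login()
    second = app.register("1234 5678 1234 5670", read_sms, now=1010.0)
    result["login_after_reregister"] = app.login()
    result["new_identifier"] = first != second
    return result
```

    Calling run_scenario() walks through registration, login, the lost-phone block and re-registration. The points worth checking are that the block is enforced server-side, so a stolen device holding a valid identifier is cut off the moment the client calls the bank, and that the identifier issued after re-registration is unrelated to the old one; the code comparison is constant-time and the pending registration is discarded on expiry or after too many wrong codes, which a real deployment would also need to rate-limit per card and per phone.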

    And yes, Touch ID login on iOS 8 is also supported. Incidentally, the Otkritie mobile bank is the first on the Russian market with fingerprint identification.

    Communicating with the server: an API with a foundation for the future


    On the server side there is a single entry point for the mobile client: middleware developed by the bank, which in turn is integrated with all of the internal systems (CRM, payments, plastic cards and so on).

    The application talks to the server through our RESTful API, which was made universal so that the bank's other services and web applications can use it. It was created in several iterations, starting from the data model, and from the outset it was designed for reuse and extension. The result is a fairly simple, very convenient and scalable interface.
    The API now covers one and a half to two times the functionality of the first version of the application. In general, the architecture should be created with a foundation for the future, so that you do not have to change anything fundamental as the application develops.
    Arthur Sakharov, mc_murphy, Technical Director of Redmadrobot


    What has been done and what is next
    The first version of the mobile bank supports a standard set of functions:
    - Creating a personal access code for quick re-authorization;
    - Detailed information on cards, loans and deposits;
    - Viewing statements;
    - Quick card top-up;
    - A combined history of payments made through the mobile and online bank, with the option of repeating an operation;
    - Payment for mobile communications, pay TV, utilities and much more;
    - Transfers within Otkritie Bank;
    - Currency conversion;
    - Quick search for the nearest ATMs and branches;
    - Quick contact with the bank's support service by hotline or e-mail.
    By the end of the year the application will gain transfers to other banks and online consultations, the statement view will be refined (filters, categories of operations), and much more. The release policy calls for monthly updates aimed at improving the application's stability and adding new functionality, tracking how well the customer's business needs are met and updating the product development plan.
    The iOS version for smartphones will be followed by a mobile bank for Android and tablet versions.
