By John Ginovsky
In its December report on the emergence of corporate mobile banking, Celent wrote that “a slew of new devices, cheaper data plans, and faster networks are upon us. Business mobile users have the opportunity to take advantage of rich and powerful mobile banking services, provided their bank has an offering.” Sounds pretty good. But the report, “Corporate Mobile Banking: Revolutionizing Cash Management,” authored by Jacob Jegher, also raises red flags about security.
ABA Banking Journal Tech Topics recently spoke with Jegher about the report’s findings, particularly emerging security issues.
Tech Topics: What’s the difference between corporate and retail mobile banking?
Jacob Jegher: Corporate mobile banking isn’t for everyone. It’s meant for a specific profile of user. Retail banking services, what you and I would use, are meant for the masses. Anybody can pick them up and benefit. For example, if you spend your day working in accounts receivable or accounts payable, sitting in front of a computer, you have no use for corporate mobile banking.
But if you’re a senior executive who has decision-making capabilities for the business and you need to act on things on the move, corporate mobile banking is for you. The types of positions that would apply would be CFOs and treasurers, senior vice presidents, and vice presidents who would be in charge of finance or money movement. That would be the key difference.
Following along those same lines, for the functionality in the corporate space, whether it’s online or mobile, the bank has to have an entitlements hierarchy, or things that require separation of user tasks. If you are an employee in operations, you may have authority to send a wire payment up to $1,000, for example. The moment you cross $1,000, you’re required to get approval from someone else up the chain. The workflow to follow these payment approvals has to be built in. Anything involved in decision-making is key. Payment approvals, positive pay, exception items, those types of things would be really critical to corporate mobile.
TT: Your report warns against an upcoming explosion of fraud attempts as corporate mobile takes hold. What would cause such an explosion?
Jegher: Right now there’s little or no fraud in corporate mobile banking, but there are a few things that would cause it to explode.
The first would be prevalence. If this starts to be adopted by the large financial institutions, there’s a lean towards high-value payments by fraudsters. Folks like you and me, we tend to send low-value payments as consumers. But [corporate mobile may involve] very large high-value payments, [and] access to wire transfer capability. Of course, separation of duties will prevent security challenges. But anything that has high value payments attached to it is attractive to a fraudster. It’s quite dangerous.
Also, just the relative freshness of the mobile channel is something that’s really uncharted as far as fraud goes. There have been some instances in the consumer space, but very little. It’s simply only a matter of time before we see rampant, rampant attempts at fraud as mobile becomes more prevalent, whether it’s consumer or corporate.
TT: What new forms of authentication are more appropriate for corporate mobile banking, and would business customers accept them?
Jegher: The first point I want to make is that authentication alone is pretty much useless. The key for any infrastructure is to have a layered environment with different bits of security, so that in the event that piece A fails or is broken, piece B is a safety net. Authentication alone is not good enough.
As far as authentication itself goes, hard tokens will eventually be a thing of the past. You won’t have the token necklaces some people now wear when they have multiple relationships with different clients. You can have something called a soft token, where you may have an app that runs on a mobile device that provides that one-time password.
The other option is to forgo the whole one-time issue and look at other things. An example I give in the report is gesture-based authentication, where in order to authenticate yourself you draw a pattern on the screen by connecting different dots. You can force a user to use a strong pattern by connecting the dots, and that strong pattern is a method of authentication.
Eventually we may get to things like voice authentication, as the use of voice becomes more prevalent in the market.
As for the question of balancing the burden on the customer versus the security of the solution, those two examples are very nonburdensome. [Customers] are not required to carry any hardware.
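The entitlements hierarchy and dual-approval workflow Jegher describes above, modelled in Python as an added editorial example (not code from Celent, the report, or any bank). The roles, self-approval limits, user names and wire amounts are constructed for illustration; the rules enforced are the ones stated in the interview: an operations user may release a wire alone only up to their limit, anything above it needs a second approval from someone other than the initiator, higher in the chain, who is entitled to that amount in their own right.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Hypothetical entitlement table (constructed for this example). "self_limit" is the
# largest wire the role may release on its own authority; None means no cap.
# "rank" orders the approval chain.
ROLES = {
    "operations": {"rank": 1, "self_limit": Decimal("1000")},
    "vp_finance": {"rank": 2, "self_limit": Decimal("50000")},
    "treasurer":  {"rank": 3, "self_limit": Decimal("250000")},
    "cfo":        {"rank": 4, "self_limit": None},
}

# Hypothetical users mapped to roles (constructed).
USERS = {
    "alice": "operations",
    "bob":   "operations",
    "carol": "vp_finance",
    "dave":  "treasurer",
    "erin":  "cfo",
}


class ApprovalError(ValueError):
    """Raised when an approval would break the entitlement or separation-of-duties rules."""


@dataclass
class WireRequest:
    request_id: str
    initiator: str
    amount: Decimal
    approvals: list = field(default_factory=list)  # user ids of approvers recorded so far


def _role(user):
    try:
        return ROLES[USERS[user]]
    except KeyError:
        raise ApprovalError(f"unknown user or role: {user}") from None


def _covers(role, amount):
    """True if the role's own limit allows releasing `amount` without further approval."""
    limit = role["self_limit"]
    return limit is None or amount <= limit


def new_request(request_id, initiator, amount):
    amount = Decimal(amount)
    if amount <= 0:
        raise ValueError("wire amount must be positive")
    _role(initiator)  # reject unknown initiators before a request exists
    return WireRequest(request_id, initiator, amount)


def status(req):
    """'released' if the initiator alone is entitled to the amount, or a validated
    second approval has been recorded; otherwise 'pending'."""
    if _covers(_role(req.initiator), req.amount):
        return "released"
    return "released" if req.approvals else "pending"


def approval_problem(req, approver):
    """Return the reason an approval would be rejected, or None if it is allowed.
    Checks, in order: nothing left to approve, maker-checker separation,
    the hierarchy (approver must outrank the initiator), and the approver's own limit."""
    if status(req) == "released":
        return "request already released; nothing to approve"
    if approver == req.initiator:
        return "separation of duties: initiator cannot approve own wire"
    init_role, appr_role = _role(req.initiator), _role(approver)
    if appr_role["rank"] <= init_role["rank"]:
        return f"{approver} does not outrank initiator {req.initiator}"
    if not _covers(appr_role, req.amount):
        return f"{approver} is not entitled to approve {req.amount}"
    return None


def approve(req, approver):
    """Record a second approval after validation; returns the new status."""
    problem = approval_problem(req, approver)
    if problem:
        raise ApprovalError(problem)
    req.approvals.append(approver)
    return status(req)


if __name__ == "__main__":
    small = new_request("w1", "alice", "900")
    print(small.request_id, status(small))        # under alice's limit: released
    big = new_request("w2", "alice", "5000")
    print(big.request_id, status(big))            # over the limit: pending
    print(big.request_id, approve(big, "carol"))  # VP approval: released
```

The point of the example is the one Jegher makes about layering: the approval check is an authorization layer that stands apart from authentication, so a compromised soft token or guessed gesture on one account still cannot release a high-value wire on its own. In a real deployment the request, its approvals and this decision logic live server-side in the bank's payment platform, not in the mobile app, and the approver's identity is taken from their own authenticated session rather than from a field the initiator can set.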