In an increasingly connected world, technological advancements have impacted almost every facet of our working lives, ushering in the concept of the mobile office and changing the way companies operate forever. With these innovations a number of key concerns have also been raised over how secure these connected solutions really are. Siva Ram, HSBC's Senior Global Program Manager for Security and Fraud, discusses some of the security concerns over corporate banking and what can be done to alleviate them.
The corporate world has changed significantly in the last decade, due in large to vast improvements in technology and connectivity across a host of different mobile devices, platforms and software solutions. This has resulted not only in a significant shift in consumer behaviour but also challenged the confines of the conventional workplace and how companies do business today. As a result, the boundaries between work and life have been blurred, and today almost everyone completes office tasks on their mobile devices.
Despite these advancements, the adoption of mobile technology by corporate treasury departments has been slower than in other sectors. However, an increasing number of finance professionals are now taking advantage of an increasingly connected world by using their mobile device outside the workplace to manage corporate banking transactions, improve their accounts payable process and free up time to focus on other tasks. That said, the needs of the treasury department differ substantially from those of the average consumer, and as such corporate mobile banking applications (apps) must offer greater control and visibility without compromising on security or allowing sensitive data to be intercepted.
When the topic of mobile banking arises, corporate treasurers typically have some concerns and should be aware of the following issues:
Corporate data on mobile devices
More corporates are now embracing Bring Your Own Device (BYOD) policies, which allow employees to use their personal mobile devices for official purposes. This has the added advantage of reducing the number of devices the organisation needs to manage, while at the same time lessening the amount of time they need to spend training employees on technology.
One of the greatest worries for the corporate treasurer is the protection of corporate data, which might be accessed from personal mobile devices that are used to connect to company systems. Unless they are sufficiently protected, data stored on smartphones or tablets could be accessed by other applications or whoever uses the device, which becomes more of a problem when people use their own personal phones for official banking operations.
Mobile banking apps should avoid storing any sensitive data on the device at all. If they must, the stored data has to be encrypted using strong cryptography.
Another concern is malware, which is a malicious software program that has been specifically designed to gain access to a computer or a device and perform unauthorised operations without the user's knowledge. Malware is growing in prevalence and sophistication every day, and an increasing number of malicious programs are now targeting financial apps in an attempt to steal credentials and data, which can be used in further attacks designed to misappropriate money.
Recently we have seen a significant increase in the number of sites that serve malware through apps that are designed to look like the original website. In most cases, the original apps are reverse engineered and modified to include malicious code.
In order to limit the spread of malware, Apple and Android encourage users to install apps only from the designated stores. However, a surprisingly large number of people adjust their settings to allow downloads from other sites, defeating the security features of the handset.
Protecting sensitive data on the device with strong cryptography ensures that malware which does manage to read the stored data cannot make any sense of it, strengthening the security of corporate data.
Secure connections to banking sites
Some mobile banking apps fail to establish secure connections between the device and the site, leaving users vulnerable to attack. Most sites use HTTPS (note the "S" at the end indicating a secure connection) to transmit sensitive data, which ensures that the data transmitted between the mobile app and the banking site cannot be intercepted or modified. However, some sites still use obsolete cryptographic algorithms and protocols such as Secure Sockets Layer (SSL), which has several known vulnerabilities. SSL has been replaced by Transport Layer Security (TLS), and it is important that corporates implement the newer, more secure technology in order to protect their customers.
Another common issue is the failure to validate the identity of the site to which the application is connecting. The identity of a site is established using digital certificates; however, some apps have been known to check only for the presence of a certificate, rather than verifying that it actually belongs to the site. This means that any website can present a certificate and have a connection established with it, including fraudulent sites.
Mobile banking apps should use strong cryptographic protocols and ensure that they validate the identity of the site they are connecting to.
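The two checks described above, as an added example that is not part of the original article: a client TLS context that insists on TLS 1.2 or newer and on a verified certificate, placed beside the "certificate is present, so it must be fine" anti-pattern, plus the hostname check that decides whether a presented certificate actually belongs to the site the app dialled. The certificate dictionary is a constructed sample in the shape Python's `getpeercert()` returns.

```python
import ssl


def make_strict_context() -> ssl.SSLContext:
    """Client-side context a banking app should use: trusted chain required,
    hostname checked against the certificate, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # loads the platform CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The anti-pattern from the text: a certificate is presented and the
    handshake succeeds, but nobody checks whose certificate it is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Quick audit of a context: would it reject a fraudulent site?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def _label_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: a wildcard may only be the whole leftmost
    label, matches exactly one label, and never a bare top-level domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    rest, parts = pattern[2:], host.split(".", 1)
    if rest.count(".") < 1:  # '*.com' is never a legitimate name
        return False
    return len(parts) == 2 and parts[0] != "" and parts[1] == rest


def cert_belongs_to_host(cert: dict, hostname: str) -> bool:
    """Does the peer certificate name the host we connected to? Only DNS
    subjectAltName entries count; the Common Name is ignored, as browsers do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_matches(p, hostname) for p in sans)


# Constructed sample certificate (not a real bank's), as getpeercert() shapes it.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
```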
Ensuring authenticated access to banking apps
One of the most common ways for corporates to lose data is simply the loss of a device. If banking apps do not properly authenticate identity before allowing access to functionality and data, a lost or stolen device can result in serious financial and reputational losses for both the bank and the corporate.
As such, banking apps require a higher level of authentication than consumer applications in order to ensure that the right person is logging in, and for sensitive applications such as these, multi-factor authentication is critical. These authentication schemes are based on:
- What you know;
- What you have; and
- Who you are.
Passwords fall under the "what you know" factor, while secure One Time Password (OTP) devices generate passcodes that expire very rapidly and fall under the "what you have" factor. Biometrics that use a fingerprint, voice or retina scan are "who you are" authenticators. A well-designed mobile banking app will use at least two of these three factors to authenticate identity, otherwise known as Two Factor Authentication (2FA). This prevents unauthorised persons from accessing the app or the data.
When it comes to payment systems or other sensitive operations, many regulators require, for example, 2FA, digital signatures, or the ability to lock out whoever is trying to access the app after a specified number of invalid attempts. Failure to comply with these specifications can result in the loss of the licence the bank needs to operate the app. In some markets banking regulations are not so strict, so it is critical that a company choose a banking partner that has adopted stringent, globally consistent identity authentication protocols if it is to properly protect its data.
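The server-side check behind the 2FA and lockout requirements described above, as an added example that is not code from the article or from any bank: the "what you have" factor is a standard HMAC-based one-time password (RFC 4226/6238, the scheme most OTP tokens implement), the "what you know" factor is a salted password hash, and the account locks after a configurable number of invalid attempts. The user record, secret, salt and password are constructed sample values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password, as an OTP token computes it."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 time-based variant: the counter is the 30-second time slice,
    which is why the code "expires very rapidly"."""
    return hotp(secret, int(at // step))


class LoginGuard:
    """Checks both factors and locks the account after max_attempts failures."""

    def __init__(self, users: dict, max_attempts: int = 3):
        self.users = users  # user -> (salt, password_hash, otp_secret)
        self.max_attempts = max_attempts
        self.failures: dict = {}

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, user: str, password: str, otp: str, now: float) -> str:
        """Returns 'locked', 'ok' or 'denied'; a failed OTP counts as a failure
        just like a failed password, so guessing codes also triggers lockout."""
        if self.failures.get(user, 0) >= self.max_attempts:
            return "locked"
        record = self.users.get(user)
        if record is None:
            return "denied"
        salt, pw_hash, secret = record
        pw_ok = hmac.compare_digest(self.hash_password(password, salt), pw_hash)
        # accept the current and the previous slice to tolerate small clock drift
        otp_ok = any(hmac.compare_digest(totp(secret, now - d), otp) for d in (0, 30))
        if pw_ok and otp_ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


# Constructed sample user: the secret is the RFC 4226 test-vector key.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"


def demo_guard() -> LoginGuard:
    pw_hash = LoginGuard.hash_password("correct horse", DEMO_SALT)
    return LoginGuard({"treasurer": (DEMO_SALT, pw_hash, DEMO_SECRET)})
```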
The weakest link
In reality, computers and apps will do what they are programmed to do, and the weakest link in the chain is usually the human element. As such, in addition to the critical security mechanisms mentioned above, there is one other factor the corporate treasurer must consider when choosing a mobile banking partner: a dedication to the ongoing education of employees. Secure mobile usage habits should be constantly reiterated and reinforced, because security is everyone's responsibility, not just that of the corporate risk or security team.
At the end of the day, the first line of defence for any organisation is awareness and execution, and making sure companies are informed of the latest risks to hit the market will go a long way to allaying the fears of the average corporate treasurer. Using well designed secure applications, a multi-layered security approach and end-user education of secure practices will reduce security concerns and risk substantially, increasing the use of mobile banking and connected solutions by corporates.