The Role of Security in Helping Treasury Go Mobile

It is hardly a well-kept secret that the world is embracing mobile technology. Even the technophobes among us will have clocked the amount of time that the majority of the population spend on their mobile phones. It is often said that if we were to lose both our mobile phone and our wallet, it is the missing phone that we'd notice first.

Arguably the reason for this comes down to mistaken terminology – mobile phones are not principally phones any longer. Rather, they are mini computers that can also make calls. Already we are able to download and listen to music, take and upload photos and videos, check bank balances and transfer money with these devices. Many believe that smartphones will soon replace the wallet in our pocket by increasingly holding all the data required for buyer and seller transactions, along with electronic versions of credit, debit and prepaid cards, and loyalty coupons, as well as perhaps driving licenses, passport data and car or house keys.

It is of course true that these developments are so far mostly consumer-oriented technologies, and it is also true that the consumer space tends to move faster than many business functions. However, as widespread use of the online channel in business shows, the latter does eventually catch up. Online banking, a tool that may well not have even been considered for use in many treasury departments 10 years ago, is now an important tool. Additionally, as many corporate functions, not least treasury, feel the pressure of both regulatory and profit-margin drivers on operational efficiency, mobile technology will have an increasing role to play.

What is more, middle and senior management positions are becoming populated by ‘digital natives’ or ‘generation Y’ consumers, whose birth dates range from the mid-70s to the late 80s, so the trend towards mobile will only increase. Those joining the workforce today expect to be able to connect with customers and suppliers as easily as friends, to share information and to live a ‘mobile’ lifestyle. It is in the culture and it will be critical to how these employees perform their daily functions in the workplace.

A good illustration of this was the survey conducted among attendees of the Eurofinance 2011 conference, where 50% of respondents said they believed phone companies would be more important than banks for consumer transactions in 20 years’ time. As happened with the online channel, there is no reason why the mobile channel won’t also gain popularity in corporate environments, including among treasurers. For example, what is to stop treasurers managing cash positions, making the most productive use of free cash balances and authorising transactions over their mobile phones and tablets?

In theory, nothing prevents these corporate uses. In reality, however, whether it is banks, corporations or mobile network operators (MNOs) that drive the use of mobile payments in the treasury space, there are certain special factors that need to be considered. The most prominent of these has to be security, which will be crucial to the uptake of mobile use in the sector.

Given the many stories currently circulating about hacking, fraud and low levels of security in relation to the mobile channel, it may seem a pipe dream to be able to use the technology in the treasury space, but this doesn't have to be the case. Only a few months ago (Q3 2011) ValidSoft commissioned some independent research among over 100 chief information security officers (CISOs) to get a better view of the security issues associated with technologies such as mobile banking, payments and authorisations. What was striking was the positive role that respondents felt mobile devices had to play in fraud reduction.

In fact it is possible to secure the mobile channel in a similar way to online banking, through a process of what is called multifactor out-of-band authentication, and at the same time improve the overall transactional experience for users. The first step in this process is to understand the risks involved, which comes back to understanding the nature of smartphones and mobile devices. When securing transactions people need to think of the mobile phone as a computer that can make phone calls, rather than a phone that is capable of handling transactions.

Nowadays most people – and almost all companies – are very conscious of security when using PCs, so any organisation considering rolling out mobile technology in the treasury space, or any treasurer thinking of using a smartphone to make a transaction, needs to adopt the same wariness. With this in mind, the crux of the issue is how one secures any kind of payment or trade authorisation. Banks, MNOs, card schemes, international bodies such as SWIFT, and security technology vendors must all work together to devise a robust but easy-to-use way to embed security in the smartphone. Making the device and the ecosystem secure is crucial.

Securing the Mobile Channel

A two-factor security approach is most common. This means that, for example in the online banking or treasury channel, a customer uses a separate security device such as a card reader or a one-time password (OTP) token, in addition to a password, to gain access. But as cyber attacks become more complex and intelligent, and as we move towards an increasingly mobile society, two-factor authentication on its own is no longer enough: an OTP only proves possession of the token at the moment it is typed in, and malware on the device or a real-time phishing site can relay a freshly generated code to the bank before it expires, so fraudsters can now circumvent these authentication processes and devices. What's more, unlike traditional PC-based internet banking, mobile banking or authorisation does not lend itself to the use of separate security devices such as card readers or OTP tokens (unless you have at least three hands and a lot of money to spend on support costs).

The solution is to take an out-of-band, multi-layered approach that is based on risk: the strength of authentication demanded is scaled to the value and unusualness of the transaction, and the confirmation travels over a channel separate from the one that carried the request. Real-time, voice-based technologies, for example, can draw on up to four factors where necessary. While this may sound complicated, it is quite simple for the user and far better at establishing that the end user is who they claim to be.

A four-factor approach identifies four things about the user:

  1. Something they know – a PIN or password.
  2. Something they have – their smartphone (including checking with the mobile network that no SIM swap or call forwarding has taken place, since either would let a fraudster receive the out-of-band call or message instead of the real user).
  3. Somewhere they are or are not – jurisdiction authentication based on a technology called correlation proximity analysis, which checks that the handset and the transaction being requested are in the same place (or flags a transaction requested far from where the phone actually is).
  4. Something they are – using their voice as a biometric.

These four factors operate on the premise that whatever personal or company data fraudsters have stolen will be rendered useless, because they won't be able to authenticate themselves as the real user; that prevents them from intercepting a bank transfer, for example, or valuable account records.
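The step-up policy the four factors imply can be made concrete as a small decision function. This is an added illustration, not ValidSoft's or any bank's code: the MNO feed for SIM-swap and call-forwarding flags, the network-reported handset location, the voice score, the thresholds and the sample handsets and payments are all assumptions, and a real deployment would wire in its vendor's feeds for each factor.

```python
"""Risk-based, multi-layered authorisation of a mobile payment request.

Added illustration, not code from the article or any vendor. The four factors
are modelled as signals; the feeds, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
import hashlib
import hmac
import math


@dataclass
class Device:
    msisdn: str
    sim_swapped_recently: bool    # assumed feed from the mobile network operator
    call_forwarding_active: bool  # assumed feed from the mobile network operator
    lat: float                    # assumed network-reported handset location
    lon: float


@dataclass
class Payment:
    amount: float
    currency: str
    lat: float                    # where the request originates (terminal / IP geolocation)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance, used for the handset/transaction proximity check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def pin_matches(entered: str, salt: bytes, verifier: bytes) -> bool:
    """Factor 1: compare a PBKDF2 verifier in constant time; the PIN itself is never stored."""
    derived = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, 100_000)
    return hmac.compare_digest(derived, verifier)


def authorise(entered_pin, salt, verifier, device, payment, voice_score=None,
              *, step_up_amount=10_000.0, max_distance_km=50.0, voice_threshold=0.8):
    """Return (decision, reasons) with decision in {"allow", "step-up", "deny"}."""
    reasons = []
    # Factor 1: something they know.
    if not pin_matches(entered_pin, salt, verifier):
        return "deny", ["PIN mismatch"]
    reasons.append("PIN ok")
    # Factor 2: something they have. A just-swapped SIM or an active call divert
    # means the out-of-band channel may now belong to a fraudster, so stop here.
    if device.sim_swapped_recently or device.call_forwarding_active:
        return "deny", reasons + ["handset not trusted (SIM swap / call forwarding)"]
    reasons.append("handset ok")
    # Factor 3: somewhere they are (or are not). Handset and request should be co-located.
    distance = haversine_km(device.lat, device.lon, payment.lat, payment.lon)
    far_apart = distance > max_distance_km
    reasons.append(f"handset/request distance {distance:.0f} km")
    # Risk-based step-up: low-value, co-located requests pass on the first factors;
    # anything else must add factor 4, something they are (voice biometric).
    if not far_apart and payment.amount < step_up_amount:
        return "allow", reasons
    if voice_score is None:
        return "step-up", reasons + ["voice verification required"]
    if voice_score >= voice_threshold:
        return "allow", reasons + [f"voice match {voice_score:.2f}"]
    return "deny", reasons + [f"voice match {voice_score:.2f} below threshold"]


# Constructed sample data (fictional UK number range, example coordinates).
PIN_SALT = b"constructed-salt"
PIN_VERIFIER = hashlib.pbkdf2_hmac("sha256", b"4921", PIN_SALT, 100_000)
LONDON_PHONE = Device("+447700900123", False, False, 51.5074, -0.1278)
SWAPPED_PHONE = Device("+447700900123", True, False, 51.5074, -0.1278)
SMALL_LONDON = Payment(500.0, "GBP", 51.5155, -0.0922)
LARGE_LONDON = Payment(25_000.0, "GBP", 51.5155, -0.0922)
SMALL_LAGOS = Payment(500.0, "GBP", 6.5244, 3.3792)

if __name__ == "__main__":
    cases = [("small, co-located", LONDON_PHONE, SMALL_LONDON, None),
             ("large, no voice yet", LONDON_PHONE, LARGE_LONDON, None),
             ("large, voice ok", LONDON_PHONE, LARGE_LONDON, 0.93),
             ("abroad, weak voice", LONDON_PHONE, SMALL_LAGOS, 0.41),
             ("SIM swapped", SWAPPED_PHONE, SMALL_LONDON, 0.93)]
    for label, dev, pay, voice in cases:
        print(label, "->", authorise("4921", PIN_SALT, PIN_VERIFIER, dev, pay, voice))
```

The point of the ordering is that a failed possession check is a hard stop, not a risk input: if the network says the SIM was just swapped, the voice call that would carry the fourth factor may ring on the fraudster's handset, so nothing downstream can be trusted.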

Threat Vectors

Attacks such as man-in-the-browser are just as dangerous on a mobile device as they are on traditional PC browsers: malware on the device can alter the payee or the amount after the user has authenticated, so proving who the user is does not by itself prove what they asked for. Transaction verification, in which the details the bank actually received are confirmed with the user over a separate channel, is the most effective way of combating these attacks and is still required on the mobile channel. Layers over and above the standard two-factor approach are becoming very real and increasingly necessary, and for treasurers to be able to fully realise the potential of the mobile channel they are essential.
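What out-of-band transaction verification has to achieve against a man-in-the-browser can be shown in a few dozen lines. This is an added example, not the article's or any vendor's code: the bank and phone roles, the per-user key provisioned to the handset, the HMAC construction and the sample payments (including the example IBAN) are assumptions. The bank builds its read-out from the copy of the transaction it received, the user compares that with what they intended, and the approval is a MAC over those exact details, so an approval for one payment cannot be replayed against another.

```python
"""Out-of-band transaction verification bound to the details the bank received.

Added illustration, not code from the article or any vendor. Keys, message
formats and the sample payments are constructed assumptions.
"""
import hashlib
import hmac
import json
import secrets


def canonical(txn: dict) -> bytes:
    """Stable encoding so bank and phone MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


class Bank:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # assumed: per-user key provisioned to the handset
        self.pending = {}

    def receive(self, user: str, txn: dict) -> dict:
        """Store what the browser sent and build the OOB challenge from *that* copy."""
        ref = secrets.token_hex(8)
        self.pending[ref] = (user, dict(txn))
        return {"ref": ref, "details": dict(txn)}   # delivered to the phone, not the browser

    def approve(self, ref: str, code: str) -> bool:
        """Accept only a MAC over the stored details under this user's device key."""
        user, txn = self.pending[ref]
        expected = hmac.new(self.device_keys[user], ref.encode() + canonical(txn),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, code)


def phone_confirm(device_key: bytes, challenge: dict, intended: dict):
    """Phone side: the user compares the read-out details with what they meant to send.
    Only on a match does the handset sign the challenge; otherwise nothing is returned."""
    if challenge["details"] != intended:
        return None
    msg = challenge["ref"].encode() + canonical(challenge["details"])
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def browser_submit(txn: dict, infected: bool) -> dict:
    """Simulated browser/app. An infected one rewrites the payment after the user hits send."""
    if not infected:
        return dict(txn)
    return {**txn, "payee": "GB00MULE00000000000001", "amount": 9000}   # constructed mule account


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    bank = Bank({"treasurer": key})
    # Constructed payment; the IBAN is the standard documentation example.
    intended = {"payee": "GB29NWBK60161331926819", "amount": 1000, "currency": "GBP"}

    # 1. Clean browser: read-out matches, user approves, bank accepts.
    chal = bank.receive("treasurer", browser_submit(intended, infected=False))
    code = phone_confirm(key, chal, intended)
    clean_approved = bank.approve(chal["ref"], code)

    # 2. Man-in-the-browser: the bank reads out the altered payment, the user declines.
    chal2 = bank.receive("treasurer", browser_submit(intended, infected=True))
    code2 = phone_confirm(key, chal2, intended)

    # 3. Replay: attacker feeds the approval from (1) to the altered transaction (2).
    replay_accepted = bank.approve(chal2["ref"], code)

    return {"clean_approved": clean_approved,
            "mitb_declined": code2 is None,
            "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(run_scenarios())
```

The check that matters is in step 2: the challenge is generated from the bank's copy, so whatever the infected browser displayed to the user, the phone reads back the payee and amount the bank is about to act on. Binding the approval to those bytes (step 3) closes the remaining gap, where an attacker holding a valid approval for a harmless payment tries to attach it to a different one.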

Voice biometrics, for example, has been around for some time but is increasingly popular as a form of transaction authorisation (instead of using the traditional password). A voiceprint cannot be guessed, written down or simply forgotten as a password can, and it is hard to mimic well enough to fool today's biometric analysis, provided the system also guards against replayed recordings (for example by prompting the user to repeat a random phrase rather than a fixed one). This technology exists and works, and with the number of registered voiceprints set to rise from 10 million globally to 25 million by 2015 [1], customers are going to be using it.

Voice biometrics strikes just the right balance between being sufficiently robust and being practical for the user, whether in an office or treasury environment. It is extremely useful, for example, for verifying a money transfer on the mobile channel, and it removes the need for additional authentication devices that are simply impractical for people on the move. This example highlights how a multi-layered approach to security increases not only security but also usability. As we move through 2012, I expect to see the focus of those providing mobile solutions to both corporate and consumer customers shift definitively from two-factor authentication to a more multi-layered mindset.

While these are undoubtedly still early days for the use of mobile technologies among treasurers, the potential is being made very real by the burden of both regulatory and business efficiency drivers. Being able to stay up-to-date and authenticate transactions while on the move will help treasurers alleviate these increasing burdens, but one of the most important factors in defining the success of future uptake will be security. Anyone wishing to make a mobile transaction, not least a treasurer, needs to be in a position of knowledge and control. Both parties in the transaction need assurances that the individual at the end point is really the person they are claiming to be.

[1] Source: Opus Research.