Mobile for treasury is often on the agenda of conferences, frequently discussed in trade publications and always predicted as the next big thing. So what’s stopping you?
The one form of technology that seems to crop up at every conference, and which has vendors proudly declaring their commitment to its future, is the mobile channel. Yet despite the noise generated by the industry, anecdotal evidence suggests treasurers are still wavering when it comes to taking their activities on the road. One of the main causes of their reticence, quite understandably, is mobile security. Is it safe?
“As happened with the online channel, there is no reason why the mobile channel won’t also gain increasing popularity in corporate environments, including among treasurers,” says Pat Carroll, founder and Chairman of digital and online authentication technology vendor, ValidSoft. So, what is to stop treasurers managing cash positions, making the most productive use of free-cash balances and authorising transactions over their mobile phones and tablets? “In theory, nothing,” states Carroll. “In reality, however, whether it is banks or mobile network operators that drive the use of mobile banking and payments in the treasury space, there are certain factors that need to be considered and pre-eminent amongst these is security.” Whether real or imagined, assuaging the treasurer’s fear will be crucial to the uptake of mobile use in the sector.
The key weapon in the battle for hearts and minds is the fact that the mobile channel can be secured in a similar way to online banking, through multi-factor, out-of-band authentication. The process starts with a change of mind-set.
When securing transactions, users need to think of their mobile phone as a computer that can make phone calls, rather than a phone that is capable of banking transactions. Almost all companies are very conscious of security when using PCs, so any organisation considering rolling out mobile technology in the treasury space, or any treasurer thinking of using a smartphone to make a transaction, needs to adopt the same level of awareness. But the providers must align their efforts too. For Carroll, it is vital that the banks, mobile network operators and security technology vendors work together to embed security in the mobile device.
“In banking security, currently a two-factor approach is most common,” he explains. “In the online banking channel, a customer uses a separate security device such as a card reader or a token. But as cyber-attacks become more complex and intelligent, and as we move towards an increasingly mobile society, two-factor authentication is no longer enough.” But unlike PC-based internet banking, mobile banking does not lend itself to the use of separate security devices such as card readers or tokens.
The solution, Carroll believes, is a risk-based, multi-layered, out-of-band approach (i.e. one that uses a channel separate from the data or voice stream), built on real-time, voice-based technologies that use up to four factors. This may sound complicated but, he insists, it is “really quite simple and far better at guaranteeing that the end-user is who they claim to be”.
A four-factor approach identifies, as the name suggests, four things about the user: something they know – a PIN or password; something they have – their smartphone (including checking that no SIM swapping or call-forwarding has taken place); somewhere they are or are not – jurisdiction authentication based on a technology called correlation proximity analysis; and something they are – using their voice.
“Attacks such as Man-in-the-Browser are just as dangerous to M-banking as they are on traditional PC browsers so transaction verification, the most effective way of combating these attacks, is still required on this channel,” says Carroll. “Usage of the layers that go over and above the standard two-factor approach is becoming very real and increasingly necessary. For treasurers to be able to fully realise the potential of the mobile channel, it will be essential.”
Although the technology has been around for some time, voice biometrics is increasingly being adopted for transaction authorisation instead of the traditional password. “The human voice can’t be easily mimicked in a way that can fool today’s biometric analysis, nor can it be guessed, written down or simply forgotten as a password can,” notes Carroll. This technology exists and works and, according to Opus Research, with the number of registered voiceprints set to rise from 10 million globally to 25 million by 2015, it is set to take off in a big way.
Anyone wishing to make a mobile transaction – not least a treasurer – needs to be in a position of knowledge and control. Both parties in the transaction need assurances that the individual at the end-point is really the person he or she is claiming to be. Vigilance will always be necessary whatever the channel, but with real security advances being made for mobile, perhaps it is time for banks and the wider corporate world to fully embrace its potential?
The following chart, from the Treasury Today 2013 European Corporate Treasury Benchmarking Study, shows the degree to which mobile is currently accepted by the treasury community, compared to other forms of technology.