Published: October 6, 2015
Cyber-attacks represent a growing threat to both banks and corporates. New regulation and the teaming up of companies and banks are generating new platforms and protocols to fight back. Liz Salecka reports.
The recent survey results are in line with research conducted by Mandiant (Mandiant – Trends Report), which found that financial institutions represent the most heavily targeted sector by cyber-attackers. According to this report, hackers are most often seeking user credentials to bank account information in order to make fraudulent payments.
“Financial institutions possess extremely sensitive information about their customers and are therefore prime targets for cyber-attacks,” confirms Mike Spykerman, vice-president of product management at security software company OPSWAT. “They should prepare their defences against a cyber-attack by deploying several in-depth security layers including device monitoring and management; advanced email security; scanning with multiple anti-malware engines; and advanced threat protection. In addition, sensitive data must be encrypted and segregated.”
And George Rice, senior director, payments at HP Security Voltage adds: “The greatest security risks in transaction banking lie in payments. This is because you have financial information that is able to be captured and then used elsewhere, unknowingly to the individual that controls that account.
“There needs to be a multitude of approaches that provide a full layer of coverage across all the different access points that a bank provides to its customers.”
According to F5 Networks, the growing incidence of cyber-attacks against banks has already prompted greater demand for multi-layer web and mobile fraud protection solutions. Its survey found that over fifty percent of respondents have adopted multi-layer fraud prevention solutions. Most budget spend is being allocated towards web channel fraud protection and mobile fraud protection.
3SKey for corporates
But the growth in cyber-attacks is by no means confined to financial institutions. Cyber-threats are being made against companies’ corporate treasury departments, and these attacks represent an emerging and on-going management challenge.
This has put a greater onus on corporate treasurers to focus on security and safeguarding transactions with their banking partners - particularly payments.
One solution that has rapidly generated interest among corporate treasurers is SWIFT’s 3SKey, a multi-bank, multi-channel digital identity solution, which enables the authentication of corporate-to-bank transactions such as payments.
Based on Public Key Infrastructure (PKI) technology, the solution relies on the use of a single token and digital certificates to enable qualified corporate end users, such as treasurers, to authenticate their identity when sending data and instructions to their banks. It provides proof to the banks that the sender is who he or she claims to be, and that the data and instructions have not been manipulated in any way.
“The type of transaction banking security in place varies from bank to bank,” says Christoph Albers, SWIFT’s market manager for 3SKey and SWIFT for Corporates services, pointing out that it can take the form of a user-name and password; a one-time password solution that may involve the use of a physical device; or a PKI-based solution, involving a physical token, digital certificates and electronic signing. “Some banks have developed these solutions in-house while others have approached third party vendors.
“The big difference with 3SKey is that it is a multi-bank solution that involves a device and security token that corporates can use with their various banking partners and regardless of the banking channel – be that the SWIFT network (for signing files with personal signatures), bank proprietary direct channels and e-banking portals or local and domestic networks and protocols.
It pays to cooperate
“For corporates, there is clear value in using one security solution. Before they were using a variety of tokens and devices when accessing the multiple e-banking portals of the various banks they worked with, and in doing so they had to memorise a number of different passwords,” Albers tells EMEA Finance.
Albers explains that the impetus for 3SKey, which was launched four years ago, came from SWIFT, working in conjunction with banks, to develop a multi-bank solution for the corporate segment.
Corporate uptake of 3SKey has been such that over the last two years many banks have decided to extend the use of 3SKey across their wider client base – to those using different direct channels and also on-line web banking services.
“A number of them [banks] had already implemented 3SKey into their file-based channels - in the first instance at the request of corporate customers. They have now decided to proactively extend its use as a transaction banking security solution across their other channels, including proprietary e-banking portals,” says Albers.
Banks that have deployed 3SKey have achieved considerable cost savings because they can use the shared infrastructure and support services offered by SWIFT. However, they continue to conduct their own corporate end user registration processes, meaning that they stay in full control of user identity.
The banking community’s adoption of 3SKey is also likely to be strengthened by new regulations, such as the new SecuRe Pay recommendations, proposed by the European Central Bank and European Banking Authority (Assessment Guide for the Security of Internet Payments, 2014), which place a greater emphasis on strong authentication of customer details.
“These [regulations] aim to increase the security offered by all payment services providers. They call for the use of a physical device and token as well as strong two factor authentication such as using a physical PKI token,” says Albers.
Securing mobile transactions
With mobile transaction banking now taking off, enabling treasurers to authorise and make payments on the move via a range of mobile devices, additional security concerns are emerging.
HP Security Voltage’s Rice points out that mobile transaction banking is still in its infancy, but describes it as “a moving target.”
“The goal here is to combine the typical credentialing systems that we are all familiar with, such as user ID and password, with other situational data sets that can provide enhanced trust in that login process,” he says, pointing out that some mobile phone devices do have biometric authentication processes, as well as a PIN entry process for logging in.
Corporate treasurers who have implemented 3SKey as a security solution are realising important benefits from the streamlined and standardised approach to securing payments across multiple banks. There are significant time and cost savings. Additionally, using 3SKey eliminates multiple systems and processes.
There is now a single, multi-bank security process.
Corporates have a ‘comfort zone’ knowing that the 3SKey digital signature is from the authorized signer, that the content does not change after the approval process, and that it represents proof of signature.
SWIFT itself is already preparing to meet demands for secure corporate mobile banking by working on the extension of 3SKey to mobile devices.
“We anticipate growing demand for mobile banking from treasurers and chief operating officers, looking to authorise transactions and sign files via mobile devices while away from the office,” says Albers, noting that about 20% of existing e-banking users are expected to look for this capability in the near future, and request a form of token-based authorisation.
3SKey benefits for banks include:
- 3SKey provides interoperability with other financial institutions while maintaining control of the user identity registration process.
- Lower costs – 3SKey saves banks time and costs in building, maintaining and upgrading their own technical infrastructure for identity management. The solution can be used for any electronic banking channel, including transactions over bank proprietary networks as well as the SWIFT network.
- Improved client satisfaction – it eliminates the need for corporate clients to use numerous authentication processes and security devices for the different banks they work with.