Black hats, white hats and corporate banking

Initiating payments with online treasury management systems has become more prevalent among corporate banking clients in recent years. Businesses of all sizes have gradually migrated some payments from checks to electronic payments in order to gain efficiency and to reduce the risk of fraud that is inherent in the paper check environment.

However, what has become clear is that online treasury management solutions are not as secure as once thought. With various authentication methods having been compromised in the past few years, these solutions are popular targets for cybercriminals looking to pocket fraudulent payments.

Well organized, well financed, and employing their own technology experts, cybercriminals wield an in-depth knowledge of the leading online treasury management solutions, as well as the inner workings of the larger banks’ proprietary solutions. They use this understanding to capture user credentials, make administrative changes, and move money from client bank accounts to their own offshore accounts.

Various regulatory bodies have acted to contain this criminal activity. For example, in 2011, the Federal Financial Institutions Examination Council (FFIEC) updated its internet-banking security recommendations, prompting banks everywhere to make significant investments in new security technology, including implementing stronger authentication capabilities, hardening browser interactions, and employing pattern-detection solutions to identify potentially fraudulent activities.

As a result, banks have been taking preventative measures a step further. They’ve spent untold millions and countless man-hours educating their corporate clients about the importance of what they can do to minimize online fraud risks, but the fact is that they cannot force their clients to secure their own technology environments.

Meanwhile, the cat-and-mouse game between banks and bad guys continues to escalate, and even though most banks are fighting the good fight, the cybercriminals seem to be staying ahead of the game.

The courts are taking action, too, finding in favor of business clients whose bank accounts have been compromised, and making the banks liable for their customers’ financial losses. Their message to financial institutions is simple: “You haven’t done enough to protect your clients.” This liability has even been cited in cases where banks had client agreements specifying that, in the event of a breach, the client would be responsible for the liabilities as long as the bank offers commercially reasonable security procedures.

Amid the havoc, however, I see a question nobody’s asking.

Given the gravity of the threats, why, I wonder, don’t banks encourage their corporate clients to adopt a more efficient, more secure method for initiating payments, one that doesn’t involve a Web browser?

For decades, banks have offered their corporate clients direct integration for certain types of payments, like direct deposit of payroll. Doesn’t it follow that, as more and more clients invest in automating business processes like accounts payable and treasury payments, banks should take advantage of the leading-edge integration technologies?

Just imagine if:

  • The cost of manually generating payment instructions -- actually keying payment instructions into an online banking system -- could be eliminated.
  • The operational risk that comes with that manual process was reduced to virtually nil, because it was no longer possible for an employee to key in the wrong payment amount, reference number, or account number.
  • The risk of internal fraud -- a fact of life in any transactional scenario where employees are initiating payments online -- was drastically reduced.
  • Vulnerable, browser-based sessions were replaced with encrypted, highly secure transmissions that require digital certificate validation and signatures, thereby providing non-repudiation for payment transactions.
  • Direct-integration solutions were adopted, rendering browser-based solutions obsolete except for ad hoc payments and creating a system for monitoring transmissions against a set schedule, validating payment totals “out of band,” running data integrity checks, and using signed digital receipts for non-repudiation.
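To make the last two points concrete, here is an added example of what such a direct-integration exchange can look like in code. It is not code from the column or from any bank's product; it assumes a JSON payment file, Ed25519 keys standing in for the certificate-backed keys the text mentions, and hypothetical names (SignBatch, VerifyTransmission, IssueReceipt, a constructed SampleBatch). It shows the client signing a batch, the bank checking integrity, signature and the out-of-band total before accepting it, and the bank returning a signed receipt the client can verify later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

// Payment is one instruction in a batch; amounts are whole cents to avoid float rounding.
type Payment struct {
	Beneficiary string `json:"beneficiary"`
	Account     string `json:"account"`
	AmountCents int64  `json:"amount_cents"`
	Reference   string `json:"reference"`
}

// Batch is the payment file the client's accounts-payable system produces.
type Batch struct {
	BatchID  string    `json:"batch_id"`
	Payments []Payment `json:"payments"`
}

// Total sums the batch; the client confirms this number to the bank out of band.
func (b Batch) Total() int64 {
	var sum int64
	for _, p := range b.Payments {
		sum += p.AmountCents
	}
	return sum
}

// Transmission is what travels over the direct channel: the serialized batch,
// a SHA-256 digest for the integrity check, and the client's signature.
type Transmission struct {
	Body      []byte
	Digest    string
	Signature []byte
}

// Receipt is the bank's signed acknowledgement binding batch id, received digest and accepted total.
type Receipt struct {
	BatchID    string
	Digest     string
	TotalCents int64
	Signature  []byte
}

// NewKeyPair generates an Ed25519 key pair (hypothetical stand-in for certificate-backed keys).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// DigestOf returns the hex SHA-256 of a transmission body.
func DigestOf(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// SignBatch is the client side: serialize, hash and sign the batch.
func SignBatch(priv ed25519.PrivateKey, b Batch) (Transmission, error) {
	body, err := json.Marshal(b)
	if err != nil {
		return Transmission{}, err
	}
	return Transmission{Body: body, Digest: DigestOf(body), Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyTransmission is the bank side: integrity check, signature check against the
// enrolled client key, then comparison with the total the client confirmed out of band.
func VerifyTransmission(clientPub ed25519.PublicKey, t Transmission, confirmedTotal int64) (Batch, error) {
	if DigestOf(t.Body) != t.Digest {
		return Batch{}, fmt.Errorf("integrity check failed: digest does not match body")
	}
	if !ed25519.Verify(clientPub, t.Body, t.Signature) {
		return Batch{}, fmt.Errorf("signature check failed: body not signed by the enrolled client key")
	}
	var b Batch
	if err := json.Unmarshal(t.Body, &b); err != nil {
		return Batch{}, err
	}
	if got := b.Total(); got != confirmedTotal {
		return Batch{}, fmt.Errorf("out-of-band total mismatch: file %d cents, confirmed %d", got, confirmedTotal)
	}
	return b, nil
}

func receiptMessage(r Receipt) []byte {
	return []byte(r.BatchID + "|" + r.Digest + "|" + strconv.FormatInt(r.TotalCents, 10))
}

// IssueReceipt is signed by the bank so the client can later prove what was accepted.
func IssueReceipt(bankPriv ed25519.PrivateKey, t Transmission, b Batch) Receipt {
	r := Receipt{BatchID: b.BatchID, Digest: t.Digest, TotalCents: b.Total()}
	r.Signature = ed25519.Sign(bankPriv, receiptMessage(r))
	return r
}

// VerifyReceipt lets the client check a receipt against the bank's public key.
func VerifyReceipt(bankPub ed25519.PublicKey, r Receipt) bool {
	return ed25519.Verify(bankPub, receiptMessage(r), r.Signature)
}

// SampleBatch is constructed test data, not a real payment file.
func SampleBatch() Batch {
	return Batch{BatchID: "AP-2024-0001", Payments: []Payment{
		{Beneficiary: "Acme Supplies", Account: "000111222", AmountCents: 12500, Reference: "INV-1001"},
		{Beneficiary: "Blue Freight", Account: "333444555", AmountCents: 4999, Reference: "INV-1002"},
		{Beneficiary: "Delta Leasing", Account: "666777888", AmountCents: 250000, Reference: "LEASE-07"},
	}}
}

func main() {
	clientPub, clientPriv := NewKeyPair()
	bankPub, bankPriv := NewKeyPair()
	tx, _ := SignBatch(clientPriv, SampleBatch())
	batch, err := VerifyTransmission(clientPub, tx, 267499) // 267499 is the total confirmed out of band
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	rcpt := IssueReceipt(bankPriv, tx, batch)
	fmt.Println("accepted", batch.BatchID, "receipt valid:", VerifyReceipt(bankPub, rcpt))
}
```

The three checks in VerifyTransmission map onto the bullet above: the digest catches corruption in transit, the signature ties the file to the client's enrolled key (so neither side can later deny who sent it), and the out-of-band total catches a file that was altered before it was signed, which no amount of transport encryption would detect. Scheduling checks (flagging a file that arrives outside its expected window) would sit in front of this routine.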

Indeed, the cybercriminals are sophisticated -- far more, in fact, than popular novels and films would have us believe. Their potency and ingenuity are only poised to grow in the coming years. Let’s not be daunted by them. Instead, let’s embrace the idea that innovative white-hat tactics will always trump any amount of organization, finances, or manpower black hats can muster. Let’s come up with imaginative applications of the technology that’s available right now, and demote the world’s hackers from major threats to minor pests.
