Bank Hackers and Smartphones: Managing Points of Exposure

by Craig Jeffery | Aug 29, 2016 | Updates

The August 27, 2016, print edition of the Wall Street Journal ran a front-page article by Robin Sidel called Bank Hackers Target Smartphones [view the online article here]. The author provided a general description of how cyber thieves are deploying malware that targets smartphones and is designed to capture the victim’s online banking credentials. Some of these techniques even involve overlay screens allowing them to harvest more confidential data through additional questions.

Knowing that this is not just a possibility but a reality should heighten our senses and force treasury groups to reexamine their security framework. Sidel indicated that this trend is ‘alarming the Federal Bureau of Investigation and U.S. banking regulators’.

While each person will want to be careful with their personal online banking access and device hygiene, every treasury professional will want to review some of their corporate banking controls.

Understanding and mitigating the risks at the various points of exposure and access is vital. When we think about how we manage devices, authentication and overall access, particularly for transaction initiation and approval, we must ask, “What are other corporations doing? How are they restricting access? How are they controlling devices – particularly mobile/phone devices? How would you answer these questions?”

Mobile Initiation 88%; BYOD policy 90%

BYOD. Do you allow a Bring Your Own Device (BYOD) and allow transaction initiation (such as wire transfers)? 90% of the respondents DON’T allow this. [download infographic]
MOBILE. Do you allow mobile devices to initiate transactions (such as wire transfers)? 88% of the respondents DON’T allow this. [download report]

For the 12% of firms that allow mobile devices to be used to initiate transactions, what security do you require on those devices? And, what extra steps, controls, or out of band (OOB) authentication do you require? For the 88% that don’t, how systematic are you with regard to your controls on the devices and access methods used to generate or transmit payments?

Having system-enforced segregation of duties that are typical in corporations provides a better level of security than an individual accessing their personal banking system. Nonetheless, the access to vastly larger amounts of money from corporate accounts is surely in the sights of cyber criminals. The payoff is so large it is worth the extra effort to defeat the level of controls that many organizations currently deem adequate. Let’s agree that it is worth having another look at your security now.

Craig Jeffery formed Strategic Treasurer in 2004 to provide corporate, educational, and government entities direct access to comprehensive and current assistance with their treasury and financial process needs. His 25+ years of financial and treasury experience as a practitioner, banker and as a consultant have uniquely qualified him to help organizations craft realistic goals and achieve significant benefits quickly. He is responsible for overall relationship management and ensuring total client satisfaction on all projects.