Okay LogoOkay Logo

SCA for corporate transactions

27/03/2020

artifact

One of the biggest challenges when introducing Strong Customer Authentication (SCA) is to render the purchasing experience fast and frictionless to cardholders or bank app users. Looking at the requirements for speed and convenience, corporations would be at the opposite end of retail users: The amounts can be much larger, so security is paramount. Friction does indeed translate into more security when making a corporate transfer to make payment. So how does this all translates to SCA? 

Corporate transfers are an exemption in the PSD2 Regulatory Technical Standards (RTS)

Article 17 of the RTS states that SCA is not required for secure corporate payments as long as the following conditions are met:

  • Dedicated payment processes or protocols are used
  • The dedicated processes or protocols are only made available to payers who are not consumers
  • National competent authorities are satisfied that dedicated corporate processes and protocols are sufficiently secure

Corporate payments are more complex than consumers’ payments, so it is not a surprise that they should constitute an exemption. However, the amounts at stake in corporate transfers are of such value that transfers is a prime target for all the “white-collar” fraudsters of this world. 

In the initial article 17 of the RTS, before the EBA’s June 2019 opinion, corporate payments constituted an exemption as long as they were under PSD2 grade security. As we’ve covered in a previous post, PSD2 requires security which is both two-factor authentication AND authentication process security. Both are necessary to counter the most innovative attacks.

What does corporate payment look like?

Payments at the corporate level most often involve quite a few people. It starts with the purchasing team onboarding new suppliers and their payments details into the corporation ERPs. The treasurer and their team will then prepare the payment orders to settle invoices. These orders will rely on the supplier’s IBAN and company registration number. After preparing the payment order via a corporate portal, banking portal or dedicated corporate payment tool, the treasurer will have to have the payment validated by the CFO, or CEO, Chairman, General secretary etc. depending on the amount and/or the payment validation process of the company. The actual transfer can then take place. 

With thousands or tens of thousands of suppliers, corporate payments can be a headache for corporations and a new bonanza for the white-collar fraudsters. Supplying companies change banks, create subsidiaries, merge etc. There are many occasions that will require the corporation to change the IBAN/registration number couple. 

Where are the security threats?

Hackers focus on stealing the identifier and password of key players in the payment process, i.e. treasurers and CFOs. Passwords – even sophisticated ones – can be broken and is for that reason considered to a weak point in corporate payment security.

Passwords can be stolen by malware delivered by email, or via social-engineering attacks like phishing. Vulnerabilities linked to hardware and software may also be exploited if upgrade routines are not well in place. Last but not least, the increasing usage of IoT offers new vectors of attack to fraudsters to break into the information systems of corporations.  

Where would the fraudsters specifically attack?

Once they get hold of the ‘keys”, they will get direct access to the corporation portal and start to wreak havoc by redirecting payments. As we could see above, there are many points in the process that can be attacked. 

One very subtle attack is to change the IBAN in the IBAN/registration couple. The entire finance team believes it is paying the right company while the money is diverted to another account across Europe. In a matter of a few seconds with instant payment initiatives, the money can be moved out of Europe, with no hope that it will ever be recovered. 

Another attack is to trick a supplier into changing the contact information for a corporation. The supplier will then send the invoice to the attacker who can modify it and then pass it on to the corporation. The corporation will then receive an invoice which looks valid except for the payment details. In situations like that SCA would  be useful to validate the identity of a supplier.

Corporations have to up their game

The amounts at stake and the level of ingenuity of fraudsters are such that corporations just cannot do without strong and innovative security. Although smartphones are not so popular in corporate payments, they are still a good medium to combine possession and inherence factors, for instance, 2 out of three authentication factors as required for strong customer authentication. This verification means could be used at each connection to the enterprise portal, to the “vault” where IBAN/ registrations numbers are kept etc. Corporations may not trust the embedded biometric capabilities of phones and will most likely look for military-grade biometrics solutions as well. 

Security vendors like United Biometrics provide a wide array of patented biometrics solutions to get rid of passwords on PCs and mobiles alike and can enhance security at access points to sensitive information. A smartphone can be used as a second factor at authentication point or used to validate the transaction by the CFO or/ and the CEO who are on the move and cannot access the corporate portal via their PCs. Two factors of authentication might be not enough. Security also has to provide malware resistance at the point of validation, especially on a smartphone. 

Securing the access point or validation point is a must. There are of course other ways to combat corporate payment fraud beyond authentication security. Vendors such as SiS id have created a community of finance directors who share IBAN/ registration couple data to combat supplier payment fraud. Artificial intelligence applied to this data and community sharing effect makes it possible to raise alarms on potential fraudulent data couple. 

Corporate payment is a prime target for fraudsters. Although it is complex to break into the payment process, the stakes are such that fraudster will for sure put their minds to it and make the treasurers of this world paranoid about security. 

At Okay, we are also paranoid about payment security.  We believe that strong dedicated 2FA solutions combined with our malware resistance mechanisms on smartphones can offer near to “bulletproof” security to corporations whenever authentication is required. 

— — —

This is the 8th article in a 8-part series about the challenges in the SCA industry.
Read challenge 7- SCA Enrolment and re-enrolment and follow our blog for future update on the topic of SCA