
Pay it forward

Business electronic banking has become so ubiquitous that one would expect the participants to be blasé about it all. Not so. Constant reminders in the media keep bankers and customers alike on their toes.
By Brian Bakker, Contributor
Johannesburg, 19 Oct 2005

Play the word association game with the people in your office; offer the phrase "business electronic banking" and note the proportion that responds with "security". It will be a fairly hefty majority, as recent BMI-TechKnowledge (BMI-T) research into the subject shows.

Electronic banking in the corporate sector, an analysis published annually by BMI-T, shows that products on offer have matured, particularly in the past two years, according to co-author and senior analyst at BMI-T, Althea Bacchialoni. "The banks have put a tremendous amount of effort into their products and they are now well-embedded.

"They're secure, safe and stable and they've become an integral part of the day-to-day running of finances in a business."

Business electronic banking has become a commodity, she says. "Companies are now saying: 'We now want more relationship management and we want more hands-on services'."

Electronic banking products are secure, safe and stable, and they've become an integral part of the day-to-day running of finances in a business.

Althea Bacchialoni, BMI-T

A commodity it may be, but 85% of BMI-T's 600-odd respondents indicated they had no intention of changing banks. No reasons were asked for or given, but Bacchialoni believes businesses are not keen to change banks because of the integration factor - a lot of time and effort has gone into integrating their ERP and accounting systems with their bank's electronic banking systems. "If they are with Absa or FNB, they'll stay there because it has become such an integral part of their company," she says.

Businesses have embraced electronic banking primarily for reasons of efficiency, says Hilton Briner, group distribution centre and corporate systems manager at Spar. "Asking me about it is like asking: 'What do you think about the wheel?' We have the wheel and it works for us. Maybe the tyres could be a little bit safer in the wet..." he jokes.

Security issues

BMI-T's research identified the most critical issues regarding electronic banking: security is the top concern for 74% of the respondents (down slightly from a constant 76% in 2003 and 2004), followed by availability (51%) and performance or responsiveness (40%).

Virtually instant

Services typically available to business banking users:
* Up-to-the-minute balance and interest rate inquiries.
* Real time transfers/payments and future-dated payments.
* Salaries and SARS payments processed electronically.
* Company banking details, a list of creditors and employees preloaded on the bank's systems to enable easier loading of payments.
* Ability to print or export the bank statements or other transaction information.
* Ability to import statements into the company's accounting system.

Not surprisingly, Briner agrees: "Security, clearly, is of paramount importance. You're dealing with big numbers, you want to make sure that when you're paying somebody, it's getting into their account, not somebody else's.

"The business case for electronic banking in terms of accuracy and efficiency is clear - it doesn't take rocket science to understand that proposition. The risks are associated with the security and a secure link is crucial," he adds.

Christo Vrey, GM of digital channels at Absa, puts this in perspective: "Security will always be an important factor because if it goes wrong, it can have significant impact.

"It controls the access to your funds and that's the most important thing in a business."

Despite the acknowledged importance of security, 69% of the BMI-T survey respondents listed passwords as a preferred security measure.

Vrey isn't surprised by the apparent disconnect between rating security highly and being content to rely on passwords. "Customers are not necessarily technically minded," he says.

It's about striking a balance between convenience and security, believes Roland le Sueur, head of Internet banking at FNB. "Passwords are perceived as secure from a convenience point of view. The minute you add an additional layer of security, as FNB did with its DigiTag, the inconvenience factor comes into it."

Consequently, FNB has introduced an alternative security mechanism. "We use digital certificates together with the user name and password to provide an extra layer of security and most customers feel that it's an acceptable balance," he says.

Working components

Vrey believes it critical to consider three main elements of electronic banking security: customer-side security, connectivity and bank systems (see diagram). "All three components of this security continuum need to be dealt with individually," he says.

"The risks are largely internal to the customer's business," says Herman Singh, director of technology engineering at Standard Bank. He is unequivocal: "We have zero instances of having a compromise at the bank. The compromise is always on the client side."

Technically, hacking the actual SSL-encrypted pipeline is highly improbable, Vrey notes. There is not enough processing power and just not enough time to do so successfully. "What remains is vulnerability at the client side," he says.

You want to make sure that when you're paying somebody, it's getting into their account, not somebody else's.

Hilton Briner, Spar Group

Standard Bank has approached the challenge in part by managing the banking process with rigour at the client's site, according to Singh. "The process is managed using good governance principles. If you allow one person to do all the banking, that's bad governance. So we have what we refer to as segregation of duties (one individual loads, another authorises)," he explains.

Absa also uses the segregation of duty mechanism as an additional protection, as does FNB. "We look at providing convenience to the client," says Le Sueur. "The client has an administrator who sets up multiple operators or users and limits access in terms of segregation of responsibility. It's fully customisable to the customer's needs. The administrator can set up as many operators as necessary, provide the functionality they need, and set parameters on the value and limit the company entrusts to that operator."

Perceived insecurity

There is still a perception in business that the Internet is not secure and never can be.

Segregation of duties

Banking at the client's site is managed by applying good governance principles.
* Two separate releasing operators must approve all transactions before processing takes place.
* Other operators are also loaded with limited power and access to enable them to view and process but not to release transactions.
* Operator limits can be set so that only a certain amount of money can be released per day - this limits excessive spending (cash control).
* Payment limits for creditors and employees can be set so that any irregular amount won't be released and you'll be warned that the limit's been exceeded.
* Operator passwords are reset every month and once a password has expired it can never be used again by the same operator.
* When you log on, a message screen appears informing you of new developments on the site or of downtime or any other info the bank feels you need to be in possession of.
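The maker/checker controls in the list above (a loader who cannot release, two distinct releasers, per-operator daily release limits and per-creditor payment limits) can be modelled as a small policy engine. This is an added illustration written for this article, not any bank's software; the operator names, limits and creditor list are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Operator:
    name: str
    can_release: bool = False   # loaders and view-only operators stay False
    daily_limit: float = 0.0    # value this operator may release per day
    released_today: float = 0.0

@dataclass
class Payment:
    creditor: str
    amount: float
    loaded_by: str
    approvals: list = field(default_factory=list)
    released: bool = False

# Constructed per-creditor payment limits (the "irregular amount" check).
CREDITOR_LIMITS = {"acme-supplies": 50_000.0, "payroll": 500_000.0}

def approve(payment: Payment, op: Operator) -> str:
    """Apply one releaser's approval and return a status string."""
    if payment.released:
        return "already released"
    if not op.can_release:
        return f"denied: {op.name} may not release"
    if op.name == payment.loaded_by:
        return "denied: loader cannot release own payment"
    if op.name in payment.approvals:
        return "denied: second approval must come from a different releaser"
    limit = CREDITOR_LIMITS.get(payment.creditor)
    if limit is not None and payment.amount > limit:
        return f"warning: exceeds creditor limit of {limit:.0f}, not released"
    if op.released_today + payment.amount > op.daily_limit:
        return f"denied: {op.name} daily release limit exceeded"
    op.released_today += payment.amount      # approval commits the allowance
    payment.approvals.append(op.name)
    if len(payment.approvals) < 2:
        return "pending: one more releaser required"
    payment.released = True                  # second distinct releaser: release
    return "released"

def demo() -> list:
    """Walk one constructed payment through the controls; returns the statuses."""
    loader = Operator("thabo")                                   # captures only
    r1 = Operator("anna", can_release=True, daily_limit=100_000.0)
    r2 = Operator("sipho", can_release=True, daily_limit=100_000.0)
    p = Payment("acme-supplies", 30_000.0, loaded_by="thabo")
    return [approve(p, loader), approve(p, r1), approve(p, r1), approve(p, r2)]
```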

This is perhaps best illustrated by Briner`s view that electronic banking is fine provided infrastructure links are secure and controls are in place - in other words, bypassing a service provider where an interception or a change could take place.

In the corporate market, Vrey notes, not using the Internet is the rule, rather than the exception: "Electronic banking is secure with SSL encryption and will become more prevalent, but only a fraction of our corporate customers [connect via the Internet]."

In truth there is little difference in security and a potentially huge differential in cost between a direct link and an Internet-based connection. In both cases the bank sets up an encrypted virtual private network (VPN) between the customer and itself, through which the transactions are processed.

Even if a criminal is able to isolate and intercept the correct packets for a particular transaction, they would still have to decrypt the packets before they could modify them, by which time the banking application would have resent the original packets anyway.

The risk of using the Internet lies, as always, in the user's attitude toward the security measures. According to Singh, the constant barrage of news in the retail space has created both hype and anxiety, and valid concerns about viruses, trojans, spyware, phishing, pharming, worms... Little wonder then that many large corporations refuse to take chances with an element that, as Bacchialoni says, has become such an integral part of their company.

However, sooner or later the costs are going to begin to bite. Once broadband connectivity descends to more reasonable levels in SA, the cost of a direct leased line will seem prohibitive by comparison.

The minute you add an additional layer of security, the inconvenience factor comes into it.

Roland Le Sueur, FNB

But as mentioned by Vrey and Singh, the connectivity element is probably a very unlikely point of access into the electronic banking system; the far more prevalent threat lies closer to home.

"If a client keeps his password on a post-it note on his screen, or under the keyboard - that's innovative, but not smart - the system will be compromised. It doesn't matter what security measures are in place," says Vrey.

Singh advises clients to check regularly for hardware key loggers. "We`ve been monitoring trends globally and the global experience is that is how people are trying to attack corporations," he says.

Devious practices aside, Absa, FNB and Standard Bank agree on prosaic measures such as password renewal. All three force their customers to change passwords regularly - something that doesn't necessarily go down well with the customers themselves.

BMI-T reports that, in the corporate sector, 51% of respondents to the survey feel that password renewal once a month is acceptable. A further 18% prefer to do it every second month and, shockingly, a full 15% don't believe it's necessary at all.

In the SME sector the numbers are even more frightening: 38% see no need for password renewal, while 29% are happy with monthly renewal and 14% are content with bi-monthly renewal.

Statistics like these are what encourage banks to look for alternative security mechanisms, but even the best technology can be compromised. Singh offers a prime example, where the bank issued two-tier security: "We had a pilot project using smart cards. [A user] took the smart card, put it in the smart card reader and then used sellotape to keep it in place."

Another brick in the security wall

...we have zero instances of having a compromise at the bank... the compromise is always on the client side.

Herman Singh, Standard Bank

Despite the hiccups along the way, banks are constantly looking for ways to strike an acceptable balance between security and convenience. Standard Bank's corporate solution involves a thick client application that uses a number of security mechanisms, many of which are almost invisible to the user.

All the banks appear to be looking at cellphone technology and the delivery of one-time passwords via prioritised SMS. "One-time passwords are another brick in the wall that makes the security programme stronger," says Vrey.

However, he notes that such solutions may not work that well in a corporate environment. "There might be a more appropriate application tied to physical tokens, attached to either a workstation, or a particular employee who would be registered," he notes.

Singh believes that, despite his sellotape experience, smart cards, together with some form of biometric identification - fingerprints, retina scans, and so on - would be more acceptable in the corporate world. His description of Standard Bank's registration process provides some indication of the acceptability more intrusive measures would have in business.

How to integrate?

Banks won`t integrate with less secure, mass market applications
An issue that must raise its head in any discussion on electronic banking is application integration. According to Dr Chris Kotze, CEO of FNB eSolutions, such functionality is available for customers who use the likes of SAP and Oracle, but not for those that rely on less secure mass-market applications.

The reason, he says, is the relative security, or the lack thereof, inherent in such platforms. Would you rely on, for example, Microsoft or Pastel's security to protect your interaction with your bank? You would be silly if you did.

The message is clear: import and export? No problem, we can help you there. Application integration with an insecure mass-market application? Not a chance.

"Registering for [electronic] banking is a very cumbersome process, on purpose. Because you've got to fill out the application forms, you've got to come in, you've got to get IDs of people; it is a governance issue. The business is giving these individuals a mandate to execute transactions on its behalf," he says.

Despite this, Singh claims double-digit growth, both in terms of the number and value of transactions being processed by Standard Bank's business banking unit. It's growing faster than retail banking. It has 60 000 users and is the busiest Web site in SA. It switches over R300 billion per month.

FNB also reports strong growth in electronic banking. Chris Kotze, CEO of FNB eSolutions, says: "From a transactional volume perspective, the consumer and smaller-business type platform saw a 47% growth last year. On the platform that caters to the corporate space, we had a 38% growth."

Le Sueur reports another fairly recent development involving the other banks: "One of the latest facilities we've introduced is the ability to do real-time payments between banks at a premium rate. It normally takes overnight, that's the infrastructure that's in place, but for high-value transactions, there is a system now where you can pay directly to Standard Bank, for example, at very close to real-time."

* Article first published on brainstorm.itweb.co.za
