Bill.com is using its business payment technology to help users determine when and where to ask for additional security information, a move designed to spot vulnerabilities that require extra protection.
"You can put extra security at certain checkpoints. You may want to ask for multifactor authentication when a new vendor is added to a payment, or if a payment over a certain bar is made," says Mark Orttung, president and COO of Bill.com.
The security system, which has been deployed at two of Bill.com's client banks thus far, is built into the Bill.com offering for small businesses and accountants. Bill.com, which plugs its cashflow tools into banks' small business software, can also integrate its activity monitoring and analysis with other authentication approaches in place at banks, Orttung says.
For example, some banks use a keychain device to generate a one-time passcode for authentication. "We can integrate with that," Orttung says.
As business payments are routed, Bill.com's technology looks for risk-based triggers for extra security. In some situations, it may send an extra text message to a preregistered mobile device before authorizing a payment or a change to a user's account. In less risky situations, where the triggers are not activated, the payment would go through without pausing for extra authentication.
"The bank has the ability to select where in the process they want to add extra payments security. They can determine how strict they want to be," Orttung says.
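As an added illustration (not Bill.com's code; the policy fields, trigger names and threshold values are assumptions), a small Python model of the risk-trigger checkpoints described above: the bank chooses which triggers are switched on and where the amount bar sits, and a new vendor or device only becomes trusted after the second factor has been confirmed.

```python
from dataclasses import dataclass, field

@dataclass
class StepUpPolicy:
    """Checkpoints a bank turns on and how strict they are (constructed defaults)."""
    amount_threshold: float = 10_000.00   # step up when a single payment exceeds this
    on_new_vendor: bool = True            # first payment to a vendor not seen before
    on_new_device: bool = True            # request from a device not yet enrolled
    on_account_change: bool = True        # edits to the user's own account details

@dataclass
class UserProfile:
    """What is already trusted for this user; grows only after a successful step-up."""
    known_vendors: set[str] = field(default_factory=set)
    known_devices: set[str] = field(default_factory=set)

@dataclass
class PaymentRequest:
    amount: float
    vendor_id: str
    device_id: str
    account_change: bool = False

def stepup_triggers(req: PaymentRequest, profile: UserProfile, policy: StepUpPolicy) -> list[str]:
    """Names of the risk triggers that fire; an empty list means the payment
    proceeds without pausing for extra authentication."""
    fired = []
    if policy.on_new_vendor and req.vendor_id not in profile.known_vendors:
        fired.append("new_vendor")
    if req.amount > policy.amount_threshold:
        fired.append("amount_over_threshold")
    if policy.on_new_device and req.device_id not in profile.known_devices:
        fired.append("new_device")
    if policy.on_account_change and req.account_change:
        fired.append("account_change")
    return fired

def record_verified(req: PaymentRequest, profile: UserProfile) -> None:
    """Call only after the second factor (e.g. a code texted to the preregistered
    phone) has been confirmed: the vendor and device then stop triggering step-up."""
    profile.known_vendors.add(req.vendor_id)
    profile.known_devices.add(req.device_id)

if __name__ == "__main__":
    profile = UserProfile(known_vendors={"vendor-A"}, known_devices={"laptop-1"})
    routine = PaymentRequest(amount=500.0, vendor_id="vendor-A", device_id="laptop-1")
    risky = PaymentRequest(amount=25_000.0, vendor_id="vendor-Z", device_id="phone-7")
    print(stepup_triggers(routine, profile, StepUpPolicy()))  # []
    print(stepup_triggers(risky, profile, StepUpPolicy()))    # three triggers fire
```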
Requiring authentication for all changes can be cumbersome, given the number of people that may touch a business-to-business payment, Orttung says. "In the consumer world, only one or two people may see a payment. It's you and your spouse, for example," he says. "But in the business world there can be three or four people at a small business, or at a large company it can be 30 or 40."
Bill.com's approach is typically known as "step-up" authentication, and it can provide a means to weigh identity and fraud prevention against usability for payments and other financial transactions, says Eve Maler, an analyst at Forrester Research.
"This approach is becoming more common as a way to mitigate the negative usability effects of authentication, and reserving the trickier user experiences for operations where you need to mitigate more risk," Maler says. "Onboarding new devices, phone numbers, vendors and the like is a particularly risky operation because fraudsters often execute account takeovers at these junctures, so this would be an excellent place to apply step-up authentication or even re-verification of the user's real-world identity."
This type of security technology can also be helpful in isolating certain job categories that are vulnerable to fraud attacks, says Shirley Inscoe, a senior analyst at Aite Group.
"During recent years, there have been many instances of spear-phishing malware attacks, such as Citadel and other variants that targeted controllers, bookkeepers, accountants, etc., who are using online banking or generate payments for small and mid-sized businesses," Inscoe says. "While consumers are susceptible to similar attacks, the dollar amounts involved in business transactions are typically much larger, hence potentially more profitable for the fraudster."
With technology such as Bill.com's, both the user and the user's computer are authenticated, and behavioral analysis flags activity that departs from the user's normal pattern.
"One of the best resulting features is that people are not inconvenienced as often by other intrusive authentication methods such as being asked knowledge-based questions or having to carry around a physical hard token device," Inscoe says. "Only in situations that appear atypical would stepped-up authentication come into play, and that could be handled via a text message or telephone call."