Security

The ClairMail System layers several independent security controls so that no single control is relied on alone. These layers include:

  • Validated Identity: A customer using ClairMail must enroll their mobile device with the financial institution (FI) offering the service. Enrollment is where the FI authenticates the customer before recording the mobile phone number, establishing a "trusted path" of communication between the FI and that customer. Once the customer is authenticated, the mobile device is uniquely identified and associated with the customer, and this association is maintained as part of the customer's mobile profile in the ClairMail solution.
  • Multifactor Authentication: ClairMail's transaction-level, multifactor authentication is designed to meet and exceed FFIEC guidance. The first factor, "something I have," is the enrolled mobile device itself; the second factor, "something I know," is a PIN or a one-time password. Because the possession factor is the device bound at enrollment, the strength of the scheme rests on that enrollment step. The second-factor check can also be performed out-of-band for an additional level of security.
  • Escalating Authentication: The ClairMail System supports automatic, escalated authentication or authorization. Higher-risk transactions, such as transfers above an FI-specified or customer-specified threshold amount, or between specific accounts, trigger this escalation.
  • Out-of-Band Authentication: For added security, escalated authentication can cross communication channels to perform out-of-band verification of a transaction. Depending on the use case, this dial-back may use an outbound IVR call requesting a PIN, a WAP push message that collects a PIN or password over an SSL-secured connection, a voice call from a customer service representative, or a secure push notification (e.g. the Apple Push Notification service, APNs, on iPhone).
  • Anti-Tampering Technology: The mobile web server is, by definition, reachable from the Internet and must be protected from attack. The ClairMail mobile web solution always uses encrypted HTTPS sessions and adds anti-tampering controls, including:
    • SMS "Dial-Back"
    • Apple Push Notification Service
    • Message Authentication Codes (MACs)
    • URL Parameter Validation
    • Form Data Validation
    • Session ID Timeout
  • Delegated Authentication: The FI can opt for the ClairMail solution to delegate authentication to the FI's existing authentication system. This is a good practice when the FI has centralized control over the customer's credentials, including password policies and procedures for managing lost credentials.
  • Extended Authentication: The ClairMail solution can integrate with risk-based authentication systems already in place at the FI, such as RSA/Passmark and Voyager IA. This provides stronger device identification and mutual authentication, assuring customers that they are connected to the FI's website rather than to a phishing site.
  • Confidential Data Protected: The ClairMail solution does not transmit confidential data to, or store it on, the customer's device, and whatever it does send is shielded so that it reveals no personal details. Customer-defined account nicknames, masked account numbers and similar measures ensure that the device never holds more information than appears on a typical ATM receipt.
  • Encryption: ClairMail encrypts data in flight throughout the solution, using transport-layer protection (SSL/TLS, i.e. HTTPS) and message-level protection (WS-Security) as appropriate to each interface. All operations and transactions conducted in the ClairMail solution are logged end to end and migrated to a reporting database to provide a complete audit trail.
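
As an added illustration of how the anti-tampering controls listed above (message authentication codes, URL parameter validation, form data validation and session ID timeout) fit together on a mobile web server, the following is example code written for this page, not ClairMail's implementation. The server signs the parameters it places in a URL with an HMAC over a canonical encoding, puts the session ID and issue time under that MAC, and on every request verifies the MAC in constant time, enforces the session timeout, and checks the remaining parameters against an allow-list of names and formats. The key, session ID, field names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Server-side signing key (hypothetical value for this example; in production it is
# generated and rotated on the server and never sent to the handset).
SERVER_KEY = b"example-only-server-key"
SESSION_TTL_SECONDS = 300  # session ID timeout

# Allow-list of parameter names and value formats the mobile web server accepts
# (constructed for the example).
RULES = {
    "acct": lambda v: re.fullmatch(r"[A-Za-z0-9]{1,12}", v) is not None,
    "amount": lambda v: re.fullmatch(r"\d{1,7}(\.\d{2})?", v) is not None,
}


def _canonical(params: dict) -> bytes:
    # Sort by name so that reordering parameters on the wire does not change the MAC.
    return urlencode(sorted(params.items())).encode()


def sign_params(params: dict, session_id: str, issued_at: int) -> str:
    """Build a query string carrying the parameters, session ID, issue time and an HMAC."""
    body = dict(params, sid=session_id, ts=str(issued_at))
    body["mac"] = hmac.new(SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return urlencode(sorted(body.items()))


def verify_query(query: str, now: int, rules: dict = RULES) -> dict:
    """Return the validated parameters, or raise ValueError describing the rejection."""
    # strict_parsing rejects malformed pairs; keep_blank_values keeps 'acct=' visible.
    parsed = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    flat = {}
    for name, values in parsed.items():
        if len(values) != 1:  # ?acct=A&acct=B is ambiguous, so refuse it outright
            raise ValueError(f"duplicate parameter: {name}")
        flat[name] = values[0]

    # 1. Message authentication code: the MAC covers every other parameter.
    presented = flat.pop("mac", None)
    if presented is None:
        raise ValueError("missing MAC")
    expected = hmac.new(SERVER_KEY, _canonical(flat), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented, expected):  # constant-time comparison
        raise ValueError("MAC mismatch: parameters were altered")

    # 2. Session ID timeout: the issue time is trusted only because it is under the MAC.
    if "sid" not in flat or "ts" not in flat:
        raise ValueError("missing session fields")
    if now - int(flat["ts"]) > SESSION_TTL_SECONDS:
        raise ValueError("session expired")

    # 3. URL parameter / form data validation against the allow-list.
    for name, value in flat.items():
        if name in ("sid", "ts"):
            continue
        check = rules.get(name)
        if check is None:
            raise ValueError(f"unexpected parameter: {name}")
        if not check(value):
            raise ValueError(f"invalid value for {name}: {value!r}")
    return flat


def outcome(query: str, now: int) -> str:
    """'ok' if the query is accepted, otherwise the rejection reason."""
    try:
        verify_query(query, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    q = sign_params({"acct": "chk01", "amount": "150.00"}, "s3ss10n", issued)
    print(outcome(q, issued + 10))
    print(outcome(q.replace("amount=150.00", "amount=9150.00"), issued + 10))
    print(outcome(q, issued + SESSION_TTL_SECONDS + 1))
```

The MAC is checked before anything else so that an altered, added or removed parameter is rejected without the server ever acting on it; the allow-list then runs even on authenticated parameters as defence in depth, and is the same check that would be applied to user-entered form fields such as a PIN, which are never under a server-issued MAC.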

For a detailed description of ClairMail's mobile security strategy, download our Mobile Security white paper, "Four-Point Strategy for Secure Mobile Banking and Payments".
