Security
The ClairMail System employs a multi-layered approach to ensure maximum security. These layers include:
- Validated Identity: A customer using the ClairMail System must enroll their mobile device with the financial institution offering the service. The point of enrollment provides the mechanisms to authenticate the customer before enrolling the mobile phone number and thus establishes a "trusted path" of communication between the financial institution and its customer. For user-initiated requests, a base level of authentication takes place by mapping the mobile number the message is sent from to an enrolled user of the ClairMail System. This is adequate authentication for many transactions, given that cloning has been virtually eliminated for all digital mobile phones and that only private (not secret) data is being sent.
- Multi-factor Authentication: Higher-risk transactions use an escalated, multi-factor authentication system which has been designed to meet and exceed FFIEC requirements. "Something I have" (the first factor) is the enrolled mobile device itself. "Something I know" (the second factor) would be a PIN or a one-time password. This transaction-level authorization can occur out-of-band for an additional level of security.
- Encryption: Encryption is used throughout the ClairMail System, for both data in flight and data at rest. SSL and HTTPS encryption are used for data in flight; users' mobile profile data and message data at rest are always stored encrypted.
- Confidential Data Protected: The ClairMail System never transmits or stores any confidential data on customer phones, and masks personal details in any private information it does send. All confidential information is maintained in an encrypted database on the ClairMail System server and is protected by additional layers of security. Finding a lost or stolen phone would be akin to finding an ATM receipt.
- Multi-Modal Integration: Mobile web banking sessions can be launched by sending and responding to a text message, ensuring that the customer reaches the correct – and not a fraudulent – website.
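The base-level sender mapping, the step-up to an out-of-band one-time password for higher-risk transactions, and the masking of account details in replies, sketched as an added Python example (this is not ClairMail's code; the enrollment table, the set of high-risk transaction types, the OTP lifetime and the masking rule are assumptions):

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample enrollment: sending mobile number -> customer id.
ENROLLED = {"+15551230001": "cust-42"}
HIGH_RISK = {"transfer"}   # assumed: transaction kinds that need the second factor
OTP_TTL = 300              # assumed: seconds a one-time password stays valid

_pending = {}  # customer id -> (sha256 digest of OTP, expiry timestamp)

def _now(now):
    return time.time() if now is None else now

def identify(sender):
    """Base-level authentication: map the sending number to an enrolled customer, or None."""
    return ENROLLED.get(sender)

def issue_otp(cust, now=None):
    """Start step-up authentication; returns the OTP to be delivered out-of-band (e.g. by SMS)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[cust] = (hashlib.sha256(otp.encode()).hexdigest(), _now(now) + OTP_TTL)
    return otp

def verify_otp(cust, otp, now=None):
    """Single-use and time-limited: the pending entry is consumed on any attempt."""
    entry = _pending.pop(cust, None)
    if entry is None:
        return False
    digest, expiry = entry
    if _now(now) > expiry:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(otp.encode()).hexdigest())

def mask_account(acct):
    """Only private, not secret, data leaves the server: keep the last four digits."""
    return "*" * (len(acct) - 4) + acct[-4:]

def handle(sender, kind, account, otp=None, now=None):
    """Process one inbound request; high-risk kinds require a valid OTP before proceeding."""
    cust = identify(sender)
    if cust is None:
        return "unenrolled"
    if kind in HIGH_RISK:
        if otp is None:
            issue_otp(cust, now)
            return "otp-required"
        if not verify_otp(cust, otp, now):
            return "denied"
    return f"{kind} ok for {mask_account(account)}"
```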