The distinct threat model for business banking
Consumer fintech attacks tend to be high-volume and low-value: many accounts, small amounts per account, automated exploitation. Business banking attacks are low-volume and high-value: one well-placed compromise of a company's payment approver can redirect a single bulk payment of millions of naira. The attacker's return on investment in social engineering a business banking account holder is orders of magnitude higher than in compromising a consumer wallet.
Business banking platforms also have more complex user permission models. A single organization account typically has multiple users with different roles: view-only access for accountants, payment initiation for finance officers, and final approval for directors. The correctness of this role hierarchy and the security of the role-switching and approval workflows are the most important things to audit on a business banking platform.
1. Maker-checker bypass testing
The maker-checker (dual control) workflow is the primary fraud prevention control for business payments. We test it systematically by attempting to approve a payment using the same account that created it, by directly calling the approval endpoint without going through the initiation flow, by escalating a view-only account to initiator through role manipulation, and by submitting a payment approval request with a modified payment amount that differs from the amount the approver reviewed.
The approval endpoint must validate all of the following independently: that the approver is a different user than the initiator, that the approver has the required approval role, that the payment details in the approval request match the payment details in the database record (not the client-submitted parameters), and that the payment has not already been approved or rejected.
2. Bulk payment file injection
Business banking platforms typically allow companies to upload bulk payment files (CSV or Excel format) that disburse to multiple beneficiaries in a single transaction. We test the bulk payment upload flow for: file parsing vulnerabilities (formula injection in Excel files that execute in the reviewing interface), beneficiary account substitution after file upload but before approval review, total amount manipulation between upload and execution, and the ability to process the same bulk file twice (idempotency failure).
3. Sub-account and multi-entity access control
Many Nigerian business banking platforms support multi-entity structures where a holding company and its subsidiaries each have their own accounts under a shared organizational profile. We test whether a user with access to subsidiary A can access the account data or initiate payments from subsidiary B by modifying the entity ID in API requests. We also test whether a parent company admin can view sub-account data without explicit delegation, and whether sub-account users can access parent company data through upward traversal.
4. API key management for programmatic access
Business banking platforms increasingly offer API access for businesses to integrate banking operations into their own ERP and accounting systems. We audit the API key issuance and management system: are keys scoped to specific operations (read-only, payment initiation, bulk upload), can API keys be revoked immediately without revoking other keys on the account, are API key operations logged to an immutable audit trail, and does the API key have its own transaction limits separate from the account's overall limits?
Maker-checker bypass via direct approval endpoint call
During a penetration test of a Nigerian business banking platform, we created a payment instruction as a standard user (maker role) and immediately called the payment approval endpoint with the same session token without switching to an approver account. The approval endpoint checked that the payment existed and that the calling user had an active session, but did not verify that the approver was a different user from the initiator. The payment was approved and executed with one user account performing both roles. Fix priority: critical. The platform processed bulk payments worth millions of naira daily. Remediated by adding a database constraint that rejects approval requests where the approver user ID matches the initiator user ID, enforced at the service layer before any database write.
Running a business banking or B2B fintech platform in Nigeria? Book a security assessment before enterprise clients ask you for your pentest report.
Book a Business Banking PentestFrequently asked questions
Why are business banking accounts higher-value targets than consumer accounts?
Business accounts hold operating capital, receivables, and payroll funds. A compromised SME business account on a platform like Brass or Sparkle typically holds ten to a hundred times more than a consumer wallet. Business accounts also execute bulk transfers — a single authorized bulk payment file can disburse millions of naira. Compromising the person authorized to approve bulk payments is more valuable than compromising thousands of individual consumer accounts.
What is maker-checker authorization in business banking?
Maker-checker is a dual-control workflow where one user creates a payment instruction and a second, separate user must approve it before it executes. This is a standard fraud control in business banking. The security test question is: can the maker bypass the checker by manipulating the approval API directly, or can a single compromised account both create and approve its own payments?
Do enterprise clients demand security testing from their business banking providers?
Yes, increasingly. Enterprise procurement teams in Nigeria now include a security questionnaire in their vendor due diligence for any financial services provider. A business banking platform that cannot produce a penetration test report conducted within the last 12 months is being removed from shortlists by enterprise clients who have their own regulatory and audit requirements.
Related reading
Blog: BOLA in financial APIs · Proving security to enterprise clients · Rate limiting and anti-fraud
Services: Penetration testing · API security