Category Archives: Online Banking Security

Smartphones and Online Banking Apps – New security vulnerabilities and tips to stay protected

The recent InformationWeek article exposing new bugs in online banking applications used on various Smartphones really piqued my interest. Two of my biggest focus areas have been highlighting the risks of online banking and, more recently, advice on how to keep your iPhone secure. The primary issues highlighted in the InformationWeek article are improperly configured security certificates, lack of encryption, and saving of sensitive credentials without user approval.

As a result of the findings, many banks and other payment companies like PayPal are issuing new versions of their applications that are, or will soon be, available. This is an important reminder that reinforces a few security principles we have already covered recently.

Smartphone Security Tips

#1 – Online banking is risky enough when performed on a machine that is physically secure from theft. Performing online banking on mobile devices adds an additional element of risk that is not recommended. If you lose your device or it is stolen, you are at an increased risk of having your credentials compromised.

#2 – Application updates occur regularly and are often issued as a result of security vulnerabilities. You must regularly check for updates for any installed applications on your Smartphone and ensure that you have the most recent version of the software. Failing to do so puts you at an increased risk of compromise and financial loss.

#3 – Be selective about which applications you choose to install on your Smartphone. Every new application you install potentially exposes you to additional security vulnerabilities, so your security is only as trustworthy as the vendor providing the application.

FBI advisory for Businesses – Online Banking Accounts at risk

Online banking security risks have received more attention from me than any other information security topic, and rightfully so! Not many other business risks can quickly put a company out of business, but the fraudulent theft of an entire bank account could force closure if invoices and payroll cannot be paid. After analyzing a lot of recent frauds, the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing typical fraud methods and ways to protect your business from becoming a victim.

The fraud advisory begins by noting that cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, and that the result has been significant disruption and often unrecoverable lost funds (as we have mentioned previously here, since regulations do not adequately protect businesses right now). Several examples are also provided, very similar to other cases we have previously highlighted. The highlighted method of compromise is targeted phishing emails that either carry an infected attachment or contain a link that, when clicked, sends the victim to a malicious site that compromises their machine. Once the machine is compromised, key logging software is installed to record keystrokes, and the online banking credentials are captured when the victim logs into their account on the compromised machine. The cyber thieves then strike at an opportune time to drain the accounts of their contents, often in increments of $10,000 or less to avoid suspicion.

What does the FBI Advisory recommend to avoid becoming a victim?

1. Educate your users not to respond to unsolicited emails and never to open attached documents or click on links. If a message appears to come from a financial institution or government agency and you feel it is legitimate, engage that institution directly and avoid the suspicious files or links.

2. Secure your computers and networks.

3. Enhance the security of your business banking processes. The FBI recommends dual control, where one person authorizes the creation of a payment and another authorizes the release of the payment from a separate system. This is a good protection that segregates duties and also helps mitigate typical non-cyber fraud, but be warned that oftentimes multiple accounts at a given company are targeted, so it is not a foolproof control (though a useful additional security step). The FBI also recommends SMS text payment notifications or direct phone notifications, which can help detect a fraud early in the process and limit the damage.

4. Monitor accounts daily – The sooner you detect a problem, the sooner you can work on correcting it and recovering your losses.

5. Pay attention to any warning signs that your machine may be compromised, including anti-virus system warnings, pop-up alerts, sluggish response, or being unable to shut down or restart properly.

6. Understand your responsibilities and liabilities – This recommendation is useful because many businesses have a false sense of security and believe that personal banking laws also apply to their business. They often do not, so find out now so you can make an informed decision on whether the benefits of online banking are worth the risks it entails.

Online Banking Security – Another Town Bites the Dust

Just in case you thought I might have been crying wolf over the risks of online banking and the need to implement online banking security measures, here is another report that proves the risks are very real. Another New Jersey city has become a victim of online banking fraud because it failed to implement adequate information security measures. The city feels confident it will recover most of the $400,000 that was lost, but if I were a taxpayer in that area I would be very concerned about the lax information security practices that put the funds at risk to begin with.

The article linked above from Brian Krebs is a great read because it gives fascinating detail on the other end of the criminal process: how do the criminals get the money out without getting caught? Cyber thieves are using social networking, job boards and a high unemployment rate to their benefit to recruit "money mules" who help move the money around quickly and minimize the likelihood of the thieves getting caught. This is a good example of how the scam works and shows you what kind of thieves you are up against.

Remember, online banking is convenient, but a lot can go wrong if you are not taking information security seriously. Just as Brigantine, New Jersey could not rely on its bank to stop unauthorized transactions, neither can you. The security of your financial health is reliant on you, so get started today.

Online Fraud – What to do if you are a victim

You can become a victim of online fraud even if you have taken reasonable measures to protect yourself. The natural reaction to being victimized is anger, but even though it is difficult, it is best to think with a level head and follow these steps to minimize the damage to your financial health and begin the recovery. Assembled below is a collection of the best advice from major banks and ftc.gov, the leading source on responding to these types of incidents.

Stop the Bleeding

Contact your online bank and/or credit card company (depending on what type of account you are dealing with) and report the incident. Close affected accounts and open new ones with unique identifiers and new passwords.

Contact your local police department and file a miscellaneous incident report to document the event. You are not doing this necessarily to catch the criminal (although that would be nice); it is more for documentation purposes, should you need a record of the damage done to your credit or if your financial company is not offering restitution.

Contact one of the big 3 credit bureaus and place a fraud alert on your credit report.

  • Experian: 888-397-3742
  • Equifax: 800-525-6285
  • Trans Union: 800-680-7289

Assess the Damage

Review all of your affected accounts and formally document any issues. Follow up with the financial institutions and document everything so you can show you took prudent measures if you ever have to (in case the companies are not responsive in compensating you for your loss).

Obtain a current credit report from annualcreditreport.com and review it thoroughly. If you notice any unauthorized accounts, contact those businesses immediately and notify them by phone and in writing that the accounts are fraudulent. The link provided above gives you access to a free annual credit report; use it instead of freecreditreport.com, which may have catchy slogans but is looking to sign you up for a monthly fee for your credit report.

Live, Learn & Get Secure

Do some self reflection and try to determine the root cause of how you became a victim. Did you fall for an email phishing scam, click on an insecure website, fail to use anti-virus, or not patch your systems? Use this painful event as an opportunity to improve your approach to information security and review our top 10 information security items you need to do (or better yet, be proactive and do these steps to avoid becoming a victim).

Online Banking phishing scam – Information Security Awareness

I received this online banking phishing scam in my email account today, so it provides a good example of what you need to be on the lookout for. This one was not ideally targeted for me since I do not bank at HSBC, but no matter: these types of scams impersonate all types of banks and online financial service accounts. If this had been from your bank, what would you have done? If you had clicked on it, you would likely have been asked to provide your login and password information, or your machine would have been infected with malware; in either scenario your account would be at extreme risk.

Here are some tips on dealing with phishing emails from banks or other financial companies requesting you to click on them:

1. Legitimate companies will not email you requesting that you take immediate action or threatening immediate suspension of your account. Real businesses do not make that threat, so take it as a warning sign that this is a scam.

2. If you hover your cursor over the link (but don't click on it), you'll notice the destination is often not the company it is pretending to be. I say often because there are techniques that make a link appear legitimate, so do not use this as a foolproof measure.

3. If you do need to check on your account status, never do it via an email link; instead use a saved link to the site that you know to be legitimate. In the example above, that means having your own link to your HSBC account and not clicking on the link bait provided.

4. Always be skeptical of unsolicited emails, treat them as untrusted, and revert to step 3 above for accessing sensitive accounts.
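Tip #2 above can be automated for a whole mailbox: extract every link from the message body and compare where it really points with what it claims to be. The following is an added example, not code from the original post; the email body is constructed, the trusted domain and the two-label domain approximation are assumptions, and real mail filters use a public suffix list rather than this shortcut.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing email body (not a real message):
# the visible text names hsbc.com, but the href points elsewhere.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Verify now:</p>
<a href="http://hsbc.com.account-verify.example/login">https://www.hsbc.com/secure</a>
<p>Questions? Visit <a href="https://www.hsbc.com/help">our help page</a>.</p>
"""

def registrable_domain(host):
    """Assumed approximation: the last two labels of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, trusted_domain):
    """Return hrefs that look like trusted_domain (in the link text or
    as a decoy subdomain) but whose real destination is a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        looks_trusted = trusted_domain in text.lower() or trusted_domain in host
        if looks_trusted and registrable_domain(host) != trusted_domain:
            flagged.append(href)
    return flagged
```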

Don't fall for the bait; avoid phishing scams and keep your online accounts secure!

Online Banking Security Tips

Another day and another report of a big online banking information security incident. At this point you have to be asking yourself whether your business can bank online securely or whether it is best avoided altogether. The FDIC offers some limited online banking guidance that primarily deals with not doing business with fake banks and how to validate that your bank is FDIC insured. While these measures are important, they are not sufficient to ensure that your online banking is done in a secure manner.

Step 1 – Decide if the benefits of online banking are greater than your potential exposure to loss from fraud. For individuals this is an easier decision as you have more protection, but a business should fully evaluate the risks and implement the controls recommended below prior to online banking.

Step 2 – Ensure the computer(s) that you will be online banking with are regularly patched (both operating systems and other general applications), run up-to-date anti-virus software, and have a personal firewall installed. I will cover all of these items in more depth with recommended options in a future article, but if you are using an all-in-one suite like McAfee or Norton you are on the right track.

Step 3 – Strongly consider dedicating a single machine used only for online banking. That means no internet surfing, no email usage etc… The most common method of compromise is malware from internet surfing or infected email attachments, so avoiding these activities via a dedicated machine greatly reduces your risk. That being said, you must be consistent and do this 100% of the time for it to be effective.

Step 4 – Never perform online banking transactions on a shared PC or on a network that you do not own. Shared PCs or unfamiliar networks could be capturing your online banking credentials and could lead to the compromise of your accounts.

Step 5 – Follow good password management practices with your online banking credentials.

Step 6 – Implement automated account monitoring that will automatically alert you to key changes to your account, such as security setting changes and the addition of a new payee, as well as low balance alerts set at your desired threshold. I recommend having these alerts sent to your mobile phone, as this offers some additional protection versus sending them to a traditional email account.

Step 7 – Not many banks have implemented advanced controls to replace passwords (such as password tokens that change every minute), but if you are considering different banks I would lean towards one with greater security measures versus those that only offer static passwords.

Step 8 – Check your online bank balances once or twice a week to ensure that nothing suspicious has occurred, and if you do detect an issue, promptly report it to your bank and document all the follow-up you have performed to help minimize your chances of financial loss (keep detailed records of dates and the individuals you have talked to). In addition, no error is too small to follow up on, as thieves often start with a small test transaction to set the stage for a bigger heist later.
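Steps 6 and 8 describe what an alerting rule set looks like: security changes, new payees, a low balance threshold, and a tiny test transaction followed by a large transfer to the same payee. The block below is an added example of those rules run over a constructed account event list; it is not the post's or any bank's code, and the thresholds, window and event layout are assumptions.

```python
from datetime import date, timedelta

LOW_BALANCE_THRESHOLD = 5000.00   # assumed threshold chosen by the account owner
TEST_TXN_MAX = 10.00              # assumed upper size of a "test" transaction
TEST_WINDOW_DAYS = 7              # assumed window after a test transaction

# Constructed sample of account events (not real data): a settings change,
# a new payee, a $1 test transfer, then large transfers to the same payee.
SAMPLE_EVENTS = [
    {"date": date(2010, 3, 1), "type": "transfer", "payee": "Acme Supply", "amount": 2500.00, "balance": 48000.00},
    {"date": date(2010, 3, 2), "type": "security_change", "detail": "contact email changed", "balance": 48000.00},
    {"date": date(2010, 3, 2), "type": "payee_added", "payee": "J. Smith", "balance": 48000.00},
    {"date": date(2010, 3, 3), "type": "transfer", "payee": "J. Smith", "amount": 1.00, "balance": 47999.00},
    {"date": date(2010, 3, 6), "type": "transfer", "payee": "J. Smith", "amount": 9800.00, "balance": 38199.00},
    {"date": date(2010, 3, 7), "type": "transfer", "payee": "J. Smith", "amount": 35000.00, "balance": 3199.00},
]

def monitor(events, known_payees):
    """Return (date, rule, detail) alerts for the events, oldest first."""
    alerts = []
    known = set(known_payees)
    test_txns = {}  # payee -> date of the most recent tiny transfer
    for e in sorted(events, key=lambda x: x["date"]):
        if e["type"] == "security_change":
            alerts.append((e["date"], "security_change", e["detail"]))
        elif e["type"] == "payee_added":
            alerts.append((e["date"], "new_payee", e["payee"]))
            known.add(e["payee"])
        elif e["type"] == "transfer":
            payee, amt = e["payee"], e["amount"]
            if payee not in known:
                alerts.append((e["date"], "unknown_payee", payee))
            if amt <= TEST_TXN_MAX:
                test_txns[payee] = e["date"]
            elif payee in test_txns and e["date"] - test_txns[payee] <= timedelta(days=TEST_WINDOW_DAYS):
                # every large transfer inside the window after a tiny one is flagged
                alerts.append((e["date"], "test_then_large", f"{payee} {amt:.2f}"))
        if e["balance"] < LOW_BALANCE_THRESHOLD:
            alerts.append((e["date"], "low_balance", f"{e['balance']:.2f}"))
    return alerts
```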

Online banking is convenient, but you must be vigilant and implement the recommendations above to stay secure and protect your business.

Information Security – Who Needs It? Financial/Escrow Firms Do!

Village View Escrow Inc learned the hard way that online banking is not an activity a business should take lightly. Poor email discipline led to the company's systems being compromised and sensitive online banking credentials being stolen. The thieves then used their network to wire the money across the world, causing significant financial loss to the company.

Of particular note, the bank was no friend to the business and also failed in several critical controls, including:

1. Not following up on suspicious account security changes.

2. Allowing suspicious international wire transfers without validating with the business.

3. Allowing excessive irregular financial transactions to occur.

An important thing to note is that the bank is not assuming any of the responsibility for the loss, so it is up to you to protect your business if you choose to partake in online banking. Trusting that the bank will protect you can put you out of business!

Company Exposure: Catastrophic financial loss of nearly half a million dollars that threatens the survival of the company.

Lessons Learned & Possible Preventive Measures:

1. Online banking for small/mid size businesses is a risky proposition and should not be engaged in without risk mitigation steps. And don't count on your bank to be your advocate, even though it should be on your side.

2. Practice safe email usage and only open expected documents from known individuals. Scan attachments before opening them on your machine for additional protection.

3. Certain online banking controls that could have helped mitigate the risk include:

  • Use of a dedicated PC for online banking that does this and nothing else (no email, no surfing, ever).
  • Get written confirmation that only certain customers should be receiving payments, and require verbal approval by phone for any international wire.
  • Configure bank balance and security change notices to go to a mobile device, which gives you an additional safeguard if your other systems have been compromised.

Look for additional protection mechanisms in our upcoming online banking security guide.