Tag Archives: Online Bank Security

FBI advisory for Businesses – Online Banking Accounts at risk

Online banking security risks have received more attention from me than any other information security topic, and rightfully so. Few other business risks can put a company out of business as quickly: the fraudulent theft of an entire bank account can force closure if invoices and payroll cannot be paid. After analyzing a number of recent frauds, the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing the typical fraud methods and ways to protect your business from becoming a victim.

The fraud advisory begins by noting that cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, and that the result has been significant disruption and often unrecoverable losses (as we have mentioned previously here, since current regulations do not adequately protect business accounts). Several examples are provided that closely resemble cases we have previously highlighted. The highlighted method of compromise is a targeted phishing email that either carries an infected attachment or contains a link which, when clicked, sends the victim to a malicious site that compromises their machine. Once the machine is compromised, keylogging software is installed to record keystrokes, and the online banking credentials are captured the next time the victim logs into their account from that machine. The thieves then strike at an opportune time and drain the accounts, often in increments of $10,000 or less to avoid suspicion.

What does the FBI Advisory recommend to avoid becoming a victim?

1. Educate your users not to respond to unsolicited emails and never to open the attachments or click the links in them. If a message appears to come from a financial institution or government agency and you believe it is legitimate, contact that institution directly through a channel you already know, rather than using the suspicious files or links.

2. Secure your computers and networks.

3. Enhance the security of your business banking processes. The FBI recommends dual control, where one person creates a payment and a second person authorizes its release, from a separate computer. This segregation of duties is a good protection that also mitigates traditional, non-cyber fraud, but be warned that multiple accounts at a given company are often targeted, so it is not a foolproof control (it is still a useful additional layer). The FBI also recommends SMS text or direct phone notifications of payments, which can help detect a fraud early in the process and limit the damage.

4. Monitor accounts daily. The sooner you detect a problem, the sooner you can work on correcting it and recovering your losses.

5. Pay attention to any warning signs that a machine may be compromised, including antivirus warnings, pop-up alerts, sluggish response, or a machine that will not shut down or restart properly.

6. Understand your responsibilities and liabilities. This recommendation matters because many businesses have a false sense of security and believe that the consumer protections that apply to personal banking also apply to their business accounts. They generally do not (in the US, Regulation E covers consumer accounts, while commercial accounts fall under UCC Article 4A, which leaves far more of the loss with the account holder), so find out now and make an informed decision about whether the benefits of online banking are worth the risks it entails.
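The dual control recommended in item 3 can be enforced in software as well as by policy. The following is an added example, not from the FBI advisory or the original post, of a minimal payment queue that refuses to release a payment unless a second, authorized user approves it from a different device than the one it was created on. The user names, device identifiers, roles and the hypothetical `PaymentQueue` API are assumptions for illustration.

```python
"""Dual control (segregation of duties) for outgoing payments.

Added example: user names, device identifiers and the PaymentQueue API are
assumptions for illustration, not a real bank's interface.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set
import itertools


class DualControlError(Exception):
    """Raised when a release would violate the dual-control policy."""


@dataclass
class Payment:
    payee: str
    amount: float
    created_by: str
    created_on: str                     # device (or session) the payment was entered from
    released_by: Optional[str] = None
    released_on: Optional[str] = None

    @property
    def released(self) -> bool:
        return self.released_by is not None


class PaymentQueue:
    def __init__(self, roles: Dict[str, Set[str]]):
        # roles maps a user to the actions they may perform: "create", "release"
        self.roles = roles
        self.payments: Dict[int, Payment] = {}
        self._ids = itertools.count(1)

    def create(self, user: str, device: str, payee: str, amount: float) -> int:
        if "create" not in self.roles.get(user, set()):
            raise DualControlError(f"{user} may not create payments")
        if amount <= 0:
            raise ValueError("amount must be positive")
        pid = next(self._ids)
        self.payments[pid] = Payment(payee, amount, created_by=user, created_on=device)
        return pid

    def release(self, pid: int, user: str, device: str) -> Payment:
        p = self.payments[pid]
        if p.released:
            raise DualControlError(f"payment {pid} already released")
        if "release" not in self.roles.get(user, set()):
            raise DualControlError(f"{user} may not release payments")
        # The two halves of the control: a different person ...
        if user == p.created_by:
            raise DualControlError("creator cannot release their own payment")
        # ... working from a different computer, so one compromised machine
        # (or one stolen credential) cannot perform both steps.
        if device == p.created_on:
            raise DualControlError("release must come from a separate device")
        p.released_by, p.released_on = user, device
        return p


def demo() -> Dict[str, str]:
    """Run the scenarios a practitioner would test; returns the outcome of each."""
    q = PaymentQueue({
        "alice": {"create"},
        "bob": {"release"},
        "carol": {"create", "release"},
    })
    out = {}
    pid = q.create("alice", "laptop-1", "Acme Office Supply", 1250.00)

    for name, user, device in [
        ("same_user", "alice", "laptop-2"),     # creator tries to approve her own payment
        ("same_device", "bob", "laptop-1"),     # second person, but from the same machine
        ("no_role", "dave", "laptop-3"),        # unknown user
        ("ok", "bob", "laptop-2"),              # different person, different device
        ("double_release", "carol", "laptop-3"),  # already released
    ]:
        try:
            q.release(pid, user, device)
            out[name] = "released"
        except DualControlError as e:
            out[name] = f"refused: {e}"
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:15s} {result}")
```

The device check is what turns "two people" into "two systems": if both approvals can be typed on the one keylogged PC, the thief who owns that PC simply waits to capture both sets of credentials.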

Online Banking Security Tips

Another day, another report of a major online banking security incident. At this point you have to ask yourself whether your business can bank online securely or whether it is best avoided altogether. The FDIC offers some limited online banking guidance, which primarily deals with not doing business with fake banks and how to verify that your bank is FDIC insured. While these measures are important, they are not sufficient to ensure that your online banking is done securely.

Step 1 – Decide whether the benefits of online banking are greater than your potential exposure to loss from fraud. For individuals this is an easier decision, as you have more legal protection; a business should fully evaluate the risks and implement the controls recommended below before banking online.

Step 2 – Ensure the computer(s) you will bank from are regularly patched (both the operating system and the applications on it), run up-to-date antivirus software, and have a personal firewall installed. I will cover these items in more depth with recommended options in a future article, but if you are using an all-in-one suite like McAfee or Norton you are on the right track.

Step 3 – Strongly consider dedicating a single machine to online banking and nothing else: no web browsing, no email, etc. The most common method of compromise is malware picked up while browsing or from infected email attachments, so keeping those activities off the banking machine greatly reduces your risk. That said, you must be consistent and do this 100% of the time for it to be effective.

Step 4 – Never perform online banking transactions on a shared PC or on a network you do not control. A shared PC or an unfamiliar network could be capturing your online banking credentials and lead to the compromise of your accounts.

Step 5 – Practice good password management with your online banking credentials: a long password that is unique to the bank and not reused on any other site.

Step 6 – Set up automated account monitoring that alerts you to key changes to your account, such as security setting changes, the addition of a new payee, and the balance dropping below a threshold you choose. I recommend having these alerts sent to your mobile phone, as that offers some additional protection over an email account, which an attacker who controls the banking machine may also be able to read.

Step 7 – Not many banks have implemented stronger authentication to replace static passwords (such as hardware tokens that generate a new one-time code every minute), but if you are considering different banks I would lean towards one with stronger security measures over those that offer only static passwords.

Step 8 – Check your online bank balances once or twice a week to ensure nothing suspicious has occurred. If you detect an issue, report it to your bank promptly and document all the follow-up you perform (keep detailed records of dates and the individuals you spoke with) to help minimize your chances of financial loss. In addition, no discrepancy is too small to follow up on: thieves often start with a small test transaction to set the stage for a bigger heist later.
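Steps 6 and 8 come down to the same thing: comparing each day's activity against what you expect and reacting to small anomalies. Most banks offer alerts of this kind, but a business can also run the check itself over a daily transaction export. The following is an added example, not from the original post or any bank's software, of that reconciliation: it flags payments to payees not on an approved list, a small test payment followed by a larger one to the same new payee, transfers sized just under $10,000, the balance dropping below a threshold, and security-setting changes. The transaction records, payee names, thresholds and field layout are all constructed assumptions for illustration.

```python
"""Daily reconciliation of a business account export against an alert policy.

Added example: the ledger, payee names, thresholds and field names below are
constructed for illustration and are not any bank's export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Policy thresholds (assumptions; tune them to your own business)
LOW_BALANCE = 25_000.00      # alert once when the running balance drops below this
PROBE_MAX = 50.00            # a first payment this small to a new payee looks like a credential test
REPORTING_LIMIT = 10_000.00  # the advisory notes thieves keep transfers at or under this figure
NEAR_LIMIT = 0.90            # flag transfers in the top 10% below the limit

Alert = Tuple[str, str, str, float]   # (kind, day, payee or description, amount)


@dataclass(frozen=True)
class Txn:
    day: date
    payee: str
    amount: float   # money leaving the account
    channel: str    # "ach", "wire", "check", ...


def monitor(txns: Iterable[Txn], known_payees: Iterable[str], opening_balance: float,
            settings_changes: Iterable[Tuple[str, str]] = ()) -> Tuple[List[Alert], float]:
    """Return (alerts, closing_balance) for one export.

    Alerts are plain tuples so they can be logged, emailed or texted as-is.
    """
    alerts: List[Alert] = []
    balance = opening_balance
    low_reported = False
    seen = set(known_payees)
    first_amount: Dict[str, float] = {}   # new payee -> size of the first payment sent to it

    for t in sorted(txns, key=lambda t: t.day):
        balance -= t.amount
        day = t.day.isoformat()

        if t.payee not in seen:
            seen.add(t.payee)
            first_amount[t.payee] = t.amount
            alerts.append(("new_payee", day, t.payee, t.amount))
        elif t.payee in first_amount and first_amount[t.payee] <= PROBE_MAX and t.amount > PROBE_MAX:
            # Small test transfer, then a real one to the same new payee
            alerts.append(("test_then_drain", day, t.payee, t.amount))
            del first_amount[t.payee]   # report the pattern once per payee

        if REPORTING_LIMIT * NEAR_LIMIT <= t.amount <= REPORTING_LIMIT:
            alerts.append(("under_limit", day, t.payee, t.amount))

        if balance < LOW_BALANCE and not low_reported:
            low_reported = True
            alerts.append(("low_balance", day, t.payee, round(balance, 2)))

    for change_day, description in settings_changes:
        alerts.append(("settings_change", change_day, description, 0.0))

    return alerts, round(balance, 2)


def sample_run() -> Tuple[List[Alert], float]:
    """Constructed week of activity showing the patterns the post warns about."""
    known = {"Acme Office Supply", "Payroll Provider LLC"}
    ledger = [
        Txn(date(2024, 3, 1), "Acme Office Supply", 1250.00, "ach"),
        Txn(date(2024, 3, 2), "J. Doe", 12.37, "ach"),        # probe to a brand-new payee
        Txn(date(2024, 3, 4), "J. Doe", 9800.00, "wire"),     # the real theft, just under $10k
        Txn(date(2024, 3, 4), "R. Roe", 9750.00, "wire"),     # second mule, same sizing
        Txn(date(2024, 3, 5), "Payroll Provider LLC", 18000.00, "ach"),
    ]
    changes = [("2024-03-02", "alert email address changed")]
    return monitor(ledger, known, opening_balance=60000.00, settings_changes=changes)


if __name__ == "__main__":
    alerts, closing = sample_run()
    for a in alerts:
        print(a)
    print("closing balance", closing)
```

Run against the constructed ledger this produces seven alerts: the new payee on the 2nd, the test-then-drain pattern and the just-under-limit size on the 4th for both mule accounts, the low-balance crossing on the 5th, and the changed alert address, which on its own would be worth a phone call to the bank since it is how a thief silences the very notifications this step relies on.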

Online banking is convenient, but you must be vigilant and implement the recommendations above to stay secure and protect your business.