Tag Archives: Online Banking Security

FBI advisory for Businesses – Online Banking Accounts at risk

Online banking security related risks have received more attention from me then any other information security topic and rightfully so! Not many other business related risks can quickly put a company out of business, but the fraudulent theft of an entire bank account could force closure if invoices and payroll can not be paid. After analyzing a lot of recent frauds the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing typical fraud methods and ways to protect your business from becoming a victim.

The fraud advisory begins by mentioning that cyber criminals are targeting financial accounts of owners and employees of small and medium sized businesses and that the result has been significant disruption and often unrecoverable lost funds (as we have mentioned previously here since regulations do not adequately protect businesses right now). Several examples are also provided very similar to other cases we have previously highlighted. The highlighted method of compromise is targeted phishing emails that either have an infected attachment or link the victim’s click that sends them to a malicious site that compromises their machine. Once their machine is compromised key logging software is installed to record keystrokes and online banking credentials are obtained when the victim logs into their account on the compromised machine. The cyber thieves then strike at an opportune time to drain the accounts of their contents often in increments of $10,000 or less to avoid suspicion.

What does the FBI Advisory recommend to avoid becoming a victim?

1. Educate your users to not respond to unsolicited emails and to never open up documents or click on links. If it appears to come from a financial institution or government agency and you feel it is legitimate engage that institution directly and avoid the suspicious files or links.

2. Secure Your computers and networks

3. Enhance the security of your business banking processes. The FBI recommends dual control where it requires one person to authorize a payment creation and another to authorize the release of the payment from a separate system. This is a good protection to segregate the duties and also helps to mitigate typical non cyber fraud but you should be warned that often times multiple accounts at a given company are targeted so it is not a full proof control (but a useful additional security step). The FBI also recommends SMS text payment notifications or direct phone notifications which can help detect a fraud early in the process and limit the damage.

4. Monitor accounts daily – The sooner you detect a problem the sooner you can work on correcting it and recovering your losses.

5. Pay attention to any warning signs that your machine may be compromised including anti virus system warnings, pop up alerts, sluggish response, or if you can not shutdown or restart properly.

6. Understand your responsibilities and liabilities – This recommendation is useful because many businesses have a false sense of security and believe that personal banking laws also apply to their business. They often do not so find out now so you can make an informed decision if the risks of online banking are worth the risks that it entails.

Online Banking Security – Another Town Bites the Dust

Just in case you thought I might have been crying wolf over the risks of online banking and the need to implement online banking security measures here is another report that proves the risks are very real. Another New Jersey city has become a victim of online banking fraud because they failed to implement adequate information security measures. The city feels confident they will recover most of the $400,000 that was lost but if I was a taxpayer in that area I would be very concerned about the lax information security practices that put the funds at risk to begin with.

The article linked above from Brian Krebs is a great read because it shows fascinating detail into the other end of the criminal process, how do the criminals get the money out without getting caught? Cyber thieves are utilizing social networking, job boards and a high unemployment rate to their benefit to recruit “money mules” that help move the money around quickly and minimize the likelihood of them getting caught. This is a good example of how the scam works and shows you what kind of thieves you are up against.

Remember online banking is convenient but a lot can go wrong if you are not taking information security seriously. Just as Brigantine, New Jersey could not rely on their bank to stop unauthorized transactions neither can you. The security of your financial health is reliant on you so get started today.

Online Banking phishing scam – Information Security Awareness

I received this online banking phishing scam in my email account today so it provides a good example of what you need to be on the lookout for. This one was not ideally targeted for me since I do not bank at HSBC but no matter these type of scams impersonate all types of banks and online financial service accounts. If this had been from your bank what would you have done? If you clicked on it you would have likely been asked to provide your login and password information or your machine would have been infected with malware and in either scenario your account would be at extreme risk.

Here are some tips on dealing with phishing emails from banks or other financial companies requesting you to click on them:

1. Legitimate companies will not email you requesting you to take immediate action or threaten immediate suspension of your account. That is a threat that real businesses will not make so you should take that as a warning sign that this is a scam.

2. If you point your cursor over the intended link (but don’t click on it) you’ll notice it is often not the actual company it is pretending to be. I say often because there are techniques that will make it appear as such so do not use this as a fool proof measure.

3. If you do need to check on your account status never do it via an email link but instead do it from a saved link to the site that you know to be legitimate. In the example above that means having your own link to your HSBC account and not clicking on the link bait provided.

4. Always be skeptical of unsolicited emails and treat them as untrusted and revert to step 3 above for accessing sensitive accounts.

Don’t fall for the bait avoid phishing scams and keep your online accounts secure!

Online Banking Security Tips

Another day and another report of a big online banking information security incident. At this point you have to be asking yourself if your business can securely online bank or if it is best avoided altogether. The FDIC offers some limited online banking guidance that primarily deals with not doing business with fake banks and how to validate if your bank is FDIC insured. While these measures are important they are not sufficient to ensure that your online banking is done in a secure manner.

Step 1 – Decide if the benefits of online banking are greater then your potential exposure from loss due to fraud. For individuals this is an easier decision as you have more protection but a business should fully evaluate the risks and implement controls recommended below prior to online banking.

Step 2 – Ensure the computer(s) that you will be online banking with are regularly patched (both operating systems and other general applications), utilize up to date anti virus control, and have a personal firewall installed. I will cover all of these items in more depth with recommended options in a future article but if you are using an all in one suite like Mcafee or Norton  you are on the right track.

Step 3 – Strongly consider dedicating a single machine used only for online banking. That means no internet surfing, no email usage etc… The most common method of compromise is via malware from internet surfing or infected email attachments so avoiding these activities via a dedicated machine greatly reduces your risk. That being said you must be consistent and do this 100% of the time for it to be effective.

Step 4- Never perform online banking transactions on a shared PC or on a network that you do not own. Shared PCs or strange networks could be capturing your online banking credentials and could lead to the compromise of your accounts.

Step 5 – Practice good password management practices with your online banking credentials.

Step 6 – Implement automated account monitoring that will automatically alert you of key changes to your account such as security setting changes, adding of a new payee, as well as low balance alerts set on your desired threshold. I recommend getting these alerts sent to your mobile phone as this will offer some additional protection vs. being sent to a traditional email account.

Step 7 – Not many banks have implemented advanced controls to replace passwords (such as password tokens that change every minute) but if you are considering different banks I would lean towards one with greater security measures vs. those that only offer static passwords.

Step 8 – Check your online bank balances once or twice a week to ensure that nothing suspicious has occurred and if you do detect an issue promptly report it to your bank and document all the follow-up you have performed to help minimize your chances of financial loss (keep detailed records of dates and individuals you have talked to). In addition, no amount of error is too small to follow up on as thieves often start with a small test transaction to set the stages for a bigger heist later.

Online banking is convenient but you must be vigilant and implement the recommendations above to stay secure and protect your business.

Information Security – Top 10 Items your Business Needs to Do Now

1. Protect your laptops, desktops, and servers

Your companies laptops, desktops, and servers are likely critical for most of your major business processes from customer management to invoicing, accounting, and payroll. If your systems are not available for use you can not perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure and it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply, keeping your systems secure helps keep your business secure.

2. Separate your network from the Internet

Your network is your businesses pathway to the Internet and interactions with customers, suppliers and other business partners. Your network also enables those seeking to do harm potential access to your company’s systems so it is important to follow good network security practices to prevent unwanted access to your systems. Keeping the bad guys out while allowing needed business activities to happen is the name of the game.

3. Online Banking Security

Online banking is convenient and can be a real productivity enhancer for individuals and businesses alike. It is also filled with perils especially for businesses that are not afforded the same liability limits that individuals enjoy. If something goes wrong with your online banking does the bank really have your best interests at heart?

4. Backup your critical data

Most of the protection areas discussed focus on insiders or outsiders intent on causing trouble but sometimes equipment just fails. Are you prepared if you suffer hard drives failures on critical systems or would you lose critical data that could potentially put you out of business? Back it up and get the peace of mind that you can recover if your hardware has an issue. Systems are easily replaceable but the data often is not.

5. Follow good password practices

Unless you have implemented more advanced controls passwords are likely your primary method for controlling access to various accounts and sensitive data. Despite years of repeated attempts to educate end-users about what makes a good password many people still make easily avoidable errors. Don’t be one of them, follow good password practices and you will come out ahead.

6. Educate your employees about information security

A company may spend a significant portion of its revenue on information security but if it’s end-users have not been properly educated all of that can be easily defeated by a crafty intruder. Fake emails, known as phishing, have greatly improved in quality and can often fool even observant employees. What will your employees do when they receive and email they think is coming from you but is sent from a suspicious email address?

7. Physical security

An information security protection program is only as good as the physical security in place protecting the assets. If someone can steal the device or gain unauthorized physical access to it all other protection measures can be of little value.

8. Secure your wireless networks

Everyone is using wireless these days it is convenient and helps facilitate business. It is also very insecure right out of the box so it is important to implement best practice security solutions to ensure your networks are safe.

9. Encrypt sensitive files

Passwords are a first line of defense but often times they alone are not adequate to truly secure sensitive data such as employee records, customer lists, and credit cards. Loss of this data can subject a company to legal fines and embarrassing customer notification expenses so it is important to take additional measures to protect this data and you’re your business stakeholders comfort that you are doing the right thing to protect their sensitive data.

10. Securely remove data off of old devices

When you get rid of old computers, servers, network devices, and printers your job is not yet done. These devices will walk out the door with sensitive company information on them if you do not put in place proper measures to cleanse them prior to removing them.

Remember keep an eye out for our detailed implementation advice for each of these top 10 items coming soon!