July 2012 IT Business Consulting Newsletter

Protect Your Company Bank Accounts

By Tom K

There is no doubt among the experts that Fraud Attacks on Corporate Bank accounts will increase. Small and Medium Businesses (SMBs) are being specifically targeted, as they are considered unsophisticated and relatively unprotected. Industry watchdogs estimate SMB Fraud Losses at more than $2,000,000,000 last year.

Many don’t realize that the protections provided to personal bank accounts usually don’t apply to business accounts. Banks have no legal obligation to reimburse businesses for attacks (federal regulations do not cover commercial accounts), so most banks will not take responsibility for unauthorized debits from business accounts.

In this month’s newsletter I review the primary means used to fraudulently access your accounts, and provide best practices you can, and should, employ to mitigate these attacks. I also review programs and processes many financial institutions have available to help you protect your assets.

Why the Threat

Internet banking has become huge, both for personal banking and for corporate banking. Anyone can easily move money between accounts and across borders with the click of a mouse. Wire transfers and Automated Clearing House (ACH) transactions have become a way of life in all business communities. ACH transfers run in the “tens of Trillions of dollars” annually. With numbers this large, even a very small percentage is a LOT of money. And when a lot of money is involved and people (individuals and SMBs) are not properly protected, the bad guys definitely take notice.

How Fraud Starts: Access to Your Accounts

The bad guys have to access your accounts to get your money. To access your accounts, they need your account information and your access credentials. There are two primary means used to get this information: Social Engineering and Malware.

Social Engineering is essentially a con devised to get you to give up this information. Many of these cons today are very well done, and very successful. We’ve come a long way from the email from the deposed Nigerian dictator’s uncle who will give us millions of dollars for a mere $5K!

The most common is called Phishing, where you are directed to a very real looking web site (usually via an email or another site) that convinces you that you should provide them with personal information.

Variants of Phishing abound, all with cute names, and all designed to get you to give up your personal information. These include text messages (SMishing), phone calls (Vishing), and messages from within Social Media sites such as FaceBook and Twitter.

I’ll discuss Phishing and the derivatives in detail in next month’s newsletter.

You may think you are better than the con artists, but they are very good and, since so much money is at stake, they are very well financed. I am VERY good, but I missed one out of ten in the last Phishing quiz I took (I’ll have links to a few quizzes in next month’s article). The next section of this article provides solutions that relieve the threat of Phishing.

Malware comes in many flavors: viruses, trojans, key loggers, etc. You can get it in any of a number of ways: email attachments, FaceBook links, pop-ups, shareware, freeware, drive-by downloads, etc. The intent is to place a piece of software on your PC that will either send your information to the bad guys, or allow the bad guys to take control of your PC. No matter which anti-virus software you use or how good it is, there is always a slight possibility that something may slip through. The next section also provides solutions that relieve the threat of Malware.

Data interception has also been used in the past to grab data as it flows across the Internet, but since all valuable information these days is (or certainly should be) transferred via secure encrypted sessions (HTTPS or SSL), these attacks have diminished dramatically.

What You Need To Do – Best Practices

Your single best defense is a dedicated PC which is used ONLY for on-line banking and ACH transfers. Some experts suggest that this PC be isolated from your network, but others (including me) believe it is best to keep the PC in your domain so it can receive the benefits of domain management (corporate anti-virus, centralized updates, centralized monitoring, group policy rule enforcement – see links to details at end of this article).

We keep the banking PC very clean... we don’t install Outlook, we don’t install any applications not essential to the on-line banking process, we don’t map drives to data shares, we only install one browser (Internet Explorer), we set the inactivity timer to lock the PC within a few minutes and require a password to resume, and we never use a wireless connection.

We lock down this dedicated PC so that only those users who are authorized to participate in the on-line banking process can log on to the PC. These trusted users understand that the PC is special, and are advised of the critical rules associated with the use of this PC:

  • No email
  • No browsing – access only the specific banking sites set up as Favorites
  • No social network sites
  • No software downloads
  • Log off your session, close your browser, and log off your PC as soon as you are finished
  • Never use “remember my password”

While most of these rules should be in effect for all users on all of your PCs (and should be detailed within your company’s IT Use and Abuse Policy), their enforcement needs to be absolute on the banking PC.
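The configuration rules above can be checked rather than trusted. The following is an added example (a hypothetical audit script, not part of the original newsletter) that reports where a dedicated banking PC deviates from them; it assumes Windows 8/Server 2012 or later with PowerShell 5.1, that it is run elevated on the banking PC itself, and that the list of non-essential software to flag is your own.

```powershell
# Audit a dedicated on-line banking PC against the hardening rules in this article.
# Hypothetical script written for this newsletter; run elevated on the banking PC.
$findings = @()

# 1. Inactivity lock: screen saver on, password required to resume, timeout of a few minutes.
$desk    = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $findings += 'Screen saver lock is not enabled or does not require a password'
}
if ($timeout -eq 0 -or $timeout -gt 300) {
    $findings += "Inactivity timeout is ${timeout}s (expected 1-300s)"
}

# 2. No mapped drives to data shares.
$maps = Get-SmbMapping -ErrorAction SilentlyContinue
if ($maps) { $findings += "Mapped drives present: $($maps.RemotePath -join ', ')" }

# 3. No wireless connection: flag any 802.11 adapter that is up.
$wifi = Get-NetAdapter | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -eq 'Up' }
if ($wifi) { $findings += "Active wireless adapter(s): $($wifi.Name -join ', ')" }

# 4. Only one browser and no Outlook or other non-essential software.
#    The name patterns below are a constructed starting list; extend it for your environment.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps   = Get-ItemProperty $uninst -ErrorAction SilentlyContinue | Where-Object DisplayName
$banned = $apps | Where-Object { $_.DisplayName -match 'Outlook|Chrome|Firefox|Skype|Dropbox|iTunes' }
foreach ($a in $banned) { $findings += "Non-essential software installed: $($a.DisplayName)" }

# 5. Only authorized users may log on: export local security policy and inspect
#    'Allow log on locally'. The built-in Users group (S-1-5-32-545) should not be there.
$cfg = Join-Path $env:TEMP 'banking-secpol.cfg'
secedit /export /cfg $cfg | Out-Null
$right = (Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight').Line
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
if ($right -match '\*S-1-5-32-545') {
    $findings += "'Allow log on locally' still grants the Users group: $right"
}

# Report: one FAIL line per deviation, or a single PASS.
if ($findings) { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
else           { Write-Output 'PASS: banking PC matches the hardening rules' }
```

Any FAIL line is a rule from the list above that is no longer enforced; treat it the same way you would a suspicious transaction and escalate before the PC is used for banking again.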

Along with a dedicated banking PC, the following practices will greatly reduce your likelihood of becoming a victim:

  • Limit number of staff having access to accounts and on-line banking PC
  • Teach your staff to NEVER give out access credentials – IDs, passwords, tokens, etc.
  • Set transaction limits with your bank, both per transaction and per day
  • Monitor and reconcile account balances EVERY day
  • Immediately escalate any suspicious transactions/activity to your financial institution

A final consideration is to purchase Fraud insurance. Ensure you have specific riders for cyber crime and fraudulent bank transfers.

What Banks Can Offer to Reduce Fraud

Most large financial institutions recognize the threats and have set up systems to help protect their customers. Many have monitoring and pattern-recognition systems in place to look for unusual transaction activity. Unfortunately, we’ve found that the smaller local and regional banks don’t always provide all the security advantages of the “commercial” banks. Check to see if your bank does.

If your on-line banking processes don’t already incorporate these security procedures, check with your bank to see if they are available:

  • ACH and Wire Transfer “Dual Control” or “Dual Custody” – requires a transaction initiator and a separate transaction authorizer
  • Multifactor Authentication – requires multiple means to verify a transaction (email, verbal, text)
  • Secondary Authentication – requires two pieces of info, essentially two passwords or verifiers, often a password and a physical token
  • Secure Tokens or Secure ID card
  • IP Address Restrictions – your company's on-line banking sessions must originate from a specific IP address (your office)

Critical Standard Security Practices (that should be) Already In Place

Every reference I reviewed while researching this article included some or all of these Standard Security Practices as being key to your defense against fraud, many of which I mentioned in the course of this article. I consider them to be core to your overall defenses, and have already discussed most of them in depth in previous articles. You have, therefore, included all of these into your company’s security and operational practices, right?!?

If not, the topics and links to the articles are:

Deploy a Firewall at every point where your networks connect to the Internet

Use Secure Passwords - see "Secure Passwords - You need to get this right!"

Centrally managed Corporate Anti Virus Protection - see "Protect Your Company from Viruses and Malware with Enterprise Anti Virus Systems"

Centrally managed Windows Updates - see "Centrally Manage Microsoft Updates Across Your Enterprise"

Centrally managed Corporate Spam Protection - see "Got Spam? Eradicate Spam and Email Viruses BEFORE they get to Your Environment!"

Centrally manage your PC Policies and User Policies - see "Use Group Policy to Centrally Tune YOUR Business Computing Environment"

Company IT Use and Abuse Policy - see "Employee IT Use & Abuse Policy - Retain Control, Reduce Liability"

Employee Exit Procedures (remove access to systems) - see "Departing Employee? How to Process them Gracefully and Securely"

Have staff lock their PCs when they leave their desks - see "Protect your Company’s Data and Reputation... Lock Your PC!"

If you provide public WiFi, isolate it from your business network - see "Securely Implement a Public Wireless Hot Spot"

If you have any questions or comments concerning this article, or would like assistance safeguarding your company’s bank accounts or refining your security procedures and policies, I’d be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.

Many thanks to Claire Reiswerg of Sand 'N Sea Properties, www.SandNSea.com, Galveston, TX for her insistence that I write this article, and her exceptional assistance with the research!

As mentioned, next month I’ll present an in-depth discussion of Phishing and its cousins... what they are, and how to avoid being that big Phish! See "Don't Be the Big Phish"