3rd Federal Bank - GO GREEN!

Best Online Banking Practices for Businesses

by Kevin Roddy, First Vice President, Information Technology

Business banking has benefited in the last 10 years from technological innovation. Without ever leaving their desks, business owners can deposit checks into their accounts, move money between accounts within a financial institution, move money between accounts at different financial institutions and pay their employees. With each new innovation, the banking industry introduces new security measures to ensure that this increased access and convenience is achieved in a secure manner. But of all the aspects of security with which banks concern themselves, customer education is the most important.

There are two recent, disturbing trends that make the timing of customer education relevant. One is that cybercrime is increasing, and the other is that small businesses are increasingly the target of these attacks.

One thing businesses can do to protect themselves is to provide information to their staff members on a “need-to-know” basis. The recent disclosure of classified U.S. government documents through the WikiLeaks website illustrates the importance of restricting staff members' access to sensitive information. The following is a list of additional best practices businesses can follow to protect themselves while banking online:

Monitor and reconcile all banking transactions on a daily basis.
The sooner fraud is discovered, the better the chance of minimizing the loss associated with that fraud. Monitoring and reconciling banking transactions on a daily basis enables a business to detect fraud more quickly.
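A daily reconciliation can be as simple as comparing the business's own ledger with the bank's activity export and reviewing whatever the ledger cannot explain. The following is an added example, not part of the original article; the record layout `(date, kind, payee, amount_cents)` and all sample data are constructed for illustration.

```python
from collections import Counter

# The article rates ACH and wire payments as the highest-risk transactions.
HIGH_RISK_KINDS = {"ACH", "WIRE"}


def reconcile(ledger, bank):
    """Compare the internal ledger with the bank's activity export.

    Records are (date, kind, payee, amount_cents) tuples. Counting
    instead of using sets means a payment posted twice is reported
    once as unexplained rather than silently matched.
    """
    ledger_counts = Counter(ledger)
    bank_counts = Counter(bank)
    unexplained = sorted((bank_counts - ledger_counts).elements())
    not_posted = sorted((ledger_counts - bank_counts).elements())
    return unexplained, not_posted


def review_order(unexplained):
    """Put unexplained ACH/wire items first, largest amount first."""
    return sorted(unexplained,
                  key=lambda r: (r[1] not in HIGH_RISK_KINDS, -r[3]))


# Constructed sample data for one business day.
LEDGER = [
    ("2024-03-04", "ACH", "Payroll Provider", 1840000),
    ("2024-03-04", "CHECK", "Office Supply Co", 23150),
    ("2024-03-04", "WIRE", "Parts Supplier", 760000),
    ("2024-03-04", "ACH", "Utility Co", 41200),
]
BANK = [
    ("2024-03-04", "ACH", "Payroll Provider", 1840000),
    ("2024-03-04", "CHECK", "Office Supply Co", 23150),
    ("2024-03-04", "WIRE", "Parts Supplier", 760000),
    ("2024-03-04", "WIRE", "Unknown Beneficiary", 990000),  # never initiated
    ("2024-03-04", "ACH", "Payroll Provider", 1840000),     # posted twice
    ("2024-03-04", "CHECK", "Unknown Payee", 5000),
]

if __name__ == "__main__":
    unexplained, not_posted = reconcile(LEDGER, BANK)
    for record in review_order(unexplained):
        print("REVIEW:", record)
    for record in not_posted:
        print("NOT YET POSTED:", record)
```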

Initiate Automated Clearing House (ACH) and Wire Payments under dual control with a transaction initiator and a separate transaction authorizer.
ACH and Wire Payments have the highest risk of any online banking transaction. Dual control is the best way to mitigate the risk associated with these transactions. Dual control simply requires that an ACH or Wire Payment is originated or initiated by one staff member and approved or authorized by a second and separate staff member in the business.

Implement a multichannel verification process for ACH and Wire Payments.
Multichannel verification requires that a customer confirm an ACH or Wire Payment request through an additional channel other than the online banking channel. If a malicious user steals the online credentials associated with a business and initiates a fraudulent ACH or Wire Payment, he or she may not know that the request must be accompanied by a fax, phone call or e-mail verification. Without that second verification, the financial institution would decline to process the transaction.
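The sketch below models dual control and multichannel verification together as a payment release gate. It is an added example, not part of the original article and not any bank's actual system; the class, method and channel names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Confirmation channels the article lists, all outside online banking.
OUT_OF_BAND_CHANNELS = {"fax", "phone", "email"}


class ControlViolation(Exception):
    """Raised when a step would bypass dual control or verification."""


@dataclass
class PaymentRequest:
    kind: str                      # "ACH" or "WIRE"
    amount_cents: int
    payee: str
    initiator: str                 # an individual username, not a shared login
    authorizer: Optional[str] = None
    confirmed_via: Optional[str] = None
    audit: list = field(default_factory=list)

    def authorize(self, username: str) -> None:
        # Dual control: the approver must be a different staff member.
        if username.strip().lower() == self.initiator.strip().lower():
            self.audit.append(("authorize-denied", username))
            raise ControlViolation("initiator cannot authorize own payment")
        self.authorizer = username
        self.audit.append(("authorized", username))

    def confirm(self, channel: str) -> None:
        # Multichannel verification: confirmation must not arrive through
        # the same online banking session that created the request.
        if channel.lower() not in OUT_OF_BAND_CHANNELS:
            self.audit.append(("confirm-denied", channel))
            raise ControlViolation(f"{channel!r} is not an out-of-band channel")
        self.confirmed_via = channel.lower()
        self.audit.append(("confirmed", channel.lower()))

    def releasable(self) -> bool:
        # Both independent controls must be satisfied before release.
        return self.authorizer is not None and self.confirmed_via is not None
```

Because the separation check compares usernames, it only holds when every staff member signs in with an individual account; a shared login makes the initiator and authorizer indistinguishable.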

Use dedicated machines for online banking transactions where possible and/or where high risk transactions (ACH and/or Wire) are initiated. Do not surf other internet sites with those machines.
Many web sites that seem innocent and innocuous contain software that downloads malicious software to a user’s PC. There have been numerous examples of legitimate web sites that have been infiltrated with malicious software. The pervasiveness of this issue, combined with the high level of risk associated with ACH and Wire Transfer Payments, has led to the recommendation that ACH and Wire Payments be performed on a PC that is not used for web surfing.

Be suspicious of e-mails with links and/or attachments.
We all receive them: the e-mail enticing you to click on the link it contains or to double-click on its attachment. The problem is that you can never be sure that the person listed as the sender actually originated the e-mail. Phishing is defined as an e-mail sent to a large number of recipients in an attempt to trick them into downloading malware by clicking on a malicious link and/or attachment. Spear phishing is defined as a targeted phishing attack that appears to come from a friend or family member. Whaling is defined as a phishing attack targeted to the top tier officers in a business who, more than likely, have rights to perform high risk transactions. All of these practices result in the recommendation to be suspicious of e-mails with links and/or attachments. Avoid them when you can. Go directly to the web site in question or use your favorite search engine to find the right site if you are not sure.

Install a dedicated, actively managed firewall.
A firewall limits the potential for unauthorized access to a network and computers.

Create a strong, complex password with at least 10 characters.
Research has shown that passwords that contain alpha characters that form names or words in the dictionary are easier to guess than passwords based on acronyms. A password based upon the first letter of the names of the planets (mvEmjsunp) is better than a password comprised of my pet’s name (Sally123). A password that contains upper case letters, lower case letters, numbers and special characters is even more secure. The password of mvEm928jsunp would be an improvement on the one previously mentioned. The numbers 928 represent the fact that the number of planets was reduced from 9 to 8 when we demoted Pluto.

Due to increased processing power, the tools used to crack passwords have improved as well. You need a ten-character password today to provide the same level of protection that a seven-character password provided in 2004.

Prohibit the use of “shared” usernames and passwords.
This one is critical and also easy to implement. Most systems are designed to enable businesses to have multiple users with multiple usernames and passwords. It is impossible to implement dual control if staff members are sharing usernames and passwords.

Use a different password for each website that is accessed.
If you use the same password for multiple sites and your credentials get compromised, it multiplies the potential exposure caused by the compromise. You can use a similar password at multiple locations and add a couple of characters at each location that would make it unique. For example, you could incorporate the first or last three characters of the site name into your password which would make it similar enough to remember but different enough to protect you and your business.

Change your password a few times a year.
This is another one that is easy to implement. Changing your password a few times a year makes it less likely that it will be compromised.

Never share username and password information with 3rd party vendors.
3rd party vendors have access to your account information without you having to provide them with your username and password. You should never have to share this information with them.

Limit administrative rights on users’ workstations to prevent inadvertent downloads.
Malicious users often rely on the user's ability to download malicious software onto the PC to infect it. Limiting the rights of the user can mitigate this risk.

Install commercial anti-virus and desktop firewall software on all computers.
Installing anti-virus and desktop firewall software on all computers is an important layer of protection that all businesses must deploy.

Ensure virus protection and security software are updated regularly.
In addition to installing anti-virus software on your computers, it is also important to set the system up to automatically download the latest anti-virus signature versions available from the vendor.

Ensure operating systems and applications receive security patches regularly.
It is important to set the system up to automatically receive operating system and other application security patches from the vendor as well. Remember to include all vendors, including your operating system vendor, in this process.
