Banking in a Time of Cybercrime
Any small business, educational organization or local government needs to be wary these days. In the past year, cybercriminals have increasingly targeted these less-than-security-savvy groups with malicious software tailored to facilitate bank fraud.
In one case, which I documented for an article in Technology Review, online thieves targeted the accountant at a small California firm with a banking trojan. When the worker signed into the company’s bank account, the thieves initiated 27 fraudulent transactions totaling approximately $447,000. Former Washington Post reporter Brian Krebs has reported on over two dozen such cases.
In total, the government estimates that businesses have lost more than $100 million as of early November.
Now, financial institutions and the government are preparing to advise businesses and other organizations on how to better bank online in these treacherous times.
In a memo currently circulating in the financial community, the Financial Services Information Sharing and Analysis Center (FS-ISAC), a group formed to help its members better respond to threats, is promoting a series of steps that firms can take to secure their online banking.
William Nelson, CEO of the group, maintains that the steps would make the current type of fraud much more difficult, if not impossible. “If you implemented all the procedures, I frankly think it would be failsafe,” he says.
Here are the recommendations:
- Dual control over bank transactions
Companies should require two people's authorization for each transaction. The accountant could initiate the transaction, for example, and the CEO of the company would have to release the funds. “Even the smallest business should have two people who can release payment,” says Nelson.
- Limits on transferable amounts
Businesses should work with their banks to put limits on the amount of money that can be transferred in a single transaction and per day. If your company never sends more than $2,000 in one transaction and no more than $10,000 a day, then setting those limits could save your business.
- Dedicate a computer to banking
This recommendation has surfaced before. Businesses should dedicate a single computer to online banking and no other function.
- Allow only limited users
If you give administrative rights to everyone on the system used for banking, then a misstep can result in attackers gaining complete control over the system. Allow users only limited rights. They should not be installing any new applications in any event.
- Out-of-band authentication
Banks should start offering small businesses and clients with significant funds in their accounts a manual callback or an SMS message to confirm that a transaction is legitimate. Even a notice by fax after the fact would help limit damages.
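To make the first two recommendations concrete, here is an added example (not code from FS-ISAC, any bank, or the original article) of the approval logic a bank or treasury system would apply before releasing a payment: a transfer is held until a second person releases it, rejected if the initiator tries to release their own transfer, and rejected if it exceeds the per-transfer cap or would push the day's released total past the daily cap. The limits ($2,000 per transfer, $10,000 per day) come from the text above; the transfer records, user names and `Policy`/`Transfer` types are constructed for illustration.

```python
"""Dual-control and transfer-limit policy check (added example).

Constructed sample data and hypothetical types; the limits mirror the
$2,000 / $10,000 figures quoted in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    day: date
    amount: Decimal
    initiated_by: str
    released_by: Optional[str]  # None until a second person has released it


@dataclass(frozen=True)
class Policy:
    per_transfer_limit: Decimal
    per_day_limit: Decimal


def evaluate(transfers: Iterable[Transfer], policy: Policy) -> Dict[str, str]:
    """Return {tx_id: decision}; decision is 'release' or a hold/reject reason.

    Transfers are processed in order. Only released transfers count toward
    the day's running total, so one oversized rejected transfer does not
    starve later legitimate payments.
    """
    released_per_day: Dict[date, Decimal] = defaultdict(Decimal)
    decisions: Dict[str, str] = {}
    for t in transfers:
        if t.released_by is None:
            decisions[t.tx_id] = "hold: awaiting second approver"
        elif t.released_by == t.initiated_by:
            # Dual control: the person who keyed the payment cannot release it.
            decisions[t.tx_id] = "reject: initiator cannot release own transfer"
        elif t.amount > policy.per_transfer_limit:
            decisions[t.tx_id] = "reject: exceeds per-transfer limit"
        elif released_per_day[t.day] + t.amount > policy.per_day_limit:
            # Aggregate check: many small payments cannot exceed the daily cap.
            decisions[t.tx_id] = "reject: exceeds daily limit"
        else:
            released_per_day[t.day] += t.amount
            decisions[t.tx_id] = "release"
    return decisions


def sample_run() -> Dict[str, str]:
    """Run the policy over a constructed day of activity."""
    policy = Policy(per_transfer_limit=Decimal("2000"),
                    per_day_limit=Decimal("10000"))
    d1, d2 = date(2009, 11, 2), date(2009, 11, 3)  # constructed dates
    transfers = [
        Transfer("T1", d1, Decimal("1500"), "accountant", "ceo"),         # release
        Transfer("T2", d1, Decimal("1800"), "accountant", "accountant"),  # same person
        Transfer("T3", d1, Decimal("2500"), "accountant", "ceo"),         # over per-transfer cap
        Transfer("T4", d1, Decimal("1900"), "accountant", "ceo"),         # release (3400 so far)
        Transfer("T5", d1, Decimal("1900"), "accountant", "ceo"),         # release (5300)
        Transfer("T6", d1, Decimal("1900"), "accountant", "ceo"),         # release (7200)
        Transfer("T7", d1, Decimal("1900"), "accountant", "ceo"),         # release (9100)
        Transfer("T8", d1, Decimal("1000"), "accountant", "ceo"),         # would reach 10100
        Transfer("T9", d2, Decimal("1000"), "accountant", "ceo"),         # new day, release
        Transfer("T10", d2, Decimal("1200"), "accountant", None),         # not yet released
    ]
    return evaluate(transfers, policy)


if __name__ == "__main__":
    for tx_id, decision in sample_run().items():
        print(f"{tx_id}: {decision}")
```

The daily check is the part that matters most against the pattern described above: a batch of 27 transfers averaging well over the $2,000 cap would fail the per-transfer test outright, and even a batch kept under that cap would stall once the day's released total reached $10,000. Enforcing the release step on the bank's side, with a different person confirming out of band, also means a compromised accountant's workstation alone cannot complete the payment.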
The memo is currently being circulated among members of various banking and financial associations, Nelson says.