Quick. Easy. Efficient. Who doesn’t love online banking? Be aware, though, of the danger: Hackers can access your account, drain your funds and threaten the survival of your business.
The risk’s growing.
Cyber attacks increased some 24 percent in the first half of 2012 over the same period the previous year according to a new report from security firm Symantec. Reason? “Any time the economy goes down, white collar crime goes up,” says Bill McDermott, CEO of Atlanta-based McDermott Financial Solutions (mcdfs.com). “We’re seeing an increase in corporate account takeovers. It’s a huge problem.” Banks commonly refuse to indemnify companies for funds stolen from commercial accounts.Banks commonly refuse to indemnify companies for funds stolen from commercial accounts. “A lot of people have the misunderstanding that banks offer to business accounts the protection offered to consumers,” says McDermott. “In fact, banks will not hold business account holders harmless for losses from cyber-fraud.” In simple terms, your loss is YOUR problem!
Target: You
Think fraudsters only go after big corporations? Not so. “There seems to be a trend toward hackers targeting smaller businessesThere seems to be a trend toward hackers targeting smaller businesses ,” says Brian Krebs, a cyberfraud investigative reporter in suburban Washington, D.C. (krebsonsecurity.com). “Perhaps that’s because larger businesses tend to have protective systems in place so the bad guys have to jump through more hoops.” The numbers tell the tale: Some 36 percent of attacks during the first half of 2012 were directed at businesses with 250 or fewer employees, according to Symantec. That’s a big spike from the 18 percent over the same period during the previous year. “There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” says Paul Wood, Symantec’s cyber security intelligence manager. “It almost seems attackers are diverting their resources directly from one group to the other.”
Secure systems
Why won’t banks protect business accounts?Why won’t banks protect business accounts? One reason is legislative: Only consumers are protected by the Federal Electronic Funds Transfer Act, also known as “Regulation E.” If timely notice is given by the victimized consumer, almost all of the stolen money is reimbursed. Here’s another reason: Banks expect business owners to perform due diligence. “In the area of cybersecurity, banks expect businesses to possess a level of expertise higher than that of consumers,” says McDermott. “For example, businesses are expected to maintain protection against malware and to train employees to avoid Internet sites where they can pick up viruses.” A cyber attack most often begins when a hacker installs a rogue program on the computer of a targeted business. Called “malware,” this program captures usernames and passwords for the company’s online bank accounts. From there it is an easy step for the hacker to access the account and wire funds to other financial institutions. And here’s the really bad news: Computers give little indication they are infected with malware. Software designed to detect rogue programs are often unable to identify the code written to hack financial data. “Once on your system, sophisticated malware may keep itself patched faster than your antivirus software updates itselfOnce on your system, sophisticated malware may keep itself patched faster than your antivirus software updates itself ,” says Krebs. As a result, the only way to really cure a sick computer is to reinstall the operating system.
What to do?
Even small businesses without IT staffs can take basic security steps. “Make sure your computers have virus protection and the appropriate firewalls,” suggests McDermott. “From the business practice standpoint, if you send out ACH [Automated Clearing House] transactions set up a system of dual control so that one person initiates the transaction and a second person approves it before the bank accepts it. And look at accounts on a daily basis to spot unauthorized transactions quickly.” Some experts suggest dedicating one computer solely to the task of online banking. Keep infections off the computer by prohibiting its use for email or for web surfing other than bank related sites. “Strip down the computer to whatever software you need and nothing else,” says Krebs. “And keep it up to date with the latest patches every day; don’t fall behind.” That last bit of advice, adds Krebs, applies to all your computers. Hackers constantly write new programs that exploit vulnerabilities in software such as the Windows operating system, Java, and the Adobe Acrobat reader of PDF files.
Update Your Software and Operating System
An excellent powerful, but simple-to-use, free tool for finding and updating your operating system and programs is available from Secunia.An excellent powerful, but simple-to-use, free tool for finding and updating your operating system and programs is available from Secunia. Secunia is a computer security software firm that offers a broad range of solutions for individuals, small firms and corporate giants. Once installed, this program makes finding obsolete, out-of-date programs and either removing or replacing them simple with a one-button solution to install the patch or update. Individuals and small businesses will likely opt for the Secunia PSI desktop program. Secunia runs invisibly and lets you know any changes to programs. It also gives you a full report at whatever frequency you set, showing any obsolete programs, ones that need to be updated and any missed operating system updates. One final thing: Install the most up-to-date computer operating system, because each iteration provides better security. “According to recent reports, 43 percent of the market is still on Windows XP,” says Stephen Sims, senior instructor at the Bethesda, Md., SANS Institute, a security training organization (sans.org). “We all have to move off these outdated operating systems to take advantage of the much better security features of modern releases.We all have to move off these outdated operating systems to take advantage of the much better security features of modern releases.”
Modern operating systems, with their native security features, can do only so much. Employees must be trained on good computing habits. Here are some of the best: Avoid email attachments. “Three out of four malware attacks come from emails with links that are clicked on by recipients,” says Krebs. “If the browser is not fully patched one click can do it: The computer is infected and there is no warning.”
How Safe is Your Bank Account?
How secure are the funds in your commercial bank account?
Find out by taking this quiz. Score 10 points for every “yes.”
You are in good shape if your total score is between 80 and 100; vulnerable if between 60 and 70; and courting disaster if below 60.
Are you. . .
Using the latest operating system with an active firewall?
Using a capable antivirus and malware program?
Utilizing automatic updates for the operating system, antivirus and malware programs?
Utilizing security programs offered to business accounts by your bank?
Checking bank account transactions daily?
Isolating the financial transaction computer from other activities?
Training your employees on handling email attachments?
Restricting staff access to questionable web sites offering gambling and pornography?
Using strong passwords?
Maintaining a quick response plan, with names and numbers of people to contact, in the event of a fraudulent wire transfer. Surf safely. Undisciplined surfing can also be dangerous, points out Krebs. “Visit certain web pages with a browser that is not fully patched and you can get infected by code in an ad banner or elsewhere on the page.” Bank securely. When visiting your bank’s web site, use a bookmark that points to the institution’s secure “https” page. In other words, go directly to "https://www.bankname.com." In contrast, going to "www.bankname.com" can allow attackers to exploit your unencrypted connection, making your data easier to capture. Review bank statements. Monitor your monthly bank statement closely for unexplained financial activity. “Many attacks involve scraping small amounts from many accounts versus large amounts from a few accounts,” notes Sims. Go offline. When finished with a computer for the day, shut it down completely rather than put it in sleep mode. “While a computer is in sleep mode the encryption keys used for anything from web sessions to hard disk encryption are likely to be resident in memory,” cautions Sims. “An attacker can use special tools to dump the memory from a system that is not completely shut down and potentially steal this information to gain unauthorized access.”
Security experts have long championed the virtues of strong passwords. A mix of letters and numbers is much safer than using an easily guessed word such as “qwerty” or even “password.” Too often, though, employees don’t get the message. They often complain about the difficulty of remembering complicated strings of characters. That’s because most people end up with dozens, even hundreds, of accounts and rely on a few simplistic passwords or just as bad: write them on sticky notes and put them on their computer. (Yes, they really do that!). Today, you can forget doing things the way you used to if you want to be hard to hackToday, you can forget doing things the way you used to if you want to be hard to hack says Atlanta business consultant and coach, Chris Dekle. Help is at hand. It’s not really necessary to commit passwords to memory. Password managers make it simple to use random 8, 10 even 15-digit letter, number and symbol combination passwords that defy hacking by anyone short of the National Security Agency yet require you to remember only one password. “For secure internet use, you simply must use password manager software.” As a bonus, you’ll have free text fields to keep account information right with the site logon, so you can always find information you previously had on lost sales slips, buried or lost activation codes, etc. Beyond managing the logins, it makes connecting to a site one-click simple. Automation takes you to the website and automatically logs you in. “There is a lot of good software to help you manage your passwords, But you could also use something as simple as keeping your passwords in a notebook locked in your desk.”
Vet your bank
Businesses are not always to blame when cyberfraud hits. Sometimes banks drop the ball. There is some motivation for financial institutions to maintain a minimal level of security: Good internal practices are encouraged by government agencies charged with overseeing bank activities. “The bright side of enforcement is that financial institutions are having to architect and deploy solutions that hopefully increase the security of customer accounts,” points out Sims. Even so, you will want to subject your own bank to some due diligence. “Perform risk assessments when evaluating potential banksPerform risk assessments when evaluating potential banks ,” suggests Sims. “Draft a list of questions with your biggest concerns and run them by each organization.” How good are the bank’s Internet defenses? How do the bank’s practices, and the security features it offers business accounts, compare with other institutions? For example, does it offer a two-step validation, in which an ACH transfer must be approved by a second representative at your office? There are other forms of what is called “multi-factor authentication,” in which the bank must receive a back-up confirmation from your business, in the form of a voice phone call or email, before honoring a wire transfer. Sims suggests researching each prospective bank using publicly available tools such as Google, SEC, Dun & Bradstreet, and others. “Analyze each bank’s stock performance if publicly traded,” he says. “Read through some of the comments in public message boards. Hint: Many of the posters are employees.” Sims suggests visiting websites such as www.darkreading.com to see if there are any reports regarding incidents at your prospective bank. Use specially crafted Google searches to find breaches. For example, try using: intitle:"bank name" intext:hackers or breach. Big bank, small bank: Which is better?Big bank, small bank: Which is better? Each has its benefits. While all financial institutions are required to abide by federal regulations, larger banks may have more security resources and experience. However, smaller banks may have fewer accounts to monitor and may give each one more attention. Since no banks of any size indemnify business accounts you may want to look into getting your own coverage. Ask your broker for information about fraud insurance that has a rider for fraudulent bank transfers.
When hackers strike
Suppose that despite your best efforts and smart practices, a hacker siphons money from your account. Can you get any back?Suppose that despite your best efforts and smart practices, a hacker siphons money from your account. Can you get any back?
While it’s highly unlikely that a victimized business will recover all of its stolen money, portions can often be saved. “Fraudulent transactions frequently are reversed, so most victims get some money back,” says Krebs.
The secret to recovering your cash? Act fast. “Time is your enemy,” says Krebs. “The longer the time that elapses since a breach, the more money you are likely to lose.The longer the time that elapses since a breach, the more money you are likely to lose. ” Don’t wait until the last minute to figure out whom to call in the event of a money loss. Put together a list of vital financial and legal contacts and keep it handy. Quick action on your part, though, must be matched by your financial institution. “You have to have a cooperative bank that pulls things together quickly,” says Krebs. Once your funds have been withdrawn as cash—often at overseas money transfer offices—they are gone for good.
Posts
