05:28 PM
Connect Directly

As Small Business Online Banking Fraud Grows, So Do Efforts to Curb It

Password controls, mobile alerts, stronger authentication and customer PC security scans among the measures that can help.

USA Today has posted an article suggesting that cybertheft activity has made online banking too risky for small businesses to handle. "'Any organization that cannot survive a sudden five- or six-figure loss should consider shunning Internet banking altogether,' says Amrit Williams, chief technical officer of security firm BigFix," the article states. "'Online is a very dangerous place for any small organization to be right now,' he says."

According to the article, the FBI has investigated more than 200 cases, mostly in 2008 and 2009, in which cyber criminals executed $100 million worth of fraudulent transfers and made off with $40 million. The story offers a couple of examples. In one, Western Beaver County School District in Pennsylvania is suing ESB Bank for executing 74 unauthorized cash transfers totaling $704,610 during Christmas break a year ago. In Bullitt County, Ky., in June, unauthorized transfers totaling $415,989 were moved out of the payroll account the county kept at its bank, First Federal Savings Bank of Elizabethtown.

But the article fails to recognize that there's much small businesses and banks can do and are doing to prevent such unauthorized transactions.

While the FBI and the ABA have recommended that small business owners do their online banking on a separate PC to prevent hackers from accessing banking accounts, that's just one tool in the toolbox, says Doug Johnson, vice president of risk management at the American Bankers Association, who spoke to Bank Systems & Technology in an interview this afternoon.

Small business owners can request that their bank limit the dollar value associated with transactions, he says. They can put password controls in place such that they change their passwords on a continual basis and don't share user name and password information with third party providers. They can ensure their firewalls are properly managed.

"When the forensics are done [on small business online banking fraud] that's been where the failures have been found, in standard computer hygiene at the business location, where they're not keeping their signature files up to date, maybe they don't have spyware protection on the machine," he notes.

Johnson says small business owners need to engage in basic "blocking and tackling" security measures such as dual controls. "If a business puts in dual controls so that one person has to oversee another person in the process of conducting wire and ACH transactions, then you can defeat, in large part, these types of exploits."

Another simple precaution small businesses can take is to activate mobile alerting for ACH transactions, so that they'll see every transaction in real time on a mobile device.

For their part, banks are considering stronger online banking authentication mechanisms, Johnson says. They're examining each component within their network and system infrastructure to make sure they have the proper levels of security at each point of entry. Some are scanning the customer's PC at the point of authentication to make sure the customer has the proper levels of security on their PC and not allowing access if they don't.

"In earlier times we might have thought that was too intrusive" and banks might have been concerned that their small business customers wouldn't accept it, Johnson notes. "There's always that challenge of achieving balance between proper levels of convenience and proper levels of security."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Janice, I think I've got a message from the code father!
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.