USA Today has posted an article suggesting that cybertheft activity has made online banking too risky for small businesses to handle. "'Any organization that cannot survive a sudden five- or six-figure loss should consider shunning Internet banking altogether,' says Amrit Williams, chief technical officer of security firm BigFix," the article states. "'Online is a very dangerous place for any small organization to be right now,' he says."
According to the article, the FBI has investigated more than 200 cases, mostly in 2008 and 2009, in which cyber criminals executed $100 million worth of fraudulent transfers and made off with $40 million. The story offers a couple of examples. In one, Western Beaver County School District in Pennsylvania is suing ESB Bank for executing 74 unauthorized cash transfers totaling $704,610 during Christmas break a year ago. In Bullitt County, Ky., in June, unauthorized transfers totaling $415,989 were moved out of the payroll account the county kept at its bank, First Federal Savings Bank of Elizabethtown.
But the article fails to recognize that there's much small businesses and banks can do and are doing to prevent such unauthorized transactions.
While the FBI and the ABA have recommended that small business owners do their online banking on a separate PC to prevent hackers from accessing banking accounts, that's just one tool in the toolbox, says Doug Johnson, vice president of risk management at the American Bankers Association, who spoke to Bank Systems & Technology in an interview this afternoon.
Small business owners can request that their bank limit the dollar value associated with transactions, he says. They can put password controls in place such that they change their passwords on a continual basis and don't share user name and password information with third party providers. They can ensure their firewalls are properly managed.
"When the forensics are done [on small business online banking fraud] that's been where the failures have been found, in standard computer hygiene at the business location, where they're not keeping their signature files up to date, maybe they don't have spyware protection on the machine," he notes.
Johnson says small business owners need to engage in basic "blocking and tackling" security measures such as dual controls. "If a business puts in dual controls so that one person has to oversee another person in the process of conducting wire and ACH transactions, then you can defeat, in large part, these types of exploits."
Another simple precaution small businesses can take is to activate mobile alerting for ACH transactions, so that they'll see every transaction in real time on a mobile device.
For their part, banks are considering stronger online banking authentication mechanisms, Johnson says. They're examining each component within their network and system infrastructure to make sure they have the proper levels of security at each point of entry. Some are scanning the customer's PC at the point of authentication to make sure the customer has the proper levels of security on their PC and not allowing access if they don't.
"In earlier times we might have thought that was too intrusive" and banks might have been concerned that their small business customers wouldn't accept it, Johnson notes. "There's always that challenge of achieving balance between proper levels of convenience and proper levels of security."