Spears Legal Technology

Disclaimer

This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Businesses, Viruses & Online Banking Pt. II

This is the second of a two part series discussing how small businesses need to be aware of the threats posed by fraudulent electronic fund transfers (EFTs), and why the banks may not lend a helping hand. To read Part I, click here.

How do the cyberthieves get the authentication credentials again?

Victims of online EFT fraud have generally had their credentials stolen through a virus - often a version of the Zeus trojan - that has infected the computer used to access the business’ online banking system. The infection usually occurs after employees click on a link to an infected website, or open an infected email attachment through a process known as “phishing.”

Once a victim’s computer is infected, Zeus records the keystrokes used when logging into specified online banking websites. After the user successfully logs in, Zeus may intercept and modify the details of the transaction, initiate a new transaction without the user’s knowledge, or use the network connection to transmit the recorded authentication credentials to the cyberthief.

Who do cyberthieves target?

Small and medium sized businesses continue to be the primary targets because they often lack the internal controls of larger businesses. Also, business accounts frequently hold more money at any given time than personal accounts.

How much money is lost to ETF fraud?

Between March, 2010 and March, 2011 the FBI identified
twenty incidents totaling $20 million worth of fraudulent electronic transfers from small to medium sized businesses to China. In each incident malicious software compromised the business’ online banking credentials. $11 million was not recovered.

The total figures are likely much higher, once you account for all businesses and the locations of all cyberthieves. Below is a
chart presented by the FDIC's David Nelson outlining the trends of Electronic Funds Transfer (EFT) Fraud. Approximately $120 million worth of EFT fraud occurred in the third quarter of 2009 alone. [See slide 12.]

chart

Image credit: FDIC

As a matter of comparison, FBI statistics show that thieves stole $43 million from brick-and-mortar banks in calendar year 2010, $8 million of which was recovered.

How can businesses protect themselves?

Brian Krebs, formerly of the Washington Post, has been the loudest and most consistent voice on this issue. Last year Krebs shared some
protective steps recommended by the Office of the Comptroller of the Currency, the primary federal regulator of national banks.

Here’s a sample:

(1) Authentication (including token based/one-time password generators) is only one layer of control. Out of band (also being called 3rd factor) verification such as call backs, fax, etc…  is still highly recommended.(2) Businesses and banks should require dual controls.(3) Establish and monitor exposure limits.  You may want to consider 2 limits – lower limits for authentication only, higher limit with out-of-band verification.



http://krebsonsecurity.com/2010/04/e-banking-guidance-for-banks-businesses/

There is much more fantastic advice in that link, and I recommend reading the entire article. Drawing from my technical days, I can also suggest that business' use a machine dedicated solely to online banking (no surfing!) and booting from an uninfected, read-only Live CD. The Live CD should contain a browser and be able to connect to the Internet, so even if the Zeus trojan has infected the machine it will not be able to write to the Live CD and affect the transaction.

Of course, another easy step would be to contact your banking institution for any additional protective measures.

Online banking is a wonderful tool. But taking a few minutes to conduct your business safely can prevent a lot of headaches later on.

blog comments powered by Disqus