TECH 101: Online Banking Risk Management
Tim Weidman
Online banking is risky.
That is not a statement we are used to hearing, since nearly everyone banks online, sometimes every day, all day, and with accounts holding significant amounts of money.
There have always been risks associated with online banking, but the existence and rapid spread of banking Trojans (malware built to hijack online banking sessions) are increasing those risks. These risks carry real potential for loss, especially for small and medium-sized organizations. New versions of this malware appear on an ever-increasing basis, and we expect that to continue. Why? Because technology is improving dramatically, for both the good guys and the bad guys, and because… “That’s where the money is.”
How the Virus Works
The Trojan is typically delivered when an employee visits an infected website or opens a malicious email attachment. Anti-virus software has to date shown mixed results in detecting it. If a computer is infected and the infection goes undetected, the malware remains dormant until a bank or financial site is accessed. At that point it can take over the online session, lock out the legitimate users and attempt to transfer funds.
How to Protect Yourself
1. Stop the loss of funds at the bank – contact your financial institution and determine the options available to limit the transfer of funds, including the following:
   - Verbal confirmation/callback for any funds transfer, or at minimum a dollar amount above which verbal confirmation is required.
   - Use an RSA token for all logins and transfers online. This is a thumb drive or mobile device app which generates a one-time “token” that is needed to log in to the site and/or transfer funds.
   - Use location-based authentication. Many banks can activate location-based authentication, which requires extra steps if an account is accessed from an unknown computer, network or location.
You might think that would be enough. In my opinion, you may be wrong. Given the level of sophistication involved and what is at stake, one method of protection is just not enough.
In one example we recently witnessed the malware take over a banking session shortly after a failed attempt to open an email attachment. It bypassed the dual RSA token functionality, demoted the rights of all of the users in the organization except one, added “super administrator” rights to the account of which it had assumed control and attempted the first 100K+ transfer out of the country in a matter of seconds. That’s some high tech stuff.
There are examples across the country of companies reporting losses into the millions. And those are just the ones which make the news.
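The takeover described above leaves a distinctive trail in an online-banking portal's user-administration audit log: several demotions, one self-elevation and a large outbound wire by the same actor within minutes. The script below is an added illustration, not part of the original article, that flags that sequence over a constructed sample log; the log format, the role names and the $25,000 callback threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export (not a real bank log): timestamp, actor, action, target, detail.
SAMPLE_LOG = """\
2014-03-03T09:14:02 jsmith LOGIN jsmith ip=203.0.113.7
2014-03-03T09:14:20 jsmith ROLE_CHANGE mlee approver->viewer
2014-03-03T09:14:21 jsmith ROLE_CHANGE rpatel approver->viewer
2014-03-03T09:14:21 jsmith ROLE_CHANGE akim admin->viewer
2014-03-03T09:14:23 jsmith ROLE_CHANGE jsmith approver->superadmin
2014-03-03T09:14:31 jsmith WIRE_INIT acct-4471 amount=104500.00 dest_country=XX
2014-03-03T11:02:10 akim LOGIN akim ip=198.51.100.5
"""
RANK = {"viewer": 0, "approver": 1, "admin": 2, "superadmin": 3}  # assumed role hierarchy
WINDOW = timedelta(minutes=5)     # how close together the steps must be to count as one sequence
WIRE_THRESHOLD = 25000.0          # assumed verbal-callback threshold; set per organization

def parse(log_text):
    """Split each line into (timestamp, actor, action, target, detail)."""
    events = []
    for line in log_text.splitlines():
        ts, actor, action, target, detail = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), actor, action, target, detail))
    return events

def find_takeover(events, window=WINDOW, threshold=WIRE_THRESHOLD):
    """Alert when one actor, within `window`, demotes >=2 other users, elevates itself and starts a wire >= `threshold`."""
    alerts, by_actor = [], defaultdict(list)
    for ev in events:
        by_actor[ev[1]].append(ev)               # group by actor; events are already in time order
    for actor, evs in by_actor.items():
        for i, (t0, *_) in enumerate(evs):       # slide the window across this actor's events
            demoted, self_elevated, big_wire = set(), False, None
            for ts, _, action, target, detail in evs[i:]:
                if ts - t0 > window:
                    break
                if action == "ROLE_CHANGE":
                    old, new = detail.split("->")
                    if target != actor and RANK[new] < RANK[old]:
                        demoted.add(target)      # someone else lost rights
                    elif target == actor and RANK[new] > RANK[old]:
                        self_elevated = True     # the actor raised its own rights
                elif action == "WIRE_INIT":
                    fields = dict(kv.split("=") for kv in detail.split())
                    if float(fields.get("amount", 0)) >= threshold:
                        big_wire = (target, float(fields["amount"]))
            if len(demoted) >= 2 and self_elevated and big_wire:
                alerts.append({"actor": actor, "start": t0, "demoted": sorted(demoted), "wire": big_wire})
                break                            # one alert per actor is enough
    return alerts
```

Any single step here is routine administration; it is the combination within a few minutes that should page someone and trigger the verbal callback before the wire is released.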
So on to additional measures:
2. Limit users of online bank sites – If possible, limit the number of individuals who have online access to your bank accounts, or establish “read only” access for individuals who only need limited access (such as downloading bank statements). This reduces the number of individuals who may forget policies or make poor decisions while using the internet.
3. Provide training to employees – All employees in your company with internet access, and especially those with online banking and other sensitive access, need to be trained and educated on malware threats and on exercising good judgement in their internet activity.
4. Separate online bank access from other activities – Reducing the number of computers that can access bank accounts online reduces the number of computers that expose your company to risk and therefore need to be protected. The strongest security would be to:
   - Set up an independent workstation with a Mac or Linux computer (or, less securely, a Windows computer).
   - Do not allow access to websites other than online banking on this machine, and do not allow online banking access on any other machine.
   - Do not allow email to be received on this computer.
   - Establish very limited connectivity with the remaining network.
5. Establish other controls regarding online bank access – While we believe #4 above is the most secure way to access online banking, it may not be practical in every situation. Other, less secure options include setting up a virtual machine dedicated to online banking and/or limiting which workstations can access banking, including restricting internet use on those machines.
What to do next?
We have provided this information because we believe this is a significant and increasing threat, and we have witnessed companies come under attack. All security measures are a balance between safety, cost and convenience. While no security measures will completely eliminate the risk, we believe the steps above can help reduce it. Each organization needs to decide what risk it is willing to accept. We at Frankel Zacharia Tech Services are available to consult and assist in putting a plan in place.
Tim Weidman is the Director of Information Technology at Frankel Zacharia Tech Services, a department of Frankel Zacharia, LLC. Tim has a technology career spanning over 25 years and holds multiple Cybersecurity certifications including Certified Ethical Hacker and Penetration Tester, CISSP and others.