Since mid-September 2012, distributed denial-of-service (DDoS) attacks have led to online outages at several major U.S. banks. During a DDoS attack, a website is
Consumer online bank accounts are protected under Federal Reserve Regulation E, which requires financial institutions to reimburse a customer for certain fraud losses. But Regulation E does not apply to commercial accounts. Instead, business bank accounts are covered by the Uniform Commercial Code (UCC) and its state counterparts. Under the UCC, businesses have shorter reporting timelines, fewer protections and significantly higher liability than consumer banking customers. Additionally, financial institutions can elect to shorten the fraud reporting timelines further and even disclaim certain obligations through their online commercial banking agreements. This means much of the responsibility for the protection of your business bank account rests squarely on your shoulders.
An easy and relatively cost-effective way for companies to reduce their exposure to cyberfraud is to stop using Microsoft Windows when accessing company bank accounts online. Nearly all banking malware in circulation today is written for Windows, and a Windows trojan built to steal passwords and banking credentials will not load or run on a computer running a different operating system. This reduces exposure rather than eliminating it: malware for other platforms exists, and a phishing page that harvests credentials works in any browser, so the dedicated machine must still be kept patched and used only as described below.
A company that currently conducts its online banking with a Windows-based computer should consider purchasing a Mac laptop and dedicating this laptop to online banking transactions only. This laptop should never be used to browse the Web, and it should never be used to receive, send or access email. The laptop should only be used to conduct the company’s online banking. At all other times, it should remain powered off and kept in a secure location.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) echoes these suggestions. It has published guidelines recommending that businesses conduct all online banking activities from “a standalone, hardened and completely locked-down computer system from which regular email and Web browsing is not possible.”
Companies should educate and continuously remind employees who are responsible for conducting online banking transactions about the dangers associated with accessing personal or work email from the dedicated laptop. Do not allow employees to freely access the Internet from the dedicated banking laptop, and do not allow employees to check personal email or to connect any personal USB storage device to the dedicated laptop.
Companies should also establish rules, preferably confirmed in writing, with their financial institutions that limit the company’s ability to initiate online wire transfers to certain restricted business hours. Online wire transfers should not be allowed during non-business hours, when a fraudulent transfer is least likely to be noticed before it clears. In addition, if appropriate for your particular business, establish rules stating that your commercial account can only initiate domestic wire transfers, and set dollar limits on the daily amount that can be transferred online.
Another precaution is to create strong password policies for online banking. A simple, common password like “orange” or “StateBank” appears in every attacker’s wordlist and can be cracked almost instantaneously. Similarly, in an offline attack against a stolen password hash, every possible password of up to seven characters, including a mix of letters, capitalization, numbers and punctuation, can be tried in less than a day with advanced password-cracking software. Caution employees not to use anything personally related to them, like a license plate number, telephone number, pet’s name, etc., as these can be tested automatically after a simple investigation into the target. Note that password strength does nothing against a keylogger on the machine used for banking, which captures the password as it is typed; that is why the dedicated laptop matters.
Instead, password policies should encourage your employees to use the strongest passwords possible without creating the need or temptation to reuse passwords or write them down. That means passwords that are random, complex and long (eight characters is the floor; the example below is twelve, and longer is better), that are changed regularly and immediately if compromise is suspected, and that are closely guarded by those who know them. Choose a mixture of upper- and lowercase letters, numbers and, if permitted, special characters such as “!”, “@” or “#.” A sentence unique to the user works well, in which you take the first letter of each word, substitute numbers or symbols for vowels and add punctuation. A famous quotation is not unique to the user and is itself in attackers’ wordlists, so use the example below only to learn the construction. Make sure the password is easy to remember and do not write it down or save it anywhere. For example: A long time ago in a galaxy far, far away = @Lt@I@gF,f@!
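The following Python script is an added example, not part of the original article. It applies the sentence-to-password construction described above with a fixed rule (alternate the case of each leading letter, swap vowels for digits or symbols, keep punctuation, append “!”), and then estimates how long a brute-force attacker would need to exhaust the search space at an assumed rate of one billion guesses per second, a figure chosen for illustration and representative of offline cracking of a fast hash on a single GPU rather than of any particular bank’s login. The vowel mapping and case rule are assumptions; the article shows one hand-made result rather than a rule, so the output differs from it in one character.

```python
import math
import string

# Assumed offline guess rate for this example. An online login that limits
# attempts allows far fewer; a keylogger on the banking PC needs zero.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Vowel substitutions for the first-letter-of-each-word scheme (assumed).
VOWEL_SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "u": "!"}


def passphrase_from_sentence(sentence, subs=VOWEL_SUBS, suffix="!"):
    """Build a password from the first letter of each word in `sentence`.

    Assumed rules: alternate the case of the leading letters so the result
    mixes upper and lower case, swap vowels using `subs`, keep punctuation
    that is attached to a word, and append `suffix`.
    """
    chars = []
    for i, word in enumerate(sentence.split()):
        lead = word[0].upper() if i % 2 else word[0].lower()
        chars.append(subs.get(lead.lower(), lead))
        chars.extend(ch for ch in word[1:] if ch in ".,;:!?")
    return "".join(chars) + suffix


def charset_size(password):
    """Size of the union of standard character classes present in `password`.

    An attacker who knows the password's composition searches only this
    alphabet, so the result is an upper bound on brute-force strength.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_keyspace(max_length, charset):
    """Number of candidates of length 1..max_length over `charset` symbols."""
    return sum(charset ** k for k in range(1, max_length + 1))


def seconds_to_exhaust(keyspace, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second


def strength_report(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Brute-force cost of `password`; dictionary attacks on common words
    or famous quotations are cheaper than this bound suggests."""
    charset = charset_size(password)
    keyspace = brute_force_keyspace(len(password), charset)
    return {
        "length": len(password),
        "charset": charset,
        "entropy_bits": round(len(password) * math.log2(charset), 1) if charset else 0.0,
        "seconds": seconds_to_exhaust(keyspace, guesses_per_second),
    }


if __name__ == "__main__":
    pw = passphrase_from_sentence("A long time ago in a galaxy far, far away")
    print(pw)
    for candidate in ("orange", "StateBank", pw):
        print(candidate, strength_report(candidate))
    # The article's seven-character figure: letters, digits and punctuation
    # (94 symbols) up to length 7 fall within one day at the assumed rate.
    print(seconds_to_exhaust(brute_force_keyspace(7, 94)) < 86400)
```

The report for “orange” comes out well under a second, the seven-character full-keyboard search under a day, and the twelve-character passphrase in the hundreds of thousands of years at the same rate. Treat the numbers as relative, not absolute: the rate is an assumption, and none of it applies to a password typed on an infected machine.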
Companies should also review and adjust existing insurance policies to confirm that they provide coverage for cyberliability. If there is no coverage, companies should seriously consider obtaining cyberliability protection and raise coverage amounts, since online attackers often target accounts with high balances.
Although companies may be focused on investing corporate assets into projects that generate revenue, resources should also be used to protect the company’s assets. An 11-inch MacBook Air retails for $999—in the long run, that might be a worthwhile investment. If your company is attacked, the loss could be many times more than the cost of a dedicated laptop.