B Quillen – Banks: Save your Clients from Cyber Attacks

by Bennett Quillen

The best way to prevent one of your commercial clients becoming a victim of a “cyberheist” is not to let computer crooks into the computers they use to access the organization’s bank accounts online. The surest way to do that is to have the company maintain a clean computer: start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach.
Make sure that the client uses a dedicated system to access the Bank’s site. The dedicated machine should be restricted from visiting all but a handful of sites necessary to interact with the Bank and manage the organization’s finances. This can be done using custom firewall rules and hosts files, or services like OpenDNS. Remember that the dedicated system approach only works if the company only accesses the Bank’s site from locked-down, dedicated machines. Making any occasional exceptions undermines the whole purpose of this approach.
If possible, install an operating system other than Microsoft Windows. Most malware only runs in a Microsoft Windows environment, so using a different operating system for the dedicated machine is an excellent way to drastically reduce the likelihood of becoming a “cyberheist” victim. Have a “live CD” available, as it is a free and relatively painless way to temporarily boot a Windows PC into a Linux environment. The benefit of this approach is that even if the company fails to maintain a clean Windows PC, malicious software can’t touch or eavesdrop on its banking session while the company is booted into the Live CD installation.
If the company must use a multi-purpose machine on which it checks email, avoid clicking links in email. Also, set email to display without HTML formatting if possible.
Make sure that the client keeps the operating system up-to-date and necessary third-party software with patches. This includes browser plugins. One leading cause of malware infections are exploit kits, which are attack tools stitched into hacked Web sites that exploit unlatched or undocumented vulnerabilities in widely-used browser plugins. Tools such as File Hippo’s Update Checker and Secunia’s Personal Software Inspector will alert as to new security updates available for third-party programs.
Remove any unneeded software from dedicated systems used to access the Bank’s site. In particular, unneeded plugins (such as Java) should be junked.
Avoid opening attachments in email that the client is not expecting. Be particularly wary of emails that warn of some dire consequence unless action is taken immediately.
Provide the client with a bookmark to access the Bank’s site. Have the client avoid “direct navigation,” which involves manually typing the bank’s address into a browser; a fat-fingered keystroke may send the client to a look-alike phishing Web site or one that tries to foist malicious software.
Remember that antivirus software is no substitute for common sense. A majority of today’s cyberheists begin with malware that is spread via email attachments. Many of these threats will go undetected by antivirus tools in the first few days.
Provide the client with ACH Positive Pay. Any item that meets the established criteria will automatically post to its account. The company will be notified via email and/or text message of any rejected electronic item(s) that does not meet the company’s filter criteria. Upon receipt of the rejected items, the company can then return (or have the Bank) them or conveniently add filter criteria for future electronic transactions.
Require two people to sign off on every transaction. This fundamental anti-fraud technique can help block “cyberheists” (and employee fraud).
Additionally, the Bank can provide its clients with multi-factor authentication for its transactions.