Online Banking for Businesses – How to protect yourself

Derek Boczenowski
Mar 27, 2018 9:15:00 AM


One of the biggest areas that we see attacks on is the business online banking customer. There has been a marked increase in trying to compromise these accounts, primarily to abscond with the funds within the accounts, but also to execute identity theft as well. Many of these attacks are phishing and malware attacks to gain user credentials, because the truth is that while online banking services have many security controls, not all businesses take advantage of them, and the security of the business itself can be a much better target than the financial institution.

We realize that for each company, not every control is feasible or even possible for every situation. The recommendations below reflect what we see in banking environments as best practices. Each recommendation should be reviewed before implementation. The key is to not rely on one security control, but to use an approach called “defense in depth”, where multiple security controls overlap to ensure a lower level of risk to the organization.

  • Segregation of Online Banking Workstation(s) – One of the biggest threats to online banking is the compromise of local PCs and laptops to steal information and credentials. In many cases, attackers come across the network and simply “watch” the PC in question until online banking systems are accessed, grabbing information via malware such as keyloggers. Because of this, we recommend that any workstation used to access online banking accounts be dedicated to that single purpose, and that the machine be segregated from the rest of the network so it has no contact with general-purpose machines. Because there are cases where reports need to be generated and exported, the recommendation is that the machine be set up to export information, but that data flow be limited to exporting rather than importing. Programs such as Excel and other tools necessary for performing duties may be installed. Remove all software that is not needed, such as Java and Flash. Consider running the workstation on Linux if it can run the online banking systems. We realize that there is a cost to provide and maintain a separate system just for online banking, but taking this step avoids having information compromised because of a problem or compromise elsewhere on the network.


  • Implementation of dual controls – Almost all business online banking systems at this point offer a form of dual control for processing transactions. Dual control requires that, for a particular transaction, the person who enters the transaction must have another person approve it. The goal is to eliminate fraud and errors in multiple ways. With dual control, someone who is not authorized to process a transaction cannot complete it alone. In addition, any errors in a transaction get a second set of eyes before it goes through. Compass does not recommend this practice on all transactions but suggests that it be implemented on any transaction classified as high-risk. This would include transactions over a certain dollar amount, especially ACH and wire transactions.
  • Remote Access to Online Banking – As discussed, there may be a need to access information and online banking outside of the client's offices. In that case, just as with access within the office, access should only be allowed from a company-owned machine. It is very difficult to secure a home system to the same standard as a system controlled by the IT department. The system should be configured to access only online banking and related services. Although it is an inconvenience, avoid setting up email access on this remote system, as email is a primary way to deliver malware and phishing attacks. Ensure the system is patched and updated on a regular basis. Use a VPN connection for any access to ensure the traffic is encrypted, especially when using public internet offerings such as those in hotels, airports, and restaurants. Ensure there is a local firewall installed and running on the machine, and that the system has full-disk encryption in case it is lost or stolen.
  • Access Level Reviews – At least twice a year, request the access level of every employee who has access to online banking. Some systems allow users to do this on their own. Confirm that the access levels for all staff are appropriate. Ensure that employees who have left or changed positions no longer have access.
  • Implementation of online banking security functions – Many financial institutions offer additional security controls above and beyond the standard settings. Each should be reviewed and implemented if feasible. Many of these controls restrict access to online banking accounts based on certain criteria. They include, but are not limited to:

          o Token Access – Token access prevents non-authorized personnel from conducting transactions, or even logging in to online banking, even with a valid username and password. At a minimum, tokens should be required for high-risk transactions, but they can also be required for logins. If the client wishes to perform transactions at any location other than the workstations described above, the recommendation is to require token access for login as well as for transactions.

          o Time Restrictions – If the financial institution offers this ability, you can restrict the days of the week or times of day when access is allowed. This can be a useful function because many unauthorized transactions or access attempts occur outside of regular business hours. Compass realizes that this also means that legitimate access is suspended during those times. The recommendation here is to try this control at a low level and see if there is an impact. For example, when possible, restrict access between midnight and 5 AM and see if there is any business impact. If there is, then remove or modify the restriction.

          o Location Restrictions – If the financial institution offers this ability, you can restrict where access is allowed. The advantage is that with such a restriction in place, only authorized locations can process transactions, eliminating the chance of someone logging in from elsewhere. Because of the “always on” nature of business today, this can be a difficult control to implement. If the workstations are kept off the local network, this control would eliminate the ability to log in from anywhere but those workstations, which may not work for snowstorms and other events where remote access is necessary. If the workstations remain on the network, remote access might be granted to employees, and this control would restrict access to the client's locations. In the latter layout, token login access control would be critical to implement.

          o System Alerts – Receiving alerts on processed transactions can be a critical security control. Ensure that multiple people receive these alerts so that vacations do not prevent an alert from being seen, and that alerts can be responded to promptly.

          o Positive Pay – Positive Pay is an automated fraud detection tool offered by the Cash Management Department of most banks. In its simplest form, it is a service that matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company. Anything not on the list is not processed.
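To make the positive pay matching described above concrete, here is an added example (not code from the post or from any bank) that models the control in Python: presented checks are matched on account number, check number and amount against a constructed issued-check file, and anything that does not match, has been voided, or is presented a second time is flagged as an exception rather than paid. The `Check` class, `PositivePay` class and the sample account and check numbers are assumptions for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    account: str   # account number
    number: int    # check number
    amount: Decimal

class PositivePay:
    """Simplified positive pay: a presented check is paid only if its account
    number, check number and amount match the company's issued-check file."""

    def __init__(self, issued):
        # Issued-check file keyed by (account, check number). Real bank file
        # formats vary; a list of Check objects is assumed here.
        self.issued = {(c.account, c.number): c for c in issued}
        self.voided = set()  # checks the company has cancelled after issue
        self.paid = set()    # checks already honoured

    def void(self, account, number):
        self.voided.add((account, number))

    def present(self, check):
        """Return 'PAY' or an exception reason for one presented check."""
        key = (check.account, check.number)
        if key in self.paid:
            return "EXCEPTION: duplicate presentment"  # same check cashed twice
        if key in self.voided:
            return "EXCEPTION: check voided"
        issued = self.issued.get(key)
        if issued is None:
            return "EXCEPTION: not on issued list"  # counterfeit or altered number
        if issued.amount != check.amount:
            return "EXCEPTION: amount mismatch"  # amount altered after issue
        self.paid.add(key)
        return "PAY"

def demo():
    # Constructed sample data; account and check numbers are placeholders.
    pp = PositivePay([Check("ACCT-001", 1001, Decimal("250.00")),
                      Check("ACCT-001", 1002, Decimal("1200.00")),
                      Check("ACCT-001", 1003, Decimal("75.50"))])
    pp.void("ACCT-001", 1003)  # 1003 was cancelled after issue
    presented = [Check("ACCT-001", 1001, Decimal("250.00")),    # legitimate
                 Check("ACCT-001", 1001, Decimal("250.00")),    # presented twice
                 Check("ACCT-001", 1002, Decimal("12000.00")),  # amount altered
                 Check("ACCT-001", 1003, Decimal("75.50")),     # voided
                 Check("ACCT-001", 1004, Decimal("999.00"))]    # never issued
    return [pp.present(c) for c in presented]
```

Running `demo()` shows one check paid and four exceptions; in practice the exceptions would go to the company for a pay or return decision.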

So there you have it, some controls that you can use to mitigate your overall risk when conducting any online banking transactions. If you have any questions or want to discuss your specific situation, contact us!
