One of the biggest areas where we see attacks is the business online banking customer. There has been a marked increase in attempts to compromise these accounts, primarily to abscond with the funds in them, but also to commit identity theft. Many of these attacks use phishing and malware to steal user credentials, because the truth is that while online banking services offer many security controls, not all businesses take advantage of them, and the business itself can be a much softer target than the financial institution.
We realize that for each company, not every control is feasible or even possible in every situation. The recommendations below reflect what we see in banking environments as best practices, and each should be reviewed before implementation. The key is not to rely on any one security control, but to use an approach called “defense in depth”, in which multiple overlapping security controls together lower the organization's risk.
o Token Access – A token prevents non-authorized personnel from conducting transactions, or even logging in to online banking, even with a valid username and password. At a minimum, tokens should be required for high-risk transactions, but they can also be required for login. If the client wishes to perform transactions at any location other than the workstations described above, the recommendation is to require token access for login as well as for transactions.
o Time Restrictions – If the financial institution offers this ability, you can restrict the days of the week or times of day during which access is allowed. This can be a useful control because many unauthorized transactions and access attempts occur outside regular business hours. Compass realizes that this also means legitimate access is suspended during those times. The recommendation is to start with a narrow restriction and watch for impact: for example, when possible, block access between midnight and 5 AM and see whether there is any business impact. If there is, remove or modify the restriction.
o Location Restrictions – If the financial institution offers this ability, you can restrict the locations from which access is allowed. The advantage is that only authorized locations can process transactions, eliminating the chance of someone logging in from elsewhere. Because of the “always on” nature of business today, this can be a difficult control to implement. If the workstations are kept off the local network, this control would limit login to those workstations alone, which may not work for snowstorms and other events where remote access is necessary. If the workstations remain on the network, remote access might be granted to employees, and this control would then limit online banking access to the client's own locations. In the latter layout, token-based login access control is critical.
o System Alerts – Receiving alerts on processed transactions can be a critical security control. Ensure that the alerts go to multiple people, so that vacations do not prevent an alert from being received and it can be responded to in a timely manner.
o Positive Pay – Positive Pay is an automated fraud detection tool offered by the Cash Management Department of most banks. In its simplest form, it is a service that matches the account number, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by the company. Anything not on the list is not processed.
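As an added illustration (example code, not part of Compass's post or any bank's system), here is the core Positive Pay matching rule described above: each presented check is matched on account number, check number and dollar amount against the company's issued list, and anything that does not match is held as an exception. The check data is constructed sample input, and the duplicate-presentment rule goes slightly beyond the text by also flagging a check that matches but has already been paid once.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    account: str      # account number the check is drawn on
    number: int       # check serial number
    amount: Decimal   # dollar amount; Decimal avoids float rounding


def positive_pay(issued, presented):
    """Match presented checks against the issued list.

    Returns (pay, exceptions): checks cleared for payment, and
    (check, reason) pairs the bank should hold for the company's review.
    """
    issued_index = {(c.account, c.number): c for c in issued}
    already_paid = set()
    pay, exceptions = [], []
    for chk in presented:
        key = (chk.account, chk.number)
        if key not in issued_index:
            exceptions.append((chk, "not on issued list"))
        elif issued_index[key].amount != chk.amount:
            # Issued check number, but the amount was altered or misread
            exceptions.append((chk, "amount mismatch"))
        elif key in already_paid:
            # Same check presented a second time (copy or re-deposit)
            exceptions.append((chk, "duplicate presentment"))
        else:
            already_paid.add(key)
            pay.append(chk)
    return pay, exceptions


# Constructed sample data: the company's issued-check file for the day
ISSUED = [
    Check("1001", 5001, Decimal("1250.00")),
    Check("1001", 5002, Decimal("89.95")),
    Check("1001", 5003, Decimal("4400.00")),
]

# Constructed sample data: checks the bank received for payment
PRESENTED = [
    Check("1001", 5001, Decimal("1250.00")),  # clean match
    Check("1001", 5002, Decimal("890.95")),   # amount altered
    Check("1001", 5004, Decimal("300.00")),   # never issued
    Check("1001", 5001, Decimal("1250.00")),  # presented twice
    Check("1001", 5003, Decimal("4400.00")),  # clean match
]

if __name__ == "__main__":
    cleared, held = positive_pay(ISSUED, PRESENTED)
    print("pay:", [c.number for c in cleared])
    for chk, reason in held:
        print(f"hold #{chk.number} for ${chk.amount}: {reason}")
```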
So there you have it: some controls you can use to mitigate your overall risk when conducting online banking transactions. If you have any questions or want to discuss your specific situation, contact us!