Is it time for small businesses to quit using online banking?

It seems that every week Brian Krebs profiles another small business that has had money transferred from their accounts to the accounts of bad guys and money mules. Many of these companies are just plain out of luck when this happens. If the bank can’t reverse the transfers before the money leaves the other account then for the most part the company can just wave bye to their money. I’ll let Brian tell it since he’s done so much research on this.

Businesses do not enjoy the same protections afforded to consumers hit by online fraud. With credit cards, consumer liability is generally capped at $50. Consumers who report suspicious or unauthorized transactions on their ATM or debit card, or against their online banking account, within two days of receiving the bank statement that reflects the fraud are also limited to $50 in losses. But waiting longer than that can cost consumers up to $500 (the liability is unlimited if a consumer waits more than 60 days to report the fraud).

Businesses have no such protection from fraudulent transfers. Generally speaking, banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by this type of online banking fraud.

Many, including Krebs, recommend a dedicated PC or a Live CD for online banking. This is a good idea, but it has its drawbacks. Depending on the accounting program the company uses and the extent of its online banking activity, the dedicated PC may need access to data on the network, which opens avenues of attack. A dedicated PC is still on the network, and so it is exposed to other compromised systems on that network for as long as it is up and running. Isolating the system on its own subnet or VLAN is a good idea, but that requires someone who knows how to make it work.
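One concrete way to do the isolation the paragraph above asks for, without touching the switch at all, is a host firewall on the dedicated banking PC itself: drop every inbound connection from the LAN and allow outbound traffic only to the resolver and to the bank's HTTPS front end. The script below is an added example, not from the original post or from any product it mentions. The bank addresses (203.0.113.10 and .11) and the resolver (192.0.2.53) are constructed placeholders; the real bank IPs must be looked up and kept current, and the generated file should be reviewed before it is loaded with `nft -f`.

```shell
#!/bin/sh
# Added example (not part of the original post): nftables host lockdown
# for a dedicated online-banking PC.
#
# Assumptions (constructed, not from the page): the bank's web front end
# resolves to the two IPv4 addresses in BANK_IPS, and DNS_SERVER is the
# resolver the business controls.  Replace both before using for real.
BANK_IPS="203.0.113.10, 203.0.113.11"   # constructed sample addresses
DNS_SERVER="192.0.2.53"                  # constructed sample resolver

# Print the ruleset to stdout so it can be read before it is ever loaded.
gen_banking_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet banking {
    set bank_v4 {
        type ipv4_addr
        elements = { $BANK_IPS }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Nothing else on the LAN may open a connection to this box; this
        # is the "other compromised systems on the network" case.
        log prefix "banking-pc-in-drop " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # DNS only to our own resolver, HTTPS only to the bank.
        ip daddr $DNS_SERVER udp dport 53 accept
        ip daddr @bank_v4 tcp dport 443 accept
        # Any other outbound attempt (a dropper phoning home, a "quick"
        # visit to some other site) is logged and blocked.
        log prefix "banking-pc-out-drop " drop
    }
}
EOF
}

# Write the ruleset to the given path.  If nft is installed and we are
# root, also run its syntax check (nft -c) without applying the rules.
# Returns non-zero if generation or the check fails.
write_and_check() {
    out="$1"
    gen_banking_ruleset > "$out" || return 1
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$out" || return 1
    fi
    return 0
}

# Usage (as root, after reviewing the file):
#   write_and_check /etc/nftables.d/banking.nft && nft -f /etc/nftables.d/banking.nft
```

The default-drop `output` chain is what distinguishes this from an ordinary desktop firewall: a trojan that does land on the box cannot reach its command-and-control server or fetch a second stage, and the log prefix gives you something to grep for. It does not replace the Live CD (malware on a persistent OS still sits between the user and the bank); it shrinks what that malware can do with the network.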

A Live CD is even better if all you do is “traditional” online banking where you log in, transfer balances between accounts, pay bills, etc….

The biggest problem with both of these ideas is the human element. They only work if the people doing the banking actually follow the procedure every time: caring enough to spend the extra minutes booting the dedicated PC or the Live CD, and never once logging in from their regular work PC "just to check something".

So, considering that small businesses often have fewer security controls in place, have little or no security staff, have no awareness programs, and do not enjoy the same protections as consumers, maybe it is time they went back to old-fashioned, face-to-face banking.

3 thoughts on “Is it time for small businesses to quit using online banking?”

  1. Using LiveCDs or dedicated systems is definitely fine; in fact they’re suggestions based on the real issue: don’t use that system for regular web browsing.

    I think these companies have two weaknesses, both of which are rooted in people. First, people choose poor passwords and poor security questions which can be guessed. Second, people go to their banking sites on the same system they browse random sites on the web (or open email-attached PDF files), attracting malware, and exposing their sessions/credentials/system that way.

    I think an attacker popping a network, the accounting app, and then the actual system is a bit exotic, though certainly not impossible. These endpoints are still the easiest target.

  2. Andy:

    one of our OEM partners had embedded the WiKID token into a hardened browser. They used WiKID for two-factor session authentication and for mutual https authentication. They have validity checks in the browser to detect tampering, etc. So, right now it stops phishing, network-based MITM attacks and malware such as Zeus.

    It won’t stop Zeus forever, granted, but we are also working on transaction authentication/signing using the public keys in WiKID. This would require the malware to attack both the PC and wireless device. Not undoable, but it sure buys you some time.

    Unfortunately, the banks have to be involved in rolling out such a product. In the meantime, a live CD or virtual instance is the way to go.


  3. If a small business was to go back to doing face to face banking, the effort and time it would require would be more than the effort of obtaining, booting from and learning how to access via a live CD. As such, I would recommend the time be spent on learning how to do that if I was queried.

