It seems that every week Brian Krebs profiles another small business that has had money transferred from its accounts to the accounts of bad guys and money mules. Many of these companies are just plain out of luck when this happens. If the bank can't reverse the transfers before the money leaves the receiving account, then for the most part the company can wave goodbye to its money. I'll let Brian tell it since he's done so much research on this.
Businesses do not enjoy the same protections afforded to consumers hit by online fraud. With credit cards, consumer liability is generally capped at $50. Consumers who report suspicious or unauthorized transactions on their ATM or debit card, or against their online banking account, within two days of receiving the bank statement that reflects the fraud are also limited to $50 in losses. But waiting longer than that can cost consumers up to $500 (the liability is unlimited if a consumer waits more than 60 days to report the fraud).
Businesses have no such protection from fraudulent transfers. Generally speaking, banks will work with commercial customers to try to reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What's more, banks are under no obligation to reimburse commercial customers victimized by this type of online banking fraud.
Many, including Krebs, recommend a dedicated PC or a Live CD for online banking. This is a good idea but it has its drawbacks. Depending on the accounting program the company uses and how much of its banking it does online, the dedicated PC may need access to data that lives on the network (the accounting database, exported payment files, shared drives), and every such connection is a path by which a compromised machine can reach it. Even without that, a dedicated PC is still on the network and therefore exposed to attack from other compromised systems on the same LAN for as long as it is powered on. Isolating the system on its own subnet or VLAN, with a firewall that only lets it talk to the bank, is the right fix, but it requires someone who knows how to make that work, and most small businesses don't have that person.
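To make the isolation concrete, here is what "only lets it talk to the bank" looks like as a host firewall on the dedicated machine. This is an added example, not something from the post or from Krebs; it assumes a Linux host running nftables, and the addresses (bank web front end 203.0.113.10, local resolver 192.0.2.53, NTP server 192.0.2.123) are documentation-range placeholders you would replace with your own.

```nftables
#!/usr/sbin/nft -f
# Host firewall for a dedicated online-banking PC (example, not from the post).
# Assumed placeholders: replace with the real bank, DNS and NTP addresses.
flush ruleset

define BANK_WEB   = 203.0.113.10   # bank's HTTPS front end (assumed)
define DNS_SERVER = 192.0.2.53     # local resolver (assumed)
define NTP_SERVER = 192.0.2.123    # time source, so TLS certificate dates validate (assumed)

table inet banking {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Nothing else on the LAN may open a connection to this host:
        # no SMB, RDP, remote-management agents or print sharing.
    }

    chain forward {
        # This is a workstation, never a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $DNS_SERVER udp dport 53 accept
        ip daddr $DNS_SERVER tcp dport 53 accept
        ip daddr $NTP_SERVER udp dport 123 accept
        ip daddr $BANK_WEB   tcp dport 443 accept
        # Everything else, including the rest of the LAN, plain HTTP and any
        # other web site, is dropped and logged so that a "just checking
        # something" visit shows up in the logs.
        log prefix "banking-pc-blocked " drop
    }
}
```

Two caveats before copying this. First, many banks sit behind a CDN or a pool of load balancers, so the front end may not be a single stable address; in that case enforce the restriction at the switch (the VLAN plus an ACL, or a proxy that allows only the bank's hostname) rather than by IP on the host. Second, with the output chain this tight the machine cannot fetch operating-system or browser updates on its own, so somebody has to own a maintenance window in which the rules are relaxed, patches applied, and the rules restored. Both are exactly the "someone who knows how to make that work" problem above, and they do not go away just because the rules fit on one screen.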
A Live CD is even better than a dedicated PC if all you do is "traditional" online banking, where you log in, transfer balances between accounts, pay bills, and so on: it boots clean every time, keeps nothing between sessions, and never needs the network data that an accounting package would.
The biggest problem with both of these ideas is the human element. They only work if the people doing the banking actually take the steps needed to stay safe every single time. It requires that they care enough to spend the extra time and effort to boot up the dedicated PC or use the Live CD. It requires that they never quickly log in from their everyday work PC "just to check something", because one such login from an infected machine is all it takes.
So considering that small businesses often have fewer security controls in place, little or no security staff, no awareness programs, and none of the protections consumers get, maybe it's time they went back to old-fashioned face-to-face banking.