April 6, 2010

One bit of criticism I’ve heard about my stories on small businesses losing their shirts over online banking fraud is that I don’t often enough point out what banks and customers should be doing differently to lessen the chance of suffering one of these incidents. As it happens, a source of mine was recently at a conference where one of the key speakers was a senior official from the Office of the Comptroller of the Currency, one of the main banking industry regulators.

The official had been asked to speak about steps that banks and businesses can take to stem the rash of online banking fraud against small to mid-sized businesses. The speaker was trying to get across to financial institutions the types of security measures that bank examiners will be looking for in upcoming inspections. But the highlights of his talk offer sound advice for businesses as well, and they give company owners some ideas about key questions to ask when shopping around for a bank that takes customer security seriously.

According to my source, the OCC official stressed the following points:

  • Authentication (including token based/one-time password generators) is only one layer of control. Out of band (also being called 3rd factor) verification such as call backs, fax, etc…  is still highly recommended.
  • Businesses and banks should require dual controls.
  • Establish and monitor exposure limits.  You may want to consider 2 limits – lower limits for authentication only, higher limit with out-of-band verification.
  • Set up alerts to your customers so they know when a transaction has been initiated.
  • Have a relatively low limit (less than 9K) for daily reporting.
  • Monitor for “money mule” activity, typified by the presence of one or more of the following:
    • New accounts that are opened by a customer with a small deposit, followed shortly by one or more large deposits by ACH credit or wire transfer.
    • An existing account with a sudden increase in the number and dollar amounts of deposits by ACH credit or wire transfer.
    • A new or existing account holder that withdraws a large amount of cash shortly after a large deposits (often 5%-10% less then the deposit).
  • Examiners will be looking at this hard at your next exam: They will be looking for a combination of controls; authentication, verification, limits, risk management and monitoring.
  • Educate your customers but do not rely on customer controls.
  • Recommend to customer that they set up a single use computer specifically for online banking and nothing else.
  • Don’t let marketing “over promise” and “under deliver”. For example, “Business banking on-line, anywhere, anytime at the touch of the key” encourages customers to not worry about security (i.e. connecting onto unsecured wireless networks).
  • Have an Incident Response plan specifically for situations of this type.
  • The FBI is interested. There are currently more than 250 ongoing investigations. If your bank/customer experiences an ACH attack, contact the Cyber Supervisor at the local FBI office. They have been given guidance in how to respond and report.

Additionally, Gartner fraud analyst Avivah Litan says banks should be moving to adopt one or more of the following measures to defeat today’s attacks against online banking customers:

-Fraud detection that monitors user access behavior and alerts customers to activity that deviates significantly from their normal online banking activity, such as unusually high transaction values.

-Out-of-band user transaction verification, such as sending the customer a one-time passcode via mobile phone (SMS) text message.

Finally, the U.S. Department of Justice, the New York State Intelligence Center, the New York State Police, the U.S. Secret Service and others issued a joint alert last month entitled Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks, which contains a great deal of useful information and security tips.

Further reading:

Online Thieves Take $205,000 Bite Out of Missouri Dental Practice
Organized Crooks Hit NJ Town, Ark. Utility
eBanking Victim? Take a Number.
Cyber Crooks Leave Traditional Bank Robbers in the Dust

Crooks Crank Up Volume of E-Banking Attacks
Victim Asks Capital One, ‘Who’s in Your Wallet?’
Regulators Revisit E-Banking Security Guidelines
N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss
IT Firm Loses $100,000 to Online Bank Fraud
Comerica Phish Foiled 2-Factor Protection
Hackers Try to Steal $150,000 from United Way
A Tale of Two Victims
Texas Bank Sues Customer Hit by $800,000 Cyber Heist
Cyber Crooks Cooked the Books at Fla. Library
Money Mules Helped to Rob W. Va. Bank
FBI Investigating Theft of $500,000 from NY School District
Buried Warning Signs

14 thoughts on “e-Banking Guidance for Banks & Businesses

  1. Rob

    Good to read that the OCC is preaching a layered approach. An OCC contact of mine recently told me that he was not aware of any issues or vulnerabilities with token based security systems. He further stated that his fellow examiners were also under the impression that token based authentication was generally the most secure method available.

    It seems that the bank examiners are catching up. An official written communication to banks would be a nice follow up.

  2. Stephen Northcutt

    I have an experimental boat being delivered next week and they told me I could pay the balance to the driver with a check, but I am 6,000 miles away. They would not take a credit card; wanted a wire transfer. The only online account I could think of to do it was Charles Schwab. They do not have two factor ( RSA) though e-trade does; most of my stock trading was e-trade. However, I noticed a few security steps.

    1.) They had my cell phone on file and noted I was calling from my cell phone.
    2.) They do the standard “mother’s maiden name”, I try to have a different maiden name for each account and try to make them as obscure as possible.
    3.) All transfers done online are one time only and each one is approved by someone.
    4.) They put a delay in the system, you can actually set it up for today or tomorrow, and then they send you an email letting you know you are doing a wire transfer. Since there is a delay, if you check your email if it was fraudulent you would have a chance to stop it.

    And thanks for asking, the boat is a variation on this: http://www.littlerivermarine.com/heritage-18-classic/ in carbon fiber with a sailing rig 🙂 They say the two happiest days in a sailor’s life are the day they take ownership of a boat and the day they sell it, but I am hoping I have found a friend for life.

  3. MGD

    While it would be difficult for most small business entities to function without using online ACH transactions, doing so without the availability of online wire transfers should not be an issue for many. Wire transfers and ACH transfers are not the same. Up to some time ago some regional banks did not even have online wire transfer capability. Small businesses should notify their banks to block the ability to make online wire transfers. In some cases that ability can be toggled on and off from an online menu, so it is vital to notify the bank to have it disabled.

    Also, small business entities should review their commercial insurance to see if they have coverage for this form of fraud. Insurance with limits is available, and should be considered as part of an overall business liability plan.

    Business bank accounts with online capability should be reconciled daily, so that banks can be formally notified of potential fraudulent transactions within the mandated 48 hour period.

  4. Ilo

    I remain shocked that advice can get this involved and detailed but still lack one simple obvious recommendation:

    Do NOT use computers running any version of Windows OS.

    If you aren’t already familiar with alternatives, just get a Macintosh. Avoiding Windows is only part of a layered defense, but in the current environment it is one of the best things you can do.

  5. Mezzrow

    You can go to Bankrate.com to find out the financial condition of your bank. It would be a great service if someone also kept a database of how good banks’ electronic security is–I’d give anything to know how my bank scores on this. From what I’ve read in your blogs, it’s usually sadly deficient.

  6. Chris

    Thank you Ilo for finally stating the obvious!! WHY on earth is this being kept so quiet? It makes me start to wonder if Microsoft really does have a gag on the media. Seriously folks, why is this so complicated? If you run Mac or Linux the odds are highly in your favor. Before all the M$ fans go berserk, I will state the obvious, any OS is exploitable, but, what are the crooks exploiting right now? Monkeys, no, Parrots, no, Linux, no…….Windows browsing the web with Internet Explorer, YES!! If your massively bleeding, first action item is to prevent more bleeding, then worry about how you got hurt. Install Chrome browser, install Ubuntu, buy a Mac, do anything but run Windows/IE at your business.

    BTW, excellent coverage Mr Krebs, you are THE only place I am reading about money being hemorrhaged out of small businesses/Governments bank accounts. Printing out your blog posts and laying them on my potential customers desks is the best selling point I could ever ask for. And yes I am migrating small businesses over to Ubuntu/Google Apps, keep your money in the bank, literally since both are free AND secure.

    1. qka

      Our host, Mr. Krebs, has recommended this solution, and in new articles he frequently includes links back to his articles describing this approach in detail.

      I wonder why folks thought they had to vote down Ilo.

      1. xAdmin

        “I wonder why folks thought they had to vote down Ilo.”

        Simply switching to another OS is NOT a panacea! Most people understand this and thus feel making the suggestion is disingenuous at best or worse view it as fanboyism. Either way, it elicits a negative response.

        1. chris

          Yes your correct switching the OS will not give you 100% security against these types of financial attacks, but its something, anything to greatly reduce your vulnerability. Not running your Windows user with Admin privileges also block 100% of IE8 and MS Office attacks, (at least on Vista 7) and who does that? No OS is 100% secure, if it was coded by humans, it can be exploited by humans.

          The better question is if your one of these small businesses or towns that is at risk of losing hundreds of thousands of dollars, why wouldn’t you run your banking on a Linux box? Is it worth 100k to run Windows? What is the logic there? Is Windows the only OS that can get a browser to open? Telling people to run an OS that is at the root of 100% of these exploits, isnt that kinda M$, security blinders firmly attacked to head fanboy?

          Yes migrating an entire organization or city to Linux would be a major undertaking, but simply dedicating ONE Linux box for accessing anything online that is financial, that is a very simple solution to greatly reduce your exposure. How is protecting your hard earned money by running a secure OS fanboyism? Try calling any of the number of small businesses that have been reported on by Mr. Krebs that have lost money they earned, and tell them to continue to run Windows, see what kind of response you get.

          Also, do you have any stats that show any businesses that have been a victim to this type of attack, that were NOT running Windows/IE?


          1. xAdmin

            I’ll be succinct:

            1. Switching to a different operating system or using a Live CD is throwing the baby out with the bath water and does not address the underlying security issues inherent in these cases. It may provide a level of security (one layer), but it’s doing so by obscurity and risks providing a false sense of security. The real solution here involves understanding and implementing a multi-layered defense or what is called defense in depth (which includes the end user). In every one of these cases, I suspect this was NEVER done.

            2. It’s not as simple as just using a browser for online banking as you suggest. Many have invested in accounting software that only works on Windows. So, switching to another OS is not feasible or practical. Considering the investment they have in their current infrastructure, it would be more practical and cost effective to properly secure and operate their existing infrastructure. Again, why throw out the baby with the bath water?

  7. Other Chris


    Why use an anonymous source to report on what an unnamed guy from the OCC said at an unnamed conference?

    When I see two layers of anonymity around what some bank regulator (allegedly) said, my “plausible deniability” detector starts working overtime. What conference? What official? Why the anonymity?

    FWIW, I think the advice you report was said to have been offered is quite good – this comment is entirely about methods.

    1. infosec_pro

      @Other Chris – I think Brian has some good reasons for not going into attribution details.

      I am speaking as someone who has been an anonymous source to Brian on other issues (not this story), whose employer would be extremely sensitive about attribution even though the information I sourced was from prior experience. I’d rather see error on the side of caution over putting well meaning supporters at needless risk just for superficial credibility.

      As far as naming the conference, if Brian did not attend it’s second hand anyway, what does it matter?

      As for naming the OCC guy, if Brian did not talk to him and does not have any public record from the conference to associate him with the information, it seems inappropriate to attribute. It would’ve been nice if Brian could’ve followed up with a personal interview, but a lot of bureaucrats are leery of speaking to reporters (see my comment about my own situation for a clue).

      Personally I think Brian’s handling of the attribution was perfect, given the circumstances. The link to the joint alert seems sufficiently well attributed, if you’re worried that he’s making stuff up.

      1. Other Chris

        Thanks for your thoughtful reply. My concern is that manipulative sources can game the system and inject disinformation, or that honest sources can themselves be manipulated and thus used as conduits for baloney. Obviously, reporters don’t want to burn an honest source (such as yourself), but that needs to be balanced against being a used as an unwitting mouthpiece for The Man.

  8. JCitizen

    For those with questions about solutions to the problem; just keep an eye on Brain’s articles; he has reported several of them already.

    After reading a recent article from Michael Kassner on Tech Republic; I was convinced that we should be watching developments on another promising solution by Invincea, that easily creates a hardware VM to house the Internet Explorer browser for clients both inside and outside banking and business.


    I’m sure you would have to have a supported CPU; but I don’t know what the costs are going to be.

    I do not work for any single individual or company. I only am interested in promoting web-security, however we can acquire it.

Comments are closed.