What if you checked your business banking account and found it seriously depleted, with thousands of dollars missing? Call your bank? Question your employees? Call the police? You could do all of the above, but most likely the bank will report that the money was wired out of your account using your company's own banking credentials. Malware on a computer used to access the account may have captured those credentials, and thieves may have used them to move the funds out of your business accounts.
How does this happen?
Malware gets onto computers through direct downloads (someone opening an email attachment or choosing to download an application from a website) or through drive-by downloads, in which the software is installed just by visiting a compromised or malicious website or clicking a pop-up window, typically by exploiting an unpatched browser or plug-in. If the machine is unpatched or has no anti-malware software protecting it, the odds are much greater that the download will not be stopped and the malware will install and lurk on the machine.
Banking malware watches browser activity for visits to banking or investment websites and uses a keystroke logger to capture credentials such as the user ID and password. It sends those credentials back to the attackers, who log in to your business banking account and wire funds out to accounts they control, often offshore.
What is my recourse with the Bank?
Shocking, but my bank will make me whole again, right? My personal credit card was stolen before and I only had to pay $50.00. My personal debit card number was lifted in a big-box retailer breach, and I didn't lose any money. But the protections consumers enjoy do not carry over to the business world. Regulation E, which implements the Electronic Fund Transfer Act, limits a consumer's liability when a card or account is compromised. It protects consumers, not businesses.
Article 4A of the Uniform Commercial Code (UCC 4A), which governs wire transfers, does limit a customer's liability for a transfer it did not authorize, but the conditions are hard to meet. If the bank's security procedure is a "commercially reasonable method of providing security against unauthorized entries," and the bank accepted the payment order in "good faith" (honesty in fact and observance of reasonable commercial standards of fair dealing) and in compliance with that procedure, then a transfer that passed the security procedure is deemed authorized by the business, even though it was a thief, not the business, who actually sent it.
The business customer escapes liability only if it proves that the transfer was not caused, directly or indirectly, by the business or its employees or agents, by a person with access to the business's facilities, or by a person who obtained information from a source the business controlled.
That is extremely difficult to prove when the transfer was initiated with the business's own credentials (user ID and password) from the machine the business normally uses, because a keylogger on that machine is, for this purpose, a source the business controlled. The bank will ask how it was supposed to know the user was not the business. The compromise happened on the customer's side, not at the bank.
Legally, the bank is not required to make your business whole. Your credentials were compromised, the bank's wire/ACH transfer system worked as designed (it was not hacked), and your money is gone.
Has this really happened?
Unfortunately yes, many, many times. Here are just a few of those publicized:
- December 2014: $374,000 from a PNC bank account belonging to a plastics company in Pennsylvania, and $190,800 from the bank account of an assisted-living facility in Pennsylvania.
http://www.cnbc.com/id/101730783
- August 2011: $561,000 lost by Sterling Heights, Michigan-based Experi-Metal Inc.; $63,000 lost by Green Ford Sales of Kansas.
- May 2012: Kingsport, Tenn.-based Tennessee Electric Company, Inc. (now TEC Industrial) was the target of an account takeover in which cyber thieves siphoned $192,656.54 out of the company's accounts at TriSummit Bank.
http://krebsonsecurity.com/category/smallbizvictims/
The list of affected businesses is long, and many cases are never publicized. Some companies have sued their bank to recover their losses, but most have not won, and the legal fees and time involved are enough to deter many business owners from trying.
How do I protect my company?
What your Bank can do for you
If your financial institution does not offer protections against malware and credential theft, switch to one that does. Look for banks that provide tools such as Trusteer Rapport, a bank-distributed endpoint agent that locks down the browser session used for business banking against tampering by malware. These are usually downloaded to your machines free of charge, with instructions on how to run the program whenever you access the business banking site. They reduce the risk but do not remove it, so treat them as one layer alongside the other measures below.
Some financial institutions offer tokens as a second login factor (multifactor authentication) for their business banking site. In addition to a user ID and password, the token generates a one-time code that the user must enter to log in. The code changes every 30 to 60 seconds, so a code grabbed by a keystroke logger is useless once that window passes. It does not, however, stop malware that hijacks the already logged-in browser session, which is one reason the dedicated banking machine recommended below still matters.
Banks can also provide customer-controlled limits on wires and ACH transfers, and dual control, requiring a call-back to a known phone number or a second, separately authenticated employee to approve the transaction before it is released.
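The value of those controls is that one stolen set of credentials is no longer enough. The following is an added, illustrative model of such a policy (not from the article and not any bank's actual API): a hard per-transfer cap, a daily aggregate cap, and dual control above a threshold, with the rule that the person who initiated a transfer cannot be the one who approves it. The `TransferPolicy` and `Transfer` names, the limits and the sample transfers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass
class Transfer:
    transfer_id: str
    initiator: str             # user whose credentials submitted the order
    amount: Decimal
    beneficiary: str
    submitted: datetime
    status: str = "pending"    # pending -> released | rejected
    approver: Optional[str] = None


class TransferPolicy:
    """Customer-set outbound transfer controls (illustrative, not a bank's API)."""

    def __init__(self, per_transfer_limit: Decimal, daily_limit: Decimal, dual_control_above: Decimal):
        self.per_transfer_limit = per_transfer_limit
        self.daily_limit = daily_limit
        self.dual_control_above = dual_control_above
        self.transfers: Dict[str, Transfer] = {}

    def _committed_today(self, day: date) -> Decimal:
        # Count pending as well as released orders so a queue of pending
        # transfers cannot blow through the daily cap once approved.
        return sum((t.amount for t in self.transfers.values()
                    if t.submitted.date() == day and t.status != "rejected"), Decimal(0))

    def submit(self, t: Transfer) -> str:
        if t.amount <= 0 or t.amount > self.per_transfer_limit:
            t.status = "rejected"                       # hard per-transfer cap
        elif self._committed_today(t.submitted.date()) + t.amount > self.daily_limit:
            t.status = "rejected"                       # daily aggregate cap
        elif t.amount > self.dual_control_above:
            t.status = "pending"                        # needs a second person
        else:
            t.status = "released"
        self.transfers[t.transfer_id] = t
        return t.status

    def approve(self, transfer_id: str, approver: str) -> str:
        t = self.transfers[transfer_id]
        if t.status != "pending":
            return t.status
        if approver == t.initiator:
            return "pending"   # segregation of duties: no self-approval
        t.approver, t.status = approver, "released"
        return t.status


def demo() -> List[str]:
    """Thief holding only alice's credentials tries to move money out."""
    policy = TransferPolicy(Decimal("50000"), Decimal("75000"), Decimal("10000"))
    now = datetime(2015, 3, 2, 9, 30)  # constructed timestamp
    steps = [
        policy.submit(Transfer("w1", "alice", Decimal("5000"), "vendor-a", now)),      # released
        policy.submit(Transfer("w2", "alice", Decimal("40000"), "offshore-x", now)),   # pending
        policy.approve("w2", "alice"),                                                  # still pending
        policy.approve("w2", "bob"),                                                    # released
        policy.submit(Transfer("w3", "alice", Decimal("40000"), "offshore-x", now)),   # rejected: daily cap
        policy.submit(Transfer("w4", "alice", Decimal("60000"), "offshore-x", now)),   # rejected: per-transfer cap
    ]
    return steps


if __name__ == "__main__":
    print(demo())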
What you can do to protect your business
- Every company machine must have up-to-date antivirus and firewall software installed, correctly configured and running. There are many free and low-cost products available, so there is no excuse for leaving business machines unprotected against malware.
- Keep operating systems and software applications patched and up to date on all business machines by enabling automatic security updates.
- Do NOT use a smartphone for business banking. Mobile malware is common, many people never install phone updates, and carriers and manufacturers are often slow to ship them. Mobile anti-malware software is also less capable than its PC counterpart because of platform restrictions. Social engineering by text message and email is easier on a phone, where people tend to be less suspicious. Many banks send email or text alerts about account activity; do not reply to these or follow their links, since they can be forged to send you to a site that delivers malware. If an alert worries you, open the bank's site by typing its address or call the number on your statement. http://blog.kaspersky.com/faketoken-2014q1/
- Do not do business banking from a public wireless hotspot at a hotel, coffee shop or airport unless you are using a VPN that encrypts all of your traffic.
- Never use a shared machine or kiosk at a hotel, airport or other business. If you don’t control the machine, don’t bank from it.
- As a best practice, isolate business banking, financials, accounting, etc. to one machine, one that is patched and protected with firewall and antimalware software and do not access the internet for mail or web from this machine. Watch YouTube videos and check Facebook from a personal PC, not a business machine.
- Train your employees not to open attachments or download files from unknown or unexpected sources, whether they arrive by email or from a web page.
- Purchase cyber liability insurance from a reputable insurer to cover losses from hacking, and confirm that the policy covers funds transfer fraud, which is often excluded or sold as a separate endorsement.
You work hard to grow and support your business. Don’t lose your hard earned money to a thief. Take similar steps to protect your assets in the cyber realm as you would with physical locks, bars and alarms for your business. Understanding the limitations of your business banking relationship is the first step.
Melissa McCoy