Brian Krebs (http://www.krebsonsecurity.com/) talked about bank fraud and security. This generally starts with an email attachment (ZeuS) and ends with a company’s money in the Ukraine or Russia. Brian talked about both the computer issues and the human issues – with a fascinating discussion of the mules used to move the money.
Some of the common attacks (in Europe, at least, not seeing it in the US yet) include form field injection, session riding, balance manipulation, and attacks hitting consumers, rather than heavily secured commercial accounts.
Red flags for banks – 10-20 new employees added to payroll, IP address weirdness.
Advice – disallow batches that deviate from standard format (revise banking contract), request low-tech verification, access accounts only from non-windows machine (excellent idea-get a dedicated Netbook with Mac or Linux installed), get involved and write your lawmaker, require 2 signoffs for wire transfers.
What’s coming? more litigation between banks & victims, lots of smaller cases coming up, guidance from FFIEC on transaction monitoring/analysis guidelines, Bill from Rep. Schumer -S3898 to offer schools & consumers same protections as companies.
Online banking is not secure for small organizations. Banks need to inform customers of risks and sell risk mitigation services.
Categories
