≫ e-Banking Guidance for Banks & Businesses

One bit of criticism I’ve heard about my stories on small businesses losing their shirts over online banking fraud is that I don’t often enough point out what banks and customers should be doing differently to lessen the chance of suffering one of these incidents. As it happens, a source of mine was recently at a conference where one of the key speakers was a senior official from the Office of the Comptroller of the Currency, one of the main banking industry regulators.

The official had been asked to speak about steps that banks and businesses can take to stem the rash of online banking fraud against small to mid-sized businesses. The speaker was trying to get across to financial institutions the types of security measures that bank examiners will be looking for in upcoming inspections. But the highlights of his talk offer sound advice for businesses as well, and they give company owners some ideas about key questions to ask when shopping around for a bank that takes customer security seriously.

According to my source, the OCC official stressed the following points:

Authentication (including token based/one-time password generators) is only one layer of control. Out of band (also being called 3rd factor) verification such as call backs, fax, etc… is still highly recommended.
Businesses and banks should require dual controls.
Establish and monitor exposure limits. You may want to consider 2 limits – lower limits for authentication only, higher limit with out-of-band verification.
Set up alerts to your customers so they know when a transaction has been initiated.
Have a relatively low limit (less than 9K) for daily reporting.
Monitor for “money mule” activity, typified by the presence of one or more of the following:
- New accounts that are opened by a customer with a small deposit, followed shortly by one or more large deposits by ACH credit or wire transfer.
- An existing account with a sudden increase in the number and dollar amounts of deposits by ACH credit or wire transfer.
- A new or existing account holder that withdraws a large amount of cash shortly after a large deposits (often 5%-10% less then the deposit).
Examiners will be looking at this hard at your next exam: They will be looking for a combination of controls; authentication, verification, limits, risk management and monitoring.
Educate your customers but do not rely on customer controls.
Recommend to customer that they set up a single use computer specifically for online banking and nothing else.
Don’t let marketing “over promise” and “under deliver”. For example, “Business banking on-line, anywhere, anytime at the touch of the key” encourages customers to not worry about security (i.e. connecting onto unsecured wireless networks).
Have an Incident Response plan specifically for situations of this type.
The FBI is interested. There are currently more than 250 ongoing investigations. If your bank/customer experiences an ACH attack, contact the Cyber Supervisor at the local FBI office. They have been given guidance in how to respond and report.

Additionally, Gartner fraud analyst Avivah Litan says banks should be moving to adopt one or more of the following measures to defeat today’s attacks against online banking customers:

-Fraud detection that monitors user access behavior and alerts customers to activity that deviates significantly from their normal online banking activity, such as unusually high transaction values.

-Out-of-band user transaction verification, such as sending the customer a one-time passcode via mobile phone (SMS) text message.

Finally, the U.S. Department of Justice, the New York State Intelligence Center, the New York State Police, the U.S. Secret Service and others issued a joint alert last month entitled Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks, which contains a great deal of useful information and security tips.