We all expect our bank to indemnify us against criminal activity, but that’s being challenged now, and we may not be protected at all in the future.
The Wall Street Journal recently led with a story about Sign Designs, a small company in California who’d had their on-line account just about emptied: $100k sent to 17 mystery people, all added illicitly as payees the previous day. By the time their bank could react, $48k had already been picked up by “money mules,” people recruited to shuttle money for on-line crime groups, typically in Eastern Europe.
However, the bank said it isn’t responsible for the losses, because the bank’s security had not been breached: the hackers had planted a Trojan inside Sign Designs’ systems that stole their online-banking credentials.
Sign Designs’ President wasn’t pleased: “[How am I] going to solve this? I’m going to take on these Russian thieves? Clearly I’m not going to do it.”
“Small businesses are really in a bind,” says Avivah Litan, an analyst at Gartner Inc. “They need to protect themselves.”
Fotec Advice: Take this opportunity to review your IT security policies. Here are some questions to ask of your IT Manager or supplier about basic IT best practice:
- Are our Firewall and Anti-Virus tools properly configured and up to date?
- Is our browser security set to high?
- When did we last remind employees to never respond to phishing emails?
- Do we have a computer that does nothing but access our bank account? (Best practice is that it should do nothing else: no email, no Web surfing, and not connected to the local network.)
- Could we use an obscure computer operating system such as Ubuntu, or an obscure Web browser such as Opera (because attackers rarely create malware for them)?
And further, here are some questions to ask about your specific banking controls:
- Is it possible (or practical) for each transaction to require the approval of two people?
- Is it possible to put a daily limit on how much money can be transferred out of our account?
- Is it possible to insist that all transfers are prescheduled by phone or confirmed via phone call or text message?
- Is it possible to impose restrictions on adding new payees?
And finally, just in case, how much is our insurance cover for fraud losses?
For more details, just call 0845 601 6480.