Businesses enjoy several financial perks when it comes to taxes and profit. However, they also get railroaded when it comes to financial security. For small businesses, those shortcomings can lead to layoffs and even closure. Yet, do they have only themselves to blame?
Security author and analyst Brian Krebs is at it again, with yet another story of a small business owner who was raked over the coals by criminals online.
Krebs’ latest report centers on a business owner who normally did most of the company banking via a Macintosh computer. The story took an evil twist, when while at home sick, the owner used a Windows system to approve a few wire transfers. The result was a criminal takeover of the bank account and a loss of almost $100,000 USD.
The criminals gained access to the bank account because the Windows system was infected with Malware designed to capture usernames and passwords. [Read the full report from Krebs here.]
This report sparked a debate over Windows security vs. Macintosh security, yet that wasn’t the point of the story. Krebs’ comments that users and business owners should avoid banking on a Windows system is not a knock at Microsoft’s security efforts, it is acknowledgement that, as he wrote, all of the Malware targeting banking credentials “simply fails to run on anything other than Windows.”
Krebs is a strong supporter of using LiveCDs (Linux distributions that run fully from the CD-ROM) as an alternative to using Windows systems for banking. In addition, he has also supported using OS X. Both are viable options, and both would limit the attack surface caused by Malware designed for financial crime such as the Zeus Trojan.
He has written countless tales of school systems, city governments, and businesses who have all been victimized by financial Malware. In each story, the larger point is that the business owner who waits for or counts on the banks to provide better online security are fooling themselves and setting themselves up to be the next victim.
So should the responsibility fall to the business or to the bank for better protection? The problem is that businesses seem to face a double standard when it comes to financial security. When a consumer is the victim of fraud, the banks are for the most part quick to respond and help recover most of the cost, if not return all of the missing funds outright.
For businesses however, that friendly help is lacking in some cases, and completely missing in others.
When the Duanesburg Central School District was stripped of almost $3.8 million USD, the bank helped recover all by $497,000 USD. Yet, in the case of Little & King LLC, TDBank flatly refused to help recover more than $164,000 USD after the company’s owner was hijacked via the Zeus Trojan. The stance taken by TDBank was that since the owner’s computer was compromised, that absolved them from responsibility.
The Tech Herald spoke to Karen McCarthy, owner of Little & King LLC, and she said that to date, there has been a bit of a dispute with TDBank over the help they actually offered. While the bank did recover some of the lost funds, the exact amount recovered is debatable. Still, the ordeal is fresh in her mind, as it almost closed her business down completely.
Recently, TDBank sent her a letter explaining that her case related to the loss was closed. She’s investigating her options, but at this point there are no concrete decisions concerning legal action.
For some background information, and a different perspective on things, we talked to AirPatrol's CEO, Ozzie Diaz. He told us that the security market when it comes to SMBs is growing, and that there is a lot of solid research going on to protect small businesses, not only from financial attacks, but other threats as well that can target any given infrastructure.
“Small business is the most underserved entity in commerce,” Diaz noted. He explained that most of the businesses simply cannot afford the protections that many Fortune100s deploy, and when it comes to the security market as a whole, while vendors have small business units, the focus is really on the bigger companies.
At the same time, he also mentioned that many SaaS offerings some of the larger companies are moving to offer a scalability that both SMBs and financial institutions can benefit from.
When it comes to the common protections mentioned in relation to financial crime, things like one-time passwords or tokens are trivial for criminals to bypass. They help to a degree, but it only goes so far. If there is any ray of hope for the small business however, it will come from the research Diaz mentioned during our conversation.
Behavioral or information analytics “is huge” he said, adding there has been a good deal of research going on between private and public entities that are increasing the defensive posture against a lot of the threats small businesses face.
“Improving the defensiveness is the first goal,” Diaz explained, speaking to the aims small businesses need to focus on to prevent attacks.
There is a continual race between the time of attack and response. The researchers looking into the problem are focused on two areas. Limiting the time it takes to respond to a threat, and hardening defenses to prevent it in the first place.
From there, the analytical research will combine a defensive posture with a reactive one. Models for this are already in place, thanks to companies like 41st Parameter, which uses patterns and behavior to spot fraud as it takes place, if not prevent it altogether.
So there is hope down the road for SMBs worried about financial fraud, and banks worried about liabilities, but what about the here and now? Should banks be responsible to small businesses in the same way they are for regular consumers?
“Yes,” Diaz said when asked, adding that “but to what extent is the problem.” The fact remains that banking is a business, and with that comes risk, profit and loss. While banks need to protect their business clients just as well as they do normal clients, there are so many factors involved in the liability aspect of finance related crimes that it boggles the mind.
Frustrated SMBs need only to look to the regulators and lawmakers, perhaps to take a stand and demand action, as they are the ones who set policy and created the rules.
However, there are some patterns in the financial fraud reported by Krebs and other journalists that should be addressed by the banks immediately. Most notably is the fact that ACH (Automated Clearing House) transfers are simply too easy.
ACH transfers and BWT (Bank Wire Transfers) essentially refer to the same thing. Yet they are different. ACH transactions can take up to three days or so to complete, while BWT transactions can complete the same day.
Criminals use these processes within the banking industry to their advantage. ACH transfers, which allow money to move from one account to another, need only the account owner’s say so to transfer funds. There is some security in this process, but the criminals know that if the transferred amounts are under $10,000 USD or smaller, then they are less likely to be flagged.
Once they hijack an account, the criminals will send ACH transfers to other business accounts where mules - people who either knowingly or unknowingly work for the criminals - will move funds to other accounts or withdraw the received cash and forward it on.
Yet, how is it that a bank doesn’t notice when a business breaks their patterns? For example, ACH transfers to accounts that are either brand new or have never associated with a business before. When a new account processes volume transactions, and then starts shifting funds using BWTs or ACH transactions, why isn’t this questioned? Moreover, while some banks would flag these actions, why is it that there is no requirement for all banks to do so?
Krebs put it best when he said, “…any commercial banking security system that doesn't start with the premise that the customer's machine is already compromised doesn't stand a chance of defeating today's attacks.”
The banks will defend their monitoring and their security measures as a meeting in the middle. If a customer cannot move money with ease, they will go to a bank that will allow them to do so. So flagging every transaction will not work in the banks favor, yet something should be done. Banks are aware of the financial attacks on small businesses, but at the same time, the response to tighten the reigns has been painfully slow.
Have your say:
If you have read Krebs’ articles on financial attacks against small businesses, what do you think the banks should do? Is it fair to have them assume liability for the attacks? At what point should there be a cutoff where the bank is blameless and the business takes total ownership of the financial theft?