Businesses get the short end of the financial security stick

Businesses enjoy several financial perks when it comes to taxes and profit. However, they also get railroaded when it comes to financial security. For small businesses, those shortcomings can lead to layoffs and even closure. Yet, do they have only themselves to blame?

Security author and analyst Brian Krebs is at it again, with yet another story of a small business owner who was raked over the coals by criminals online.

Krebs’ latest report centers on a business owner who normally did most of the company banking via a Macintosh computer. The story took an evil twist, when while at home sick, the owner used a Windows system to approve a few wire transfers. The result was a criminal takeover of the bank account and a loss of almost $100,000 USD.

The criminals gained access to the bank account because the Windows system was infected with Malware designed to capture usernames and passwords. [Read the full report from Krebs here.]

This report sparked a debate over Windows security vs. Macintosh security, yet that wasn’t the point of the story. Krebs’ comments that users and business owners should avoid banking on a Windows system is not a knock at Microsoft’s security efforts, it is acknowledgement that, as he wrote, all of the Malware targeting banking credentials “simply fails to run on anything other than Windows.”

Krebs is a strong supporter of using LiveCDs (Linux distributions that run fully from the CD-ROM) as an alternative to using Windows systems for banking. In addition, he has also supported using OS X. Both are viable options, and both would limit the attack surface caused by Malware designed for financial crime such as the Zeus Trojan.

He has written countless tales of school systems, city governments, and businesses who have all been victimized by financial Malware. In each story, the larger point is that the business owner who waits for or counts on the banks to provide better online security are fooling themselves and setting themselves up to be the next victim.

So should the responsibility fall to the business or to the bank for better protection? The problem is that businesses seem to face a double standard when it comes to financial security. When a consumer is the victim of fraud, the banks are for the most part quick to respond and help recover most of the cost, if not return all of the missing funds outright.

For businesses however, that friendly help is lacking in some cases, and completely missing in others.

When the Duanesburg Central School District was stripped of almost $3.8 million USD, the bank helped recover all by $497,000 USD. Yet, in the case of Little & King LLC, TDBank flatly refused to help recover more than $164,000 USD after the company’s owner was hijacked via the Zeus Trojan. The stance taken by TDBank was that since the owner’s computer was compromised, that absolved them from responsibility.

The Tech Herald spoke to Karen McCarthy, owner of Little & King LLC, and she said that to date, there has been a bit of a dispute with TDBank over the help they actually offered. While the bank did recover some of the lost funds, the exact amount recovered is debatable. Still, the ordeal is fresh in her mind, as it almost closed her business down completely.

Recently, TDBank sent her a letter explaining that her case related to the loss was closed. She’s investigating her options, but at this point there are no concrete decisions concerning legal action.

For some background information, and a different perspective on things, we talked to AirPatrol's CEO, Ozzie Diaz. He told us that the security market when it comes to SMBs is growing, and that there is a lot of solid research going on to protect small businesses, not only from financial attacks, but other threats as well that can target any given infrastructure.

“Small business is the most underserved entity in commerce,” Diaz noted. He explained that most of the businesses simply cannot afford the protections that many Fortune100s deploy, and when it comes to the security market as a whole, while vendors have small business units, the focus is really on the bigger companies.

At the same time, he also mentioned that many SaaS offerings some of the larger companies are moving to offer a scalability that both SMBs and financial institutions can benefit from.

When it comes to the common protections mentioned in relation to financial crime, things like one-time passwords or tokens are trivial for criminals to bypass. They help to a degree, but it only goes so far. If there is any ray of hope for the small business however, it will come from the research Diaz mentioned during our conversation.

Behavioral or information analytics “is huge” he said, adding there has been a good deal of research going on between private and public entities that are increasing the defensive posture against a lot of the threats small businesses face.

“Improving the defensiveness is the first goal,” Diaz explained, speaking to the aims small businesses need to focus on to prevent attacks.

There is a continual race between the time of attack and response. The researchers looking into the problem are focused on two areas. Limiting the time it takes to respond to a threat, and hardening defenses to prevent it in the first place.

From there, the analytical research will combine a defensive posture with a reactive one. Models for this are already in place, thanks to companies like 41st Parameter, which uses patterns and behavior to spot fraud as it takes place, if not prevent it altogether.

So there is hope down the road for SMBs worried about financial fraud, and banks worried about liabilities, but what about the here and now? Should banks be responsible to small businesses in the same way they are for regular consumers?

“Yes,” Diaz said when asked, adding that “but to what extent is the problem.” The fact remains that banking is a business, and with that comes risk, profit and loss. While banks need to protect their business clients just as well as they do normal clients, there are so many factors involved in the liability aspect of finance related crimes that it boggles the mind.

Frustrated SMBs need only to look to the regulators and lawmakers, perhaps to take a stand and demand action, as they are the ones who set policy and created the rules.

However, there are some patterns in the financial fraud reported by Krebs and other journalists that should be addressed by the banks immediately. Most notably is the fact that ACH (Automated Clearing House) transfers are simply too easy.

ACH transfers and BWT (Bank Wire Transfers) essentially refer to the same thing. Yet they are different. ACH transactions can take up to three days or so to complete, while BWT transactions can complete the same day.

Criminals use these processes within the banking industry to their advantage. ACH transfers, which allow money to move from one account to another, need only the account owner’s say so to transfer funds. There is some security in this process, but the criminals know that if the transferred amounts are under $10,000 USD or smaller, then they are less likely to be flagged.

Once they hijack an account, the criminals will send ACH transfers to other business accounts where mules - people who either knowingly or unknowingly work for the criminals - will move funds to other accounts or withdraw the received cash and forward it on.

Yet, how is it that a bank doesn’t notice when a business breaks their patterns? For example, ACH transfers to accounts that are either brand new or have never associated with a business before. When a new account processes volume transactions, and then starts shifting funds using BWTs or ACH transactions, why isn’t this questioned? Moreover, while some banks would flag these actions, why is it that there is no requirement for all banks to do so?

Krebs put it best when he said, “…any commercial banking security system that doesn't start with the premise that the customer's machine is already compromised doesn't stand a chance of defeating today's attacks.”

The banks will defend their monitoring and their security measures as a meeting in the middle. If a customer cannot move money with ease, they will go to a bank that will allow them to do so. So flagging every transaction will not work in the banks favor, yet something should be done. Banks are aware of the financial attacks on small businesses, but at the same time, the response to tighten the reigns has been painfully slow.

Have your say:

If you have read Krebs’ articles on financial attacks against small businesses, what do you think the banks should do? Is it fair to have them assume liability for the attacks? At what point should there be a cutoff where the bank is blameless and the business takes total ownership of the financial theft?

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.