Monday, January 30, 2012

Business Online Banking Safety: A strong recommendation from the FBI

I present two topics on this subject for your reading pleasure.

1) Why small and medium business owners should be concerned about online banking, and what action steps the FBI, US Secret Service, the Internet Crime Complaint Center and the FS-ISAC recommend you take to reduce your risk exposure.

2) The specific steps for one method to lock down a secure workstation along with how you should use and respond to alerts once that machine is configured for safe use.

Unsafe Online Business Banking

Some time ago a recommendation by the FBI and the Banking Association was circulated to small and medium business owners. It never received much attention from press, but should have.

Banking fraud on business accounts has become rampant. Aside from insider crime, it's happening when the workstation you use to conduct banking via your browser is infected with malware that captures your account log-in credentials and transmits those credentials to an Internet server run by criminals. (It can also happen if you fall for email phishing attempts, but that's another story for another time.)

The really nasty part is if your computer -- the one that you used to access your bank -- was infected then the bank that serves your business accounts may not be willing (and depending on the judge, you might not succeed in compelling them) to cover your losses if criminals drain the account dry.

Go on now please, read this article. I'll wait . ..

Information Week: Who Bears Online Fraud Burden: Bank Or Business?

Back? Onward to the details then.

Here is the FBI press release:
Fraud Advisory for Businesses: Corporate Account Take Over
(Opens in new window, PDF format.)

Cyber criminals employ various technological and non-technological methods to manipulate or trick victims into divulging personal or account information. Such techniques may include performing an action such as opening an email attachment, accepting a fake friend request on a social networking site, or visiting a legitimate, yet compromised, website that installs malware on their computer(s).


Minimize the number of, and restrict the functions for, computer workstations and laptops that are used for online banking and payments. A workstation used for online banking should not be used for general web browsing, e-mailing, and social networking. Conduct online banking and payments activity from at least one dedicated computer that is not used for other online activity.

In short, they are telling us that the risk of malware on a business computer that is used for both online banking and normal web surfing has become too high to afford.

Their recommendation is that you set aside a special workstation that is ONLY used for online financial transactions, to known safe web banking addresses, and that it NEVER be used for email or web surfing anywhere but at your banks.

Do that, plus more:

I'm going to take that a step further and outline how you can further lock down any workstation to mitigate the risk of infection. This method works at home or work and - if your IT department does not already do it -- you should insist they consider the method.

Of note is that this works best with Windows 7, any flavor (Home, Pro, Ultimate).

1) On the designated workstation (or on all workstations if you want to increase safety for all users) create an Administrator account and grant it Administrator access in the Users Control Panel. I don't recommend you name the account Administrator. Call it some variation of AdminXYZ - make it unique to your company. This account MUST have a password, and if you feel safe in your office and trust your peers then it doesn't really have to be a super secure password, but of course . . . I do recommend you consider a strong password. If this is for a local domain, you should create a shared domain account and grant it local administrator permissions on all the member client workstations, but NOT on the server.

2) If you are setting up a new machine, install ALL your required software from that Administrator account. At a minimum, get decent Anti-Virus protection installed at this point.  You should also make sure the operating system is fully patched through current critical updates and service packs.  Finally, in Windows 7 at least, turn on Automatic Windows Updates and turn on the setting to "Allow All Users to install updates on this computer."

3) Log in as AdminXYZ and create your user accounts. Be certain to make the regular user account - the one you will use for work - a "Standard User." If your user accounts already exist, get into the Users Control Panel and DEMOTE all other users to "Standard User." Don't demote the AdminXYZ account . . . bad things may happen.

4) Open User Account Control Settings and make sure the slider is set to the highest level. I know you'll hate this, and you might have to back off a notch if you're running very old applications on Windows 7, but at least for your financial workstation this should be a requirement. For others, the second or third notch from the bottom may suffice.

5) That's it. When you use your workstation, always log into the machine with your normal user account. Only use the AdminXYZ account when you need to install something, or update an application.

Now if you do this on Windows 7 - there's a very cool feature that makes doing an occasional application update relatively easy. When you get the notice that your update requires permission, you'll be presented with the option of entering in an Admin account and password. No need to log off or switch users, Windows 7 will open a shell under that admin account to run the update. Other applications (like your browser) that are open will still be protected by your limited access account.

Usage and preventing social hacks to your system:

Once you have this setup correctly - use your system as recommended for its role. If this is the workstation from which you will access your banking/credit accounts then I strongly recommend you restrict its use as described by the fraud advisory notice I linked above. If this is your normal workstation, then practice safe surfing and smart email habits. Otherwise use as normal for your work.

Once a month or so you might see a request for admin access pop for Windows Update. You might also see such an alert for other updates to your specific applications.

If you know you are updating something, it's generally okay to grant that permission.

But here's where the protection kicks in. In almost every case if you inadvertently land on a malicious website, or open that ill-advised email hosting a virus, you'll see this alert asking for admin level permissions pop up in your face.



Terminate that sucker!

Be mindful of what you're doing when that alert pops. You KNOW you were not installing something. If you see that alert while browsing the web, you can be certain it's something uninvited trying to install itself. But you've got your system set to TELL you before it happens. Click NO. Close your browser or email, and don't go there again.

There are some viruses that can still cause minor damage on a protected account though, what about those?

If you suspect/know that your limited account has been compromised, and you did NOT allow the infection admin access (you did say no to that alert, didn't you?) then the virus is restricted to your profile. Here's what to do:

Restart the machine.

Log into the AdminXYZ account - NOT your user account.

Run a full anti-virus scan and let it clean things up.

Now try logging into your account, should be in good condition again.  If not, then you might have to backup all the documents under the infected profile, erase the profile, and restore the data.  So far at least - in those rare cases where something does infect a profile on a prepared workstation -- this method has prevented me from having to completely reformat and reinstall the infected operating system on that workstation.

No comments:

Post a Comment

Comments are welcome but moderated to prevent spam links. I usually check them at least once a day in the evenings - so please be patient with me if your comment does not appear quickly.

Thank you.