Use a dedicated computer for online banking transactions to stay safe, say the Federal Bureau of Investigation (FBI) and American Bankers Association – but that alone won’t cut it if businesses really want to protect themselves from cybercriminals.
Security experts agree that setting aside a computer solely for online banking won’t improve security unless a business takes some other basic measures to protect against Internet threats.
The advice from American authorities came around the New Year, prompted by the relentless rise in the use of trojans specifically designed to steal money from bank accounts.
The advice was that small and medium-sized businesses set aside one computer for all of their online banking. But that won’t necessarily help, says James Quin, senior research analyst with London, Ont.-based Info-Tech Research Group.
“The likelihood the dedicated banking computer is going to be any more secure than the other devices in the office is low,” he says. “The best solution to keeping online banking safe is keeping anti-malware installed and up to date.”
Cupertino, Calif.-based security vendor Symantec Corp. is giving similar advice. It conducted a worldwide survey of businesses and received 1,425 responses in February 2009, and found one-third of companies did not have antivirus software installed. This despite the importance businesses place on computer security.
“It is kind of shocking when you see those numbers,” says Kevin Haley, director of Symantec Security Response. “When it came right down to taking the time, the effort, and the money, not everyone did that.”
Even antivirus software is just a start, he adds. Symantec has changed the name of its products to reflect that more than antivirus is included. Businesses should also be running anti-spyware, anti-malware, firewalls and e-mail filtering services.
Using a highly secure computer for online banking might improve security, Haley says, comparing it to a lock box used for petty cash.
But there are cheaper alternatives to get the same effect, such as a virtual session that would secure the transactions, or booting from a system disk to complete transactions.
Small businesses do have real cause for concern. The FBI says it investigated more than 200 cases in 2008 and 2009 of cybercriminals making $100 million in fraudulent transactions. They got away with $40 million worth.
Trojan toolkits, such as Zeus, are freely available on the Web with a simple Google search. A criminal with even a low skill level could use these services to infect computers and steal information or gain access to bank accounts.
“The vast majority of security breaches are the result of the exploitation of known vulnerabilities,” Quin says. “In almost all cases, security patches exist for these known vulnerabilities. Keeping up on security patches is the number one security practice every business should adopt.”
Symantec recommends users set up as much automated updating as possible, Haley says.
For its part, the Canadian Bankers Association has not issued any such recommendations to Canadian businesses.
It does provide information on its Web site about safe online banking practices. It warns against phishing scams and suggests protecting PCs with anti-virus, anti-spyware, and firewall products from trusted vendors.
Several Canadian banks are recommending customers use Trusteer Rapport when banking online. The software works on a security model that assumes the computer is already infected and protects sensitive information by encrypting it from keyboard to network. Keylogger software reading the information would only receive useless information. Rapport also authenticates banking Web sites to help avoid phishing scams.
Free antivirus software can be downloaded from several companies on the Web, including Microsoft Security Essentials, AVG, and Avira Antivirus. But these free licences aren’t a good option for small businesses, Quin says.
“They also have no central management capabilities,” he says. “Managing even a handful of computers individually can really cause administrative headaches and so business should probably avoid them anyway.”
Many other vendors of business-class products offer software through online downloads.