As small businesses conduct more of their transactions online and from mobile devices, the shift widens the opening for cyber thieves to strike and drain commercial accounts in one fell swoop.
Consumers enjoy stronger protection under Federal Reserve Regulation E, which requires banks to reimburse certain fraud losses; that protection does not extend to business and commercial accounts.
At best, the Uniform Commercial Code offers some relief: a bank can be held liable if it did not institute “commercially reasonable” security procedures to protect against fraud. However, what counts as commercially reasonable remains ambiguous, and banks tend to have the upper hand in drafting those procedures, which may shorten the window a business has to report fraud.
For business members at credit unions, that means they must be proactive in protecting their own accounts.
“The strongest method for protecting authentication to an online business bank account, or any online account for that matter, is to use two-factor authentication,” said Mike Angelinovich, CEO of OHVA Inc., a security service provider in San Jose, Calif. “That means having two of the three factors protecting your account—something you know, have, or are.”
By this, Angelinovich said, the user enters the “something you know” factor on an on-screen keypad, which unlocks the “something you have” factor issued by the credit union; the user's client then automatically generates a dynamic, encrypted response that is sent to the authentication server for validation, without human intervention.
Layers of firewalled protection are getting thicker as hackers continue to come up with ways to breach business accounts. According to the 2013 Association of Financial Professionals Payments Fraud and Control survey of 625 cash managers, analysts and directors, 61% of businesses reported fraud in 2012. Of those organizations, 87% reported check fraud, followed by 29% reporting corporate and commercial purchasing card fraud, 27% reporting ACH debit fraud, 11% with wire transfer fraud and 8% with ACH credit fraud.
According to the AFP survey, the typical financial loss from payments fraud was $20,300 in 2012. Larger companies were targeted more often, the survey also reported: 67% of organizations with annual revenues above $1 billion reported fraud, compared with half of those with revenues below $1 billion.
Among the most common vulnerabilities are compromised or weak passwords, malware- or virus-infected PCs, data stolen from employees, shared account credentials, the absence of internal audits or procedures to limit the damage a rogue administrator can do, and data leakage when data is extracted and used off premises, said Jon Freeman, president/CEO of Mycroft, a New York-based provider of IT security, identity, access management and regulatory compliance services.
When asked if credit unions and other financial institutions can expect business account breaches to increase, Freeman said unfortunately, yes.
“Many institutions are not meticulous enough in their policies as they neglect to balance user experience with security. As a result, they'll lean heavily towards the overall user experience,” Freeman said. “The security is always an afterthought and there is a larger amount of data to be secured than there are people who can do the securing.”
Some businesses are also slow to enact a data sensitivity policy, meaning a classification of which types of data require which kinds of safeguards, Freeman explained.
“Security is a reaction to a breach, not to prevent a breach of data,” he offered.
The $1.4 billion Anheuser-Busch Employees’ Credit Union and its division, American Eagle Credit Union, have used OHVA's services since 2007, according to David Gray, manager of electronic services at the cooperatives based in St. Louis. For security reasons, he did not go into details about how accounts are protected but he did say members are offered the highest level of safety available.
The credit unions use an OHVA service that validates the authentication server and is monitored at both the client and server ends, Angelinovich said. Once validated, the service must return a software token to the original source before granting access to an online bank account, for instance.
“Without this level of multifactor authentication for business accounts, they are sitting ducks waiting to be hacked by today's malware-carrying Trojan exploits that steal everything a user enters to access an account,” Angelinovich noted.
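The two passages above describe the same flow: a known factor unlocks a possessed factor, the client answers the server automatically, and the client checks the server before trusting it. The following is an added example written for this page, not OHVA's product or code. It models that flow as an HMAC challenge-response: a PIN (something you know) unwraps a device-held enrolment secret (something you have), the server proves it knows the same secret before the client answers, and every nonce is single-use. The scheme, the PBKDF2/XOR key wrapping, the message formats and the constructed secret are assumptions; a real deployment would use a hardware token or an authenticated key-wrap, but the properties it demonstrates (a keylogged PIN alone is useless, and a captured response cannot be replayed) are the ones the quotes are about.

```python
"""Challenge-response two-factor login with a PIN-unlocked device secret.

Added illustrative example, not OHVA's product: "something you know" (a PIN)
unlocks "something you have" (a device holding a secret provisioned at
enrolment); the client answers a fresh server challenge automatically after
first checking that the server itself knows the secret. Scheme, key wrapping
and message formats are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Constructed enrolment secret shared by the device and the server (32 bytes).
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def pin_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from the PIN (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Device:
    """Something you have: stores the secret XOR-wrapped under the PIN key.

    Any PIN unwraps *something*, so the device offers no offline oracle for
    guessing the PIN; a wrong PIN just yields responses the server rejects.
    """
    def __init__(self, secret: bytes, pin: str):
        self.salt = os.urandom(16)
        key = pin_key(pin, self.salt)
        self.wrapped = bytes(a ^ b for a, b in zip(secret, key))

    def unwrap(self, pin: str) -> bytes:
        key = pin_key(pin, self.salt)
        return bytes(a ^ b for a, b in zip(self.wrapped, key))


class AuthServer:
    """Holds each user's enrolment secret and one outstanding nonce per user."""
    def __init__(self, secrets_by_user: dict):
        self.secrets = secrets_by_user
        self.pending = {}

    def challenge(self, user: str):
        """Issue a fresh nonce plus proof that the server knows the secret."""
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        proof = hmac.new(self.secrets[user], b"server|" + nonce, "sha256").digest()
        return nonce, proof

    def verify(self, user: str, response: bytes):
        """Nonce is single-use: a replayed response finds nothing pending."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return None
        expected = hmac.new(self.secrets[user], b"client|" + nonce, "sha256").digest()
        if hmac.compare_digest(expected, response):
            return secrets.token_hex(16)      # session token
        return None


def client_respond(device: Device, pin: str, nonce: bytes, proof: bytes):
    """Client side: unlock the secret with the PIN, validate the server, answer."""
    secret = device.unwrap(pin)
    expected_proof = hmac.new(secret, b"server|" + nonce, "sha256").digest()
    if not hmac.compare_digest(proof, expected_proof):
        return None     # server (or the PIN) is wrong: reveal nothing
    return hmac.new(secret, b"client|" + nonce, "sha256").digest()


def login(server: AuthServer, user: str, device: Device, pin: str):
    """Full exchange; returns (session_token_or_None, response_sent)."""
    nonce, proof = server.challenge(user)
    response = client_respond(device, pin, nonce, proof)
    if response is None:
        server.pending.pop(user, None)   # abandon the challenge
        return None, None
    return server.verify(user, response), response


def demo():
    """Exercise the cases a keylogging Trojan creates; returns outcomes."""
    server = AuthServer({"bakery": DEVICE_SECRET})
    device = Device(DEVICE_SECRET, pin="4711")
    token, response = login(server, "bakery", device, "4711")
    wrong_pin, _ = login(server, "bakery", device, "0000")
    # Attacker keylogged the PIN but holds no enrolled device.
    stolen_pin, _ = login(server, "bakery", Device(os.urandom(32), "4711"), "4711")
    # Attacker captured the legitimate response and replays it.
    replay = server.verify("bakery", response)
    return {"correct": token is not None, "wrong_pin": wrong_pin is None,
            "stolen_pin_no_device": stolen_pin is None, "replay": replay is None}


if __name__ == "__main__":
    print(demo())
```

Note that the client checks the server's proof before computing its own response, so a phishing site that does not know the secret never receives anything it could forward; a wrong PIN fails the same check, so the client cannot tell the two cases apart and leaks nothing either way.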
Freeman agreed, saying a good security practice is built on a framework that covers potential vulnerabilities. Some methods to apply include multifactor and risk based authentication, stringent password policies, account certification, firewall rules, separation of consumer and business data, audit tracing and strong data encryption for data at rest, he suggested.
“While these are not in any particular order, these factors along with others should be incorporated within the security practice. Each scenario presents different challenges, thus, the methods deployed will vary,” Freeman said.
Having the necessary protections in place to thwart business account attacks is one thing. Detecting fraud on a business account is another challenge, because transaction amounts are, on average, large and the velocity of transactions is high, said John Walsh, president/CEO of SightSpan Inc., a Mooresville, N.C.-based global management consulting group and a member of the Association of Certified Financial Crime Specialists Task Force on threat finance in Miami.
With more than 25 years of experience in the financial services sector in the United States, the Middle East, Europe and Latin America, Walsh is considered an industry leader in financial crime risk management, financial institution and corporate security, anti-money laundering and combating terrorist financing.
“If a credit union sees an out-of-state transaction for 10 flat-screen televisions on a bakery business account, that may be suspicious,” Walsh said. “Money wired to high-risk locations like Russia or Eastern Europe may also be uncommon for domestic business accounts.”
A sophisticated transaction monitoring solution, or at smaller credit unions a diligent manager, has to fully understand each individual business account to pick out a single irregularity and potentially fraudulent activity from mountains of legitimate transactions, Walsh said.
“Small business owners are often very busy running their business, not monitoring their accounts,” Walsh said. “They may only reconcile accounts on a monthly or quarterly basis. Analyzing historical behavior and scoring each transaction in real time is the best way to determine the risk any individual transaction may represent.”
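Walsh's two examples (out-of-state televisions on a bakery account, a wire to an unusual destination) and his recommendation to score each transaction against historical behaviour can be shown concretely. The block below is an added example written for this page, not SightSpan's or any vendor's product: it builds a profile from one account's own history and scores each new transaction in real time on amount deviation, new geography, high-risk destination, new category or channel, and velocity. The weights, the hold threshold, the high-risk country list and the 60-day bakery history are all constructed assumptions.

```python
"""Per-account behavioural scoring of business transactions.

Added example (not SightSpan's or any vendor's product): each account gets a
profile built from its own history, and every new transaction is scored in
real time against that profile. Weights, thresholds and the high-risk
country list are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: the institution's own policy list; the article names Russia and
# Eastern Europe as uncommon destinations for domestic business accounts.
HIGH_RISK_COUNTRIES = {"RU"}
HOLD_THRESHOLD = 50          # score at or above which a transaction is held
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 3           # this many prior txs in the window is unusual


@dataclass(frozen=True)
class Tx:
    ts: datetime
    amount: float
    channel: str      # card, ach_debit, wire
    category: str     # merchant category or payment purpose
    country: str
    region: str       # state for US, "" otherwise


def build_profile(history):
    """Summarise what is normal for this one account."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,   # avoid division by zero on flat history
        "places": {(t.country, t.region) for t in history},
        "categories": {t.category for t in history},
        "channels": {t.channel for t in history},
    }


def score_transaction(profile, recent, tx):
    """Return (score 0-100, reasons). `recent` is this account's last few txs."""
    score, reasons = 0, []
    z = (tx.amount - profile["mean"]) / profile["std"]
    if z > 3:
        score += 40
        reasons.append(f"amount {z:.1f} sd above this account's baseline")
    if (tx.country, tx.region) not in profile["places"]:
        score += 20
        reasons.append(f"first activity from {tx.country}/{tx.region or '-'}")
    if tx.country in HIGH_RISK_COUNTRIES:
        score += 40
        reasons.append(f"destination {tx.country} is on the high-risk list")
    if tx.category not in profile["categories"]:
        score += 15
        reasons.append(f"new category {tx.category}")
    if tx.channel not in profile["channels"]:
        score += 15
        reasons.append(f"account has never used channel {tx.channel}")
    burst = [r for r in recent if tx.ts - r.ts <= VELOCITY_WINDOW]
    if len(burst) >= VELOCITY_LIMIT:
        score += 20
        reasons.append(f"{len(burst) + 1} transactions within {VELOCITY_WINDOW}")
    return min(score, 100), reasons


def decide(profile, recent, tx):
    score, reasons = score_transaction(profile, recent, tx)
    return ("hold" if score >= HOLD_THRESHOLD else "allow"), score, reasons


# Constructed 60-day history for a bakery: daily in-state card purchases,
# a weekly wholesale ACH debit and bi-weekly payroll, all in Missouri.
BASE = datetime(2013, 3, 1, 9, 0)
HISTORY = []
for day in range(60):
    ts = BASE + timedelta(days=day)
    HISTORY.append(Tx(ts, 60 + (day * 37) % 120, "card", "grocery", "US", "MO"))
    if day % 7 == 0:
        HISTORY.append(Tx(ts, 850.0, "ach_debit", "wholesale", "US", "MO"))
    if day % 14 == 0:
        HISTORY.append(Tx(ts, 2400.0, "ach_debit", "payroll", "US", "MO"))
PROFILE = build_profile(HISTORY)
NOW = BASE + timedelta(days=61)

# The article's examples, as constructed transactions.
NORMAL = Tx(NOW, 95.0, "card", "grocery", "US", "MO")
TEN_TVS = Tx(NOW, 8500.0, "card", "electronics", "US", "TX")
RISKY_WIRE = Tx(NOW, 15000.0, "wire", "supplier", "RU", "")
BURST = [Tx(NOW + timedelta(minutes=m), 40.0, "card", "grocery", "US", "MO")
         for m in range(4)]


def demo():
    """Score the constructed transactions; returns {name: (decision, score)}."""
    out = {}
    for name, tx in (("normal", NORMAL), ("ten_tvs", TEN_TVS), ("risky_wire", RISKY_WIRE)):
        d, s, _ = decide(PROFILE, [], tx)
        out[name] = (d, s)
    d, s, _ = decide(PROFILE, BURST[:3], BURST[3])
    out["burst"] = (d, s)
    return out


if __name__ == "__main__":
    for name, tx in (("normal", NORMAL), ("ten_tvs", TEN_TVS), ("risky_wire", RISKY_WIRE)):
        print(name, *decide(PROFILE, [], tx))
    print("burst", *decide(PROFILE, BURST[:3], BURST[3]))
```

The point of scoring against the account's own baseline rather than a global rule is visible in the results: $8,500 of electronics from another state is held on this bakery account even though the same purchase might be routine for a retailer, while a short burst of small in-state purchases earns a velocity flag but stays below the hold threshold, which is the kind of tuning an analyst would adjust per account.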
Point-of-sale skimming devices and massive data breaches like the ones seen at processors recently pose a difficult-to-detect risk.
“The only way for an individual bank or credit union to detect those types of breaches is, again, through the use of transaction monitoring solutions that can analyze a massive amount of data to find similarities between compromised accounts,” Walsh advised.
The most effective way to manage money laundering and threat finance risk is to educate staff and provide ongoing training so they are aware of known techniques for the illicit transfer of funds, to maintain well-documented policies, and to review procedures periodically to ensure those policies are being adhered to, Walsh suggested. The board of directors and CEO need to sign off on the overall approach and need to be engaged, he added.
As simple as it sounds, just ensuring that a business member is not using the same passwords on different sites can go far in protecting their accounts, said Anisha Sekar, vice president of credit and debit products at NerdWallet, a personal finance and credit card comparison website. Credit unions can also offer email alerts if transactions go over a certain, set amount, she advised.
In addition to being a member of a credit union, Sekar said she also has accounts at a couple of banks. What she has noticed is that all of the financial institutions are using the same security questions.
“Probably without realizing it, they're enabling their own fraud,” Sekar said about credit unions and banks. “Users should be allowed to come up with their own security questions. Passwords should be changed every quarter or every half year.”
As an account comparison site that includes nearly 500 credit unions in its NerdWallet search engine, Sekar said the company's team has seen a lot of traditional account hacks and employee fraud.
“Fraud is hard to prevent and has always existed. You just have to stay one step ahead.”