My editors were not the only ones surprised that the very conservative American Bankers Association has come out with a warning for small and mid-sized businesses cautioning them to only use a dedicated PC for online banking.
Jennifer Bayuk was also shocked. Bayuk is the former chief information security officer at Bear Stearns. She is well-known and well-respected as a security consultant, speaker and author on tech security topics. I’m just finishing reading her latest work, Enterprise Security for the Executive: Setting The Tone From The Top.
After reading my report on how cyber-robbers are intensively targeting small business online banking accounts, Bayuk went hunting for a copy of the ABA’s new guidance at the organization’s Web site. She could find nothing.
“I was actually surprised to see that the ABA put out this type of warning because member banks don’t usually publicly address this issue,” says Bayuk.
Also hard to find, unless you know a banker willing to share, is an official copy of the source document of the ABA’s warning, which was issued last August by the Financial Services Information Sharing and Analysis Center. Senior ABA officials sit on the board of directors of FS-ISAC. The strongly-worded advisory cautions small and mid-sized organizations never to use a PC dedicated to Internet banking for e-mail or Web browsing.
Getting the banking industry to go on-the-record
The existence of the FS-ISAC document was revealed in a scoop by Brian Krebs, formerly of the Washington Post’s Security Fix blog, now writing independently at Krebsonsecurity.com. Gartner banking security analyst Avivah Litan subsequently cited the FS-ISAC warning in her Aug. 31, 2009 white paper, Major Financial Services Firms Call Online Banking Dangerous.
But it wasn’t until LastWatchdog asked the ABA to clearly state whether Internet banking is considered safe for small and mid-sized organizations that the ABA, whose member banks control 95% of the $13.5 trillion in assets held by the U.S. banking industry, issued a carefully worded public stance. Here’s the full response from Doug Johnson, Vice President and Senior Advisor for Risk Management:
- “ABA serves on the FS-ISAC board and helped develop the recent NACHA/FS-ISAC/FBI alert regarding unauthorized ACH transfers affecting small and medium sized businesses, agencies and organizations. ABA, along with the financial services community, developed precautions that we have communicated with all member banks. Small- and medium-sized businesses are strongly advised to heed the guidance issued by their banks. The fraudulent transactions represent a very small portion of the millions of safe and successful ACH transactions conducted daily by businesses across the country. However, ABA is actively monitoring the situation and believes that commercial bank customers can safely utilize online banking by taking the precautions outlined in the alert.”
Keep in mind that the ABA’s public stance has long been that online banking is completely safe and, in fact, makes banking safer since customers do not have to wait for a monthly statement to arrive in the mail to monitor for suspicious activity. The major safety benefit, according to ABA, is that customers can check their account balances in real time via the Internet.
LastWatchdog also asked the ABA to elaborate on the rationale that it should be largely left up to small and mid-sized organizations to take full responsibility for keeping any PC used for Internet banking free of banking Trojans. Johnson’s full answer:
- “Each bank sets its own policy regarding a business customer’s liability related to unauthorized electronic transfers. The banking industry is committed to protecting all customers – including businesses – from the fraudulent activities of criminals. Therefore, banks urge business customers to be aware of their responsibility to keep computers used for online banking free of malicious programs. The American Bankers Association has encouraged member banks to distribute to their business customers guidance developed by the FBI and the financial industry on how to guard their computers against unauthorized security breaches. Specifically, ABA recommends that business customers always initiate ACH or wire transfers under dual control, with one person initiating the transaction and another person approving it. Such controls can greatly reduce the risk of unauthorized transactions made possible by a breach of computer security.”
The reality is small organizations have “no clue that they’re not protected, and that’s the problem,” says Litan. The threat is so great that Litan has been counseling her acquaintances who operate small businesses to go a step further than dedicating a PC to online banking. Litan advises small business owners to drop commercial online accounts and move to an individual consumer account.
The services that come with a consumer account will be limited; you won’t be able to administer payroll online, for instance. But if you do get victimized by a cyber-robber, the banks are compelled by consumer protection laws to make you whole. Not so with a commercial account.
“The bottom line is even if it’s a one in 1,000 or even one in 20,000 chance of your accounts getting ripped off, the chances of you getting the money back using a commercial account is about 50%, because the banks simply do not have to reimburse you,” says Litan.
Anomalous transfers overlooked
Hillary Machinery, a heavy equipment manufacturer based in Dallas and Houston, recently learned this the hard way.
In November 2009 cyber-robbers executed multiple wire transfers and ACH transactions destined for Russia, the UK and elsewhere, says company spokesman Troy Owen. “Several hundred thousand was taken, internal transfers made, and multiple ACHs made before the bank had any clue.”
The unauthorized transfers were “completely out of the range of our normal banking activity,” he says. “Several of the wires were sent overseas and our accounts were specifically set up NOT to wire overseas.”
The crooks used a staging bank or clearing house bank in New York before wiring the stolen funds to offshore accounts. Hillary Machinery’s bank managed to stop or retrieve most of the funds, except for $200,000. Thus far the bank has refused to take responsibility for any losses, says Owen.
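The two controls the article touches on, dual control on outbound transfers (Johnson’s answer above) and an account profile that rules out overseas wires (the setting Owen says Hillary Machinery had in place), can be expressed as a simple pre-release policy check. The code below is an added example, not code from LastWatchdog, the ABA, FS-ISAC or any bank; the account profile, transfer records, amount history and the 3-sigma amount threshold are all constructed for illustration.

```python
"""Transfer-policy checks a business bank account could apply before releasing funds.

Added example (not code from the article, the ABA or any bank). It models:
  * dual control: a transfer needs a second, different person to approve it
  * destination policy: a domestic-only account rejects international wires,
    and any destination outside the customer's usual set is flagged
  * amount profile: an amount far above the account's recent history is flagged
All thresholds and sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Set, Tuple


@dataclass
class AccountProfile:
    allow_international: bool        # False == "set up NOT to wire overseas"
    approved_destinations: Set[str]  # ISO country codes this customer normally pays
    history_amounts: List[float]     # recent legitimate transfer amounts (constructed)
    sigma_threshold: float = 3.0     # how far above the norm counts as anomalous


@dataclass
class Transfer:
    amount: float
    dest_country: str
    initiated_by: str
    approved_by: Optional[str] = None


def check_transfer(profile: AccountProfile, t: Transfer) -> List[str]:
    """Return the policy violations for one transfer; an empty list means release it."""
    findings: List[str] = []

    # Dual control: an approver must exist and must not be the initiator.
    if t.approved_by is None:
        findings.append("dual-control: no second-person approval")
    elif t.approved_by == t.initiated_by:
        findings.append("dual-control: initiator and approver are the same user")

    # Destination policy: hard block on overseas wires for domestic-only accounts,
    # otherwise flag destinations the customer has never been set up to pay.
    if t.dest_country != "US" and not profile.allow_international:
        findings.append(
            f"destination: international wire to {t.dest_country} on a domestic-only account"
        )
    elif t.dest_country not in profile.approved_destinations:
        findings.append(f"destination: {t.dest_country} not in approved destinations")

    # Amount profile: compare against the account's own recent history.
    if len(profile.history_amounts) >= 2:
        mu = mean(profile.history_amounts)
        sd = pstdev(profile.history_amounts)
        if sd > 0 and t.amount > mu + profile.sigma_threshold * sd:
            findings.append(f"amount: {t.amount:.2f} far above recent norm (mean {mu:.2f}, sd {sd:.2f})")

    return findings


def review_batch(profile: AccountProfile, transfers: List[Transfer]) -> List[Tuple[int, List[str]]]:
    """Run every transfer in a batch through the checks; return (index, findings) for the flagged ones."""
    flagged = []
    for i, t in enumerate(transfers):
        findings = check_transfer(profile, t)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed profile: a domestic-only business account that normally pays a few
# thousand dollars per transfer to U.S. payees.
SAMPLE_PROFILE = AccountProfile(
    allow_international=False,
    approved_destinations={"US"},
    history_amounts=[4200.0, 3900.0, 5100.0, 4600.0, 4400.0],
)

# Constructed batch: one routine payment followed by two transfers of the kind
# the article describes (large, overseas, never approved by a second person).
SAMPLE_BATCH = [
    Transfer(4500.0, "US", "alice", "bob"),
    Transfer(85000.0, "RU", "alice"),
    Transfer(60000.0, "GB", "alice"),
]

if __name__ == "__main__":
    for idx, findings in review_batch(SAMPLE_PROFILE, SAMPLE_BATCH):
        print(f"transfer #{idx} held:")
        for f in findings:
            print("  -", f)
```

Each check is independent, so a transfer that is overseas, oversized and single-approved is held on all three grounds; a routine domestic payment with a distinct approver passes. The amount rule is deliberately simple (mean plus three standard deviations of recent history) and is meant as a stand-in for whatever transaction-profiling a bank actually runs.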
— By Byron Acohido
Small businesses have no clue that they’re not protected, that’s the problem. I’ve been telling all my friends with small biz accounts to move them immediately to consumer accounts if they can… because you don’t get that many benefits from a small biz account, you just get a lot of angst… unless you need to run payroll, or something like that… The bottom line is, even if it’s a one in a thousand or one out of 10,000 chance your accounts are going to get ripped off, the chances of you getting the money back are 50% because the banks don’t have to reimburse you…
If they think you were negligent, they just don’t have any obligation to pay you back. So it’s time for small business to wake up and understand the risk of online banking.