Small Business Online Banking: Universal Precautions

If you’ve been following my blog, you know I’m concerned about internet banking security, particularly for small businesses. I have been tracking well-known security expert David Krebs and his many reports of small business data and $$$ loss.

Remember that individuals generally have protection from fraudulent online transfers, but businesses usually do not. Look at it from the bank’s perspective: What’s to keep a dishonest business owner from wiring a few hundred grand through “money mules” to offshore accounts indirectly owned by them? The stakes are much higher in the business world.

I’m starting a new series of posts reviewing some “best practices” and easy-to-implement countermeasures for the most common online threats. While no banking transaction is 100% safe (online, on paper or in person) we can take a few basic steps to improve the odds.

1. Take advantage of business-grade online features. If your bank offers two-factor authentication (those little key fobs with changing numbers) then take advantage of that. Just don’t become complacent thinking that they’re impossible to “crack.”

2. Least-User-Access. Most business online banking accounts allow you to create multiple users with different access levels. Create different accounts for read/report access, bill-paying access, and administrative access.

For example, I have three online banking accounts. One account that is read/report-only…I use this one to download transactions into QuickBooks, look up transactions, and check balances. This username has no access to any other functions.

My second account has reporting and billpay access. With this username I can pay bills to existing payees and transfer between already-confirmed accounts. This user ID cannot add new payees or configure new bank accounts for transfer.

The third account has “full” access. This is the way most people use online banking most of the time. I only use this username when I’m creating new online bill payees, setting up new transfer accounts, or configuring the lesser accounts.

By doing this I expose my read-only password most frequently and give a little bit better protection to my full-access password.

3. Look into Positive Pay Exceptions. Positive Pay Exceptions, offered by many banks now, place an automatic stop on specific types of transactions over limits that you specify.

For example, you can place a limit on wire transfers over $1,000, and on ACH transfers over $2,000. When a transaction matching these criteria comes through, the bank suspends the transfer and contacts you “out of band,” through SMS/text message or phone call. (Some banks allow e-mail, but I don’t recommend that as e-mail is easy to steal from an infected PC.) You must respond to the out-of-band request in order for the item to be paid. Otherwise it’s returned unpaid.

Many banks also allow you to upload a file each day containing details of each check you’ve cut. At the moment I do not know of any attempts to compromise or fake the contents of these files but there is that possibility as these services become more common.

Also highly recommended are out-of-band e-mail or phone warnings when payees are added or changed. If you get such a notice and you’re not logged in, call your bank immediately!
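To make the Positive Pay logic concrete, here is a small model of the bank-side screening described in item 3: presented checks are compared against the daily check file, wires and ACH debits are compared against the per-type limits, and anything that does not match is suspended until the owner answers the out-of-band request, otherwise it is returned unpaid. This is an added example written for this post, not any bank’s software; the check register, the limits (the $1,000 wire and $2,000 ACH figures from the example above), the presented items and the owner’s answers are all constructed for illustration.

```python
"""Positive-pay exception screening, modelled on the controls described in item 3.

Everything here is constructed for illustration: the check register, the
per-type limits, the presented items and the owner's answers are made up,
and no real bank interface is involved.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum
from typing import Optional


class Decision(Enum):
    PAY = "pay"        # matches the uploaded register or is within limits
    HOLD = "hold"      # suspended; the owner is contacted out of band
    RETURN = "return"  # no positive answer to the out-of-band request


@dataclass(frozen=True)
class Item:
    kind: str                        # "check", "wire" or "ach"
    amount: Decimal
    payee: str
    check_number: Optional[int] = None


@dataclass
class PositivePay:
    """Bank-side screening of presented items against the business's instructions.

    issued: check number -> (amount, payee), from the daily check file
    limits: kind -> amount above which a transfer is suspended
    """
    issued: dict
    limits: dict
    paid_checks: set = field(default_factory=set)

    def screen(self, item: Item) -> Decision:
        """Pay items that match the instructions; hold everything else."""
        if item.kind == "check":
            expected = self.issued.get(item.check_number)
            if expected is None:                        # never issued
                return Decision.HOLD
            if item.check_number in self.paid_checks:   # presented a second time
                return Decision.HOLD
            if expected != (item.amount, item.payee):   # altered amount or payee
                return Decision.HOLD
            self.paid_checks.add(item.check_number)
            return Decision.PAY
        limit = self.limits.get(item.kind)
        if limit is None or item.amount > limit:        # "over" the limit, or no limit set
            return Decision.HOLD
        return Decision.PAY

    def settle(self, item: Item, owner_confirmed: Optional[bool]) -> Decision:
        """Resolve a held item. Only an explicit 'yes' pays; silence or 'no' returns it unpaid."""
        if owner_confirmed is True:
            if item.kind == "check" and item.check_number is not None:
                self.paid_checks.add(item.check_number)
            return Decision.PAY
        return Decision.RETURN


def run_day(bank: PositivePay, items, answers: dict) -> list:
    """Screen one day's items; `answers` maps item index -> owner's out-of-band reply."""
    results = []
    for idx, item in enumerate(items):
        decision = bank.screen(item)
        if decision is Decision.HOLD:
            decision = bank.settle(item, answers.get(idx))
        results.append(decision)
    return results


def sample_day() -> list:
    """A constructed day using the post's own example limits ($1,000 wire, $2,000 ACH)."""
    bank = PositivePay(
        issued={1041: (Decimal("250.00"), "Office Supply Co"),
                1042: (Decimal("1800.00"), "Landlord LLC"),
                1044: (Decimal("75.00"), "Water Utility")},
        limits={"wire": Decimal("1000"), "ach": Decimal("2000")},
    )
    items = [
        Item("check", Decimal("250.00"), "Office Supply Co", 1041),   # 0: on the register
        Item("check", Decimal("1800.00"), "Landlord LLC", 1042),      # 1: on the register
        Item("check", Decimal("1800.00"), "Landlord LLC", 1042),      # 2: duplicate presentment
        Item("check", Decimal("4900.00"), "Unknown Vendor", 1043),    # 3: never issued
        Item("check", Decimal("750.00"), "Water Utility", 1044),      # 4: altered amount
        Item("wire", Decimal("1000.00"), "Parts Supplier"),           # 5: at, not over, the limit
        Item("wire", Decimal("12500.00"), "New Equipment Inc"),       # 6: over limit, owner says yes
        Item("ach", Decimal("1999.99"), "Payroll Service"),           # 7: within limit
        Item("ach", Decimal("2500.00"), "Unexpected Debit"),          # 8: over limit, no reply
    ]
    answers = {3: False, 6: True}   # items 2, 4 and 8: the owner never answered
    return run_day(bank, items, answers)


if __name__ == "__main__":
    for decision in sample_day():
        print(decision.value)
```

Two design points matter here. The default for a held item is RETURN: a missed phone call or an unanswered text costs you a late payment, while a missed fraudulent wire costs you the money, which is why silence must never be treated as consent. And the check register is matched on number, amount and payee together, so a check that was issued but later altered, or one presented twice, is held just like one that was never cut.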

4. Check your transactions EVERY DAY! Most small businesses that have lost hundreds of thousands of dollars were not checking their online balances and transactions on a daily basis. This is critical because the bank’s ability to reverse wire transfers only lasts a few hours in most cases, even where problems are reported immediately.

5. Practice Smart Computing. Don’t visit questionable web sites from your online banking computer. Don’t open attachments. Make sure your antivirus is up to date. Use different passwords for your online banking accounts…after all, your money is more important than your Yahoo! e-mail or your Facebook profile, right?

Next time, I’ll review some specific ways to keep your online banking “master keys” safe.
