Business eBanking Best Practices Business ... - Presidio Bank

Business eBanking Best Practices

Business computer hacking has quickly gone from a growing threat to a common occurrence. The current version involves malware placed on your business PC that is activated when you log onto your eBanking service with the bank. At that moment, the hacker has become you and assumed the ability to take control of your access levels. If you are initiating an ACH or wire transaction, the hacker may be able to change the information that you have entered after you think you have completed this transaction. This includes changing the account number, bank routing number and/or the dollar amount after you think you have signed off. We have provided the following Best Practices to assist you in mitigating the risk of loss due to your computers being hacked. We strongly encourage you to follow all of these practices.

General eBanking Best Practices:


· Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information.
· Do not open file attachments or click on web links in suspicious e-mails; doing so could expose the system to malicious code that could hijack the computer.
· Install a dedicated, actively managed firewall, especially if you have a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
· Prohibit the use of “shared” usernames and passwords for online banking systems. Use a different password for each website that is accessed.
· Limit administrative rights on users’ workstations to help prevent the inadvertent downloading of malware or other viruses.
· Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
· Ensure virus protection and security software are updated regularly.
· Ensure computers are patched regularly with security patches, particularly operating systems and key applications. It may be possible to sign up for automatic updates for the operating system and many applications.
· We recommend you install an industry standard spyware detection program.
· We recommend clearing the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.
· We recommend you verify use of a secure session (https, not http) in the browser for all online banking.
· Avoid using an automatic login feature that saves usernames and passwords for online banking.
· We recommend that your users sign off, shut down, and disconnect when their computer is not in use.
· Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign-on information, leaving the customer vulnerable to possible fraud.


· You should familiarize yourself with the bank’s account/services agreement(s) relative to the liability for fraud under the agreement(s) and the Uniform Commercial Code of the State of California.
· Make sure you and your staff are aware of potential threats such as phishing attacks.
· Do not use business machines to surf social sites (e.g. Facebook).
· Never use passwords that include birthdays, names, pet names or social security numbers.
· Educate staff regarding these Best Practices so all are aware.
· Immediately escalate any suspicious transactions, particularly ACH or wire transfers, to the bank.
· Stay in touch with other businesses to share information regarding suspected fraud activity.

Transaction & Monitoring Best Practices:



· Only allow specialized and trained key staff members to process ACH and wire transactions.
· Establish transaction dollar limits for employees that vary by authority level.
· Utilize balance level and any other appropriate alerts within Business eBanking.
· If possible, and in particular for clients that do high value or large numbers of online transactions, we recommend you carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
· Business owners/managers should run Activity Reports daily and scan network access for unidentified IP addresses, after-hours attempted access and other suspicious activity.

eBanking Dual Control Best Practices:

Dual User Administration – all administration changes are processed in two steps:
1. One individual performs the maintenance.
2. A second individual must approve it before the change(s) become effective.

Dual Transaction Control – transactions (especially ACH and wires) are initiated through a two-step process for increased security:
1. One individual initiates a transaction.
2. A second individual must approve the transaction before it is processed.
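The dual transaction control above is, in software terms, a separation-of-duties rule plus an independent re-check of the payment details by the second person. The following is an added illustration written for this page, not Presidio Bank's own code or system: a small in-memory ledger in which an initiator records a transfer, and an approver (who must be a different person with an approval limit) confirms the routing number, account number and amount from their own copy of the paperwork. If the malware scenario from the opening paragraph has altered the details after the initiator signed off, the approver's fingerprint of the original details no longer matches and the approval is refused. The role names, limits and bank details are constructed.

```python
"""Dual transaction control: separation of duties plus an approver
re-check of the transaction details. Constructed example, not bank code."""
import hashlib
import itertools
import json


class DualControlError(Exception):
    """Raised when a dual-control rule is violated."""


def fingerprint(details: dict) -> str:
    """Stable SHA-256 over the fields the approver must confirm
    (kind, amount, routing number, account number)."""
    canonical = json.dumps(details, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DualControlLedger:
    def __init__(self, initiators, approvers, approval_limits):
        self.initiators = set(initiators)          # may initiate, never approve own
        self.approvers = set(approvers)            # may approve, never initiate
        self.limits = dict(approval_limits)        # approver -> max amount in cents
        self.pending = {}                          # txn id -> stored transaction
        self._ids = itertools.count(1)

    def initiate(self, user: str, details: dict) -> int:
        """Step 1: an authorized initiator records the transfer as entered."""
        if user not in self.initiators:
            raise DualControlError(f"{user} is not an authorized initiator")
        txn_id = next(self._ids)
        self.pending[txn_id] = {
            "initiator": user,
            "details": dict(details),
            "fingerprint": fingerprint(details),
        }
        return txn_id

    def approve(self, user: str, txn_id: int, confirmed_details: dict) -> dict:
        """Step 2: a different person confirms the details independently.
        Any difference between what was stored at initiation and what the
        approver confirms from the source document blocks the transaction."""
        txn = self.pending.get(txn_id)
        if txn is None:
            raise DualControlError("unknown or already processed transaction")
        if user not in self.approvers:
            raise DualControlError(f"{user} is not an authorized approver")
        if user == txn["initiator"]:
            raise DualControlError("initiator may not approve their own transaction")
        if fingerprint(confirmed_details) != txn["fingerprint"]:
            raise DualControlError(
                "confirmed details differ from the initiated transaction; "
                "possible tampering, escalate to the bank")
        amount = txn["details"]["amount_cents"]
        if amount > self.limits.get(user, 0):
            raise DualControlError(f"amount {amount} exceeds {user}'s approval limit")
        del self.pending[txn_id]                   # one approval per transaction
        return {"id": txn_id, "approved_by": user, **txn["details"]}


if __name__ == "__main__":
    # Constructed sample: alice initiates, bob approves. All numbers are fake.
    ledger = DualControlLedger({"alice"}, {"bob"}, {"bob": 5_000_000})
    wire = {"kind": "wire", "amount_cents": 250_000,
            "routing_number": "123456789", "account_number": "000111222"}
    tid = ledger.initiate("alice", wire)
    print(ledger.approve("bob", tid, wire))
```

Note that the approver passes in the details they confirmed themselves rather than clicking "approve" on whatever the screen shows; that is what makes the second step an independent check rather than a second click.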

Two-Factor Authentication:

To ensure further security for transactions initiated through eBanking, two-factor authentication is encouraged. In two-factor authentication, a change/transaction is approved using two pieces of information:
· Something you know (sign-on and password)
· Something you have (a token), now available through Presidio Bank by contacting your Relationship Services Manager

We recommend that the individuals assigned as transaction approvers each have a token. Coupling the use of this token with the dual administration and transaction control recommendations, which prevent the approver from being able to initiate transactions, will prevent a hacker from being able to modify the ACH or wire transaction. The process is fairly simple:
· The token contains a clock and a unique serial number, coupled with an algorithm to produce a new Token Code every 60 seconds.
· Each token is registered to an end-user and synchronized with the Business Banking server.
· Each time a Token Code is entered, the system validates it using the synchronized clock, the serial number and the same algorithm.
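The three bullets above describe a time-synchronized token: both the token and the server derive the same code from a shared secret, the token's serial number and the current 60-second window. The code below is an added illustration of that process, not Presidio Bank's token algorithm or server, using a generic HMAC-based scheme. The secret, serial number, six-digit length, one-window clock-drift allowance and the user-to-token binding are all assumptions. The server side also records the last window accepted for each token, so a code that has already been used (or was captured from an older window) is refused even though it was once valid.

```python
"""Time-synchronized token codes and server-side validation.
Generic HMAC construction written for this page; constructed values."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page: a new Token Code every 60 seconds
DIGITS = 6          # assumption: six-digit codes


def token_code(secret: bytes, serial: str, unix_time: int) -> str:
    """What the token displays: derived from its secret, its serial number
    and the current 60-second window of its clock."""
    counter = unix_time // STEP_SECONDS
    message = serial.encode("ascii") + struct.pack(">Q", counter)
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """Server side: each serial is registered to one end-user and the server
    keeps the same secret and a synchronized clock."""

    def __init__(self, drift_windows: int = 1):
        self.registry = {}            # serial -> {secret, user, last_counter}
        self.drift = drift_windows    # tolerate +/- this many 60 s windows

    def register(self, serial: str, secret: bytes, user: str) -> None:
        self.registry[serial] = {"secret": secret, "user": user, "last_counter": -1}

    def validate(self, user: str, serial: str, code: str, unix_time: int) -> bool:
        """Recompute the code for the current window (and neighbours, for
        clock drift); refuse codes from windows already consumed (replay)."""
        rec = self.registry.get(serial)
        if rec is None or rec["user"] != user:
            return False
        counter = unix_time // STEP_SECONDS
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= rec["last_counter"]:
                continue                               # already used or older
            expected = token_code(rec["secret"], serial, c * STEP_SECONDS)
            if hmac.compare_digest(expected, code):    # constant-time compare
                rec["last_counter"] = c
                return True
        return False


if __name__ == "__main__":
    # Constructed sample registration and one sign-on.
    secret, serial, now = b"constructed-shared-secret", "TOK-000123", 1_700_000_000
    server = TokenServer()
    server.register(serial, secret, "bob")
    shown = token_code(secret, serial, now)
    print("token shows", shown, "->", server.validate("bob", serial, shown, now))
    print("same code again ->", server.validate("bob", serial, shown, now))
```

The replay check is the part worth noticing: the page's threat is malware that acts after you have signed on, and a code that can only be accepted once per window limits what a captured code is worth.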

Positive Pay:

The Positive Pay function is part of Business eBanking and allows you to view any checks that were presented for payment to the Bank during the previous business day that differ from what you reported to have issued. The items are then reviewed and you are able to authorize the Bank not to pay a particular check that may be fraudulent. This security feature will detect fraud and in particular help prevent a newer fraud practice called Accounts Payable fraud:



A fraudster convinces an individual that they work for your company and you want to hire them to send payments to a number of people that have performed work for you. The employee is given checks with your company name, address, and account number and “innocently” performs this service. The next thing you know is that 25 checks are all presented for payment against your account. If you are not paying close attention you may not notice that this has occurred for a couple of months and then it is legally too late to request a recovery for these fraudulent checks from your financial institution.
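The comparison behind Positive Pay is a match of each presented check against the issue file you reported, with every difference surfaced as an exception for review. The function below is an added illustration written for this page, not the bank's Positive Pay implementation: it flags checks that are not in the issue file at all (the Accounts Payable fraud scenario above), amount mismatches, payee mismatches and a check number presented twice. The check numbers, amounts and payees are constructed sample data.

```python
"""Positive Pay exception matching: presented checks vs the issue file.
Illustration written for this page; all data constructed."""
from collections import Counter


def positive_pay_exceptions(issued, presented):
    """issued/presented: lists of {"check_no", "amount_cents", "payee"}.
    Returns [(check_no, reason), ...] in presentment order; an empty list
    means everything presented matches what you reported as issued."""
    issued_by_no = {c["check_no"]: c for c in issued}
    seen = Counter()
    exceptions = []
    for item in presented:
        no = item["check_no"]
        seen[no] += 1
        ref = issued_by_no.get(no)
        if ref is None:
            exceptions.append((no, "not in issue file"))
        elif seen[no] > 1:
            exceptions.append((no, "duplicate presentment"))
        elif item["amount_cents"] != ref["amount_cents"]:
            exceptions.append((no, f"amount mismatch: issued {ref['amount_cents']} "
                                   f"presented {item['amount_cents']}"))
        elif item["payee"].strip().upper() != ref["payee"].strip().upper():
            exceptions.append((no, "payee mismatch"))
    return exceptions


def sample_run():
    """Constructed issue file and one day's presentments."""
    issued = [
        {"check_no": "1001", "amount_cents": 125_000, "payee": "ACME SUPPLY"},
        {"check_no": "1002", "amount_cents": 40_000, "payee": "Joe's Plumbing"},
        {"check_no": "1003", "amount_cents": 99_900, "payee": "Office Depot"},
    ]
    presented = [
        {"check_no": "1001", "amount_cents": 125_000, "payee": "Acme Supply"},   # clean
        {"check_no": "1002", "amount_cents": 400_000, "payee": "Joe's Plumbing"},  # altered amount
        {"check_no": "1004", "amount_cents": 50_000, "payee": "Unknown Payee"},    # never issued
        {"check_no": "1001", "amount_cents": 125_000, "payee": "Acme Supply"},   # presented again
    ]
    return positive_pay_exceptions(issued, presented)


if __name__ == "__main__":
    for check_no, reason in sample_run():
        print(f"check {check_no}: {reason}")
```

Payee comparison is case- and whitespace-insensitive because the bank's capture of the payee line is rarely identical to your accounting export; the check number and amount are compared exactly.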

We recommend that you contact your Relationship Services Manager for this feature and/or implement an every-day, first-thing-in-the-morning practice of viewing the transactions that have posted to your account via Business eBanking.

General Financial Management Best Practices

All business and not-for-profit organizations should perform periodic account reviews that are independent of the account’s authorized signer(s). Such reviews are needed to reduce the risk of embezzlement and to verify the validity of the actual transactions being processed. Dual control account reconciliation: one person can make deposits and write checks and another reconciles the account. Educate your staff not to give out your account number to anyone unless you initiated the call. Immediately escalate any suspicious transactions, particularly ACH transactions or wire transfers, to Presidio Bank.

Presidio Bank Data & Network Security Protections

Presidio Bank from its beginning has had a strong commitment to protecting our clients’ vital data and in that regard has built a comprehensive system of policies and procedures, including both physical and software controls within the bank and through the service vendors the bank utilizes, to mitigate risk. The Bank has also designed our systems to provide multiple layers of security and protection for an even more secure environment. As an eBanking client you are aware that late last year we implemented an enhanced password configuration that exceeded government standards, and most recently the bank launched Multi-Factor Out of Band, which is a leading edge fraud protection service. We have provided the above eBanking and General Financial Management Best Practices to assist you in protecting your company’s confidential and financial information. Please be sure to implement these practices to mitigate your risk of loss. Presidio Bank is not responsible for losses related to security weaknesses within your company.