Skinning the CAT: Reduce your risk for a Corporate Account Takeover
In 2009, hackers stole the online banking credentials of Choice Escrow and Land Title Company of Springfield, Missouri, and ordered a $440,000 wire transfer to a bank in Cyprus.
Choice Escrow sued their bank for their loss, but surprisingly, the Missouri court denied their claim. According to news reports, the company had twice refused to adopt a dual control security measure despite the urging of the bank.
Corporate Account Takeover (CAT) is a cybercrime that has been on the rise ever since banks began offering online cash management services. Cyber thieves have some pretty ingenious methods for stealing the valid credentials from online banking customers. It is reported that some of the largest CAT criminal organizations have succeeded in installing malware on thousands of computers. These malicious programs use logging software to record every keystroke and to upload the data to clandestine servers. The keystroke data is then analyzed by computer to search for possible online banking credentials.
These criminal organizations can be operating from anywhere in the world. They steal money from businesses and their banks by authorizing fraudulent bill payments, wire transfers, or automated clearing house (ACH) transactions. The stolen money may be transferred through multiple institutions and will end up offshore where it is difficult or impossible to retrieve. Once the money is gone, the unpleasant business of determining who bears the loss must be decided. A customer who has not complied with the security standards in the cash management agreement could end up on the short end of the stick.
Fraudsters will typically target what they see as the weakest link in the chain: the corporate customer. Fortunately, there are some simple best practices that any online cash management user can adopt that will greatly reduce the chances of being a victim.
The first thing to do is to comply with the security requirements in the cash management agreement. This will typically require that an anti-malware program be installed and maintained and that the operating system be kept up-to-date with the latest security patches. It may specify the types of browsers to be used, and their versions.
Another best practice is to use a dedicated computer for all cash management activities. This machine should not be used for web browsing, e-mail, or other routine business. Only authorized cash management users should have access to it, and it should be locked or logged out when not in use. This will greatly reduce the risks of unauthorized use and infection with malware.
Online cash management programs allow different levels of security to be granted to each authorized user. Make sure that authority to originate and authorize transactions is given only to those employees who need it. Transaction dollar limits should be set appropriately, and dual control procedures implemented where possible. Users should be trained and made aware of cyber security risks. There is a list of government and industry resources at the end of this article that provide a wealth of information on best practices.
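The entitlement model described above (origination and approval rights granted separately, per-user dollar limits, and dual control for larger transactions) can be made concrete in a few lines. The following is an added illustration, not any bank's cash management software; the user names, the daily limits and the $10,000 dual-control threshold are constructed. The point it shows is that a thief holding one stolen credential can neither exceed that user's limit nor both originate and approve a large wire.

```python
"""Toy model of online cash-management entitlements: per-user rights,
transaction dollar limits, and dual control. Added example with constructed
users and thresholds; it does not describe any bank's actual product."""
from dataclasses import dataclass, field

# Assumed for this example: wires at or above this amount need a second approver.
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass
class User:
    name: str
    can_originate: bool = False   # may create a payment request
    can_approve: bool = False     # may release someone else's request
    daily_limit: int = 0          # max dollars this user may originate per day
    originated_today: int = 0


@dataclass
class Wire:
    amount: int
    originator: str
    approvers: list = field(default_factory=list)  # names of users who approved


class Policy:
    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def check(self, wire):
        """Return (allowed, reason) without changing any state."""
        orig = self.users.get(wire.originator)
        if orig is None or not orig.can_originate:
            return False, "originator lacks origination right"
        if orig.originated_today + wire.amount > orig.daily_limit:
            return False, "originator daily limit exceeded"
        if wire.amount >= DUAL_CONTROL_THRESHOLD:
            # Dual control: the approver must be a different person who holds
            # the approval right; the originator cannot approve their own wire.
            second = [a for a in wire.approvers
                      if a != wire.originator
                      and a in self.users and self.users[a].can_approve]
            if not second:
                return False, "dual control: needs approval by a second authorized user"
        return True, "ok"

    def execute(self, wire):
        """Apply the policy and, if allowed, charge the originator's daily limit."""
        ok, reason = self.check(wire)
        if ok:
            self.users[wire.originator].originated_today += wire.amount
        return ok, reason


def demo_policy():
    """Constructed users: a clerk who originates, a controller who approves,
    and a read-only user with neither right."""
    return Policy([
        User("clerk", can_originate=True, daily_limit=25_000),
        User("controller", can_approve=True),
        User("viewer"),
    ])


if __name__ == "__main__":
    p = demo_policy()
    print(p.execute(Wire(5_000, "clerk")))                       # (True, 'ok')
    print(p.execute(Wire(15_000, "clerk")))                      # dual control refusal
    print(p.execute(Wire(15_000, "clerk", ["clerk"])))           # self-approval refused
    print(p.execute(Wire(15_000, "clerk", ["controller"])))      # (True, 'ok')
    print(p.execute(Wire(30_000, "clerk", ["controller"])))      # limit exceeded
    print(p.execute(Wire(500, "viewer")))                        # no origination right
```

Note that the approval list is checked against the user table rather than trusted as submitted: a request naming an approver who lacks the approval right, or naming the originator as their own approver, is refused.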
Finally, the sunset of the Microsoft XP operating system is another issue that must be addressed. After April 8, 2014, Microsoft will no longer issue security patches for XP, and computers using this operating system will become increasingly vulnerable to attack. Businesses that continue to use these machines for cash management (or for any other purpose) will be playing a game of Russian roulette, with more bullets being added all the time!
At Business Bank of Texas, we are constantly looking for ways to improve our security processes. In addition to technical security measures, we also leverage the experience of our operations staff, using their knowledge of each customer’s business to detect unusual or suspicious transaction activity. Call back confirmations of transaction requests are an everyday routine to make sure that payment instructions are authentic. We believe that the best way to keep the CAT in the bag is to know our customers and to work closely with them.
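The kind of "does this look like the customer's normal business?" screening described above can be sketched as a comparison of each incoming payment request against that customer's own history. This is an added example, not a description of any bank's actual controls; the customer history, the beneficiary names and the "three times the typical amount" rule are all constructed. A request that trips any check is routed for a call back confirmation before it is released.

```python
"""Toy screening of outgoing payment requests against one customer's history,
the kind of check an operations desk makes before a callback confirmation.
Added example; history and rules are constructed."""
from statistics import median

# Constructed payment history for one customer: (beneficiary, country, amount).
HISTORY = [
    ("Acme Supplies", "US", 4_200),
    ("Acme Supplies", "US", 3_900),
    ("Lone Star Freight", "US", 7_500),
    ("Lone Star Freight", "US", 8_100),
    ("Acme Supplies", "US", 4_400),
]


def profile(history):
    """Summarise what 'normal' looks like for this customer."""
    return {
        "beneficiaries": {h[0] for h in history},
        "countries": {h[1] for h in history},
        "typical_amount": median(h[2] for h in history),
    }


def screen(request, prof, amount_factor=3.0):
    """Return the reasons a request looks unusual (empty list = nothing unusual)."""
    beneficiary, country, amount = request
    reasons = []
    if beneficiary not in prof["beneficiaries"]:
        reasons.append("new beneficiary")
    if country not in prof["countries"]:
        reasons.append(f"destination country {country} not seen before")
    if amount > amount_factor * prof["typical_amount"]:
        reasons.append(f"amount {amount} exceeds {amount_factor}x typical "
                       f"({prof['typical_amount']})")
    return reasons


def needs_callback(request, prof):
    """True when the request should be held for voice confirmation."""
    return bool(screen(request, prof))


if __name__ == "__main__":
    prof = profile(HISTORY)
    # Routine payment to a known vendor: released without a callback.
    print(screen(("Acme Supplies", "US", 4_000), prof))
    # Large wire to a never-seen beneficiary in a new country: held for callback.
    print(screen(("Nova Holdings Ltd", "CY", 440_000), prof))
```

The thresholds here are deliberately simple; what matters is that the comparison is against the customer's own baseline rather than a fixed dollar figure, which is what lets a human reviewer spot a wire that is legitimate for one customer but out of character for another.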
For more information about best practices, check out the following resources:
- The Better Business Bureau’s website on Data Security Made Simpler: http://www.bbb.org/data-security;
- The Small Business Administration’s (SBA) website on Protecting and Securing Customer Information:
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html;
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf;
- The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3, and FS-ISAC, available on the IC3 website: http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf;
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm.