Criminals are increasingly attacking the electronic banking activity of small and medium-sized businesses (SMBs). They use methods such as phishing to trick employees—especially comptrollers and others who conduct financial transactions—into opening infectious attachments or visiting dangerous Web sites. That makes it possible for the attackers to plant highly sophisticated malware on SMBs’ computer systems. Through the malware, the criminals capture passwords and other information on Web banking transactions and electronic funds transfers, enabling them to siphon money into their own accounts.
SMBs are often less protected than their larger peers. Moreover, unlike consumers who have a matter of weeks to report a suspicious transaction and be absolved of liability for the fraudulent charge, businesses are only allowed a few days in which to report a problem with a banking transaction and get money refunded.
Experts advise businesses to protect themselves with a layered, defense-in-depth approach. SMBs are strongly urged to monitor their financial statements closely for signs of fraud. Some analysts say SMBs might ask their banking services provider about its antifraud technology, which looks for suspicious transactions based on a host of factors and patterns. Some emerging antifraud programs let customers—in this case, the SMBs—add their own personal risk factors or red flags, which can boost accuracy, according to a recent report by the SANS Institute. But antifraud technology is far from foolproof. A bank might catch “80 percent of fraudulent transactions,” says Avivah Litan, a senior analyst at Gartner. But missed transactions could involve millions of dollars.
That’s why more and more security professionals are advising a novel approach to protecting online financial transactions: the use of a standalone operating system (OS).
For many businesses, online banking “is no longer safe,” says Litan. A few months ago, the Financial Services Information Sharing and Analysis Center, a public-private group established to ensure financial security, said in an alert to members that it “strongly urged” the use of a standalone OS. Such an OS would be free from other e-mail and Web usage and contain only necessary applications. The SANS Institute report, which compared many of the most important computer security methods, called the use of a separate OS the single most important protective measure.
SANS noted a rise in attacks against SMBs in recent months and said the most vulnerable organizations seemed to have between 30 and 150 employees, which puts them on the border between small and medium. “They have serious money to steal,” but haven’t “gotten big enough to lock things down tightly.”
Perhaps the easiest and most secure way to use a separate hardened OS for financial transactions is to use a separate computer, according to the SANS report. Attackers would then have to independently attack the hardened OS. Cost is a disadvantage, but companies could save some money by using the open-source Linux OS in addition to open-source applications.
Another alternative could include placing two OS’s on the same hard drive. When the computer launches, users could pick which OS to use. This approach is less expensive and creates “fairly good” security, but it is not as secure as the totally separate system, because if a hacker is able to access one OS’s administrative privileges, he or she could access the other system.
SANS also strongly recommends using read-only bootable alternative media (ROBAM), or a CD or flash drive with a bootable OS. The advantage of the CD is that it is inherently read-only, meaning that its files cannot be altered. Such an OS could be configured not to access the local hard drive. One downside to this method is that it would require robust updating.
Organizations could keep a master installation on a separate USB drive, which would be used just for that purpose. The USB would be regularly updated and used to make new CDs. Though requiring some extra work, this technique is nearly free.
The ROBAM method does not currently appear to have vulnerabilities, says Litan. It is likely, though, that hackers could eventually discover weaknesses. ROBAM “might work for a year or so.”
For the smallest companies, including ones that might not have dedicated IT staff, using a separate OS may not be realistic, says Richard Kissel, an information security specialist at the National Institute of Standards and Technology. Staff might not have the technological know-how, he says.
But for many SMBs, “it’s almost like [they] don’t have too many other choices now,” says Litan.