Saturday, July 7, 2012
How To Save Bank Accounts From Cyberthieves
Despite the many products and services on the market designed to protect computers from getting hacked, many businesses—small firms in particular—are still suffering at the hands of cyberthieves.
Just ask Lloyd Keilson, the co-founder of Lifestyle Forms & Displays Inc., a mannequin maker and importer that had $1.2 million wiped out of its bank account in just hours through online transactions in May. His story was described in a Wall Street Journal article.
So how did the company get hacked?
Mr. Keilson isn't entirely sure, though experts in Web security say that cyberthieves likely covertly installed a virus on one of his company's computers.
The firm's computers run on the Windows 7 operating system and the company uses an internal firewall to connect to the Internet, Mr. Keilson says.
Its computers are Dell Inc. machines that his staff installed with antivirus software called Neatsuite purchased from Trend Micro Inc., a Japan-based security company, he adds.
Michael Sweeny, a spokesman for Trend Micro, says Neatsuite is an older product.
Experts say that it's possible that after one of Mr. Keilson's staffers tried to log onto the website for the company's bank, a virus may have redirected him or her to a fake page that looked identical to the bank's site.
If the employee typed in a username and temporary password provided by a secure-ID token, the virus might have sent that information to a thief who could have quickly logged into the bank's real website to make money transfers before the temporary password changed.
Passwords created by tokens tend to be valid for about two minutes, say Web security experts. It's important to note that Mr. Keilson isn't able to confirm that this is what happened.
Why did the company's bank allow money to be transferred out of its account?
In this kind of scenario, banks commonly aren't aware anything is wrong because they're seeing someone log onto their websites with the correct information. Cyberthieves often transfer stolen funds to account created with stolen identification to avoid detection.
How do viruses get onto computers that have anti-virus software?
Computer users often download viruses onto the machines inadvertently by clicking on a website, advertisement or email attachment embedded with malicious content. Mr. Keilson says he isn't aware that any of his employees did this.
Though anti-virus software is designed to recognize such material, it doesn't always work because hackers are regularly refining their tricks.
"You have to continually evolve your technology approach to security to stay up with the latest threats," says Lawrence Pingree, an analyst at technology research firm Gartner Inc. "What worked yesterday might not work today."
Does it matter what Web browser or operating system you use?
Some Web browsers and operating systems have a reputation for doing a better job of preventing viruses from infecting computers than others.
"We see far more infections on Windows than we do Macs, Unix and Linux," says Wade Baker, author of the Verizon 2012 Data Breach Investigations Report, a study based on cybercrime investigations conducted by Verizon's team, which is comprised of data-breach reports from Verizon and various law-enforcement groups around the globe, including the U.S. Secret Service and the Australian Federal Police.
Mr. Baker says there's long been a debate over which Web browsers are the safest but that all browsers – including popular ones like Safari and Firefox -- are susceptible to viruses when users recklessly click on Web ads, email attachments and other online content.
So what can I do to keep hackers at bay?
Be cautious when downloading any material from the Web and opening email attachments. If you don't trust the source, don't open it.
Also, contact your bank and find out what Web-related protections it offers businesses and what it's liable for in the event of a cyberattack on your firm's account. Set up limits on how much money can be transferred from your account in a day and require verbal authorization from an approved employee to make transactions above a certain amount.