Best Practices for Safe Online Banking
The best way to avoid becoming a victim of a cyberheist is not to let computer crooks into the computers you use to access your organization’s bank accounts online. The surest way to do that is to maintain a clean computer: Start with a fresh install of the operating system and all available security updates, or adopt a “live CD” approach (explained in more detail below).
Use a dedicated system to access online banking. The dedicated machine should be restricted from visiting all but a handful of sites necessary to interact with the bank and manage the organization’s finances. This can be done using custom firewall rules and hosts files, or services like OpenDNS. Remember that the dedicated system approach only works if you *only* access your bank’s site from locked-down, dedicated machines. Making occasional exceptions undermines the whole purpose of this approach.
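One way to implement the "handful of sites" restriction described above is an egress allowlist on the dedicated machine. The following Python is an added example, not code from the article or from any bank: it generates an nftables ruleset that drops all outbound traffic except DNS to one resolver and HTTPS to the bank's addresses, and it checks a URL against the same allowlist by full hostname. The hostnames (`examplebank.test`) and addresses are constructed placeholders; the real values come from the bank.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example: hostname -> addresses the bank
# publishes for it.  Placeholders only; obtain the real values from the bank.
ALLOWED_HOSTS = {
    "online.examplebank.test": {"198.51.100.10", "198.51.100.11"},
    "login.examplebank.test": {"198.51.100.12"},
}
RESOLVER_IP = "192.0.2.53"  # constructed placeholder for the permitted DNS resolver


def gen_nft_ruleset(allowed=ALLOWED_HOSTS, resolver=RESOLVER_IP):
    """Return an nftables ruleset (text) for the dedicated machine: default-drop
    on output, allowing only loopback, replies on established connections,
    DNS to the chosen resolver, and HTTPS to the allowlisted addresses."""
    res = ipaddress.ip_address(resolver)
    lines = [
        "table inet banking {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        f"    {'ip' if res.version == 4 else 'ip6'} daddr {res} udp dport 53 accept",
    ]
    for host, addrs in sorted(allowed.items()):
        for addr in sorted(addrs, key=ipaddress.ip_address):
            # ip_address() validates the string, so a typo in the list raises
            # here instead of silently producing a rule for the wrong address.
            a = ipaddress.ip_address(addr)
            fam = "ip" if a.version == 4 else "ip6"
            lines.append(f"    {fam} daddr {a} tcp dport 443 accept  # {host}")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def url_is_allowed(url, allowed=ALLOWED_HOSTS):
    """True only for an https URL whose full hostname is on the allowlist.
    Matching the whole hostname (not a substring) means a host that merely
    contains the bank's name is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    return host in allowed


if __name__ == "__main__":
    # Usage: save the output and load it with `nft -f banking.nft`.
    print(gen_nft_ruleset(), end="")
```

Address-based rules only hold while the bank's addresses stay fixed; a bank served through a CDN will change them, so keep the list in sync with what the bank publishes or prefer a resolver-level allowlist (the OpenDNS approach mentioned above), which follows the hostname rather than the address.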
Never write down your passwords or user credentials. Post-it notes, index cards, etc. aren’t secure even if you think they might be out of sight under your keyboard or in unlocked drawers.
Don’t re-use your office computer password for other systems and services. Login credentials are continuously being stolen from systems that may be less secure, such as online shopping sites. Those credentials can be used to try to access important systems, like online banking or your office systems.
If possible, use something other than Microsoft Windows. Most malware only runs in a Microsoft Windows environment, so using a different operating system for the dedicated machine is an excellent way to drastically reduce the likelihood of becoming a cyberheist victim. A “live CD” is a free and relatively painless way to temporarily boot a Windows PC into a Linux environment. The beauty of this approach is that even if you fail to maintain a clean Windows PC, malicious software can’t touch or eavesdrop on your banking session while you’re booted into the Live CD installation. For more information on how to set up a live CD for a dedicated machine, see this primer.
Adjust email settings on a shared computer. If you must use a multi-purpose machine where you will check email, avoid clicking links in email (see previous tip). Also, set email to display without HTML formatting if possible.
If you installed it, patch it. Keep the operating system up-to-date with patches. It’s equally important to update the third-party software on your system, especially browser plugins. One leading cause of malware infections is exploit kits, which are attack tools stitched into hacked Web sites that exploit unpatched or undocumented vulnerabilities in widely-used browser plugins. Tools such as File Hippo’s Update Checker and Secunia’s Personal Software Inspector will alert you to new security updates available for third-party programs installed on your PC.
Remove any unneeded software from dedicated systems used to access online banking. In particular, unneeded plugins (such as Java) should be junked.
Avoid opening attachments in email that you were not expecting. Phishing emails with attachments may pose as notifications from a delivery service, e-commerce resource or law enforcement agency — just to name a few. Be particularly wary of emails that warn of some dire consequence unless you take action immediately. Phishing emails can look like a reputable communication from a person or company and usually include a link to click.
Use a bookmark to access online banking. Avoid “direct navigation,” which involves manually typing the bank’s address into a browser; a fat-fingered keystroke may send you to a look-alike phishing website.
If your financial institution offers it, consider taking advantage of ACH Positive Pay. Any item that meets the criteria you establish will automatically post to your account. Your company will be notified via email and/or text message of any rejected electronic item(s) that do not meet your filter criteria. Upon receipt of the rejected items, you can then return them or conveniently add filter criteria for future electronic transactions.
Require two people to sign off on every transaction. This fundamental anti-fraud technique can help block cyberheists (and employee fraud).
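The two controls in the preceding tips, Positive Pay filter criteria and two-person sign-off, are shown together below as an added example in Python; it is not code from the article, from any bank, or from any Positive Pay product. The item shape, the originator IDs, the amounts and the user names are constructed placeholders. The filter posts items that meet the criteria and returns the rest with a reason for review; the release request requires two distinct signers, so the same person signing twice does not release a transaction.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Item:
    """One electronic debit presented against the account (constructed shape)."""
    item_id: str
    payee_id: str   # the originator ID on the entry
    amount: int     # in cents


@dataclass
class PositivePayFilter:
    """Criteria the account holder set up: originator ID -> maximum amount per item."""
    max_amount_by_payee: dict

    def check(self, item):
        """Return None if the item meets the criteria, otherwise the reason to reject it."""
        limit = self.max_amount_by_payee.get(item.payee_id)
        if limit is None:
            return f"originator {item.payee_id} is not on the filter"
        if item.amount > limit:
            return f"amount {item.amount} exceeds limit {limit} for {item.payee_id}"
        return None


def apply_filter(flt, items):
    """Split presented items into those that post automatically and those that
    are rejected for review, returned as (posted, [(item, reason), ...])."""
    posted, rejected = [], []
    for item in items:
        reason = flt.check(item)
        if reason is None:
            posted.append(item)
        else:
            rejected.append((item, reason))
    return posted, rejected


@dataclass
class ReleaseRequest:
    """Two-person control for an outgoing transaction: it may be released only
    once two distinct users have signed off."""
    item: Item
    signoffs: set = field(default_factory=set)  # distinct user IDs

    def sign(self, user):
        """Record a sign-off. A set is used so the same user signing twice still
        counts as one person; the second signature must come from someone else."""
        self.signoffs.add(user)
        return len(self.signoffs)

    def releasable(self, required=2):
        return len(self.signoffs) >= required


if __name__ == "__main__":
    flt = PositivePayFilter({"PAYROLL-CO": 500_000, "UTILITY-CO": 50_000})
    presented = [Item("1", "PAYROLL-CO", 120_000), Item("2", "UTILITY-CO", 75_000)]
    posted, rejected = apply_filter(flt, presented)
    print("posted:", [i.item_id for i in posted])
    for item, reason in rejected:
        print("rejected", item.item_id, "->", reason)
    req = ReleaseRequest(posted[0])
    req.sign("alice")
    req.sign("alice")
    print("releasable after one person:", req.releasable())
    req.sign("bob")
    print("releasable after two people:", req.releasable())
```

The user identity passed to `sign` has to come from the authenticated session, not from a form field; if a single login can sign under two names, the control is worth nothing.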
Remember that antivirus software is no substitute for common sense. A majority of today’s cyberheists begin with malware that is spread via email attachments. Many of these threats will go undetected by antivirus tools in the first few days.