California CPA: June 2012
Avoiding Small-business Identity Theft and Online Banking Fraud
By Susan E. Bradley, CPA
Online transactions are easy and convenient, and they let us purchase items we could never have obtained in the past. They allow us to get our tax refunds more quickly, as well as transfer funds and process payments. But as with most things, there’s a dark side: What is convenient for us is convenient for attackers.
We had several clients during tax season who suffered identity theft. We found out when we went to e-file their tax returns and were informed that a return had apparently already been filed for one of the taxpayers. The IRS indicated that identity theft is increasing massively. We were told to file an affidavit of identity theft, Form 14039, and to contact one of the three credit bureaus to begin tracking and monitoring the taxpayer’s credit history. We also obtained a report of Social Security earnings to confirm that the amounts reported in the past are accurate. Clients affected by identity theft receive a PIN from the IRS, which must be included on future tax returns that are filed.
We’re also seeing an increase in online banking fraud, especially among small businesses. Brian Krebs, a former Washington Post journalist, has been tracking many online banking frauds and has watched as small businesses have had their bank accounts wiped clean by fraudsters who were able to obtain the credentials for the accounts.
Think a fraudulent withdrawal of funds from your commercial or business banking account is limited to $50, like a fraudulent credit card transaction? Think you are protected by FDIC insurance? Think again. FDIC insurance does not protect your bank account from fraudulent withdrawals. You have no protection other than attempting to recover the funds from the criminals who withdrew them. In many cases these criminals are located overseas and it would be difficult, if not impossible, to prosecute.
Do you do everything you can to protect your online banking? Do you dedicate a computer for online banking and only use this computer for sensitive transactions?
Do you ensure that you do not open email from this computer? Keep in mind that criminals have used targeted phishing emails and Java and browser exploits to plant keyloggers on computers.
Consider the following tips to help you get started on a more secure online road.
Dedicate a computer to be used for business purposes to ensure that you won’t pick up a keylogger from random web surfing. Take the recent case of 500,000 WordPress-based websites that were used to infect Apple computer users. These sites were injected with malicious code many times, unknowingly, by the WordPress site owners. WordPress, while one of the major blogging and website platforms, suffers from a community coding model in which someone’s miscoded plug-in may be the attack vector used to gain access to the website. Neither the website owner nor the plug-in author has any idea of this sort of attack vector.
Junk the Email
Never open unexpected banking emails. Many successful attacks start with phishing: sending an email to someone and tricking the person into opening the email or its attachment, which then infects that computer, or tricking the person into handing over a user name and password to the other party. Cybercriminals are targeting small businesses with specific phishing attacks to gain access to their systems.
Keep Your Balance
Regularly check your bank balances for unauthorized transactions and reconcile your accounts. Do not wait until the end of the month to review your transactions. In this case, going online more often will actually make you more secure. Check, too, whether your bank offers additional protection, such as maximum limits on the transfers that can be made.
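The reconciliation the column recommends is mechanical enough to script. The following is an added illustration, not code from the column or its author: it pairs each cleared bank item with a book entry of the same amount within a few days (bank descriptions rarely match the bookkeeper’s payee names exactly), reports any debit that left the account with no matching entry, and separately flags debits above a per-transfer ceiling of the kind the column suggests asking your bank about. All transactions and the ceiling are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    """One transaction. Amounts are whole cents, debits negative, so no float rounding."""
    when: date
    description: str
    amount_cents: int


# Constructed sample data (not from the article): what the bookkeeper recorded.
BOOKS = [
    Txn(date(2012, 5, 1), "Office Depot", -14217),
    Txn(date(2012, 5, 3), "Payroll Service", -825000),
    Txn(date(2012, 5, 8), "Pacific Gas & Electric", -31042),
    Txn(date(2012, 5, 15), "Client payment - Acme LLC", 450000),
]

# Constructed sample bank statement. Descriptions never match the books exactly,
# so matching is done on amount plus a date window rather than on payee text.
BANK = [
    Txn(date(2012, 5, 2), "OFFICE DEPOT #1234", -14217),
    Txn(date(2012, 5, 3), "PAYROLL SERVICE ACH", -825000),
    Txn(date(2012, 5, 9), "PG&E WEB PAYMENT", -31042),
    Txn(date(2012, 5, 15), "ACME LLC DEPOSIT", 450000),
    Txn(date(2012, 5, 16), "WIRE TRANSFER OUT", -980000),
]


def reconcile(books, bank, window_days=3):
    """Pair each bank item with one book entry of the same amount that was recorded
    within window_days of the clearing date.

    Returns (bank items with no book entry, book entries that have not cleared)."""
    open_books = list(books)
    unexplained = []
    for item in bank:
        match = next(
            (k for k in open_books
             if k.amount_cents == item.amount_cents
             and abs((item.when - k.when).days) <= window_days),
            None,
        )
        if match is None:
            unexplained.append(item)
        else:
            open_books.remove(match)  # a book entry explains at most one bank item
    return unexplained, open_books


def unauthorized_debits(books, bank, window_days=3):
    """The items to raise with the bank immediately: money that left the account
    without any corresponding book entry."""
    unexplained, _ = reconcile(books, bank, window_days)
    return [t for t in unexplained if t.amount_cents < 0]


def over_limit(bank, limit_cents):
    """Debits larger than the per-transfer ceiling agreed with the bank.
    The ceiling is a constructed value; the article only suggests asking whether
    such limits are offered."""
    return [t for t in bank if -t.amount_cents > limit_cents]


if __name__ == "__main__":
    for t in unauthorized_debits(BOOKS, BANK):
        print(f"UNEXPLAINED DEBIT  {t.when}  {t.description:<22} {t.amount_cents / 100:>10.2f}")
    for t in over_limit(BANK, 900000):  # constructed $9,000 per-transfer ceiling
        print(f"OVER LIMIT         {t.when}  {t.description:<22} {t.amount_cents / 100:>10.2f}")
```

Run against the sample data, the four legitimate items pair off and the $9,800 wire is reported both as unexplained and as over the limit; the point of running it daily rather than monthly is that an unexplained debit surfaces while a recall is still possible.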
Protect your Windows systems when they go online. The computer you use to go online and do your business banking and accounting transactions should not be the most out-of-date and unprotected computer you own. Ensure that you have an up-to-date operating system and an up-to-date browser for online banking. On a system that you dedicate to online banking, install an alternative browser like Chrome and ensure it’s kept up to date. Ensure that your antivirus is up to date and not the original one that shipped with the computer, which could now be months or years out of date. Maintain the updates on that system by setting your computer to automatically download and install updates, and by ensuring the machine is opted into Microsoft Update on Windows. For Windows, click on the Start Button > Control Panel > System and Security. Click on Turn Automatic Updates On or Off and then ensure that Give Me Updates for Microsoft Products is selected. This ensures you receive updates for Windows as well as patches for Office.
Newer is Better
Ensure everything else is up to date. There are third-party programs, such as Java, QuickTime, Flash, Adobe Acrobat and Reader, that need updates, and these programs have been used in past attacks. I recommend a free tool called Secunia PSI that will scan your computer and offer updates for the majority of the third-party programs used in online attacks.
Keep Your Cool with a Firewall
Consider a security suite that monitors for more than just viruses. While I’m not a fan of firewalls that constantly alert you to outbound connections from your machine and give confusing alerts, you may wish to install one on a computer that you use for online banking. On a normal computer they typically alert too much, reacting to any sort of connection a website makes from your system. But on a computer dedicated to online banking, you may wish to review outbound connections to ensure that only those you authorize are being made.
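On a dedicated banking machine the set of expected outbound destinations is small, which is what makes the review the column describes workable. As an added illustration (not code from the column or any product it mentions), the script below reads the output of the Windows `netstat -ano` command, keeps only established TCP connections to non-local addresses, and reports any whose remote address is outside an allowlist of expected ranges together with the owning process ID. The netstat text and the allowlisted range are constructed samples; the real range would come from your bank or be built up from a few days of normal use.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not a real capture). The established
# connection to 198.51.100.77 is the kind of thing this review is meant to surface.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49733     198.51.100.77:8080     ESTABLISHED     6021
  TCP    [::1]:49740            [::1]:445              ESTABLISHED     5244
  UDP    0.0.0.0:5355           *:*                                    1532
"""

# Constructed allowlist: the address ranges this machine is expected to talk to.
# 203.0.113.0/24 is a documentation range standing in for the bank's real servers.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_netstat(text):
    """Turn `netstat -ano` rows into (proto, remote_ip, remote_port, state, pid) tuples.

    Only TCP rows are kept: UDP rows have no State column and no connection to review."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, _local, remote, state, pid = parts
        host, port = remote.rsplit(":", 1)   # split on the last colon; IPv6 has many
        host = host.strip("[]")              # IPv6 remotes are printed as [addr]:port
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                         # e.g. a "*" placeholder
        conns.append((proto, ip, int(port), state, int(pid)))
    return conns


def unexpected_connections(text, allowed_nets):
    """Established connections to remote addresses outside the allowlist.

    Loopback and unspecified addresses are local to the machine and skipped."""
    flagged = []
    for _proto, ip, port, state, pid in parse_netstat(text):
        if state != "ESTABLISHED":
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        if any(ip in net for net in allowed_nets):
            continue
        flagged.append((str(ip), port, pid))
    return flagged


if __name__ == "__main__":
    # In practice feed in live output, e.g. the result of running `netstat -ano`.
    for ip, port, pid in unexpected_connections(SAMPLE_NETSTAT, ALLOWED_NETS):
        print(f"REVIEW: PID {pid} is connected to {ip}:{port}, not in the allowlist")
```

The report names the process only by PID; on Windows, `tasklist /FI "PID eq 6021"` shows which executable owns it. A connection from a process that is not the banking browser, to an address the bank has never used, is exactly the kind of item worth asking about before the next transfer.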
Wary of Wireless
Be cautious when connecting to wireless access points. How many times have you connected to a wireless connection in a hotel or an airport and not taken the time to ensure the connection is the actual wireless access provided by the airport and not a rogue access point? Do you have any assurance that the connectivity is secured? Wouldn’t it be better to use the wireless access point to merely provide you access so you can then VPN or tunnel back to a secured connection and use that location to do any sort of banking transaction? Or, better yet, wait until you get back to a more secure connection before performing any sensitive transactions?
Don’t assume that another platform will be more secure. Too many computer users believe a non-Microsoft platform will be more secure. A recent malware attack that led to Apple releasing a tool to remove the malware from systems shows us that the days of fewer attacks on alternative systems are coming to an end. As we move to electronic payment systems on mobile platforms, and toward more use of non-Microsoft platforms, thinking that this alone will ensure you are safer is fast becoming a myth. Check that the security systems on your devices, from mobile phones to laptops to tablet devices, are updated.
More and more of our clients could face these online threats. And more and more of us CPAs could suffer these same online security issues. Be diligent, vigilant and always on guard.
Susan E. Bradley, CPA, CITP, MCP, GSEC is a partner with Tamiyasu, Smith, Horn and Braun.