The FBI and the American Bankers Association advise

Jan 4, 2010 17:28 GMT

Following a flurry of incidents where hundreds of thousands of dollars have been siphoned from the bank accounts of small businesses and public institutions, the Federal Bureau of Investigation (FBI) and the American Bankers Association (ABA) advise using dedicated computers for online banking operations. This unusual security model should severely limit the exposure to malware threats for the PCs in question.

The level of Automated Clearing House (ACH) transfer fraud rose significantly last year, prompting serious concerns from the authorities. These fraudulent schemes are complex and usually leave little evidence behind to help investigators or the victims looking to recover their losses.

Such attacks usually start with a computer trojan infecting a computer used for online banking at an institution. Thousands of different versions of these trojans are released every month in order to bypass the detection mechanisms of antivirus software.

Once on the computer, the malware watches for browsing sessions to known online banking websites and captures information such as authentication credentials or account balances. Subsequently, the attackers direct the trojan to initiate batches of fraudulent transfers to bank accounts belonging to various U.S. residents who have been tricked into working for them.

The latter are known as "money mules" and are usually recruited by fake foreign companies under the promise of a profitable work-from-home job. Their task is to receive money allegedly coming from customers of the company and wire it out of the country, while keeping a commission for themselves.

Unfortunately for companies, they are not protected by the same laws as general consumers. While banks will reimburse the losses caused by fraud when personal accounts are involved, they are not required to do so for business accounts. They can recall transfers as long as the money has not been withdrawn and wired, but if the latter happens, it is almost certainly lost.

USA Today reports that the feds' recommendation regarding the use of a dedicated PC for online tasks is based on reducing possible infection vectors: apparently, browsing to unrelated websites or checking email from it should be banned. The companies are also advised to request out of bank payment confirmation.

We'll go even further and suggest that the dedicated computer use Linux, FreeBSD, or even Mac OS X, if that suits you better. We're not trying to start a controversy over which operating system is better or more secure. In fact, this has nothing to do with the security of the operating system itself, but with the fact that 99.9% of these trojans were constructed for Windows and will fail to run on anything else.

The easiest approach is downloading a Linux live CD, booting from it, performing the online banking tasks, then removing it and restarting back into Windows. Need to open an Excel spreadsheet, browse, check email or access network storage? The Ubuntu Linux live CD will allow you to run Firefox and OpenOffice and perform most of the basic tasks without installing anything on the local disk.