Better get your CFO to review UCC Article 4A and realign protocols with your business bank
The clear and present danger to our banking through malware hits at the heart of our economy: the SMB. Stealthy malware-based theft of funds starts the clock ticking much quicker than most SMB owners realize, and without action within 48 hours, the loss may be the SMB’s.
SMBs are defined as Small to Medium Sized Businesses. These range from Mom and Pop Shops up to 500 employees.
Forget one-offs like credit card and debit card fraud; imagine all of your company’s payroll transferred out just a few days prior to payday due to malware and targeted spear phishing of a compromised employee’s Facebook account. A banking Trojan like ZeuS, combined with the tactics recently described by the FBI’s top cybercops, can make that come true.
Worst case: if your SMB’s financial team doesn’t catch Automated Clearing House (ACH) theft quickly, your bank may tell you that it is not liable and that you are on the hook for the amount and any overages, and it may even tap your previously approved line of credit without your permission. Right now lawsuits between businesses and their banks are breaking out virtually all over the country because of this.
We at the ThreatBlog will be increasing our coverage of legislation that makes a difference to you in the days and weeks to come. Krebs on Security has been doing a long series in the Washington Post on the impact of banking Trojans on mom-and-pop businesses, particularly on FDIC regulation, which, according to one competitor’s recent survey, most Small to Medium Sized Businesses (SMBs) are not aware of.
Brian Krebs has been tracking the issue for the past year and has developed specific sources and reported many case studies through his direct efforts to figure out this gap in consumer knowledge of banking, as well as the ‘fair disclosure practices’ of the banks themselves. According to this Washington Post article written by Krebs in 2009:
If I were still back in my legal research and white collar crime investigative days, I would be pressing my legal team to explore the culpability of banks under the new 2009 legislation to see whether a case precedent could be made requiring banks. If you’re a consumer victim, here’s where to file complaints under the EFT Act: check out the dedicated FTC site dealing with consumer protections.
As far as I recall, the FTC does not deal directly with business banking. I’m sure someone will correct me in the comments if it does. IRAC’d out, my stipulation for immediate and effective protection would be:
Banks currently do not effectively disclose the risk inherent in business ACH and online banking. This can and should be clarified within the UCC through legislation concerning cybersecurity or banking regulation.
Part 1 – Business banking falls under the UCC, not consumer-based protection such as the EFT Act.
Part 2 – Consumers (business banking decision makers) have not been effectively warned of the differences, which may not comply with Federal Trade Commission guidelines set for consumers.
Consumer protection should cover business-to-business consumption of banking products as well as direct consumer protection. The UCC business rule should be set along the lines of the EFT Act in order to effectively protect SMBs, which have been identified as the heart and soul of our economy. Additionally, further investigative and intelligence efforts should be undertaken to determine whether this effective cybercriminal initiative has been supported by foreign state action.
Examine the following Senate 773 legislation, first discussed in a recent post by Dan Clark and later in another post authored by me. Think of this as a longer-term solution to the key issue of the FDIC’s hands-off approach to businesses victimized by banking Trojan malware such as the ZeuS Banking Trojan. Specific language supporting regional cybersecurity centers includes a focus on SMBs.
Click here for a map of the incidents Krebs has been reporting on. Examine it. Think about doing something: the job you save by taking action today may be your own.
Securing Our eCity Contributing Writer
Author ESET Research, ESET