Internet Banking Best Practices & Controls
CLIENT BEST PRACTICES & CONTROLS FOR BUSINESS ONLINE BANKING
ACCOUNT CONTROLS & RECOMMENDATIONS:
- Clients should be proactive in learning about account features that can protect their accounts, such as daily transaction limits, security alerts and secure access codes.
- Recommend reconciliation of all banking transactions on a daily basis, preferably at beginning and end of day.
- Recommend customers initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer, using separate computers.
- Recommend out-of-band authentication at the transaction level. This requires a secure access code sent to your phone via voice call or text message.
- Review online banking user IDs and access levels with the bank on a regular basis (this ensures additions, deletions and access changes are correct).
- Do not use user IDs that contain sensitive information, such as an account number or Social Security Number.
- Create a strong password with at least 8 characters that includes a combination of mixed case letters, numbers and special characters.
- Do not share usernames and passwords.
- Change the password a few times each year, even more often than the institution requires.
- Clients must familiarize themselves with the institution's account agreement and with their liability for fraud under that agreement.
- Immediately escalate any suspicious transactions to the financial institution, especially ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent further loss.
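The dual-control, daily-limit and out-of-band controls recommended above can be enforced in software as a single approval workflow. The following is an added illustration, not the bank's own system or code: a payment is originated by one user, a one-time code is issued (in a real system it is sent to the authorizer's phone and never returned to the browser session), and a different user must present that code before the payment is approved, with the daily limit re-checked at approval time. All names, identifiers and amounts are constructed for the example.

```python
"""Dual-control payment approval with a daily limit and a one-time
out-of-band code. Constructed example: every identifier is hypothetical.
Amounts are integers in cents to avoid floating-point rounding."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class ControlViolation(Exception):
    """Raised when a payment fails one of the configured controls."""


@dataclass
class Payment:
    payment_id: str
    amount_cents: int
    originator: str
    authorizer: Optional[str] = None
    status: str = "pending"        # pending -> approved | rejected


class PaymentControls:
    """Enforces separate originator/authorizer, a daily limit and an OOB code."""

    def __init__(self, daily_limit_cents: int) -> None:
        self.daily_limit_cents = daily_limit_cents
        self.approved_today_cents = 0
        self._pending_codes: Dict[str, str] = {}   # payment_id -> one-time code
        self._counter = 0

    def originate(self, user: str, amount_cents: int) -> Payment:
        if amount_cents <= 0:
            raise ControlViolation("amount must be positive")
        # Reject early if this payment alone would breach the daily limit.
        if self.approved_today_cents + amount_cents > self.daily_limit_cents:
            raise ControlViolation("daily transaction limit exceeded")
        self._counter += 1
        return Payment(f"PMT-{self._counter:04d}", amount_cents, user)

    def issue_code(self, payment: Payment) -> str:
        """Generate a 6-digit one-time code. A real system delivers it by
        SMS or voice call; it is returned here only so the example can run."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_codes[payment.payment_id] = code
        return code

    def authorize(self, payment: Payment, user: str, code: str) -> Payment:
        if payment.status != "pending":
            raise ControlViolation("payment is not pending")
        # Dual control: the approver must be a different person.
        if user == payment.originator:
            raise ControlViolation("originator may not authorize own payment")
        expected = self._pending_codes.pop(payment.payment_id, None)  # single use
        # Constant-time compare; a missing code never matches.
        if expected is None or not hmac.compare_digest(expected, code):
            payment.status = "rejected"
            raise ControlViolation("out-of-band code invalid")
        # Re-check the limit at approval time: other payments may have
        # been approved since this one was originated.
        if self.approved_today_cents + payment.amount_cents > self.daily_limit_cents:
            payment.status = "rejected"
            raise ControlViolation("daily transaction limit exceeded")
        payment.authorizer = user
        payment.status = "approved"
        self.approved_today_cents += payment.amount_cents
        return payment


def violates(action: Callable[[], object]) -> bool:
    """True if the action is blocked by a control, False if it succeeds."""
    try:
        action()
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    ctl = PaymentControls(daily_limit_cents=10_000_00)      # $10,000/day
    pmt = ctl.originate("alice", 6_000_00)
    code = ctl.issue_code(pmt)
    print("self-approval blocked:", violates(lambda: ctl.authorize(pmt, "alice", code)))
    print("approved by bob:", ctl.authorize(pmt, "bob", code).status)
```

The design choices worth noting: the code is popped before comparison so it can only be tried once, the comparison uses `hmac.compare_digest` rather than `==`, and the limit is checked both at origination and at approval because the daily total can change in between.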
INTERNET CONTROLS & RECOMMENDATIONS:
- Never access bank, brokerage or other financial services information at Internet cafes, airports, hotels, public libraries, or on any other network that you do not control. Unauthorized software may have been installed to capture account numbers and sign-on information, leaving the customer vulnerable to fraud.
- Online banking users should question the authenticity of every email. Phishing email often appears to be from a financial institution, the IRS, FDIC, NACHA, FBI or another government agency. It may also appear to be from a known source, such as UPS or FedEx, and may request account information or verification of banking credentials. We will not send you an email stating that our website is down or that your credentials have expired. Do not open such an email: opening file attachments or clicking on links could expose the system to malicious code that could hijack your computer. You may forward suspicious-looking emails to: firstname.lastname@example.org .
- Use a unique password for each website that you access. Using the same password for Online Banking that you use for other online accounts may put your account at risk if someone is able to capture that password.
- Verify that the browser shows a secure session (https, not http) for all online banking and whenever submitting or handling sensitive information online.
- Avoid using an automatic login feature that saves usernames and passwords for online banking.
- After using online banking, be sure to log out of the session and close out the Internet browser. Never leave a computer unattended while accessing online accounts.
- Watch out for sudden pop-up windows asking for personal information or warning of a virus, or a warning of virus protection that has expired. This is called “scareware” because it frightens people into providing information, downloading malicious software or paying for removal.
- Pay attention to the toolbars at the top of your screen. Current versions of the most popular Internet browsers often will indicate if you are visiting a suspicious website.
- Be careful when downloading software onto a cell phone. Software downloaded to a phone can contain spyware or malicious code that could give an attacker access to your online banking application. Before downloading online banking software, check with the financial institution to make sure the option is safe and supported.
- Consider purchasing Cyber fraud insurance and “session protection” technology, such as those provided by Trusteer and Prevx.
- Subscribe to the FDIC Consumer News. This provides practical guidance on how to become a smarter, safer user of financial services, and prior issues are also available. To subscribe or view prior newsletters, go to www.FDIC.gov and search for “FDIC Consumer News.”
SYSTEM CONTROLS & RECOMMENDATIONS:
- Conduct all online banking activities from a dedicated, hardened and completely locked down computer. Do not allow access to any email or websites other than the online banking site.
- Remove administrator rights on users' workstations to help prevent the inadvertent installation of malware or viruses.
- Install anti-virus and desktop firewall software on all computer systems. Ensure virus protection and security software are updated regularly; anti-virus software is only effective if it has the most recent signatures and updates.
- Consider a dedicated, actively managed hardware firewall, especially if you have a broadband or dedicated connection to the Internet, such as DSL or cable.
- Ensure computers are patched regularly with security patches, especially operating system and key applications.
- If you outsource IT work, choose a reputable company or a qualified technical professional to manage your computer systems and network. The security of all of your company’s data and information depends on the capabilities of the IT staff who maintain it.
If you have any questions about any of these suggestions/best practices, please refer to your company IT department or IT consultant.
These recommendations were compiled from multiple industry sources, including the FDIC and NACHA, for business customers that want to protect their online banking credentials and strengthen ACH and wire transfer security.