ACH Fraud: 7 Tips for Secure Transactions
Start with a Dedicated Computer, Then Monitor Access Closely
1. Use a Dedicated Machine
Computers are relatively inexpensive; use a separate, dedicated machine for all of your online financial transactions. If multiple people need transaction access, each person must have an additional, separate computer, or use terminal services to create a system of clients and dumb terminals.

3. Segregate It from the Network
This dedicated machine must not be part of a Windows domain. Use a local administrator account, not a domain account, for the work that touches account access information. This avoids the "Clampi effect," in which one compromised machine leads to a fully infiltrated network where miscreants can more easily steal sensitive account information.

4. Turn Off the Computer When Not in Use
As trivial as this sounds, shut the machine down when it is not in use; this limits your exposure. Many modern worms and trojans exploit vulnerabilities in the Windows operating system and, contrary to popular belief, do not require the user to have taken any action such as opening an email or visiting a malicious website.

5. Monitor Traffic
Implement firewall/proxy instrumentation on both your ingress and egress points, monitoring and logging all traffic to and from the machine so that unauthorized access is denied from whichever side it originates. The machine should be used for financial transactions only; all network traffic that is not essential to that business should be denied to and from this machine.

6. Regulate Changes
Implement a change management process for any work to be done on machines performing financial transactions (this should include any changes to proxy or firewall settings that could affect these machines). Changes must require approval from multiple parties. Convenience is not an acceptable reason to open access.

7. Think Virtual
Virtualized environments are another option; the solution can serve multiple employees, or employees who travel and need to perform financial functions on the road. Again, computers are cheap; use a netbook or comparable alternative dedicated exclusively to financial transactions.

8. Mind Your Media
Use dedicated bootable media (CD, DVD or USB) when performing financial transactions. One could go a step further and remove the ability to write to the hard drive, so that nothing can be stored on the machine other than the core operating system and key applications.
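Tip 4 calls for logging all traffic to and from the dedicated machine and denying anything that is not bank business. The following script is an added example, not part of the original article: it reads Windows Firewall log lines in the W3C format the firewall writes (the sample lines, the bank addresses and the allow-list are constructed placeholders) and flags every ALLOWed outbound connection to a destination outside the bank allow-list, and every ALLOWed inbound connection at all.

```python
"""Audit a dedicated finance workstation's firewall log against an egress allow-list."""

# Assumption (placeholder): the only destinations this machine may reach.
BANK_ALLOWLIST = {("203.0.113.10", 443), ("203.0.113.11", 443)}

# Constructed sample log in the Windows Firewall W3C extended format.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:01:12 ALLOW TCP 192.168.1.20 203.0.113.10 51000 443 0 - 0 0 0 - - - SEND
2024-01-15 09:02:40 ALLOW TCP 192.168.1.20 198.51.100.7 51001 443 0 - 0 0 0 - - - SEND
2024-01-15 09:03:05 DROP TCP 192.168.1.20 198.51.100.8 51002 80 0 - 0 0 0 - - - SEND
2024-01-15 09:04:11 ALLOW TCP 192.168.1.77 192.168.1.20 60000 3389 0 - 0 0 0 - - - RECEIVE
"""


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def find_violations(text, allowlist=BANK_ALLOWLIST):
    """Return (time, reason, remote) for each ALLOW that breaks the dedicated-machine policy."""
    findings = []
    for rec in parse_log(text):
        if rec["action"] != "ALLOW":
            continue  # DROPs are the policy working; only permitted flows matter here
        if rec["path"] == "RECEIVE":
            # Nothing should be allowed to connect in to this machine.
            findings.append((rec["time"], "inbound allowed", f'{rec["src-ip"]}:{rec["dst-port"]}'))
            continue
        dst = (rec["dst-ip"], int(rec["dst-port"]))
        if dst not in allowlist:
            findings.append((rec["time"], "egress outside allow-list", f"{dst[0]}:{dst[1]}"))
    return findings


if __name__ == "__main__":
    for when, reason, remote in find_violations(SAMPLE_LOG):
        print(when, reason, remote)
```

Run it against the real log (pfirewall.log) on a schedule; any output is either a firewall rule that is too loose or a flow that should be investigated.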
Source: Rodney Joffe, Senior Technologist at Neustar, Inc., a Sterling, VA-based security firm.