Channel: AccountRight: Installing and upgrading topics

Take Care! - Who else has access to your online MYOB file?


In the desktop environment a fraudster needed access to your premises to perpetrate a fraud via your MYOB company file. With online files they can do it from anywhere, and at any time.

Earlier I was contacted by a MYOB company file user asking who could change BSB and account numbers on a Supplier Card on an online company file. Answer: anyone who can log in and has access permission to the Cards File.

Situation:

Two Suppliers contacted the business owner advising payments were not received, $22k in total. Enquiries revealed payments were made, but to different BSB and account numbers than those provided by the Suppliers; these had been changed since last week's payments were made.

The owner contacted MYOB to be told it had to be an 'inside job', in other words it wasn't done by hacking the MYOB online servers. MYOB also advised that changes to a Supplier's BSB and account number are not tracked by the Audit Trail. It seems this is an 'idea' that needs votes: http://community.myob.com/t5/AccountRight-Idea-Exchange/Log-changes-to-Supplier-BSB-and-Account-Numbers/idi-p/279403

Most don't understand the implications until affected by fraud. Then they too can't believe MYOB doesn't automatically track this. In my view this should not be an 'idea', it should be a 'given'.

It was suggested the owner analyse all logins over the week to try to pinpoint which user made the change. I also suggested they look for any password resets (not sure if this is tracked by the audit log or not, but it absolutely should be). On some systems a fraudster who has access to an insecure email system can easily gain access by triggering a password reset and then intercepting the system-generated email. Not sure if MYOB online files can have access passwords reset this way or not.

Just had a follow-up call about the matter. The owner has only one trusted employee with access to the Card File, as well as the IT consultant. By analysing log-ins and backups, the owner tracked the change to a late-night log-in under the IT consultant's credentials. The IT consultant denied making the change and the late-night log-in.

It seems a security issue at the IT consultant's was to blame. The fraudster (possibly another client or former employee of the IT consultant) somehow obtained access to the passwords used and accessed at least two unrelated client files.

While the blame game goes on, the owner is $22k out of pocket.


Recommendation 1:

If your file is hosted online, review who has access and at what level (permissions). While you may have complete trust in your IT consultant, bookkeeper, accountant etc., you have no control over the security of their systems. A breach in their office can put your online data at risk.

Recommendation 2:

Enforce regular password changes, and don't share one password across systems or files. We all get comfortable with a password and use it for a long time, sometimes on multiple systems/files, which means a breach anywhere that password is used can open your company file. Despite the best security systems, online files present additional risks compared with desktop files: all a fraudster needs is an email address and a password.

Recommendation 3:

From an audit log perspective, give each user their own login credentials. The 'Administrator' login should be used only when essential and only by one specific user, so that every entry in the log can be tied to a person.

Recommendation 4:

Regularly check access logs. A fraud based on a BSB and account number change can only last a short while; it will be detected and stopped once suppliers chase their missing payments. But a competitor with access to your data who is interested in stealing a client rather than your cash may last longer and be harder to detect. When was the last time you checked who logs into your online file?
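The two checks described above (comparing supplier bank details between backups, and going through the sign-in history for the window in which the change must have happened) as a worked example. This is an added illustration, not part of Gavin's post and not MYOB's own tooling: the CSV column layout, the user names, the dates and the business-hours cut-off are all constructed for the example, and you would substitute whatever your exported card list and sign-in history actually contain.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample data (not a real MYOB export): supplier cards from last
# week's backup and from the current file, plus a sign-in history.
SUPPLIERS_LAST_WEEK = """\
card_id,name,bsb,account
S001,Acme Timber,062-000,12345678
S002,Bolt Supplies,033-100,87654321
S003,Coastal Freight,012-300,55551234
"""

SUPPLIERS_THIS_WEEK = """\
card_id,name,bsb,account
S001,Acme Timber,062-000,12345678
S002,Bolt Supplies,062-999,99990001
S003,Coastal Freight,012-300,55551234
"""

SIGNIN_HISTORY = """\
timestamp,user
2015-03-02 09:05:00,owner
2015-03-02 09:12:00,bookkeeper
2015-03-03 23:41:00,itconsultant
2015-03-04 08:58:00,owner
2015-03-05 10:30:00,bookkeeper
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_suppliers(text):
    """Map card_id -> (name, bsb, account) from a CSV export (assumed layout)."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["card_id"]: (row["name"], row["bsb"], row["account"]) for row in reader}


def changed_bank_details(before_text, after_text):
    """Return (card_id, name, old_bsb/account, new_bsb/account) for every
    supplier whose banking details differ between the two exports.
    This is the check the Audit Trail does not do for you."""
    before = parse_suppliers(before_text)
    after = parse_suppliers(after_text)
    changes = []
    for card_id, (name, bsb, acct) in after.items():
        if card_id in before:
            _, old_bsb, old_acct = before[card_id]
            if (bsb, acct) != (old_bsb, old_acct):
                changes.append((card_id, name, f"{old_bsb}/{old_acct}", f"{bsb}/{acct}"))
    return changes


def suspicious_signins(log_text, window_start, window_end,
                       business_hours=(time(8, 0), time(18, 0))):
    """Return (timestamp, user, after_hours) for every sign-in between the
    last known-good backup and the discovery of the change. Sign-ins outside
    business hours are flagged; they are the first ones to ask about."""
    start = datetime.strptime(window_start, TS_FORMAT)
    end = datetime.strptime(window_end, TS_FORMAT)
    reader = csv.DictReader(io.StringIO(log_text))
    hits = []
    for row in reader:
        ts = datetime.strptime(row["timestamp"], TS_FORMAT)
        if start <= ts <= end:
            after_hours = not (business_hours[0] <= ts.time() <= business_hours[1])
            hits.append((ts, row["user"], after_hours))
    return hits


if __name__ == "__main__":
    for card_id, name, old, new in changed_bank_details(SUPPLIERS_LAST_WEEK, SUPPLIERS_THIS_WEEK):
        print(f"CHANGED {card_id} {name}: {old} -> {new}")
    # Window: from last week's payment run (the last time the details were
    # known to be right) to the morning the suppliers called.
    for ts, user, after_hours in suspicious_signins(SIGNIN_HISTORY,
                                                    "2015-03-02 12:00:00",
                                                    "2015-03-04 09:00:00"):
        flag = "AFTER HOURS" if after_hours else ""
        print(f"{ts} {user} {flag}")
```

Run it on the constructed data and the only changed card is Bolt Supplies, and the only after-hours sign-in in the window is the late-night one under the IT consultant's credentials, which is exactly the correlation the owner made by hand. The point of narrowing to the window between the last good backup and the discovery is that it turns "who could have done it" (everyone with Cards File access) into "who actually signed in when it happened".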


Regards

Gavin

