Our soccer club is a moderate size club – about 1000 kids – which isn’t huge by metropolitan standards, but it certainly keeps us busy. We offer Recreational, Travel, and Special Needs soccer programs to area youth. We do everything we can to keep costs low, but our annual budget is still in excess of $100,000. We don’t pay for facilities (use municipal fields) or coaching/staff (all volunteers). Imagine the amount of money that flows through a bigger league with facilities expenses and coaching salaries.
Soccer clubs (and many other youth sport organizations) process hundreds of thousands of dollars a year, with 5-6 figure balances in their accounts when registration fees are collected. This makes them prime targets for cyber criminals. Think about it – what would happen to your soccer club if your treasurer logged into your account to find that 5-6 figure balance gone? Transferred out to a foreign country, often via unwitting ‘mules’, with little chance of recovering it? Could the club survive? Would you have to declare bankruptcy? Could you maintain possession of facilities and other assets your club (or more often your funding bank) own if you couldn’t pay the loans? Do I have your attention yet?
Part of the reason I haven’t been writing as much lately (besides coaching four teams – insanity!) is I also opened an IT Services business in town recently which takes up a lot of time. Despite 15+ years of IT experience, I’m still amazed at how many computers are infected every day. The bulk of my repair business is cleaning infected machines. While many are familiar with the ‘fake’ anti-virus programs and other infections, they often hide more dangerous infections that make PCs part of botnets like Zeus, which are used for criminal purposes. These infections, often undetectable by modern anti-virus programs, capture login credentials for bank accounts, credit cards, social networks, and more. Many computer users mistakenly believe you have to actually ‘click’ on something to be infected. However, many infections are ‘drive-by’ in nature. You visit a website that has been compromised and your browser loads malicious code that takes advantage of an unpatched (or worse, unknown) vulnerability in the browser, or in common add-ons like Adobe’s Flash and Acrobat Reader, or Sun’s Java. The add-ons are more dangerous because they can be exploited regardless of the browser in use and tend to be updated less frequently.
In other words, your club treasurer could visit a Fortune 500 company website that has been quietly compromised and have their computer infected without even realizing it. Their anti-virus software doesn’t catch the infection, and the next day they log in to your club’s bank account to check the balance, transfer funds, or pay club bills. A week later, the account is cleaned out by a series of sub-$10,000 wire transfers. Think this is unlikely? Guess again: many small and medium sized businesses have been hit by this, as well as non-profits. Brian Krebs, a well-known writer and security analyst, has been highlighting the issue at his blog Krebs on Security. Reading just a few of those stories is frightening as both a club president and small business owner.
Another common misconception, that many of these businesses and organizations learn the hard way, is that fraud losses to commercial accounts are rarely covered by the bank. If they can’t reverse the transfers (often impossible more than 24 hours after they happen), the money is gone. Criminals are catching on quickly – online bank thefts now exceed ‘real’ bank robberies. You can often steal much more and with much less risk. While the prevalence of fraud is causing many companies to switch banks, it’s unclear if it’s enough of a problem to force banks to help customers with better security practices.
Do you believe the threat is real yet? Have you seriously considered what would happen to your club if the bulk of your money was taken via fraud? Do you have insurance that would cover the loss if your bank doesn’t? Do you check your account daily to monitor for fraud? These are all serious questions that I fear many organizations don’t have good answers to.
So what can you do to protect yourself? Here are a few things that can help:
- Restrict who has access to your club accounts to a select few.
- Limit the use of debit cards or disable their use entirely and use a club credit card paid off monthly instead. The fraud coverage is better.
- Change the access credentials to your online accounts at least once a season.
- Do not access your accounts online with a Windows PC. I cannot stress this enough. Instead use a Mac, or even better a Linux based ‘Live CD’. Live CDs are extremely secure since they can’t be ‘compromised’, even if the computer itself is, because they run off the pristine read-only CD and nothing written during a session survives a reboot. Remove the CD and your normal operating system will boot. Two caveats: the protection only holds if the image you burn is the genuine one (verify the download against the checksum the distribution publishes before burning it), and it only holds if the medium really is read-only, so use a finalized CD-R rather than a writable USB stick. Brian Krebs put together a great tutorial on how to download and use a Live CD to access online accounts. Expect banks to finally wake up and start to offer real fraud coverage if you limit yourself to Live CD access to your accounts, or something similar.
- See if your bank offers a type of account that you can transfer money into easily, but require a branch visit to transfer money out of. Then keep only a workable balance in the main checking account, with the rest parked in a more secure account (preferably earning some interest).
- See if your bank can flag your account to either disable wire transfers (have you ever used one?), or require two different sets of credentials from two different people. Wire transfers can wipe an account out in no time. This still leaves debit card fraud, but that is subject to transaction limits and better fraud detection.
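One step in the Live CD advice above that is easy to skip is confirming that the image you downloaded is the one the distribution actually published. The shell function below is an added example and is not from the original post or from the Krebs tutorial; it assumes the distribution publishes a SHA256SUMS file in the usual `<hex digest>  <filename>` format next to the ISO (the file name `verify_iso.sh` and the function name are mine). Run it on the ISO before burning; a mismatch means the download was corrupted or tampered with and must not be used.

```shell
#!/bin/sh
# verify_iso.sh - added example, not part of the original post.
# Check a downloaded Live CD image against the distribution's published
# SHA256SUMS file before burning it.
#
# Usage: verify_iso <image.iso> <SHA256SUMS>
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.

# Print the SHA-256 digest of a file; falls back to shasum on systems
# (e.g. macOS) that lack GNU sha256sum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the published digest for a file name in a SHA256SUMS file.
# Entries look like "<hex>  <name>" or "<hex> *<name>" (binary mode marker).
published_sha256() {
    awk -v f="$2" '$2 == f || $2 == ("*" f) { print $1; exit }' "$1"
}

verify_iso() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")

    expected=$(published_sha256 "$sums" "$name")
    if [ -z "$expected" ]; then
        echo "ERROR: $name is not listed in $sums; do not burn it" >&2
        return 2
    fi

    actual=$(file_sha256 "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi

    echo "MISMATCH: $name does not match the published SHA-256; do not burn it" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone invocation: verify_iso.sh <image.iso> <SHA256SUMS>
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

The checksum file itself should come from the distribution's own site over HTTPS (or be checked against its signature where one is offered), otherwise an attacker who can swap the ISO can swap the checksum too.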
This is one of those things that people don’t take seriously until it’s too late. Just like anchoring soccer goals. It’s a hassle to do properly and consistently, and it’s easy to think “we’ve never had a goal tip over” until it’s too late and your club is facing a multi-million dollar liability lawsuit. I’ll admit that my own club isn’t doing all of the above currently, but we are working to implement most, if not all of them. In our short 7 year history, we’ve already had a debit card compromised once, with thousands of dollars in fraudulent charges (which the bank, thankfully, covered). It can happen to any of us without warning – we still have no idea how they got our number.
Criminals don’t care if you’re a for profit business or a non-profit youth organization. They just want your money. So take steps to protect your club – if you aren’t in a position to enact these changes, send this to someone who is and make sure it gets done. Ask for a report at the next general meeting highlighting the steps that have been taken to protect the club’s assets. Our kids are worth it!