Account Takeover: Better or Worse?
Experts Say Attacks Continue, But Defenses Have Improved
But have these efforts actually curbed fraud losses and takeover incidents, or are we just hearing less about them?
In the absence of any hard statistics on 2011 fraud incidents, industry experts rely on their opinions - which vary. Some say attempted incidents are up, but fraud losses are down - a credit to the security systems and processes institutions have implemented. Others say the incidents and losses continue to climb, but more institutions and commercial customers are settling their differences out of court - hence avoiding the reputation hit from bad publicity.
"We don't expect the number of attacks to necessarily decrease," says Doug Johnson, vice president of risk management policy for the American Bankers Association. "But we do expect the measures institutions put in place to be more successful."
ACH Fraud Trends
The current wave of ACH fraud incidents began in mid-2009. Today, ACH fraud losses in the U.S. total about $100 million per year, according to the Federal Bureau of Investigation, though industry pundits suggest that figure is likely low, since not all fraud is reported. At a congressional hearing in September, Gordon Snow, assistant director of the FBI's cyber division, said the FBI is investigating more than 400 cases related to corporate account takeover incidents involving more than $255 million in attempted and successful fraud. [See ACH Fraud: Is This Progress?]
For context, First Data Corp. in 2010 estimated overall annual fraud losses, not just ACH, cost the U.S. financial and retail industries $200 billion.
NACHA - The Electronic Payments Association estimates the U.S. annually conducts between 15 billion and 19.4 billion ACH transactions.
Johnson of the ABA says there's little doubt attacks against corporate accounts increased in 2011, but he believes enhanced security measures are likely thwarting losses.
"Clearly, there is a lot of attention being paid to anomaly detection [one of the tenets of the FFIEC Authentication Guidance]," Johnson says. "Institutions are determining whether their existing authentication and fraud measures are able to pick up on anomalies, and they're making investments to improve detection."
Johnson suggests that while incidents of attempted ACH and wire fraud are up, losses are down. The ABA is evaluating results from a recent ACH-fraud survey, and it expects to issue an analysis soon. The analysis could reveal declining losses, similar to what the industry has seen in the realm of check fraud.
Johnson's view is supported by findings reported in August by the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC. In March, FS-ISAC's Account Take Over Task Force conducted a first-time survey about ACH- and wire-related fraud. [See ACH Fraud: The Impact on Banks.]
Errol Weiss, a member of the FS-ISAC task force, says the survey revealed positive results. Thirty-six percent of the takeover incidents reported in 2010 were stopped before fraudulent funds transfers were approved, an improvement from 2009, when only 20 percent of takeover attacks were detected before funds left the institution.
According to the survey of 77 U.S. financial institutions, 21 suffered from account takeover attempts sometime in 2009 and the first half of 2010. Among those 21 institutions, 108 takeovers were reported during the first six months of 2010. In 2009, only 86 takeovers were reported, although FS-ISAC did not say how many institutions were affected.
"Banks and customers are recognizing the situation sooner and are getting into response mode quicker, and so they're able to retrieve the funds before the transactions are irreversible," Weiss says.
ACH Fraud: Legal Wars
Legal disputes between small businesses and their banks after incidents of fraud drew attention to gaps in online user authentication practices, and they were ultimately one of the catalysts for federal regulators to issue the updated FFIEC Authentication Guidance.
The spirit of the guidance points the finger at banks and credit unions, saying they should have had better controls in place to prevent fraud. While commercial customers bear some responsibility, they should not be held solely accountable for measures their banking institutions should mandate and enforce, the FFIEC suggests.
The updated guidance notes the need for:
- Better risk assessments;
- Effective strategies for mitigating known online risks;
- Improved customer and employee fraud awareness. [See FFIEC Guidance: Focus on Awareness.]
Among the ACH and wire fraud disputes that have gone to trial, the decisions have been split.
One of the most notable was the case between Michigan-based Experi-Metal Inc. and Comerica Bank. The lawsuit revolved around who bears responsibility when financial losses result from online compromises.
In 2009, EMI sued Comerica for damages totaling more than $560,000 - funds EMI lost after Comerica approved fraudulent wire transfers that totaled more than $1.9 million. EMI won the case. [See Court Favors EMI in Fraud Suit.]
In another legal wrangle, between Maine-based PATCO Construction Inc. and the former Ocean Bank, now Peoples United, the court delivered a different legal outcome. In the PATCO case, spurred by the fraudulent ACH transfer of $545,000 in May 2009, a magistrate sided with the bank. PATCO is appealing the ruling.
Discretion Over Litigation?
Mark Patterson, co-owner of PATCO, says the lack of headlines about account takeover incidents is not necessarily an indication incidents have ceased. "What's the total number of losses that are occurring right now?" he asks. "I'm not sure anybody has that number. I just don't think small businesses know the threat that's out there."
Barry Rich, chief financial officer at Tennessee-based de novo CapitalMark Bank & Trust [$668 million in assets], says most banks and credit unions these days are simply addressing ACH- and wire-related losses more discreetly. [See Fighting ACH Fraud: A Case Study.]
"I think ACH fraud is still going on, but a lot of people are just waiting to see how the litigation is going to turn out on this," Rich says. "You may have the best commercial agreement in the world, but at some point, you have to weigh the cost of litigation against the proposed settlement, and you do that because it's the best way to resolve the problem and make it go away, before your reputation is damaged."
In some cases, institutions and customers don't necessarily know they've been fraud victims, says Randy Romes, a principal in the Information Security Services group at LarsonAllen LLP, a CPA firm. He says smaller institutions and commercial account holders are getting hit more now by ACH-linked fraud than they were even a year ago. "I don't think we're hearing as much because the banks and customers that are getting hit have, up to now, remained really unaware of the problem," he says. "I've been called into two or three situations in the last six weeks to respond or investigate, on the bank side and on the customer side."
Commercial customers still expect to be reimbursed when losses occur, and institutions are leery of initiating litigation that could lead to reputation-damaging headlines. "If it goes to trial, then financial institutions run the risk of the court saying or ruling that their controls were not adequate," Romes says. "If that's the case, then the financial institutions are not going to have a choice; the courts are going to decide what is reasonable. ... In the end, it's a big black eye for the bank, and potentially for the customer, and nobody wants the courts to decide this."