The Fraud Burden on Banks
How Many Incidents Can We Focus on at Once?
The EMI case, which is based on a $560,000 ACH fraud incident, ended Jan. 26, but still awaits a verdict. EMI claims Comerica could have prevented the fraud, had it invested in adequate security measures to pick up on suspicious and anomalous wire activity.
And Choice Escrow, which in November 2010 sued its former bank, BancorpSouth, says its case has seen no movement. Choice Escrow lost $440,000 after its account was taken over by cyberthieves, who subsequently wired funds to overseas accounts.
And while the legal cases haven't been resolved, there has been some movement by banking regulators and associations. The Federal Financial Institutions Examination Council has dedicated significant thought to the impact of these account takeover incidents, as seen in its widely circulated draft of updated online authentication guidance. [See First Look: New Authentication Guidance.] And associations, like the American Bankers Association, NACHA, and financial bodies such as the Financial Services - Information Sharing and Analysis Center are doing their part to keep banking institutions informed about emerging threats. In fact, FS-ISAC recently issued a white paper describing and diagramming how corporate account takeover is perpetrated and steps financial institutions should take to ensure ACH and wire transfers are adequately authorized and authenticated.
But is the industry getting the message? It does not appear so, given the recent alert about a string of account takeover incidents originating in China. Nearly two years into this wave of ACH/wire fraud, and banks and business customers are still being victimized.
Jim Payne, owner of Choice Escrow, says the new FFIEC guidance about online security and ACH fraud will help. But there is no firm indication when this new update is going to evolve from "draft" to "final," giving institutions the regulatory nudge they need to improve online authentication and customer awareness of security issues.
Also in the news:
Banks Help Detect Michaels Breach: It's been interesting to follow the last two weeks' unfolding of the Michaels breach involving point-of-sale PIN pad tampering.
To their credit, banks and credit unions, as the card issuers, did a pretty good job of not only catching the debit fraud affecting their cardholders, but also tracking it. Card issuers were quick to pinpoint the common denominator - Michaels - via strong transaction monitoring and behavioral analytics.
The POS PIN swap scheme, which reportedly affected Michaels customers in 20 different states, was widespread and far-reaching. If banks and credit unions didn't have their fraud-detection acts together at some level, they never could have capably connected those dots.
Kudos for that.
Massachusetts Reveals Hack: Massachusetts' Unemployment Assistance and Career Services announced this past week that an unknown number of the nearly 282,000 unemployed workers in Massachusetts likely had their names, Social Security and bank account numbers, along with their e-mail and street addresses, exposed to hackers.
The common theme to all these incidents, whether ACH fraud, the Michaels breach or the Massachusetts hack? Not one of them occurred at a bank. Yet, the banking institutions are the ones that end up picking up the pieces with compromised accounts and reissued cards.
The cycle doesn't seem to end, but here's hoping for some guidance from the courts and banking regulators soon, so financial institutions can secure even greater resources for fraud detection and prevention. Clearly, they need all the help they can get.