ACH Fraud: Bank Speaks Out
Exclusive: Bank President Reveals True Impact of Account Takeover
During an exclusive interview, we hear from the president of a $100 million southeastern community bank that experienced an incident of corporate account takeover in 2009. The bank and the president have asked to remain anonymous.
During this interview (transcript below), we discuss:
- How the breach occurred;
- Why banks and commercial customers must share responsibility for online security, fraud prevention and ACH transactions; and
- How the industry and regulatory guidelines could assist banks, especially on the community side, with "reasonable" security measures and legal assistance after a breach occurs.
TRACY KITTEN: ACH and wire fraud, as well as other forms of so-called corporate account takeover have led to numerous lawsuits between commercial customers, like Experi-Metal, and their banks. Account takeovers also have fueled heated discussions about how the industry should define reasonable security, the security it provides commercial customers for online banking. Amendments have been proposed to Regulation E to protect commercial customers when breaches occur, and industry regulators are soon expected to issue new guidelines for stronger online and transactional authentication. Corporate account takeover losses are expensive and detrimental, not only for the victimized commercial clients, but also for the banks that oversee the accounts.
Corporate Account Takeover: The Bank's Side of the Story
I'm here today to get a banker's perspective on corporate account takeover. After one of its commercial customers fell victim to an online account takeover, this community bank suffered losses, reputational damage, and learned that legal disputes rarely favor the bank. Today I talk with the president of a southeastern community bank with $100 million in assets that experienced an incident of corporate account takeover in 2009. The bank and the president have asked to remain anonymous.
Before we jump into the line of questioning, can you give us a little background about your institution, the types of clients you work with and tell us a little about the incident itself, such as when it occurred and how it occurred?
BANKER: Well, Tracy, our bank is a business-oriented community bank. We principally focus on smaller commercial customers in the local area. We've had commercial ACH and treasury-management services available to our customers for several years. Now, the incident itself occurred in the summer of 2009, and to the best of anyone's ability to document, involved a criminal faction stealing our customer's user ID and password. One thing that caused some trouble during the process of working this out is, to the best of our knowledge, there was never a police report filed by our customer. But our investigation was able to confirm that this particular customer used GoToMyPC.com as a way to interact between a home office of one of its employees, the customer's main network, and the bank.
KITTEN: And do you still have a relationship with that customer?
BANKER: No we don't.
Breach Led to $50,000 Loss
KITTEN: And how much was lost as a result of the takeover itself, i.e. how much money was taken from the commercial customer?
BANKER: Well, it was, initially, between $50,000 and $100,000. Although, we were able to work with two of the receiving banks to recover almost 30 percent of the total. I'll mention that those two receiving banks were other community banks. The remainder of the funds had been directed to a money-center bank, which essentially refused to help in recovering these funds.
KITTEN: And how was the breach identified? Did you catch it or did the client notify you?
BANKER: In this case, the client notified us. Again, based on our investigation, the dollar amounts of the transactions were within the normal range of transactions that they tended to send through the service.
KITTEN: And I understand that your online platform is managed by a third-party vendor. Did this vendor have settings in place to notify you when suspicious account activity occurred?
BANKER: Not to our knowledge. And, again, I'm not sure that any suspicious activity monitoring would have helped, because the dollar amounts were within the range of their historical activity. The one principal feature that was different is that this customer tended to send the vast majority of its ACH credits to other businesses and the fraud occurred when credits were initiated to consumer accounts.
KITTEN: So, that would have been a red flag of sorts, correct?
Vendor Support Would Have Helped
KITTEN: And what support did this vendor provide after the takeover, if any?
BANKER: Well, their technical areas were able to help us pull history information on the activity of this particular customer. For example, the log-in history, password changes; and they were able to tell us that there had been a failed log-in a couple days before the fraud occurred. That was important, since, when the failed log-in occurred, the customer was prompted to reset their security questions. And as we were able to learn, the criminals - and that's sort of how we refer to them here - the criminals, when they logged in to the customer's account, this happened on two separate instances one day apart. In one particular case, they were prompted for security questions which they got right.
KITTEN: And do you have any idea about how they were able to access those security questions or the answers, or do you think it was just a lucky guess?
BANKER: Our investigator told us that, basically, they believe the criminals had hacked into the customer's computer system through the GoToMyPC portal and prompted the failed log-in attempt so they would have an opportunity to key log the answers.
KITTEN: Now, you mentioned that this particular third party that you worked with also provided other services. Are you at liberty to share what other services this party provided?
BANKER: They are a core processor. We had other independent companies that handled our computer security and monitoring, and they were also called in to check back through our records to make sure that there had been no penetration of our system.
Legal Battles Don't Pay Off
KITTEN: I'm sure when we look at the losses that were associated with the account takeover itself, those were relatively isolated; but over the long term, I'm sure this was a very expensive undertaking. Can you give us any idea about how much this particular incident cost the institution in legal fees, reimbursement, if any, of the client for damages and losses that were incurred?
BANKER: The total, between legal fees and reimbursement through a settlement, was just slightly in excess of $50,000, and that does not include the time and effort of our employees working through this process.
KITTEN: Even though some of the funds were recovered, it ended up costing you just as much as the actual incident itself, or just about as much, right?
BANKER: That's correct. Our attorney had provided an estimate of the cost for proceeding to a trial and it was going to be far in excess of the amount lost.
KITTEN: And then the reputational damage that would have been associated with something going to trial and becoming public would have been costly as well, I presume.
BANKER: Well, that's correct, even though the customer did file suit, so that was public record.
KITTEN: And we talked a little bit about reputational losses at the beginning, but how do you quantify those or how did you quantify those losses, as they related to this particular incident?
BANKER: Well, the interesting thing is, I'm not sure there really have been any reputational losses. While our particular case was going on, there was another local bank that had suffered a similar loss with one of their customers. That customer actually contacted us to see if we would be able to take on their commercial account. They told us about the circumstances of their loss and, naturally, asked whether we would have covered their losses; and we said, "No." So, when we learned that we were not alone out there in having customers experience this type of loss, we began to worry less about the reputational damage.
It's Fair to Ask Customers to Protect Themselves
KITTEN: Do you think it's fair to ask commercial customers to ensure security of their online transactions? Where do you see the responsibility of the bank beginning and ending when it comes to online security?
BANKER: Well, I absolutely believe that it is fair to ask commercial customers to ensure security of their transactions outside the bank's portal. Our contract specifically states that the customer is solely responsible to ensure the confidentiality of their password and user ID, and the additional measure of the symbol. I feel like the bank ought to take responsibility if there is any intrusion into the bank's system that impacts our customers; but I feel like the customer is responsible for everything outside of the system of the bank.
KITTEN: The question over reasonable security is one the financial industry would like to have answered, and you and I have talked about this in the past. How do you define reasonable security and why does reasonable security need to be more precisely defined?
BANKER: One reason reasonable security needs to be defined a little better is that it is a fairly broad term, and as our legal advisers warned us during the process of our case, it can change on a daily or monthly basis, depending on available technology out there. As we define it, in our particular dispute, it was, "Did we satisfy the current guidance from the FFIEC for multifactor log-in?" And we determined that we did. If they used a different computer, the challenge questions were to pop up; so, we feel like we satisfied that particular requirement.
KITTEN: There have been discussions among leaders within the Independent Community Bankers Association about the role third-party solutions providers play when it comes to ensuring security for mid-sized and small institutions, especially those in the community space. Now, Cary Whaley, the vice president of payments and technology policy for the ICBA says third-party vendors have an obligation, if you will, to keep their bank customers in compliance and up to date, especially where online security is concerned. What is your perspective on that?
BANKER: Well, my perspective is that we expect them, third-party vendors, to keep us up-to-date, particularly since, in most cases, community banks are signing multiyear contracts with these particular vendors. So, if we can't count on our vendors to keep us current on the up-to-date technology, then it makes it very difficult for us to agree to multiyear contracts. The difficulty is in balancing pricing and service and the familiarity that our staff might have with this particular vendor's products. In our case, while we were happy to have the help of their technical areas in determining some of the specifics of this particular event, we were very unhappy with the attitude of this core vendor's management. Once we told them that we had been sued by our customer, we were no longer allowed to speak with anyone other than their legal department.
KITTEN: And I would like to know how your business and security practices have changed since this incident of corporate account takeover. It sounds like it has not only impacted the relationships that you have with your own customers, the internal relationships that you have with your employees, but also the relationships you have with some of your service providers.
BANKER: Prior to this incident, most of our activity on the ACH side would involve the customer sending in files through our system. What we would do locally is confirm that the funds were available to pay those items. As of the date of that event, we've gotten much more involved and inserted ourselves into the middle of this process, such as, now we require customers who are initiating ACH transactions to provide independent verification of the number of items and the total dollar amounts, either via facsimile, phone call to a particular number, or via e-mail. As it turned out, when the FDIC and the FBI sent out alerts and best practices, that was one of the best practices that they recommended.
Stronger Authentication
KITTEN: In looking back, how do you think you could have improved security, especially where transaction authentication is concerned, and could a third-party vendor have helped you? Maybe not the one that you were working with, but going forward, where could a vendor have stepped in to maybe give you better advice or help from an authentication perspective?
BANKER: Well, I think the authentication is really a way to protect a customer. But if their actions, by using a third-party service on their end, put their network at risk, I'm not sure that any vendor can protect a customer from its own ill-advised actions. But, one thing that I mentioned earlier that would have been helpful is if there was a software solution that monitored the types of transactions a particular customer was normally issuing. For example, if an event happened where, all of a sudden, we had multiple transmissions to consumers, that would pop up as a red flag.
Education is Key
KITTEN: What educational steps for employees, as well as commercial customers, have you implemented since the incident?
BANKER: One thing we have implemented for all of our commercial customers that use the ACH module within our Internet banking is that our treasury-management personnel have gone onsite on an annual basis to do a review and update agreements and contracts and conduct training for the employees of our customers that are actually using the service. We've also mailed out reminders of best practices and been asked in a couple of cases to come out and train new employees who might be taking the place of former employees and are therefore new to using the service.
KITTEN: And what do you deem to be the most important piece, when it comes to preventing an account takeover?
BANKER: I think, based on our experience, the most important piece is vigilance by our customer. We had implemented one of the best practices put in place by the FDIC back in the fall of 2009 - using a dedicated computer for Internet banking and ACH initiation. And we've had several customers that have taken that step. We have customers that will get in touch with us on a phone call if they're sending unusual transactions or have initiated ACH to a new recipient, just to tell us to watch out for that. They let us know it is authorized, and I think our customers are much more focused on that security issue.
KITTEN: And, finally, what three words of advice could you offer other community banks and commercial clients about preparing for and preventing corporate account takeovers?
BANKER: Well, the three words would be "Trust But Verify." The authentication is just one part of it, because, again, as we learned and our customer learned, if you allow access to your system, it is possible for criminals to find out your user ID, your password and a variety of other information about your business. So, in the case of both the customer and the bank, we have got to do a little bit better job going forward and trying to monitor for out-of-the-ordinary activity.
KITTEN: Having an idea of what the behavioral analytics are?
BANKER: That's an issue that is going to be very difficult, I think, for a lot of community banks, particularly as they get bigger and activity increases. The best way is for a couple of employees who do that activity on a daily basis to notice, "Hey, wait a minute. This is the first time they've ever done something like this." But there also will almost assuredly have to be some technology investment to do that type of monitoring through a solution as well.
KITTEN: And are those investments that your institution is looking at?
KITTEN: Are those things that you expect to invest in during the current year?
BANKER: Potentially, depending on cost. At this point, no one really has the perfect mousetrap ready to deliver to us.
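The two controls the banker describes, out-of-band confirmation of item count and dollar total, and a red flag when a business-only originator suddenly credits consumer accounts, can be expressed as a simple batch review. The following is an added illustration, not code from the bank, its vendor or the interview; the record layout, the "business"/"consumer" labels and the sample batches are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AchCredit:
    recipient: str  # receiving account identifier (tokenised in practice)
    kind: str       # "business" (CCD entries) or "consumer" (PPD entries)
    cents: int      # amount in cents, so totals compare exactly


def review_batch(history, batch, stated_count, stated_cents, max_consumer_share=0.05):
    """Return the red flags raised by a newly received ACH credit batch.

    history      -- AchCredit list of the customer's past originations
    batch        -- AchCredit list in the file just received
    stated_count -- item count the customer confirmed by phone, fax or e-mail
    stated_cents -- total (in cents) the customer confirmed the same way
    """
    flags = []
    # 1. Control totals: the file must match what the customer confirmed out of band.
    if len(batch) != stated_count or sum(c.cents for c in batch) != stated_cents:
        flags.append("control totals differ from customer confirmation")
    # 2. Recipient-type shift: consumer credits from an originator that pays businesses.
    kinds = Counter(c.kind for c in history)
    share = kinds["consumer"] / len(history) if history else 0.0
    if any(c.kind == "consumer" for c in batch) and share <= max_consumer_share:
        flags.append("consumer credits from a customer that pays businesses")
    # 3. Recipients this customer has never paid before.
    new = sorted({c.recipient for c in batch} - {c.recipient for c in history})
    if new:
        flags.append("new recipients: " + ", ".join(new))
    # 4. Per-item amount outside the customer's historical range (the check
    #    that, as the banker notes, would NOT have fired in this incident).
    if history:
        lo, hi = min(c.cents for c in history), max(c.cents for c in history)
        if any(not lo <= c.cents <= hi for c in batch):
            flags.append("item amount outside historical range")
    return flags


# Constructed sample: 20 past credits to four business payees, then a batch with
# ordinary amounts but two never-seen consumer recipients, as in the interview.
HISTORY = [AchCredit(f"biz-{i % 4}", "business", 150_000 + 20_000 * (i % 5)) for i in range(20)]
BATCH = [AchCredit("new-acct-1", "consumer", 180_000), AchCredit("new-acct-2", "consumer", 210_000)]

if __name__ == "__main__":
    for flag in review_batch(HISTORY, BATCH, stated_count=2, stated_cents=390_000):
        print("FLAG:", flag)
```

The sample batch passes the control-total and amount-range checks and is caught only by the recipient-type and new-recipient checks, which is exactly the gap the banker describes in transaction-amount monitoring.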