ACH Fraud: How to Fight Back
In advance of the FDIC's symposium on cyber threats, Jane Larimer of NACHA discusses:
Larimer currently serves as NACHA's executive vice president of ACH Network Administration and as its general counsel. In this capacity, she leads the department responsible for activities that support NACHA's role as administrator of the ACH Network. She also provides legal support for the NACHA Operating Rules and for NACHA's activities in the areas of electronic commerce, electronic check initiatives, electronic bill payment/presentment and electronic benefits transfer. Prior to joining NACHA, Ms. Larimer practiced law with the Lending, Banking and Public Finance Group of Powell, Goldstein, Frazer & Murphy in Atlanta, Georgia.
TOM FIELD: What can financial institutions and businesses be doing to protect themselves from ACH fraud? Hi, this is Tom Field, Editorial Director with Information Security Media Group. The FDIC is about to put together a one-day symposium on ACH fraud, and we're fortunate to be speaking today with Jane Larimer, ACH Network Administration Executive Vice-President and General Counsel with NACHA. Jane, thanks so much for joining me.
JANE LARIMER: You are welcome, Tom, glad to be here.
FIELD: Now, Jane, I know that NACHA is going to be represented at the symposium next week talking about much of what you are talking about today. Maybe you could take just a minute to introduce yourself and tell us a bit about your role with NACHA.
LARIMER: I'd be glad to. As you had said, I am Executive Vice-President of ACH Network Administration and General Counsel at NACHA. In that capacity, I am responsible for the ACH network rules, the risk management and rules enforcement, and also the new application development here at NACHA.
FIELD: Now Jane, it seems like everyday, we've been reporting on fraud involving transactions crossing the ACH network. Can you give us a big picture view of what has been happening?
LARIMER: Sure, Tom. What we're actually talking about here is what we've been calling Corporate Account Takeover. That occurs when a company's online banking credentials are stolen and they are used to fraudulently access bank accounts and engage in fraudulent banking activity. So, it's a type of identity theft really in which cyber thieves gain control of a business' bank account by stealing the business' valid online banking credentials. So these credentials are stolen through malware that is installed on a computer, and it can happen in a few different ways. So among those ways could be infected documents that are attached to an email, and the business clicks on that email, that document, or a link contained within the email that connects to an infected website. Or a business could use a USB port, a flash drive, so they put the flash drive that has been infected into the USB port. So, I guess a fourth way would be legitimate websites where businesses are surfing the web and they go to social networking sites, where they unknowingly click on a document or a video or a photo that is posted there, and then this malware can be downloaded on to their computers.
So once they have access to the online banking credentials, the cyber thieves at that point can really do whatever the banking customer could do on that site, including fund transfers by either ACH or wire transfer to the bank accounts of their associates within the United States or often wired directly out of the country, often to Eastern European nations. Many of the cases out there that are being described as ACH fraud are actually fraudulent wire transfers or a combination of ACH and wire. For example, the town of Poughkeepsie case had funds that were going directly to the Ukraine. So that would imply to me that those were actually wire transfers to the Ukraine, because the ACH can't move money out of the country. In addition, the Hillary Machinery case -- that was wire transfers. And the Experi-Metal case was actually both wire transfers and ACH transactions. So, we think that by calling it ACH fraud, it's really missing the broader point, because the area of focus should be online banking, and the online banking site and how businesses can protect themselves from their computers being infected with malware, and the tools that financial institutions can use to try to lock down those sites as well.
So, it's really about the point of entry on to the online banking site, not about either the wire system or the ACH network itself.
FIELD: Well, you make a good point, because really it is corporate account takeover, and we're sort of giving it a misnomer by calling it ACH fraud.
LARIMER: I think corporate account takeover is much more precise about what we're really dealing with.
FIELD: Jane, give us a sense of how prevalent corporate account takeover is now. We hear of incidents every day, but what are we not seeing behind the scenes?
LARIMER: A recent study, in fact, from the AFP, which is the Association for Financial Professionals, looked at fraud across the payment types. Their 2009 study concludes that only a small fraction of fraud occurs on the ACH, and of that even a smaller amount happens with credit transactions. In fact, the study concluded that not only does ACH fraud reflect really a relatively small number of organizations, it occurs infrequently among those organizations that have been affected by it, and often it could have been prevented if best practices had been practiced by the companies or the businesses.
FIELD: Jane, what has NACHA done in particular to help educate and prepare banking institutions to safeguard against corporate account takeover?
LARIMER: NACHA has been really kind of on top of this since we first heard about this issue in 2007. So in 2007, March, May, and June in fact, we issued member communications and risk management guidance on corporate account takeover. At the time we were calling it "key logging" because we had just seen that this was coming in through key loggers. The key guidance in our communications then was that FIs should be using multifactor authentication, multilayered security, and that they should be complying with the FFIEC guidance that was issued in 2005.
What we saw after that first wave in 2007 was that a lot of the financial institutions that had been attacked at that time really deployed robust authentication and more sophisticated transaction security. But what we saw again in July and August of 2009, really mid-2009, is that these attacks began targeting smaller businesses and FIs. So in the summer of 2009 we issued additional member communications and risk management guidance, and then in August we issued a joint bulletin with the FS-ISAC and the FBI. In 2009, we issued an operations bulletin again that we have posted on our website to provide further guidance -- not just to financial institutions, but guidance that the financial institutions could then provide their business customers.
And I think lastly, just not to go through my litany of everything that we've been doing, but lastly, we partnered with the Better Business Bureau. One of the initiatives that they had, it's a handbook called Data Security Made Simpler, and we worked with them to provide guidance to small businesses, because small businesses were being targeted, through this outreach to try to help them educate themselves about what they could do to protect themselves.
FIELD: What's your sense that the financial community has done to alert its own business customers about the risks?
LARIMER: You know, Tom, what we've been hearing from financial institutions is they have been proactive, or trying to be proactive, in reaching out to their business customers and educating them on what they can do. So we know that there has been that kind of outreach. We know the regulators have put out some guidance in this response, and NACHA has been moving up to our members, you know, all of the member alerts and the risk management guidance that we've sent them, and then in turn our regional payment associations have been providing education and guidance to their financial institutions, so that their financial institutions can then move out and educate their businesses. And then again, I'm hoping that small businesses are seeing the Better Business Bureau's Data Security Made Simpler material, which is out on the web.
FIELD: Really, what you need here is a partnership with financial institutions and their business customers. What should they be doing to protect themselves against these fraudsters?
LARIMER: Well, I think you just said something that is really important, and I just want to bring it up, which is a partnership between financial institutions and businesses. Because I think that is really important. It's critical that there is this partnership.
Financial institutions can do their part by really taking advantage of fraud detection and risk management services and tools that are offered out there commercially. They also need to take that role of educating their business customers on preventive measures. Like one of the simplest things that a business can be doing, and that a financial institution should remind their business to do, is that they should be reconciling their accounts daily. I mean, that is something, so that if they see something that is unauthorized, if they see anomalous activities, that they can contact their financial institution immediately. Some of the frauds that we've seen go over several periods, you know several days. So that could have been stopped on the first day.
Financial institutions should be deploying, if they have not already, multifactor, multilayer security for their business accounts. They can implement red flag alerts and out-of-band transaction verification. So, there are really different things that financial institutions can be looking at and offering their customers, and I think business customers need to look at those offerings not just for their convenience -- whether they are convenient or not -- but for how much protection they give. So dual control where you have one person authorizing a payment, and you need to have another person verify. It might be inconvenient, but that's a great method, another layer of security and another method of protection. Out-of-band transaction verification where you get a fax or an email alert or a phone call, a phone call back. That is something that may not be the most convenient thing, but again adds another layer of protection for businesses. So I think that both sides, both the financial institutions and the businesses, need to do their part to both protect themselves and to make sure that they use the different techniques and the different practices and processes that are out there.
FIELD: Jane, you talked about tools. What types of tools are available now for financial institutions to use to safeguard against corporate account takeover?
LARIMER: The first thing I want to talk about is some of the kind of old, what I would think of as the old school tools, the things that have been out there for a long time, but I think may have been abandoned for a while. So again, dual control or out-of-band transaction verification. We were speaking with the FBI on a tele-seminar that we held recently, and the FBI agent said that he believes that those two practices in combination could stop a large percentage of the activity that we've been seeing out there. So I think those are things that aren't being used that could be, and those aren't the kind of new sophisticated tools. Then I think commercially, we're seeing from vendors that there are new tools out there commercially available to both prevent and detect fraud.
FIELD: Jane, if you could boil it down, what advice would you offer to financial institutions and businesses both on how they best can protect themselves from the type of fraud we've been talking about?
LARIMER: I think the best advice for both sides is to be vigilant. It's to understand both the risks and the opportunities presented by being able to access accounts over the internet. One analogy is what we're told about personal safety. For a person, you know when you are walking at night, what they say to you is always be aware of your surroundings. I think the same can be said in this instance with the corporate account takeover. That nearly all of these can be -- a loss can be avoided by both the financial institutions and the business by implementing their best practices. So again, not to sound like a broken record, but multifactor authentication, multilayer security, dual control, out-of-band transaction verification. For business, again, this isn't new or sophisticated, but reconcile your accounts daily. The other thing is if you are using a computer for financial transactions, don't be surfing the web on that computer. Don't be taking that computer to, you know, your favorite coffee spot where they have Wi-Fi and using the computer to do your financial transactions, because that is not a best practice. So use a computer that is dedicated to financial transactions to try to protect yourself.
So be aware of your surroundings, protect yourself, and use the tools that are available to you.
FIELD: And as you say, some of these steps might not be convenient, but they are not more inconvenient than a corporate account takeover.
LARIMER: That's exactly right.
FIELD: Jane, it's been a pleasure to talk to you. I thank you, and I look forward to talking to you again in the future.
LARIMER: It's been my pleasure, Tom, thank you.
FIELD: We've been talking with Jane Larimer from NACHA. The topic has been corporate account takeover. For Information Security Media Group, I'm Tom Field. Thank you very much.