Memento provides next-generation technology and solutions that enable financial institutions to rethink and improve the way they combat fraud and manage compliance. Memento customers realize unmatched business value and rapid ROI.

Home > Forums > Bank Fraud Forum > Insights and Opinions > ACH Fraud â The Cyber Connection

RECENT NEWS

View All

bank fraud forum
< Back to listing

ACH Fraud – The Cyber Connection

December 4, 2009 by Mike Mulholand
4 comment(s)

Bank Fraud Forum has been closely tracking cyber attacks on small to midsized US companies that have resulted in Fraudulent ACH transactions and in some cases pretty significant losses for those companies. In September I posted an article The High Cost of ACH Fraud in which I said "This demonstrates what I believe to be the most significant threat against the ACH today. Apparently others agree. Just yesterday NACHA published an operations bulletin on the topic, and this morning announced a Cyber Attack Against Payment Processes (CAPP) Exercise Scheduled For February 9-11, 2010. Additionally IC3 issued an alert on November 3rd titled Fraudulent Automated Clearing House (ACH) Transfers Connected To Malware And Work-At-Home Scams that had this intelligence note attached to it. Remember, you heard it here first.

This is a big deal. The Intelligence note I referenced says there have been $100 million in attempts as of October 2009. It supports another point that I have been making in speaking engagements and other forums since October of 2007, that the nexus between fraud and information security is growing ever stronger. It also makes it clear for those who have been walking around in a fog that fraud is international. Electronic payments systems are open to attack from anywhere there is an internet connection! I'm not an alarmist, but I do think that we need to be aware of the threats to our payments mechanisms and take appropriate steps to address them.

I recommend that you bookmark the IC3 site as well as NACHA if you haven't already.


Make a Comment

* = Required
*
*
*
*
 

Recent Comments:

Lee
December 17, 2009 - 2:27 PM
"Mike, I agree with you that ACH fraud is one of the most serious threats facing small to midsized US companies. All it takes is the knowledge of a routing and checking number and little company research and fraudsters have all they need to start "pulling" funds. Additionally, wire transfer fraud has become a necessary compatriot of ACH fraud with funds typically being wired back to the fraudsters' home country. Taken together, these two disparate systems have allowed ACH fraudsters to flourish at the expense of small businesses. Smaller banks are more vulnerable due to their reliance on front-end credential authentication with no holistic cross-channel fraud strategy. I can only hope that banks and other FIs begin to fully understand the problem and how to mitigate the risks associated with ACH fraud. Above all, it requires a multi-layered approach utilizing strong authentication through a token, fraud detection and out-of band verification for suspicious transactions. Most of the fraud can be identified and stopped when institutions use these three together. However, to successfully combat ACH fraud it also requires greater collaboration and communication between all the stakeholders (i.e. regulators, Governments, law enforcement, agencies, FIs and businesses). Fraudsters are more collaborative, global, efficient and effective than ever... Shouldn't the good guys start to emulate this collaboration? Lee "
Mike Braatz
December 17, 2009 - 8:33 PM
"Lee - Great input to the ACH discussion. Re: your final point/question... I couldn't agree more. See http://www.mementosecurity.com/bankfraudforum/index.php/memento_blog/comments/bring_every_tool_you_can/ for my take. Thanks for moving the discussion forward. Mike Braatz "
Lee
December 20, 2009 - 1:07 PM
"Mike, Thanks for the article to illustrate the collaboration effort... I can only hope this continues to develop and foster greater efficiency when responding to fraud events. I started thinking some more about the collaboration aspect and how its going to weigh-in on strategic decisions that banks and FIs take in the future. One particularly interesting consideration is about the impact of banks establishing "closed" ACH networks. For example, Wells Fargo and BofA are planning to launch a closed ACH system in 2010 called Pariter Solutions. Do you believe this will limit collaboration between stakeholders? Or is this just a natural evolution of payment systems with the old antiquated ACH system being replaced by new siloed closed ACH systems? Do you foresee further closed ACH systems as the future of the payment processing? ACH is undoubtedly going through a dramatic transformation and within the next few years it may hard to believe how far its evolved... Lee "
Mike Mulholand
December 22, 2009 - 9:32 AM
"Lee, Thanks for your post. You bring up an interesting issue in regard to ACH clearing options. From what I can tell about Pariter Solutions, the main focus is to develop a new ACH processing platform that will have the capabilities to address the needs being identified as the use of ACH evolves. According to an interview of Stephanie Sturgis-Griffin (Pariter CEO) in August 2008, the motivation was not to reduce transaction fees per se, but to spread the development of a joint system over a greater number of transactions. If the two banks take an "on we” approach as opposed to an "on us”, they will siphon off their volume to each other from the Fed and EPN (network operators). Given that they were the #2 & 3 originators and #1 & 2 receivers on the system in 2008, that could make a bit of a dent in shared system volume. Direct send arrangements are nothing new though, and will probably continue on large and small scales when it makes sense. Data sharing for better risk management does not have to be impacted by these developments though. Early Warning Services has clearly demonstrated the utility of sharing data between banks for checks and employees (or more accurately bad employees), as well as known fraudsters. There is no reason that this type of sharing couldn't benefit the ACH as well. The concept of information sharing has been kicked around for some time. Two Sparrows' white paper available on the NACNA website (http://tinyurl.com/yjgphj9) discussed it in 2005, and NACHA's A Comprehensive Strategy for Risk Management in the ACH Network published in 2007 (http://tinyurl.com/y9a4kn7) contains the idea. "
Solutions Overview
Technology
Approach
Forums
About Memento
WE CAN ALSO BE FOUND:
  • facebook
  • linkedin
  • twitter

©2012 Memento, Inc. All rights reserved.
55 Network Drive Burlington, MA 01803
1-877-371-0673 |

Privacy/ Usage Agreement | Contact Us | Sitemap