The High Cost of ACH Fraud
0 comment(s)
In the video blog, The Rapid Rise of ACH Risk, I detailed how changes in the ACH network have substantially increased the risk posed to financial institutions. In a dramatic example of this, Dwelling House Savings and Loan in Pittsburgh, PA was forced out of business due to an extraordinarily large fraud perpetrated through the ACH network.
The bank was attacked by fraudsters using the internet over a period of 6-12 months starting in late 2008. By the time the bank discovered the thieves, it was too late. They had siphoned more than $3 million dollars using the internet to initiate ACH transactions. This level of fraud loss was simply too great for the bank to bear and on August 17th, PNC took over the troubled institution. Pittsburgh Police and the FBI continue to search for the criminals responsible.
Another recent article in the Washington Post reported on a variety of attacks against small to mid-sized companies. These are perpetrated by cyber criminals from Eastern Europe. The article stems from an interview with the FS ISAC (Financial Services Information Sharing and Analysis Center). In an alert to its members, FS ISAC reported, "In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses".
Just the examples the article gave involved over $2,000,000 (roughly $1 million was recovered). It is not only banks like Dwelling House Savings and Loan at risk; it is small to mid-sized businesses across America. In one case, because the company spotted the fraud quickly, its bank was able to retrieve all but $190,000 of the stolen money. The company's operations manager made the point, "This could have put us out of business". Another victim clearly pointed out that it doesn't stop at the hard dollar loss, "When we start looking at all of the investigation and the things we had to change as a result of this fraud, we estimate the soft costs to our company is already three times what our straight online banking loss was.". In my opinion these costs don't seem too "soft".
This demonstrates what I believe to be the most significant threat against the ACH today. The nexus between information security, especially on-line security, is growing ever stronger. As these and many other stories point out, there is a clear need for strong authentication and good security practices, but these criminals are sophisticated and they will still extract their "pound of flesh". While we are barring the front door, it is foolish not to monitor what goes out the back door to make sure it is what we expected.
It's time to seriously consider an effective transaction monitoring solution for ACH. Have you had a similar experience? Are you vulnerable?