Patterson, co-owner of PATCO Construction, says the Federal Financial Institutions Examination Council's updated authentication guidance isn't sufficient: it does not go far enough to protect small businesses from ACH fraud. Until banks are held legally liable and accountable for losses suffered after incidents of ACH and wire fraud that result from corporate account takeover, he argues, security won't improve.
"I think what it really comes down to is [banks] need to be that watchdog," Patterson says in an interview with BankInfoSecurity's Tracy Kitten [transcript below]. "Most small businesses and consumers just simply aren't sophisticated enough to see what's going on."
In protecting small businesses from ACH fraud, collaboration and communication are key. Patterson says businesses need to talk with their banks about the bank's policy on ACH fraud and whether losses are covered.
Another step: monitoring ACH-risk reports. "Somebody, a real person, needs to look at that report," Patterson says. "Have someone monitor them [and] make sure that [with] any of the high-risk transactions, they're making a commitment to the customer that they're going to check those, that their money is indeed safe at their banking institution."
Education also is critical. "It's kind of a difficult thing," Patterson says. "How many banks want to send a message to their commercial customers that their money may not be safe in their bank account?"
During this interview, Patterson discusses:
- How fraudulent ACH transactions over a five-day period led to more than $550,000 in losses for PATCO;
- Why commercial accountholders need financial institutions to clearly define and explain security risks and exposure after an online breach; and
- How collaboration between business accountholders and institutions can improve security.
Patterson is a co-owner of Sanford, Maine-based PATCO Construction Inc., a small residential and commercial construction company with 22 employees that has been in business since 1985.
TRACY KITTEN: Can you give us a little background about the ACH-fraud incident that hit your business in 2009?
MARK PATTERSON: What happened with us is I came in on a Wednesday - actually, I came home because all my bank statements are sent to my home so that I can review them before our bookkeepers receive them, which many accountants and CPAs ask their customers to do to make sure they're detecting any internal fraud. Anyway, I get all my statements mailed to my house, and I got home on a Wednesday night and received a notice from the bank that, for one of the ACH transactions we had performed the previous Friday - about five days earlier - the account number was not correct, and they needed us to give them a better account number so they could complete the transaction. I looked at it. It was for $9,000 to a woman out in California. I looked at it and said, "Well, this must be wrong, because the only thing we do ACH transactions for is payroll, and we don't have an employee in California."
I got in the next morning and spoke to my CFO and I asked him, "Can you call the bank, because obviously this is wrong; this isn't us." And I kind of left it at that, because I just figured it was a bookkeeping error - that the wrong message had been mailed to us the previous Friday.
He called me later on. I was on the road and he called me and said, "Mark, you know, we have a bigger problem. It appears as though over $545,000 had been moved from our accounts to various bank accounts all over the country over the previous five days." We had not heard from the bank. We hadn't been notified that any of this money had moved. It was all being done electronically, and we were blown away.
So we contacted the bank. The bank really didn't know what was going on. They said, "Gee, let's look into it and we'll get back to you." Unfortunately, it took them long enough that another $100,000 - that brought it up to $545,000 - had already left the bank, because they really weren't up-to-date on what ACH fraud was and how it worked. We were able to claw back almost a little over $200,000, so our total loss was $345,000.
Ocean Bank Lawsuit
KITTEN: You later filed a lawsuit against the former Ocean Bank, which is now part of People's United Bank, to recoup some of the losses that you suffered as a result of this account breach. What was the outcome and where does the case stand now?
PATTERSON: After we had met with the bank and asked them if we could come to some sort of an agreement on this, the bank basically said, "This is your problem. The money didn't disappear because somebody compromised our system. They compromised your system - one of your computers." What we did was we filed a lawsuit and had depositions, and it took well over a year to get through that whole process, and it was very trying. But in the end, what we did was we made a motion for summary judgment, which basically says this isn't a question of fact, but a question of law, and the law that we were basing our claim on was that the security measures and security systems at Ocean Bank were not commercially reasonable. The bank did a similar motion for summary judgment that said that they were commercially reasonable.
We filed our lawsuit in the Federal District Court in Portland. The judge didn't hear the case. He moved it over to a magistrate and the magistrate wrote a 70-page opinion that basically said, on the benefit to the bank, that although their security measures could be better, they met the requirements of law, and they found in their favor.
What does that mean? We basically lost at that point because it's a question of law, not a question of fact. The case didn't actually go in front of a judge, and it can't go in front of a jury because every small business signs an agreement with their loans and deposits that they will waive jury trials. We lost at that point, but we now have filed an appeal and we're waiting for that to be heard at the First District Court of Appeals.
KITTEN: Now with the FFIEC's updated authentication guidance taking effect in January, many financial institutions are making investments in enhanced controls that would help to detect and prevent fraudulent transactions - like the ones that hit PATCO - from being approved. How do you feel about the updated guidance, and do you think it will have an impact on improving online security?
PATTERSON: I've read the updated authentication guidance and it certainly goes further to explain what banks need to do. Unfortunately, it's really a restatement of what their requirements are in terms of the types of authentication they need to do, and it really isn't expanding it at all. So although I'm excited and glad that they've done an update, I don't think it's really going to have an impact on improved online security, in general, because the bottom line is the banks are not responsible if someone compromises one of their customer's computers and money is stolen from their bank accounts.
KITTEN: Where do you see the guidance lacking? What areas do you think could be improved in the guidance, or that could be included, to hold banks more accountable?
PATTERSON: Well, it all comes down to not really a guidance issue. I think the government has to step up. The Zeus Trojan, which is probably where our computer was compromised - I've seen estimates as high as 70 percent of all personal and business computers have the Zeus Trojan on them. And most folks don't even know that those Zeus Trojans are on them. Their firewalls are just not sophisticated enough to prevent it. The problem is you have to look at it and say, "Where can we detect that the money is leaving the account and that's a fraudulent transfer?"
The banks already have that software available and it's being used. Regulation E requires that if a consumer has money stolen on a credit card or an ACH transaction, it's the bank's responsibility, and the banks do a very good job on that. I mean, there probably isn't a consumer today with a credit card that has not had a call from their credit card company or bank saying, "There's just been a transaction done 20 states over from you and it was on your credit card. We're just calling to confirm that it was your transaction and you meant to do it." The systems are in place. The banks already have that software. The difference is that because they're not responsible, they're not on the hook for it. They don't watch it closely enough and they don't make that immediate response and say, "Hey, we need to act on this now, because if we don't, we're going to be responsible and we're going to lose the money."
Banks Need to be Watchdogs
KITTEN: What more would you say small businesses like yourself need from the financial institutions that they work with?
PATTERSON: I think what it really comes down to is they need to be that watchdog. Most small businesses and consumers just simply aren't sophisticated enough to see what's going on. Unfortunately, when I explained my story - and I tell my story as often as I can because I'm really trying to get the word out so folks understand what it is - most people, when I say this is what happened to me, their eyes are wide; their mouths are open and they say, "Isn't that covered by FDIC insurance?" And I said, "No, that's not what FDIC insurance is for." If a financial institution goes down, you're covered, but not if the money is stolen through ACH fraud.
They need to really ask their banks, and there are a number of banks that have stated that they will cover ACH fraud, but obviously, most banks aren't.
What do they need from their financial institutions? Obviously, that would be the best, if they'd say, "We're going to guarantee that your ACH transactions are safe." That would be awesome. If not that, they really need to understand the agreement that they're asked to sign from the bank and they read it and understand that they have the potential, if they use ACH transactions, to lose their bank account.
Enhanced Customer Education
KITTEN: What role do you see enhanced customer education playing and do you think that it would have made a difference in your case?
PATTERSON: Obviously, an attempt to educate users, consumers and small businesses is going to help. But I think it's like most things that come from your bank. You probably get a little statement every month and in each of your bank statements, you look at it or you don't look at it, but you [give] sort of a cursory look at it. You're more interested in what the statement says - your balancing, your checkbook and so forth. It's very difficult to get the word out. In our case, many of the transactions - the warnings - were done online, and I can almost guarantee you that most small-business owners are not necessarily the ones doing payroll.
Small businesses can be a one-person show. It can be 10, 20, 30, 40, 100 employees, and there's usually someone else doing the transaction, going in and doing weekly payroll and so forth. But it's the owner of the business that probably reads the details. Just like when they're getting a loan document, they read the detail. I think that banks certainly should sit down with the owners when they set up an account and say, "This is what's going on. This is what your potential loss could be if someone compromises your computer. What do you want to do?"
Education's good, but on the other hand, it's so much easier ... for the persons who actually transfer the money - the bank - to look at the transaction and say, "You know what, this is a bad IP address. It's from a third-world country. We ought to look at this and maybe verify it with the customer before we transfer the money."
KITTEN: Do you see incidents of corporate account takeover decreasing? Do you think that the industry is doing a better job at protecting commercial accounts than it did, say, two years ago?
PATTERSON: One of the challenges you have with this type of theft is, many times, it goes unreported. In many cases, we were finding out, the banks simply reimbursed the customer and there was never a report that said there's been a theft. It's hard to determine what the volume is or how many crooks are being caught, and ... in most third-world countries it's not even illegal to steal the money from someone outside your country, like in eastern Europe. It's very hard to find or determine what the volume is.
Is the industry doing a better job? Yes, I think they're doing a better job, but I think they need to do more. I see e-mails, I get phone calls from people all over the country that are continuing to have their money lost - many of them non-profits and small local governments. There was one that happened just this spring in a town a couple towns over from where I live that lost $100,000.
Obviously, the word's not getting out far enough so that people are saying, "Whoa, I've got to do something different." It's a very difficult thing. One thing they recommend folks do is that they have a certain computer that's dedicated to doing their ACH transactions and as soon as they make their transactions, they shut the computer down; they don't use it for any other reason. I can almost guarantee you that most small businesses don't have the luxury of having a computer they just [use] for payroll or ACH and then they use another computer to do the rest. I would imagine most small businesses are struggling just to keep their computers up-to-date. What's the total number of losses that are occurring right now? I'm not sure anybody has that number.
Collaboration Between Banks and Small Businesses
KITTEN: What about collaboration? Do you see opportunity for small businesses and financial institutions to collaborate more in the future to help avoid some of these losses?
PATTERSON: One of the things is they need to get onto a more secure system. If they were on passwords like we were, they definitely want to take advantage of tokens, and although tokens have been breached, it's much more secure than using passwords because the guidance is saying that two passwords is not dual authentication. They need to work together on that. But boy, I'll tell you, I'm not sure how they can collaborate, because to be honest with you, I just don't think small businesses know the threat that's out there and how bad it is.
KITTEN: Finally, before we close, what advice could you offer to banking institutions who are listening to this podcast and trying to figure out a way that they could work more collaboratively with the small businesses to help educate and protect them?
PATTERSON: I guess what I would recommend they do is - they're all most likely using software that rates ACH risk relative to ACH transactions, and we had some transactions that were obviously ACH transactions that were rated a risk rating of over 700. A normal payroll transaction might be in the single digits, so when that type of risk occurs, there's a flag going off - somebody, a real person, needs to look at that report and say, "We need to look at that." Because once the first one goes out, the next one from that ACH fraudster with the same IP address now has a much lower security risk - security rating - because the first one already went through; it's developing a pattern.
I really think what they need to do is, one, watch the reports. Have someone monitor them [and] make sure that [with] any of the high-risk transactions, they're making a commitment to the customer that they're going to check those, that their money is indeed safe at their banking institution. The other thing, which I have seen relatively little in the two years since our transaction, is they need to get the word out. It's kind of a difficult thing, you know? How many banks want to send a message to their commercial customers that their money may not be safe in their bank account?