ACH Fraud: Payroll Hack Drains $217K

Non-Profit Says Bank Not to Blame for Losses
A new twist in the ongoing online security battle between banks and their commercial customers was reported this week after a corporate account in Omaha, Neb., was hit with thousands in fraudulent ACH transactions.

Cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority, a nonprofit organization that operates the Qwest Center and other recreational facilities in Omaha. According to a post on KrebsOnSecurity and The Omaha World-Herald, an employee at MECA fell for a phishy e-mail that unleashed a malware attack that subsequently provided hackers access to the organization's payroll system.

From there, cyberthieves hijacked the system's login and password credentials, allowing them to add their own hires to the payroll. Those hired individuals, or money mules, once on the payroll, received payment transfers from MECA's bank account, which was managed by First National Bank of Omaha. The payments went to the money mules hired through work-at-home scams.

The World-Herald reported Thursday that MECA says it's working with the Federal Bureau of Investigation to analyze the crime. "This was an important lesson to us about vulnerability in the online world," MECA told The World-Herald in a statement. "We have changed several online banking security procedures."

Gartner Analyst Avivah Litan says in the scheme of corporate account takeovers, the infiltration of payroll systems is more prevalent than the industry admits. "It's a very common method," she says. "I think it's more common than the one-off way. We hear about ACH and wire fraud a lot, but we don't hear about the payroll breaches, even though they represent just another way to push an ACH payment, without taking over the payroll submission account."

Payroll hacks are common, because they are difficult for banks to detect and prevent. "These payroll files or batch files are an issue," Litan says. And they're a pain point for banks and vendors.

"Under the old way, you would just get a hash total. But if at the end of the day the hash totals don't match, then it's tricky," she says. "How do you set limits, when you don't want to keep people from getting paid?"

Positive-pay lists are the evolving solution, but even positive-pay lists struggle to account for employee name discrepancies, which can result when new people are hired, as well as pay-scale variations that fall outside given or specified ranges.
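The trade-off described above, as an added example that is not from the article or from any bank's system: a batch control total only shows that a payroll file changed, while a positive-pay check names the entries to hold, including legitimate ones such as a bonus. The record layout, routing and account numbers, names and pay ranges are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    routing: str   # 9-digit receiving bank routing number (constructed)
    account: str
    name: str
    cents: int

def control_totals(batch):
    """NACHA-style batch control: entry hash (sum of the first 8 routing
    digits of each entry, kept to 10 digits) and total credit amount."""
    entry_hash = sum(int(e.routing[:8]) for e in batch) % 10**10
    return entry_hash, sum(e.cents for e in batch)

def positive_pay_exceptions(batch, approved):
    """approved maps (routing, account) -> (name, min_cents, max_cents).
    Returns (entry, reason) pairs that should be held for manual review."""
    held = []
    for e in batch:
        rule = approved.get((e.routing, e.account))
        if rule is None:
            held.append((e, "payee not on approved list"))
        elif e.name.strip().upper() != rule[0].strip().upper():
            held.append((e, "name mismatch"))
        elif not rule[1] <= e.cents <= rule[2]:
            held.append((e, "amount outside approved range"))
    return held

# Constructed sample data: the list the employer registered with the bank,
# the batch it expected to send, and the batch that actually arrived.
APPROVED = {
    ("123456789", "1001"): ("ALICE EXAMPLE", 150_000, 250_000),
    ("123456789", "1002"): ("BOB EXAMPLE", 180_000, 260_000),
}
EXPECTED_BATCH = [
    Entry("123456789", "1001", "Alice Example", 200_000),
    Entry("123456789", "1002", "Bob Example", 210_000),
]
SUBMITTED_BATCH = [
    Entry("123456789", "1001", "Alice Example", 200_000),
    Entry("123456789", "1002", "Bob Example", 300_000),   # legitimate bonus
    Entry("987654321", "7777", "New Hire", 900_000),      # unknown payee
]

if __name__ == "__main__":
    print("totals differ:",
          control_totals(EXPECTED_BATCH) != control_totals(SUBMITTED_BATCH))
    for entry, reason in positive_pay_exceptions(SUBMITTED_BATCH, APPROVED):
        print(f"HOLD {entry.name} {entry.cents / 100:.2f}: {reason}")
```

Both the bonus and the unknown payee land in the review queue, which is the operational cost the paragraph above points to.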

But the most interesting twist surrounding the MECA incident is MECA's admission of responsibility for the attack. Before the attack, MECA allegedly passed on security options offered by First National Bank of Omaha, including one option that required two employees to sign off on every funds transfer.

"We had declined some of the security measures offered to us," Lea French, MECA's chief financial officer, reportedly told Krebs. "We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems."

Litan says that admission of fault on the part of the commercial accountholder reflects a shifting perspective in the ACH fraud liability debate. "I think the fact that the customer is taking responsibility is a big change, and is probably a reflection of many of the customer education efforts banks have put in place recently," she says.


About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



