ACH Fraud: Is This Progress?FBI, Victims and Banks Share Latest Views on Account Takeover
At a recent congressional hearing in Washington, D.C., Gordon Snow, assistant director of the Federal Bureau of Investigation's Cyber Division, said his agency is currently investigating more than 400 cases related to corporate account takeover incidents - cases that involve cybercriminals' attempts to drain more than $255 million from commercial bank accounts.
Mark Patterson, CEO of Maine-based PATCO Construction Inc., is one of the more noted fraud victims. He sued his former bank after his company lost more than $500,000 to fraudsters. "The FBI realizes this is a huge threat to our businesses and government entities," he says, pleased that this topic has made its way to Congress. "The laws need to be changed to hold the transferring agencies, i.e., the banks, accountable for the ACH fraud."
But William Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), says banks are already moving in that direction, without legal mandates. He cites the new FFIEC Authentication Guidance as a step in the right direction by banking regulators and the industry. "The FFIEC guidance really raises the bar for banks and credit unions to increase the amount of security, in terms of having an in-depth layer of security," he says. "And they're going to be examined on that next year."
FBI: Scary NumbersFinancial losses associated with ACH and wire fraud were the focus of this recent House subcommittee meeting, convened to address cybersecurity threats facing U.S. financial services. [See Banks, Feds Seek Common Ground.]
Referencing a 2010 incident, Snow highlighted the tricky techniques cybercriminals use to fool unsuspecting online-bank users:
"In 2010, the village of Summit, a town of 10,000 citizens outside of Chicago, was the victim of a cyberintrusion, resulting in unauthorized ACH transfers totaling $100,000," Snow told the subcommittee. "When an authorized individual logged into the town's bank account, the individual was redirected to a site alerting her the bank's website was experiencing technical difficulties. During this redirection, the criminal used the victim's valid credentials to initiate transactions. The town was able to recover only $30,000."
In addition to municipalities, such as Summit, Snow noted that cybercriminals also are targeting payments processors and networks. "In November 2008, a U.S. payments processor discovered that hackers had breached the company's network and compromised the personal data of over 1.5 million customers," he said. "Approximately 1 million Social Security numbers were also exposed. The criminals used the stolen data to create counterfeit debit cards and withdrew more than $9 million from ATMs worldwide." [See ATM Fraud Linked In RBS WorldPay Card Breach.]
Victims: 'Everyone Knows It's Happening'Fraud victim Patterson bitterly recalls May 2009, when he got a first-hand taste of account takeover. That's when cyberthieves launched a malware attack on PATCO that hijacked the business's online banking credentials for the account it held with Ocean Bank [now owned by People's United Bank].
The federal government and regulators need to understand how devastating the losses can be, Patterson says. "The fact that the majority of these attacks are coming from outside the U.S. makes it difficult, at best, for the FBI to catch the bad guys. In most cases, in their country, it is not illegal for them to steal from U.S. bank accounts.
Patterson says the laws for ACH crimes should mirror what's required on the credit card front: Banking institutions need to bear more responsibility.
"Everyone knows it is happening, but no one is capable of stopping the proliferation of these cyberattacks," says Jim Payne, director of business development at Missouri-based Choice Escrow and Land Title LLC. In March 2010, Choice Escrow had its account taken over and $440,000 fraudulently wired from its account at BankcorpSouth to a bank in Cypress. Since then, Choice has stopped banking online.
"Once there is a guarantee of secure online banking facilitated by insured transactions, we will then reconsider online banking," Payne says. "The risk, as it currently stands, is too great. The labor savings and efficiencies the banks get should more than pay for secure banking environments."
Industry: Making ProgressFS-ISAC's Nelson told subcommittee members that financial institutions already have made progress in their fight against account takeover.
"We have to be honest with ourselves: Is this problem growing?" Nelson asks. "Clearly, we have a long way to go, but we have made progress. And when I think about where we were two years, when I'd go to corporate audiences and they did not know anything about ACH fraud and now they are all changing the way they do things, I can see we've come a long way."
In fact, a recent survey conducted by the FS-ISAC shows financial institutions and their commercial customers are improving. Financial losses associated with incidents of ACH and wire fraud dropped 50 percent from 2009 to 2010. [See ACH Fraud: The Impact on Banks.]
Jim Woodhill, an outspoken advocate of ACH-fraud protections for small businesses, says he's not convinced. He feels the financial industry and government need to do more.
"I am not at all hopeful that the recent updated FFIEC guidance in this area will be helpful," Woodhill says. "My concern is that America's small- and medium-sized banks do not have the expertise to understand the new guidance, much less to follow it. All but America's very largest financial-services institutions are like America's small- and medium-sized enterprises, cybercrime is something that they must be protected against - they cannot be expected to do the 'protecting'."
But Nelson says the real area for improvement is communication, not just between banks and businesses, but among financial services companies, regulators and the government. He also believes there is some confusion among some of the people discussing these crimes.
"I was a little taken back by some of the questions [at the congressional hearing]," Nelson says. "There's some confusion about how much the losses actually total. One congressman talked about $369 billion in losses, and I wondered where he got that figure. I think people get the losses confused with the cost of security. But even the cost of security is only about $30 billion."
Nelson also notes there was confusion on the parts of the subcommittee about the payments system, generally. "I think some got it, but most don't understand the business."