ACH AND WIRE FRAUD LOSSES
Financial Institution Technology Funnel
Matthew G. Brenner
Date: September 26, 2013
Orlando, Florida
www.lowndes-law.com
What We Will Cover
Why is this important?
Who does this impact?
What exactly are we talking about?
Case studies: how does it play out?
What remedies might be implemented?
Please: Questions and/or share experiences at any time!
Why Is This Important?
21 billion ACH transactions in 2012
º $36.9 trillion dollars
º 660 ACH transactions per second
º $1,760.00 each transaction¹
¹ Source: 2012 Association for Financial Professionals (AFP) Payments Fraud & Control Summary Report of Survey Results, Association for Financial Professionals, March 2012
85% are native electronic payments (non-check conversions).
Wires: lower volume BUT larger amounts
º CHIPS in 2012 cleared and settled an average of $1.5 trillion in cross-border and domestic payments daily.¹
¹ Source: The Clearing House Payments Company, L.L.C.
Like CHIPS: FEDWIRE Statistics [chart]
Source: The Board of Governors of the Federal Reserve System
Who Does it Impact?
Everyone: individuals and businesses of all sizes.
Banks of all sizes in all geographical areas.
Anecdotal evidence that smaller regional banks are targeted by the wrongdoers.
2/3 of organizations involved with AFP experienced attempted or actual payment fraud (checks, ACH and card).
Incidents of fraud increased 28% for respondents in 2011 over 2010.¹
¹ Source: 2012 AFP Payments Fraud and Control Survey Report of Survey Results.
[Chart slides] Source: 2012 AFP Payments Fraud and Control Survey Report of Survey Results.
What Are We Talking About?
ACH Fraud
º Account hijacking via hacking/takeover of computer system
º ACH kiting
º Identity fraud
º Phishing: obtaining banking information via e-mails and redirection
Two Classic Examples of Typical ACH Fraud

Account Takeover Fraud
1. Fraudster opens a fake business account at bank A.
2. Fraudster targets account holders at bank B through phishing attacks. Despite continual education on phishing, a certain percentage of bank B customers fall victim and click on the phishing link, taking them to a bogus site where they enter their login and authentication token information, which the fraudster captures.
3. Armed with sensitive account login and authentication token information, the fraudster accesses bank B's customers' online banking accounts.
4. Once inside the online banking system, the fraudster initiates an ACH transaction to the fake business at bank A.
5. Once the funds have been transferred to bank A, the fraudster then initiates a wire transfer from the fake business account (at bank A) to bank C (either domestic or foreign).
Man-in-the-middle attacks
1. Fraudster writes malicious code/malware (hidden in e-mail spam scams, such as fake news stories, popular videos, links to greeting cards, etc.), which infects account holders' computers with a virus that collects data typed into web forms, including banking pages.
2. Armed with data entered into the web forms, the fraudster utilizes a spear-phishing campaign to target the specific accounts with recent online banking activity, sending the account holder a highly personalized and convincing e-mail asking them to "click here" to reset their security code, which installs another virus that waits for the next online banking session.
3. The next time the account holder logs into their online banking account, the fraudster's virus inserts itself between them and their online banking system, where it executes commands to initiate wire transfers or ACH transactions unbeknown to the genuine account holder.
Wire Fraud
Most often a result of compromised banking credentials / corporate takeover
Case Studies
PATCO Construction, Inc. v. Ocean Bank
Facts
PATCO, a Maine-based construction firm, made news in 2009 when it revealed that fraudsters had drained more than $580,000 in a series of bogus transactions from the firm's commercial account with the former Ocean Bank.
In 2010, PATCO sued Ocean Bank for the funds it lost in the account takeover incident. PATCO argued that Ocean Bank did not comply with existing FFIEC requirements for multifactor authentication when it relied solely on log-in and password credentials to verify transactions.
Bank Offered Customer:
User ID and Password: PATCO employees were required to enter a company ID/password as well as a user-specific ID and password to access online banking.
Device identification: The system used cookies to create a log of known devices customers used to access accounts. If the cookie changed or was new, it could impact the risk score, potentially triggering challenge questions.
Risk Profiling: The Bank's adaptive monitoring provided a risk score for every log-in attempt and transaction based on a multitude of data, including IP address, device cookie identification, geolocation and transaction history. If a user's transaction varied from the usual profile, then the transaction might be scored as high risk. Scores were issued on a scale of 0 to 1000, and scores above 750 triggered challenge questions.
Challenge questions: Upon the initial login, users were required to establish three challenge questions and responses, which could come into play for various reasons, as detailed above. If the user failed to answer the questions in three attempts, then that user would be blocked from online banking.
Dollar Amount Rule: The system allowed the bank to set transaction thresholds, above which challenge questions would be triggered even if user ID, password and device cookies all were valid. In 2008, Ocean Bank set the transaction threshold at $1, ultimately requiring every transaction to be approved through responses to challenge questions.
efraud Network: The premium package of the system also included a subscription to the efraud Network, which provided Ocean Bank an avenue for information-sharing about fraud. Through the network, financial institutions report IP addresses or other characteristics that have previously been connected to fraud. Thus, if access to a NetTeller account were attempted by an entity linked to fraudulent characteristics, such as a bad IP address, that attempt would automatically be blocked.
Customer agreed in account documents that what the Bank offered was commercially reasonable.
Bank Did not Offer:
º Out of band authentication
º User elected picture function
º Token
º Monitoring
º Identified red flags
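The controls listed for Ocean Bank (an adaptive risk score from 0 to 1000, challenge questions above 750, a dollar amount rule, a shared bad-IP list, and a lockout after three failed challenges) fit together as one small decision function. The Python below is an added illustration written for this page; it is not Ocean Bank's or NetTeller's code, and the score weights, the IP address, the customer profile and the sample transactions are constructed assumptions. It also makes the effect of the $1 dollar amount rule visible: every transaction, routine or not, is pushed through the challenge questions, so the questions stop discriminating between normal and risky activity.

```python
from dataclasses import dataclass

# Added example, not from the presentation. Parameters mirror the controls the
# slides describe (0-1000 score, challenge above 750, $1 dollar amount rule,
# shared bad-IP list, three failed challenges locks the user); the individual
# score weights and all sample data below are assumptions.
CHALLENGE_SCORE = 750
DOLLAR_AMOUNT_RULE = 1.00           # Ocean Bank's 2008 setting: challenge anything over $1
MAX_CHALLENGE_FAILURES = 3
SHARED_BAD_IPS = {"198.51.100.23"}  # constructed entry standing in for a fraud-network feed


@dataclass
class Profile:
    known_cookies: frozenset      # device cookies seen on prior logins
    usual_geo: str                # customer's usual geolocation
    typical_amount: float         # typical transaction size from history
    challenge_failures: int = 0   # consecutive failed challenge rounds


@dataclass
class Attempt:
    cookie: str
    ip: str
    geo: str
    amount: float


def risk_score(profile, attempt):
    """Adaptive score in [0, 1000]; the weights are assumed for illustration."""
    score = 0
    if attempt.cookie not in profile.known_cookies:
        score += 400   # unknown device
    if attempt.geo != profile.usual_geo:
        score += 300   # unusual geolocation
    if attempt.amount > 3 * profile.typical_amount:
        score += 300   # amount far outside the transaction history
    return min(score, 1000)


def decide(profile, attempt, dollar_amount_rule=DOLLAR_AMOUNT_RULE):
    """Return 'block', 'locked', 'challenge' or 'allow' for one transaction."""
    if attempt.ip in SHARED_BAD_IPS:
        return "block"          # fraud-network match: refuse outright
    if profile.challenge_failures >= MAX_CHALLENGE_FAILURES:
        return "locked"         # three failed challenges blocks online banking
    if risk_score(profile, attempt) > CHALLENGE_SCORE or attempt.amount > dollar_amount_rule:
        return "challenge"      # present the challenge questions
    return "allow"


def record_challenge(profile, passed):
    """Update the failure counter after one challenge-question round."""
    profile.challenge_failures = 0 if passed else profile.challenge_failures + 1


def challenge_rate(profile, attempts, dollar_amount_rule):
    """Share of attempts that trigger challenge questions under a given dollar rule."""
    decisions = [decide(profile, a, dollar_amount_rule) for a in attempts]
    return decisions.count("challenge") / len(decisions)


# Constructed sample: a routine payment from the usual device, a high-risk
# attempt from a new device abroad, and one from a listed bad address.
PROFILE = Profile(frozenset({"cookie-A"}), "US-ME", 2_000.00)
ROUTINE = Attempt("cookie-A", "203.0.113.5", "US-ME", 1_500.00)
SUSPICIOUS = Attempt("cookie-Z", "203.0.113.9", "RU", 9_000.00)
BAD_SOURCE = Attempt("cookie-A", "198.51.100.23", "US-ME", 50.00)
ATTEMPTS = [ROUTINE, SUSPICIOUS, BAD_SOURCE]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(a.amount, risk_score(PROFILE, a), decide(PROFILE, a))
    # With the $1 rule the routine payment is challenged just like the risky one;
    # with a higher rule the questions are reserved for the high-score attempt.
    print(challenge_rate(PROFILE, ATTEMPTS, 1.00), challenge_rate(PROFILE, ATTEMPTS, 10_000.00))
```

The rate comparison at the end is the point a reviewer of such a configuration would check: a dollar rule set at $1 produces the same "challenge" decision for the routine payment as for the unknown-device, foreign, out-of-range one, which is the one-size-fits-all behaviour the case turned on.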
Result?
Trial court and appellate court came up with different results.
One size fits all approach to monitoring and authenticating token transactions exposed customer to more risk.
Silver lining: Court still has to determine whether customer had satisfied its obligations under Article 4A of the UCC - reasonableness of its own security policies. Responsibilities are not a one-way street.
Case Study
Experi-Metal, Inc. v. Comerica Bank
On the morning of January 21, 2009, Comerica Bank became aware that phishing emails had been sent to its customers by third parties trying to lure them to divulge sensitive account information. The next day, at 6:48 A.M., the controller at Experi-Metal, Inc., a Comerica customer, received and responded to one of these email messages believing it to have been sent by Comerica. He replied to the message and included all of the information necessary for the criminal to initiate wire transfer payment orders.

Between 7:30 A.M. and 2:02 P.M. that day, ninety-three fraudulent payment orders totaling $1,901,269.00 were executed using the controller's user information. The majority of the orders were directed to accounts at banks in Russia and Estonia. To facilitate the fraud from the customer's sweep account (one of the accounts from which wire transfers were authorized to originate), the criminal transferred funds from Experi-Metal's other accounts to the sweep account. Some of the wired funds created overdrafts, which the bank covered.

At approximately 11:30 A.M., an investigation analyst at the bank was alerted by telephone from its correspondent JPMorgan Chase regarding six suspicious wire transfers. Staff at Comerica immediately investigated and then contacted the president of Experi-Metal and confirmed that the company had authorized no payment orders that day. The bank then proceeded to attempt to recall all of the processed wires and stop future activity. Its efforts were only partially effective, as some orders initiated after the bank disabled Experi-Metal's user identifications still went through because this measure did not preclude a user already logged onto the system from continuing to initiate transfers. Eventually, Comerica recovered all but $561,399 of the fraudulent transfers. A few months later, Experi-Metal filed an action against Comerica seeking to hold it liable for the unrecovered amount.

The parties had agreed to a security procedure to be used to verify the authenticity of payments. The procedure was a secure token.
Result:
Bank failed to demonstrate it observed a reasonable commercial standard. Too many red flags:
º No real-time analysis of transfers
º Out-of-range transfers
º Overdraft allowed by Bank
º Account in question usually had a small balance
º Aware of recent phishing scams targeting its customers
Also:
º No fraud screening program
º No fraud screening monitoring program
º No standards with respect to responding to a phishing market
Case Study
Village View Escrow, Inc. v. Professional Business Bank
In March 2010, organized computer crooks stole $465,000 from Redondo Beach, California-based Village View Escrow, sending 26 consecutive wire transfers from Village View's accounts to 20 individuals around the world who had no legitimate or previous business with the firm.
The escrow firm retrieved some of the stolen funds ($72,000), but that still left Village View with a $393,000 loss, forcing the company's owner to take out a personal loan at 12 percent interest to cover the loss of customer funds.
In June 2011, Village View sued its financial institution, Professional Business Bank, arguing that the bank was negligent because it protected customer accounts solely with usernames and passwords (single-factor authentication) and had no method for recovering funds.
Village View did not use dual controls.
Email verification was disabled (via malware).
Contention was that the bank had no procedures in place for this situation.
Result:
In August 2013, Village View announced that it had reached a settlement with the bank under which Village View Escrow recovered more than just the full amount of the funds taken from the account: the full amount plus interest.
Case Study
Hillary Machinery v. Plains Capital Bank (Texas)
Cyber criminals transferred more than $800,000 from Plano, Texas-based Hillary Machinery's Plains Capital bank account via ACH and wire transfers. Criminals acquired the user name and password of Hillary's account via malware. After the theft, Hillary and Plains Capital were able to recover about $600,000 of the funds, which had been sent to Eastern Europe.
When asked to repay the remaining $229,000, Plains Capital responded by filing a lawsuit against Hillary, asking the judge to declare that the bank's security measures were reasonable. In a countersuit, Hillary charged that the bank didn't detect the irregular wire transfers and ACH transactions made to Europe over a weekend. Hillary asserted that the bank's security measures used only user identification, password and a secure access code, and should have used a multifactor security system requiring image or word recognition, challenge questions, single-use access codes or computer terminal authorization procedures. There was also no IP address verification or geolocation information.
Result:
1. Settlement (undisclosed amount) after 4 months and after the judge denied the Bank's request for arbitration.
2. Side note: Wrongdoers were arrested in NYC; Eastern European mules stole $3M from victims.
Remedies
A. Education of customers / collaboration:
º Initiate ACH and wire transfers under dual control if possible.
º Online transactions should be executed from a dedicated, stand-alone and completely locked-down computer system on which e-mail and web browsing are prohibited.
º Limit users' workstation use outside of business to prevent infiltration.
º Positive Pay / daily reconciliation
º Password security
º Use repeat codes
º Out of band authentication
B. Know customers' business; due diligence
C. Monitoring systems to identify red flags/risks:
º Balances
º Transactions: size, timing, patterns; and
º Recipients
D. Exposure limitations in agreements, especially for new customers:
º Single day
º Week/month, etc.
E. Monitor ACH returns to determine early whether a problem exists.
º Customers do not know what they do not know. Theme in litigation.
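Remedies C and D describe a monitoring layer: watch balances, transaction size, timing, patterns and recipients, and cap exposure per day or week in the account agreement. The Python below is an added example written for this page, not code from any bank or vendor; its thresholds and the sample payment orders are constructed. The sample stream is loosely modelled on the red flags the case studies list (a morning burst of foreign wires, overdrafts, off-hours activity, recipients with no prior business), so it shows each rule firing on the kind of order that should be held for review.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the presentation. Thresholds are assumed values chosen
# for illustration, not any bank's actual policy.
DAILY_EXPOSURE_LIMIT = 100_000.00    # single-day limit agreed with the customer
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_MAX = 5                     # more orders than this inside the window is a flag
OUT_OF_RANGE_MULTIPLE = 5            # amount relative to the account's typical order
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59 local, Monday to Friday
HOME_COUNTRY = "US"


def order(oid, when, amount, recipient, country, balance):
    """Build one constructed payment order; balance is the available balance before it."""
    return {"id": oid, "time": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "amount": amount, "recipient": recipient, "country": country,
            "balance": balance}


class Monitor:
    """Stateful real-time screen: each order is checked against the account's
    profile and against the orders already seen in the current window and day."""

    def __init__(self, typical_amount, known_recipients):
        self.typical_amount = typical_amount
        self.known = set(known_recipients)
        self.recent = deque()                  # timestamps inside the velocity window
        self.sent_today = defaultdict(float)   # date -> total originated that day

    def check(self, tx):
        """Return the list of red flags raised by one order (empty list means release)."""
        flags = []
        ts = tx["time"]
        if tx["amount"] > OUT_OF_RANGE_MULTIPLE * self.typical_amount:
            flags.append("out_of_range_amount")
        if tx["recipient"] not in self.known:
            flags.append("new_recipient")
        if tx["country"] != HOME_COUNTRY:
            flags.append("foreign_destination")
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            flags.append("off_hours")
        if tx["amount"] > tx["balance"]:
            flags.append("would_overdraft")
        while self.recent and ts - self.recent[0] > VELOCITY_WINDOW:
            self.recent.popleft()              # drop timestamps outside the window
        self.recent.append(ts)
        if len(self.recent) > VELOCITY_MAX:
            flags.append("velocity")
        self.sent_today[ts.date()] += tx["amount"]
        if self.sent_today[ts.date()] > DAILY_EXPOSURE_LIMIT:
            flags.append("daily_exposure_exceeded")
        if not flags:
            self.known.add(tx["recipient"])    # learn recipients only from clean orders
        return flags


# Constructed sample: two routine orders on a Tuesday, then a Thursday-morning
# burst to unfamiliar foreign recipients that drives the account into overdraft.
ORDERS = [
    order("t1", "2009-01-20 10:15", 3_500.00, "vendor-1", "US", 40_000.00),
    order("t2", "2009-01-20 14:00", 4_200.00, "vendor-2", "US", 36_500.00),
    order("t3", "2009-01-22 07:30", 25_000.00, "mule-01", "RU", 32_300.00),
] + [
    order(f"b{i}", f"2009-01-22 08:{5 * i:02d}", 20_000.00, f"mule-0{i + 1}", "EE",
          7_300.00 if i == 1 else 0.00)
    for i in range(1, 7)
]


def review(orders, typical_amount=4_000.00, known_recipients=("vendor-1", "vendor-2")):
    """Run every order through a fresh Monitor; returns {order id: [flags]}."""
    m = Monitor(typical_amount, known_recipients)
    return {tx["id"]: m.check(tx) for tx in orders}


if __name__ == "__main__":
    for oid, flags in review(ORDERS).items():
        print(oid, "HOLD " + ", ".join(flags) if flags else "release")
```

Two design choices matter in practice: the recipient list is learned only from orders that raised no flags, so a run of fraudulent orders never whitelists its own mules, and the daily exposure counter is per calendar day, which is the cheapest of the agreement-based limits in remedy D to enforce in real time.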
No matter what UCC may require, burden will be on banks to prove reasonableness of systems.
Questions/Comments?
Matthew G. Brenner
Lowndes, Drosdick, Doster, Kantor & Reed, P.A.
215 North Eola Drive
Orlando, Florida 32801