IT Value

Are Your Payment Systems Secure?

The rise in fraud related to Automated Clearing House payments puts businesses and their banks at risk.
Vincent RyanJanuary 25, 2010

Thieves rob $1.3 million from a property-management firm by initiating debits against its accounts using banking information pilfered from a painting company. Banking credentials stolen at a small veterinary office in Ohio lead to theft from a large New Jersey corporation. A series of bogus wire transfers help topple a Pittsburgh savings and loan.

As these incidents from 2009 illustrate, payments fraud against corporations is on the rise, particularly in the area of electronic transactions that take place through the Automated Clearing House (ACH) network. In December the Electronic Payments Assn. (NACHA) issued a warning to banks about a cybercrime called corporate account takeover — when thieves gain control of a bank account by stealing a finance department’s online banking passwords and possibly other credentials. Just prior to that, the FBI’s Internet Crime Complaint Center reported there was an escalation of thievery related to ACH and wire transfers.

Such electronic theft has cost some small and midsize businesses tens of thousands of dollars, although it represents only a fraction of the millions of transactions that go through the ACH system every day. Concern over the trend is evident in discussions with customers, say bankers. “The biggest difference from 18 months ago is our clients’ awareness of risk in payment systems and their desire to have payments processes that enable them to manage risk,” says Cathy Bessant, head of global technology and operations at Bank of America.

In a corporate account takeover, the perpetrators can review the account details of the business, including account activity and patterns, as well as ACH and wire-transfer origination parameters (such as file size and frequency limits). The thieves use the session to initiate funds transfers, by the ACH or wire transfer, to bank accounts opened by accomplices or unwitting persons (“money mules”) within the United States, says the NACHA warning letter. The accomplices or money mules then withdraw the funds and remit them out of the country to their “employers,” says the NACHA.

In another scam, fraudsters obtain paper checks disbursed by a company and use the account and routing numbers (which appear at the bottom of the checks) to buy goods online from Web merchants that offer electronic debit or e-check payment options. The victimized business has its account debited.

“The bottom of a paper check contains the keys to the kingdom,” says Alex Romeo, a product manager at the Electronic Payments Network (EPN), the private-sector ACH operator. If a company shares the account information with a trading partner, the information “could easily be left on a desk or a sticky note and fall into the wrong hands.”

What exacerbates the problem of fraud for business users of the ACH is that they are not protected by Regulation E, which governs electronic funds transfers for consumer bank accounts. Under that law, consumers have 60 days to inform their banks that an electronic debit is unauthorized. But corporations only have until midnight of the next day to do so, says Romeo. “The idea is that corporates are reconciling their accounts at least every day,” he explains.

In addition, although the ACH network was once used mainly for transactions with well-known trading partners, its use for point-of-sale purchases and online and telephone transactions has grown, increasing the risk of fraud. The dollar value of consumer ACH payments made via the Internet is nearing $1 trillion annually, according to the NACHA.

Banks do provide standard treasury-management security tools to prevent an unauthorized payment from clearing a company’s account. (They have motivation to keep a lid on fraud: under rules enacted three years ago, the NACHA can fine originators that allow practices that create risk-management problems for others on the ACH network.) One common tool, positive pay, involves the treasury department supplying the bank with a register of anticipated, authorized ACH debits; the bank pays only the debits preauthorized on the list. In reverse positive pay, the bank automatically makes the payment unless the treasurer tells it not to.

These tools are “a good way for a treasurer to cut down fraud on their accounts, because you’re in control of every transaction that hits,” says Paul Tomasofsky, president of Two Sparrows Consulting, a financial-services consultancy. “But it’s a lot of work if it isn’t automated.”

The ACH debit blocks and filters are less taxing. In an ACH debit block, the business tells its bank to stop all ACH debits that come into its accounts from the ACH network. With an ACH filter, a company picks and chooses the trading partners it will accept ACH debits from and provides that list to the bank.

An even more sophisticated tool is the Universal Payment Identification Code. A UPIC is a pseudo routing and account number that allows a company to receive ACH payments without divulging its actual bank account numbers and other information to payees. A UPIC cannot be used to electronically debit an account or create a check. About 1,000 users of the ACH network employ this option, and 20 banks offer it. Interest in UPICs spiked last November when the FBI reported the escalation of payment fraud, Romeo says.

Some banks also have systems that run a risk model on every transaction to determine if it is in line with client payment behaviors. Still, not all banks offer a wide range of tools to combat corporate account takeover and fraudulent payments. In the absence of those tools, companies can use low-tech ways to combat online payment fraud, according to the NACHA warning letter.

Monitoring and reconciling accounts daily is probably the simplest way. Initiating ACH and wire transfers under dual control is another option: one person authorizes the payment file’s creation and another authorizes the release of the file. In addition, workstations used for online banking can be disconnected from internal networks and restricted from use for computing tasks, such as social networking, that can increase exposure to Trojan horses and viruses designed to capture log-in and password information.

Ironically, advances in banking mobility may be introducing more risk for corporate users of online treasury tools. Mobile interfaces provided by some banks now allow a treasurer to initiate or approve wires, track intraday balances, and review and approve positive pay exceptions. But even if mobile platforms simply enable a finance executive to check balances, risk would be heightened because the information could help a cyberthief determine which accounts to target, says Tomasofsky. “Little bits and pieces may not necessarily compromise the account by themselves, but combined they could allow the bad guy to successfully take over an account,” he says.

EPN’s Romeo stresses that the ACH network itself is safe: corporate account takeovers and other security intrusions happen outside the network, usually with the front-end banking platform. Unauthorized return rates on the ACH network have been dropping steadily.

Meanwhile, use of the network is increasing. Last year about 20% of all payments transactions were made through the ACH system, only slightly less than the percentages made via paper checks and credit-card transactions. With more and more companies offering electronic payments to trading partners and customers, and many still using paper checks with valuable information on them, treasury departments have good reasons to tighten up on payments security.