Shining a Light on ACH FraudCybercrime Event Focuses on Corporate Account Takeover
If there is any one quote that sums up the theme of the CyberCrime 2010 Symposium in Portsmouth, N.H., this would be it.
The words were spoken by renowned security scribe Brian Krebs, and the context was him describing the universal reactions he's heard over the past 18 months from scores of victims of ACH fraud. But the same words easily could have been spoken by the banking/security leaders in attendance. "I had no idea how exposed I was."
According to Stephen Nix of the U.S. Secret Service, international law enforcement organizations are looking at fewer than 50 major cyber criminals linked to ACH fraud.
ACH fraud has been one of the top stories in banking for over a year now, and it's fair to say we all have learned a lot about the crime of corporate account takeover. It was encouraging to see bankers, security vendors, journalists and industry leaders come together at this event for a bit of mindshare.
For me, part of the event's attraction was the opportunity to meet some folks I'd known solely via e-mail and the telephone. Krebs, for one. Also, author Joseph Menn, who handed out copies of his new book "Fatal System Error"; Doug Johnson of the American Bankers Association; FBI agent Russ Brown, who's been close to recent ACH investigations; activist Jim Woodhill, who's made it his personal crusade to put an end to ACH fraud.
And, of course, it was especially rewarding to finally meet some of the victims of these crimes. Namely, Mark Patterson of Patco, a Maine construction company that was fleeced of $300,000. And Karen McCarthy, president of New York marketing agency Little and King, who was so enraged by her own losses and her bank's reaction that she started her own Facebook page called Your Money is Not Safe in the Bank.
Some of what I gleaned from the event:
Why ACH Fraud Tips Were Delayed - Know the advisories issued last month by the FS-ISAC, FBI and other organizations? Well, according to Johnson, these documents were actually complete in August, but the FBI classified them, so they couldn't be released. The FBI apparently thought the tips constituted a "cookbook" for would-be fraudsters, and had to be convinced that the fraudsters didn't need any recipes, thanks, but prospective victims needed this advice ASAP.
Size of the ACH Fraud Problem - According to FBI agent Brown, law enforcement officials are focused on three aspects of ACH fraud: the malware creators, malware exploiters and the money mules. And this is the current scale of the crisis:
- ACH Fraud Cases: 390
- Fraud Losses: $70 million
- Attempted Losses: $220 million
- Money Mules: 3500
Size of the Fraudster Population -According to Stephen Nix of the U.S. Secret Service, international law enforcement organizations are looking at fewer than 50 major cyber criminals linked to ACH fraud. "But who do they work for?" Nix asks. That's the key question.
Nix also offers great perspective on the sophistication of these fraudsters and how they carefully select their targets and their times to strike - when business accounts have the most money. "They're doing what they're supposed to be doing as criminals," Nix says. "Now we have to do what we're supposed to do as cops."
The event included the usual themes you expect to hear in any discussion of ACH fraud these days. How prevention is a "shared responsibility" between banks and their customers, and how the key to killing the crime (agree or disagree) is by raising employee and customer awareness.
But I was encouraged, too, to hear banking/security leaders discuss steps they've actually taken to prevent ACH crimes. You don't hear enough about proactive banks.
One community bank now requires two authorizations - first when the business customer logs into the account, and then via a token to initiate a transaction.
A mid-sized credit union now mandates a two-day delay to confirm any transactions after a customer's ACH template has been altered in any way.
These are good, positive steps, and they were applauded by the audience attending this event. But it's a topic that transcends a single symposium in Portsmouth, N.H., and there are other solutions out there that are of value and should be shared with merchants, bankers, government and security leaders. If you have some of these ideas, I'd love to hear them.
Because I agree with Brian Krebs. I don't think any of us knew exactly how exposed we were. Now that we do know, let's fix it.