ACH Fraud: Banking Groups Fight Back
ABA, FS-ISAC Lead Charge Against Corporate Account Takeover
And now the banking industry is fighting back with a series of public initiatives designed to raise awareness and share tips about how to detect and deter these attacks.
The Federal Deposit Insurance Corporation (FDIC) is hosting a day-long symposium on the topic on Tues., May 11. And recently the American Bankers Association (ABA) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) held training at two conferences. The clear message from banking institutions regarding these educational sessions: We want more. "The banking professionals were very engaged," says Doug Johnson, Vice President and Senior Policy Advisor at the ABA.
"The majority of attendees said they were already experiencing corporate account takeover of their business customers' accounts," says Bill Nelson, Executive Director of the FS-ISAC. Nelson says 90 percent of his audience claimed to have experienced incidents of corporate account takeover. "Usually I hear a percentage of 20 to 30 percent."
An "after action report" is being reviewed by the FS-ISAC board, but Nelson shared some of the key highlights from the training exercise:
- Attack Recognition and Response - The attendees said they found there was some good information about whom they should contact for assistance if attacked. Regional payment associations were their number one choice, followed by NACHA second and FS-ISAC third.
- Liability and Loss - "While these two are two different issues, liability would be decided if the case went to court," Nelson says. "If you look at some of the current press coverage on this, in many articles it shows the business getting stuck with the loss. But in some cases, if the bank thinks they were part of the issue, they will share in the loss." Nelson also sees a lack of understanding about Uniform Commercial Code Article 4-A and where the line of liability can be drawn. UCC Article 4-A turns on whether the bank offers commercially reasonable security for the business customer. What counts as commercially reasonable has changed over time as technology has improved, and it is also measured against what similar banks of the same size offer for security. "Both banks and businesses think that the contract they are in override 4A, but 4A was written actually to supersede the contract, in terms of determining liability," he notes.
- Preventing Future Attacks - Referring to the list of steps that NACHA and FS-ISAC put together last August, Nelson says, "We asked banks for their list of points they found useful. The least important for the banks was the dedicated computer at the business for online banking," he notes. Businesses, by contrast, ranked it number two on their list. One final thing that came out of the training exercise "was the realization that we're all in this together, and more information sharing must happen -- especially between banks," Nelson says.
Working Group Formed
FS-ISAC has created a working group focused on developing best practices for institutions to help fight corporate account takeover. Errol Weiss, an information security professional at a worldwide bank, is leading FS-ISAC's Corporate Account Takeover Working Group. He says the working group's four teams will cover the following areas:
- Protection -- Helping to establish some best practices, working with the banking sector to develop some communications that are customer-focused on these issues. These awareness campaigns won't just be for the business banking customer, but also for the retail customer, he says, because individual banking customers are also being hit by account takeover. The task force is looking to develop public awareness ads similar to FakeCheck.org's campaign on check fraud. Those ads made real headway in terms of awareness of the issue, Weiss notes.
- Detection -- This team will work with the FIs to determine what controls are needed internally, and what fraud detection mechanisms need to be in place to catch these frauds in real time. The information-sharing portion will also include information on money mules that are cashing out these accounts and the attack signatures that are being used, he says.
- Response -- This team will focus on communication between the financial institution and the customer after an account takeover has happened. Financial institutions also need best practices for handling these attacks when they occur, including restitution guidelines, and the team is charged with developing a set of best practices to augment the FS-ISAC's earlier publication.
- Law Enforcement Involvement -- This team will facilitate the communication and involvement of law enforcement when the prosecution begins. Much of what happens after the crime has happened is dependent on law enforcement's involvement. One of the areas this team will develop is how to report these events to law enforcement and build it into their incident response plan.
Weiss says that as the working group fleshes out its plans for the teams, there will be more information available.