ACH Fraud Claims New Victim
Maine Town's Account Siphoned by Cyber Thieves

Earlier this month in Eliot, Maine, a small coastal town best known for its proximity to the outlet shops in Kittery, the town controller was stunned to receive a call from security journalist Brian Krebs, telling her the town's coffers had been pilfered of about $28,000.
You know the tune: Cyber thieves pirated the town's banking credentials, arranged some bogus "payroll transactions" with the town's bank, and the next thing you know ... money mules are transferring funds to the Ukraine.
Could the bank have detected and prevented the fraudulent transactions? Probably.
Will Eliot ever retrieve its stolen money? Unlikely.
Is this the last we'll be writing about yet another victim of ACH/wire fraud or corporate account takeover? I wish!
It's been two years now since this latest crime wave began, targeting small to midsize businesses (and municipalities), as well as their banking institutions. We've seen the financial services industry band together to issue warnings, reports and even the latest FFIEC authentication guidance. But nothing hints at this fraud spree abating anytime soon.
In fact, just this week comes word of yet another suit between a business customer and its bank. This time, California-based Village View Escrow has sued Professional Business Bank, claiming the bank is liable for the $465,000 financial loss Village View suffered after hackers infiltrated its online bank account in 2010.
This case revolves around the usual question of "What's commercially reasonable security?" And attorney David Navetta makes great points about how this question might play out in court. We've seen a disparity of verdicts this year - one high-profile case was resolved in favor of the customer, Experi-Metal Inc., and another involving PATCO Construction Inc. was resolved in favor of the bank - and I wouldn't begin to handicap how this new one will be resolved.
But I do know this: Until banking institutions conform to the FFIEC's new guidelines and insist on layered security controls, multifactor authentication and more effective awareness and training, we're only going to continue to see victims like the Town of Eliot, waking up to find their money gone.
In other news this week ...
We continue to get reactions to the FFIEC authentication guidance, and I was particularly pleased this week to speak with former banking regulator William Henley, who has a uniquely informed opinion on what banking institutions need to do between now and January 2012 to conform with the guidance. In general, Henley favors the new guidance and its timeline, but he sees one area where institutions will be challenged to comply: anomaly detection.
"I think [the agencies] understand this takes time, but I think they've underestimated the amount of time and work that goes into institutions setting up or developing a robust anomaly detection system," Henley says. "This is an area where the agencies can take another look and give some consideration to the industry with the tight timeline to conform with that portion of the supplement."
That doesn't mean anyone should expect an extension to the January deadline. But examiners may be willing to cut institutions some slack if they can at least show good faith efforts to begin their conformance.
Meanwhile, speaking of fraud, please check out a new guest blog by Phil Alexander, an information security officer with Wells Fargo Bank. Phil takes 'know your customer' an extra mile and proposes an interesting, simple plan to help reduce incidents of ATM fraud. Let me know what you think of his idea. Could it work?