Title: ACH Risk Management Mitigating ACH Fraud Risk
Introduction
NACHA defines ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." (Source: NACHA, 2007 ACH Risk Management Handbook, p. 51)
Although the goals of ACH participants vary based on their unique roles, all share a common responsibility to safeguard the network against fraud through appropriate and sound controls and processes.
This presentation will discuss:
- Common responsibilities of ACH Participants
- Types of cyber attacks used recently by fraudsters
- Primary risk mitigation tactics to combat ACH fraud
What Do They Want?
The expectations of each of the five participants in the ACH Network (NACHA, Credit Unions, Solution Providers, Business Owners and Consumers) are summarized below.
NACHA
- Compliance with ACH Rules
- Transaction Growth (vs. Card, Cash and Checks)
- Avoid losing volume to off-network bilateral arrangements
Source: Glenbrook, 2009 (www.glenbrook.com)
Credit Unions
- Interchange or fee revenue
- Control consumer demand deposit account access
Source: Glenbrook, 2009 (www.glenbrook.com)
Business Owners
- Reliable, low-cost payment vehicle for low-dollar transactions
- Straight-through processing and reduced complexity
Source: Glenbrook, 2009 (www.glenbrook.com)
Consumers
- Reliable, low-cost payment vehicle regardless of channel (Point-of-Sale, eCommerce, eBill Pay, Mobile)
Source: Glenbrook, 2009 (www.glenbrook.com)
Solution Providers
- Profitable, sustainable transaction growth
- Reasonable rules and regulations
Source: Glenbrook, 2009 (www.glenbrook.com)
Risk mitigation and prevention are the responsibility of every party in the ACH Network. Credit unions serving as Originating Depository Financial Institutions (ODFIs) can help prevent fraud and protect against potential financial loss by understanding current threats and applying common risk mitigation practices.
ODFI Cyber Attacks
According to the 2009 AFP Payments Fraud and Control Survey, seventeen percent of organizations that were victims of ACH fraud during 2008 suffered a financial loss as a result.
Cyber criminals use malicious software to steal user credentials. Within the ACH network, this could allow them to originate wire transfers and ACH batches, increasing the risk of potential financial loss to the institution.
NACHA warns that malicious software (malware) used by fraudsters is becoming increasingly common.
The attacks covered below are: malware, trojans, rootkits, spyware, phishing, keyloggers, and worms/viruses.
Malware
A general term for malicious software designed to infiltrate or damage a computer system without the owner's informed consent. (NACHA Risk Management Alert, 2009, www.nacha.org)
Types of malware include:
- Phishing
- Keyloggers
- Worms/Viruses
Rootkit
What it is: A program designed to hide or obscure the fact that a system has been compromised. (NACHA Risk Management Alert, 2009, www.nacha.org)
What it does: Replaces executable files in a system so that other files or processes installed by the criminal are hidden.
Spyware
What it is: A program installed and hidden on a computer to intercept or take partial control of the user's interaction with the computer, without user consent. (NACHA Risk Management Alert, 2009, www.nacha.org)
What it does: Monitors and collects personal information, installs other programs or redirects browser activity, without the user's knowledge or awareness.
Trojans
What it is: Software that appears to be legitimate, but is malicious. Trojans often look like a legitimate program, game, utility, screensaver or other attractive software tool.
What it does: Varies by type, but can be used by fraudsters to obtain remote access, back door access, networking of infected machines and keylogging.
Phishing
What it is: E-mails and websites that imitate the appearance of the financial institution's communications and website, so users and members don't realize they are accessing a fake site designed to harvest login credentials.
What it does: Makes it possible for criminals to steal user credentials, ultimately to originate wire transfers and ACH batches, increasing the risk of potential financial loss to the institution.
Keyloggers
What it is: A program or device used, usually covertly, to capture keyboard input.
What it does: Coupled with other malware, a keylogger may watch for and capture user IDs, passwords, account information, SSIDs, and other information.
Worms and Viruses
What they are: Worms and viruses are malware that copy themselves across a network. Worms can run themselves, while viruses need a host program to run.
What they do: Damage or corrupt data, change data, or degrade the performance of your system by utilizing resources such as memory or disk space. (Source: www.tech-faq.com)
Knowledge Check
Which of the following concerns is common among all ACH Network Participants?
A. Avoid transaction volume loss to off-network bilateral arrangements
B. Increase interchange or fee revenue
C. Safeguard against ACH fraud risks by understanding current threats and applying common risk mitigation practices
Feedback for A (try again): Maintaining network transaction volume is a primary concern for NACHA, The Electronic Payments Association.
Did you know? More than 15,000 depository financial institutions originated and received 18.2 billion ACH payments in 2008. NACHA represents nearly 11,000 financial institutions through direct membership and 18 regional payments associations. (Source: www.NACHA.org)
Feedback for B (try again): Increasing interchange or fee revenue related to ACH transactions is a concern for natural person financial institutions, like credit unions.
Did you know? Card interchange allows a financial institution's customers to use a bank credit card at any card-honoring merchant and to gain access to multiple ATM systems from a single ATM. Interchange fees are fees paid by one financial institution to another to cover handling costs and credit risk in a bankcard transaction. (Source: www.ffiec.gov/ffiecinfobase)
Feedback for C (correct): Risk mitigation and prevention are the responsibility of every party in the ACH Network. Credit unions serving as Originating Depository Financial Institutions (ODFIs) can help prevent fraud and protect against potential financial loss by understanding current threats and applying common risk mitigation practices.
How can credit unions mitigate fraud risk?
"All participants in the ACH payment system should be on the alert for fraudulent activity by their customers and within their organization." (NACHA, 2007 ACH Risk Management Handbook, p. 51)
Common risk mitigation practices include:
- Dual control settings
- Multifactor authentication of users
- IP address restrictions
- System access limitations
- Transactional dollar limits
- Strict password parameters
- ACH file transmission dollar limits
- Daily origination activity monitoring
- Update software patches regularly
- Limit user administrative rights
Dual Approval Controls
Applies to: Users, transactions and templates within an ACH system
What it does: Requires a second, authorized party to approve user setup, ACH transaction batches and template use prior to transmission.
How it helps: These settings in an ACH system ensure internal risk reduction policies like dual control and separation of duties are adhered to.
Multifactor Authentication of Users
Applies to: Users of an ACH system
What it does: Requires that, in addition to a user ID and password, a user confirm the legitimacy of their identity and access to the system via one or more additional, established methods. Often, this relates to information that only the legitimate user possesses.
How it helps: Multiple factors are more challenging for criminals or other unauthorized users to compromise.
IP Address Restrictions
Applies to: Users of an ACH system
What it does: Limits user access to a specific computer address (IP address).
How it helps: Restricts user access to the specified terminals and prevents transactions from being originated from unauthorized terminals.
Knowledge Check
Which security tactic features the use of information that only a legitimate ACH user possesses?
A. Dual approval controls
B. Restriction of IP addresses
C. Transactional dollar limit settings
D. Multifactor authentication of users
Feedback for A (try again): Dual approval controls require a second, authorized party to approve user setup, ACH transaction batches and template use prior to transmission. NACHA calls dual approval one of the most effective, yet basic, controls available for mitigating ACH fraud risk. (Source: NACHA Risk Management Alerts, 2009)
Feedback for B (try again): IP address restrictions reduce the risk of unauthorized access to an ACH system outside of approved locations. Combining IP address restrictions with dual approval settings is a very effective method for protecting against fraud attacks.
Feedback for C (try again): Setting dollar limits per transaction can help identify potential keying errors or fraudulent activity by stopping transactions with amounts above a user's approved limits.
Feedback for D (correct): In addition to user ID and password requirements, utilizing risk-based authentication (RBA) and challenge questions helps to ensure the identity of users accessing an ACH system.
System Access Limitations
Applies to: Users of an ACH system
What it does: Limits user access to specific hours and days of the week for select user functions.
How it helps: By restricting ACH users' access to necessary functions and appropriate processing hours, this setting reduces the risk of unauthorized access outside of approved timeframes.
Transactional Dollar Limits
Applies to: Users of an ACH system
What it does: Limits the maximum transactional dollar amount a user can initiate.
How it helps: Protects against keying errors and stops potential erroneous or fraudulent activity caused by users entering dollar amounts above their approved limits.
Knowledge Check
IP address restrictions prevent fraud by:
A. Preventing inadvertent downloading of malware
B. Preventing ACH access from unauthorized terminals
C. Limiting user access to an ACH system to specified hours and days
Feedback for A (try again): Keeping operating systems and components updated with current patches and utilizing firewalls, filters, virus scanning and other software along with global system user controls is the best protection against the download and installation of malicious software.
Feedback for B (correct): IP address restrictions limit user access to an ACH system to the terminals you specify and prevent access from unrecognized locations.
Feedback for C (try again): Restricting user access to specific days and times is another good way to limit unauthorized user access, but it doesn't include IP addresses in the limits.
Institute Strict Password Parameters
Applies to: Users of an ACH system
What it does: Confines system access to authorized users.
How it helps: More complex passwords (passwords that are longer, and contain alpha-numeric characters, special characters, and combinations of upper- and lower-case letters) and restricting re-used passwords make it harder for unauthorized users to manipulate an ACH system.
Establish Dollar Limits and Control Officers for ACH File Transmission
Applies to: Users of an ACH system
What it does: Allows the ACH administrator to set daily debit and credit exposure limits for member originators.
How it helps: Prevents members from exceeding the organizational credit exposure limits. Once limits are set, adding a control officer provides an additional control point for review and approval or disapproval of suspended, over-limit transactions.
Monitor Origination Activity Daily
Applies to: Member originators in an ACH system
What it does: Allows the credit union to monitor batches and transactions of member originators for adherence to exposure limits.
How it helps: Allows credit unions to control member activity that potentially exceeds the credit union's risk tolerance.
Keep O/S Software Patches and Other Protections Updated
Applies to: Participating Financial Institutions
What it does: While technically not an ACH security measure, keeping operating systems and components updated with current patches and utilizing firewalls, filters, virus scanning and other software along with global system user controls is a best practice protection against malicious software.
Limit User Administrative Rights
Applies to: Participating Financial Institutions
What it does: While technically not an ACH security measure, protects the financial institution by limiting the activities users can perform on their assigned workstations, including uploads, downloads, installations, etc.
How it helps: Protects against the inadvertent download of malicious software and viruses.
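As an added example (not part of this presentation and not any vendor's ACH system code), the following Python shows how the user-level controls described above (IP address restrictions, system access limitations, transactional dollar limits, dual approval) and the originator-level controls (daily debit/credit exposure limits with suspension for a control officer, and daily origination monitoring) could be evaluated against a submitted batch. Every class, function and field name, the CIDR ranges, user IDs, limits and sample batches are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# All names and values below are constructed for this example; the presentation
# names the controls but not any particular ACH system or its data model.

@dataclass
class UserProfile:
    user_id: str
    allowed_networks: List[str]   # IP address restriction (CIDR strings)
    allowed_days: Set[int]        # system access limitation: 0 = Monday ... 6 = Sunday
    allowed_hours: range          # system access limitation, e.g. range(8, 18) = 08:00-17:59
    per_transaction_limit: float  # transactional dollar limit
    can_approve: bool = False     # authorized second party for dual approval

@dataclass
class Entry:
    kind: str       # "debit" or "credit"
    amount: float

@dataclass
class Batch:
    originator: str            # member originator the batch belongs to
    submitted_by: str
    approved_by: Optional[str]
    source_ip: str
    submitted_at: datetime
    entries: List[Entry]

@dataclass
class ExposureLimit:
    daily_debit: float
    daily_credit: float

def batch_totals(entries: List[Entry]) -> Dict[str, float]:
    totals = {"debit": 0.0, "credit": 0.0}
    for e in entries:
        totals[e.kind] += e.amount
    return totals

def evaluate_batch(batch, users, limits, sent_today):
    """Apply user-level controls, then the originator's daily exposure limits.

    Returns (decision, findings): REJECT when a user-level control fails,
    SUSPEND (held for control-officer review) when the batch would push the
    originator over its daily exposure limit, otherwise TRANSMIT.
    """
    findings = []
    submitter = users.get(batch.submitted_by)
    if submitter is None:
        return "REJECT", ["unknown submitter"]
    # IP address restriction: the source must fall inside an allowed network
    ip = ip_address(batch.source_ip)
    if not any(ip in ip_network(n) for n in submitter.allowed_networks):
        findings.append(f"source IP {batch.source_ip} not in allowed networks")
    # System access limitation: approved days and hours (also a red flag for review)
    t = batch.submitted_at
    if t.weekday() not in submitter.allowed_days or t.hour not in submitter.allowed_hours:
        findings.append("access outside user's approved days/hours")
    # Transactional dollar limit, checked per entry
    for e in batch.entries:
        if e.amount > submitter.per_transaction_limit:
            findings.append(f"{e.kind} {e.amount:.2f} exceeds user limit "
                            f"{submitter.per_transaction_limit:.2f}")
    # Dual approval: a second, authorized party (not the submitter) must approve
    approver = users.get(batch.approved_by) if batch.approved_by else None
    if approver is None or not approver.can_approve or approver.user_id == submitter.user_id:
        findings.append("dual approval missing, unauthorized, or self-approved")
    if findings:
        return "REJECT", findings
    # Daily debit/credit exposure limit for the member originator, counting earlier batches
    lim = limits[batch.originator]
    running = dict(sent_today.get(batch.originator, {"debit": 0.0, "credit": 0.0}))
    for kind, amt in batch_totals(batch.entries).items():
        running[kind] += amt
    over = [f"daily {k} exposure {running[k]:.2f} exceeds {cap:.2f}"
            for k, cap in (("debit", lim.daily_debit), ("credit", lim.daily_credit))
            if running[k] > cap]
    return ("SUSPEND", over) if over else ("TRANSMIT", [])

def daily_origination_report(batches, limits):
    """Daily origination monitoring: per-originator totals against exposure limits."""
    report = {}
    for b in batches:
        tot = report.setdefault(b.originator, {"debit": 0.0, "credit": 0.0})
        for kind, amt in batch_totals(b.entries).items():
            tot[kind] += amt
    for orig, tot in report.items():
        lim = limits[orig]
        tot["over_limit"] = tot["debit"] > lim.daily_debit or tot["credit"] > lim.daily_credit
    return report

# Constructed sample profiles, limits and batches (2009-06-15 is a Monday, 2009-06-14 a Sunday)
USERS = {
    "clerk1": UserProfile("clerk1", ["10.20.0.0/16"], {0, 1, 2, 3, 4}, range(8, 18), 5000.0),
    "officer1": UserProfile("officer1", ["10.20.0.0/16"], {0, 1, 2, 3, 4}, range(8, 18),
                            25000.0, can_approve=True),
}
LIMITS = {"ACME Payroll": ExposureLimit(daily_debit=50000.0, daily_credit=100000.0)}
GOOD = Batch("ACME Payroll", "clerk1", "officer1", "10.20.5.7", datetime(2009, 6, 15, 10, 30),
             [Entry("credit", 1200.0), Entry("credit", 800.0)])
OFF_HOURS = Batch("ACME Payroll", "clerk1", "officer1", "198.51.100.9",
                  datetime(2009, 6, 14, 2, 15), [Entry("credit", 4500.0)])
SELF_APPROVED = Batch("ACME Payroll", "clerk1", "clerk1", "10.20.5.7",
                      datetime(2009, 6, 15, 11, 0), [Entry("debit", 9000.0)])
OVER_EXPOSURE = Batch("ACME Payroll", "clerk1", "officer1", "10.20.5.7",
                      datetime(2009, 6, 15, 15, 0), [Entry("credit", 4000.0)] * 30)

if __name__ == "__main__":
    for name, b in [("good", GOOD), ("off-hours", OFF_HOURS),
                    ("self-approved", SELF_APPROVED), ("over-exposure", OVER_EXPOSURE)]:
        print(name, evaluate_batch(b, USERS, LIMITS, {}))
    print(daily_origination_report([GOOD, OVER_EXPOSURE], LIMITS))
```

The split between REJECT and SUSPEND follows the controls as the presentation describes them: a failed IP, time-window, per-transaction or dual-approval check stops the batch outright, while an over-limit batch is suspended so a control officer can review and approve or disapprove it. The off-hours batch illustrates the red flag from the knowledge check below (access outside normal business hours) together with an unrecognized source address.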
Knowledge Check
Which of the following is a potential red flag for ACH fraud?
A. A password longer than the credit union-defined minimum characters
B. Transaction amounts smaller than the maximums defined in the Credit Policy
C. A unique user name
D. Access outside of normal business hours
Feedback for A (try again): Longer passwords are more challenging to fraudsters. Strong passwords typically contain a minimum of eight to ten characters and include numbers, mixed-case letters and special characters.
Feedback for B (try again): It is recommended that credit unions set maximum transactional amounts. Amounts smaller than the maximum are not typically red flags, but administrators and control officers should always be vigilant for any unusual or extraordinary activity.
Feedback for C (try again): All users of an ACH system should have a unique user name; the sharing of user IDs and passwords is a system vulnerability that cyber criminals can exploit.
Feedback for D (correct): Access to the ACH system outside of the user's normal business days and hours may be an indication of unauthorized access or potential fraud.
Summary
Sections covered: Introduction; ACH Participants; Current Fraud Tactics; ACH Risk Mitigation.
This concludes the Mitigating ACH Fraud Risk presentation.