Association of Corporate Credit Unions ACH Fraud Mike Thomas - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Association of Corporate Credit Unions ACH Fraud
Mike Thomas
  • August 13, 2009

2
Agenda
  • Unauthorized Transactions
  • ACH Kiting
  • E-Check Fraud
  • Client Social Engineering/ACH Fraud

3
Unauthorized Transactions
4
Unauthorized Transactions - Debit
  • A dishonest ACH business customer could instruct
    the financial institution to debit numerous
    individuals' accounts at various institutions,
    claiming the individuals had contracted for a
    good or service when in fact they had not
    contracted with the business.
  • When the transactions start being returned, the
    business customer disappears.

5
Unauthorized Transactions - Credit
  • A dishonest employee at a legitimate ACH business
    customer (or a dishonest financial institution
    employee) could commit fraud by replacing the
    account numbers of legitimate ACH credit
    recipients (ex. monthly payroll) with account
    numbers that the dishonest employee controlled.

6
Unauthorized Transactions - Prevention
  • Have strong upfront due diligence procedures
    before allowing a business customer to process
    ACH transactions (i.e. know your customer or
    KYC type procedures).
  • Verify, through the use of callbacks to the ACH
    business customer, the validity of tapes received
    for ACH processing.
  • Ensure transmissions are scheduled in advance by
    the ACH customer before processing.
  • Have segregation of duties in the ACH processing
    (ex. segregate preparing files, sending files,
    performing callbacks, performing reconcilements,
    etc.).

7
ACH Kiting
8
ACH Kiting
  • ACH kiting is similar to an unauthorized
    transaction scheme, with the exception that the
    dishonest ACH business customer does not cut and
    run.
  • As ACH items are being returned, the dishonest
    business customer replaces the returned items
    with new fraudulent items.
  • The account balance created by bogus transactions
    continues to rise over time. The fraud could
    continue until the fraud perpetrator decides to
    cash out and disappear or until the financial
    institution becomes suspicious. In either case,
    the amount of fraud can be substantial.

9
ACH Kiting - Prevention
  • Have strong upfront due diligence procedures
    before allowing a business customer to process
    ACH transactions (i.e. know your customer or
    KYC type procedures).
  • Monitor the level of float caused by returned
    debits.
  • Place holds on accounts with high debit
    reversal activity.

10
E-Check Fraud
11
E-Check Fraud
  • E-Check is ACH activity that closely resembles
    paper check transactions, but the transactions
    are processed electronically. Types of E-Check
    activity include:
    • Point of Purchase (POP)
    • Re-Presented Check (RCK)
    • Accounts Receivable Check (ARC)
    • Internet Purchases (WEB)
    • Telephone Purchases (TEL)

12
Point of Purchase (POP)
  • A consumer hands a store's cashier a check for
    payment. The cashier uses a MICR reader to scan
    and capture data from the check's MICR line and
    keys in the check amount. The consumer signs an
    authorization for the check to be converted and
    receives the check back. The payment is
    processed electronically through ACH.

13
Point of Purchase (POP)
14
Re-Presented Check (RCK)
  • A payment that was presented as an ordinary paper
    check is returned for some reason (ex.
    insufficient or uncollected funds). Instead of
    being re-presented on paper, it is transmitted
    electronically through the ACH Network as a debit
    entry. RCK applies only to bounced checks, not
    to bounced ACH transactions.

15
Re-Presented Check (RCK)
16
Accounts Receivable Check (ARC)
  • A consumer mails a check payment to a creditor
    who has a Lockbox arrangement with a financial
    institution or intermediary. The Lockbox
    provider then captures information from the MICR
    line, enters the non-MICR information (e.g. dollar
    amount of the check), and converts the check to an
    ACH debit entry. The entry flows through the ACH
    network and is posted to the customer's account.

17
Accounts Receivable Check (ARC)
18
Internet Purchases (WEB)
  • A customer is purchasing an item through a
    website and the merchant offers a payment option
    of an electronic debit to a deposit account. The
    consumer provides authorization, including keying
    in the routing number and account number, usually
    from their check's MICR data. The merchant then
    sends a debit through the ACH network (possibly
    through a processor) to ultimately debit the
    consumer's account for the purchase.

19
Internet Purchases (WEB)
20
Telephone Purchases (TEL)
  • A customer calls a company or, in some cases, the
    company calls the customer. The company offers a
    debit to a checking account as a way to pay for
    the goods or services being ordered. If the
    customer agrees, the customer provides the MICR
    information from the check and the company sends
    payment through the ACH network and debits the
    customer's account for the purchase.

21
Telephone Purchases (TEL)
22
E-Check Fraud
  • E-Checks have many of the same fraud risks that
    paper checks have (see Deposit-Branch Fraud).
  • E-Checks add the risks of speed and anonymity.
  • The fraud is enabled by converting the paper
    payment to an electronic one, or by eliminating
    the paper altogether.

23
E-Check Fraud
  • E-Check Fraud differs from paper check fraud in
    the following ways:
    • Fraudulent or nonexistent authorization
    • Denial of otherwise valid authorization
    • No physical document to examine

24
Example 1 E-Check Fraud
  • An individual:
    • Calls retailer for purchase
    • Authorizes telephone transaction
    • Receives proper notice of authorization
    • But denies transaction upon receiving checking
      account statement and completes written statement
      under penalty of perjury.

25
Example 2 E-Check Fraud
  • An individual:
    • Notices that a certain retailer converts checks
      at the point of sale and doesn't appear to
      otherwise have maker (check writer) information.
    • Passes a batch of bad checks at this retailer.
    • Retailer faces challenges tracking down the
      fraudster without the bounced check.

26
E-Check Fraud Prevention - ODFI
  • Know your corporate/business clients.
  • Perform due diligence on each potential and
    existing customer.
  • Calculate risk exposure for each customer.
  • Track debit return rates and take prompt action
    for customers with too-high rates.
  • Prosecute originators found to be fraudulent.
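The monitoring described on the ACH Kiting - Prevention slide (float from returned debits, holds on accounts with high reversal activity) and on this slide (tracking debit return rates per originator) can be expressed as one per-originator metric pass. The code below is an added example, not part of the presentation or any Crowe Horwath tool; the debit records, originator names, return-rate limits and the "replaced debit" heuristic are constructed for illustration, and the return reason codes are assumed NACHA-style values.

```python
from collections import defaultdict
from dataclasses import dataclass
# Assumed NACHA-style return reason codes: R01/R03 are ordinary returns,
# R05/R07/R10/R29 are the "unauthorized" family.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}
# Illustrative limits (Nacha publishes its own return-rate levels); alerts fire above them.
RULES = [("unauthorized", 0.005, "unauthorized-return rate too high"),
         ("overall", 0.15, "overall return rate too high"),
         ("replaced", 1, "returned debits re-sent to same receivers (kiting pattern)")]

@dataclass
class Debit:
    originator: str   # the ACH business customer
    receiver: str     # receiving account, constructed id
    day: int          # processing day
    amount: float
    ret: str = ""     # return reason code, empty if the debit settled

# Constructed sample: a clean payroll originator, a web merchant with too many
# unauthorized returns, and an originator that re-sends every returned debit.
SAMPLE = (
    [Debit("acme", f"a{i}", 1, 100.0) for i in range(19)] + [Debit("acme", "a19", 1, 100.0, "R01")]
    + [Debit("webshop", f"w{i}", 1, 40.0) for i in range(200)]
    + [Debit("webshop", "w5", 2, 40.0, "R10"), Debit("webshop", "w6", 2, 40.0, "R10")]
    + [Debit("kiter", "k1", 1, 500.0, "R01"), Debit("kiter", "k1", 3, 500.0, "R01"),
       Debit("kiter", "k1", 5, 500.0), Debit("kiter", "k2", 2, 300.0, "R03"),
       Debit("kiter", "k2", 4, 300.0)]
)

def originator_metrics(debits):
    """Per-originator return rates, returned-debit float, and count of re-sent returns."""
    by_orig = defaultdict(list)
    for d in debits:
        by_orig[d.originator].append(d)
    metrics = {}
    for orig, ds in by_orig.items():
        returned = [d for d in ds if d.ret]
        unauth = [d for d in returned if d.ret in UNAUTHORIZED_CODES]
        # A debit is "replaced" when an earlier debit to the same receiver already came back.
        replaced = sum(1 for d in ds
                       if any(e.receiver == d.receiver and e.ret and e.day < d.day for e in ds))
        metrics[orig] = {"total": len(ds), "overall": len(returned) / len(ds),
                         "unauthorized": len(unauth) / len(ds),
                         "float": sum(d.amount for d in returned), "replaced": replaced}
    return metrics

def flag_originators(debits):
    return [(orig, label) for orig, m in sorted(originator_metrics(debits).items())
            for key, limit, label in RULES if m[key] > limit]
```

With the sample data, "kiter" trips both the overall-return limit and the re-sent-returns rule while "webshop" trips only the unauthorized-return limit; the `float` figure is the dollar amount of returned debits the originator was credited for, which is what a hold decision would look at.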

27
E-Check Fraud Prevention - RDFI
  • Extend check fraud prevention tools to ACH
    transactions.
  • Encourage customers to be wary of sharing account
    information with unknown parties.
  • Question ACH files with unusually high return
    rates.

28
Client Social Engineering/ACH Fraud
29
Social Engineering
  • Social Engineering is commonly used to gain
    sensitive information.
  • May start with gaining trivial information.
  • Relies on human nature.

30
Social Engineering
  • Most Social Engineering is performed via phone
    and/or by gaining access to a work area.
  • Attackers typically will pose as a trusted source
    (e.g. IT personnel).
  • What's the Risk? The information given could
    seem trivial but could help the attacker with
    their next inquiry for information (e.g.
    providing a high-level manager's name). This is
    also called nibbling.

31
An Example Scenario
  • Using the IT administrator's name, an attacker
    will pose as the IT administrator or someone
    working for the IT administrator.
  • He will then inform the employee that IT noticed
    a problem with the user's computer.
  • They will ask the user to perform several
    functions to gather information, like the
    computer's IP address.
  • The attacker will then tell the user that an
    application needs to be executed on their
    computer to fix the problem.

32
Trojan Horse
  • Trojan Horse - a malicious program that is
    disguised as or embedded within legitimate
    software, for example:
    • Greeting Card
    • Picture
  • Success depends on human interaction:
    • The attacker counts on the employee opening the
      email or executing a program.
  • What's the Risk? The attacker could gain access
    to the computer network.

33
Client Social Engineering/ACH Fraud
  • Using various techniques (Social Engineering,
    Trojan Horse, Technical Hacking, etc.), a con man
    gains access to a bank client's computer system.
  • With this access, the con man uses the bank
    client's network application to enter the bank's
    on-line cash management services (e.g. ACH).
  • Then, similar to the Unauthorized Transactions
    - Credit scenario, the con man sends bogus ACH
    transactions and cleans out the bank client's
    account/line of credit.

34
Client Social Engineering/ACH Fraud - Prevention
  • With the level of automation at the client site,
    many banks don't follow the manual processes
    (ex. callbacks, scheduled transactions, etc.)
    that used to be used for authentication.
  • To reduce this type of fraud, finding solutions
    similar to the manual controls is critical.
  • To be efficient, banks are looking to automated
    verification sources (like sending a facsimile)
    that work outside of the client's computer
    system.
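The point of this slide is that once the con man controls the client's computer, anything that arrives through the online channel can be forged, so a release decision should depend on facts the bank holds independently of that channel (the pre-scheduled transmission and the callback/facsimile to a contact registered at onboarding) plus the segregation of duties and per-client exposure from the earlier slides. The gate below is an added example, not code from the presentation or from any bank; the client profile, file records, employee ids and contact numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# What the bank records about a client at onboarding, independently of the client's
# computer system: exposure limit, pre-registered contact points, scheduled send days.
@dataclass
class ClientProfile:
    name: str
    exposure_limit: float
    registered_contacts: set          # callback phone / fax numbers taken at onboarding
    scheduled_days: set               # processing days the client scheduled in advance

@dataclass
class AchFile:
    client: str
    day: int
    total: float
    sent_by: str                                   # bank employee who transmitted the file
    # (channel, contact reached, bank employee who performed the confirmation)
    confirmations: List[Tuple[str, str, str]] = field(default_factory=list)

OUT_OF_BAND = {"callback", "fax"}   # channels that never touch the client's computer

def release_problems(f: AchFile, p: ClientProfile) -> List[str]:
    """Control failures for a file; an empty list means the file may be released."""
    problems = []
    if f.day not in p.scheduled_days:
        problems.append("transmission was not scheduled in advance")
    if f.total > p.exposure_limit:
        problems.append("file total exceeds the client's calculated exposure")
    # A confirmation arriving through the online channel could have been produced by
    # whoever controls the client's computer, so only out-of-band confirmations to a
    # pre-registered contact, performed by someone other than the sender, count.
    valid = [c for c in f.confirmations
             if c[0] in OUT_OF_BAND and c[1] in p.registered_contacts and c[2] != f.sent_by]
    if not valid:
        problems.append("no out-of-band confirmation to a registered contact by a second employee")
    return problems

# Constructed scenario: the same file confirmed only through the (possibly compromised)
# online session, then properly confirmed by callback, then an off-schedule oversized file.
ACME = ClientProfile("acme", 50_000.0, {"+1-555-0100", "fax:+1-555-0199"}, {1, 3, 5})
UNCONFIRMED = AchFile("acme", 1, 42_000.0, "teller1", [("portal", "acme-web", "teller1")])
CONFIRMED = AchFile("acme", 1, 42_000.0, "teller1",
                    [("portal", "acme-web", "teller1"), ("callback", "+1-555-0100", "ops2")])
SUSPICIOUS = AchFile("acme", 2, 75_000.0, "teller1", [("callback", "+1-555-0100", "teller1")])
```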

35
  • Questions?
  • Mike Thomas
  • Crowe Horwath LLP
  • mike.thomas_at_crowehorwath.com
  • 404-442-1607