Certified and Experienced Forensic Accounting Professionals
Richard Potocek, a former FBI agent with more than 20 years of experience investigating white collar cases, and his team of experts utilize forensic techniques to identify, collect and analyze financial information to reconstruct accounting activities and pursue document trails essential to helping you uncover evidence to solve any forensic accounting, fraud or white collar case.
Whether you are a victim of securities fraud, mortgage fraud, bankruptcy fraud, wire and mail fraud or corporate embezzlement, or want to minimize potential exposure, our professionals are certified forensic examiners that will work with you to recover stolen or embezzled assets and/or develop strategies to manage risks.
Rick Potocek, certified public accountant and certified forensic/fraud examiner, is available to discuss any questions you may have regarding a forensic audit, expert and fact witness testimony, litigation support consulting, internal corporate investigations or any other white collar crime related topics.
Sign up below for our free Fraud Matters Newsletter where you will find essential articles on detecting and preventing fraud.
See below for a white paper by Rick Potocek on ACH fraud.
Automated Clearing House Fraud and How to Reduce Your Risk
by Rick Potocek
To report the results of our research into the criminal activity often referred to as Automated Clearing House (ACH) Fraud and to provide the results of our independent review of policies, procedures, best practices and security tools available to the banking industry and third party entities to reduce the risk of loss of customer funds as a result of this scheme.
ACH is an electronic network for financial transactions in the United States. ACH processes large volumes of credit and debit transactions in batches. ACH credit transfers include direct deposit payroll and vendor payments. ACH direct debit transfers include consumer payments of insurance premiums, mortgage loans, and other payments. Debit transfers also include new applications such as the point-of-purchase (POP) check conversion pilot program sponsored by NACHA-The Electronic Payments Association, formerly known as the National Automated Clearing House Association. Both the government and the commercial sectors use ACH payments. Businesses increasingly use ACH online applications to have customers pay, rather than via credit or debit cards.
Rules and regulations that govern the ACH network are established by NACHA and the Federal Reserve. In 2002, this network processed an estimated 8.05 billion ACH transactions with a total value of $21.7 trillion. By 2010, volume had more than doubled. According to NACHA documents, 2010 volume was 19.4 billion transactions with a value of almost $32 trillion.
The Federal Reserve Banks are collectively the nation’s largest automated clearing house operator, and in 2005 processed 60% of commercial interbank ACH transactions. The Electronic Payments Network (EPN), the only private-sector ACH operator in theUS, processed the remaining 40%.
As the volume of ACH commerce has grown, so has the potential for fraud. According to an article on the CSO Online website, fraud involving the Automated Clearing House Network is becoming an increasingly popular way for hackers to siphon money out of the bank accounts of unsuspecting victims. 
According to the article, criminals involved in this activity typically only require a victim’s user name and password to access the account to then initiate ACH transactions out of that account. They most often obtain the information with a targeted or “spear phishing” email that tricks the victim into downloading and unwittingly running malicious “keystroke logging” software which records online bank account access user names and passwords. The resulting fraud is known as Corporate Account Takeover. One of the most notorious malware programs is Zeus, a Trojan horse. According to Trusteer, a security company, “Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US)…Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time.” Trusteer reports that hackers are continuing to expand and upgrade Zeus to stay ahead of anti-virus programs and have expanded to other platforms such as mobile phones.
According to a recent report from the FBI, there had been approximately $100 million in attempted losses due to ACH fraud as of October 2009. The FBI reports it is seeing several new victim complaints and cases opened every week. The FBI website is chock full of articles about ACH fraud arrests and convictions across the country.
GUIDANCE AND BEST PRACTICES FOR FINANCIAL INSTITUTIONS
The rise in ACH fraud and other Internet-related financial crime led the Federal Financial Institution Examination Council (FFIEC) to issue new guidance in 2011. The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau* (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.
On June 28, 2011, the FFIEC issued a supplement to its Authentication in an Internet Banking Environment guidance, originally issued in October 2005. According to the press release, “the purpose of the supplement is to reinforce the risk-management framework described in the original guidance and update the FFIEC member agencies’ supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment.”
The press release went on to say, “The continued growth of electronic banking and greater sophistication of the associated threats have increased risks for financial institutions and their customers. Customers and financial institutions have experienced substantial losses from online account takeovers. Effective security is essential for financial institutions to safeguard customer information, reduce fraud stemming from the theft of sensitive customer information, and promote the legal enforceability of financial institutions’ electronic agreements and transactions.”
The original 2005 FFIEC Guidance provided a risk management framework for financial institutions offering Internet-based products and services to their customers. It stated that institutions should use effective methods to authenticate the identity of customers and that the techniques employed should be commensurate with the risks associated with the products and services offered and the protection of sensitive customer information. The Guidance provided minimum supervisory expectations for effective authentication controls applicable to high-risk online transactions involving access to customer information or the movement of funds to other parties. The 2005 Guidance also provided that institutions should perform periodic risk assessments and adjust their control mechanisms as appropriate in response to changing internal and external threats.
NACHA has a Risk Management Advisory Group (RMAG) “dedicated to establishing sound business practices for risk management, developing rules necessary to assure ongoing strength and stability, and improving quality in the ACH Network.” RMAG’s sound business practices are intended “for financial institutions of all sizes to consider when reviewing and implementing security procedures to mitigate threats” and are presented in a white paper available on the NACHA website.  The sound business practices include:
- Agreements and Minimum Security Procedures – Financial Institutions are recommended to enter into written agreements with clients that explain security requirements in detail and require current and robust anti-virus and security software.
- Dual Control for Payment File Initiation – Dual control involves file creation by one employee with file approval and release by another employee on a different computer. Or, require dual use of tokens where a single employee creates a file, but can only release the same file by logging in a second time using a new passcode or token.
- Out-of-Band Authentication and Alerts – Using e-mail, callbacks, text messages or Fax to the customer for verification that a new payee was created; an alert that the account has been accessed using an Internet Protocol (IP) address not previously used, or requests for new Originator credentials.
- Enhancement of Account Security Offerings – Financial Institutions should consider fraud detection and risk management services offered by ACH Operators such as dollar thresholds or caps, and other options such as IP address authentication, behavior analytics or payment patterning as well as value-added services like positive pay, debit blocks and tokens to enhance Originator’s account security.
- Exploration of Low-Tech Security Options – Financial Institutions should establish and enforce exposure limits, use origination calendars to establish the chronology of normal behavior, and consider using pre-notification for changes to an origination file.
- Education – Financial institutions should communicate with other institutions and industry sources regarding fraudulent activity and new threats; educate customers about preventing, detecting, and reporting measures related to cybercrimes and account takeover; and inform clients about optional services the client can use to prevent losses.
- Special Considerations for Receiving Depository Financial Institutions (RDFI) – RDFIs should educate staff about identifying “money mules,” individuals that are tricked into receiving and sending money, and what steps they should take if one is detected.
According to the NACHA white paper, each financial institution should evaluate its risk profile with regard to Corporate Account Takeover and develop and implement a security plan to prevent and mitigate risk. Although NACHA is the rule-making body of the ACH network, financial institutions are not required to be members of NACHA and don’t necessarily have to abide by NACHA’s best practices.
In addition to the security tools and protocols available to financial institutions described above, our research has identified several other tools available to banks to thwart efforts by hackers to access customers’ accounts as follows:
- “Client Side” certificates – A client side certificate is software which is downloaded from the financial institution to the customer’s computer upon initial registration to use online banking services. When a user attempts to sign in to the online account, the bank’s computer looks for the “Certificate” on the customer’s computer to authenticate that the person signing into the account is using a computer which has been pre-authorized. If the certificate is not present, the bank’s system initiates additional authentication steps which may include the person attempting to sign in to answer a series of security questions or use an “out-of-band” communication to the authorized account user to confirm that he or she is attempting to sign on.
- On Screen Keyboard – This bank side application causes a virtual keyboard to be displayed on the customer’s computer screen and the customer uses his mouse to tap out his password. As the password is not entered with keystrokes, keystroke logging software will not be able to capture the password and transmit it to the hackers.
- Hard and Soft Tokens – A hard token is a small, battery powered device which generates a new serial number, generally six digits, on a scheduled time interval such as every minute. A soft token is software provided by the financial institution that resides on the customer’s workstation, is accessed with a password and generates a serial number. In either case, the customer must have the number generated by the hard or soft token to successfully log in. The tokens are timed with the bank’s system so that the bank’s computer is looking for the unique number generated by the token. If the number entered by the customer matches with the number the bank’s computer is expecting, the user is authenticated and allowed to access the account. Computer Key-logging software surreptitiously installed on a customer’s computer might capture the number generated by the token when entered by the customer. However, as the number changes every minute or so, the number captured and forwarded to the hacker becomes useless after one minute and the “old” number would not allow him to access the bank account.
- Internet Protocol (IP) address filters – IP address filters on the bank’s computer look for several characteristics regarding the IP address assigned to a user who is attempting to logon. If a customer has a “static” IP address, meaning his IP address never changes, then the bank’s computer must see that exact IP address before it will allow access to the account. Many businesses use Internet Service Providers (ISPs) that provide a “dynamic” IP Address. This means that the IP address assigned by the ISP is different almost every time a user signs on. ISPs are assigned a range of consecutive numbered IP addresses. This range can be programmed into the bank’s ISP filter to confirm that the user attempting to sign on is using an IP address falling within that range. IP address filters can also be programmed to block out a user whose IP Address is coming from high risk nations such as Russia, China, Nigeria and others.
As a result of our review of available documentation regarding ACH Fraud and online account security and interviews with several experts in the field, we have learned that financial institutions have a number of tools available to them to minimize the threat of ACH fraud, even if a customer’s user name and password have been compromised. There is a wealth of guidance available, not only from those responsible for managing the online banking network, but from banking regulators themselves, to guide financial institutions in protecting client accounts from unauthorized access.
Financial institutions that lack tight computer security expose themselves and their customers to the risk of substantial losses due to ACH and other Internet-based fraud schemed. For a number of years, financial institutions and their regulators have been aware of the danger of ACH fraud and industry losses have been in the millions of dollars. It is true that customers who do not have and maintain appropriate antivirus computer software are leaving their computer systems open to a variety of online threats to the security of the systems, their data, and their personal identifying information. However, in our opinion, financial institutions which do not use some or all of the many protocols and software tools available to minimize customer losses bear a significant amount of the responsibility when a loss occurs.
ABOUT THE AUTHORS:
Richard M. Potocek CPA, MBA, CFE was a special agent with the FBI for 24 years who spent most of those years working fraud related and other white collar crime matters. After leaving the government, he worked for a “Big 4” accounting firm as a director in the “Forensic and Dispute Services” practice of the firm. In 2009, Mr. Potocek founded Greystone Advisory Group LLC, based in Washington DC and suburban Maryland to provide forensic accounting, business intelligence and internal corporate investigation services. He merged this practice with Gelman, Rosenberg and Freedman CPAs in August 2012.
Robert H. Pearre Jr. CPA was also a Special Agent with the FBI working fraud and other white collar crime cases. Mr. Pearre left the FBI to take a position with the U.S. House Appropriations Committee, Surveys and Investigations Staff, rising to the position of Chief and Director. The staff consisted of approximately 80 investigators who conducted research into government agencies and programs, at the request of the Chairman, to determine if government funds were being utilized effectively, efficiently and for the purpose intended. Mr. Pearre is currently a private consultant as well as the principal of a private investigations firm located in Highland, MD.
 See www.trusteer.com
 FFIEC Releases Supplemental Guidance on Internet Banking Authentication, June 28, 2011, http://www.ffiec.gov/press/pr062811.htm