One increasingly prevalent form of theft is automated clearing house (ACH) fraud, in which criminals compromise a business’s online financial transactions to steal or embezzle funds. ACH refers to the electronic network for financial transactions in the United States that carries direct-deposit payroll, vendor payments, and consumer payments of insurance premiums, mortgage loans and credit card bills. As such transactions move to the Internet, hackers are developing ever more sophisticated ways around the protections that have been put in place, in order to access accounts and engage in illegal activity.
Many businesses assume their banks or financial institutions provide sufficient protections to counteract systemic risks and vulnerabilities to fraud. But the ongoing prevalence of ACH fraud (keep reading for an alarming statistic from the FBI) demonstrates that hackers are not dissuaded by the protections available.
Business owners should proactively review this critical topic with their banks to minimize their exposure to fraud or theft. We recommend discussing the availability of the following four tools to help protect business accounts:
- Client-side certificate – A client-side certificate is software downloaded from the financial institution to the customer’s computer upon initial registration for online banking services. When a user attempts to sign in to the online account, the bank’s computer looks for the “certificate” on the customer’s computer to confirm that the person signing in is using a computer that has been pre-authorized. If the certificate is not present, the bank’s system initiates additional authentication steps, which may include asking the person attempting to sign in to answer a series of security questions, or using an “out-of-band” communication to the authorized account user, such as a text message or email, to confirm that he or she is the one attempting to sign on.
- On-screen keyboard – This bank-side application displays a virtual keyboard on the customer’s computer screen, and the customer uses the mouse to click out his password. Because the password is not entered with keystrokes, keystroke-logging software cannot capture it and transmit it to the hackers.
- Hard and soft tokens – A hard token is a small, battery-powered device that generates a new number, generally six digits, at a scheduled interval such as every minute. A soft token is software provided by the financial institution that resides on the customer’s workstation, is accessed with a password, and generates the same kind of number. In either case, the customer must enter the number currently produced by the hard or soft token to log in successfully. The tokens are synchronized with the bank’s system, so the bank’s computer knows which unique number to expect from the token; if the number the customer enters matches the number the bank’s computer is expecting, the user is authenticated and allowed to access the account. Key-logging software surreptitiously installed on a customer’s computer might capture the token number as the customer types it. However, because the number changes every minute or so, the captured number forwarded to the hacker becomes useless after about a minute, and the “old” number will not let him access the bank account.
- Internet protocol (IP) address filters – IP address filters on the bank’s computers examine several characteristics of the IP address assigned to a user who is attempting to log on. If a customer has a “static” IP address, meaning an address that never changes, then the bank’s computer must see that exact IP address before it will allow access to the account. Many businesses use Internet Service Providers (ISPs) that provide a “dynamic” IP address, meaning the address assigned by the ISP is different almost every time a user signs on. Each ISP is assigned a range of consecutively numbered IP addresses, and this range can be programmed into the bank’s IP filter to confirm that the user attempting to sign on is using an address within that range. IP address filters can also be programmed to block a user whose IP address originates in a high-risk nation such as Russia, China, Nigeria and others.
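The following added example (not code from the original article or from any bank) shows, in simplified form, how the two mechanisms above behave on the bank’s side: a time-synchronized token check that accepts only the current 60-second code (so a keylogged code replayed a few minutes later is rejected), and an IP filter that accepts either one static address or an ISP’s address range. The HMAC-based code construction, the 60-second interval and the one-step clock-skew window are assumptions chosen for illustration.

```python
import hmac
import hashlib
import ipaddress

# Assumed token interval: a new six-digit number every 60 seconds.
STEP_SECONDS = 60


def token_code(secret: bytes, now: float) -> str:
    """Six-digit number for the 60-second time step containing `now`.

    Simplified illustration of a time-synchronized token: the bank and the
    token share `secret`, so both can compute the number for the current step.
    """
    step = int(now // STEP_SECONDS)
    digest = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_token(secret: bytes, code: str, now: float, skew_steps: int = 1) -> bool:
    """Bank-side check: accept the current step plus one step either side
    to tolerate clock drift. Anything older is stale and rejected."""
    return any(
        hmac.compare_digest(token_code(secret, now + d * STEP_SECONDS), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def captured_code_still_works(secret: bytes, captured_at: float, replayed_at: float) -> bool:
    """Models the article's point: a number captured by a keylogger at
    `captured_at` is only useful if presented before the window moves on."""
    return verify_token(secret, token_code(secret, captured_at), replayed_at)


def ip_allowed(client_ip: str, allowed) -> bool:
    """IP filter: `allowed` holds a static address ("203.0.113.27") and/or an
    ISP range in CIDR form ("203.0.113.0/24"); a bare address becomes a /32."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed)


if __name__ == "__main__":
    # Constructed sample values: a shared secret and documentation-range addresses.
    secret = b"constructed-shared-secret"
    t0 = 1_000_000.0
    print("same minute:", captured_code_still_works(secret, t0, t0 + 10))    # True
    print("3 min later:", captured_code_still_works(secret, t0, t0 + 200))   # False
    print("in ISP range:", ip_allowed("203.0.113.27", ["203.0.113.0/24"]))  # True
    print("elsewhere:", ip_allowed("198.51.100.5", ["203.0.113.27"]))        # False
```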
Banks and financial institutions should provide up-to-date protections, including the tools listed above, to help business customers minimize the threat of ACH fraud. According to an FBI report, approximately $100 million in attempted losses due to ACH fraud had occurred as of October 2009, an amount that has no doubt since increased. Documents compiled by the National Automated Clearing House Association also show that 19.4 billion ACH transactions occurred in 2010 with a value of nearly $32 trillion, a growing temptation to hackers hoping to exploit weaknesses in online accounts and transactions.
While individuals and businesses need to take responsibility for maintaining appropriate antivirus software to block online threats to system security, banks and financial institutions that fail to use available protocols and software tools to minimize customer losses bear significant responsibility when losses occur due to Internet-based fraud schemes.