ACH Payments - Banking Fraud
The trillions of dollars moving through the ACH banking channel is attracting the attention of fraudsters. Learn how cyber criminals insert new ACH batches and modify existing files to complete fraudulent payments.

Also, learn how financial institutions can use originator and recipient behavior to quickly detect fraudulent ACH payments without tedious, manual reviews of long ACH reports.

Published in: Economy & Finance, Technology

  • Rich history, proven, broad experience. Six years. In contrast to all the people flocking to meet guidance, rushing products out the door, we've been here all along (FFIEC validation, but it's really about our dominance and proven technology). Deep expertise: only solution built from the ground up using behavioral analytics; providing behavior-based fraud prevention. Most experience: pioneer in anomaly detection and behavioral analytics; proven at nearly 100 institutions; focused exclusively on fraud prevention.
  • In terms of the fraud lifecycle, we can break things down into five main functions:
      1. Steal the credentials
      2. Access the platform
      3. Stage the fraud
      4. Execute the transfer
      5. Validate the transaction
    Within these five functions there are various techniques fraudsters use, both human and automated. It is important to note that, while there is definitely a trend toward automation, there can still be a fair amount of manual involvement on the fraudster's part, especially within commercial accounts, where there can be a good deal of complexity in setting up and executing transactions. Staying current with all of the malware out there and what it can do is a difficult task. We have put together a handout for you describing some well-known malware families and what each is capable of, along with some indicators of compromise. I hope you find it useful!
    Manual:
      • modification of ACH batch files
      • modification of ACH/Wire templates
      • bill pay modifications
      • mobile?
    Semi-Manual:
      • Leprechaun - concurrent login
      • RDP backconnect
      • passive template modifications (initiated by legitimate user) (Slide 11)
      • passive ATS (transaction poisoning)
    Automated (Slide 8):
      • active ATS (user logs in...)
      • server side
      • targets wires, commercial clients primarily
      • defeats MFA, by social engineering user
      • move toward int'l wires
      • rotating money mules (dynamic business mule network)
  • Progressive levels of sophistication in how criminals tamper with ACH files. Each level makes it harder for a financial institution to detect, and requires more resources as payment volumes grow.
  • Position depth of experience
  • Transcript

    • 1. Using Anomaly Detection to Prevent ACH Payments Fraud
        Tiffany Riley – Vice President, Marketing
        Eric LaBadie – Vice President, Sales and Customer Success
    • 2. Guardian Analytics: The Leader in Fraud Prevention
        • “Minimum expectations for layered security include the ability to detect and respond to anomalous activity”
        • “FraudMAP allowed us to shift from being reactive to proactive giving us confidence to expand our online and mobile offerings”
        • “Guardian Analytics…has a proven and effective fraud detection risk-scoring engine.”
    • 3. Criminals Turning Focus to ACH “It seems that from some of the data, the criminals are shifting from wires in many respects to ACH to exfiltrate funds” – Bill Nelson, FS-ISAC (July 2012)
    • 4. Two Recent Examples
        “In the second week of July, I spoke with three different small companies that had just been hit by cyberheists.” - Brian Krebs, Krebs on Security (Aug 12)
        Example 1:
          • Business: Georgia fuel supplier
          • Bank: $123M community bank
          • Story: Criminals attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.
        Example 2:
          • Business: Tennessee contracting firm
          • Bank: $270M community bank
          • Story: Trojan stole the controller’s login info and one-time password and redirected the user to a “site down” webpage. Meanwhile, the attackers used that browser session to put through a batch of fraudulent payroll payments for $328,000 to at least 50 “money mules.”
    • 5. Criminals Better At Defeating Authentication
        [Diagram: fraud lifecycle stages (Steal Credentials, Access Online Banking, Set Up Fraud, Transfer Money, Validate Transactions), with human and automated techniques shown under the stages. Techniques named: fraudster machine, proxy/RDP through victim machine, spear phishing, change personal info, vishing, Leprechaun, call/phone forwarding, twishing, phishing, Zeus, SpyEye, Ice IX, Gameover, Citadel, Shylock, Zitmo, Spitmo, “Operation High Roller” attacks. Channels: ACH, Wire, Bill Pay, Check Fraud…]
    • 6. Customers and Profits Are At Risk
        [Diagram labels: Criminals; Business; Fraudster takes over corporate account; Progressive levels of fraud infiltration; Effort to find fraud with traditional rules-based monitoring and reports; Increasing effectiveness at defeating caps, rules, limits]
        1. FRAUDULENT FILE
          • Fraudster submits a new completely fraudulent ACH batch file
          • May or may not exceed caps/limits
        2. ROGUE RECIPIENTS
          • Existing batch file
          • New fraudulent payments
          • Changes volume of transactions and batch amount
          • May or may not exceed caps/limits
        3. BALANCED BATCHES
          • Existing batch file
          • Criminal adds new credit transactions
          • Criminal balances file amount by adding debits
          • Likely not to exceed caps/limits or violate rules
        4. TAMPERED TRANSACTIONS
          • Existing batch file
          • Edits portions of transactions only (account number, routing number)
          • Transactions and amount typically the same
          • Likely not to exceed caps/limits or violate rules
        Callout: In 73% of corporate account takeovers, money was successfully transferred.
    • 7. Customers and Profits Are At Risk
        [Repeats the slide 6 diagram and its four levels (Fraudulent File, Rogue Recipients, Balanced Batches, Tampered Transactions), with these callouts:]
          • Lose confidence after 1 fraud attack
          • Took their business elsewhere following a fraud attack.
          • In 73% of corporate account takeovers, money was successfully transferred.
          • Banks sharing losses with their customers
    • 8. Courts Favoring Businesses
        • Comerica – Experi Metal – Bank Did Not Act in Good Faith
        • Ocean Bank – Patco – Bank Did Not Have Reasonable Security
        • Bancorp South – Choice Escrow – Contract Not Valid
        • “Long story short, the court ruled that UCC 4A pre-empted the indemnification clauses being used by the bank in their counterclaim,”
        • The ruling suggests that a bank’s contract with a customer that contradicts the spirit of the UCC could be nullified by the courts when legal disputes over fraud arise.
    • 9. Investments in Addressing This Problem
        • “Behavioral analytics is a big area of spending we’re seeing, both to ward off the threats as well as to comply with the FFIEC (Federal Financial Institutions Examination Council) guidance.” - Julie McNelley, Aite Group
        • 58% of FIs implemented anomaly detection and cited it as effective in reducing Account Takeover Fraud. (FS-ISAC ABA 201 Account Takeover Survey)
    • 10. FFIEC Guidance, RMAG Sound Business Practices
    • 11. Behavior-based Fraud Prevention Solutions
        [Diagram labels: Retail; Business; Dynamic Account Modeling™]
        Proven approach
          • Individual behavioral analytics
          • Maximum detection, minimum alerts
        Most complete protection
          • Instant, 100% coverage, no adoption issues
          • Stops widest array of fraud attacks
          • Not threat specific
        Easy to deploy and manage
          • SaaS offering
          • Fast time to security with no customer impact
          • No IT maintenance
          • No rules to write/maintain
    • 12. Introducing FraudMAP ACH
        [Diagram labels: FraudMAP® ACH RiskApplication; FraudMAP® ACH RiskEngine]
        Best protection against sophisticated criminal attacks
          • Automatically analyzes ACH origination files for suspicious activity
          • Dynamic Account Modeling™ determines risk based on individual originator behavior
        Eliminate manual file review and streamline investigation
          • Prioritize highest risk batches and transactions
          • Risk reasons inform investigations
          • Rich behavioral history provides context
        Fast time to security, low ongoing maintenance
          • Rapid implementation
          • No rules required
    • 13. Behavior-Based Anomaly Detection for ACH Files
        Fields analyzed by the FraudMAP® RiskEngine, by level:
          • File: Customer Account, File date, File time, File ID modifier, …
          • Batch: Company Name, Effective Entry Date, Batch/credit amount, Standard Entry Class Code, …
          • Transaction: Transaction Code, Amount, Destination Account, Receiver name, …
        Questions the engine asks:
          • Are the customer’s ACH actions normal? For this time in history? (occurrence, frequency, sequence, timing, type, amounts, number)
          • Are the transactions typical? Given past relationship between customer/receiver? (type, amount)
          • Are the transactions being made to a risky receiver? (confirmed/suspected mule)
    • 14. FraudMAP ACH DEMO
    • 15. FraudMAP ACH Customer Story
        • “The customer e-mails us to tell us the total amount of the batch, but with hundreds of transactions in one batched file, Burris says it’s impossible to catch everything with a manual review.”
        • “With FraudMAP, the review of ACH files will be completely automated, detecting if any payees, for instance, have been changed or if line-item amounts in the batch are atypical.”
        • “We know the threats aren’t going away, and there is only so much you can do to educate your customers.”
        • “And even if we covered a loss, we could run the risk of losing the client. We have not had any account takeovers in the past, but we consider ourselves lucky. Many banks and credit unions our size have been hit.”
    • 16. For More Information
        • info@guardiananalytics.com - Monthly Fraud Factor and ongoing Fraud Informers
        • www.guardiananalytics.com - Copy of the Business Banking Trust Study or the Operation High Roller Report
        • elabadie@guardiananalytics.com
        • triley@guardiananalytics.com
    • 17. Thank You
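
The four tampering levels on slide 6 and the originator/receiver questions on slide 13 can be illustrated with a small behavior-based check. This is an added example, not code from the presentation or from FraudMAP; the record fields, the finding names and the `amount_factor` threshold are assumptions, and entries are simplified dictionaries rather than parsed NACHA records.

```python
from collections import defaultdict

DEBIT_CODES = {"27", "37"}  # NACHA checking/savings debits; 22/32 are credits

def build_profile(history):
    """Summarise one originator's past batches (lists of entry dicts)."""
    accounts = defaultdict(set)     # receiver name -> {(routing, account)}
    max_amount = defaultdict(int)   # receiver name -> largest amount (cents)
    sent_debits = False
    for batch in history:
        for e in batch:
            accounts[e["name"]].add((e["routing"], e["account"]))
            max_amount[e["name"]] = max(max_amount[e["name"]], e["amount"])
            sent_debits |= e["code"] in DEBIT_CODES
    return {"accounts": accounts, "max_amount": max_amount,
            "sent_debits": sent_debits}

def review_batch(profile, batch, amount_factor=2):
    """Return (reason, receiver name) findings for one incoming batch."""
    findings = []
    for e in batch:
        known = profile["accounts"].get(e["name"])
        if e["code"] in DEBIT_CODES and not profile["sent_debits"]:
            findings.append(("unexpected_debit", e["name"]))   # level 3
        elif known is None:
            findings.append(("new_receiver", e["name"]))       # level 2
        elif (e["routing"], e["account"]) not in known:
            findings.append(("changed_account", e["name"]))    # level 4
        elif e["amount"] > amount_factor * profile["max_amount"][e["name"]]:
            findings.append(("atypical_amount", e["name"]))
    new = sum(1 for reason, _ in findings if reason == "new_receiver")
    if batch and new == len(batch):
        findings.append(("entirely_new_file", None))           # level 1
    return findings

def entry(name, routing, account, amount, code="22"):
    return {"name": name, "routing": routing, "account": account,
            "amount": amount, "code": code}

# Constructed sample data: a recurring payroll batch and a tampered copy whose
# net total still matches the usual payroll amount.
PAYROLL = [entry("A. Lee", "000000001", "1001", 250000),
           entry("B. Cruz", "000000001", "1002", 310000)]
HISTORY = [PAYROLL, PAYROLL]
INCOMING = [entry("A. Lee", "000000001", "1001", 250000),
            entry("B. Cruz", "000000002", "9999", 310000),   # account edited
            entry("C. Mule", "000000002", "8888", 90000),    # added credit
            entry("Offset", "000000001", "1001", 90000, code="27")]

if __name__ == "__main__":
    print(review_batch(build_profile(HISTORY), INCOMING))
```

Each finding carries a reason, in the spirit of the "risk reasons" on slide 12, so a reviewer sees why an entry was flagged even when the batch total and caps look normal.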