The trillions of dollars moving through the ACH banking channel are attracting the attention of fraudsters. Learn how cyber criminals insert new ACH batches and modify existing files to complete fraudulent payments.
Also, learn how financial institutions can use originator and recipient behavior to quickly detect fraudulent ACH payments without tedious, manual reviews of long ACH reports.
ACH Payments - Banking Fraud
1. Using Anomaly Detection to Prevent ACH Payments Fraud
Tiffany Riley – Vice President, Marketing
Eric LaBadie – Vice President Sales and Customer Success
2. Guardian Analytics: The Leader in Fraud Prevention
“Minimum expectations for layered security include the ability to detect and respond to anomalous activity”
“FraudMAP allowed us to shift from being reactive to proactive giving us confidence to expand our online and mobile offerings”
"Guardian Analytics…has a proven and effective fraud detection risk-scoring engine."
3. Criminals Turning Focus to ACH
“It seems that from some of the data,
the criminals are shifting from wires in
many respects to ACH to exfiltrate
funds”
– Bill Nelson, FS-ISAC (July 2012)
4. Two Recent Examples
“In the second week of July, I spoke with three different small companies that
had just been hit by cyberheists.” - Brian Krebs, Krebs on Security (Aug 12)
Example 1:
Business: Georgia fuel supplier
Bank: $123M Community bank
Story: Criminals attempted to transfer $1.67 million out of the company’s
accounts. When that failed, they put through a fraudulent payroll batch
totaling $317,000, which the victim’s bank allowed.
Example 2:
Business: Tennessee contracting firm
Bank: $270M community bank
Story: Trojan stole controller’s login info and one-time password and redirected
user to “site down” webpage. Meanwhile, the attackers used that browser
session to put through a batch of fraudulent payroll payments for $328,000 to
at least 50 “money mules.”
5. Criminals Better At Defeating Authentication
[Diagram: the fraud lifecycle, with human and automated techniques at each stage. Stages: Steal Credentials, Access Online Banking, Set Up Fraud, Transfer Money, Validate Transactions.]
Labels in the diagram:
• Human: spear phishing, vishing, twishing, phishing attacks
• Automated: Zeus, Zitmo, SpyEye, Ice IX, Spitmo, Gameover, Citadel, Shylock
• Fraudster machine; Proxy/RDP through victim machine; Leprechaun
• Change personal info; Call/phone forwarding
• ACH, Wire, Bill Pay, Check Fraud…
• “Operation High Roller”
6. Customers and Profits Are At Risk
[Diagram: after a fraudster takes over a corporate account, four progressive levels of fraud infiltration. The effort to find fraud with traditional rules-based monitoring and reports grows with each level. Side labels: Criminals, Business.]
1 – FRAUDULENT FILE
• Fraudster submits a new, completely fraudulent ACH batch file
• May or may not exceed caps/limits
2 – ROGUE RECIPIENTS
• Existing batch file
• New fraudulent payments
• Changes volume of transactions and batch amount
• May or may not exceed caps/limits
3 – BALANCED BATCHES
• Existing batch file
• Criminal adds new credit transactions
• Criminal balances file amount by adding debits
• Likely not to exceed caps/limits or violate rules
4 – TAMPERED TRANSACTIONS
• Existing batch file
• Edits portions of transactions only (account number, routing number)
• Transactions and amount typically the same
• Likely not to exceed caps/limits or violate rules
Callouts:
• In 73% of corporate account takeovers, money was successfully transferred.
• Increasing effectiveness at defeating caps, rules, limits
7. Customers and Profits Are At Risk
[Diagram: the four levels from slide 6 (Fraudulent File, Rogue Recipients, Balanced Batches, Tampered Transactions), repeated with additional callouts.]
Callouts:
• In 73% of corporate account takeovers, money was successfully transferred.
• Lose confidence after 1 fraud attack
• Took their business elsewhere following a fraud attack.
• Banks sharing losses with their customers
8. Courts Favoring Businesses
Comerica – Experi-Metal – Bank Did Not Act in Good Faith
Ocean Bank – Patco – Bank Did Not Have Reasonable Security
BancorpSouth – Choice Escrow – Contract Not Valid
• "Long story short, the court ruled that UCC 4A pre-empted the
indemnification clauses being used by the bank in their
counterclaim."
• The ruling suggests that a bank's contract with a customer that
contradicts the spirit of the UCC could be nullified by the courts
when legal disputes over fraud arise.
9. Investments in Addressing This Problem
“Behavioral analytics is a big area of spending we're
seeing, both to ward off the threats as well as to
comply with the FFIEC (Federal Financial Institutions
Examination Council) guidance.”
Julie McNelley, Aite Group
58% of FIs implemented anomaly detection and
cited it as effective in reducing Account Takeover
Fraud.
FS-ISAC ABA 201 Account Takeover Survey
11. Behavior-based Fraud Prevention Solutions
Proven Approach
• Individual behavioral analytics
• Maximum detection, minimum alerts
Most complete protection
• Instant, 100% coverage, no adoption issues
• Stops widest array of fraud attacks
• Not threat specific
Easy to deploy and manage
• SaaS Offering
• Fast time to security with no customer impact
• No IT maintenance
• No rules to write/maintain
[Diagram labels: Retail, Business, Dynamic Account Modeling™]
12. Introducing FraudMAP ACH
Best protection against sophisticated criminal attacks
• Automatically analyzes ACH origination files for suspicious activity
• Dynamic Account Modeling™ determines risk based on individual originator behavior
Eliminate manual file review and streamline investigation
• Prioritize highest risk batches and transactions
• Risk reasons inform investigations
• Rich behavioral history provides context
Fast time to security, low ongoing maintenance
• Rapid implementation
• No rules required
[Diagram labels: FRAUDMAP® ACH RISKAPPLICATION, FRAUDMAP® ACH RISKENGINE]
13. Behavior-Based Anomaly Detection for ACH Files
[Diagram: fields from each level of the ACH file feed the FRAUDMAP® RISKENGINE.]
File
• Customer Account
• File date
• File time
• File ID modifier
• …
Batch
• Company Name
• Effective Entry Date
• Batch/credit amount
• Standard Entry Class Code
• …
Transaction
• Transaction Code
• Amount
• Destination Account
• Receiver name
• …
FRAUDMAP® RISKENGINE
• Are the customer’s ACH actions normal? For this time in history? (occurrence, frequency, sequence, timing, type, amounts, number)
• Are the transactions typical? Given past relationship between customer/receiver? (type, amount)
• Are the transactions being made to a risky receiver? (confirmed/suspected mule)
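The balanced-batch and tampered-transaction levels from slide 6, checked against per-originator history built from the transaction fields on slide 13, as an added example (not Guardian Analytics' code and not a description of how FraudMAP works internally). The profile structure, the 2x amount threshold, the cap and every sample entry are assumptions constructed for illustration; both tampered batches pass the cap check but are flagged by the behavioral check.

```python
from collections import namedtuple
Entry = namedtuple("Entry", "code name routing account cents")  # one ACH entry
DEBIT_CODES = {"27", "37"}  # checking/savings debits; "22"/"32" are the credits

def build_profile(past_batches):
    """Learn one originator's behavior: known receivers, destinations, amounts."""
    profile = {"payees": {}, "uses_debits": False}
    for batch in past_batches:
        for e in batch:
            if e.code in DEBIT_CODES:
                profile["uses_debits"] = True
            p = profile["payees"].setdefault(e.name, {"dest": set(), "max": 0})
            p["dest"].add((e.routing, e.account))
            p["max"] = max(p["max"], e.cents)
    return profile

def net_total(batch):
    """The figure a cap/limit rule checks: credits minus debits, in cents."""
    return sum(-e.cents if e.code in DEBIT_CODES else e.cents for e in batch)

def risk_reasons(profile, batch):
    """Return (receiver, reason) pairs for entries that deviate from the profile."""
    reasons = []
    for e in batch:
        known = profile["payees"].get(e.name)
        if e.code in DEBIT_CODES and not profile["uses_debits"]:
            reasons.append((e.name, "debit from credit-only originator"))
        elif known is None:
            reasons.append((e.name, "new receiver"))
        elif (e.routing, e.account) not in known["dest"]:
            reasons.append((e.name, "destination changed"))
        elif e.cents > 2 * known["max"]:  # assumed threshold for "atypical"
            reasons.append((e.name, "atypical amount"))
    return reasons

# Constructed sample data (routing/account numbers are placeholders, not real).
PAYROLL = [Entry("22", "A LEE", "999900001", "1001", 210000),
           Entry("22", "B CRUZ", "999900001", "1002", 195000),
           Entry("22", "C OKAFOR", "999900001", "1003", 240000)]
PROFILE = build_profile([PAYROLL, PAYROLL])
CAP = 700000  # hypothetical per-batch limit, in cents
# Balanced batch: two added credits offset by one added debit, net unchanged.
BALANCED = PAYROLL + [Entry("22", "MULE ONE", "999900002", "9001", 450000),
                      Entry("22", "MULE TWO", "999900002", "9002", 450000),
                      Entry("27", "OFFSET", "999900001", "1000", 900000)]
# Tampered transaction: same names and amounts, one account number edited.
TAMPERED = PAYROLL[:2] + [PAYROLL[2]._replace(account="9003")]
for label, batch in (("balanced", BALANCED), ("tampered", TAMPERED)):
    print(label, "within cap:", net_total(batch) <= CAP, risk_reasons(PROFILE, batch))
```

The reasons returned per entry play the role of the "risk reasons" an investigator would use to prioritize a batch instead of reading the whole file.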
15. FraudMAP ACH Customer Story
"The customer e-mails us to tell us the total amount of the batch, but with
hundreds of transactions in one batched file, Burris says it's impossible to catch
everything with a manual review.”
“With FraudMAP, the review of ACH files will be completely automated,
detecting if any payees, for instance, have been changed or if line-item amounts
in the batch are atypical.”
"We know the threats aren't going away, and there is only so much you can do to
educate your customers."
“And even if we covered a loss, we could run the risk of losing the client. We have
not had any account takeovers in the past, but we consider ourselves lucky.
Many banks and credit unions our size have been hit."
16. For More Information
info@guardiananalytics.com - Monthly Fraud Factor and
ongoing Fraud Informers
www.guardiananalytics.com - Copy of the Business Banking
Trust Study or the Operation High Roller Report
elabadie@guardiananalytics.com
triley@guardiananalytics.com
Rich history, proven, broad experience
Six years
In contrast to all people flocking to meet guidance, rushing products out the door. We’ve been here all along (FFIEC validation, but it’s really about our dominance and proven technology)
Deep expertise
Only solution built from ground up using behavioral analytics
Providing behavior based fraud prevention
Most experience
Pioneer in anomaly detection and behavioral analytics
Proven at nearly 100 institutions
Focused exclusively on fraud prevention
In terms of the fraud lifecycle, we can break things down into five main functions:
• Steal the credentials
• Access the platform
• Stage the fraud
• Execute the transfer
• Validate the transaction
Within these five functions there are various techniques fraudsters use, both human and automated.
Important to note that while there is definitely a trend toward automation, there can still be a fair amount of manual involvement on the fraudster’s part, especially within commercial accounts, where there can be a good deal of complexity in setting up and executing transactions.
Staying current with all of the malware out there and what it can do is a difficult task. We have put together a handout for you describing some well-known malware families and what each is capable of, along with some indicators of compromise. I hope you find it useful!
Manual
• modification of ACH batch files
• modification of ACH/Wire templates
• bill pay modifications
• mobile?
Semi-Manual
• Leprechaun - concurrent login
• RDP backconnect
• passive template modifications (initiated by legitimate user) (Slide 11)
• passive ATS (transaction poisoning)
Automated (Slide 8)
• active ATS (user logs in...)
• server side
• targets wires, commercial clients primarily
• defeats MFA, by social engineering user
• move toward int'l wires
• rotating money mules (dynamic business mule network)
Progressive levels of sophistication in how criminals tamper with ACH files. Each level makes it harder and harder for a financial institution to detect: harder, and requiring more resources as payment volumes grow.