Hackers and ACH Fraud

Written by: Dave Nelson
August 25, 2015

Every once in a while it’s good to review some information security basics. That’s why today we’re going to discuss how to prevent hackers from using ACH fraud to drain your accounts. Over the past few years, Automated Clearing House (ACH) transactions have become standard payment methods for things like payroll, accounts receivable, accounts payable, charitable donations and most other transfers to and from an organizations bank account. Because of this, risk of fraudulent transactions has grown significantly.

Because these transactions are partially automated, the risk of losing funds is significant. If you discover fraudulent ACH transactions you may only have 24-48 hours to attempt to reverse the transaction and recover the funds. Different procedures at different banks can make this window shorter, but rarely is it much longer. Once those funds are gone, they are gone. It is then up to you, your bank and both of your insurance companies to determine liability and if the loss is covered by insurance. In the meantime though, that money is gone and you have to operate your business without it.

It should be noted that the overall amount of ACH fraud is a fairly small percentage of the total fraudulent transactions in the payment system environment. Credit or debit card fraud far outpaces it in terms of total losses. However, the single loss expectancy of a fraudulent ACH transaction is much higher as most credit cards have predetermined spending limits, which are much lower than typical ACH transactions.

One of the easiest ways to prevent unauthorized ACH transactions is to use two factor authentication to initiate transfers. This means, something you know -- like a password, and something you have -- like a one-time token generator, are both required before a transaction can be approved. This helps ensure that the person initiating the transaction is truly authorized and not an imposter.

Strong procedures around push transactions, such as individual transaction limits or limits on total transaction amounts or volumes per day or week, can help thwart attacks as well. While it may not eliminate a hacker from getting funds, it may limit the amount stolen and therefore the overall impact.

Another method is to work with your bank to implement strict IP address restrictions, such as limiting the ability to create new users or initiate transactions based on a pre-approved location. This would force the hacker to impersonate someone on your network, which increases the complexity of the attack and improves your chances of detecting the malicious activity through your information security.

It is also important to tightly control the creation of new users in your ACH system. Two levels of approval should always be required to ensure that one compromised account can’t be used to create another account. If this is not prevented, those two accounts could be used to provide the dual control authorizations for large transfers.

Hackers are getting more creative. Social engineering attacks are being made against accounting departments in order to gain access to ACH environments. You must train your users on how to identify phishing and pre-texting attacks by hackers. As we transition to even more automated and real-time payment systems, the risk for fraud will continue to increase. We have to ensure the same diligence we’ve put into ACH fraud prevention and detection will be implemented in these new payment systems as well.