The Town of Poughkeepsie, NY was in the news this past week because the municipality’s bank account was targeted by international computer thieves. This is a prime example of the warning issued by the FS-ISAC last August, which I discussed here. In light of the incident that cost Poughkeepsie’s government nearly US$300,000, I thought it would be prudent to revisit automated clearinghouse (ACH) wire fraud.
As I mentioned when the FS-ISAC warning was issued, wire fraud attacks are especially damaging to businesses because the current rules only allow transactions to be cancelled if they are caught within two days, whereas individuals have 60 days for review. In the case of Poughkeepsie’s breach, the town was not notified about suspicious transfers for three weeks, well beyond their two-day window. Understandably, the town was upset to learn that there were no controls in place at their bank to prevent or flag transfers sent to Eastern Europe.
However, it is not clear to what extent the town bears responsibility. Naturally, the two-day window is an established control for the town’s protection, but keeping a daily vigil on bank transactions can quickly become unmanageable. To some extent, businesses should inquire with financial institutions about the methods that they offer to their customers, such as ACH Positive Pay. With a positive pay system, all transactions must be positively approved by a designated customer employee. Many banks allow customers to design rules that automatically approve positive pay transactions with certain criteria, resulting in a whitelist of approved transaction types that would reduce the business’s workload over time.
But customers should also consider that controls offered by financial institutions may only be the beginning of what is necessary. Security research organization SecureWorks recently reported that a new variation of the Bredolab trojan, dubbed Bugat, has been discovered in the wild. Bugat is designed to make fraudulent ACH transactions. Trojans Zeus and Clampi have operated prolifically in this space for some time, and there are many other banking malware variants. Not only should controls be in place at the bank, but anti-virus software and good business security controls should be in place within the organizations.
Many times, banking trojans infect systems at small businesses and capture credentials to initiate transactions. These transactions would appear to the bank as being authorized for all intents and purposes. For this reason, it cannot be left up to just one side of this relationship to bear the entire burden of establishing controls. Small businesses can protect themselves effectively if they work in cooperation with their financial organizations and third-parties such as contractors, industry organizations, and similar resources. Clearly, electronic financial transaction systems are being targeted; organizations must make efforts to reduce the effectiveness of attacks and make these types of attacks less appealing.