How to Combat Fraud in the Banking Payment System Kim A. Bruck, AAP, VP Risk Management, PaymentsNation kim.bruck@paymentsnation.com 602-443-2960 phone - PowerPoint PPT Presentation

1
How to Combat Fraud in the Banking Payment System
Kim A. Bruck, AAP, VP Risk Management, PaymentsNation
kim.bruck@paymentsnation.com
602-443-2960 phone
2
Disclaimer
  • This course provides a basic overview of
    fraud/risk management scenarios that may take
    place in the various payment systems. Handout
    material and seminar discussion are not intended
    to be used as legal advice. Conditions of use
    are within the control of individual users.
    There is no warranty, expressed or implied, in
    connection with making this handout available.

3
AFP Study on Payments Fraud
  • 72 percent of organizations surveyed by the AFP
    experienced attempted or actual payments fraud in
    2006, up from 68 percent in 2005.
  • According to the AFP, cheques continue to be the
    focus of criminal attacks, as 93 percent of
    organizations that experienced payments fraud in
    2006 were victims of attempted cheque fraud.
  • Other payment methods targeted for fraud include
    ACH (Automated Clearing House) transfers,
    consumer credit cards and corporate cards.

4
AFP Study on Payments Fraud
  • The AFP says that 35 percent of organizations
    said they had experienced attempted or actual ACH
    fraud in 2006, with 17 percent reporting that
    they had suffered fraud involving consumer credit
    cards and 14 percent experiencing corporate card
    fraud.
  • In many cases, fraud is perpetrated internally,
    according to the AFP
  • Employees were responsible in about half of the
    cases involving fraud associated with the use of
    organizations' corporate cards last year, it
    says.
  • In addition, internal fraud appears to be an
    important factor in cheque and ACH fraud, the AFP
    report warns.

5
Who are the Criminals?
  • FI Corporate Insiders
  • Independent Operators
  • Organized Crime
  • Use of Runners
  • Homeless
  • Students

Criminals are going to look for the path of least
resistance!
6
Are you at Risk for ID Theft?
  • I carry my Social Security Card in my wallet (10)
  • I use an unlocked, open box at work or at home to
    drop off my outgoing mail (10)
  • I do not cross-cut shred banking and credit
    information when I throw it in the trash (10)
  • I do not cross-cut shred pre-approved
    applications (10)
  • I do not cross-cut shred convenience checks (10)
  • I provide my SSN whenever asked, without asking
    questions as to how that information will be
    safeguarded (10)
  • If you provide your SSN orally without checking
    to see who might be listening (5)
  • I am required to use my SSN at work as an
    employee or student I.D. number (5)
  • I have my SSN or Driver's License number printed
    on my personal checks (20)
  • I carry my insurance card in my wallet and either
    my SSN or that of my spouse is the ID (20)
  • I have not ordered a copy of my credit reports
    for the past 2 years (10)
  • I do not believe that people would root around in
    my trash looking for credit or financial
    information (10)

7
Mitigating Risk in Payments Fraud
  • Know your employees
  • Use peer review
  • Audit regularly
  • Respect system security

8
Corporations are Responsible for Mitigating Risk
in Payments Fraud
  • Who in the organization should have
    responsibility for originating transactions or
    approving transactions
  • One user creates a transaction and another user
    approves it
  • There should be detailed reporting of all
    transactions originated in the system, with
    comprehensive audit trails to show every user who
    touched the transaction. Rich user entitlement
    and audit trails are going to help when it comes
    to Sarbanes-Oxley compliance
  • Sticky notes are a great invention but consider
    the risk if you use them to decorate your
    computer with passwords

9
In the News
  • Identity Theft: The 'Business Bust-Out'
  • A criminal rents space in the same building as
    your company
  • Applies for corporate credit cards using your
    firm's name
  • The application passes a credit check because the
    company name and address match, but the cards are
    delivered to the criminal's mailbox
  • He sells them on the street and vanishes before
    you discover your firm's credit is wrecked.
  • The so-called "business bust-out" scam is one way
    sophisticated criminals steal business identities
    across the country
  • Identity thieves increasingly target businesses
    instead of individuals, experts and law
    enforcement officials say, but federal law and
    many state statutes don't consider business
    identity theft a crime. That's because the raft
    of identity theft laws passed in the last decade
    apply mostly to individual consumers -- not
    business entities.
  • While business identity theft can often be
    prosecuted under other statutes, like mail fraud
    or wire fraud, businesses victimized lose many of
    the protections afforded to consumers under
    identity theft laws, like access to information
    about their credit

10
Combating ID Theft: A Corporate Perspective
  • Politicians, reacting to public outrage, have
    also framed ID theft as a consumer protection
    issue and are placing much of the responsibility
    on the shoulders of business
  • When someone steals sensitive consumer
    information from an organization, that person is
    actually robbing the organization of three
    valuable assets: business information, brand
    value and self-determination for IT investments.

11
Corporate Fraud
  • According to the Association of Certified Fraud
    Examiners, the typical U.S. organization loses 6%
    of annual revenue to fraud
  • That's $660 billion in yearly losses nationwide
  • May be higher, as many companies don't report
    fraud
  • Proper procedures and tools, however, can help
    prevent many workplace crimes
  • Businesses unable or unwilling to identify and
    control such problems do so at their own risk

12
Human Resources
  • Hiring Policy/Background Check/Screening
  • Verification of SS for employers, more info at
    www.ssa.gov/employer/ssnv/htm
  • Screen cleaning service and temporary firms you use
  • Enforce vacation policies
  • Keep personal information of employees/customers
    in locked files

13
Internal Policies and Procedures
  • Ethics policies should clearly detail what you
    consider to be illegal, improper and fraudulent
    behavior
  • New employees should receive and sign statements
    that delineate what they can and can't do
  • Educate existing and new employees, including
    executives, about the use of such policies and
    the penalties for defying them, and update such
    training annually

14
Separate Duties
  • It's critical to separate financial tasks among
    several employees
  • Budgetary cutbacks and downsizing, however, often
    result in the same person handling multiple
    procedures such as taking orders, readying
    invoices and documenting transactions
  • Compounding such an invitation to fraud is when
    those same employees, fearing that other employees
    might discover their deeds, work unusually late
    and on weekends
  • Requiring all employees to take vacations often
    uncovers fraud that your best employees
    perpetrate

15
Fraud Hotline
  • Independence
  • Operations should be independent from corporate
    management
  • Privacy
  • Consult with legal counsel on privacy protections
  • Tracking
  • Assign a secure tracking system
  • Investigations and Reporting
  • Decisions to investigate should be made on a
    case-by-case basis

16
Blow the Whistle
  • Because whistle blowers expose a large percentage
    of frauds, 24-hour tip lines encourage employees
    to report potential offenses that security
    professionals can investigate.
  • Publicize the confidentiality and anonymity of
    fraud prevention hotlines, which are most
    effective and secure when outside subscription
    services run them.
  • Keeping employees abreast of such reporting
    mechanisms demonstrates your intolerance for
    fraud and limits would-be corporate villains'
    opportunities.

17
Online Attacks Common for Business According to
FBI Survey
  • Attacks cost companies an average $24,000
  • Nearly nine out of 10 U.S. businesses suffered
    from a computer virus, spyware or other online
    attack in 2005 despite widespread use of security
    software
  • Some 44% of attacks came from within the
    organization, the survey found
  • Of those coming from outside, nearly a quarter
    could be traced to China

18
Data Breaches
  • Via hacking, stealing actual computers and hard
    drives, stealing laptops or skimming devices
  • More and more thieves are sitting on data hoping
    to use it later
  • Who?
  • Universities, Government Agencies, Public
    Companies, Nonprofits, Financial Institutions,
    Call Centers out of the Country (India)

19
Data Security Preventive Tips
  • Implement data and security programs to safeguard
    consumer records
  • Example: Encryption
  • Notify authorities when a security breach occurs
    and make public notification if there is a likely
    chance that the stolen data has been or will be
    misused

20
Encryption
  • Encryption is the best and only true way to
    protect sensitive information such as consumer
    data from unauthorized access
  • Particularly powerful method for securing data at
    the perimeter of the corporate network, where it
    often leaves the office on laptops, PDAs and
    removable storage devices.
  • Any organization that uses encryption to secure
    data will have a ready response for authorities
    and the public in the event of a security breach
  • One of the most comprehensive and cost-effective
    methods for managing compliance with data
    security regulations.

21
Protecting the Corporate Data
  • Protecting private information looms large as a
    crucial corporate challenge.
  • Is your company vulnerable to loss or theft of
    critical and private information?
  • Is your private customer data safe and secure?
  • Web security is essential to protect a company's
    own private information and must protect
    confidential information about its customers.
  • Preventing Fraud: Guarding electronic information
    is more difficult.
  • It's challenging to maintain security and keep up
    with technological innovations
  • New Technology devices being used for illegal
    purposes
  • Keystroke Logger

22
Protecting the Corporate Data
  • Measures that can be taken to control data stored
    on electronic media
  • Sensitive data files to portable disk and back up
    with another disk
  • Store backup files offsite
  • Sensitive magnetic media
  • Password protection
  • Consistent backup protection
  • Training and Monitoring
  • Confidential or personal information should never
    be sent in e-mail messages, since it is not a
    secure method of transmitting data

23
Your Information on the Internet
  • Public records such as divorce documents, real
    estate records and more
  • State of Arizona new law 1/1/07: shall no longer
    contain more than 5 numbers of SSN and shall not
    contain an individual's:
  • Credit, Debit or Charge Card Numbers
  • Retirement Account Numbers
  • Savings, Checking or Securities Entitlement
    Account Numbers

24
The Convenience of Wireless
25
(No Transcript)
26
Check Fraud
27
Your Account Number
  • So how did they get my account number?
  • You wrote them a check
  • They stole your statement via mail
  • You received a check and deposited the check
  • For Deposit Only and Your Acct
  • Access your account online
  • Check images with your account number and
    signature
  • ImageMask product from 41st Parameter
    www.the41.com
  • Blurs sensitive data in scanned documents that
    are accessed online

28
In the News
  • The FDIC has been receiving an increasing number
    of reports from financial institutions,
    businesses and consumers that counterfeit
    business checks are in circulation.
  • Scams that make use of counterfeit business
    checks typically involve bogus lotteries,
    sweepstakes or contests, and overpayment for
    merchandise purchased often over the Internet
  • In recent examples, counterfeit business checks
    have displayed the names of well-known and
    recognizable businesses

29
In the News: Giving the Bounce to Counterfeit
Check Scams
  • It's your lucky day! You just won a foreign
    lottery! The letter says so. And the cashier's
    check to cover the taxes and fees is included.
    All you have to do to get your winnings is
    deposit the check and wire the money to the
    sender to pay the taxes and fees. You're
    guaranteed that when they get your payment,
    you'll get your prize.
  • http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre40.htm
    and http://www.ftc.gov/opa/2007/02/fyi0716.htm

30
In the News: Avoiding Cashier's Check Fraud
  • OCC Consumer Advisory on Avoiding Cashier's Check
    Fraud gives you information on some common scams
    and some steps you can take to avoid becoming a
    victim.
  • Although this advisory focuses on cashier's
    checks, you may find the information useful if
    you transact business using other official bank
    instruments, such as money orders and official
    checks.
  • http://www2.fdic.gov/idasp/main_bankfind.asp

31
Can a US Citizen play the lottery in another
country?
  • Federal Statute (Racketeering): Title 18 > Part I >
    Chapter 95 (Racketeering) > § 1953. Interstate
    transportation of wagering paraphernalia. Release
    date 2005-08-03. (a) Whoever, except a common
    carrier in the usual course of its business,
    knowingly carries or sends in interstate or
    foreign commerce any record, paraphernalia,
    ticket, certificate, bills, slip, token, paper,
    writing, or other device used, or to be used, or
    adapted, devised, or designed for use in (a)
    bookmaking; or (b) wagering pools with respect to
    a sporting event; or (c) in a numbers, policy,
    bolita, or similar game shall be fined under this
    title or imprisoned for not more than five years
    or both.

32
Check Washing
  • Would you hand a complete stranger a blank check?
    Of course not. But that's practically what
    happens to victims of check washing.
  • Americans lose as much as $800 million to this
    thieving scheme each year.
  • Each month, most of us send hundreds of dollars
    worth of checks in the mail. Nearly all of them
    make it to their destination. But if one of those
    checks got in the wrong hands, there's no telling
    how much money you could lose.
  • Through a crime called check washing, crooks wipe
    the ink off your check, and make it out to
    themselves.
  • But technology is making the life of a crook
    harder.
  • New pens and built-in check protection claim to
    make the scheme nearly impossible.

33
Check Security Measures
  • Watermarks
  • Most are subtle designs on front/back
  • Not easily visible, unless held up to light at 45
    degree angle
  • Protection from counterfeiting because copiers
    and scanners generally cannot accurately copy
    watermarks
  • Copy Void
  • When photocopied, the pattern changes and the
    word VOID appears, making the copy nonnegotiable
  • Chemical Void
  • When chemicals are applied, the treatment causes
    the word VOID to appear, making the item
    nonnegotiable
  • Checks treated cannot be altered without detection

Deter check fraud by making checks difficult to
copy, alter or counterfeit
34
Check Security Measures
  • High Resolution Micro-printing
  • When magnified, the line or pattern contains
    series of words that run together or become
    totally illegible if the check has been
    photocopied or scanned with a desktop scanner
  • Three Dimension
  • Metallic Stripe (similar to credit card)
  • Items are difficult to forge, scan or reproduce
    because they are produced by a sophisticated
    laser-based etching process
  • Security Inks
  • Reduce a forger's ability to modify printed
    dollar amount or alter the designated payee
  • When solvents are applied, a chemical reaction
    with the security ink distorts the appearance of
    the check
  • Very difficult to alter without detection

35
Check Security Measures
  • Optical Variable Ink (OVI)
  • Special ink containing small flakes of film that
    change color as it is being viewed from different
    angles
  • Not easily obtained, making it expensive and
    difficult to counterfeit
  • Used on US Currency
  • Thermo chromatic Ink
  • Heat sensitive and will fade and eventually
    disappear as the temperature increases; when the
    temperature decreases from the raised level, the
    ink will reappear
  • Check Fraud ID Theft Document for more info on
    check securities
  • www.abagnale.com

36
Image-Survivable Security Features
  • PaymentsNation registry for image-survivable
    security features
  • PaymentsNation will be the sole provider and
    operator of this industry-wide risk management
    tool designed to combat check fraud using
    image-survivable security features.
  • ISCF SIG Website
  • www.stopcheckfraud.org (members only)

37
Ten Tips: Preventing Corporate Fraud
  • Set an ethical tone that starts from the top
  • Establish regular fraud detection procedures
  • Have a hotline
  • www.fdic.gov/news/news/financial/2005/fil8005.html
     
  • Educate employees about fraud
  • Have Certified Fraud Examiner on Staff
  • Involve your suppliers in your fraud detection
    efforts
  • Take all tips seriously and investigate
  • Decide who will be notified about tips
  • Conduct background checks
  • Have oversight by member of senior management and
    the board

38
Uniform Commercial Code
  • Since the revision of the UCC, banks are no longer
    100% liable for check fraud incidents
  • UCC Section 3-406 introduced the term "ordinary
    care."
  • Under this section, the accountholder is
    restricted from seeking restitution if their
    failure to exercise ordinary care (e.g. in their
    internal processes and procedures) contributed to
    the forged or altered check.
  • In UCC sections 3-406B and 4-406E the concept of
    comparative negligence could place liability on
    the account holder, in many cases the company
    itself.
  • The liability is allocated according to the
    degree to which the bank and accountholder failed
    to provide ordinary care. This means that
    companies can be held accountable if their
    actions or inaction to prevent check fraud fail
    and result in a monetary loss to employees or the
    bank.

39
UCC Corporate Check Fraud
  • FIs are not usually liable unless they do
    something to be negligent
  • Check law training from PaymentsNation
  • Summary of UCC regarding check fraud
  • www.law.cornell.edu/ucc/
  • Search specific topic
  • White Paper Check Fraud, The UCC and YOU
  • http://www.acom.com/micr_lib/news001.htm
  • How is corporate check fraud committed so easily?
  • Once fraudsters acquire a good account they can
    create check fraud at will

40
Why is my company potentially liable for a fraud
incident?
  • Lack of security control for the storage of
    check stock
  • Lack of timely bank account reconciliation for
    payroll and accounts payable
  • Lack of secure control over storage and access to
    signature stamps or machines
  • Lack of signature verification on canceled
    checks during reconciliation process
  • Lack of timely reporting of potential check
    fraud occurrences to your FI
  • Lack of paper safety features in your check paper
    stock
  • Lack of procedures with your company that
    contribute to a forged signature or amt
    alteration
  • Lack of supplying current documentation to your
    FI on authorized signers

It is up to each company to prepare to defend
itself against the lack of ordinary care
procedures within their organization.
41
How can I best protect the interests of my
company against check fraud?
  • Unfortunately there is no guaranteed method
    available for protecting your company against
    check fraud, but the following suggestions are
    recommended to you as a starter
  • Contact your FI and ask for a written copy of their
    suggested procedures with regard to check fraud
    prevention, check stock considerations and check
    reconciliation processes that they expect you to
    follow.
  • Written procedures they follow to reduce check
    fraud (back office ordinary care activities)
  • Positive Pay: a key fraud-fighting tool for
    disbursement accounts
  • Implement Internal and External Procedures
  • Check Security Features
  • Use of Electronic Payments

42
Positive Pay
  • What's new in Positive Pay?
  • Teller Positive Pay
  • Decision made at teller line
  • Payee Positive Pay
  • What if the criminal adds a payee name, alters a
    payee name
  • Image Positive Pay
  • Review front and back of checks
  • Per Frank Abagnale
  • Positive pay is the best product in 25 years to
    deal with the problem of forged, altered and
    counterfeit checks
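
How a Positive Pay match works, as an added example that is not part of the original presentation: the company sends the bank an issue file, and each presented check is compared against it before payment. The record layout, reason names and sample checks are constructed for illustration; the payee comparison corresponds to Payee Positive Pay and the duplicate test covers a check that is both scanned and physically deposited.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:           # one row of the company's issue file (assumed layout)
    serial: str
    amount: Decimal
    payee: str
    voided: bool = False


@dataclass(frozen=True)
class PresentedItem:         # a check arriving at the bank for payment
    serial: str
    amount: Decimal
    payee: str               # payee line as read at the teller or from the image
    channel: str             # "teller", "clearing" or "remote_deposit"


def normalize_payee(name: str) -> str:
    """Upper-case, drop punctuation and collapse spaces so formatting noise is ignored."""
    kept = "".join(c for c in name.upper() if c.isalnum() or c.isspace())
    return " ".join(kept.split())


def positive_pay(issue_file, presented):
    """Return (serial, channel, decision, reason) for every presented item."""
    issued = {c.serial: c for c in issue_file}
    paid = set()             # serials already paid once
    results = []
    for item in presented:
        rec = issued.get(item.serial)
        if rec is None:
            reason = "NOT_ISSUED"              # counterfeit or unknown serial
        elif rec.voided:
            reason = "VOIDED"
        elif item.serial in paid:
            reason = "DUPLICATE_PRESENTMENT"   # e.g. scanned and also deposited
        elif item.amount != rec.amount:
            reason = "AMOUNT_MISMATCH"         # altered dollar amount
        elif normalize_payee(item.payee) != normalize_payee(rec.payee):
            reason = "PAYEE_MISMATCH"          # payee added or altered
        else:
            reason = None
            paid.add(item.serial)
        decision = "EXCEPTION" if reason else "PAY"
        results.append((item.serial, item.channel, decision, reason))
    return results


# Constructed sample data, not real checks.
ISSUE_FILE = [
    IssuedCheck("1001", Decimal("1250.00"), "Acme Supply Co."),
    IssuedCheck("1002", Decimal("980.40"), "Valley Power and Light"),
    IssuedCheck("1003", Decimal("312.75"), "Desert Office Supply"),
    IssuedCheck("1004", Decimal("75.00"), "J. Smith", voided=True),
]
PRESENTED = [
    PresentedItem("1001", Decimal("1250.00"), "ACME SUPPLY CO", "clearing"),
    PresentedItem("1002", Decimal("9980.40"), "Valley Power and Light", "clearing"),
    PresentedItem("1003", Decimal("312.75"), "Desert Office Supply or J. Doe", "teller"),
    PresentedItem("1001", Decimal("1250.00"), "Acme Supply Co.", "remote_deposit"),
    PresentedItem("9999", Decimal("4500.00"), "Cash", "teller"),
    PresentedItem("1004", Decimal("75.00"), "J. Smith", "teller"),
]

if __name__ == "__main__":
    for row in positive_pay(ISSUE_FILE, PRESENTED):
        print(row)
```

Exceptions go back to the company for a pay or return decision; only the first item is paid without review.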

43
Internal Procedures for your Company
  • Consider moving check disbursement activity to
    electronic payment
  • Food for Thought
  • An employee takes their payroll check to cash,
    maybe at a retail store, supermarket or
    check-cashing store. Think about the many places
    they cash their check and how an unethical
    employee at one of those places may photocopy
    the check and use your account number and routing
    number.
  • What about a disgruntled or recently fired
    employee who was paid by check?
  • What about all the companies you pay by check? Do
    you really want them having your ABA and account
    number?

44
Insider - Preventive Measures
  • New Employees
  • Background Check
  • www.myspace.com
  • Social Security Employee Verification Service
    Publication No 20-004
  • Fingerprinting
  • Criminal Record Check
  • Credit Report
  • Chex Systems
  • Maintain Separation of functions
  • Dual Controls

45
Remote Deposit Capture Risks
  • There is risk in remote deposit ranging from poor
    image quality to duplicate check processing,
    either innocently if the check is accidentally
    scanned twice, or malevolently if it's both
    scanned and physically deposited.
  • With corporate customers now keying the check
    amounts there's also the risk of incorrect
    encoding.
  • To address these risks, remote deposit
    applications should have image quality assessment
    capabilities with standards that can be
    controlled by the bank.
  • Many remote deposit applications have
    functionality to prevent the checks until they
    are destroyed.
  • Amount recognition technology can address some of
    the issues around the keying of the dollar
    amounts and deposit balancing features can help
    point out discrepancies.

46
www.fakechecks.org
47
ACH Fraud
48
Who Are the Participants?
  • Originator
  • Entity that agrees to initiate ACH entries into
    the payment system according to an arrangement
    with a Receiver
  • Originating Depository Financial Institution
    (ODFI)
  • Receives payment instructions from Originators
    and forwards the entries to the ACH Operator
  • ACH Operator
  • Central clearing facility operated by Federal
    Reserve Bank or Electronic Payments Network on
    behalf of DFIs
  • Receiving Depository Financial Institution (RDFI)
  • Receives ACH entries from the ACH Operator and
    posts the entries to accounts of the depositors
    (Receivers)
  • Receiver
  • Natural person or an organization which has
    authorized an Originator to initiate an ACH entry
    to the Receiver's account with the RDFI
  • May be company or consumer

49
How the ACH Transaction Flow Works
Standard Entry Class Codes
Third Parties
50
Standard Entry Class Codes
  • Rules based on the Standard Entry Class Codes
  • Authorization Requirements, Return Time Frames,
    etc.
  • PPD: Prearranged Payment and Deposit Entry
  • RCK: Represented Check Entry
  • WEB: Internet Initiated Entry
  • TEL: Telephone Initiated Entry
  • ARC: Accounts Receivable Entry
  • POP: Point of Purchase
  • CCD: Cash Concentration Disbursement
  • BOC: Back Office Conversion

51
What is the Strategy?
  • The ACH Network is a safe, high quality payments
    system.
  • NACHA, its members and the ACH operators have a
    responsibility to ensure that the ACH network
    remains a safe, high quality payment system
  • Protect FIs' financial interest and reputations
  • Implementing a comprehensive risk management
    strategy addressing four categories
  • 1) Network entry requirements
  • 2) Ongoing requirements
  • 3) Enforcement
  • 4) ACH Operator tools.

52
Fraud in the ACH Network
  • Internal ACH Fraud
  • Corporate or FI
  • More likely at corporations without dual controls
  • Payroll clerk can pay herself $1M by direct
    deposit if nobody else has to sign off on the file
  • ODFI Exposure File Limits
  • Selling or Furnishing Information
  • Money Laundering
  • Does the ACH network warranty the product or
    service received or not received?
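
The dual-control and exposure-limit points above, together with the earlier slide's "one user creates a transaction and another user approves it" and its audit-trail requirement, sketched as a release gate for an ACH origination file. This is an added example, not code from the presentation; the user names, entitlement labels, limit value and file layout are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class AchFile:
    file_id: str
    created_by: str
    entries: list            # (receiver_name, account, amount) tuples


def release_file(ach_file, approver, entitlements, exposure_limit, audit_log):
    """Decide whether `approver` may release the file; log every attempt."""
    total = sum((amount for _, _, amount in ach_file.entries), Decimal("0"))
    if "approve" not in entitlements.get(approver, set()):
        outcome = "DENIED_NOT_ENTITLED"
    elif approver == ach_file.created_by:
        outcome = "DENIED_SAME_USER"             # dual control: creator cannot approve
    elif total > exposure_limit:
        outcome = "DENIED_OVER_EXPOSURE_LIMIT"   # file limit agreed with the ODFI
    else:
        outcome = "RELEASED"
    # Audit trail: every user who touched the file, whatever the outcome.
    audit_log.append({
        "file_id": ach_file.file_id,
        "created_by": ach_file.created_by,
        "approver": approver,
        "total": total,
        "outcome": outcome,
    })
    return outcome


# Constructed users, entitlements and limit (all hypothetical).
ENTITLEMENTS = {
    "pclerk": {"create"},
    "tmgr": {"approve"},
    "cfo": {"create", "approve"},
}
EXPOSURE_LIMIT = Decimal("250000.00")


def run_scenarios():
    audit = []
    payroll = AchFile("F-001", "pclerk", [
        ("Employee A", "111", Decimal("2100.00")),
        ("Employee B", "222", Decimal("1950.00")),
    ])
    # Same payroll file with a $1M direct deposit to the clerk appended.
    padded = AchFile("F-002", "pclerk",
                     payroll.entries + [("P. Clerk", "333", Decimal("1000000.00"))])
    own = AchFile("F-003", "cfo", [("Vendor C", "444", Decimal("500.00"))])
    outcomes = [
        release_file(padded, "pclerk", ENTITLEMENTS, EXPOSURE_LIMIT, audit),
        release_file(padded, "tmgr", ENTITLEMENTS, EXPOSURE_LIMIT, audit),
        release_file(own, "cfo", ENTITLEMENTS, EXPOSURE_LIMIT, audit),
        release_file(payroll, "tmgr", ENTITLEMENTS, EXPOSURE_LIMIT, audit),
    ]
    return outcomes, audit


if __name__ == "__main__":
    results, trail = run_scenarios()
    for outcome, record in zip(results, trail):
        print(outcome, record["file_id"], record["approver"], record["total"])
```

Holding both entitlements does not let a user approve their own file, and the file limit stops the padded file even when a second user signs off.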

53
ACH Kiting
  • An originator can use an ACH kite scheme to
    inflate an account balance with the offsetting
    credits generated from ACH debit origination
    activity.
  • When the originator generates unauthorized debits
    or valid debits to accounts that they or their
    accomplices own, the account is credited covering
    previous unauthorized debits as they are
    returned.
  • The scheme is essentially a check kite executed
    electronically.
  • Even kiting used to cover short term cash flow
    problems can put an FI at risk.
  • Kites of this nature often go undetected because
    of a lack of coordination and communication
    between the FI's fraud and ACH operations units.
  • If the fraud unit becomes aware of an unusually
    high volume of administrative returns, it may
    investigate the situation more closely.
  • Just as check-based kite schemes are identified
    through a source of funds analysis, ACH kite
    schemes can be discovered by analyzing the direct
    debit activity being originated.
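
One way an ODFI could analyze originated debit activity for the two signals named above, as an added example that is not from the presentation: the share of an originator's debits that come back with the no-account or invalid-account return codes (R03 and R04, cited later in this deck), and how concentrated the debits are on a few receiver accounts. The thresholds, originator names and data are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

WATCHED_RETURN_CODES = {"R03", "R04"}        # no-account / invalid-account returns
MIN_ENTRIES = 20                             # assumed: ignore very small originators
MAX_WATCHED_RETURN_RATE = Decimal("0.03")    # assumed review threshold
MAX_TOP_RECEIVER_SHARE = Decimal("0.50")     # assumed review threshold


def review_originators(debits, returns):
    """debits: (originator, trace, receiver_account, amount); returns: (trace, code).

    Returns {originator: [flags]} for originators that need a closer look.
    """
    code_by_trace = dict(returns)
    entries = defaultdict(int)
    watched = defaultdict(int)
    dollars = defaultdict(Decimal)
    by_receiver = defaultdict(lambda: defaultdict(Decimal))
    for originator, trace, receiver, amount in debits:
        entries[originator] += 1
        dollars[originator] += amount
        by_receiver[originator][receiver] += amount
        if code_by_trace.get(trace) in WATCHED_RETURN_CODES:
            watched[originator] += 1

    findings = {}
    for originator, count in entries.items():
        if count < MIN_ENTRIES:
            continue
        flags = []
        if Decimal(watched[originator]) / count > MAX_WATCHED_RETURN_RATE:
            flags.append("ADMIN_RETURN_RATE")        # guessing at account numbers
        top = max(by_receiver[originator].values())
        if dollars[originator] and top / dollars[originator] > MAX_TOP_RECEIVER_SHARE:
            flags.append("RECEIVER_CONCENTRATION")   # same few accounts debited repeatedly
        if flags:
            findings[originator] = flags
    return findings


def build_sample():
    """Constructed activity for four hypothetical originators."""
    debits, returns = [], []
    for i in range(40):      # ordinary biller: many receivers, no returns
        debits.append(("UTILITY-CO", f"U{i}", f"70010{i:03d}", Decimal("85.00")))
    for i in range(50):      # small debits to sequential accounts, 30 of 50 returned
        debits.append(("WEB-MERCH-7", f"W{i}", f"55500{i:03d}", Decimal("1.00")))
        if i % 5 < 3:
            returns.append((f"W{i}", "R03" if i % 2 else "R04"))
    for i in range(24):      # large debits cycling between two receiver accounts
        receiver = "ACCT-A" if i % 4 else "ACCT-B"
        debits.append(("KITE-LLC", f"K{i}", receiver, Decimal("5000.00")))
    returns += [("K3", "R01"), ("K7", "R01")]        # returns outside the watched set
    debits.append(("NEW-CO", "N0", "123", Decimal("10.00")))
    returns.append(("N0", "R03"))                    # below MIN_ENTRIES, not scored
    return debits, returns


if __name__ == "__main__":
    print(review_originators(*build_sample()))
```

A flag is a prompt for the fraud and ACH operations units to compare notes, not proof of a kite.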

54
Origination System Hacking
  • Originator or 3rd Party generates invalid
    transactions using the name of the true
    originator
  • Perpetrators hack into origination systems using
    compromised logon IDs and passwords and originate
    ACH credits to mule accounts created for the
    express purpose of committing fraud
  • Accounts are emptied and abandoned
  • True originator's account is debited for the
    invalid origination file
  • Credits usually irretrievable by the time the
    fraud is discovered
  • How were they compromised?
  • Keyloggers, trojans or phishing
  • Compromised by insider (know your employees)

55
Fraud Scenarios: Reverse Phishing
  • The Scenario
  • A company received e-mails from two trading
    partners asking for changes to bank and account
    numbers used to receive ACH payments for
    invoices
  • The company believed the requests to be
    legitimate, as the e-mails looked like those from
    the trading partners
  • The company originated ACH credits to the new
    bank and account numbers for these trading
    partners
  • The ACH credits went to newly opened accounts,
    and the funds were withdrawn
  • Eventually, the company received phone calls from
    the real trading partners about failure to pay
  • The company investigated and discovered that the
    original e-mails supplying new payment
    instructions were fraudulent.

56
Fraud Scenarios: Reverse Phishing
  • NACHA is calling it a case of reverse phishing:
    instead of e-mails attempting to fraudulently
    obtain corporate banking information, the
    perpetrator(s) sent e-mails fraudulently
    providing corporate banking information.
  • Recommendations
  • Originators should perform due diligence in
    accepting changes in payment instructions. 
  • For example, a widely used security procedure is
    a callback to a known individual at the trading
    partner.
  • ODFIs can alert their Originators to this type of
    fraud scheme.

57
Fraud Scenarios: Keylogging Spyware
  • The scenario
  • A corporate treasury workstation or computer used
    to log on to online banking is infected with
    keylogging spyware
  • The keylogging spyware records the company's
    online banking credentials (User ID and Password)
    when an employee signs in to online banking
  • The keylogging spyware then sends this
    information to the perpetrator
  • The perpetrator uses the company's credentials to
    sign in to online banking on the corporate
    banking web site
  • The perpetrator initiates outbound funds
    transfers out of the company's corporate
    account(s), either via ACH credits or wire
    transfers

58
Fraud Scenarios: Keylogging Spyware
  • The Scenario
  • The company does not employ any additional means
    to confirm the transactions and release funds,
    and the bank does not require additional
    authentication of the party initiating the
    transfers
  • The perpetrator routes funds to deposit accounts
    at various financial institutions; these accounts
    were recently opened either by the perpetrator,
    or arranged to be opened through willing
    associates or unknowing individuals
  • These accounts receive deposited good funds via
    ACH credits or wire transfers
  • The account owners then wire funds overseas, and
    the funds are non-recoverable by the company and
    its bank.

59
Fraud Scenarios: Keylogging Spyware
  • Recommendations for Originators
  • Originators should use best practices for
    treasury management and corporate banking,
    including authentication for authorizing
    transactions online and/or independent
    confirmation of outbound transfers
  • Originators should reconcile their accounts
    daily
  • Originators should use best practices
    for information technology security, covering the
    integrity of hardware, software and identity
    management.

60
Fraud Scenarios: Keylogging Spyware
  • Recommendations for ODFIs
  • ODFIs should use best practices for
    authenticating corporate customers and executing
    instructions for outbound funds transfers
    initiated online
  • ODFIs should work with their Originators on best
    practices for corporate banking and IT security
  • ODFIs can alert their Originators to this type of
    fraud scheme.

61
Fraud Scenarios: Keylogging Spyware
  • The scenario takes advantage of compromised IT
    security, poor corporate treasury management
    practices, and weak authentication. The scenario
    is not specific to ACH payments; wire transfers
    were involved as well.

62
Traditional Uses of the ACH Network
  • PPDs - Recurring credits or debits
  • Payroll
  • Pensions
  • Social Security
  • Insurance Premiums
  • Utility bills
  • Risk of fraud almost non-existent

2/12/04 - 64,000 .01 ACH credits
63
Check Fraud in the ACH WorldeCheck
  • Point of Purchase (POP)
  • Is the source document (check) valid?
  • Did the retail clerk check ID and document
    information about the consumer?
  • Source document (check) isn't given back to the
    consumer
  • Check converted is counterfeit
  • Consumer Fraud
  • States they never wrote check at retailer
  • Accounts Receivable Entry (ARC) and Back Office
    Conversion (BOC)
  • Check converted is counterfeit
  • Can your systems talk to each other? Are you
    monitoring your transactions?

64
Fraud in the ACH Network
  • Telephone Initiated Entry (TEL)
  • Existing relationship or Consumer initiates call
  • Telemarketing Fraud
  • Merchants operating with fraudulent intent
    without having obtained the consumer's authorization
  • Merchants violate TEL rules by cold calling
  • Merchants' use of post cards
  • Merchants with no intent to deliver a product or
    service
  • Consumer Fraud
  • Consumer never intends to make payment good
  • Federal Trade Commission
  • Telemarketing Sales Rules
  • www.ftc.gov
  • www.donotcall.gov
  • What city are most Americans being ripped-off
    from?

65
Telemarketing Fraud
  • Scams
  • You've won a prize or lottery
  • Advance Fee
  • Credit Cards
  • Medical Plans/Insurance
  • Find victims
  • Telemarketing Lists, Via Obituaries,
  • First name tells age
  • Mabel vs. Paula
  • Leo vs. John
  • Sharon vs. Pearl
  • Ramona vs. Greg
  • Select type of victim
  • Income range, gender and age
  • Elderly Female best targets
  • www.lookstogoodtobetrue.com

66
Fraud in the ACH Network
  • Internet-Initiated Entry (WEB)
  • Anonymous nature of internet presents Originator
    with unique challenges
  • ODFI establishes separate WEB exposure limit
  • Originator verifies the identity of Receiver
  • Requirements of WEB Originators

www.cybercrime.gov - a great resource on
cybercrime for FI/Corporate
67
WEB Fraud Schemes
  • Spamming with account numbers searching for
    real account number
  • R03 Invalid or R04 No Account
  • How many actually posted?
  • Identity Theft: Stolen Bank Account Information
  • Spoofing / Phishing
  • Obtain sensitive identifying information
  • Consumer Fraud
  • Consumer never intends to make payment good
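
Added example (not part of the original presentation): one way an ODFI could screen an Originator's WEB entries for the account-number spamming pattern above, by measuring the share of entries returned R03 or R04 and listing the guessed accounts that actually posted. The originator IDs, account numbers and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Return codes the slide ties to account-number guessing.
PROBE_CODES = {"R03", "R04"}

# Constructed sample: (originator_id, receiver_account, return_code);
# return_code is None when the entry posted to a real account.
SAMPLE_ENTRIES = (
    [("ORIG-A", f"0001{n:02d}", code) for n, code in enumerate(
        ["R03", "R04", "R03", None, "R04", "R03", None, "R04"])]
    + [("ORIG-B", f"0002{n:02d}", code) for n, code in enumerate(
        [None, None, "R03", None, None, None])]
    + [("ORIG-C", f"0003{n:02d}", "R04") for n in range(2)]
)


def probe_report(entries, min_entries=5, min_bad_ratio=0.5):
    """Flag originators whose R03/R04 share suggests account probing.

    min_entries and min_bad_ratio are illustrative thresholds (assumptions),
    to be tuned against an institution's own return history.
    """
    stats = defaultdict(lambda: {"total": 0, "bad": 0, "posted": []})
    for originator, account, return_code in entries:
        s = stats[originator]
        s["total"] += 1
        if return_code in PROBE_CODES:
            s["bad"] += 1
        elif return_code is None:
            # "How many actually posted?": these accounts are now known
            # to be real and need follow-up with the RDFI.
            s["posted"].append(account)

    flagged = {}
    for originator, s in stats.items():
        ratio = s["bad"] / s["total"]
        # Small batches are skipped so one mistyped account does not alert.
        if s["total"] >= min_entries and ratio >= min_bad_ratio:
            flagged[originator] = {
                "bad_ratio": round(ratio, 2),
                "posted_accounts": s["posted"],
            }
    return flagged


if __name__ == "__main__":
    print(probe_report(SAMPLE_ENTRIES))
```

The posted accounts matter as much as the ratio: they are the ones a later fraudulent debit would target.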

68
Commercially Reasonable Fraudulent Transaction
Detection Systems (FTDS) to screen WEB Entries
  • Authentication is the most important feature of a
    Transaction Detection System

69
Password Authentication
  • Passwords: Don't use names of spouses or
    children, which are easily guessed, or words in
    the dictionary, which automated systems may be
    able to break with so-called dictionary
    attacks.
  • The use of passwords can be strengthened by
    enforcing certain rules, such as requiring
    passwords of a certain length, using
    numbers, symbols and letters, and using both
    upper and lower case letters.

70
What Technology is Available?
  • IP Analysis: http://www.whatismyipaddress.com/
  • Browser Authentication
  • Input Security
  • Black-List/Clustering
  • Login Challenge
  • Session Risk Assessment
  • Device Authentication Session Clustering
  • Session Challenge
  • Device Consumer Payment Protection
  • Biometric Security

71
ODFI Warranties
  • Warranty: Article Two, Subsection 2.2.1.1 of the
    NACHA Operating Rules
  • Each entry transmitted by the ODFI to an ACH
    Operator is in accordance with proper
    authorization provided by the Originator and the
    Receiver
  • Breach of Warranty: Article Two, Subsection 2.2.3
    of the NACHA Operating Rules
  • Liability for Breach of Warranty

72
RDFI's Role
COLORADO State EFT Law supersedes and there is
no liability. Does your state have a statute of
limitations?
  • Customer Care Issues
  • Education of Staff about ACH Consumers
  • Handling of Returns: Consumer Unauthorized
  • Completion of Written Statement Under Penalty of
    Perjury Form
  • Class 4 Felony if they lie
  • RDFI must supply to ODFI if requested!
  • Regulation E: 60 days from statement date
  • Beyond 60 days
  • How do you find out who ODFI is?
    www.paymentsnation.com R/T Search
  • Contact ODFI regarding unauthorized transaction
  • Request proof of proper authorization and
    Originator's name and phone number
  • ODFI Warranties Subsection 2.2.1.1

73
RDFI's ROLE
  • Corporate entry unauthorized
  • CCD, CTX or CBR
  • 24 hours to return unauthorized item (R29)
  • Unless you contact the ODFI and get permission to
    return the item (R31)
  • ODFI Warranties Subsection 2.2.1.1
  • Sometimes you don't get what you deserve, you
    get what you demand
  • Demand Satisfaction: place responsibility for
    theft on the perpetrators and enablers, not the
    victim
  • ODFIs must live up to their warranty

74
RDFI Corporate Account Prevention
  • Account Balancing Reconciliation
  • View Account Daily
  • Positive Pay
  • Dollar Limit on ACH Debits or Credits only
  • UPIC
  • Transaction Monitoring
  • Real time
  • Delayed
  • Alerts
  • ACH Debit Blocks and Filters

75
ACH Debit Blocks and Filters
  • Allows companies to block all incoming ACH debit
    or credit transactions, or both
  • Allows blocking of all incoming ACH transactions
    except those items specifically defined by the
    company
  • Company instructs and authorizes the bank to pay
    specific transactions based on specific criteria
    they define
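
Added example (not part of the original presentation, and not any bank's actual product): a minimal debit block and filter decision, where a blocked direction is denied by default and only entries matching company-defined criteria are paid. The company IDs, the dollar limit and the field names are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    company_id: str   # originating company ID on the incoming entry
    direction: str    # "debit" or "credit"
    amount: Decimal


@dataclass(frozen=True)
class AllowRule:
    company_id: str
    direction: str
    max_amount: Decimal  # per-entry dollar limit set by the company


@dataclass(frozen=True)
class AccountPolicy:
    block_debits: bool
    block_credits: bool
    allow: tuple = ()  # exceptions the company has specifically defined


def decide(policy, entry):
    """Return "pay" or "return" for one incoming ACH entry."""
    if entry.direction not in ("debit", "credit"):
        raise ValueError(f"unknown direction: {entry.direction!r}")
    blocked = (policy.block_debits if entry.direction == "debit"
               else policy.block_credits)
    if not blocked:
        return "pay"
    # Blocked direction: default deny, pay only on an exact rule match.
    for rule in policy.allow:
        if (rule.company_id == entry.company_id
                and rule.direction == entry.direction
                and entry.amount <= rule.max_amount):
            return "pay"
    return "return"


# Constructed policy: all debits blocked except one known biller up to
# $5,000.00; incoming credits are not blocked.
SAMPLE_POLICY = AccountPolicy(
    block_debits=True,
    block_credits=False,
    allow=(AllowRule("1234567890", "debit", Decimal("5000.00")),),
)
```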

76
Network Enforcement Rule Changes
  • Rule changes approved 11/8/07 will modify the
    structure of the National Systems of Fines (now
    called Rules Enforcement with December 21, 2007
    rules change) and increase the amounts of fines
    that may be levied
  • Permit the ACH Rules Enforcement Panel to direct
    an ODFI to suspend an Originator or Third Party
    Sender
  • Looking at an Originator Watch List program
  • Create new Rules compliance tool based upon
    unauthorized return rates

77
Network Enforcement Rule Changes
  • New rule allows NACHA to request information
    about an Originator from an ODFI when NACHA
    believes that the Originator's return rate for
    unauthorized reasons exceeds one percent
  • Allows NACHA to initiate a rules enforcement
    proceeding if
  • ODFI fails to respond appropriately
  • ODFI fails to reduce the rate to below 1% within
    60 calendar days after contact from NACHA
  • ODFI fails to maintain the rate below 1% for 180
    additional days

78
Network Enforcement Rule Changes
  • Revises rules violation classifications and fines
  • Class 1: 1st, 2nd or 3rd recurrence
  • $1,000, $2,500 or $5,000
  • Class 2: willful disregard, $100,000
  • Class 3: significantly harmful, $500,000

79
Electronic Payments Network
  • Universal Payment Identification Code (UPIC)
  • Secure bank account identifiers that can be
    offered to business customers along with other
    security offerings such as debit blocks and
    positive pay
  • UPICs look and act like bank account numbers and
    allow companies to receive electronic credit
    payments without divulging their sensitive bank
    information
  • Over 1 billion payments with 19 industries and 9
    major FIs issuing UPICs

80
Operation Bulletin from NACHA
  • Use of the Back of a Check for ACH Authorizations
  • Deceptive practices
  • Authorization
  • Federal and State Laws

81
Resources
  • Report any telemarketing fraud scheme
  • FTC @ 1-877-FTC-Help or www.ftc.gov
  • Contact your local police department if you or
    someone you know may be a victim.
  • Phoenix Police Department 602-262-6151
  • Arizona Telemarketing Fraud Task Force
    602-650-3333
  • Report if victim of identity theft
  • Example: consumer never gave out their account
    information
  • FTC @ 1-877-IDTHEFT or www.consumer.gov/idtheft

82
Resources
  • United States Postal Inspection Service
  • www.usps.com/postalinspectors
  • Telemarketing Fraud using US Postal Service
    877-987-3728
  • Report any Internet crimes
  • Internet Fraud Complaint Center
  • www.ic3.gov
  • Fraud Alert Flyer
  • http://www.ic3.gov/media/FraudAlert.pdf
  • Fraud Originated from Canada
  • Phonebusters
  • Federal Canadian anti-fraud call centre
    www.phonebusters.com or 888-495-8501
  • ICE (Telemarketing Fraud only) 866-DHS-2ICE
  • Department of Justice
  • www.usdoj.gov/criminal/fraud/telemarket/

83
Public Websites Consumer Can Report Fraud
www.ripoffreport.com www.my3cents.com
www.consumeraffair.com www.complaintsboard.com
84
http://onguardonline.gov/index.html
86
www.electronicpayments.org
87
ftc.gov/infosecurity
89
Networking Resources
  • Networking
  • International Association of Financial Criminal
    Investigators www.iafci.org
  • Certified Fraud Examiners www.cfenet.com
  • Infragard www.infragard.net
  • ID Theft http://www.idtheft.gov/
  • The FBI's Efforts to Combat ID Theft
  • www.infragard.net/press_room/articles/article_041305.htm
  • National Criminal Justice Reference Service
  • State and Local ID Theft Programs
  • http://www.ncjrs.org/spotlight/identity_theft/programs.html

90
U.S. Postal Inspection Service Fraud Prevention
Video http://postalinspectors.uspis.gov/pressroom/videos.aspx
  • All the King's Men - Victims of Crimes
  • Dialing for Dollars - Investment Telemarketing
    Scams
  • Long Shot - Lottery Scams
  • Nowhere to Run - Cross Border Telemarketing Scams
  • Web of Deceit - Phishing
  • Work at Home Scams
  • Identity Crisis - ID Theft
  • Truth or Consequences - Fake Check Scams

91
Any Questions?
  • Knowledge is Power!
  • Education
  • Networking
  • Resources
  • Contact your Regional Payments Association
    www.alacha.org