Tuesday, April 6, 2010

e-Banking Guidance for Banks & Businesses

KrebsOnSecurity.com: One of Krebs' sources was recently at a conference where one of the key speakers was a senior official from the Office of the Comptroller of the Currency, one of the main banking industry regulators. ... According to Krebs' source, the OCC official stressed the following points:
  • Authentication (including token based/one-time password generators) is only one layer of control. Out of band (also being called 3rd factor) verification such as call backs, fax, etc…  is still highly recommended.
  • Businesses and banks should require dual controls.
  • Establish and monitor exposure limits.  You may want to consider 2 limits – lower limits for authentication only, higher limit with out-of-band verification.
  • Set up alerts to your customers so they know when a transaction has been initiated.
  • Have a relatively low limit (less than 9K) for daily reporting.
  • Monitor for “money mule” activity, typified by the presence of one or more of the following:

    • New accounts that are opened by a customer with a small deposit, followed shortly by one or more large deposits by ACH credit or wire transfer.
    • An existing account with a sudden increase in the number and dollar amounts of deposits by ACH credit or wire transfer.
    • A new or existing account holder that withdraws a large amount of cash shortly after a large deposit (often 5%-10% less than the deposit).
  • Examiners will be looking at this hard at your next exam: They will be looking for a combination of controls; authentication, verification, limits, risk management and monitoring.
  • Educate your customers but do not rely on customer controls.
  • Recommend to customers that they set up a single use computer specifically for online banking and nothing else.
  • Don’t let marketing “over promise” and “under deliver”. For example, “Business banking on-line, anywhere, anytime at the touch of the key” encourages customers to not worry about security (i.e. connecting onto unsecured wireless networks).
  • Have an Incident Response plan specifically for situations of this type.
  • The FBI is interested. There are currently more than 250 ongoing investigations. If your bank/customer experiences an ACH attack, contact the Cyber Supervisor at the local FBI office. They have been given guidance in how to respond and report.
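As an added illustration (not from the Krebs post or the OCC official), the following Python sketch turns two of the points above into code: the two-tier exposure limit with dual control (an authentication-only limit and a higher limit that also needs out-of-band verification), and the three money mule indicators run over an account's transaction history. Every threshold, window and transaction here is a constructed assumption; the guidance itself only supplies the "5%-10% less than the deposit" figure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Tiered exposure limits (constructed sample thresholds, not OCC figures) ---
AUTH_ONLY_LIMIT = 5_000.00       # token / one-time password alone is enough up to here
OOB_VERIFIED_LIMIT = 25_000.00   # above AUTH_ONLY_LIMIT a call-back or fax is also required

def authorize_outbound(amount, oob_verified, dual_approved):
    """Apply dual control plus the two-tier limit to one outbound payment.
    Returns (allowed, reason)."""
    if not dual_approved:
        return False, "dual control: a second approver has not signed off"
    if amount <= AUTH_ONLY_LIMIT:
        return True, "within authentication-only limit"
    if amount <= OOB_VERIFIED_LIMIT:
        if oob_verified:
            return True, "out-of-band verification completed"
        return False, "above authentication-only limit: out-of-band verification required"
    return False, "above the out-of-band verified limit: hold for manual review"

# --- Money mule indicators over one account's history ---
INBOUND = {"ach_credit", "wire_in"}

@dataclass
class Txn:
    ts: datetime
    kind: str      # "deposit" (cash/check), "ach_credit", "wire_in", "cash_out"
    amount: float

def _inbound_stats(txns, start, end):
    """Count and sum of ACH/wire credits with start < ts <= end."""
    sel = [t for t in txns if t.kind in INBOUND and start < t.ts <= end]
    return len(sel), sum(t.amount for t in sel)

def mule_indicators(txns, account_opened, *, large=10_000.0, small=500.0,
                    new_account_days=30, follow_up=timedelta(days=14),
                    window=timedelta(days=30), surge_ratio=3.0,
                    cash_out_delay=timedelta(days=2), cash_out_band=(0.85, 1.0)):
    """Return the names of the indicators that fire for this account.
    All numeric thresholds are constructed assumptions."""
    txns = sorted(txns, key=lambda t: t.ts)
    hits = []
    if not txns:
        return hits
    first = txns[0]
    is_new = first.ts - account_opened <= timedelta(days=new_account_days)

    # 1. New account: small opening deposit, then a large ACH/wire credit shortly after.
    if is_new and first.kind == "deposit" and first.amount <= small:
        if any(t.kind in INBOUND and t.amount >= large and t.ts - first.ts <= follow_up
               for t in txns[1:]):
            hits.append("new_account_small_then_large_inbound")

    # 2. Existing account: inbound count *and* dollar volume jump versus the prior window.
    if not is_new:
        end = txns[-1].ts
        recent_n, recent_sum = _inbound_stats(txns, end - window, end)
        prior_n, prior_sum = _inbound_stats(txns, end - 2 * window, end - window)
        if prior_n and recent_n >= surge_ratio * prior_n and recent_sum >= surge_ratio * prior_sum:
            hits.append("existing_account_inbound_surge")

    # 3. Large deposit followed shortly by a cash withdrawal of nearly the same amount
    #    (the guidance says often 5-10 % less; the band used here is deliberately wider).
    lo, hi = cash_out_band
    for i, dep in enumerate(txns):
        if dep.kind in INBOUND and dep.amount >= large:
            if any(w.kind == "cash_out" and w.ts - dep.ts <= cash_out_delay
                   and lo * dep.amount <= w.amount <= hi * dep.amount
                   for w in txns[i + 1:]):
                hits.append("large_deposit_then_matching_cash_out")
                break
    return hits

def sample_accounts():
    """Constructed sample data: a suspicious new account, an existing account with an
    inbound surge, and a clean account receiving biweekly payroll credits."""
    d = datetime
    return {
        "new_mule": (d(2010, 3, 1), [
            Txn(d(2010, 3, 2), "deposit", 200.0),
            Txn(d(2010, 3, 9), "ach_credit", 12_000.0),
            Txn(d(2010, 3, 10), "cash_out", 11_000.0),   # about 8 % less than the deposit
        ]),
        "existing_surge": (d(2008, 6, 1), [
            Txn(d(2010, 2, 10), "ach_credit", 1_000.0),
            Txn(d(2010, 3, 15), "wire_in", 4_000.0),
            Txn(d(2010, 3, 20), "wire_in", 4_000.0),
            Txn(d(2010, 3, 25), "wire_in", 4_000.0),
        ]),
        "clean_payroll": (d(2008, 6, 1), [
            Txn(d(2010, m, day), "ach_credit", 2_000.0)
            for m, day in [(1, 15), (2, 1), (2, 15), (3, 1), (3, 15)]
        ]),
    }

def screen_all():
    """Run the mule indicators over every constructed sample account."""
    return {name: mule_indicators(txns, opened)
            for name, (opened, txns) in sample_accounts().items()}

if __name__ == "__main__":
    for name, hits in screen_all().items():
        print(f"{name}: {hits or 'no indicators'}")
    print(authorize_outbound(15_000.0, oob_verified=False, dual_approved=True))
```

The indicator thresholds are parameters rather than constants because a bank would tune them to its own customer base; the point of the sketch is that the second indicator compares both count and dollar volume against the account's own recent baseline, so a steady payroll stream does not fire while a sudden run of wires does.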

Read more at KrebsOnSecurity.com ...