- Authentication (including token-based/one-time-password generators) is only one layer of control. Out-of-band verification (also called a third factor), such as callbacks, fax, etc., is still highly recommended.
- Businesses and banks should require dual controls.
- Establish and monitor exposure limits. Consider two limits: a lower limit for transactions verified by authentication only, and a higher limit for transactions that also receive out-of-band verification.
- Set up alerts to your customers so they know when a transaction has been initiated.
- Have a relatively low limit (less than 9K) for daily reporting.
- Monitor for “money mule” activity, typified by the presence of one or more of the following:
  - New accounts that are opened by a customer with a small deposit, followed shortly by one or more large deposits by ACH credit or wire transfer.
  - An existing account with a sudden increase in the number and dollar amounts of deposits by ACH credit or wire transfer.
  - A new or existing account holder that withdraws a large amount of cash shortly after a large deposit (often 5%-10% less than the deposit).
- Examiners will be looking hard at this at your next exam. They will be looking for a combination of controls: authentication, verification, limits, risk management and monitoring.
- Educate your customers but do not rely on customer controls.
- Recommend to customers that they set up a single-use computer dedicated to online banking and nothing else.
- Don’t let marketing “over promise” and “under deliver”. For example, “Business banking on-line, anywhere, anytime at the touch of the key” encourages customers not to worry about security (e.g., connecting from unsecured wireless networks).
- Have an Incident Response plan specifically for situations of this type.
- The FBI is interested. There are currently more than 250 ongoing investigations. If your bank or a customer experiences an ACH attack, contact the Cyber Supervisor at the local FBI office. They have been given guidance on how to respond and report.
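The three money-mule indicators listed above, turned into monitoring logic as an added example (not code from the original post or from any bank's system). The thresholds, the `Txn` record, the `mule_indicators` function and the sample account histories are all assumptions constructed for illustration; a bank would substitute its own risk-policy values and feed in real core-system transaction data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Thresholds are constructed for illustration; a bank would take them from its own risk policy.
SMALL_OPENING = 500.0              # "small deposit" used to open the account
LARGE_AMOUNT = 5_000.0             # "large" ACH/wire credit or cash withdrawal
SHORTLY_AFTER = timedelta(days=7)  # "shortly after"
SURGE_FACTOR = 3.0                 # recent volume vs. monthly baseline that counts as "sudden"
CASH_OUT_BAND = (0.85, 0.97)       # withdrawal ~5%-10% below the deposit, with some tolerance

@dataclass
class Txn:
    day: date
    kind: str      # "deposit" or "withdrawal"
    channel: str   # "ach", "wire", "cash", ...
    amount: float

def mule_indicators(opened, txns, as_of, baseline_count=0.0, baseline_dollars=0.0):
    """Return which money-mule patterns match; baseline_* = prior monthly avg of ACH/wire credits."""
    txns = sorted(txns, key=lambda t: t.day)
    credits = [t for t in txns if t.kind == "deposit" and t.channel in ("ach", "wire")]
    flags = []
    # 1. New account opened with a small deposit, then large ACH/wire credits shortly after.
    if (txns and txns[0].kind == "deposit" and txns[0].amount <= SMALL_OPENING
            and txns[0].day == opened
            and any(t.amount >= LARGE_AMOUNT and t.day - opened <= SHORTLY_AFTER for t in credits)):
        flags.append("new_account_large_credits")
    # 2. Existing account: sudden jump in both the count and dollar volume of ACH/wire credits.
    recent = [t for t in credits if timedelta(0) <= as_of - t.day <= timedelta(days=30)]
    if (baseline_count > 0 and len(recent) >= SURGE_FACTOR * baseline_count
            and sum(t.amount for t in recent) >= SURGE_FACTOR * baseline_dollars):
        flags.append("deposit_surge")
    # 3. Large cash withdrawal shortly after a large deposit, for slightly less than that deposit.
    def cashed_out(dep):
        return any(w.kind == "withdrawal" and w.channel == "cash"
                   and timedelta(0) <= w.day - dep.day <= SHORTLY_AFTER
                   and CASH_OUT_BAND[0] * dep.amount <= w.amount <= CASH_OUT_BAND[1] * dep.amount
                   for w in txns)
    if any(cashed_out(t) for t in txns if t.kind == "deposit" and t.amount >= LARGE_AMOUNT):
        flags.append("cash_out_after_deposit")
    return flags

# Constructed sample histories (not real data): a fresh mule-style account and a surging old one.
NEW_ACCOUNT = [Txn(date(2024, 3, 1), "deposit", "cash", 100.0),
               Txn(date(2024, 3, 4), "deposit", "ach", 8_000.0),
               Txn(date(2024, 3, 5), "withdrawal", "cash", 7_400.0)]
SURGE_ACCOUNT = [Txn(date(2024, 6, d), "deposit", "ach", 4_000.0) for d in range(3, 24, 3)]
def run_samples():
    return {"new": mule_indicators(date(2024, 3, 1), NEW_ACCOUNT, date(2024, 3, 10)),
            "surge": mule_indicators(date(2020, 1, 1), SURGE_ACCOUNT, date(2024, 6, 30),
                                     baseline_count=2, baseline_dollars=3_000.0)}
```

The new account trips both the "small opening deposit then large ACH credit" and the "cash out for 5%-10% less" patterns, while the established account trips only the deposit-surge check.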
Read more at KrebsOnSecurity.com ...