The Bankwatch

Tracking the consumer evolution of financial services

A frightening new account attack

This attack method is frighteningly simple. The bad guys ping account numbers until they make contact with a legitimate account. Upon successful identification of an account, the bad guys can debit it. This highlights an apparent flaw in the US ACH system.

the scammers appeared to be taking advantage of validation weaknesses among businesses using the automated clearinghouse (ACH) system, a private electronic payment network that links banks with one another via the Federal Reserve.

The network is used by banks to process large volumes of payroll, credit and debit card transactions, but it also facilitates direct payment of consumer bills such as mortgages, loans and utility bills, as well as business-to-business and federal, state and local tax payments.

Source: Washington Post

This came to light when a member of the US Air Force noticed his account balance was less than it should have been:

More specifically, the account balance was $124.90 less than it should have been. A business named “Equity First” had made the debit. The toll-free number listed on the transaction led to dead ends — none of the options would allow Airman A to speak with a human. So he went online.

Source: Air Force Link

Read through the two links above; this is a new one to me, and although I am appalled at the implications here, when I put my mind into that of the criminal, I can see how easy it is. This could equally easily happen with the Canadian EFT (Electronic Funds Transfer) system. All that is required is to open a business account and purchase EFT access. I assume the US circumstance is similar.

Written by Colin Henderson

May 19, 2007 at 21:49

Posted in Security

2 Responses


  1. Hardly a flaw in the ACH system. More a flaw in the bank that processed the debits. It all comes down to Direct Debit Authorisations (DDAs), how they are defined and validated.

    I believe that DDAs for retail customers, at the bare minimum, MUST have the following
    – Payee Bank and Account Identifier
    – Reference No (such as a policy no)
    – Validity period
    – Frequency (Daily, Weekly, Monthly)
    – Maximum Dr amount

    I feel it’s the bank’s responsibility to capture DDAs with these details and validate against the inward Dr.

    Though this will not solve the problem that people are able to ping and get a list of valid account nos. Credit Authorisations would be counter-productive.

    Shreepad Shukla

    May 21, 2007 at 02:51

  2. I agree, it seems almost too easy. I could be wrong, but I believe that a company can also send a pre-notification with no dollar amount through the ACH network to ping an account. A legit company would do this, for example, to verify the account number you gave them for pre-authorized debit is valid.

    I also find Shreepad’s comment interesting and reflective of the regime in place for handling this type of risk: proper procedures and regulation. In the case of an unauthorized debit, US Federal law (Reg E) gives you the right to stop or reverse a payment you believe you did not authorize or was made in error. I think you have 60 days to notify your bank.

    However, this is all reactive and an inconvenience for the consumer isn’t it? If the bank failed in following proper process, it is up to you to find the error and make the proper notifications. That being said, I guess this is to be expected and that there will always be a trade off between convenience and security.

    John Januszczak

    May 23, 2007 at 11:53
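A sketch of the inward-debit check Shreepad describes in the first comment: each incoming debit is matched against a stored Direct Debit Authorisation carrying the five fields he lists, and anything without a mandate on file is rejected regardless of whether the account number is valid. This is an added example, not code from the post or from any bank's system; the bank and account identifiers, the sample mandate, and the 28-day minimum gap for a "monthly" mandate are constructed assumptions, while the "Equity First" debit reuses the $124.90 amount from the post.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DebitAuthorisation:
    """A Direct Debit Authorisation captured when the customer sets up the mandate."""
    payee_bank: str        # originator's bank identifier (constructed format)
    payee_account: str     # originator's account identifier
    reference: str         # reference number, e.g. a policy number
    valid_from: date
    valid_to: date
    frequency: str         # "daily", "weekly" or "monthly"
    max_amount_cents: int  # maximum debit amount, in cents

@dataclass(frozen=True)
class InboundDebit:
    payee_bank: str
    payee_account: str
    reference: str
    amount_cents: int
    posted: date

# Minimum number of days between two debits under one authorisation (assumed values).
MIN_GAP_DAYS = {"daily": 1, "weekly": 7, "monthly": 28}

def validate_debit(debit, authorisations, prior_dates):
    """Return (accepted, reason); prior_dates maps (bank, account, reference) -> last debit date."""
    key = (debit.payee_bank, debit.payee_account, debit.reference)
    for auth in authorisations:
        if (auth.payee_bank, auth.payee_account, auth.reference) != key:
            continue
        if not (auth.valid_from <= debit.posted <= auth.valid_to):
            return False, "outside validity period"
        if debit.amount_cents > auth.max_amount_cents:
            return False, "exceeds maximum debit amount"
        last = prior_dates.get(key)
        if last is not None and (debit.posted - last).days < MIN_GAP_DAYS[auth.frequency]:
            return False, "more frequent than authorised"
        return True, "matches authorisation"
    # No mandate on file: this is what stops an originator that merely found a live account number.
    return False, "no matching authorisation on file"

# Constructed sample data: one monthly utility mandate, plus the $124.90 "Equity First" debit.
AUTHORISATIONS = [DebitAuthorisation("BANK-A", "ACC-001", "POLICY-42",
                                     date(2007, 1, 1), date(2007, 12, 31), "monthly", 15000)]
PRIOR_DATES = {("BANK-A", "ACC-001", "POLICY-42"): date(2007, 4, 15)}
UTILITY_DEBIT = InboundDebit("BANK-A", "ACC-001", "POLICY-42", 9800, date(2007, 5, 15))
EQUITY_FIRST_DEBIT = InboundDebit("BANK-Z", "ACC-999", "EQUITY FIRST", 12490, date(2007, 5, 15))
```

As Shreepad notes, this check only stops unauthorised debits from posting; it does nothing to stop the account-number probing itself.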
