Entries tagged with “ACH”.

Working with a website you aren’t familiar with can often be difficult. We at ProPay have tried to make our website as user-friendly as possible. One way we try to do this is by providing FAQ and tutorial pages which give detailed explanations of the main features of your ProPay account. This article focuses on how you can transfer the funds in your ProPay account to a personal checking or savings account. To see the tutorial on how this works, please visit the link below:


Each time you transfer your funds, please remember that it typically takes 2-4 business days for the funds to post to your account, and a small fee is taken for this transfer (amount may vary depending on your ProPay account type). Please be sure that you verify the funds have arrived in your personal account before you attempt to spend against them.

ProPay is constantly striving to meet all of your financial needs in order for your business to be successful. For additional explanations of how your ProPay account works (how to process a card, how to reset your password, how to send an email invoice to a customer), please visit our tutorial page (http://www.propay.com/propay-support/tutorials/). Or, to get answers to some of our most common questions, visit our FAQ page (http://www.propay.com/propay-support/frequently-asked-questions/).

Kyle Hunt; Customer Service Supervisor

I received a call a few minutes ago from Colleen, who represents NACHA. She was very pleasant and pointed out that the article which I referenced in my blog post had some critical mistakes, omissions, and errors. She asked that I listen closely to the audio recording and, if appropriate, change the post. Having been on the receiving end of interviews in which I was misquoted, I can understand the frustration. It is a lesson for me and others to NOT rely on an article without closely comparing the facts and comments to the actual audio recording.

In the article it was written that Ms. Estep claimed that ACH account fraud represented 8% of total transactions. It was this, and a few other select quotes, that formed the basis of my opinion.

After listening to the audio more closely, I did NOT hear Ms. Estep say anything related to 8% fraud. Where this came from is anyone’s guess.  Several of the quotes attributed to Ms. Estep were clearly taken out of context or flat wrong.  I am going to dissect the audio over the next day and provide a very accurate post on what was and was not said as well as the context in which it was written.

I applaud NACHA for taking a personal interest in correcting this and will update this blog in short order. 

In the interview, NACHA’s CEO, Jan Estep states: “ACH fraud is not so much of a problem,” and then goes on to articulate that “The number of compromises and losses are relatively low, when compared with the number of dollars and transactions that go over the ACH annually.”  NACHA has found that “corporate account takeover fraud perpetrated via ACH or wire transfer accounts for only 8% of all transactions.”  (emphasis added)

What is troubling about this particular interview is the fact that it appears acceptable and simply a part of business to accept that 8% of all transactions will be fraudulent. The article suggests that the problem is much less than that of credit or debit card transactions.

While this may or may not be true, there is a fundamental difference. Liability is limited on payment card transactions. The Federal government limits liability to $50 while the major card brands have zero liability. This means that if someone steals your credit card and fraudulently makes a purchase, then you are limited to $50 liability and in most cases will have no liability. Due to extensive travelling as a consultant, I have been the victim of credit card fraud several times. I have never had to pay a single dime.

ACH fraud occurs through account takeover. This means that the person is able to authenticate to the bank or system and initiate an ACH transaction. Because the criminal is able to authenticate as you or your company, it is very difficult to prove that it was not a legitimate transaction. Furthermore, often the only recourse is to try to sue to recover your money. Criminals, while operating illegally, are not stupid. They use mules to transfer the money. The chance of recovering money from an ACH takeover is slim to none in the vast majority of cases. While it may be true that ACH fraud occurs less relative to credit and debit card fraud, the impact to the victim is disproportionately greater.

Regarding the 8% number. Imagine a car company that stated that only 8% of the time the brakes failed on their newest model and justified it by saying that it is better than bicycles whose brakes fail more often. Imagine if your bank stated that they are only robbed 8% of the days they are open but that this number is less than the hair dresser that is robbed more often. It is difficult to justify an 8% failure rate as acceptable where there is such a profound impact to the victim.

The interview provides some guidance for preventing ACH fraud. According to Estep: “Keeping the computer secure is really the key.” It is at this point, as a security professional, I must disagree with her position. The end point “computer” can never really be considered “secure”. Operating under the assumption that the computer will not be secure, it is incumbent upon the businesses which support ACH transactions to require more robust authentication. Multi-factor authentication and out-of-band authentication will go a long way toward preventing account takeover.

In 2009, in anticipation of ACH fraud rising, ProPay developed a tokenization solution specifically for ACH. Companies are able to initiate ACH transactions without requiring the sensitive data to be stored. When coupled with robust authentication, this provides greater security than traditional methods of ACH.

Chris Mark, EVP; Data Security & Compliance

According to an article on Krebs on Security, organized cyberthieves stole over $600,000 from the Catholic Diocese of Des Moines, Iowa. According to the archdiocese, cyberthieves obtained the bank login credentials of the Diocese and used dozens of unsuspecting ‘mules’ hired through work-at-home scams to move the money.

ACH fraud has been increasing significantly in the last 12 months. You can see Dan Kaplan of SC Magazine interview me on this subject at this link.

The scam works like this. First, the thieves steal bank login data that will allow them to initiate ACH transactions. Often these credentials are stolen through malicious software inadvertently downloaded from an infected website or attached to an email. The criminals recruit well-intentioned people from job boards to “work” for a fabricated company. The criminals then ACH the money to these newly recruited “mules” who, in turn, transfer the money to another account. The mules are allowed to keep a percentage of the money as a fee for their efforts.

How can this have been prevented? First, banks should ensure they comply with the FFIEC guidelines requiring multi-factor authentication for account logins. Even if a bank is using multi-factor authentication, it is advisable that people or companies look for banking institutions that use more robust forms of authentication such as token-based, two-factor authentication. This would require that both a password and a code from a physical token be entered to access the bank account. Second, companies and individuals should keep a close eye on their accounts to look for any suspicious activity that may indicate someone has accessed the account.

WARNING! Sales pitch: ProPay announced the release of our ACH tokenization service to help protect companies against the theft of ACH data and resulting fraud like that detailed in this blog post. ProPay’s ACH tokenization solution replaces ACH account data with a useless token to prevent the theft and subsequent use of actual account data. Additionally, ProPay employs robust multi-factor authentication, including X509 certificate-based, two-factor authentication to protect merchants’ login credentials from being stolen and used maliciously. Contact us today for more information.

Chris Mark; EVP, Data Security & Compliance

You can read more about ProPay’s ACH Tokenization in the Digital Transaction article: “ProPay Takes Early Lead in Extending Data Protection to ACH”  but we will summarize here.  In speaking with numerous merchants over the years it became obvious that while many were actively pursuing PCI DSS compliance they often did so at the expense of protecting other sensitive data.  ACH data, in particular, exposes companies to significant risk of compromise.  While other types of cybercrime are decreasing, Gartner’s Avivah Litan states that ACH Fraud is actually increasing.  You can read some of Avivah’s comments here.

Although ProPay is proud of achieving ACH tokenization to help protect clients’ data, we are most proud of the flexibility of the ProtectPay suite that enables ProPay to protect data that is outside of the transaction process. While most, if not all, of the tokenization providers focus solely upon transaction data such as that sent for authorization, ProPay has taken a leadership role in providing both payment card transaction encryption and tokenization, as well as tokenization of data external to the payment card transaction process. ACH tokenization is simply representative of the flexibility inherent in the ProtectPay product suite.

With nearly 4 dozen (yes 48) state data breach or data protection laws now in the books, companies need to be even more aware of the risks associated with storing other types of data aside from payment card transaction data. A quick investigation will demonstrate that while important, PCI related data (cardholder data, sensitive authentication data) arguably exposes companies to less risk than other types of PII and financial data.

You can read the ProPay press release here.