The fact that the number of cybersecurity incidents affecting companies is rising at an alarming rate year over year hardly raises eyebrows anymore. It’s a notion as commonplace as putting pumpkin spice in everything the minute fall arrives.
But that doesn’t change the reality that there was a 38% increase in cyber security incidents from 2014 to 2015 (PwC, 2016). Or that the FBI has seen a 270% increase in identified victims and exposed loss as a result of a dramatic rise in business e-mail compromise scams. This is all likely to be even worse for 2016. And now we have same-day ACH.
I can’t help but think about the I Love Lucy episode where Lucy and Ethel are helplessly stuffing chocolates into their mouths as they try to keep up with a speeding conveyor belt full of candy that needs to be wrapped. It’s how I imagine banks must feel as they now face the prospect of securing the flood of same-day payments they’re receiving. Most banks were already struggling to stay ahead of the rapid-fire pace of security threats. Same-day ACH is like their own version of Lucy and Ethel’s conveyor belt, with security threats shuttling in at an impossible pace and threatening the very foundation of their organization.
Don’t get me wrong. Same-day ACH is a tremendous (and long overdue) advancement in payments technology. But the rate at which payments will now be processed does present some very serious implications for the banks that need to secure those payments.
Standard ACH payments have historically been tough for fraudsters to exploit because perpetrators couldn’t easily infiltrate the businesses making these payments and because there were sufficient time and resources to review transactions. The increasing threat of business e-mail compromise, combined with a same-day processing window, now makes ACH transactions significantly riskier.
To further compound the problem, the payment fraud detection systems used by most banks are lacking in a few key areas…
A reliance on back-office monitoring. It’s not reasonable to expect that people would be able to review the increased volume of transactions that will occur as a result of same-day ACH – and they certainly can’t do it in the necessary timeframe. It simply isn’t possible. Same-day ACH ultimately means that manual processing is no longer a valid approach to fraud detection. Effectively securing payments, particularly at the speed at which they will now be occurring, requires automated, real-time fraud intelligence that monitors transactions from the point of origination.
A lack of investigative and audit tools. Banks generally don’t have the right tools and systems in place to investigate suspicious activity quickly enough. To efficiently address the threats posed by same-day ACH, it’s critical not only to proactively detect suspicious activity but also to prioritize alerts in the right order to respond to the biggest threats first. Tools that incorporate risk scoring, data visualization and link analysis can speed up investigations and provide a powerful audit trail that empowers investigators.
An inability to block transactions. Identifying fraudulent transactions is only half the battle in securing same-day payments. Stopping those transactions before they happen is even more important. Unfortunately, most banks don’t have an easy way to stop transactions in real time, which leaves them vulnerable to significant, and typically unrecoverable, financial losses.
The situation isn’t as fatalistic as it sounds. While fraudsters are hard at work devising schemes to exploit the risks inherent in same-day payments, it is possible for banks and organizations to protect themselves from being the next big cybersecurity headline. It ultimately all comes down to thinking about security in a new way. The threats we face today are completely different from the threats of even a few years ago. Our approach needs to evolve as well, in a way that starts with basic common sense.
To provide the best protection against the risks associated with same-day ACH, banks should:
Take a fresh look at the building blocks of their security strategy, to make sure they’re up to the challenge of present-day threats.
Assume they will be breached, because it’s only a matter of time. With that in mind, make sure there are protections in place to identify threats in real time and keep fraudulent transactions from being completed.
Get reacquainted with their institution’s security needs from every angle to make sure they’re taking a multi-layered approach that uses the right security solutions at every level.
Harden critical systems to lock down vulnerable access points.
Evaluate the cyber hygiene practices of staff to make sure they’re in compliance with security policies and conduct training if they aren’t.
There’s a lot that can be admired in Lucy and Ethel’s hilarious approach to their candy debacle, most notably that they did everything they could to handle the unstoppable force they were faced with. Unfortunately, the lesson that can be taken from it is that approach means everything. Being haphazard will get you nowhere, especially when it concerns the risks associated with same-day ACH.
Boaz Krelbaum is general manager of cyber security for Bottomline Technologies.