A Qualified Security Assessor at the PCATS annual conference in New Orleans this January mentioned to attendees that cyber-thieves are targeting automated clearing house (ACH) transactions to drain checking accounts.
Thieves inject "key loggers" into PCs, usually through email or insecure Web site vectors, that constantly sift through entered and transmitted data on the unsuspecting user’s PC. Of particular value to these thieves: access credentials and routing and transfer information for a business or consumer checking account. Exploiting a security flaw in the ACH system – whereby the transactions are not verified (e.g., by PIN) and are not cleared in real time – thieves clean out accounts before anyone notices the cash is gone.
Recently, according to this QSA, one small jewelry merchant was cleaned out of $1 million in less than 36 hours this way. The thieves obtained all the credentials and account information needed to access the main account, but how they transferred the money is ingenious. They took out an employment ad for a fictitious business and "hired" about 100 applicants, requesting their bank account details "in order to set up direct payroll deposit."
The thieves then transferred $9,999 into each "employee account" (under the IRS red flag amount) by accessing the chain’s disbursement account with the stolen credentials.
The next day, the thieves wrote ACH transfers on the "employee" accounts to deposit in a central European bank – and the money was promptly withdrawn as cash.
Think your online banking system is safe? So did this chain. Install anti-malware and anti-virus software, and keep them up to date. Also consider using a dedicated, secure PC for all online bank transactions – you never know who’s watching your keyboard.
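The payout pattern described above (one disbursement account sending just-under-$10,000 amounts to many different payees within 36 hours) is something a merchant or bank can alert on. The following is an added example, not part of the original article: the tuple layout, account names, 5% margin and five-payee minimum are assumptions, and the sample transfers are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_structured_payouts(transfers, threshold=10_000, margin=0.05,
                            window=timedelta(hours=36), min_payees=5):
    """Return {source_account: (distinct_payees, total_amount)} for accounts
    that send just-under-threshold amounts to many payees inside one window.
    transfers: iterable of (timestamp, source_account, payee, amount)."""
    floor = threshold * (1 - margin)          # assumed "just under" band
    near = defaultdict(list)
    for ts, source, payee, amount in transfers:
        if floor <= amount < threshold:       # exactly at threshold is excluded
            near[source].append((ts, payee, amount))

    alerts = {}
    for source, rows in near.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the burst fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            payees = {p for _, p, _ in burst}
            # Keep the largest burst seen for this source account.
            if len(payees) >= min_payees and len(payees) > alerts.get(source, (0, 0))[0]:
                alerts[source] = (len(payees), sum(a for _, _, a in burst))
    return alerts

def sample_transfers():
    """Constructed data: one drained account and one ordinary account."""
    t0 = datetime(2024, 1, 8, 9, 0)
    # 100 "new employees" paid $9,999 each, ten minutes apart (16.5 hours total).
    rows = [(t0 + timedelta(minutes=10 * i), "DISB-001", f"EMP-{i:03d}", 9_999)
            for i in range(100)]
    # Recurring near-threshold payment to a single known vendor: not a burst.
    rows += [(t0 + timedelta(days=14 * i), "DISB-002", "VENDOR-A", 9_800)
             for i in range(6)]
    # Ordinary payroll, well below the band.
    rows += [(t0 + timedelta(hours=i), "DISB-002", f"STAFF-{i}", 2_150 + 10 * i)
             for i in range(8)]
    return rows

if __name__ == "__main__":
    for account, (payees, total) in flag_structured_payouts(sample_transfers()).items():
        print(f"ALERT {account}: {payees} payees, ${total:,} in near-threshold transfers")
```

Because ACH transfers are not cleared in real time, an alert like this is most useful when it holds the batch for manual confirmation before release.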