Financial Fraud Analysis of Automated Clearing House - Boon to Doom

By balaji

June 17, 2011

In the beginning, fund transfer between banks was limited locally. To transfer funds internationally, one would have to bring foreign currency into the country and then convert it into local currency. Today, international fund transfer is just a few clicks away thanks to Payment Gateways and Internet Banking. Many of the banks provide Fund Transfer options from foreign countries like the US and the UK to India due to the Automated Clearing House (ACH).

In the beginning, fund transfer between banks was limited locally. To transfer funds internationally, one would have to bring foreign currency into the country and then convert it into local currency. Today, international fund transfer is just a few clicks away thanks to Payment Gateways and Internet Banking. Many of the banks provide Fund Transfer options from foreign countries like the US and the UK to India due to the Automated Clearing House (ACH).

ACH is an electronic network for financial transactions in the US. It can process large volumes of credit and debit transactions, including direct deposit payroll and vendor payments, such as direct debit for insurance premiums, mortgage loans, etc.

The rules and regulations for ACH are established by NACHA (National Automated Clearing House Association) and the Federal Reserve. NACHA represents more than 12,000 financial institutions directly, and around 650 organizations through its industry councils.

An example of an ACH process for international fund transfer to India is shown below:

  • Visit the bank's website and register online for transferring funds to India. For registration, the user is required to provide his/her SSN (Social Security Number), name and address, proposed username and password as well as mobile number.
  • After the user is successfully verified by a simple background verification of the SSN and OFAC (Office of Foreign Assets Control) checks, as well as ACH transactions, the user is able to start the process of fund transfer from the US to India.
  • Altogether, it takes around a couple of hours to a few days for the whole verification process to be completed.

The Verification Procedure

  • Validation of the information provided during registration is carried out by an external agency. The user's name is verified against the OFAC list.
  • The SSN, name, address, etc. are verified by an agency that maintains databases.
  • The account number is verified by initiating three ACH (Automated Clearing House) transactions conducted by the system.

Who Are Involved?

OFAC is the office at the US Department of the Treasury that administers and enforces economic and trade sanctions against targeted foreign countries, terrorism-sponsoring organizations, and international narcotics traffickers based on the US foreign policies and national security goals. OFAC blocks the assets of foreign countries subject to economic sanctions; controls participation by US personnel, including foreign subsidiaries, in transactions with specific countries or nationals of such countries; and administers embargoes on certain countries or areas of countries.

According to the US Patriot Act - Section 326, every financial institution needs to verify the identification of every new account holder. Section 326 states: "Take reasonable and practical steps to verify the identity of any person seeking to open an account; Maintain records of the information used to verify a person's identity, including name, address and other identifying information; And consult government lists of known or suspected terrorists or terrorist organizations to determine whether a person seeking to open an account appears on any such list."

How ACH Verifies Account Credibility

To ensure that only an authentic person can authorize money transfers from their source account (USD Bank Account), the ACH procedures are carried out as a means of security measure. This process is called the Account Verification Process. The process involves debiting and crediting a random nominal amount (maximum of 1 USD) to the source account. After this transaction, the user has to check what the exact amounts of the transaction were by looking at his/her account statements (or even through Internet banking), return to the Registration page and enter the transaction amounts to confirm the credibility of the account.

It is vital for the customer to refer to the bank statement of his/her source account (account in the US) and enter the exact amount in the space provided on the site. The account will be blocked for the ACH facility if the correct amount is not provided in three consecutive attempts.

Once the account is verified by key organizations like OFAC and ACH, the next step would involve adding beneficiaries to the account in order to receive funds. When a beneficiary is added to the account, the system sends a one-time password (valid for a short duration) to the registered mobile number of the user for confirmation. After the user enters the correct code on the website, the beneficiary is added to the account. Once the registration is successful, transactions can start immediately.

I didn't make that transaction: Worst fear realized


One of the main issues with ACH transactions is the difference in the timeframe between the ACH transaction initiation and cancellation provided by the bank, and the timeframe between the consumer receiving the monthly statement and the 60 days rendered by the Electronic Fund Transfer Act of the US. The Act states that "if the owner of the account claims that, they have not authorized the transaction that has occurred within a period of 60 days of the transaction; the US Bank should credit the money back to the account and issue an investigation into the matter". This is represented in above Figure.

Here, the same fear was realized. Funds were transferred to various beneficiaries in India and the beneficiaries withdrew the money from their accounts. But, a few days down the line, the owner of the source account claimed that he/she did not authorize the transaction. Now according to the Act, the US bank is required to credit the funds back to the source account. But when the remittance bank (which credited the funds to the beneficiary) attempted to contact the beneficiary to collect the withdrawn amount, it was found that the details of the beneficiary were fake.

Paladion was entrusted by such a remittance bank to conduct a fraud analysis, understand the process flow, identify the hidden flaws and recommend steps to mitigate similar future threats.

The analysis began with logs from the Payment Gateway servers. Logs specific to the accounts were identified and logs pertaining to events ranging from account creation to the last transaction were collected. A process review was conducted to understand the exact flow from account creation, verification, beneficiary addition and then to transactions.

After studying the logs, it was found that most of the illegal activity was carried out using compromised accounts. The accounts in question had been hacked completely. The malicious user knew the name, address, bank account details (possibly hacked) and even the SSN numbers of the users (who were identified to be legetimate US citizens).

The IP addresses in the logs were checked using open IP checking services like McAfee's, Cisco's and, and were identified to be accessed from Nigeria and/or running from an anonymous proxy.

Technical Recommendations

After a thorough analysis, Paladion recommended the following controls to be put in place in order to protect/detect similar future threats.

  • Use a combination of a web application firewall and reverse proxy with features like IP filtering, geolocation, IPS functionality, etc. to protect against web-based attacks (IP spoofing, use of anonymous proxies, etc.).
  • Activities performed from blacklisted countries should be blocked or should be kept on hold for further enquiries.
  • Activities performed from different IP addresses with different geolocations should be blocked/kept on hold for the same user account. For example: User "xyz" has logged in at 6:16:09 PM on 5/6/2010 with IP at the location: US and then logged in again at 9:56:45 PM on 5/6/2010 with the IP at the location: Nigeria. With the time zone difference of 5 hours, it is not possible for the same user to have logged-in from both the locations.
  • Real-time monitoring and alerts of web and application server logs should be implemented.
  • Real-time fraud-monitoring applications can be used, which have inbuilt intelligence. These can be customized according to the bank's requirements.

Process-Level Recommendations

Along with technical recommendations, Paladion also recommended a few changes that can be implemented by the remittance bank to ensure that its interest is protected:

  • For every new beneficiary, an added ACH test should be performed.
  • Insurance protection can be taken in the US for protection against denial of transactions.
  • The registered mobile number of the user should be verified in the US.

Tags: Features