Is ACH Secure?

Sep 15, 2016 by Scott Campbell

I recently had dinner with the CIO of a mid-sized regional bank. I asked him what his biggest concerns were and he didn't even hesitate when he rattled off "security". I asked him what specifically he was most worried about and he relayed this story:

Recently one of their larger commercial clients nearly lost $4M to ACH fraud. This enterprise customer sends B2B payments to large, trusted vendors via eInvoices daily. Unfortunately one of the customer's email accounts was compromised, and a scam artist saw an invoice. He watched the pattern and spotted a vendor with a regular invoice of over a million dollars paid by ACH. At that point all he needed to do was email the customer, pretend to be the vendor, and let them know that the vendor's ACH account number had changed. Scary, I know.

You see, ACH has no built-in authentication or verification mechanism. You simply give it an account and routing number and it sends the money blindly. Nothing in the transaction ties that account number to the payee you think you are paying, so without modern authentication there is no built-in way to ensure you are sending money to the right account, or to an account its rightful owner controls. Sadly, this hacker, simply by telling them a new account number, which happened to be at his own bank, was able to reroute $4M to himself.

Fortunately, this story had a happy ending because an employee at the bank happened to catch an odd-looking transaction right after it occurred and was able to pull the money back before the hacker could withdraw it. But because that relied on manual intervention, the hacker could just as easily have withdrawn the money sooner, and the customer (or the bank) would have been out the money. And if you think card solutions are any better, they are vulnerable to the same sorts of problems. So how do you secure a B2B electronic payment?
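The check that saved this customer was a person noticing an odd transaction. As an added example, not code from the original post or from any bank's system, here is that check automated in Python: it validates the routing number's ABA check digit (the only thing the number format itself guarantees) and then flags any outgoing payment whose beneficiary account differs from the account that vendor was paid to before, so an "our account number has changed" email raises a hold before the file is released. All vendor names, account numbers, amounts and the large-amount threshold are constructed for the example.

```python
"""Added example (not from the original post): automate the check that the bank
employee in the story performed by hand.

Two things get run together when people say ACH "verifies" a payment:
  1. format validation: an ABA routing number carries a check digit, so a
     mistyped number is rejected;
  2. ownership verification: nothing in an ACH entry ties the account number
     to the payee you believe you are paying.

The code does (1) and then does the part the network does not do: it compares
each outgoing payment with the beneficiary account used for the same vendor in
settled history, so a changed account raises an alert before the money moves.
All vendor names, account numbers, amounts and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


def routing_number_is_well_formed(rtn: str) -> bool:
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10.

    Passing this test says nothing about who owns an account at that bank.
    """
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    d = [int(c) for c in rtn]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


@dataclass(frozen=True)
class Payment:
    vendor: str
    routing: str
    account: str
    amount: float


def screen_payments(history, outgoing, large_amount=100_000.0):
    """Return (payment, reason) pairs that need an out-of-band callback to the
    vendor before the ACH file is released.

    history:  payments that already settled; used to learn each vendor's known
              (routing, account) pairs.
    outgoing: payments about to be sent.
    """
    known = defaultdict(set)
    for p in history:
        known[p.vendor].add((p.routing, p.account))

    alerts = []
    for p in outgoing:
        if not routing_number_is_well_formed(p.routing):
            alerts.append((p, "routing number fails the ABA check digit"))
        elif p.vendor not in known:
            if p.amount >= large_amount:
                alerts.append((p, "first payment to this vendor at or above threshold"))
        elif (p.routing, p.account) not in known[p.vendor]:
            prior = sorted(known[p.vendor])
            alerts.append((p, f"beneficiary account changed; previously paid to {prior}"))
    return alerts


# Constructed sample data. The routing numbers pass the check digit; the
# vendors and account numbers are made up.
SAMPLE_HISTORY = [
    Payment("Acme Supply Co", "011000015", "4455667788", 1_150_000.00),
    Payment("Acme Supply Co", "011000015", "4455667788", 1_240_000.00),
    Payment("Acme Supply Co", "011000015", "4455667788", 1_180_000.00),
    Payment("Northwind Parts", "011000015", "1122334455", 25_000.00),
]

SAMPLE_OUTGOING = [
    # The "we have changed banks" payment from the story.
    Payment("Acme Supply Co", "021000021", "9988776655", 1_210_000.00),
    # Same account as always: no alert.
    Payment("Northwind Parts", "011000015", "1122334455", 26_500.00),
    # First payment to a vendor, above the threshold.
    Payment("New Vendor LLC", "011000015", "5566778899", 250_000.00),
    # Last digit mistyped: fails the check digit.
    Payment("Typo Vendor", "021000022", "1234567890", 5_000.00),
]


if __name__ == "__main__":
    for payment, reason in screen_payments(SAMPLE_HISTORY, SAMPLE_OUTGOING):
        print(f"HOLD {payment.vendor:16} ${payment.amount:>12,.2f}  {reason}")
```

Run as a script it prints a HOLD line for the Acme payment (account changed), the New Vendor payment (first large payment) and the mistyped routing number, and nothing for Northwind. The point of the split between the two functions is the one the story turns on: the check digit would happily pass the scammer's routing number, because format validation and ownership verification are different things, and only the history comparison notices that the money is about to go somewhere new.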

eCheck is what we recommend for all larger-dollar commercial payments. Because it is built on modern Internet principles, it uses standard enterprise security practices to perform both verification and authentication. eCheck uses OAuth (the same delegated-authorization standard used by Google, Facebook, Microsoft and many other modern Internet companies), so you sign in with your identity provider and eCheck receives a token proving who you are, rather than eCheck itself handling your username and password. It then connects to the banking network to perform multi-factor authentication to confirm that you are the owner of the account in question. It never relies on bare account, routing, or card numbers, which anyone who sees an invoice can copy, but only on verified credentials. With eCheck you have peace of mind that