These fraudulent transfers can easily go unnoticed for 24 hours, he says, but even if it's a shorter period it's certainly long enough for the criminals to shift the funds again and make them impossible to recover.
Before the exposed batch folders can be altered, though, hackers first have to break into bank LANs and gain enough privileges to access the shares that contain them. Robbins says in his penetration-testing experience hackers can escalate to domain administrator in financial institutions about half the time using phishing in combination with other common hacking methods. Once they've done that they can almost always find ACH folders, he says.
The researchers have come up with a proof-of-concept of this hack, which they say they have presented to various financial institution associations and to NACHA, which manages the development and administration of ACH. After two months of responsible disclosure, they have decided to publicly reveal it. Recently they have been in touch with NACHA and they feel some progress is being made toward fixing the problem.
One way to address the problem is to encrypt all transaction files before they come out of the secure core network, Henry says. If that can't be done, the ACH system and the means to electronically send funds should be replaced.
All access to these files should be logged, and write access to these files from machines outside the core network should be prohibited, he says.
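The two controls above (keep the files protected before they leave the core network, and deny or at least detect writes from outside it) can be complemented by an integrity check that the core network performs before any batch is uploaded. The following is an added example written for this article, not code from the researchers or from NACHA. It uses an HMAC manifest rather than encryption (integrity rather than confidentiality, so it is a complement to the encryption the researchers recommend, not a substitute), and the key, file names, directory layout and batch contents are all constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical key: in a real deployment it would live only on the core
# network (HSM or secrets store), never on the business LAN that hosts the share.
SIGNING_KEY = b"example-core-network-key-do-not-use"


def file_mac(path: Path, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the whole batch file, hex-encoded."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(batch_dir: Path, manifest: Path, key: bytes = SIGNING_KEY) -> dict:
    """Run on the core network right after a batch is produced.

    Records an HMAC for every batch file so that any later change made on the
    share (from the business LAN or anywhere else) can be detected before upload.
    """
    entries = {p.name: file_mac(p, key) for p in sorted(batch_dir.glob("*.ach"))}
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify_manifest(batch_dir: Path, manifest: Path, key: bytes = SIGNING_KEY) -> dict:
    """Run on the core network just before upload.

    Returns a report with four lists: ok, tampered, missing, unexpected.
    Anything other than an empty tampered/missing/unexpected set should block
    the upload and raise an alert.
    """
    if not manifest.exists():
        # Fail closed: a deleted manifest is itself a sign of interference.
        raise RuntimeError("manifest missing; refusing to upload batch")
    expected = json.loads(manifest.read_text())
    present = {p.name: p for p in batch_dir.glob("*.ach")}
    report = {"ok": [], "tampered": [], "missing": [], "unexpected": []}
    for name, mac in expected.items():
        p = present.get(name)
        if p is None:
            report["missing"].append(name)
        elif hmac.compare_digest(file_mac(p, key), mac):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    for name in sorted(present):
        if name not in expected:
            report["unexpected"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: two batch files, one of which is altered on the share
    between manifest creation and the pre-upload check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Placeholder contents, constructed for the example; not real ACH records.
        (d / "batch_001.ach").write_text("payee=ACME PAYROLL;amount=1000.00\n")
        (d / "batch_002.ach").write_text("payee=VENDOR INC;amount=2500.00\n")
        manifest = d / "manifest.json"
        write_manifest(d, manifest)
        # Represent an edit made to the file after it left the core network.
        (d / "batch_002.ach").write_text("payee=OTHER ACCOUNT;amount=2500.00\n")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the key never leaves the core network, a machine that can only write to the share cannot produce a valid MAC for a modified file, so the edit surfaces in the `tampered` list at verification time; the `missing` and `unexpected` lists catch deleted or injected files. The check runs in the core network before upload, which is exactly the window the article says matters, and its result is something that can be logged alongside the file-access logging the researchers call for.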
Robbins admitted that the largest banks, those that account overwhelmingly for the monetary value of total transactions, upload transfers electronically directly from their core banking networks.
Some smaller banks outsource their core networks but still expose ACH files to their business networks, he says. Sometimes the outsourcers place their core networks on the bank's corporate LAN.