ACH Fraud: How to Beat It
Jim Woodhill Fights Against Corporate Account Takeover
The founder and former chairman of security vendor Authentify, Inc., Woodhill is retired from business now and focused solely on his activism on behalf of victims of corporate account takeover.
"The problem must be solved, and it must be solved quickly," says Woodhill, who recently met with U.S. Sen. Charles Schumer to discuss the problem and potential remedies - including Schumer's bill to amend Regulation E to protect municipalities and school districts.
Woodhill left the Schumer meeting convinced that Congress wants to see the private sector propose potential solutions to this fraud challenge, and he's now working to deliver such a plan by the end of March. "I will be working on pulling together the necessary players to deliver [a plan] to Sen. Schumer's office," he says.
In an exclusive interview, Woodhill discusses:
- What banks and businesses learned about ACH fraud in 2010;
- An update on the lobbying effort for Congress to extend Reg E to protect corporate accounts;
- What needs to happen in 2010 to protect banks and businesses from ACH fraud and corporate account takeover.
Woodhill worked in enterprise computing for over 40 years, first for customer organizations, then for software vendor companies and as a venture investor.
He serves on the advisory board of San Francisco-based Resilient Networks, Inc. Woodhill holds private equity positions in Secorix, RiskWatch, Datacert, Inc., and Courion Corporation. He was the first professional investor in AnswerLogic (purchased by Primus Knowledge Solutions) and in Securant Technologies, Inc. (purchased by RSA Security). He was on the board of Colorado Springs-based Configuresoft, Inc. from its founding to its acquisition by EMC Corporation in May of 2009.
TOM FIELD: Jim, it's been several months since we've spoken. Why don't you give us an update on what you are doing now professionally in terms of your activism on this issue?
WOODHILL: Well, I've been retired from active for-pay work for over a decade now, but I have served on the boards of various companies, largely security companies in which I'm invested. But I have moved completely to the activist community and away from the vendor community, so I can devote all my time to working on the problem that you framed at the beginning of this interview.
ACH Fraud: Are We Better off Today?
FIELD: Well, let's tackle this question I asked up front, Jim. In terms of ACH fraud, are banking business customers better off now than they were at the start of 2010?
WOODHILL: They are worse off. The crime has grown in the rate at which it is occurring. There is nothing that has happened that the victims are any more aware of the potential -- they are no more aware of the threat they are under than they were a year ago. The antivirus products still don't see this threat coming and stop it. Microsoft has not done anything to make Windows more secure, and there is no apparent movement in the banking community to make the processes more secure at the server.
FIELD: Now, Jim, I know you've been involved with this from the start. You've been intimately involved with some of the victims. You've been a part of the dialogue in Washington, D.C. It is a topic you know well. What would you say that we have learned about ACH fraud?
WOODHILL: Well, it's become obvious that Congress is going to have to act. If the ACH fraud is going to be stopped, it will be stopped by political pressure and, if necessary, legislation, not by the voluntary actions of the service industry.
FIELD: And why do you say that, Jim?
WOODHILL: This is a beaten problem. Technically, the security solutions existed five years ago to prevent every single documented Zeus attack that has emerged. These are such anomalous transactions, and Zeus is vulnerable to totally out-of-band transaction confirmation techniques. So, we have to figure that if the financial services industry was going to stop the problem ... they would have by now. But also their public position is that they are not responsible for safeguarding their depositors. They only safeguard their own inside-the-firewall IT, and their customers are out there in the client cloud. So, if someone doesn't take responsibility for solving the problem, they're not going to solve it, and this is the kind of problem that inherently cannot be solved by the customers themselves, because they are not Windows cybersecurity experts. They are church members, and public library managers, and small business owners and charity executives. They are not cybersecurity groups.
Impact of Guidance
FIELD: So, Jim, earlier in the year, guidance came down from the ABA, the FS-ISAC and FBI that was to guide banking institutions and their corporate customers on ways to avoid becoming victims of fraud. What are your thoughts on the guidelines that came down?
WOODHILL: Well, the same thoughts I had on the previous FS-ISAC guidelines that came out a year or more earlier than that. They won't make any difference because you simply cannot address a problem like this with education. You cannot get the word out at a societal scale in less than a couple of generations. It takes a full generation -- 20 years -- to ripple a change in medical practice through a medical specialty exactly the size of the independent community bankers of America. So, with 23 million account holding entities in America, there is no way to do it.
Reg E Amendment
FIELD: Now, one of the things you've talked about throughout the course of the year is the possibility of amending Regulation E so that it offers to corporate customers the same protections from fraud losses as consumers. And I know you met last week with Senator Schumer, who had sponsored a bill that would amend Regulation E. What can you tell us about that meeting and progress toward the objective?
WOODHILL: Well, you know, it is an example of democracy as it is supposed to work. That is: That bill was not a result of anybody lobbying for anything. It was multiple victims in New York State approaching their senator on the Banking Committee, describing how they had been victimized, the senator's staff reacting to that victimization with legislation to address the problem. The legislation narrowly focused on just municipalities and school boards, trying to avoid doing too much too quickly, and you know Senator Schumer's staff has taken the only idea that has been [discussed] in the intellectual marketplace, which is Regulation E extension, and they've done that because there have been no competing proposals.
FIELD: And your thoughts on the prospect of this Regulation E being amended, based on your conversations?
WOODHILL: Well, something will be done, Tom. You know, the political system of America will not tolerate year after year of Choice Escrows and school districts being victimized by eastern European cyber criminals. Also, we have to remember, it wouldn't even be enough for the banks to step up and absorb the losses themselves. This money is flowing through foreign enemies of the United States who are using it to fund and indeed to create more, better and different attacks against our banking infrastructure. So the losses have to stop, not be shifted around.
Response to the ABA
FIELD: Now, Jim, I know you have been critical to some extent of the banking industry's response to corporate account takeover and ACH fraud. What is your response to what you've heard, say, from the American Bankers Association on this topic?
WOODHILL: Nothing they have proposed will solve the problem ever, much less solve the problem quickly, surely, and with no disruption to the business model of community banks in this country. We have to remember that if the enemy can force us to change the way we do business in this country, to force community banks out of online banking or force every small company in America to try to be a cybersecurity expert, that is a victory all of its own. We must not let them have that victory. We must find a solution that doesn't require any community bankers to know about this problem, much less 23 million churches and districts and public libraries.
2011 Agenda
FIELD: So if you could boil it down, Jim, looking to 2011, what needs to happen in this year to protect banks and businesses from ACH wire fraud and corporate account takeover?
WOODHILL: Somebody has got to come up with a plan quickly, like by the end of 2011. My concern with Senator Schumer's bill is that it will prevent small organizations from being bankrupted or children in rural New York from going without their music lessons, but it just moves the problem from one set of people who can't deal with it to another set of people that -- you know, can community bankers become cybersecurity experts? Of course. Cybersecurity, there is a lot to it, but none of it is any more complex than banking. The problem is that we need bankers doing banking. We need them making loans, not dropping everything and trying to learn about the cybersecurity threat landscape.
FIELD: So, Jim, what will you be doing on the activist front in 2011?
WOODHILL: Well, in our meeting with Senator Schumer's office they expressed a great desire for an alternative. Congress is not staffed to propose. Congress can only dispose. Congress decides when it must act, and then it chooses between alternatives presented to it, and right now the alternatives presented to it are, in effect, do nothing or extend Regulation E to cover more and more accounts, and neither of those things inherently stops this problem, much less stops it quickly, surely, and without damage to small bank business models. So, I will be working on pulling together the necessary players to deliver that plan to Senator Schumer's office. That is my highest priority.
FIELD: What is your deadline on that, Jim?
WOODHILL: If we are going to have the problem beaten by the end of the year, I would say first quarter. It is fortunate that the likely solutions can be done very quickly. So, probably by the end of this quarter I hope to have either the necessary players on board, or for them to say no and have Congress understand that they are going to have to force a solution rather than have the private sector step forward with a solution. I would prefer market mechanisms to governmental regulatory mechanisms wherever possible, and most of this problem is best solved by market capitalism. It just has to be a regulatory framework that basically just says the problem must be solved and it must be solved quickly.