Thursday, 16 November 2017

Bank Transfers using ABA Payment files: A Warning

If you use an “ABA” or Australian Bankers Association (see file for payment runs, please read this.  

An ABA file is a text file that contains all the transactions for a payment “run”.  It is uploaded to a bank’s website and the payments listed in the file are executed.  We were told of this, very expensive, security breach (it did not happen to a WK-Consulting client).

Just as ransomware can change your files by encrypting them a criminal can change your ABA file, or trick you into doing this for them.  The image below is of a sample ABA from the Cemtex ABA website link.

In the breach described to us all of the account numbers in a payment run ABA file were changed to accounts that the criminal controlled.  The amounts were not changed, so as not to raise suspicion.  The entire run was transferred to the criminals and the payments had to be transferred correctly a second time - ie the unfortunate payee was very much out of pocket.

Please:  at least spot check transfers in your ABA file.  The payment transfer summary will also be displayed in your bank’s web payment portal before you hit confirm.  Check the account numbers there also.  Even if you have just generated the payment ABA file in your own accounts application.

Please do not:  automatically trust an ABA file you receive via e-mail or download from a website.