NY Payroll Company Vanishes with $35M (krebsonsecurity.com)
Since this is sort of my beat:
If this ever happens to you, immediately call bank, say “Electronic transaction posted in error.”, specifically identify the transaction, and ask what address the bank takes Regulation E written complaints at. If the CSR doesn’t know that answer, their supervisor does, or in the alternative FedEx HQ addressed to chief counsel or head of compliance. The letter just needs to state transaction details, date you first called them, and your desired action (“Credit me back $X.”), but it’s marginally more effective to say Regulation E in it since that will put the fear of God into whomever opens it.
You’ll get the money back.
Hey Patrick, I'm surprised to see "this is sort of [your] beat". Do transactions like this happen to you often? What sort of speed-to-recovery do you see when you take this approach?
The guy works for Stripe. I’d say as a company they’re pretty savvy about banking regulations in general, and transaction disputes specifically.
His blog also mentions that he's ghostwritten a few hundred letters to various financial institutions in order to resolve errors in credit reports (https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...).
I suspect it's because he works for Stripe now, which handles the electronic transfer of monies. Therefore, Stripe would have to know about Regulation E to be able to operate effectively in that space.
It has been my experience that when working at a company, even if you didn't know or care about the industry/field that company does business in before starting there, you can't help but learn the ins and outs of that field or industry while working there, to at least a partial degree. The particulars of that field will necessarily influence business operations, and therefore, what you do in that company in some form or another. How much one absorbs, and how much he is aware of this will depend on both the individual and the duties of his position, and whether this comes from deliberate training or cultural osmosis. But I don't think that a person could remain completely ignorant of the particulars of an industry after being employed by a company in that space.
That's my theory, anyway. Watch Patrick prove me wrong by describing how he came into knowledge of Regulation E by some other path than training or cultural osmosis while working at Stripe.
While that was a high percentage guess, and I have learned a lot at Stripe, I have pre-existing comparative advantage on this topic as a result of Ctrl-F “weird hobby”: https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...
Not sure I'm correctly parsing "high percentage guess", but nonetheless, after clicking through that link, I feel like a derp, because I'm pretty sure I'd read it before and should have thought of it, but didn't. Oh well.
This was confusing to understand, because multiple bad things happened. Normally:
* Step 1: Transfer funds from each Employer's account to Cachet's holding account
* Step 2: Transfer funds from Cachet's holding account to each Employee account
Both of these steps are handled with an 'instructions file'.
The crime (or horrible mistake that really looks like a crime):
Step 1's file was changed so that the funds went to an account at Pioneer Savings Bank (controlled by MyPayrollHR)
Step 2's file was sent as it normally would be.
Mistake 1: The file for Step 2 was processed, and funds from Cachet's holding account were transferred to employees, despite funds from Employers not coming in.
Apparently Cachet had at least $26M extra in their holding account for this to work.
As a result of this, Cachet tried to reverse these transactions, since basically they hadn't actually been paid.
Mistake 2: The reversal file was improperly formatted. NACHA rules say these files should be ignored or rejected, but..
Mistake 3: Some financial institutions processed the improperly formatted file anyway.
To fix Mistake 2, Cachet submitted a new reversal file, which was then also processed by the companies.
It sounds like this "reversal file" was actually just a transfer in the other direction (as opposed to "undo transaction ID 937641745"), so of course it would make sense that it was processed.
As a result, all employees paid via MyPayrollHR were paid, then had that payment removed. Some also had the same payroll amount removed a second time.
One thing I haven't figured out, is apparently the MyPayrollHR account at Pioneer Savings Bank is 'frozen' -- but I can't find any reporting about whether it has $26M in it or not. Meanwhile the CEO has disappeared.. So did he get the money, or just cause a massive life disruption for thousands of people?
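To make the sequence above concrete, here is an added toy ledger model (not Cachet's, NACHA's or any bank's code; account names and amounts are constructed) of the two instruction files, the funding check that "Mistake 1" skipped, and why a reversal that is just a debit in the other direction can hit the same paycheck twice while an undo keyed on the original entry cannot.

```python
from dataclasses import dataclass, field

HOLDING = "cachet_holding"
DIVERTED = "pioneer_mypayrollhr"   # where the altered Step 1 file sent employer funds (constructed name)
EMPLOYERS = {"employer_a": 1000, "employer_b": 1000}        # constructed payroll amounts
EMPLOYEE_OF = {"employer_a": "alice", "employer_b": "bob"}  # one employee each, for brevity


@dataclass
class Ledger:
    balances: dict
    posted: dict = field(default_factory=dict)  # entry_id -> (src, dst, amount)
    undone: set = field(default_factory=set)

    def post(self, entry_id, src, dst, amount):
        """Debit src and credit dst. As with an ACH debit, src's consent is never checked."""
        self.balances[src] -= amount
        self.balances[dst] += amount
        self.posted[entry_id] = (src, dst, amount)

    def undo(self, entry_id):
        """Reversal keyed on the original entry id: a second attempt is a no-op."""
        if entry_id in self.undone or entry_id not in self.posted:
            return False
        src, dst, amount = self.posted[entry_id]
        self.balances[dst] -= amount
        self.balances[src] += amount
        self.undone.add(entry_id)
        return True


def build_files(step1_destination):
    """Step 1 pulls each employer's payroll into step1_destination; Step 2 pays employees from holding."""
    step1 = [(f"s1-{e}", e, step1_destination, amt) for e, amt in EMPLOYERS.items()]
    step2 = [(f"s2-{e}", HOLDING, EMPLOYEE_OF[e], amt) for e, amt in EMPLOYERS.items()]
    return step1, step2


def process_payroll(ledger, step1, step2, require_funding):
    """Post Step 1, then Step 2. The funding check is the one 'Mistake 1' skipped:
    refuse to pay out unless Step 1 actually landed at least the Step 2 total in holding."""
    before = ledger.balances[HOLDING]
    for entry in step1:
        ledger.post(*entry)
    received = ledger.balances[HOLDING] - before
    needed = sum(entry[3] for entry in step2)
    if require_funding and received < needed:
        return False
    for entry in step2:
        ledger.post(*entry)
    return True


def scenario(require_funding, keyed_reversal):
    """Return (disbursed?, final balances) for the tampered-file case, with the reversal
    file processed twice, as happened when the corrected file was re-submitted."""
    # Holding starts with spare float; each employer holds exactly its payroll.
    ledger = Ledger({HOLDING: 5000, DIVERTED: 0, "alice": 0, "bob": 0, **EMPLOYERS})
    step1, step2 = build_files(DIVERTED)   # the altered Step 1 file
    disbursed = process_payroll(ledger, step1, step2, require_funding)
    if disbursed:
        for attempt in (1, 2):
            for entry_id, src, dst, amount in step2:
                if keyed_reversal:
                    ledger.undo(entry_id)
                else:  # a "reversal" that is just a new debit in the other direction
                    ledger.post(f"rev{attempt}-{entry_id}", dst, src, amount)
    return disbursed, dict(ledger.balances)
```

With neither safeguard the employees end up a full paycheck negative and holding is above where it started; with the funding check the diversion is caught before anyone is paid, and with keyed reversals the re-submitted file is a no-op.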
Thank you for explaining it, you did a great job at helping me understand what happened. The whole process seems way too convoluted for something as serious as paychecks. It really relies on everybody acting in good faith and in the proper fashion. By Cachet working Step 2 before Step 1 and possibly assuming Step 1 was going to happen, they already were too far gone and only made the situation worse for them and a bunch of employees.
The whole idea of ACH transfers and giving everyone write access to everyone's account in this day and age is crazy to me.
There should not be a way for money to leave an account without the account owner's explicit permission.
We insisted that our bank provide positive pay for ACH. If you are a business you should consider this if you hold large balances. It works very well. Only authorized ACH entities up to authorized limits can debit (or I can set it to notify and someone has to approve each one).
There are lots of multi-day delays in the ACH system. It's common to pay money out of an account on the expectation that a matching amount of money will be paid in the same night.
Thanks for the explanation, based on the way Krebs worded the post I couldn't tell what actually happened.
One final step: Cachet is cancelling all of the reversals so everybody should finish up with their usual pay. Of course, this leaves Cachet with a $26 million problem, but this seems to be the least worst short term solution.
If Cachet is doing that then I'm very glad. I don't know what their legal obligations look like, but I imagine they could have said "We weren't paid to perform our service" and left the employees without a paycheck.
Given how many people live paycheck to paycheck... It's a pretty big deal.
In the US anyone with your bank account number can debit your account irreversibly?
In Europe (with SEPA Core) we have 8 weeks to reject any debit even if the entity issuing the debit has a signed mandate to debit the account.
Knowledge of a bank account number is sufficient to attempt to debit it. Whether it will appear to succeed or not depends on the bank and a variety of factors. Regardless of whether it initially succeeds, it is (very) reversible.
There’s a lot of technical nuance here which I’d ordinarily geek out on but don’t quite have the time to today.
Any other bank can debit your checking account, but they become responsible for refunding in the case of fraud/error. Since no access card (ATM card, PIN, etc.) was used, customers have $0 liability for the same 60 days as you do.
This is partly why banks are strict with merchant processing, holding back variable reserves to cover refunds/fraud based on your history and business type.
There are (broadly) similar guarantees in the US. So they will get the money back, at least eventually. The problem is the effect it has when the account has sometimes been debited 2x. If this has made, say, your rent or car payment bounce, you have a big hassle at minimum.
In the UK, direct debit (the equivalent to ACH) allows a consumer to request an instant refund of any payment they believe to be in error. The bank must refund first, and ask questions later.
As you might imagine, some people use that to steal money...
NACHA just uses FTP for their file transfers too
This does seem like a nightmare scenario for the vast majority (4 in 5?) of Americans who live cheque-to-cheque.
Your pay is yanked, life doesn't stop and the bills keep coming. A few days, a week later, it's corrected and the pay reappears. Who's on the hook for your overdraft fees?
Overdraft fees: depends on your bank’s policies. Many low sophistication bank users will eat fees in this case and not attempt to get them reversed or not successfully convince T1/T2 CSRs to push the button for them.
Words which are close to magic here: “The bank assessed this fee incident to an overdraft caused by an EFT which was subsequently reversed under Regulation E. Will the bank waive this fee for me?” (If you are less in a Dangerous Professional mood or don’t have a hobby interest in banking regulation, my next best suggestion is “Can the bank waive this fee since I’m a good customer?” and, if you hear no, “I would be disappointed if we can’t fix this, because I have been a loyal customer for years. What can we do here?”)
More than that. They didn't get paid and instead they got a WITHDRAWAL against their account for their paycheck, twice.
Not only did they not get paid, they got the equivalent amount of their paycheck stolen from them twice over. The larcenous criminals should be the ones to pay back the overdraft fees that were the direct result of their larceny of 4 figure dollar amounts stolen from their accounts.
What is an overdraft fee? How much is it? Is it interest?
This is a flat fee assessed if your account goes into "overdraft" to cover a check (or other liability). If your account is set up to do this (pretty standard in the US) rather than a check failing to clear your bank will cover the check and charge, e.g. $30-$50 for covering it. Of course you owe the overdraft amount as well.
I also think it's mostly meant to be a deterrent. When I had BofA, any time I got overdraft I just called and they would take it off, usually without an explanation.
That's true, but as in other areas I think it probably has a lot to do with how much they value your future business.
Overdrafting is when the balance goes below 0. Policies vary by bank, but generally it's a $25~$50 (could be more or less) for _each_ transaction the bank processes while your account has a negative balance.
So looking at this case, let's say you have to go 7 days until this issue is resolved and the employees are given their paychecks. If they have automatic payments they could find that iTunes, Spotify, bills, etc. automatically charge them during that period. EACH charge might be $45. Say 5 services do it, boom, over $200 in the hole in fees alone.
(If you're ever in the situation listen to the other comments about how to approach the bank about reversing over-draft fees)
It seems the FBI in the NY Albany office is now looking into this.
Honestly, this is really scary. Personally, I would be unable to take a [2x my bi-weekly salary] hit to my account and that would result in a pretty negative balance. I think I recently saw an article about a bank depositing too much money into an account and the account owner spent it then got arrested. It just seems like the people in charge of how we get/hold our money can screw up with minimal blow back, yet the receiver of the money is almost always the one who draws the short straw. I could be wrong, but it really makes me question the safety of (what little) money I have.
They got arrested because $120k was deposited incorrectly and they spent it. Once the bank called them, they continued spending it.
If the couple had left it in their account and returned it when asked, there would not have been an issue.
If you earn 3k a month, one month you get paid 100k, and you spend 5k on normal things, you aren't going to be arrested.
If you earn 3k a month, one month you get paid 100k, and you spend 95k on stuff you don't normally buy, you are going to be arrested.
If you pick up 20 cents from the floor and spend it, you won't be arrested.
If you find $50k in a bag and spend it, you will be.
I'm pretty sure if you find a bag of money on public property, you're under no obligation to actually return it.
This is not correct. If you find a bag of money (or, much more common: a wallet) and you can identify the owner you are obligated to return it. Not doing so is a crime. As it should be.
California Civil Code section 2080.1 for example
"the person saving or finding the property shall, if the property is of the value of one hundred dollars ($100) or more, within a reasonable time turn the property over to the police department of the city"
I'm sure that'll make for some great "well we can't get them on anything else" prosecutions in a few decades as inflation works its magic. Hard coding dollar amounts into law is beyond stupid. At least it's a civil infraction so you should only get a fine in most cases. (I'm making the charitable assumption that having the amount decrease over time was not intended).
Hardcoding dollar amounts into law isn't so bad because future laws can update them. For example, a future law might say "All dollar amounts put into law more than 10 years ago are hereby doubled".
The UK has a similar system for fines. Laws are written that if a particular offence occurs, a "Band A fine shall apply", and a separate bit of regulation says what each band of fine or punishment entails.
>Hardcoding dollar amounts into law isn't so bad because future laws can update them.
Sure, but we all know that never happens until a sufficient number of easy to feel sorry for people get screwed real hard. Those people are getting needlessly screwed because the legislators were lazy. For example, most states have felony charges as an option for vandalism over a certain dollar amount, in some states these dollar amounts are low. This results in teenagers getting threatened with felonies (and the charges inevitably stick sometimes) because cleaning up their mess cost a few hundred bucks. That is a level of draconian-ness that is not ok in a free society.
"Well, if we can't get them on anything else, we'll get them on theft" seems OK to me.
Writing catch-all laws especially ones that require law abiding people to go out of their way in order to follow them seems pretty darn dystopian but I see how one could turn a blind eye to it if it's used for something they want.
How do you have to "go out of your way" to follow a law which says "don't take stuff you don't own"?
Read the cited law. It says you are obligated to report anything you find over $100 to the police. If a bartender finds a wallet with $150 in it, sticks it behind the bar and doesn't report it and the patron comes back alleging it had $200 in it he/she could get screwed. I'm sure you could come up with other examples. The point is that using a specific dollar amount is stupid. Give it some time and $100 will be a lot more like $50. Sure, the law can be changed if the relative value gets too low but there will never be any will to do it unless a real sob story comes along because people don't find property that the owner subsequently wants back all that often.
Bartender could simply leave it alone
A New York police agency has or had the obnoxious practice of leaving bait wallets on subway platforms, and arresting anyone who picks one up and walks past an officer without returning it.
Does that apply to any property that isn't yours?
That's way too broad of a question. They can try and prosecute you for anything. Whether it succeeds depends heavily on the specific circumstances.
The broadness is more in the specific laws in your jurisdiction. However ask yourself if you think these situations are different:
If you find $10k in cash in a bag
If you find a $10k car parked on the street
If you find the latest iphone sitting on a table
Specific laws aside, the pattern of facts still matters a lot.
I get what you're getting at but I'm saying that there are plenty of details that matter regardless of ease of proof that the object isn't yours or whether or not it's foreseeable have been left there under "reasonable" circumstances
Cars and phones are trivially easy to track back to their owner, with cash possession is basically ownership. Cars get parked places, phones get left places, cash does not get left lying around and if you leave cash somewhere you basically forfeit ownership of it since that's the cultural norm since ownership can't be proven.
The specific facts and details matter very much. Time and attempts to find the property by the owner are particularly important. There's a very big difference between leaving your phone at a bar and leaving your phone at a bar for a week, in the latter case the bartender has a nice new phone they can use.
Interesting, and a bit frightening about the lack of security.
I have had to work with the equivalent process for payments in the UK - we were fixing up a problem when the accounts receivable system would not cut the BACS tape for 6 months!
Submitting a BACS tape required the use of one-time codes and a physical device, and this was in the late 80's.
Besides the banking issues, when do the people get paid?
If the disappeared payroll company got money from employers, it's possible some employers may not have enough cash to pay a second time.
Then they're out of business, or close to it.
The old businessman's phrase "You've never had to meet a payroll" is really meaningful here, the scramble to pay everyone.
The article said that Cachet is covering the transactions, even though they haven't been paid. The companies will have to find a new payroll provider before their next payroll, but not have to come up with the extra cash.
If I were Cachet's shareholders, I wouldn't be happy about that...
If I was one of their shareholders, I would be happy instead, as they seem to have come out as the real good guys in the whole story (unless they were legally obligated for covering the mess).
If they begin to offer payroll services directly to some of the affected companies, I imagine the shareholders would be quite happy. They might be out the money until the insurance pays up, but ongoing fees and goodwill could well cover that inside of a year or two.
Is it possible to protect one's direct-deposit wages from (unjustified) ACH reversals, by transferring funds into a different account ASAP after the deposit occurs?
I.e., by maintaining an account that serves only as a temporary inbox for direct deposit?
Yes, and if you don't bank with one of the big banks (BofA, Wells Fargo etc) you'll be fine (those bigger banks deal with so many screwups that they'll just debit a different one of your accounts assuming it was a mistake). Or use two different banks if you can move money back and forth easily and for free.
If you have a company it's really important to create a special account solely for auto debits and move money in there manually. This saved my bacon when ADP mis-debited a couple of hundred $K from a payroll run once.
I think that this doesn't protect you and you would just end up over drafting your account, resulting in fees.
Overdraft fees caused by fraud will probably be reversed. I have never heard of it not happening -- it would be a terrible PR for a bank that allowed for it. It will simply take time.
It ought to be a regulatory incident, not just bad PR.
I'm sure it will be, but bad PR triggers resolution much faster than OCC.
Can't you disable overdraft?
Sure, but at least you'll still be able to pay rent etc without late-payment fees. A single overdraft fee is way less bad.
This is what I do. Not sure if it’ll work for this case, but my primary reason was to remove a single point of failure from my “banking architecture” and avoid the headaches publicized by people on HN that lost access or to their only bank. Hopefully I never will have to find out if it works!
Yes, it is a little bit of a pain in the neck however. Basically you are going to implement your own ZBA with a positive pay ( while some form of a PP may be available to non-business accounts I have never heard of a ZBA + PP combination ). You will probably need to chat with the branch manager in a midsized/regional/community bank as everyone else would look at you as if you had two heads.
The good security policy is this:
1. Have an incoming account. That's the account number that you would be giving to payroll companies/account into which you would get deposits. You should presume that information about this account is known and all the money in this account is at risk. Which means that as soon as money becomes marked as "available" in this account, you have to move the money away.
2. Have a main funds account that has a positive pay type service turned on if your bank offers it. Positive Pay service is the "Notify customer about pending transactions and wait for customer to acknowledge them. If a customer does not acknowledge them by the cut off window, decline a transaction." This is typically done on a treasury management or cash management website of the bank though as recently as two years ago a certain reasonably well known bank still used a fax as a method of sending positive pay requests to customers and getting it back from customers. If your bank does not offer a positive pay type service, have this account coded for no withdrawals. This means that all debit transactions against this account will be declined unless someone on a platform side of the bank overrides it ( most banks have teller sides and platform sides -- platform side are people that you go to talk to inside the branch to deal with the issues with your account ).
3. Have a payment account that you would use to pay others. If your bank has a positive pay service, add it to this account as well. This is the account that you will fund from (2) when you know the amounts of outgoing payments. Money in this account is also at risk which is why you should only fund it with the minimum needed to cover the outstanding payments. If you have "enough money not to care if you are out of a few thousand for a couple of months" you can keep $3k-5k here at all times and just replenish it from (2) once or twice a month -- while this would leave you exposed for $3k-5k it will still protect a bulk of your cash and make your life easier. All of this is a matter of convenience vs. risk -- you should know what your average monthly spend is and you want to expose not more than that plus a few percent for variance.
4. Have a nightly/daily/hourly sweep of all available funds from account (1) to account (2). It can either be done using a service the bank provides, or using online account transfer. Definitely sweep away immediately after a large payment ( such as a paycheck ) or electronic/non-electronic checks post to this account.
5. No debit transactions can post to the account (2) [including bank internal transactions] without an override ( for a coded account) or without a positive pay acknowledgement for a positive pay account. That of course means that if this is not a positive pay account, you would need to show up physically at the bank and have one of the tellers after the teller checks your ID process a transfer of funds from (2) to (3).
If you have a significant amount of money, you should have this setup in several banks.
Remember, your goal is to make issues with money less stressful while you are resolving them. At the end of the day, you will be made whole because we have a fairly strong legal system to get redress. You are trying to make sure that you still have the money while you are using the legal system to deal with the issues.
Source: Did consulting for execs at medium sized banks.
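The three-account layout and sweep described in the comment above, as an added simulation (constructed model, not any real bank's positive pay or ZBA product; account names, policies and amounts are assumptions). It runs the thread's failure mode, a paycheck followed by an erroneous "reversal" presented twice, with and without the nightly sweep, and shows what a positive pay hold and cutoff do to a debit the owner never acknowledges.

```python
NO_WITHDRAWALS = "no_withdrawals"  # coded account: every debit is declined
POSITIVE_PAY = "positive_pay"      # debit is held until the owner acknowledges it
OPEN = "open"                      # plain account: any presented debit posts if funds allow


class Bank:
    """Constructed model of one bank holding the three accounts; not a real bank's system."""

    def __init__(self):
        self.balances = {}
        self.policy = {}
        self.pending = {}  # positive-pay holds: debit_id -> (account, payee, amount)

    def open_account(self, name, policy, balance=0):
        self.balances[name] = balance
        self.policy[name] = policy

    def present_debit(self, debit_id, account, payee, amount, acknowledged=False):
        """An ACH-style debit presented against `account`; returns 'posted', 'held' or 'declined'."""
        policy = self.policy[account]
        if policy == NO_WITHDRAWALS:
            return "declined"
        if policy == POSITIVE_PAY and not acknowledged:
            self.pending[debit_id] = (account, payee, amount)
            return "held"
        if self.balances[account] < amount:
            return "declined"  # item returned for insufficient funds; no overdraft in this model
        self.balances[account] -= amount
        self.balances[payee] += amount
        return "posted"

    def acknowledge(self, debit_id):
        """Owner approves a held debit before the cutoff; it then posts like an open-account debit."""
        account, payee, amount = self.pending.pop(debit_id)
        return self.present_debit(debit_id, account, payee, amount, acknowledged=True)

    def cutoff(self):
        """End of the positive-pay window: every still-unacknowledged debit is declined."""
        declined = sorted(self.pending)
        self.pending.clear()
        return declined

    def sweep(self, src, dst):
        """Move all available funds from src to dst (the nightly sweep from account 1 to account 2)."""
        amount = self.balances[src]
        self.balances[src] = 0
        self.balances[dst] += amount
        return amount


def run_scenario(sweep_nightly):
    """Paycheck arrives, then an erroneous 'reversal' is presented twice, then rent is paid."""
    bank = Bank()
    bank.open_account("incoming", OPEN)         # account 1: the number given to the payroll company
    bank.open_account("main", POSITIVE_PAY)     # account 2: bulk of the cash
    bank.open_account("payment", POSITIVE_PAY)  # account 3: funded only for known outgoing payments
    bank.open_account("payroll_processor", OPEN, balance=50_000)  # constructed outside party
    bank.open_account("landlord", OPEN)
    outcomes = {}
    outcomes["paycheck"] = bank.present_debit("pay", "payroll_processor", "incoming", 2000)
    if sweep_nightly:
        bank.sweep("incoming", "main")
    # Two reverse-direction debits hit the only account number the processor knows.
    outcomes["reversal_1"] = bank.present_debit("rev1", "incoming", "payroll_processor", 2000)
    outcomes["reversal_2"] = bank.present_debit("rev2", "incoming", "payroll_processor", 2000)
    # Owner funds the payment account from main for this month's rent, then pays it.
    bank.present_debit("fund", "main", "payment", 800)
    outcomes["fund_payment"] = bank.acknowledge("fund")
    bank.present_debit("rent", "payment", "landlord", 800)
    outcomes["rent"] = bank.acknowledge("rent")
    # A stray debit against main that the owner never acknowledges dies at the cutoff.
    outcomes["stray"] = bank.present_debit("stray", "main", "payroll_processor", 2000)
    outcomes["declined_at_cutoff"] = bank.cutoff()
    return outcomes, dict(bank.balances)
```

With the sweep both reversals bounce against an empty incoming account and the rent posts; without it the first reversal lands and the rent is declined, which is the overdraft-or-bounce situation the rest of the thread discusses.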
Sounds like for personal use, and if you can afford it, it's much easier to have your funds spread over a number of accounts (e.g. have a main account, a second account at a different bank with at least enough money for expenses until you can withdraw from a savings account, and a savings account at a third bank).
And a bit of cash in case the ATMs all go down.
That's the standard opsec issue. People mess up. Positive pay exists to make that "mess up" less painful.
Thanks for this overview! I've been using parts of this flow for a few years, but it's not 100% automated where it could be.
Do you have suggestions for banks that make it easy to implement this workflow?
I have had a good experience with a few community banks that were in the area that I happened to be in. The poor man's implementation ( 3 accounts with the one coded for no withdrawals ) costs about $15/mo and it makes me known to the branch staff, including the managers, which is invaluable. It works for both personal and business accounts but it does not have a good online experience -- there's no positive pay.
National banks ( think Chase/Citi/Boa/WF/HSBC ) offer positive pay on cash management accounts ( corporate/treasury/commercial ) but have very complex workflow so I avoid them.
From regional ones I had a good experience with PNC.
Wouldn't getting physical paychecks instead of direct deposit also work for protecting your account number while receiving payments?
Unfortunately, with Check 21, whoever issued the physical check will get access to the scanned image of the substitute check together with the bank information of the account the check was credited to.
Ah, so you'd have to do something like get it cashed at Wal-Mart for $8 and then deposit the cash into your account. The extra trip and fees make that annoyingly impractical.
This may be tangential and specific to United States, but is there a way to prevent someone from withdrawing money from your account if they know the account and routing number? Both of those numbers are on checks.
There isn't a good way to do that. Electronic funds transfers are generally reversible, though. After informing your bank of an unauthorized electronic funds transfer, they are required to investigate and provide you at least a provisional credit for the amount within ten business days.
Why such a complicated transfer chain just to pay salaries? In my country you just export a bank file from your payroll system and that's it.
I suspect it's partly because there's a complicated employment arrangement going on, with the employees being sorta employed by the payroll management company ("employer of record"), and sorta employed by the company they actually work for, which then pays the payroll management company to handle all that stuff so they don't have to.
> from your payroll system
The payroll system is a 3rd party here. Which is pretty normal, there are a lot of different taxes and things that need to be tracked, and it's easier to let a specialist handle that.
What form of financial network allows a random company to take money from people without any authorization or interaction on their part?
If the employees had somehow set up whatever the USA calls a direct debit, then sure, I can see a reason for this to happen. But through mistake or malice they are still able to dip into people's accounts - that's the real issue here, surely?
Really makes me appreciate the non-obvious complexity for companies like justworks (and all the other companies) to operate in this space
Shades of office space! I'm calling it... the crack coder screwed up the instructions files! Instead of redirecting fractional pennies from each employee to his pioneer bank account, he redirected the whole shebang! boom! ruh ohh!
ACH reversals are horrible when they mistakenly happen. They really are a selling point for getting paid in cryptocurrency.
Wouldn't a flag on the ACH that makes it irreversible accomplish the same goal with considerably less overhead? I think it's already possible to do this with a wire transfer.
I'm not sure these ACH transactions are actually processed like reversals. Otherwise, you wouldn't be able to reverse the same transaction twice, as happened here. They just pulled money back out.
You can't currently do that can you? If you can, please tell me how because I would love to know. :-)
If you mean that this could be implemented, then great I'm all for it. From a technical perspective it doesn't seem like it should be difficult. I'm under the impression it doesn't exist most likely because the banks don't want it to. Hence the benefit of using cryptocurrency.
Yeah, until you need to pay rent, loans, credit cards, or buy groceries, or prove you are paying folks at least minimum wage.
Converting out to fiat is completely doable. People in countries where their own currency is experiencing issues make it work. Of course, ideally, ACH reversals couldn't be done without your permission.
Sure, it can, theoretically, work. But this isn't a reasonable thing for folks to do, at least not with a stable currency. Might as well get paid in gift cards. Theoretically, you can sell them for something more useful too.
And people say crypto exchanges are bad because of exit scams. The same thing essentially happened here, except the authorities are actually investigating.
Bollocks. Once a crypto exchange is gone your money is gone.