
NY Payroll Company Vanishes with $35M - campuscodi
https://krebsonsecurity.com/2019/09/ny-payroll-company-vanishes-with-35-million/
======
patio11
Since this is sort of my beat:

If this ever happens to you, immediately call bank, say “Electronic
transaction posted in error.”, specifically identify the transaction, and ask
what address the bank takes Regulation E written complaints at. If the CSR
doesn’t know that answer, their supervisor does, or in the alternative FedEx
HQ addressed to chief counsel or head of compliance. The letter just needs to
state transaction details, date you first called them, and your desired action
(“Credit me back $X.”), but it’s marginally more effective to say Regulation E
in it since that will put the fear of God into whomever opens it.

You’ll get the money back.

~~~
october_sky
Hey Patrick, I'm surprised to see "this is sort of [your] beat". Do
transactions like this happen to you often? What sort of speed-to-recovery do
you see when you take this approach?

~~~
dfcowell
The guy works for Stripe. I’d say as a company they’re pretty savvy about
banking regulations in general, and transaction disputes specifically.

~~~
ThrustVectoring
His blog also mentions that he's ghostwritten a few hundred letters to various
financial institutions in order to resolve errors in credit reports
(https://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/).

------
gregmac
This was confusing to understand, because multiple bad things happened.
Normally:

* Step 1: Transfer funds from each Employer's account to Cachet's holding account

* Step 2: Transfer funds from Cachet's holding account to each Employee account

Both of these steps are handled with an 'instructions file'.

---

The crime (or horrible mistake that _really_ looks like a crime):

Step 1's file was changed so that the funds went to an account at Pioneer
Savings Bank (controlled by MyPayrollHR)

Step 2's file was sent as it normally would be.

----

Mistake 1: The file for Step 2 was processed, and funds from Cachet's holding
account were transferred to employees, despite funds from Employers not coming
in.

Apparently Cachet had at least $26M extra in their holding account for this to
work.

As a result of this, Cachet tried to reverse these transactions, since
basically they hadn't actually been paid.

----

Mistake 2: The reversal file was improperly formatted. NACHA rules say these
files should be ignored or rejected, but..

----

Mistake 3: Some financial institutions processed the improperly formatted file
anyway.

----

To fix Mistake 2, Cachet submitted a new reversal file, which was then _also_
processed by the companies.

It sounds like this "reversal file" was actually just a transfer in the other
direction (as opposed to "undo transaction ID 937641745"), so of course it
would make sense that it was processed.

----

As a result, all employees paid via MyPayrollHR were paid, then had that
payment removed. Some also had the same payroll amount removed a second time.

One thing I haven't figured out is that apparently the MyPayrollHR account at
Pioneer Savings Bank is 'frozen' -- but I can't find any reporting about
whether it has $26M in it or not. Meanwhile the CEO has disappeared.. So did
he get the money, or just cause a massive life disruption for thousands of
people?

~~~
apacheCamel
Thank you for explaining it, you did a great job at helping me understand what
happened. The whole process seems way too convoluted for something as serious
as paychecks. It really relies on everybody acting in good-faith and in the
proper fashion. By Cachet working Step 2 before Step 1 and _possibly_ assuming
Step 1 was going to happen, they already were too far gone and only made the
situation worse for them and a bunch of employees.

~~~
lotsofpulp
The whole idea of ACH transfers and giving everyone write access to everyone's
account in this day and age is crazy to me.

There should not be a way for money to leave an account without the account
owner's explicit permission.

~~~
privateSFacct
We insisted that our bank provide positive pay for ACH. If you are a business
you should consider this if you hold large balances. It works very well. Only
authorized ACH entities up to authorized limits can debit (or I can set it to
notify and someone has to approve each one).

------
antaviana
In the US anyone with your bank account number can debit your account
irreversibly?

In Europe (with SEPA Core) we have 8 weeks to reject any debit even if the
entity issuing the debit has a signed mandate to debit the account.

~~~
patio11
Knowledge of a bank account number is sufficient to attempt to debit it.
Whether it will appear to succeed or not depends on the bank and a variety of
factors. Regardless of whether it initially succeeds, it is (very)
reversible.

There’s a lot of technical nuance here which I’d ordinarily geek out on but
don’t quite have the time to today.

------
soneil
This does seem like a nightmare scenario for the vast majority (4 in 5?) of
Americans who live cheque-to-cheque.

Your pay is yanked, life doesn't stop and the bills keep coming. A few days, a
week later, it's corrected and the pay reappears. Who's on the hook for your
overdraft fees?

~~~
the-dude
What is an overdraft fee? How much is it? Is it interest?

~~~
ska
This is a flat fee assessed if your account goes into "overdraft" to cover a
check (or other liability). If your account is set up to do this (pretty
standard in the US) rather than a check failing to clear your bank will cover
the check and charge, e.g. $30-$50 for covering it. Of course you owe the
overdraft amount as well.

~~~
mattwad
I also think it's mostly meant to be a deterrent. When I had BofA, any time I
got overdraft I just called and they would take it off, usually without an
explanation.

~~~
ska
That's true, but as in other areas I think it probably has a lot to do with
how much they value your future business.

------
MBCook
It seems the FBI in the NY Albany office is now looking into this.

https://twitter.com/FBIAlbany/status/1171827423333289985

------
apacheCamel
Honestly, this is really scary. Personally, I would be unable to take a [2x my
bi-weekly salary] hit to my account and that would result in a pretty negative
balance. I think I recently saw an article about a bank depositing too much
money into an account and the account owner spent it then got arrested. It
just seems like the people in charge of how we get/hold our money can screw up
with minimal blow back, yet the receiver of the money is almost always the one
who draws the short straw. I could be wrong, but it really makes me question
the safety of (what little) money I have.

~~~
isostatic
If you earn 3k a month, one month you get paid 100k, and you spend 5k on
normal things, you aren't going to be arrested.

If you earn 3k a month, one month you get paid 100k, and you spend 95k on
stuff you don't normally buy, you are going to be arrested.

If you pick up 20 cents from the floor and spend it, you won't be arrested.

If you find $50k in a bag and spend it, you will be.

~~~
notfromhere
I'm pretty sure if you find a bag of money on public property, you're under no
obligation to actually return it.

~~~
harryh
This is not correct. If you find a bag of money (or, much more common: a
wallet) and you can identify the owner you are obligated to return it. Not
doing so is a crime. As it should be.

~~~
isostatic
California Civil Code section 2080.1 for example

"the person saving or finding the property shall, if the property is of the
value of one hundred dollars ($100) or more, within a reasonable time turn the
property over to the police department of the city"

https://codes.findlaw.com/ca/civil-code/civ-sect-2080-1.html

~~~
dsfyu404ed
I'm sure that'll make for some great "well we can't get them on anything else"
prosecutions in a few decades as inflation works its magic. Hard coding dollar
amounts into law is beyond stupid. At least it's a civil infraction so you
should only get a fine in most cases. (I'm making the charitable assumption
that having the amount decrease over time was not intended).

~~~
londons_explore
Hardcoding dollar amounts into law isn't so bad because future laws can update
them. For example, a future law might say "All dollar amounts put into law
more than 10 years ago are hereby doubled".

The UK has a similar system for fines. Laws are written that if a particular
offence occurs, a "Band A fine shall apply", and a separate bit of regulation
says what each band of fine or punishment entails.

~~~
dsfyu404ed
>Hardcoding dollar amounts into law isn't so bad because future laws can
update them.

Sure, but we all know that never happens until a sufficient number of easy to
feel sorry for people get screwed real hard. Those people are getting
needlessly screwed because the legislators were lazy. For example, most states
have felony charges as an option for vandalism over a certain dollar amount,
in some states these dollar amounts are low. This results in teenagers getting
threatened with felonies (and the charges inevitably stick sometimes) because
cleaning up their mess cost a few hundred bucks. That is a level of
draconianness that is not ok in a free society.

------
C1sc0cat
Interesting, and a bit frightening about the lack of security.

I have had to work with the equivalent process for payments in the UK - we
were fixing up a problem where the accounts receivable system would not cut
the BACS tape for 6 months!

Submitting a BACS tape required the use of one-time codes and a physical
device, and this was in the late 80s.

------
JJMcJ
Besides the banking issues, when do the people get paid?

If the disappeared payroll company got money from employers, it's possible
some employers may not have enough cash to pay a second time.

Then they're out of business, or close to it.

The old businessman's phrase "You've never had to meet a payroll" is really
meaningful here, the scramble to pay everyone.

~~~
kaikai
The article said that Cachet is covering the transactions, even though they
haven't been paid. The companies will have to find a new payroll provider
before their next payroll, but not have to come up with the extra cash.

~~~
londons_explore
If I were Cachet's shareholders, I wouldn't be happy about that...

~~~
notfoss
If I was one of their shareholders, I would be happy instead, as they seem to
have come out as the real good guys in the whole story (unless they were
legally obligated for covering the mess).

~~~
philpem
If they begin to offer payroll services directly to some of the affected
companies, I imagine the shareholders would be quite happy. They might be out
the money until the insurance pays up, but ongoing fees and goodwill could
well cover that inside of a year or two.

------
DoofusOfDeath
Is it possible to protect one's direct-deposit wages from (unjustified) ACH
reversals, by transferring funds into a different account ASAP after the
deposit occurs?

I.e., by maintaining an account that serves only as a temporary inbox for
direct deposit?

~~~
itake
I think that this doesn't protect you and you would just end up overdrafting
your account, resulting in fees.

~~~
notyourday
Overdraft fees caused by fraud will probably be reversed. I have never heard
of it not happening -- it would be a terrible PR for a bank that allowed for
it. It will simply take time.

~~~
ThrustVectoring
It ought to be a regulatory incident, not just bad PR.

~~~
notyourday
I'm sure it will be, but bad PR triggers resolution much faster than OCC.

------
xoraes
This may be tangential and specific to United States, but is there a way to
prevent someone from withdrawing money from your account if they know the
account and routing number? Both of those numbers are on checks.

~~~
ThrustVectoring
There isn't a good way to do that. Electronic funds transfers are generally
reversible, though. After informing your bank of an unauthorized electronic
funds transfer, they are required to investigate and provide you at least a
provisional credit for the amount within ten business days.

------
Kiro
Why such a complicated transfer chain just to pay salaries? In my country you
just export a bank file from your payroll system and that's it.

~~~
danaris
I suspect it's partly because there's a complicated employment arrangement
going on, with the employees being sorta employed by the payroll management
company ("employer of record"), and sorta employed by the company they
actually work for, which then pays the payroll management company to handle
all that stuff so they don't have to.

------
orf
What form of financial network allows a random company to take money from
people without any authorization or interaction on their part?

If the employees had somehow set up whatever the USA calls a direct debit,
then sure, I can see a reason for this to happen. But through mistake or
malice they are still able to dip into peoples account - that's the real issue
here, surely?

------
ydnaclementine
Really makes me appreciate the non-obvious complexity for companies like
justworks (and all the other companies) to operate in this space

------
Samix10
ok

------
throw7
Shades of office space! I'm calling it... the crack coder screwed up the
instructions files! Instead of redirecting fractional pennies from each
employee to his pioneer bank account, he redirected the whole shebang! boom!
ruh ohh!

------
ahnick
ACH reversals are horrible when they mistakenly happen. They really are a
selling point for getting paid in cryptocurrency.

~~~
eli
Wouldn't a flag on the ACH that makes it irreversible accomplish the same goal
with considerably less overhead? I think it's already possible to do this with
a wire transfer.

~~~
roywiggins
I'm not sure these ACH transactions are actually processed like reversals.
Otherwise, you wouldn't be able to reverse the same transaction _twice_, as
happened here. They just pulled money back out.
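The two failure modes gregmac and roywiggins describe above can be shown in a toy ledger: a disbursement file posted without checking that the matching funding file actually landed, and a "reversal" that is really a fresh debit in the other direction (so it can be applied twice) versus one that references the original entry's trace id (so the second attempt is a no-op). This is an added illustration, not code from the article, from Cachet, or from any NACHA specification; the account names, amounts, batch tag and the per-batch funding check are assumptions of the model.

```python
"""Toy settlement model of the two-file payroll flow discussed in the thread.

Added illustration only. Account names, amounts, the 'batch' tag and the
funding rule are assumptions; nothing here reflects real NACHA file layouts.
Amounts are integer cents.
"""
from dataclasses import dataclass

PAY = 10_000_00  # one assumed payroll amount, $10,000 in cents


@dataclass(frozen=True)
class Entry:
    trace_id: str   # unique id of this entry
    debit: str      # account the money leaves
    credit: str     # account the money arrives in
    amount: int
    batch: str      # which payroll run the entry belongs to (assumed tag)


class Ledger:
    """Minimal double-entry ledger. Balances may go negative, as a bank
    account does when a pre-authorised debit overdraws it."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.posted = {}        # trace_id -> Entry
        self.reversed = set()   # trace ids already undone via reverse_by_id

    def post(self, entry):
        if entry.trace_id in self.posted:
            raise ValueError(f"duplicate trace id {entry.trace_id}")
        self.balances[entry.debit] -= entry.amount
        self.balances[entry.credit] += entry.amount
        self.posted[entry.trace_id] = entry

    def reverse_by_id(self, trace_id):
        """Reversal that names the original entry. Returns False, and changes
        nothing, if that entry was already reversed."""
        if trace_id in self.reversed:
            return False
        e = self.posted[trace_id]
        self.balances[e.credit] -= e.amount
        self.balances[e.debit] += e.amount
        self.reversed.add(trace_id)
        return True


def process_disbursement(ledger, step2_file, batch, require_funded):
    """Post the Step 2 (holding -> employees) file. With require_funded, refuse
    unless this batch's Step 1 credits into 'holding' cover the payout; the
    processor's own float in 'holding' does not count."""
    if require_funded:
        received = sum(e.amount for e in ledger.posted.values()
                       if e.credit == "holding" and e.batch == batch)
        needed = sum(e.amount for e in step2_file)
        if received < needed:
            return False
    for e in step2_file:
        ledger.post(e)
    return True


def payroll_run(altered_step1, require_funded):
    """One payroll run. altered_step1 sends the employer's money to 'pioneer'
    instead of 'holding', as the thread describes. Returns (ledger, posted)."""
    ledger = Ledger({"employer": 50_000_00, "holding": 30_000_00,
                     "employee": 0, "pioneer": 0})
    batch = "run-1"
    dest = "pioneer" if altered_step1 else "holding"
    step1 = [Entry("T1", "employer", dest, PAY, batch)]
    step2 = [Entry("T2", "holding", "employee", PAY, batch)]
    for e in step1:
        ledger.post(e)
    posted = process_disbursement(ledger, step2, batch, require_funded)
    return ledger, posted


def reverse_twice(ledger, idempotent):
    """Two reversal attempts against the employee credit T2. Non-idempotent
    mode models a 'reversal' that is just a new debit the other way: a new
    trace id each time, nothing tying it to T2, so it posts every time."""
    results = []
    for n in (1, 2):
        if idempotent:
            results.append(ledger.reverse_by_id("T2"))
        else:
            e = ledger.posted["T2"]
            ledger.post(Entry(f"R{n}", e.credit, e.debit, e.amount, e.batch))
            results.append(True)
    return results


if __name__ == "__main__":
    bad, _ = payroll_run(altered_step1=True, require_funded=False)
    print("unfunded payout posted:", bad.balances)
    print("two reverse-direction pulls:", reverse_twice(bad, idempotent=False), bad.balances)
    good, _ = payroll_run(altered_step1=True, require_funded=False)
    print("two id-keyed reversals:", reverse_twice(good, idempotent=True), good.balances)
    guarded, ok = payroll_run(altered_step1=True, require_funded=True)
    print("guarded run posted Step 2:", ok, guarded.balances)
```

In the unguarded altered run the employee is paid out of the processor's float while the employer's money sits in the diverted account; two reverse-direction pulls then leave the employee at minus one paycheck, which is the double-removal the thread reports. Keying the reversal to the original trace id caps the damage at a single undo, and the per-batch funding check stops Step 2 from posting at all when Step 1 never arrived.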

------
seibelj
And people say crypto exchanges are bad because of exit scams. The same thing
essentially happened here, except the authorities are actually investigating.

~~~
sofaofthedamned
Bollocks. Once a crypto exchange is gone your money is gone.

