The US has long been considered to be ‘lagging behind’ Europe in its approach to new banking technology, showing an abundance of caution in fully implementing innovations such as ‘contactless’ cards.
Security concerns have always been cited as the reason for this, but as this begins to slowly change it seems appropriate, with so many now doing home-banking, to review approaches on both sides of the Atlantic.
Since the US banking industry rolled out “faster payments”, the real-time ‘peer-to-peer’ payments (P2P) platform Zelle – which is used to move money from bank accounts to an email or mobile phone number – has become popular & also highly praised. By the third quarter of 2019, Zelle traffic was said to have reached 196 million transactions with a value of $49 billion, which is much higher than other similar solutions.
Whilst these new digital opportunities are very good, many banks are now starting to think that a far greater risk of online fraud is being unintentionally created by P2P payments.
Banking Fraud Losses
The UK moved to faster payments in 2008. However, this caused online banking fraud losses to triple within 3 years, even though every bank adopted stronger authentication by means of hardware-based or SMS-based two-factor authentication.
Banks in the UK found out early that so-called “strong authentication” isn’t actually that strong after all. Criminals have developed and perfected techniques to evade the controls; in some cases they trick users into making fraudulent transactions from their own online accounts through ‘social engineering’.
Zelle fraud is not just a theoretical threat. Institutions that have already launched Zelle, ranging from the top 5 US banks to tiny credit unions, report highly targeted fraud campaigns & an adaptive ‘competition’ with informed cyber-criminals, who are very fast to adapt to new controls. Zelle fraud is now the fastest growing type of account takeover fraud in the American banking sector.
It seems that not all Zelle usage is the same. Zelle is used in 3 ways: as a standalone mobile app available to consumers for direct download; embedded as a feature in external digital banking applications; & via P2P money transfer providers who have their own controls.
Banks that directly offer Zelle through their digital banking applications have already experienced the majority of social engineering attacks: phone number spoofing, robocalls & personalised text messages are already widely seen.
Take this example: a San Francisco Bay Area-based financial institution recently suffered a very targeted attack. Members received a personalised fraud alert via text message. A list of names matched to phone numbers is not difficult to obtain – recently 267 million Facebook users’ names and phone numbers were said to be exposed online.
In this case, the text included the real victim’s name & warned about a possible fraudulent transaction. When the user responded, they were contacted by a so-called “rep” calling from what appeared to be the bank’s number, but was faked. The “rep” collected sufficient information to reset the victim’s password, & then proceeded to make $2000 in Zelle payments.
Also, one of the top American retail banks launched Zelle a few years ago and was targeted by a huge social-engineering attack against users. Customers were tricked into sharing their credentials, & this allowed the criminals to enrol in Zelle & make real-time payments.
Here, the bank responded fast, using behavioural analysis to help identify the criminals’ methods. The fraudsters behaved in very distinctive ways: their login patterns and up-and-down scrolling techniques were very different from those of the regular users of each account. Also, they were not familiar with the personal data of the payees, yet they showed good familiarity with the Zelle payment flow, even for users who had just enrolled.
Once that information was identified, the bank was able to repel much of this attack, saving about $200,000 in just a single weekend and preventing any further losses.
A P2P’s Promise
Retail banks in the USA have been fighting account takeover (ATO) fraud for over 10 years, but not in real time. Zelle fraud, which is always real-time, is thus very testing. Banks have been reacting much as they did to the outbreak of phishing campaigns 15 years ago, that is: adding controls, adding warnings, & generally adding friction.
Fraudsters unfortunately adapt fast to any new control, test out new social engineering stories, & have many unpleasant evolving tricks. Also, as a result of that friction, real users often feel cheated and frustrated by having a below par digital service. They might abandon P2P and revert to traditional forms of payments.
Tactically, it’s better to prepare for something as important as the launch of a new digital payment method by adding ‘hidden’ layers into the user’s route. These controls are harder for criminals to defeat as they have to just ‘guess’ what exactly is being monitored & analysed.
According to consultancy AITE Group, the 3 technologies that provide that combination of higher security & seamless experience are behavioural biometrics, behaviour patterns & device identity controls.
Importantly, you will need to monitor adjacent user flows, beyond the obvious danger-zone of Zelle enrolment & payments. Login, password resets, email & phone changes are all very important to examine.
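A minimal sketch of monitoring those adjacent flows, as an added example that is not from the original article or any bank's system: it flags Zelle payments made shortly after a password reset, contact change or enrolment, the sequence seen in the two attacks described earlier. The event names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Adjacent flows to watch, plus enrolment itself (event names are hypothetical).
SENSITIVE = {"password_reset", "email_change", "phone_change", "zelle_enrol"}

def flag_payments(events, window=timedelta(hours=24)):
    """Return (user, amount, reasons) for each Zelle payment made within
    `window` of a sensitive account change; a first-time payee is noted
    as an extra reason."""
    recent = {}        # user -> list of (timestamp, event name)
    known_payees = {}  # user -> payees this user has already paid
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, kind = ev["user"], ev["ts"], ev["event"]
        if kind in SENSITIVE:
            recent.setdefault(user, []).append((ts, kind))
        elif kind == "zelle_payment":
            reasons = sorted({k for t, k in recent.get(user, []) if ts - t <= window})
            payees = known_payees.setdefault(user, set())
            if reasons and ev["payee"] not in payees:
                reasons.append("new_payee")
            payees.add(ev["payee"])
            if reasons:
                alerts.append((user, ev["amount"], reasons))
    return alerts

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    {"user": "dave", "ts": _t("2020-01-01T10:00"), "event": "phone_change"},
    {"user": "dave", "ts": _t("2020-01-05T10:00"), "event": "zelle_payment",
     "payee": "p1", "amount": 40},
    {"user": "alice", "ts": _t("2020-01-10T09:00"), "event": "login"},
    {"user": "alice", "ts": _t("2020-01-10T09:05"), "event": "zelle_payment",
     "payee": "p2", "amount": 50},
    {"user": "carol", "ts": _t("2020-01-11T14:00"), "event": "password_reset"},
    {"user": "carol", "ts": _t("2020-01-11T14:03"), "event": "zelle_enrol"},
    {"user": "carol", "ts": _t("2020-01-11T14:06"), "event": "zelle_payment",
     "payee": "p3", "amount": 2000},
]

if __name__ == "__main__":
    for alert in flag_payments(SAMPLE_EVENTS):
        print(alert)
```

Such a rule is only one passive signal; in practice it would feed a risk score alongside the behavioural and device signals rather than block payments on its own.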
Financial institutions, consumers, payment processors etc. must learn well from past experience and not fall into the trap of relying only on established routines. The only meaningful way to prevent Zelle fraud is to proactively plan for a dynamic-based system of both authentication & fraud prevention.
If done passively, & with better technologies, an effective solution should also address users’ experience and deliver the potential of P2P payments, not just for Zelle-based consumer payments but also for other applications, i.e. business transactions & cross-border payments.