The Faster Payments Task Force is working toward launching a real-time payments network in the U.S. by 2020. But faster payments could open the door to more fraud, as has been experienced in other countries, such as the U.K. and Mexico. Meanwhile, the U.S. has already experienced fraud exploits on a number of P2P payments networks, including Venmo and Zelle, that offer money transfers between consumers. Those exploits focus on the lack of scrutiny that faster payment transactions receive due to the speed of funds transfers.
Zelle fraud
Due to high-profile advertising and the embedding of Zelle directly into many mobile banking apps, the P2P payments network has quickly gained popularity. Reportedly, the network is moving a total of $75 million in 2017, more than twice that of its close competitor, Venmo.
But fraudsters have been attacking Zelle users, abusing their lack of understanding of how Zelle, formerly clearXchange, was designed to be used to solicit payments, TechCrunch reports.
The scam is relatively unsophisticated. Victims are asked to pay with Zelle for goods or services on websites such as Craigslist. Once the payment is sent, the fraudster doesn’t deliver the goods, closes the receiving bank account and is able to make off with the transferred funds before the victim realizes that a crime has occurred. And because the customer willingly sent the funds for payment, they are often left on the hook for the fraud losses by their financial institution.
At the epicenter of many of the exploits for faster payments transactions are account takeovers and synthetic identity fraud, both of which are growing due to the exposure of PII in so many massive data breaches.
Fraud mitigation strategies to fight synthetic identity fraud
Donna Turner, chief administrative officer at Early Warning Services, the technology company behind Zelle, says the two main fraud methods the company is seeing are stolen card data being loaded into the Zelle app and account takeover/synthetic identity fraud with its participating financial institutions.
“The challenge with synthetic ID fraud is you don’t know what you don’t know,” Turner says. “What does a synthetic loss look like? Was it bad data? Was it a bad decision? It’s really nebulous.”
Based on its research, Aite Group predicts that synthetic identity fraud will continue to grow from at least $820 million in payment card losses in 2017 to over $1.25 billion in 2020. Faster payment platforms will be prime targets as they continue to gain traction.
“Synthetics are a great way to create your end point for real-time payments fraud, i.e. set up your sweep account using a synthetic identity that can serve as the target destination when the criminal takes over an account and steals funds via real time payments,” says Julie Conroy, Aite’s research director.
Authentication at On-boarding
Robust authentication at the point of account opening is critical in controlling faster payments fraud. But new customers may be dissuaded from enrollment if they have to jump through too many authentication hoops. “We generally advise a layered, orchestrated and risk-adjusted approach, combining passive methods, such as device profiling and behavioral biometrics, with traditional data,” says Aaron Press, director, market planning fraud and identity, at Lexis Nexis. “And while it is critical to limit friction whenever possible, there will be times when we need to ask for more information or stronger authentication, such as with a one-time password or a KBA [knowledge-based authentication] quiz.”
Early Warning’s Turner provides similar advice: “Take a deep breath and walk the discipline. What do you know about the card that’s being loaded? And what do you know about the email? What do you know about the device? Is it a prepaid or postpaid mobile account? This is all while enrolling.”
“Payments are evolving quickly, and if we don’t adjust how we approach fraud, then we will fall further and further behind criminals,” says Al Pascual, senior vice president of research and head of fraud and security at Javelin. “We can avoid this trap if we see it coming. So we just need to open our eyes and learn from the mistakes of the past.”
–via Bank Info Security
