Why faster payments mean faster fraud

Banks on the Zelle network may want to re-examine their growth figures for fraudulent transactions. Mobile payments are becoming more popular for consumers and financial institutions, but that could signal another rise in payments fraud, which is already on the rise according to new data from the Federal Reserve. Less than a month ago Early Warning Services, the network that powers peer-to-peer payments platform Zelle, touted $75 billion in funds moved through its bank-supported platform with plans to expand its member network. One member bank, however, also reported a fraud rate of 90 percent shortly after implementing Zelle last year, said someone familiar with the statistics who wished to remain anonymous. “Faster payments doesn't really mean it’s more secure than traditional payments,” said Genevieve Gimbert, PwC head of fraud management consulting. If anything, the opportunity for criminals and fraudsters to exploit operational and control loopholes in mobile payments is growing with the popularity of new vehicles like Zelle and messenger based payments because they generally don’t have as much of a clearing period. “In traditional payments you have time to vet those payment requests and see if they're fraud or not,” at least a couple of days. But faster payments that make the funds available within minutes, there isn’t as much time. “The biggest challenge is having the proper real-time fraud detection system in place to identify whether the payment request is suspicious or not.” Fraud detection in banks, however, is no longer just about building a wall to keep outsiders out; cybersecurity teams need to install a filter that can identify who can and should enter the system. Upgrading fraud detection systems to ensure they work in real-time and can organize the data well enough and fast enough is a multi-million dollar effort, Gimbert said. “Moving money in real-time from one account to another creates new opportunities for ‘bad actors’ to commit new types of fraud,” said Early Warning in an emailed statement shared with Tearsheet. “We work to prevent a range of existing and emerging threats that can compromise accounts, including measures to prevent account takeovers.” Much of that work involves implementing multi-layer and multi-factor authentication during the enrollment process, the company said, in addition to “what we are doing 24/7 to monitor account activity and take action against fraud or potential fraud once anomalies are detected.” Early Warning hangs onto customers’ email addresses and phone numbers and facilitates peer-to-peer payments across the banking network rather than having each individual bank set up agreements with 50 others. Each bank has an agreement with the other to make the funds of the transfer available right away even if they don’t process it until later. Fraud didn’t increase because of the implementation of Zelle, though. “It’s a game of whack-a-mole,” Gimbert said. “If the banks strike the controls on one channel, the fraudsters will move to identify other vulnerabilities in another channel.” Cybersecurity has been a top priority for banks since the dawn of time, and as everyday activities become more digital and more social, banks’ are being targeted by simpler and more common types of attacks. Fraudsters are finding it easier to impersonate customers — either through phishing scams or, increasingly, when calling banks’ call centers — to gain access to legitimate login credentials. The call center is the most vulnerable channel today, Gimbert said. Bank of America will spend $600 million this year on cyber defense alone, its chief operations and technology officer Cathy Bessant recently told Tearsheet. In December Menlo Security, a company that provides malware isolation solutions, raised $40 million in Series C funding, bringing its total funding to $85 million. JPMorgan Chase, HSBC and American Express Ventures are among its investors. For the past couple months banks have also been enhancing authentication controls to move away from knowledge-based authentication — such as prompting customers to identify the last four digits of their Social Security number or their mother’s maiden name. For example, a number of banks such as Chase and Wells Fargo are pushing customers to adopt Apple’s Face ID and Samsung’s iris scanner technology. Almost half of all phishing attacks in 2016 involved redirecting users to a phony banking website, according to Kaspersky Labs. According to a separate Kaspersky Lab survey of more than 800 financial institutions, 53 percent of financial institutions in the U.S. say phishing and social engineering attacks on customers are in their top cybersecurity concerns — followed by attacks on local/branch offices (33 percent), on digital and online banking services (31 percent), on back-office systems (23 percent) and on point-of-sale systems (20 percent). But beyond the need for system upgrades, banks have fraud detection systems for each product in their organization, Gimbert explained. If the banks have segregated systems, they need to consolidate them or add yet another layer to identify and look at the risk across the various fraud detection system holistically. “Checking accounts, debit cards, credit cards, ACH wires — they’re all segregated,” Gimbert said. “With faster payments you need to have a consolidated view of your risk whether I’m sending a check or processing a debit card transaction. You need to understand the customer as a whole and understand the potential fraud happening with this customer.”