Card Not Present Fraud , Fraud Management & Cybercrime , Multi-factor & Risk-based Authentication
Faster Payments: Effective Fraud Mitigation StrategiesExpert Insights on Fraud Management for Payment Networks
The Faster Payments Task Force is working toward launching a real-time payments network in the U.S. by 2020. But faster payments could open the door to more fraud, as has been experienced in other countries, such as the U.K. and Mexico.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Meanwhile, the U.S. has already experienced fraud exploits on a number of P2P payments networks, including Venmo and Zelle, that offer money transfers between consumers. Those exploits focus on the lack of scrutiny that faster payment transactions receive due to the speed of funds transfers.
To minimize fraud risks as payments get faster, security experts are advising that strong authentication, customer education and scalable fraud solutions will all prove essential.
Due to high-profile advertising and the embedding of Zelle directly into many mobile banking apps, the P2P payments network has quickly gained popularity, reportedly moving a total of $75 billion in 2017, more than twice that of its close competitor, Venmo.
But fraudsters have been attacking Zelle users, abusing their lack of understanding of how Zelle, formerly clearXchange, was designed to be used to solicit payments, TechCrunch reports.
The scam is relatively unsophisticated. Victims are asked to pay with Zelle for goods or services on websites such as Craigslist. Once the payment is sent, the fraudster doesn't deliver the goods, closes the receiving bank account and is able to make off with the transferred funds before the victim realizes that a crime has occurred. And because the customer willingly sent the funds for payment, they are often left on the hook for the fraud losses by their financial institution.
At the epicenter of many of the exploits for faster payments are account takeovers and synthetic identity fraud, both of which are growing due to the exposure of PII in so many massive data breaches.
Donna Turner, chief administrative officer at Early Warning Services, the technology company behind Zelle, says the two main fraud methods the company is seeing are stolen card data being loaded into the Zelle app and account takeover/synthetic identity fraud with its participating financial institutions.
"The challenge with synthetic ID fraud is you don't know what you don't know," Turner says. "What does a synthetic loss look like? Was it bad data? Was it a bad decision? It's really nebulous."
Based on its research, Aite Group predicts that synthetic identity fraud will continue to grow from at least $820 million in payment card losses in 2017 to over $1.25 billion in 2020. Faster payment platforms will be prime targets as they continue to gain traction.
"Synthetics are a great way to create your end point for real-time payments fraud, i.e. set up your sweep account using a synthetic identity that can serve as the target destination when the criminal takes over an account and steals funds via real time payments," says Julie Conroy, Aite's research director.
Authentication at Onboarding
Robust authentication at the point of account opening is critical in controlling faster payments fraud. But new customers may be dissuaded from enrollment if they have to jump through too many authentication hoops.
"We generally advise a layered, orchestrated and risk-adjusted approach, combining passive methods, such as device profiling and behavioral biometrics, with traditional data," says Aaron Press, director, market planning fraud and identity, at LexisNexis Risk Solutions. "And while it is critical to limit friction whenever possible, there will be times when we need to ask for more information or stronger authentication, such as with a one-time password or a KBA [knowledge-based authentication] quiz."
Early Warning's Turner provides similar advice: "Take a deep breath and walk the discipline. What do you know about the card that's being loaded? What do you know about the email? What do you know about the device? Is it a prepaid or postpaid mobile account? This is all while enrolling."
Preventing account takeover, however, requires account monitoring not just at the point of enrollment but throughout the entire life of the account.
"If you're not focusing on enrollment, or the account edits or changes, a fraud is inevitable," says David Barnhardt, executive vice president at GIACT, a payments and identity fraud prevention company. "You have to manage the customer lifecycle."
Key Fraud Risk Mitigation Steps
Javelin, a research and advisory firm, and ACI Worldwide, a payment systems company, highlight a progressive approach to fraud prevention in a new research report. Among the recommendations:
- Get the right stakeholders to collaborate on any new payment network, both internally and externally, so fraud management teams have a solid understanding of potential threats and are equipped to take pre-emptive action.
- Use a scalable control framework that is designed to adjust for the value of the transaction and the overall rate of fraud. If controls are insufficient to manage fraud at an anticipated number of users, or at certain transaction thresholds, then the overall approach should be scrutinized and adjusted.
- Set up a kill switch that can be used immediately if fraud rapidly escalates.
- Provide customer education and communication to articulate potential fraud issues and best practices for fraud mitigation.
- Have fraud prevention technologies that are appropriate for faster payments, such as stronger authentication, along with fraud detection based on machine learning and behavioral analytics.
"Payments are evolving quickly, and if we don't adjust how we approach fraud, then we will fall further and further behind criminals."
—Al Pascual of Javelin
"Payments are evolving quickly, and if we don't adjust how we approach fraud, then we will fall further and further behind criminals," says Al Pascual, senior vice president of research and head of fraud and security at Javelin. "We can avoid this trap if we see it coming. So we just need to open our eyes and learn from the mistakes of the past."