It’s hard for paranoia not to set in when you see organizations as important as Colonial Pipeline, the U.S.’s largest refined products pipeline, held for a $4.4m ransom by cyber attackers. The CEO, Joseph Blount, made the difficult decision to pay the ransom because the company didn’t know the extent of the intrusion or how long it would take to restore operations. An FBI-led operation recovered $2.3m of the Bitcoin paid to the hackers, but the situation highlighted extreme vulnerabilities.
No industry is immune. Since March 2020, identity thieves have taken nearly $1b in unemployment payments from the Texas Workforce Commission.
Consumers are also anxious about fraud. Sixty-five percent of 2,000 consumers surveyed stated that they are more concerned about fraud than before COVID-19 hit, and a quarter admitted to being victims of fraud within the last 12 months (a 25% increase over the prior year).
To add to an already challenging environment, attacks are becoming more sophisticated and harder for common security tools to detect. For instance, attackers mimic human behavior to thwart traditional bot detection tools by running scripts that show common browser and application behavior. Techniques include spoofing locations and slowing down attacks so they better resemble human interaction. In the first half of 2020, 96% of FI attacks were considered “sophisticated”.
As payments get faster and more rails become available, fraud is a reasonable concern. Bad actors can be expected to try to take advantage of new systems, so fraud prevention efforts will always be essential. According to Gareth Lodge from Celent, here are some best practices to avoid fraud:
Speed is of the essence
The TCH rules place obligations on the sending bank to be sure that what is being sent is legitimate and that the receiving party is as well. In short, the receiving bank should be able to trust that the funds are good. Given the almost zero downtime that is allowed, FI fraud systems need to operate in a 24/7, single-message way as well, and at speed—the total end-to-end time is from time of sending of the transaction to receiving, giving the bank very little time to do those checks.
Good practice makes a difference
Lessons from other countries around the world show that when setting up a new payee, banks should validate with the account holder that it is them. Some countries have suffered “man-in-the-browser” attacks in which a fraudster could access the account details, set themselves as the recipient, and clear the account. Validating account details via text message helps ensure that it really was the account holder setting it up!
It’s a new rail
It’s not a card or a wire or an ACH, so don’t be tempted to use models developed for those rails! Instead, focus on building those patterns from scratch—artificial intelligence and machine learning are great tools for doing this. With low volumes at first, it also ensures that every data point adds to the model—again, too often, we have seen banks update their fraud models monthly or even quarterly! Using that approach, bad actors could easily have emptied accounts in minutes before anyone ever noticed!
Customer awareness and education are key. Getting them to understand what is normal and what isn’t makes a difference. It also drives uptake. If it goes wrong (in their eyes!) the first few times, then they won’t adopt it. If you position and productize it correctly though…
Payment system outages are another huge interruption; read Preparing for Payment System outages.