The US is Moving to Faster Payments: What You Need to Know
Last week, the Federal Reserve Faster Payments Task Force released Part 2 of their Final Report: A Call to Action. It contains a number of key recommendations around fraud detection and emerging technologies. As stakeholders in the US look towards 2020, the target year for providing every consumer and business with faster payments, it makes sense to look back at the UK experience and see what can be learned.
The UK Experience
Right now, given the relative novelty of faster payment schemes internationally, there is little “fast fraud” data. Yet, observing the data available from the United Kingdom, Julius Weyman, VP at Federal Reserve Retail Payments, noted:
- At the launch of the United Kingdom’s faster payment scheme in 2008, online banking fraud increased 132 percent from the previous year.
- The 2009 level was 14 percent higher than that in 2008.
- Following a downward trend in 2010–11, online fraud trends steadily advanced, with the series showing its highest level yet in 2014.
BioCatch has extensive deployments with major UK banks and was on the front line when Faster Payments was implemented in that market. Our experience reflects Weyman’s findings. Here we provide our lessons learned, not just for faster payments but for online security overall.
- Strong authentication is not so strong. 100% of fraud comes from authenticated sessions. Yes, this is correct. Via social engineering techniques (such as phone-based vishing or SMS-based smishing) and malware, account takeover and remote-access attacks essentially trick a user into giving up control of a session after authentication is complete. Couple that with the fact that personal credentials are available for sale on the dark web for as little as $2, and fraudsters often have the information they need to impersonate a victim at authentication time. There are even online courses for them to hone their craft.
- Typical lines of defense are penetrable. For some time, it has been possible to spoof the location of a smartphone and to mask device ID information, as shown on various online how-to websites. Traditional malware detection also leaves systems exposed, because it relies on matching against known files. More recently, as we reported in a blog post last February, fileless malware is becoming a greater threat and is nearly impossible for traditional malware solutions to identify, as it hides outside the normal file system in parts of the computer not normally scanned, such as random access memory or even the operating system kernel itself.
- Fraud migration to the US can happen FAST. On average, fraud trends in the US tend to lag the UK by 12 months, but recent events show that the gap may be closing. Note last week’s report that the Trickbot Trojan, which originally hit the European market last year, is now hitting 13 US financial services organizations.