Introduction

I seem to be more of a film critic than a fraud blogger lately, with my last two posts examining the accuracy of the fraud techniques used in the film “The Beekeeper.” But as I analyzed a European Banking Authority (EBA) opinion paper published at the end of April, I was reminded of a film title I felt best described that EBA piece: “The Good, the Bad and the Ugly.”

This paper looks at payment fraud data from across the European Economic Area (EEA), analyzes instant-payments risk compared to normal credit-transfer risk, and offers mitigants. It examines where fraud losses are borne (with customers or financial institutions) and the underlying payment fraud types.

The main finding, unsurprisingly, is that Authorised Push Payment fraud (APP) has supplanted Account Take Over (ATO) fraud as the most prevalent fraud type out there. The paper rightly acknowledges that Strong Customer Authentication (SCA) mandated in PSD2 is one of the key factors driving this change. An unexpected consequence, however, is a greater liability shift to the customer, which is something only partially rectified in the forthcoming PSD3 regulation.

The paper makes a lot of good points, but for me it misses out on learnings from countries where APP frauds have been more prevalent for longer (essentially the English-speaking countries).

The good

• The paper recognizes that within the EEA, instant payments feature notably higher fraud rates than normal credit transfers. The EBA states that cross-border fraud rates are about nine times greater in volume than they are for domestic transactions, and instant payments fraud rates about 10 times higher than slower credit transfers.

(This highlights why European banks have concerns about the SEPA Instant Payments rollout happening later this year.)

• SCA has successfully prevented ATO fraud alongside better transaction monitoring, but the bulk of the long-term drop in fraud numbers has come from credit cards (average fraud value decline 40-60%) and not digital payments.

• A sensible breakdown of the main emerging fraud types and whether they are unauthorized or authorized was provided:

◦ Manipulation of the payer (i.e., a scam), as shown with APP and CEO fraud: Victim both initiates transfer and authorizes the transaction.

◦ Mixed social engineering and technical scams, combining real-time phishing/vishing with social engineering: Surprisingly, the paper made no mention of remote access trojans (RATs), which are often used in this type of fraud to bypass device profiling. The paper mentions how EEA banks often recognize this fraud type as authorized, even though it’s really unauthorized.

◦ Enrollment process compromise: Enrolling a new device for purposes of SCA authentication (possession and inherence) via data stealing and social engineering. Again, often misclassified as authorized fraud.

• Under PSD2 there is no reimbursement mandate for authorized payments: it only covers reimbursement for the customer when there has been an unauthorized (ATO) fraud. PSD3 amends this to make banks liable for reimbursement in the explicit case of bank impersonation scams (APP) only.

• The paper also covers confirmation of payee in PSD3 but notes a lack of EEA-wide rollout ahead of SEPA Instant Payments.

• The paper covers the need for amended liability rules beyond PSD3 and the requirement to clarify the delineation between authorized and unauthorized transactions.

• The authors note the need for improved real-time payment profiling, including inbound and cross-EEA fraud-profiling solutions built on data sharing. Cross-border data sharing should not be limited to unique identifiers/IBANs of the payee; it must also include PII of suspected fraudsters (e.g., names, IP addresses and phone numbers used). Hashing that data is also needed so it can be checked in real time while preserving privacy.
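An added illustration (not from the EBA paper or this post) of the hashed-sharing idea: participating banks pool keyed hashes of normalized payee attributes instead of raw PII, and a new payment is screened against that pool in real time. The scheme key, the sample fraud reports and the normalization rules are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed placeholder: a key the payment scheme would distribute to
# participating banks so all of them produce identical tokens.
SCHEME_KEY = b"example-consortium-key-placeholder"


def normalize(kind: str, value: str) -> str:
    """Canonicalize an attribute so the same payee hashes identically at every bank."""
    if kind == "iban":
        return re.sub(r"\s+", "", value).upper()
    if kind == "phone":
        # Assumes the number was captured with its country code.
        return "+" + re.sub(r"\D", "", value)
    if kind == "name":
        return " ".join(value.lower().split())
    raise ValueError(f"unknown attribute kind: {kind}")


def tokenize(kind: str, value: str) -> str:
    """Keyed hash (HMAC-SHA256) so pooled tokens reveal no raw PII."""
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(SCHEME_KEY, msg, hashlib.sha256).hexdigest()


# Constructed fraud reports from two fictional banks. Raw values stay with the
# reporting bank; only the tokens are shared.
REPORTS = [
    ("iban", "DE89 3704 0044 0532 0130 00"),
    ("phone", "+44 7700 900123"),
    ("name", "Alex  Example"),
]
SHARED_TOKENS = {tokenize(k, v) for k, v in REPORTS}


def screen_payment(payee: dict) -> list:
    """Return the payee attributes of a new payment that match pooled indicators."""
    return [k for k, v in payee.items() if tokenize(k, v) in SHARED_TOKENS]


if __name__ == "__main__":
    # Same IBAN as a report, but typed in lower case without spaces: still matches.
    print(screen_payment({"iban": "de89370400440532013000",
                          "phone": "+33 6 12 34 56 78"}))
```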

The bad

• The paper uses data from 2022, but there’s anecdotal evidence that 2023 has seen an even greater acceleration of scams by both volume and value of authorized frauds.

• Although the paper covers controls for these evolving attacks, it does not really give any substantial details about them. It talks about the need for an effective real-time fraud framework for transaction monitoring but doesn’t go much further. Although a paper like this is never going to be prescriptive, it would have been good to see the best practices from English-speaking countries discussed, as these locations have had longer to identify what works.

• There is no mention of behavior on either the client side (looking for changes in user behavior during guided APP fraud) or in payment behavior networks (combined inbound and outbound).

• Instead, it offers proposals such as lowering payment limits and a delay in increasing them. Although these have some effect, they go contrary to the move to frictionless security and fraud controls and create a poor customer experience (especially for more affluent customers who will hit these limits more frequently).

• Similarly, the EBA recommends a lag period from when a new device is enrolled before it can undertake high-risk behavior. Stronger checks on the device, its characteristics, and the user enrolling it could avoid this lag period. When someone legitimately upgrades to a new mobile device, this is going to greatly inconvenience them. We actually see patient fraudsters who deliberately wait a period of time before trying something.

• Another strange recommendation: When refusing to execute a transaction, the user should be notified of the reason for the refusal and receive re-issued payment instructions. This has been proven to be ineffective in APP scams, as the user is under the “spell” of the fraudster.

• The paper makes no mention at all of money-mule detection. The UK PSR regulation introducing split liability has kickstarted mule detection using a variety of techniques. Improved transaction monitoring, both inbound and outbound, centralized transactional behavior within the payment schemes, and proactive behavioral detection of when accounts go from good to bad have been shown to work and to impact the fraudsters’ ability to withdraw funds. Certain EEA countries are already known to be mule hotspots, and Europol runs regular operations to disrupt mule networks. This one I mark down as a big missed opportunity.

The ugly

• One of the main conclusions from the paper is that the majority of digital fraud losses within the EU are now actually borne by the customers. The figures quoted are sobering: The share of losses to the user is 79% across the EEA, which equates to €1.2B in absolute terms, and that only includes those cases reported to banks.

• The share of losses borne by the user also varies considerably across the EEA. This inconsistency does not bode well for SEPA Instant Payments given how much more is lost in instant payments and across borders.

• I suspect the actual figure of customer non-refunded losses is at least 10 times the EBA figure. GASA estimates scammers steal more than $1 trillion globally every year. It also found that typically only around one in 10 victims were refunded for their losses, compared to the 1 in 5 cited in the EBA research.

• The EBA confirms these include a large chunk of unauthorized ATO frauds, which under PSD2 should be refunded by the financial institution. However, the EBA research also shows a broad interpretation of “gross negligence,” primarily thanks to the SCA.

• The EBA goes as far as to say some member states consider all SCA-authenticated transactions vulnerable to only authorized fraud, as some element of social engineering made the customer liable.

Conclusions

This paper shows how we must now look at SCA as a double-edged sword. Although it effectively put a stop to one type of fraud (ATO), it also led to a rise in social engineering attacks, which in turn caused banks to refund less and shift liability to the consumer.

So, taking a step back, should we see the SCA as harmful to consumers, with the additional complexity introduced leaving them more open to social engineering and non-reimbursement?

I get the feeling the fraud experts within the EBA are very worried about SEPA Instant Payments considering this and are rightly trying to shine a light on what is happening using empirical data to back it up. They accurately define the problem space and highlight how PSD3 needs to do more to clarify the differences between unauthorized and authorized frauds and show how hybrid attacks might actually end up in the customer’s favor. I sincerely hope that more is added to PSD3 in amendments to better protect fraud victims, as the EBA intimates in this paper.

The paper, unfortunately, also misses an opportunity to offer real insights into how layered controls can tackle authorized fraud and its variety of scams. Australia and the UK have implemented behavioral analysis of customer sessions, which has reduced the absolute numbers of attacks in both volume and value. Taking this data into a comprehensive risk engine alongside inbound and outbound payments gives so much more context. Lastly, taking action against mules – whether during the transaction stage or beforehand – is crucial to combating scams, which are almost impossible to detect from client transactions only (e.g., romance and investment).

The only time friction should be introduced into a banking journey is when there is something wrong (the idea of sand in the gears to get scam victims to have a cooling-off moment to realize what has happened, for instance). Limiting device access or payment limits leads to frustrated customers and reputational and operational costs to the bank.

Winston Churchill wrote: “Those that fail to learn from history are doomed to repeat it.” I worry the EBA and EEA are going down the same path as the UK if PSD3 is not amended to better favor the customer. When UK banks were under a voluntary code for reimbursement (the Contingent Reimbursement Model), customers were not refunded consistently across different organizations. The media and consumer organizations combined to call out what they perceived as unfair treatment of customers.

This has led to strict regulation from the UK Payment System Regulator (PSR), mandating full refunds for most types of digital frauds and scams. This refund is split between the sending and receiving bank and has sparked some of the biggest fraud improvements seen since Faster Payments were introduced.

Some countries such as Sweden are already seeing the effect of media pressure, showing the real extent that digital scams (authorized and hybrid) are having on the country. I wonder how fast PSD4 might end up being introduced if sufficient safeguards or guidelines are not implemented as amendments to PSD3. European nations are seeing enough fraud right now to qualify as threats to national security. Pushing liability for that fraud back onto victims is neither the correct nor ethical stance to take.
