December 5, 2018
November 29, 2018
Posted June 5, 2018
A barrage of press reports about cyberattacks on the bank-backed Zelle personal payments platform is putting a spotlight on the threats posed by peer-to-peer (P2P) payment fraud.
The attention might also point to important lessons for the financial service industry’s digital transformation efforts.
Zelle, Venmo, and Cash are among today’s most popular P2P payment services, which enable users to, among other things, split the bill for dinner or reimburse a friend for buying movie tickets by sending cash to another user via the recipient’s email address or mobile phone number. Nearly 60 percent of people in the U.S. use these P2P platforms, including 80 percent of young adults ages 18 to 34, according to Mercator Advisory Group.
But Zelle is different. Designed to counter PayPal’s Venmo service, Zelle was launched last year by Early Warning, a consortium of banks that include Wells Fargo, Bank of America, Capital One and others.
Today, nearly 60 banks and credit unions belong to the Zelle system, and in many cases, users can access the service directly through their own bank’s mobile app. Transactions take mere seconds.
As the New York Times reports, that speed, ease and convenience may have also made the platform a target for thieves who have used the system to rip off victims. “I know of one bank that was experiencing a 90-percent fraud rate on Zelle transactions, which is insane,” Genevieve Gimbert, a partner in PwC’s financial crimes unit tells the Times, which characterizes P2P payment fraud as “flourishing.”
According to Gimbert, most banks have strong authentication and fraud-detection controls for Zelle. But she says some institutions “just implemented it without any protections.”
Zelle is hardly alone. Venmo, PayPal and others have also been targeted by fraudsters. In fact, the early days of each new P2P payments service has seemed to bring a general predictability to scams.
Some of these cons entail fraudsters pretending to be selling non-existent items online, only to vanish once the transaction is made. Some flip the equation, with crooks buying physical items and then reversing the transaction before the seller takes notice.
That’s why these payment platforms make it a point to emphasize users should only transfer money to people they know and trust.
But other scams are far more nefarious. Take account takeovers, which are up 182 percent in the last year. Using stolen identity credentials acquired through phishing attacks or acquired on the dark web, hackers can hijack a bank account and add their own computers or mobile phones to the user profile.
From there, they can access personal payments services and transfer funds to sham bank accounts before cashing out.
According to the Times, that’s what happened to one Zelle user who discovered someone had gained access to his online accounts and made off with $4,000. The user says he never received an email or text notification about the transaction—or about a new computer accessing his account.
Even factoring in the usual growing pains around security, the matter may be more urgent for Zelle.
While some people use its stand-alone service, many access the system through their bank’s app. When buzz about security issues arise with Zelle, banks within the network may see their own brands sullied, even if they’re not involved.
To mitigate that possibility, the consortium and its member banks may be working to enhance their user verification and authentication capabilities. But striking the right balance can be challenging. Add too much friction, or not enough protection, and you could end up diluting the appeal of personal payments—or send customers rushing off to faster, more secure competitors.
Institutions looking to bridge that gap may look to digital identity-based assessment technologies. These solutions are able to analyze dynamic, real-time data from thousands of sources to instantly detect fraudsters using stolen login credentials or attempting to authorize new devices, without causing user friction.
The same tensions between speed and security may also be instructive to banks undergoing digital transformation efforts of all kinds.
According to Forrester, a growing number of companies are starting to transform the security mandate from something that can have a negative impact into a customer experience enhancement that can help drive growth—but only 10 percent will crack the code this year. Those that do, however can see revenue grow 4 to 8 percent above the average for their market, earning stronger customer loyalty and boosting lifetime values.
It may be worth the effort for P2P payments players. According to American Banker, the total dollar volume of app-based person-to-person payments is expected to triple by 2021, topping $336 billion.
To learn more about how digital identity-based solutions can benefit in the fight against account takeover and peer-to-peer payment fraud, check out exclusive case studies for banks and financial services, here.