Deep Dive: Securing P2P Apps Against Scams And ATOs

A need for faster and easier ways to pay during the pandemic has quickly made peer-to-peer (P2P) payment apps popular among U.S. consumers. Consumers of all ages appear to be increasing their adoption of payment apps provided by financial institutions (FIs). Customers who are at heightened risk of serious health complications might use these tools to repay neighbors who pick up groceries for them, for example. Payment apps are also frequently used for splitting bills among friends and sending money to family members, but consumers do not limit themselves to sending funds to trusted contacts, and that willingness puts many at risk of falling victim to scams.

This month’s Deep Dive examines the ways that bad actors try to exploit P2P payment app users via scams and account takeovers (ATOs). It also details how payment service providers can up their defenses against such threats.

Fraudulent Sellers

Consumers are more likely to fall victim to fraudulent schemes when they assume there are stricter security measures protecting their P2P app transactions than there are in truth. Major P2P apps like PayPal and Zelle do not have policies protecting users against losses from payments they themselves authorized to recipients who turn out to be scammers. Bad actors exploit customers who are unaware that they will not be able to reclaim their funds. Criminals might connect with consumers over online marketplaces with offers to sell items in exchange for payment made upfront via P2P apps, accept the money and then never deliver the promised goods. Fraudsters know that consumers have little ability to regain funds lost this way because an authorized P2P transfer lacks the chargeback protections that a credit card purchase has.

Users are most likely to fall victim to such schemes when sending funds to recipients they have never met and therefore have been unable to vet, since there is no way to tell whether an unknown party is legitimate before the money is gone. This problem is widespread: 53 percent of respondents in a 2019 survey said they had used P2P apps to send money to unknown sellers on bidding platforms like eBay, and 47 percent had used the apps to pay strangers in response to classified ads, such as those posted on Craigslist. Some payment app providers have sought to foil such scams by giving consumers better information, including pop-up alerts that warn users about the risks of sending money to recipients they do not know. Other apps have added steps that require customers to review and confirm payment details before funds are sent instead of enabling one-click transactions. This gives consumers time to check the amount and recipient and reduces the chance that funds are accidentally sent to the wrong person.

Account Theft

Raising awareness among users about potential threats is important, yet P2P apps must also prevent criminals from accessing their services, and that can be challenging. P2P apps may succeed in stopping fraudsters from opening accounts, but bad actors can still find ways to seize control of accounts belonging to honest customers. Fraudsters that have gained control over a legitimate account can then easily steal victims’ money, and P2P payment platforms must therefore stand on guard.

Criminals that plan to commit ATO fraud often first need to find details about their intended victims. They might hack databases to obtain information like consumers’ emails and phone numbers or they might find such information already available on the dark web from previous data breaches. Criminals often have an easy time gathering such details on victims because modern consumers tend to have many digital accounts, and any single successful attack can be enough to steal personal details such as addresses, emails or phone numbers. Researchers in 2019 discovered an unsecured database containing more than 267 million records about Facebook users, including their full names and phone numbers.

Cybercriminals equipped with users’ contact details can then message those victims under the pretense of being representatives of their bank or of a P2P app installed on their phone and urge them to hand over sensitive app login information. Fraudsters also want details like consumers’ names and banks because including such information in phishing texts and emails lends an air of legitimacy to the masquerade, making the scheme harder to detect. Criminals who successfully convince users to hand over login information can take control of the accounts and lock out the original owners.

In one recent example, scammers sent users alerts about supposedly fraudulent transactions. The ploy let the criminals glean enough information to enter targeted customers’ accounts and reset the passwords, giving them complete control of the accounts. The fraudsters were able to make $2,000 worth of transactions.

App providers can up their defenses against such attacks by requiring a login factor that a phished password does not give the attacker, such as a biometric check. A payment app customer might confirm a login by having the smartphone scan a fingerprint, for example: the biometric is verified locally on the enrolled device rather than typed into a form, so it cannot be captured by a phishing text or handed over by a tricked user the way a password can.
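The reason a device-verified biometric resists the phishing described above is that the biometric unlocks a secret held on the phone, and the server checks that secret with a fresh challenge. The following is an added example written for this article, not code from any payment provider: it assumes a per-device key enrolled at setup and released only after a local biometric check (simulated by a boolean), and uses an HMAC over a server nonce in place of the public-key signature real implementations would use. It shows that a stolen password alone, or a replayed response, is rejected.

```python
"""Step-up login with a device-bound secret: a phished password is not enough.

Added example, not code from the original article. Assumptions: one enrolled
device per user, a per-device key released only after a local biometric check
(simulated by a boolean), and HMAC-SHA256 standing in for a device signature.
"""
import hashlib
import hmac
import secrets

# Assumed user store. Plaintext passwords only to keep the example short.
PASSWORDS = {"alice": "hunter2"}
# Assumed enrollment: the key is generated on the device and registered with
# the server once; it never travels in a login request.
DEVICE_KEYS = {"alice": secrets.token_bytes(32)}


class Server:
    """Password check followed by a single-use challenge the device must answer."""

    def __init__(self):
        self.challenges = {}  # user -> outstanding nonce

    def start_login(self, user, password):
        """Return a fresh nonce if the password is right, else None."""
        if PASSWORDS.get(user) != password:
            return None
        nonce = secrets.token_bytes(16)
        self.challenges[user] = nonce
        return nonce

    def finish_login(self, user, nonce, tag):
        """Accept only a MAC over the outstanding nonce; the nonce is consumed."""
        expected_nonce = self.challenges.pop(user, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected_tag = hmac.new(DEVICE_KEYS[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected_tag, tag)


class Phone:
    """The enrolled device: holds the key and uses it only after the biometric passes."""

    def __init__(self, user, key):
        self.user = user
        self._key = key

    def answer(self, nonce, biometric_ok):
        if not biometric_ok:
            raise PermissionError("biometric check failed; key not released")
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def legitimate_login():
    """Right password, enrolled phone, fingerprint accepted."""
    srv, phone = Server(), Phone("alice", DEVICE_KEYS["alice"])
    nonce = srv.start_login("alice", "hunter2")
    return srv.finish_login("alice", nonce, phone.answer(nonce, biometric_ok=True))


def phished_password_login():
    """Attacker has the password from a phishing text but no enrolled device."""
    srv = Server()
    nonce = srv.start_login("alice", "hunter2")
    forged = hmac.new(b"attacker-has-no-device-key", nonce, hashlib.sha256).digest()
    return srv.finish_login("alice", nonce, forged)


def replayed_answer_login():
    """A captured (nonce, tag) pair is useless once the nonce has been consumed."""
    srv, phone = Server(), Phone("alice", DEVICE_KEYS["alice"])
    nonce = srv.start_login("alice", "hunter2")
    tag = phone.answer(nonce, biometric_ok=True)
    first = srv.finish_login("alice", nonce, tag)
    second = srv.finish_login("alice", nonce, tag)  # replay of the same answer
    return first and not second


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished password only:", phished_password_login())
    print("replay blocked:", replayed_answer_login())
```

The point of the nonce is that the device's answer is bound to one login attempt, so a response captured in transit cannot be reused, and the point of the device key is that the phished password by itself gets the attacker no further than the challenge.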

Other fraud attacks occur when bad actors direct bots to rapidly submit many username and password combinations to a payment app’s login, either guessing passwords outright or replaying credentials leaked in earlier breaches, in hopes of stumbling across a pair that opens a victim’s account. Payment app providers can detect these kinds of automated attempts by monitoring for red flags like spikes in login attempts and significant increases in login failures, especially those involving usernames that do not correspond to any real account holders, a strong sign that a list of credentials stolen from some other service is being tried against the app.
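The signals just listed can be checked with a small amount of log analysis. The following is an added example, not code from the original article or from any payment provider: it runs a detector over a constructed sample of login log lines (the log format, field names, IP addresses and thresholds are all assumptions) and flags a source address whose attempts in one minute are mostly failures and mostly against usernames that do not exist, plus the overall jump in login volume that minute. It also lists any account that the flagged source did log into, since that is the account to force back through step-up authentication.

```python
"""Flag brute-force / credential-stuffing bursts in login logs.

Added example, not code from the original article. The 'time ip=.. user=..
result=..' log format, the thresholds and the addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one quiet minute, then a bot from 203.0.113.5 working
# through a leaked credential list. Several usernames it tries do not exist
# on this service, and it happens to hit carol's password on the way.
KNOWN_USERS = {"alice", "bob", "carol", "dave"}
SAMPLE_LOG = """\
2021-03-04T10:00:05Z ip=198.51.100.7 user=alice result=success
2021-03-04T10:00:41Z ip=198.51.100.9 user=bob result=fail
2021-03-04T10:00:52Z ip=198.51.100.9 user=bob result=success
2021-03-04T10:01:00Z ip=203.0.113.5 user=alice result=fail
2021-03-04T10:01:01Z ip=203.0.113.5 user=jsmith88 result=fail
2021-03-04T10:01:01Z ip=203.0.113.5 user=mwilliams result=fail
2021-03-04T10:01:02Z ip=203.0.113.5 user=bob result=fail
2021-03-04T10:01:02Z ip=203.0.113.5 user=tlee2 result=fail
2021-03-04T10:01:03Z ip=203.0.113.5 user=rjohnson result=fail
2021-03-04T10:01:03Z ip=203.0.113.5 user=carol result=success
2021-03-04T10:01:04Z ip=203.0.113.5 user=kbrown result=fail
2021-03-04T10:01:04Z ip=203.0.113.5 user=pdavis result=fail
2021-03-04T10:01:05Z ip=203.0.113.5 user=dave result=fail
2021-03-04T10:01:05Z ip=203.0.113.5 user=sjones result=fail
2021-03-04T10:01:06Z ip=203.0.113.5 user=alice result=fail
2021-03-04T10:01:30Z ip=198.51.100.7 user=dave result=success
"""


def parse_line(line):
    """Parse one assumed-format log line into a record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "ip": rec["ip"], "user": rec["user"], "ok": rec["result"] == "success"}


def window_start(ts, window_seconds):
    """Align a timestamp to the start of its fixed-size window (epoch seconds)."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window_seconds


def aggregate(events, known_users, window_seconds):
    """Per (source ip, window) counters, plus total attempts per window."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "unknown": 0, "users": set()})
    per_window = defaultdict(int)
    for e in events:
        w = window_start(e["ts"], window_seconds)
        s = per_ip[(e["ip"], w)]
        s["attempts"] += 1
        s["failures"] += 0 if e["ok"] else 1
        s["unknown"] += 0 if e["user"] in known_users else 1
        s["users"].add(e["user"])
        per_window[w] += 1
    return per_ip, per_window


def detect(log_text, known_users, window_seconds=60, min_attempts=10,
           fail_rate=0.8, unknown_rate=0.5, spike_factor=3.0):
    """Return alerts for bursty sources and for windows with a volume spike."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_ip, per_window = aggregate(events, known_users, window_seconds)
    alerts = []
    for (ip, w), s in sorted(per_ip.items()):
        if s["attempts"] < min_attempts:
            continue  # too little traffic from this source to judge
        reasons = []
        if s["failures"] / s["attempts"] >= fail_rate:
            reasons.append("high_failure_rate")
        if s["unknown"] / s["attempts"] >= unknown_rate:
            reasons.append("unknown_usernames")
        if reasons:
            alerts.append({"type": "source_burst", "ip": ip, "window": w,
                           "attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "reasons": reasons})
    # Overall spike: this window carries spike_factor times the previous window's logins.
    windows = sorted(per_window)
    for prev, cur in zip(windows, windows[1:]):
        if cur - prev == window_seconds and per_window[cur] >= spike_factor * per_window[prev]:
            alerts.append({"type": "login_spike", "window": cur,
                           "attempts": per_window[cur], "previous": per_window[prev]})
    return alerts


def suspect_logins(log_text, alerts, window_seconds=60):
    """Accounts successfully logged into from a flagged source in the flagged window."""
    flagged = {(a["ip"], a["window"]) for a in alerts if a["type"] == "source_burst"}
    users = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["ok"] and (e["ip"], window_start(e["ts"], window_seconds)) in flagged:
            users.add(e["user"])
    return users


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, KNOWN_USERS)
    for a in found:
        print(a)
    print("force re-authentication for:", suspect_logins(SAMPLE_LOG, found))
```

In production the thresholds would be tuned against the service's own baseline and the per-source key would usually combine address with device fingerprint, since stuffing campaigns spread attempts across many addresses; the unknown-username ratio is the signal that survives that spreading, because a list leaked from another site will keep naming accounts the app has never issued.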

P2P payment apps solve critical problems for consumers who need convenient ways to make transactions while avoiding handling cash and credit cards during the pandemic, but consumers are unlikely to use these apps if they have security concerns. Implementing tight fraud monitoring and strong authentication could therefore also lead to an upswing in P2P app use, prompting customers to make these services part of their long-term payment habits.