While peace on earth and goodwill toward men tends to be the theme in the last two weeks of the year, payments and commerce has been a bit spicier than that as the year is easing out. The theme this week was a bit of strife out in the ecosystem. Over P2P payments, security at the gas station point of sale (POS) and even over direct deposits, there were a lot of moving parts last week that apparently had some issues moving in tandem.
And while one ended up settled pretty quickly, the other two likely will be among the things to watch when 2020 get started in a little over a week.
Venmo and PNC’s Spat Over Zelle
In the world of modern financial services, those who hold the data have the power. Which is why reports emerging in media that banks might be strategically blocking FinTech firms’ access to consumer data quickly caught so much attention.
The most notable example, according to reports, are allegations from PNC Bank clients that they were unable to connect accounts to Venmo, the payment service owned by PayPal. When they complained, text messages show that PNC Bank seems to have suggested thost users switch to bank-backed P2P payments system Zelle. PNC is part of the consortium of banks that own Zelle.
“We’ve made some security enhancements which may be causing difficulty when attempting to link your PNC acct with Venmo. If you are having this difficulty, you may want to explore alternative means of money movement, such as Zelle, or work directly with Venmo on other options,” said PNC.
Venmo responded on social media — encouraging affected customers to tweet complaints The firm even suggested verbiage: “Hey PNC Bank … Let me use the financial service apps I need!”
The tug of war represents the delicate data dance. Banks hold the data. FinTechs need the data. The specific issue in this case seems to be a security concern that prevented Plaid from accessing end-user data, such as routing information. Plaid is a data aggregator that connects apps including Venmo to financial institutions.
“When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers. This puts customers and their money at risk,” said Karen Larrimer, PNC’s head of retail banking and chief customer officer. “We want to make sure we know who is setting up the account.”
Plaid has said it has gone on to provide system updates and that Venmo users will be able to make the connections they need.
The Rising Tide of POS Attacks at Gas Stations
As of late 2019 most consumers are familiar with skimming attacks — when criminals install a device on a fuel pump to lift a consumer's credit card number while they pay for gas. According to Visa, it seems those thieves targeting gas pumps are raising the level of their technical game with three new and distinct attacks.
The first, Visa said, is a phishing attack that targets station employees though malware-packed email. When the employee clicks on the wrong link a Remote Access Trojan (RAT) virus gains access to the merchant network.
“The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data,” Visa noted.
The second attack identified is a different breach of access inside the fuel dispenser system that directly scrapes data from that POS, although how they got access is not known.
The third attack is currently being used on hospitality merchants but may eventually be used at a gas station that offers a full shellcode backdoor to merchant systems. Visa thinks that cybercrime group FIN8 may be responsible for this particular attack. The good news is that it hasn’t been seen at fuel merchants yet, Visa said, but fuel dispensers should have their eyes open for it.
“While the malware used in this attack was not identified in the attacks against the fuel dispenser merchants, it is possible FIN8 will use this malware in future operations targeting fuel dispenser merchants,” Visa said.
A Hiccup at the Fed Shakes Direct Deposits
If there were a worst weekend for a blip with direct deposits, it would almost have to be the be the weekend before Christmas. And yet that seems to have been the situation on the street last week, when the Federal Reserve noted there had been a brief delay on Thursday (Dec. 19) for direct deposits and other financial transactions due to a “disruption” in the automated clearing house (ACH) network. Said issue brought about delays in settlements.
The problem was resolved fairly quickly — the Fed reported that by 10:31 a.m. Eastern Time all systems were functioning as they typically do, and the issue had been resolved by technical staff.
It remains unknown how many banks experienced the problem or what caused the problem in the first place, though the Fed confirms tech staff are looking into the cause.
The central bank also noted that payment files for Dec. 18 had been finished, but some transaction reports would not be on time.
“The Federal Reserve is encountering issues, which is delaying ACH files,” Florida-based financial service firm VyStar Credit Union told clients in a tweet. “This issue is affecting all financial institutions. We will process the file as soon as we receive it.”
In an alert, the Fed said apologized for the inconvenience and disruption this has caused to operations at banks.”
It seems the effects were fairly minimal. The largest bank in the U.S., JPMorgan Chase, noted that impacts were minimal for customers.
So the good news of the week is that the Fed seems to have gotten things back on track — and the deposits went out more or less on time. The not-so-good news is we suspect that fight for end-user data and the ever advanced nature of cybercrime probably will not be one-off stories so much as recurring themes in the new year.
But until then, Happy Holidays from the team at PYMNTS Data Dive. We’ll see you in the new year to get you all caught up.