Stopping Faster Payments Fraud, Faster

When the U.K. implemented Faster Payments, fraud tripled as fraudsters exploited the vulnerabilities of a new system that moved money in an instant. In the latest Data Drivers, BioCatch’s head of Cyber Strategy tells Karen Webster how new tools and technologies can slow fraud to a crawl, even as payments move fast.

Faster is better for payments. Faster is better, too, for fraudsters.

In the latest Data Drivers, Uri Rivner, head of Cyber Strategy at BioCatch, stated that as countries around the world embrace faster payments, they may do well to heed some sobering statistics on fraud gleaned from the United Kingdom’s own experience.

Data Point One: 300 Percent

This is the rate of fraud that has been documented in the U.K. between 2007, before faster payments, and 2008-2010 — all of which is to say that fraud tripled in the wake of faster payments.

Even though banks were ready for faster payments right when implementation came, stated the executive, it was a huge jump in fraud. For the bad guys, “it’s almost like Christmas came early,” he said. Before faster payments, the waiting was all — simply put, the fraudsters had to wait for the money to hit accounts before they could abscond, a process that could take hours or even days. In the meantime, the banks could be vigilant and look for anomalies and find out and root out wrongdoing, stopping withdrawals before they could be made.

“Now the industry moved into making decisions in a matter of seconds,” he said, so “it’s no longer … let’s have the transaction go through because we have a few hours to a few days to sift through the transactions and look for anomalous ones and then stop them.” Now the money is in the destination and out (and gone) with haste.

“For fraudsters, it is great because they do not have to worry about making all these investments in fraud and not seeing the fruit of that.” In the U.K., he continued, it had been fine to find fraud after the fact in the wake of faster payments and then try to recover the money, but it was, in many cases, too late.

Bad news for the U.S. then, on its own path to faster payments? Could be, said Rivner, as “we should expect” a similar outcome with any country that moves into faster payments.

Queried by Webster whether banks had, or even have, the right tools in place to stop this, Rivner replied that banks “didn’t think that [fraud] would move that quickly,” and the need is always there for strong authentication. Another benefit which comes hand-in-hand with transaction monitoring — in real time — where technology and human interaction can be effective in stopping fraud.

Looking back on that tripling in fraud in the U.K., Rivner cited the growth in the number of attacks was tied to an increase in the sophistication of those attacks.

Data Point Two: 100 Percent

This is the percent growth of fraud that was done in the U.K. amid sessions marked by stronger authentication. This comes, Rivner explained, despite stronger authentication efforts, such as those tied to two-factor identification, which were protocols banks deployed and users knew about in the U.K. Other efforts centered on tokenization or smart card readers.

“From a user experience it was quite horrible, and from a security perspective it was perceived as being very, very strong,” noted Rivner. Yet despite these efforts, fraudsters developed clever ways not just on how to breach these defenses, but also how to circumvent those efforts.

They found ways to get the information from the users by other means: where, for example, browser attacks proved effective, or where, post authentication, once hurdling “something you have [a device] and something you know [user-specific information], malware could hijack a session and move money automatically. All of this happened, more or less, at the same period of the faster payments,” said Rivner, and its introduction into the U.K.

Data Point Three: 24 Percent

This is the percent by which fraud declined after these banks started introducing behavioral biometrics into their processes. Biometrics represents “relatively a new entrant” into the fraud defense arsenal, with an introduction around three years ago and deployment two years ago across several U.K.-based banks.

Looking at 2014 to 2015, fraud showed a huge bump in the U.K., up six times. One wrinkle explains that leap: Remote access, a tool deployed by fraudsters, “eliminate[s] these [aforementioned] lines of defense — strong authentication on one hand … and malware … and then banks looked for technology to combat that.”

Remote access attacks have a few flavors, including malware, and efforts to trick users into installing software that allows that access. But beyond that, the goal is the same, with fraud driven by remote access: To understand and then mimic user behavior as they interact with their devices, from the keyboard to the mouse, how they scroll through pages and so on — in other words, there’s insight into hand/eye coordination that looks to fool multiple levels of payments vigilance.

As a line of defense, said Rivner, behavioral biometrics can be deployed to detect robotic behavior and uncover malware as it tricks users, for example, to click on buttons designed by a fraudster to help move money illicitly. In the end, behavioral biometrics is “user agnostic.” The real-time analysis may know nothing about the specific user under scrutiny, but it can root out threats regardless, because it differentiates between “good users and bad users” in general.

In one scenario, consider the online credit card application process, where honest people looking to get a card will peruse the application, interact with it and deliberate over questions. Criminals, conversely, will have an identifiable methodology in filling out the application — likely a rote process as they do it several times daily — and there can even be a tell when using shortcuts when shifting through tabs with speed to get the application in (less than 1 percent of applicants may be conversant in these shortcuts).

Such minute observations can lead to effective anti-crime efforts. And to paraphrase Sherlock Holmes, when it comes to payments fraud, “what one man can invent, another can discover.”

To learn more about faster payments, faster fraud, join PYMNTS CEO, Karen Webster and Uri Rivner, head of Cyber Strategy and vice president of Business Development at BioCatch on June 19th for a deep dive into the UK fraud landscape and practical insights for the future of faster payments in the US.