Peer-to-peer (P2P) payments have been around since the early days of digital commerce, and mobile P2P passed the $120 billion mark last year. One in three American consumers uses P2P apps to make instant payments to friends, relatives, service providers, or anyone they owe money.
Opening a P2P account is easy and doesn’t require identity verification. The account itself is pretty useless until it’s linked to a credit card or checking account, a verification process that goes through a bank or card company’s site and usually requires quick verification using some sort of strong authentication.
And that’s where P2P Fraud comes in.
Any single point of verification is pretty useless these days. Fraudsters have countless ways to bypass authentication, be it regular, strong or multi-factor.
Using a combination of malware, social engineering, remote access, SIM swapping, call forwarding or a dozen other techniques, cyber criminals can easily circumvent two-factor authentication.
Dig this: in the UK, fraud levels in 2007 were at 22 million pounds when the industry moved to multi-factor authentication. Most banks use a physical smart card and reader system, while others use out-of-band authentication. In 2015 fraud levels were already at 133 million pounds. 100% of the fraud was in strongly authenticated sessions.
In the US, SIM swaps – a challenge that has been hitting European financial services for over a decade – are now becoming a major issue. It’s a best practice of sorts, used by criminals to bypass SMS authentication, now the most popular method used by web and mobile applications in first time registrations or re-enrollment from a new device. Other best practices include using simple tricks to bypass some behind-the-scenes controls used by the P2P schemes to verify the user’s ownership of the device and its geolocation.
Without going into details, criminals simply flock in to attack this gap: the fraudsters can set up a new P2P account, attach several compromised bank accounts, and immediately start spending without anyone at the P2P network or the individual bank suspecting foul play.
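The gap described above can be checked at payment time. The sketch below is an added example, not part of the original article or any P2P network's code: it holds a payment when a new account has several linked funding sources and spends right after linking. The thresholds, event fields and the "different holder names" signal are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the article).
NEW_ACCOUNT = timedelta(hours=24)   # account still counts as "new"
MAX_SOURCES_WHILE_NEW = 2           # linked funding sources tolerated while new
COOL_OFF = timedelta(hours=1)       # minimum gap between linking and spending

def review_payment(history, payment):
    """Return the reasons to hold `payment` for review (empty list = allow).

    `history` holds the P2P account's prior events; the check runs at payment
    time, before the instant transfer leaves.
    """
    opened = next(e["ts"] for e in history if e["type"] == "open")
    links = {e["source"]: e for e in history
             if e["type"] == "link" and e["ts"] <= payment["ts"]}
    reasons = []
    is_new = payment["ts"] - opened < NEW_ACCOUNT
    if is_new and len(links) > MAX_SOURCES_WHILE_NEW:
        reasons.append("many_sources_on_new_account")
    # Assumed signal: compromised accounts tend to carry different holder names.
    if is_new and len({e["holder"] for e in links.values()}) > 1:
        reasons.append("sources_in_different_names")
    link = links.get(payment["source"])
    if link is None:
        reasons.append("unknown_source")
    elif payment["ts"] - link["ts"] < COOL_OFF:
        reasons.append("spend_right_after_link")
    return reasons

def _t(minutes):
    """Constructed timestamp: minutes after an arbitrary start."""
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minutes)

# Constructed sample data: one account matching the pattern, one ordinary.
SUSPECT = [
    {"type": "open", "ts": _t(0)},
    {"type": "link", "ts": _t(3), "source": "bank-A", "holder": "A. Smith"},
    {"type": "link", "ts": _t(5), "source": "bank-B", "holder": "B. Jones"},
    {"type": "link", "ts": _t(6), "source": "bank-C", "holder": "C. Brown"},
]
ORDINARY = [
    {"type": "open", "ts": _t(-60 * 24 * 90)},
    {"type": "link", "ts": _t(-60 * 24 * 89), "source": "bank-Z", "holder": "D. Lee"},
]

if __name__ == "__main__":
    print(review_payment(SUSPECT, {"ts": _t(9), "source": "bank-B"}))
    print(review_payment(ORDINARY, {"ts": _t(0), "source": "bank-Z"}))
```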
Faster Payments, Faster Fraud
One of the reasons P2P networks are a preferred target is the speed of monetization. Instant payments are a ‘Christmas comes early’ scenario for cyber criminals: we’ve said it before, faster payments mean faster fraud.
In most countries the speed of financial transfers between banks is 1-3 days, or overnight at best. The UK was the first market to fully move to Faster Payments 10 years ago, as part of a regulatory move that required British banks to move money within seconds rather than within hours or days.
The result: fraud tripled overnight, despite implementing strong authentication in preparation for Faster Payments. Fraud teams were not prepared for the idea of having to make real time decisions instead of looking at suspect cases in case management queues. It was a golden age for fraud.
The same effect is now beginning to hit the US market. In the banking sector instant payment schemes are being introduced not as a regulatory control but rather as an optional track, with the first being same-day ACH, but adoption will take a few years.
There’s one exception: the mobile P2P market. Here the banks are keen to beat alternative P2P offerings and allow instant money transfer using P2P mobile apps. And again, it’s something fraudsters really appreciate. They are already equipped with quick ways to either receive money via the P2P application into mule accounts they control, or otherwise use it to pay for goods that can be sold and monetized.
P2P Fraud & Fake Sellers
Another way to exploit P2P transfer is known as the fake seller problem. Many users report being scammed by cyber criminals who have opened fake P2P accounts and use them to defraud unsuspecting victims. The scam is simple: bogus sellers offer goods such as concert or sports event tickets, ask the buyer to pay with a P2P service, and once the money is moved – withdraw the funds from the bank or credit account linked to the P2P service and disappear.
This sort of scam relies on another vulnerability – the ease of opening fake credit card and bank accounts. Fraudsters open multiple accounts, effortlessly bypassing KYC controls as they already have all the identity information they need. Once they control accounts, they can attach them to a P2P service, tempt people to pay them, and immediately take the money and run.
This creates a big reputational risk for the banking sector as well as the P2P networks. Customers expect P2P payments to be as secure as any other digital money transfer. Controlling the onboarding process to the P2P network as well as the account opening process in banks and credit card issuers is becoming a key priority.
Identity is Broken
What fuels the identity theft wildfire is the sheer mass of compromised identities. Of the 1,579 data breaches last year, hacking was responsible for 60 percent of the attacks, according to the ITRC 2017 report. If you’re a US citizen, there’s a good chance your identity data is already in the wrong hands and being traded like any commodity.
The level of account opening fraud in the financial sector, and other sectors, grows at an alarming rate as Know-Your-Customer checks are no longer stopping fraudulent online account opening. AITE Group estimates that 47% of financial fraud losses in digital channels are now due to account opening.
Fraudsters engage in either identity theft – opening an unauthorized account after obtaining the victim’s identity data – or synthetic identity creation, where they exploit various gaps in the industry’s controls to produce a doctored identity that is completely fake, yet miraculously has a perfect credit record. Both fraud methods easily defeat traditional Know Your Customer (KYC) checks, which match the personally identifiable information provided by a new applicant with data on record.
Traditional controls such as device reputation and geo-locational analysis become less effective as fraudsters fully understand that their access device and location are being monitored, and the industry is now attempting to establish a new defense doctrine against identity theft and account opening fraud.
Tracking a person’s interaction patterns as they open a new account – known as behavioral biometrics – has proven to be one of the most effective next-generation tools that show promise in the fight for digital identities.