Fraudsters are licking their chops at the thought of infiltrating person-to-person payment systems and enabling a never-ending flow of small-value transactions — with the potential to strike bigger accounts.
After all, they have to adjust their targets significantly in the wake of EMV chip card technology shoring up security at the point of sale and renewed emphasis on deterring fraud from shifting to card-not-present payments.
"We are watching P-to-P risk exposure closely because the small-value, high-volume formula is something fraudsters are looking at," said Sasi Mudigonda, head of financial crime and compliance for Oracle Financial Services.
As a way to control risk, banks can limit P-to-P use by transaction size or by protecting it behind the same authentication layers applied to online and mobile banking. But as the payment method expands to other platforms, as it has in some countries, keeping transactions safe will call for more advanced machine-learning security measures, Mudigonda said.
P-to-P can be a lucrative hunting ground for fraudsters, considering some South American and African markets already rely on P-to-P for a major portion of money transfers, payments and even payroll delivery. Accounting departments at banks and businesses are increasingly relying on the speed of P-to-P methods to pay vendors and suppliers.
Oracle is monitoring digital payment advancements in India in the wake of that country's recent moves to spur the use of electronic payments and reduce reliance on cash, Mudigonda said. Criminals looking to breach digital payment networks are equally focused on what's happening in those markets, he added.
By comparison, the U.S. is in the early stages of P-to-P advancements and adoption, even though the country's large banks are getting behind the Zelle network, and various third-party providers such as PayPal's Venmo are establishing strong user bases.
Still, the task of securing P-to-P registration methods is not lost on financial executives.
"The risk associated with P-to-P is a product set that has long kept many payments execs up at night," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "That's one of the reasons why we've historically seen it tightly controlled with rigorous registration procedures, as well as rules and velocities once a new user is registered."
To more closely monitor P-to-P activity, banks use directory, or look-up, services that can verify a customer's account number or correlate a confirmed account number to a proxy such as a mobile phone number, Conroy added.
"While some of the directory services will alleviate some of those issues, I think a lot of fraud execs are still concerned that the bad guys will find the loopholes before the good guys can seal them up," Conroy said. "I think analytics are one of a variety of services that will help mitigate the risk."
Banks are keenly aware of how fraudsters like to hijack a P-to-P money transfer service to send funds from a compromised bank account to a "mule" account the fraudster controls. But any sort of P-to-P payment is fair game as fraudsters worm their way onto mobile commerce platforms.
Though P-to-P payments differ in some ways from other mobile or remote commerce transactions, the increase in fraud in those areas indicates fraudsters' intent.
The mobile channel experienced an increase of 40% in successful fraud with debit cards in 2016, compared to 24% in 2015, while staying at a level of 45% both years in successful credit card fraud transactions, according to a 2016 fraud cost report from risk solution provider LexisNexis.
P-to-P payments are positioned to benefit from more extensive machine-learning or Artificial Intelligence screening, mainly because of the high volume moving along P-to-P rails.
"In emerging markets, banks are quicker to adopt P-to-P technology and are seeking ways to monitor the activity in an account," Mudigonda said. "The high volume makes it ripe for AI because there is enough data to learn from."
Some payment forms, including wire transfers, don't have enough volume or data to allow banks to benefit from machine-learning algorithms.
"We have a lot of information on card data about user spending patterns and lifestyles and there are many things we can do with machine-learning from card data," Mudigonda said. "Much of that sophistication is not available in the P-to-P arena, but there is data that can be gathered through high volume."
Oracle provides software to its bank clients that provides machine learning and building of security techniques to protect financial transactions, including the P-to-P options.
Five years ago, Oracle supported rules-based risk management tools, but has since concentrated on building machine learning into its platform.
There's a big reason for that.
"Card-not-present fraud is higher than P-to-P fraud right now and probably will be for some time," Mudigonda said. "But I am certain that P-to-P fraud will catch up."