Must faster payments come with faster fraud?
As the coronavirus pandemic has driven more people to work from home and shop online, the demands on digital, faster payment systems have been heightened — as have the opportunities for fraudsters to exploit them.
"As we have been forced to disperse from these large physical concentrations that most of us were used to, like an office, plant or building, we had to pivot to something different in a short period of time," said Adm. Michael Rogers, former director of the National Security Agency.
While many have made this transition fairly smoothly, with basic IT structures in place, it highlighted the differences in connectivity across the world, exposing weaknesses in redundancy and resiliency, Rogers said this week during a keynote at the Chicago Payments Symposium hosted by the Federal Reserve Bank of Chicago.
"You have actors out there trying to take advantage of that," said Rogers, who also served in the past as the chief of the Central Security Service and commander of the U.S. Cyber Command. "Those actors would be nation states, criminal groups and individuals."
The playbook for criminals has not really changed; it just has a wider range of targets and security gaps to focus on. Attackers examine a payment structure and how it was built and how it operates, and they go after individuals who have access to networks; they also research all of the external entities that have access to a payment network, Rogers added.
Payments and financial service providers have had a good track record of quickly addressing security gaps and concerns, with messaging standards provider Swift's past dealings with attacks on its network serve as an example, Rogers said.
But challenges will mount as payments technology advances during the pandemic and after it passes.
"Digital currency is going to be an interesting area in the financial arena in the coming years," Rogers said. "I really embrace the idea of getting into digital currency, but there are hundreds of different digital currencies right now, with no standardization, no security and no oversight."
If a new network or concept "doesn't have speed, efficiency, security and accuracy, you don't have trust," Rogers added. "That will be a challenge for payments and financial structure in how you integrate digital currency."
Providers advancing the concept of faster payments and digital currency acknowledge that security is not only a top priority, but a major aspect of research analyzing the pros and cons of faster payment rails and their expanding list of use cases.
They also take into account that scammers like to quickly move money or exploit credentials they have stolen, so they are understandably enamored with faster payments rails. But the notion that faster payments automatically equates to faster fraud overlooks the reality that faster fraud prevention and transaction authorization tools are also in place.
"It is critically important to lean into a data analytics strategy that really is in parallel with your faster payments strategy as you are rolling that out," Dondi Black, vice president of banking solutions at FIS, said at the conference. "By leveraging your data more effectively, you are going to be better positioned to protect the front door in terms of authentication strategies."
Authorization goes beyond approving a person making a transaction, as it now dips into device recognition and provision, shopping behaviors and patterns. "Gone are the days of relying on a secure password or asking the person what street they grew up on, so we have to start thinking differently about leveraging data and pulling it in," Black said.
FIS has been emphasizing security through its issuers and acquirers as they create more closed-loop environments since the expansion of its client database from its 2019 acquisition of Worldpay.
"We are removing friction and enabling much more contextual, relevant communications, and that has direct implications on the fraud life cycle as well," Black added. "Data really is the secret sauce when thinking about how to support more layered authentication strategies … and to put real-time services in place."
Collecting and deciphering data today is much more complex than it was just five years ago, and security vendors are bringing complex new machine-learning tools to the table that may leave prospective clients unsure of what to do, said Yuval Marco, general manager of fraud and authentication management at NICE Actimize.
"One of the challenges, really, is knowing where to get the biggest bang for the buck," Marco said.
Whether a bank or credit union, there is some uncertainty about which level of integration to initiate and where to start within the network when moving toward faster payments and digital money movement, Marco said.
"Should I reinforce my account balance, and then my account services, or something else," Marco said. "Vendors need to include in their guidance, information about what type of data to prioritize."
Another aspect is evaluating the investment in architecture that would allow the introduction of new data — more efficiently and at less cost, Marco added.
In conducting research about faster payments and digital currency, the Federal Reserve Bank of Boston has been working with MIT Digital and others to get a clear understanding of how best to address fraud in a faster payments environment.
The Fed has also established its FraudClassifier model to break down the various types of fraud and deliver it as a communications tool for banks and businesses to better understand what they are dealing with
"A year ago the Fed convened a group of security officials and we came up with a model for classifying fraud, with our focus on ACH and wire, because there was no standard set of definitions there," said Jim Cunha, senior vice president of secure payments at the Boston Fed.
The FraudClassifier would be applicable to faster payments schemes and provide a clear illustration that maps every type of fraud, breaking down authorized and unauthorized transaction initiators.
"We believe it is simple and intuitive and able to be used for any type of payment," Cunha said.
The Fed envisions the model helping to encourage the sharing of fraud information and allowing all parties to be classifying it under the same categories as a security measure.