The New Payments Platform: fraudsters will be ready but will we?

Natalie Faulkner, Director, Forensic
Natalie Faulkner, Director, Forensic

With 35 countries implemented, or scheduled to move to near real time payments systems a new world of opportunity for fraudulent payments is also opening up. Although systems differ between each country, they have in common domestic, inter-bank, electronic payment confirmation to the originator and receiver in one minute or less.

In Australia, at date of publication, 13 banks have committed funding to build the NPP, working with KPMG as the Programme Manager, SWIFT, BPAY and the Reserve Bank of Australia.  In late 2017 the first tranche of participants will go live on the National Payments Platform (NPP).

A new way of transacting

With the NPP you no longer need a card to process a transaction, in fact you don’t even need the receiver’s BSB and account number. Under the NPP, you will be able to request payments with a person’s alias, which can include an email address or mobile phone number

Real time payments are not new and this timeline shows Australia has not been an early adopter.

Time is no longer your friend

Whereas previously the banks had a window of up to a few days to pause, reflect and decide whether a transaction is likely fraudulent before releasing funds, transactions will now settle in under 15 seconds.

Reduced processing times will provide the opportunity for fraudsters to push transactions through the gateway undetected and once the money has “left the building”, recovery is difficult.

If a transaction is suspected to be fraudulent detection and decision making on stopping the transaction will need to be faster than the under 15 seconds payment processing time.

What can we learn from fraud trends in other jurisdictions with fast payments?

Statistics on fraud losses when real time payments systems are implemented are hard to come by. From what we have seen in the UK when fast payments were rolled out in 2008, the annual value of fraud losses nearly tripled (132 percent increase) as cyber criminals took advantage of the reduced processing time.

Since 2008, technology has moved on but so have hackers and cyber-criminal activity.

They are more sophisticated with social engineering, theft of credentials (for sale on the darknet), man in the middle (MITM) attacks where communications between two parties are intercepted and altered or man in the browser (MITB) attacks where web pages or transactions are modified. These attacks are not stopped by traditional retail bank two factor authentication described as something you know, for example your password, and something you have, for example a token or bank card details).

What should be done to prevent a spike in fraud?

The key is to build out automated fraud prevention and detection systems and use machine learning to keep abreast or ahead of the fraudsters and leverage experience from the gaming sector, who are a step ahead when it comes to real time monitoring.

Effective threat detection is risk based and should be invisible to the account holder to ensure it’s not at the expense of the customer experience.

Step 1: Identity and Access Management

The first step is to authenticate the person accessing the account is the account holder and the account has not been taken over by a bot, malware or a fraudster.

Take Joe. Joe is slow and methodical in his two finger typing, has a low deep voice and uses his fingerprint to logon to his iPad in Sydney, where he checks his account balance twice a day.

In this case, behavioural biometric technology could be used to authenticate a customer based on their physical or behavioural characteristics so if the session behaviour significantly deviates from the known customer attributes, action can be taken to protect the account and prevent fraud loss.

The parameters verified are typically in the hundreds.

They include the device used to access the account, the location of the device, how the account holder interacts with the device (typing flow and speed, left/right handed, tremors, mouse movement and customer preferences) with some checking physical attributes of the account holder, including finger print, iris scans, voice or facial recognition.

Behavioural biometrics application is increasingly used in global banks to prevent fraud before the transaction occurs.

Step 2: Real time transaction monitoring

Machine learning algorithms build up a dynamic profile of an account holder’s ‘normal’ behaviour to detect anomalies that may indicate an account is compromised.

Real time transaction monitoring detects anomalies using Time Series Analysis of customer’s spend patterns; Graph Theory, where the relationship and transaction flow networks between people and entities are monitored, and Deep Learning where tasks are broken down to make machine assistance possible and enhance monitoring algorithms.

In this case, our mate Joe shops at his local stores and is partial to some online shopping but transacts in denominations below $1,000. Real time transaction monitoring, in this simple case, would risk score transactions on Joe’s account that do not fit this dynamic profile. A decision can then be made, in real time, to add additional security or hold transactions from the payments gateway if the risk score (combining behavioural biometrics and transaction monitoring) suggests account takeover or fraud is occurring on Joe’s account.

The time is now, the NPP is coming, criminal activity is becoming more sophisticated and real time payments will be considered a good business opportunity by fraudsters. Continuous, real time customer authentication is needed to lock them out.

4 thoughts on “The New Payments Platform: fraudsters will be ready but will we?

  1. The credit card companies and banks can’t even provide customers with meaningful, detailed information on via their apps/online accounts/statements in order to verify transactions (even though they have the info in order to process the transaction) and help keep their accounts/money safe. How are they going to move forward if they have to be dragged to get the basics right with existing processes?

  2. Hmmm – as a security specialist, the dependence upon “behavioural biometric technology” for authentication scares me deeply….any static rule base that is centrally managed / enforced, or concrete credential that cannot be changed (e.g. fingerprint) will provide user’s with a perception that their transaction is safe, but will be easily breakable / spoof-able with those having a small level of knowledge…..and not to forget, the cost of managing false positives where the computer says “no”

    1. Totally. Surprised the new payments platform is not using any form of cryptocurrency and is built on somewhat redundant technologies in 2017. Reminds me of the NBN

Add Comment