Australia Launches Real-Time 'New Payments Platform'

Payments Are Speedy But Irreversible; Will Fraud Rise?
Australia's New Payments Platform lets consumers use a single ID, called a PayID. (Source: PayID)

On Tuesday Australia became the latest country to roll out real-time payments, where funds from an account at one bank reach an account at another bank in seconds.

The New Payments Platform's broad goal is to have 95 percent of payments clear within 15 seconds or less. It's a move to satisfy consumer demands to send money with the same speed and ease as an email.

But real-time payments come with a hitch: They're essentially irreversible. Once funds are zapped to another account and withdrawn, say, through an ATM, they're gone. Criminals love faster payments just as much as consumers.

Banks had more breathing room to investigate and halt suspicious transactions with batch processing, where transactions are bundled up and settled in the wee hours. Now they'll have a very small window to detect fraud.

"They don't have a lot of time to make a decision," says Phillip Finnegan, managing director of Pacific for ACI Worldwide, a payment systems software provider. "The banks need to make a decision: do I authorize this payment, do I decline it or do I hold a small percentage for further analysis?"

In the United States, the move to faster payments is still in the works (see Faster Payments Don't Have to Mean Faster Fraud).

Billion-Dollar Project

The New Payments Platform has been a years-long effort supported by the Reserve Bank of Australia. Thirteen entities have participated in its development. The project, which uses infrastructure developed by The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, is estimated to have cost at least AU$1 billion (US$790 million).

A single PayID can be linked to a bank account. (Source: PayID)

In addition to real-time settlement, the New Payments Platform lets consumers use a single ID, called a PayID, to send money to someone else.

PayID is intended to replace the need to share a routing code, called a Bank State Branch (BSB) code, and an account number with another party to send payments. The PayID can be a nickname, an email address or a phone number. On the backend, the PayID is mapped to a BSB and account number.

The New Payments Platform will also allow for more data to be attached to transactions. The system supports ISO 20022, an XML-based messaging standard for financial transactions. Remittance information can carry up to 280 characters rather than 18, and the standard can accommodate attachments.

Will Fraud Rise?

Real-time payment platforms may make it faster for criminals to get their hands on funds, but there's no clear data on whether the advent of the systems themselves makes fraud rise.

The Federal Reserve Bank of Atlanta published a study in 2016 looking at the risks of faster payment schemes. Of more than a dozen countries with such systems, none have publicly released data on whether the deployment of the systems caused fraud to rise.

"[Fraud] is like a balloon. You squeeze it at one end, and it pops out the other."
—Giselle Lindley, ACI Worldwide

Even if that data was available, "the relative newness of faster payment schemes in most countries would make trends questionable and conclusions premature," the study says.

Still, one often-cited statistic is that in the U.K., online banking fraud spiked 132 percent in 2008, the same year it launched its Faster Payments system. In 2009, fraud increased another 11 percent.

Online banking fraud in the U.K. jumped 132 percent in 2008, the same year a real-time payments scheme was launched. (Source: Federal Reserve Bank of Atlanta)

The rise in fraud and the launch of the U.K.'s system still seems to be more than just a coincidence. The Federal Reserve Bank's study acknowledges that "it seems reasonable to conclude that a new scheme will offer new security challenges."

And criminals tend to navigate to the lowest hanging fruit. Giselle Lindley, a principal fraud consultant with ACI Worldwide, quotes the common observation: "Like a balloon, you squeeze it at one end, and it pops out the other."

Pressure's On

Lindley says Australia has been lucky: Fraud is still a relatively small proportion of transactions. And for at least a decade, banks have applied fraud risk management and mitigation tools to credit card transactions, which have long been executed in real time.

The difference, she says, is now these payments are going through a different channel and "there's a lot more pressure to get it right."

But many of the same techniques will be used to make a quick decision on a transaction: where the payment is going, whether the person has made a payment to the entity before and whether they're accessing a banking application from a device they've used before.
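The checks listed above, combined with the authorize, decline or hold outcomes Finnegan describes, can be sketched as a small rule-based scorer. This is an added example, not code from ACI Worldwide or any bank; the weights, thresholds, flagged-destination list and sample identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Outcomes named in the article: authorize, decline, or hold for analysis.
AUTHORIZE, HOLD, DECLINE = "authorize", "hold", "decline"

# Weights and thresholds are illustrative assumptions, not a bank's values.
WEIGHTS = {"flagged_destination": 60, "new_payee": 25, "new_device": 30}
HOLD_AT, DECLINE_AT = 40, 80


@dataclass
class History:
    """Payees and devices the bank has already seen for one customer."""
    payees: set = field(default_factory=set)
    devices: set = field(default_factory=set)


@dataclass
class Payment:
    customer: str
    payee: str      # destination PayID (constructed sample values)
    device_id: str  # fingerprint of the device used for the session


def score(p, hist, flagged):
    """Return (risk score, names of the signals that fired)."""
    fired = []
    if p.payee in flagged:            # where the payment is going
        fired.append("flagged_destination")
    if p.payee not in hist.payees:    # never paid this entity before
        fired.append("new_payee")
    if p.device_id not in hist.devices:  # device not used before
        fired.append("new_device")
    return sum(WEIGHTS[s] for s in fired), fired


def decide(p, histories, flagged):
    """Decide one payment; history is updated only when it is authorized."""
    hist = histories.setdefault(p.customer, History())
    risk, fired = score(p, hist, flagged)
    if risk >= DECLINE_AT:
        return DECLINE, fired
    if risk >= HOLD_AT:
        return HOLD, fired
    # Learn payee and device only from authorized payments, so a held or
    # declined attempt cannot make an attacker's device look familiar later.
    hist.payees.add(p.payee)
    hist.devices.add(p.device_id)
    return AUTHORIZE, fired
```

With these assumed weights, a customer with no history at all scores as new payee plus new device and is held, which is the population a bank would route to step-up checks.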

The use of ISO 20022 should also help with security because it will provide more transaction information, Lindley says. The greater problem for banks is being able to quickly analyze the data. Anti-fraud systems tend to be siloed, and some are very old legacy systems, she says.

Ingesting the data and getting it to the right systems sounds simple, but it's a huge undertaking, she says. Taking in more data for analysis also means an increased computational overhead, which begins to lengthen transaction approvals.

For smaller financial institutions, Lindley says IP address, geolocation data and device fingerprinting - relatively easy metrics to collect - are still successful at stopping fraud. Larger institutions with bigger budgets can deploy other more sophisticated technologies.

An illustration of device fingerprinting. (Source: University of Applied Sciences Upper Austria)

"There's a truckload of new technology that's being brought to bear in this space," says Jon Malone, head of fraud and identity for Australia and New Zealand at Experian.

To help risk-segment gray transactions, it's possible to look at how fast people are typing into fields, if they're alt-tabbing between applications on their laptop, or if they're copying and pasting into fields, Malone says.

Newer models of smartphones with fingerprint and facial recognition technology can also be leveraged. If other metrics can't provide clarity into a transaction, Malone says a bank could ask the customer for some kind of biometric authorization, such as a fingerprint or taking a quick selfie to prove "liveliness." The bank can then compare that to a photo they have on file.

"Your challenge questions will be there for the customers that you can't segment using technology," Malone says.

Who Pays For Fraud?

The New Payments Platform is intended for high-volume, low-value transactions. It will be up to individual financial institutions to set the transaction limit. But invariably, the risk for consumers when making fast payments is greater than with credit cards since the money can disappear quickly.

Because consumers send money directly to someone else, the transactions are sometimes referred to as "push" payments. There are ongoing concerns in the U.K. over the security of those transactions.

In 2016, the U.K. consumer advocacy group Which? filed a super-complaint with the Payment Systems Regulator. The complaint alleged banks are not providing as much protection for push payments as they do for other types of payments.

The consumer group contended that victims have lost life-changing sums to sophisticated scammers that have tricked them into making irrevocable push payments.

"Placing more liability on banks for the losses from such scams would create efficient incentives for banks to develop systems to better manage risks, through identifying and checking high risk payments while maintaining the benefits of Faster Payments," the complaint says.

The losses have been staggering. In the first half of last year, the U.K. counted 19,000 victims of push payment scams, amounting to £100 million (US$139 million).

After a year-long review, the PSR said in November it found that the fraud detection systems for banks and payment service providers couldn't detect push payment scams and didn't collect enough data.

By September, the regulator hopes to have a model that would allow push payment victims to be reimbursed, although the details of who pays haven't been determined.

Consumer Liability

The same concerns are surfacing in Australia. Steve Worthington, an adjunct professor at Swinburne University of Technology, writes in The Conversation on Tuesday that if someone is fraudulently induced to make a payment, the liability may lie with the consumer rather than a bank.

Worthington points to a Q&A published by Bank First, a customer-owned institution using the New Payments Platform. If a person believes they have made a payment in error, Bank First writes "you should contact us immediately so we can attempt to recover the funds for you."

Worthington interprets that to mean the bank is not liable for the loss.

"In this case your bank might be able to help you recover the funds, but the recipient of the funds (potentially a fraudster) will have to consent to repay your funds," Worthington writes. "So if you have a dispute with a recipient of your funds transfer, you will need to resolve the dispute directly with that person or organisation under the new scheme."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
