Richard Booth told iTWire during an interview that previously banks had a number of hours to identify, investigate and stop fraud. "Now, under NPP, those hours are reduced to mere seconds. The result is that fraud systems that can’t prevent fraud in real-time will leave banks exposed to increased losses," he said.
Financial Fraud Action UK, an organisation that works against financial fraud, has reported a 64% rise in online banking fraud losses in the same year that the Faster Payments limit was raised to £250,000, a statistic that Booth cited.
Booth has been working in the security space for 12 years, eight of which have been focused on financial crimes and digital fraud. He was interviewed by email.
Richard Booth: Criminals are able to perform a wider variety of fraud at a larger volume and a quicker velocity. According to the Attorney-General’s Department, the annual cost of identity crime in Australia is $2.2 billion. Credit card fraud, identity theft and scams are the most common types of fraud.
More alarmingly, identity crime continues to be a key enabler of serious and organised crime, which in turn costs Australia about $15 billion annually. A similar real-time payments system was introduced in the UK in 2008 and fraud losses in online banking have nearly doubled since then.
What are some of the fraud techniques that banks/financial institutions should be looking out for when using the NPP?
Criminals are most likely to attack the NPP ecosystem through what is known as Account Takeover Fraud. This is when a legitimate customer’s account is compromised and taken over by a criminal. The criminals start by stealing the customer’s login details using techniques like phishing or more sophisticated malware. Once they have access to the customer’s online account, they can change things like the phone number and email address to have SMS one-time codes redirected to a new number.
With the NPP’s new PayID system relying so heavily on static data like mobile phone numbers and email addresses, banks will need to be extra vigilant when a customer chooses to change such details. Another likely technique in the early days of the new service will be Registration Fraud, whereby a criminal simply registers for a PayID illegitimately on behalf of the genuine user, thereby redirecting any funds paid to that PayID into the criminal’s account.
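An added detection example in Python, not code from the interview or from any bank or vendor it mentions: it holds a real-time payment that closely follows a change to the mobile number or email a PayID relies on, and flags a PayID registration whose contact detail the bank already links to a different customer. The cooling-off window, value threshold and all events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values, not from the interview: a payment inside this window
# after a mobile/email change is held for review; amounts are constructed AUD.
COOLING_OFF = timedelta(hours=24)
HIGH_VALUE = 5_000

@dataclass
class ContactChange:
    account: str
    field: str  # "mobile" or "email", the static data a PayID relies on
    at: datetime

@dataclass
class Payment:
    account: str
    amount: float
    at: datetime

def payment_risk(payment, changes):
    """Reasons to hold an outbound real-time payment instead of releasing it.
    Evaluated per payment, so it fits a seconds-long NPP decision window."""
    reasons = []
    recent = {c.field for c in changes
              if c.account == payment.account
              and timedelta(0) <= payment.at - c.at <= COOLING_OFF}
    if recent:
        reasons.append("contact detail changed within cooling-off window: "
                       + ", ".join(sorted(recent)))
    if payment.amount >= HIGH_VALUE:
        reasons.append("high value")
    return reasons

def registration_conflict(registrant, payid, directory):
    """True when the mobile/email being registered as a PayID is already
    linked in the bank's own customer records to someone else; such a
    request needs ownership verification before it is accepted."""
    owner = directory.get(payid)
    return owner is not None and owner != registrant

# Constructed sample events: two contact changes, then payments at offsets.
T0 = datetime(2018, 2, 13, 9, 0)
CHANGES = [ContactChange("acct-1", "mobile", T0),
           ContactChange("acct-1", "email", T0 + timedelta(minutes=2))]
PAY_SOON = Payment("acct-1", 7_500, T0 + timedelta(hours=3))
PAY_LATER = Payment("acct-1", 100, T0 + timedelta(days=2))
DIRECTORY = {"+61400000001": "cust-A"}  # constructed KYC mapping
```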
Banks have always put aside money to deal with fraud. So will they not be doing the same for dealing with the risk after the NPP is fully in place?
Fraud losses have always been seen as a cost of doing business, but banks cannot bear the burden of criminal gain that has the potential to grow significantly. Each institute will have their own risk appetite for increased fraud losses attributed to NPP, but we know from speaking with many of our customers that there isn’t an infinite pot of funds to cover these losses.
From the user's point of view, what can he/she do to reduce the chance of being taken for a ride?
For consumers, the NPP creates yet another avenue for criminals to confuse and scam them. Consumers need to be educated on the difference between legitimate communications from their bank and criminal scams. Protecting your personal information and login details is now more critical than ever before. Registering for a new PayID as soon as possible makes Registration Fraud for criminals more difficult.
Presumably, a platform like Osko from BPAY would be more reliable for use, given that BPAY has a pretty good record on security. Your comment?
I would prefer not to comment on the specific security of a service like Osko or BPAY. What I can say is that if Osko is relying on the integrity of the PayID and criminals are able to use techniques like I described above to compromise a PayID, then it has the potential to compromise the entire payment flow.
NPP Australia has gone to great lengths to ensure that security and trust are central to the platform, but ultimately each participating bank will make their own risk assessment and choose to invest in controls that they believe are appropriate. No system is ever 100% bulletproof.
To loosely quote you, "financial institutions have traditionally taken responsibility for fraud risk, but the NPP provides very little time for them to detect, and act upon, fraud". Does this mean that banks may now try to wriggle out of bearing the risk?
There is not much wriggle room for banks. Rather, financial institutions face a very steep learning curve over the next 12 months as they come to grips with a new operating norm and see firsthand how aggressively criminals choose to attack the ecosystem.
Previously banks had a number of hours to identify, investigate and stop fraud. Now, under NPP, those hours are reduced to mere seconds. The result is that fraud systems that can’t prevent fraud in real-time will leave banks exposed to increased losses.
Anything else that people should be aware of when they begin using the NPP?
Big advancements in technology should never be feared or avoided. The NPP represents an exciting new opportunity for businesses and consumers alike. That said, everyone, not just the banks, needs to realise that this doesn’t come without its risks. As we see more and more data breaches and scams trying to steal information and money from victims, the NPP represents a new opportunity for criminals to attack.
Why have some banks — apart from CBA — decided to wait before setting up their own payments platform on the NPP? Cautious? Or else a lack of trust?
It ultimately comes down to a business decision. Some banks don’t feel they need to be the first at everything. Following Rogers’ Distribution of Innovation curve, there are always the Early Adopters counter-balanced by the Late Adopters. Risk plays a bigger role in business decisions these days and whether it is a financial risk, a reputation risk or some other risk, clearly the banks that have chosen to wait have done so due to their appetite for risk. We shouldn’t see that as a vote of no confidence towards the NPP.
Do you think those who delay will lose out to other institutions?
Personally, if my bank had chosen to wait, I would have switched to a participating bank. I am an early adopter and being part of the first wave is something that is important to me. Whether or not the banks that choose to wait will lose out will depend largely on the personal attitudes of their customers. Some people I speak to don’t have a clue about the NPP, PayID or Osko and so the fact that their bank isn’t in the first wave may not mean anything to them either.