BACKGROUND:
This may be a good comment opp as the holiday shopping season kicks off. Although Regulation E* (part of the federal Electronic Fund Transfer Act) requires banks to refund consumers for fraudulent transactions on their accounts, banks are stating that Zelle, as a peer-to-peer app, does not have the same protection. The Consumer Financial Protection Bureau put out a directive in June, saying that Regulation E only applies “if a third party fraudulently induces a consumer into sharing account access information.” So the working assumption is that if a consumer willingly sends money to a faked/spoofed account, they’re out of luck.
- KWTX in Texas reports Central Texas woman scammed out of hundreds of dollars trying to buy PS5, after the woman paid $550 through Zelle for a PS5. Fraudsters are stealing Twitter accounts to sell game consoles and insisting buyers pay with Zelle.
- ABC7 in NY reports Warning: Don’t fall for scam involving Bank of America/Zelle cash transfer, telling how a text claiming to be from Bank of America asked a woman if she just authorized a Zelle transaction for $1,375.50. Upon replying “no”, a call from “Bank of America” walked her through a sham process of “retrieving” her money, which was then stolen.
<p>’Tis the season for low-life scammers. Practice ‘zero trust’ in your email and text apps and on the phone; by that, do not click any unsolicited links and if someone calls you about money, calmly say nothing, hang up, and either go directly to a website or call the financial institution yourself. If there is a real issue, someone there will have the information. Also, while you’re on their official site, for the love of the season, set up two-factor authentication, and then never share those numbers or codes with anyone “live”. Those are for legitimate apps and websites that you use.</p>
<p>It is sad that criminals find the simplest routes to take advantage of trusting people. Gmail, Twitter, and now Zelle seem to be on the top of their scamming lists. If a deal seems to be too good to be true, it is. Or if someone is breathing down your neck to transfer money, that’s another big warning sign. Caveat conexus emptor.</p>
<p>This is a concerning issue for Zelle. Trust is integral to any financial tool or application. Scamming won’t subside if it continues to be successful. Putting aside the need for a degree of user responsibility, designing applications that balance low friction transactions with security is a critical requirement for product longevity. Finding the right cyber and infosecurity talent is critical when designing robust dev teams that power these platforms. We have the technology and tools to find this talent, even in tight labor markets. The financial sector and emerging Fintech sector need to continue to invest to ensure consumers are protected and trust is maintained.</p>
<p>Heralding in the era of the cashless society is revealing some significant bumps in the road. In particular, using electronic transfers offers more opportunities for attackers to use tools such as social engineering to steal from individuals. Zelle, a popular transfer mechanism owned by a consortium of major banks, is being used as a mechanism by phishers and fake bank representatives to scam individual Zelle users into giving them personal and transaction information.</p>
<p>Ultimately, the risks of compromise using transfer services such as Zelle may outweigh their convenience. Consumers have to take extra precautions against getting scammed, such as carefully examining emails and phone messages to make sure they are legitimate. These services tend to place strict limits on how they contact customers, and customers should be aware of those limits in assessing the validity of a contact.</p>
<p>The payment industry-wide shift to online has resulted in the proliferation of P2P (Peer To Peer) and PSPs (Payment Service Providers). While this offers more customer flexibility and choice, it’s also facilitating growth channels for money laundering and fraud. Consumer fraud is rapidly adapting towards transactions, and fraudsters are developing new and insidious ways to target vulnerable individuals. The expanded attack surface is also stressing the fault lines and gaps in the banking systems’ traditional AML (Anti Money Laundering) systems and customer authentication methods.</p>
<p>Passwords are inherently the weakest link in the chain. By being inherently “phishable”, through social engineering, brute force guesswork or coercion, they can enable MITM (Man In The Middle) attacks that can bypass traditional checks and balances and are responsible for more than 80% of all incidents. Complex passwords are hard to remember, are often stored in plain text and reused, further compounding the problem.</p>
<p>Consumer finance institutions and e-commerce sites should mandate passwordless authentication methods based on W3C and FIDO standards. Such solutions create a strong binding between the end user and their FIDO2 authenticator making it impossible for a 3rd party to misuse. Also, these solutions are easier to use and improve customer satisfaction.</p>