BACKGROUND:

This may be a good comment opportunity as the holiday shopping season kicks off. Although Regulation E* (part of the federal Electronic Fund Transfer Act) requires banks to refund consumers for fraudulent transactions on their accounts, banks are stating that Zelle, as a peer-to-peer app, does not carry the same protection. The Consumer Financial Protection Bureau put out a directive in June, saying that Regulation E only applies “if a third party fraudulently induces a consumer into sharing account access information.” So the working assumption is that if a consumer willingly sends money to a faked/spoofed account, they’re out of luck.

4 Expert Comments
Bill Lawrence, CISO
InfoSec Expert
November 12, 2021 9:45 am

’Tis the season for low-life scammers. Practice ‘zero trust’ in your email and text apps and on the phone; by that, do not click any unsolicited links and if someone calls you about money, calmly say nothing, hang up, and either go directly to a website or call the financial institution yourself. If there is a real issue, someone there will have the information. Also, while you’re on their official site, for the love of the season, set up two-factor authentication, and then never share those numbers or codes with anyone “live”. Those are for legitimate apps and websites that you use.

It is sad that criminals find the simplest routes to take advantage of trusting people. Gmail, Twitter, and now Zelle seem to be on the top of their scamming lists. If a deal seems to be too good to be true, it is. Or if someone is breathing down your neck to transfer money, that’s another big warning sign. Caveat conexus emptor.

Last edited 10 months ago by Bill Lawrence
Doug Britton, CEO
InfoSec Expert
November 12, 2021 9:44 am

This is a concerning issue for Zelle. Trust is integral to any financial tool or application. Scamming won’t subside if it continues to be successful. Putting aside the need for a degree of user responsibility, designing applications that balance low friction transactions with security is a critical requirement for product longevity. Finding the right cyber and infosecurity talent is critical when designing robust dev teams that power these platforms. We have the technology and tools to find this talent, even in tight labor markets. The financial sector and emerging Fintech sector need to continue to invest to ensure consumers are protected and trust is maintained.

Last edited 10 months ago by Doug Britton
Saryu Nayyar, CEO
InfoSec Expert
November 12, 2021 9:42 am

Heralding in the era of the cashless society is revealing some significant bumps in the road. In particular, using electronic transfers offers more opportunities for attackers to use tools such as social engineering to steal from individuals. Zelle, a popular transfer mechanism owned by a consortium of major banks, is being used as a mechanism by phishers and fake bank representatives to scam individual Zelle users into giving them personal and transaction information.

Ultimately, the risks of compromise using transfer services such as Zelle may outweigh their convenience. Consumers have to take extra precautions against getting scammed, such as carefully examining emails and phone messages to make sure they are legitimate. These services tend to place strict limits on how they contact customers, and customers should be aware of those limits in assessing the validity of a contact.

Last edited 10 months ago by Saryu Nayyar
Rajiv Pimplaskar
InfoSec Expert
November 12, 2021 9:41 am

The payment industry-wide shift to online has resulted in the proliferation of P2P (Peer To Peer) and PSPs (Payment Service Providers). While this offers more customer flexibility and choice, it’s also facilitating growth channels for money laundering and fraud. Consumer fraud is rapidly adapting towards transactions and fraudsters are developing new and insidious ways to target vulnerable individuals. The expanded attack surface is also stressing the fault lines and gaps in the banking system’s traditional AML (Anti Money Laundering) systems and customer authentication methods.

Passwords are inherently the weakest link in the chain. By being inherently “phishable”, through social engineering, brute force guesswork or coercion, they can enable MITM (Man In The Middle) attacks that can bypass traditional checks and balances and are responsible for more than 80% of all incidents. Complex passwords are hard to remember, are often stored in plain text and reused, further compounding the problem.

Consumer finance institutions and e-commerce sites should mandate passwordless authentication methods based on W3C and FIDO standards. Such solutions create a strong binding between the end user and their FIDO2 authenticator, making it impossible for a 3rd party to misuse. Also, these solutions are easier to use and improve customer satisfaction.

Last edited 10 months ago by Rajiv Pimplaskar
Information Security Buzz