Several weeks ago, I published an article which provided a summary of the Australian Payments Council's Australian Payments Plan. This plan is designed as a strategic roadmap for the future of Australian payments, specifically the initiative around the New Payments Platform, or NPP. In short, the NPP is going to introduce the ability to send funds in real-time via online banking as a way to increase competition and innovation within the Australian payments landscape.
Currently, when you send a payment via online banking to a recipient (individual or business), there is typically a delay of up to 24 hours for the funds to become available. There are some exceptions - such as when the sending and receiving bank are the same - but largely, there is an overnight delay. The shift to a 'real-time' model is a game changer for payments in Australia and the implications will include:
- Consumer benefits such as lower cost payments and improved functionality
- Commercial impacts to banks, merchants and payment providers
- An increase in online banking fraud attempts and losses
Consumers stand to be the primary beneficiaries of the NPP as it will provide a far greater range of payment options and ultimately increase marketplace competition. I anticipate that the benefits will fall into three broad areas:
- Peer-to-peer payments - Quickly/easily send funds to friends or family
- Business payments - A simple (cheap) payment option for goods or services
- eCommerce - An alternative online payment option to credit/debit cards
Without a crystal ball, it is hard to anticipate all the potential commercial implications of the NPP, but they will be material. The NPP provides a brand new payment alternative which will be a direct competitor to many of the incumbents.
As a merchant, the NPP will provide a new way for your customers to pay for goods or services and will likely yield lower payment processing costs. For payment providers, pricing models and product offerings will need to be re-validated and adjusted to meet the additional competition.
The Fraud Effect
From a professional perspective, I am most interested in how the NPP will impact online banking fraud in Australia. I have two predictions: An increased velocity and volume of online banking fraud attempts and a decrease in online banking fraud recovery rates.
The first prediction is based simply on the fact that bad guys look for highest yield with lowest effort. Immediate cash-out of compromised online banking accounts via real-time payments is highly desirable and therefore the rate of attack is likely to increase. Bad guy ROI.
The second prediction is based on the fact that the current model of delayed payments provides a window for banks to detect, hold and recover funds which have been transferred fraudulently (due to malware, phishing, data compromise and social engineering). NPP will remove this safety net for the majority of payments and the potential fraud loss implications are material.
If the current online banking fraud detection rate (post payment) is 80%, then we have an opportunity to hold and recover these funds prior to them clearing in the destination (mule) account. If $1 million in fraud is committed, then the net loss to the business will be only be ~$200k once recovery actions are complete. Real-time payments closes this window.
In card fraud terms (Issuer perspective), it is comparable to chargebacks completely disappearing as a recovery mechanism. This thought would be a Card Fraud Manager's worst nightmare, as typically at least 60-70% of all card fraud losses are recovered via the chargeback process.
To gauge the potential magnitude of the fraud loss implications, we can look no further than the UK roll-out of 'Faster Payments' in May 2008. The chart below clearly demonstrates the rapid increase in fraud experienced in the UK when real-time payments was deployed.
Based on the UK case study, it is not unreasonable to expect that Australian online banking fraud losses will at least double once NPP is rolled out. As discussed previously, this is simply because the safety net window for post-transaction fraud detection and recovery is effectively gone.
To make the potential impact more tangible, we can break down the numbers and apply them to the Australian market as an indicative guide.
- £0.37 UK online banking fraud per capita p.a. (pre 'Faster Payments')
- £0.98 UK online banking fraud per capita p.a. (post 'Faster Payments')
- Increase +£0.61 per capita p.a.
- Convert to AUD. ~$1.20 online banking fraud loss per capita p.a.
- Australian Population (23 million) x $1.20 = $27.6 million
Obviously, there are many assumptions - such as comparable inherent controls, attack vectors/velocity - but it is not unreasonable to assume that online banking fraud losses could easily increase by $25 million per annum.
Strategies to Reduce the Impact of Fraud
There are many views as to what is the best approach is to prevent fraud losses due to real-time payments. Although the approach may be debated, the ultimate desired outcome is consistent; prevent as much fraud as possible without negatively impacting the digital customer experience.
My personal opinion is that a four pillar strategy is required to achieve this goal:
- Strong Authentication (used sparingly) provides a robust security foundation and reassurance to a customer that their online banking is secure
- Behavior Analytics. It is important to understand your customers and identify outliers. Behavior analytics provides long-term levers to manage risk and cannot be easily reverse engineered by attackers.
- Understand the endpoint. Device intelligence can provide low hanging fruit in terms of removing false positives, risk segmentation and identifying known threats.
- Know your enemy. Threat intelligence provides benefits in the short (e.g. compromised accounts) and long term (e.g. what other markets are seeing). To best mitigate risk, we need to understand both the problem and the adversary.
A layered fraud defense which incorporates each of these elements is likely to protect an organisation and its customers from being an easy target.
Author: Tim Dalgleish
Category: RSA Fundamentals, Blog Post
Keywords: Australian Online Banking, Consumer Security, Cybercrime, Cybercrime and Fraud, Financial Fraud, New Payments Platform, NPP, Online Banking Fraud, Real-Time Payments