How P2P Payment Apps Fight Fraud Attacks
More and more consumers are turning to digital methods to pay their friends and retailers during the global health crisis. Buyers seek to avoid exchanging money and cards in person and instead opt for contactless transactions or remote purchase options. This trend has created a myriad of opportunities for P2P (peer-to-peer) payment applications like Venmo and Zelle, which allow consumers to quickly, easily and digitally transfer funds to merchants and friends.
However, these app-based transactions must be secure enough to allow consumers to fully enjoy their benefits. P2P payment providers have their work cut out for them, as cybercriminals stepped up their attacks during the pandemic. This month’s Deep Dive examines the fraud challenges that real-time P2P payment applications face and the strategies these services can use to mitigate these threats.
Buyers are relying more on P2P apps during the pandemic, prompting fraudsters to do the same. The New York Times recently reported that although the number of daily Venmo users has increased by 26% over the past year, the number of customer reviews containing the words “fraud” or “scam” has almost quadrupled. Both of these trends suggest that these payment services continue to gain the attention of both legitimate users and bad actors.
Many P2P application providers are therefore keen to find ways to serve consumers while outwitting the bad guys, but the security challenges present in these payment services are no small problem. More than 70 percent of American adults in a recent survey said they use such apps, in part because the apps allow them to send funds immediately – an attractive option compared to transactions that take several days. These fast transfers, however, give payment service providers shorter time frames during which they can review and stop the movement of funds if something goes wrong. Scammers often seek to take advantage of the irreversibility of real-time payment services, typically by setting up P2P app accounts and tricking victims into sending funds that cannot be recovered. Consumers who use these apps to send money to people they don’t know risk channeling the funds to scammers.
Cybercriminals take advantage of consumer trust by soliciting funds under dishonest pretexts. Some pretend to be tax officials and insist that their targets send funds through apps, for example. Other scams occur when scammers post Craigslist ads claiming to sell items and require upfront payment through P2P apps. They then flee with the funds without delivering the goods. Consumers who fall prey to these schemes cannot file chargebacks and receive refunds, as they could with credit cards. Many consumers are unaware that they should avoid using the apps to send money to unfamiliar third parties, and 47% of those surveyed in a 2019 survey reported using P2P apps to send money to strangers in response to classifieds on Craigslist and other sites. Fifty-three percent said they use these apps to pay unknown sellers they’ve met on auction platforms like eBay.
P2P application providers are working to stay ahead of these issues by educating consumers about the risks involved in such transactions. Some applications now offer pop-up alerts that warn users of the risks they face when sending funds to recipients they don’t know, for example. Other app providers have ditched one-click transaction activation and instead prompt users to review their payments before hitting send, giving customers time to review their choices, check for errors and confirm the details.
Preventing fraudsters from using real-time payment services to defraud legitimate customers may first require keeping bad actors from entering the space at all. Application providers need to be able to detect when users are relying on fake identities during onboarding. Scammers often attempt to create accounts using stolen credentials or synthetic IDs cobbled together using personally identifiable information gathered from multiple victims. Payment providers can rely on banking partners to monitor customers while increasing their own efforts to catch bad actors sneaking in, using artificial intelligence (AI)-based tools to detect abnormal user behaviors that could indicate fraud.
ATOs and how P2P applications can fight back
Real-time payment providers also need to protect honest customers from cybercriminals who might take control of their accounts. Fraudsters who access these accounts can steal the funds they store on the apps or embezzle money from any bank or card account linked to them. Some cybercriminals may try to leverage usernames and passwords stolen in data breaches or purchased on the dark web to log into customer applications. Others apply brute force techniques that rely on malicious bots to automatically insert various usernames and passwords into login screens and hope they find the right combinations.
However, P2P application providers are far from helpless when it comes to stopping account takeover (ATO) attacks. A simple first step is to encourage customers to use unique passwords when signing up, which reduces the likelihood that their account details will be compromised if another business experiences a data breach. A recent study found that only 37 percent of Canadian bank customers use different passwords for each of their accounts, with 22 percent recycling two to five passwords across different accounts. Reusing passwords is risky because hackers can use compromised login credentials from other breaches to gain access to additional accounts. Therefore, application providers may need to make dedicated efforts to educate customers on the importance of changing their habits.
Payment companies can also watch for sudden and rapid spikes in failed login attempts, which could indicate brute force attempts are underway. P2P application providers could even take security a step further and implement multi-factor authentication (MFA) to ensure that stolen password and username combinations are not enough on their own to give criminals access to customer accounts. P2P applications that implement MFA require clients to present at least one additional layer of authentication to validate their identities.
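The failed-login spike check described above, sketched as an added example (it is not from the original article or from any payment provider's code). The event layout, the 60-second window, the threshold of five failures and the sample events, which use documentation-only IP ranges, are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window; tune against real traffic
MAX_FAILURES = 5      # assumed number of failures tolerated per window

def detect_failed_login_spikes(events, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Return one alert per source or account whose failed logins exceed
    `limit` inside any `window`-second span.
    `events` are (ts, source, username, ok) tuples sorted by timestamp."""
    recent = defaultdict(deque)   # key -> deque of (ts, counterpart)
    alerted, alerts = set(), []
    for ts, source, user, ok in events:
        if ok:
            continue
        # Count per source (one client trying many logins) and per account
        # (one account targeted from many sources, e.g. distributed bots).
        for key, other in ((("source", source), user), (("account", user), source)):
            q = recent[key]
            q.append((ts, other))
            while q and ts - q[0][0] > window:   # drop failures outside window
                q.popleft()
            if len(q) > limit and key not in alerted:
                alerted.add(key)                 # alert once per key
                alerts.append({
                    "kind": key[0], "value": key[1], "at": ts,
                    "failures": len(q),
                    "distinct_counterparts": len({o for _, o in q}),
                })
    return alerts

def sample_events():
    """Constructed login events, not real data."""
    ev = []
    # One client cycling through many usernames in a few seconds.
    ev += [(100 + 2 * i, "203.0.113.7", f"user{i}", False) for i in range(8)]
    # One account hit from several different sources.
    ev += [(300 + 5 * i, f"198.51.100.{i + 1}", "alice", False) for i in range(6)]
    # A legitimate user who mistypes twice and then signs in.
    ev += [(500, "192.0.2.10", "bob", False), (520, "192.0.2.10", "bob", False),
           (530, "192.0.2.10", "bob", True)]
    return sorted(ev)

if __name__ == "__main__":
    for alert in detect_failed_login_spikes(sample_events()):
        print(alert)
```

An alert from a check like this is a natural trigger for the step-up MFA prompt the article mentions, rather than an outright block, since shared networks can produce legitimate bursts of failures.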
Many consumers recognize that real-time P2P payments can take the friction out of their transaction experiences and make payment quick and easy. To enable customers to reap the benefits of such offerings, application providers must also ensure optimal security. The right anti-fraud approaches can help P2P payment providers move transactions forward quickly while stopping fraud.