The Australian banking industry has just announced a $100 million initiative to combat certain forms of fraud. The Confirmation of Payee (CoP) system will allow payers to verify the account name of the payee prior to authorizing payment. A similar initiative exists in the UK and both systems are intended to combat Authorised Push Payment (APP) fraud.
What is Authorised Push Payment (APP) Fraud?
APP fraud occurs when a customer, believing themselves to be paying a legitimate payee, is scammed into paying a fraudster instead. The scam works by supplying the customer with the fraudster’s account details through the likes of false invoices, scam emails and phone calls. Even though the payee name the customer enters will not match the name on the fraudster’s account, the payment still goes through, because banks route payments on account numbers, not names.
The Role of Confirmation of Payee (CoP) in Preventing APP Fraud
APP fraud relies on the customer doing all the work of creating and authorizing the payment, thereby successfully passing all the bank’s security checks, including one-time passcodes. The CoP system, by highlighting the discrepancy between the entered payee name and the name held against the account, should therefore reduce this form of fraud. However, when one hole is plugged, fraudsters simply move to another model.
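To make the name check concrete, here is an added illustration (not the Australian or UK banks’ own CoP implementation) of the comparison a receiving bank performs before the payer authorizes the payment. The account table, the names and the three response categories (MATCH, CLOSE_MATCH, NO_MATCH) are constructed for this example; the similarity threshold is an assumed value.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: what the receiving bank holds against each
# account number. The second account plays the role of a fraudster's
# mule account whose number was placed on a false invoice.
ACCOUNTS = {
    "12-345-678901": "Acme Plumbing Pty Ltd",
    "12-345-222333": "J Smith",
}

# Common company suffixes and filler words ignored during comparison so
# that "ACME Plumbing Pty. Ltd" and "Acme Plumbing Limited" compare equal.
STOPWORDS = {"pty", "ltd", "limited", "plc", "the", "co"}

# Assumed threshold: below this similarity the names are treated as different.
CLOSE_MATCH_RATIO = 0.8


def normalise(name: str) -> str:
    """Lower-case the name, strip punctuation, drop stopword tokens."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in STOPWORDS)


def confirm_payee(account: str, entered_name: str) -> str:
    """Compare the name the payer typed with the name held on the account.

    Returns one of ACCOUNT_NOT_FOUND, MATCH, CLOSE_MATCH or NO_MATCH so the
    payer's bank can warn before the payment is authorized.
    """
    held = ACCOUNTS.get(account)
    if held is None:
        return "ACCOUNT_NOT_FOUND"
    entered, on_file = normalise(entered_name), normalise(held)
    if entered == on_file:
        return "MATCH"
    if SequenceMatcher(None, entered, on_file).ratio() >= CLOSE_MATCH_RATIO:
        return "CLOSE_MATCH"  # likely a typo: show the held name to the payer
    return "NO_MATCH"  # the APP fraud case: invoice name, fraudster's account


if __name__ == "__main__":
    # Genuine invoice, minor formatting differences in the payee name.
    print(confirm_payee("12-345-678901", "ACME Plumbing Pty. Ltd"))
    # False invoice: the payer believes they are paying Acme, but the
    # account number on the invoice belongs to someone else entirely.
    print(confirm_payee("12-345-222333", "Acme Plumbing"))
```

The NO_MATCH result is exactly the discrepancy CoP is designed to surface; without the check, the payment would be routed on the account number alone.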
Limitations of CoP in Tackling Account Takeover (ATO) Fraud
This initiative will have no effect in reducing another form of payment fraud, Account Takeover (ATO) fraud, and it may even increase its prevalence. This fraud is based on social engineering techniques in which the fraudster typically masquerades as a member of the bank’s fraud department and dupes the target customer into believing that their account is at imminent risk. In this scenario, the fraudster wants to take over the account and then make payments and perhaps change phone numbers, reset passwords, etc. to lock the genuine customer out.
One-Time Passcodes (OTP) and Social Engineering Vulnerabilities
The one thing the account takeover fraudster typically needs is the one-time passcode (OTP) that these transactions usually require. The fraudster’s actions result in the OTP being generated by the bank and sent to the genuine customer’s mobile phone. So how does the fraudster get the OTP? He asks for it using any number of pretexts such as “I’ve sent you a code to prove I’m talking to the correct account holder”, etc. The customer, remember, thinks they’re talking to the bank’s fraud department.
Because the OTP is just 4 digits that get keyed back into the browser, it is all the fraudster needs. That is the inherent weakness of an OTP: anyone who knows it can use it, so it can be compromised by social engineering. The same applies to mobile authenticators. If the “bank” says “we’ve sent an authentication request to prove who you are”, the customer will simply approve it and thereby authorize the fraudster’s transaction.
Improving OTP Security with Voice Biometrics
So, while the CoP initiative is welcome, the OTP system remains a weakness as long as anyone can obtain the code through social engineering. Because it is impossible to stop people from getting scammed, and because the scams get more and more sophisticated, the answer lies in making the OTP useless to anyone but the intended recipient. That would restore the OTP to its intended raison d’être: an effective multi-factor authentication technique.
And it is as simple as speaking the OTP. By using voice biometrics and speaking the OTP into the browser rather than keying it, the OTP becomes paired with its true owner, and regardless of who else knows it, they cannot use it.
In the world of payments, CoP is an initiative to identify the payee, and a voice-based OTP is actually an initiative to identify the payer. Two separate forms of fraud require two separate forms of identity. Having both is critical in the fight against payment fraud.