Zelle: A New Door Opens, But is Crime Walking In?

Ever since the U.S. banking industry took the plunge into the world of “faster payments”, the real-time peer-to-peer (P2P) payments platform Zelle, through which one can move money from a bank account to an email address or mobile phone number, has gained both popularity and praise. By the third quarter of 2019, Zelle traffic was reported to have reached 196 million transactions with a volume of $49 billion, vastly higher than competing solutions.

Along with these new digital opportunities, many banks are now beginning to realize the far greater risk of online fraud that P2P payments expose them to.

In the UK, the move to faster payments in 2008 caused online banking fraud losses to triple within three years, even as every bank adopted strong authentication in the form of hardware-based or SMS-based two-factor authentication.

The UK banking community learned long ago that so-called “strong authentication” isn’t actually that strong. Criminals have developed, honed and perfected methods to get around the controls, in some cases even tricking users into making fraudulent transactions from their own online accounts through so-called social engineering.

Zelle fraud is no longer a theoretical threat. Institutions that have already launched Zelle—ranging from the top five U.S. banks to small credit unions—report highly targeted fraud campaigns and an adaptive race with clever cybercrime rings who are quick to respond to new controls. In fact, by now Zelle fraud is the fastest growing area of account takeover fraud in the U.S. banking sector.

Social Engineering at its Trickiest
Not all Zelle implementations are the same. Zelle is used in one of three ways: as a standalone mobile app available to consumers for direct download; embedded as a feature in a bank's own digital banking application; and via P2P money transfer providers who have their own controls.

Banks that directly offer Zelle through their digital banking applications already experience the bulk of social engineering attacks: phone number spoofing, robocalls and personalized text messages are all widely deployed.

Just for illustration: a Bay Area-based financial institution recently suffered a targeted attack in which members received a personalized fraud alert via text message. A list of names matched to phone numbers is not hard to come by; recently the names and phone numbers of 267 million Facebook users were reported to be fully exposed online.

Here, the text included the real victim’s name, warned about a possible fraudulent transaction, and when the user responded, they were contacted by a “rep” calling from what seemed like the bank’s number but was in fact spoofed. The “rep” collected enough information to reset the victim’s password, and proceeded to make $2000 in Zelle payments.

In another situation, one of the top-tier American retail banks launched Zelle a few years ago and was hit by a massive social engineering attack staged against its users. Customers were tricked by the criminals into sharing their credentials, allowing the criminals to enroll in Zelle and then make real-time payments.

In this case, the bank was quick to react, using behavioral analysis to identify the criminals’ modus operandi. The fraudsters had distinctive behaviors: their login patterns and up-and-down scrolling methods differed from those of the regular user of each account; they were not familiar with the personal data of the payees; and they showed a remarkable familiarity with the Zelle payment flow, even in accounts that had just enrolled for the first time.

With that information identified early on, the bank was able to deflect most of the attack, saving about $200,000 in just a single weekend, and preventing further losses.

Delivering on P2P’s Promise
Retail banks in the U.S. have been fighting account takeover (ATO) fraud for over a decade, but never in real time. Responding to Zelle fraud, which is always real-time, is therefore a new challenge. The typical knee-jerk reaction to a rapid escalation in fraud would be quite similar to the initial response the banking sector had to the wave of phishing campaigns from 15 years ago: add controls, add warnings, and generally add friction.

Fraudsters adapt fast to any new control, try out new social engineering story lines, and have an enormous bag of evolving tricks. Meanwhile, as a result of that friction, real users often feel cheated and frustrated by a sub-optimal digital journey. They might abandon P2P and revert to traditional forms of payment.

As a general rule, it’s better to prepare for something as significant as launching a new digital payment vehicle by adding behind-the-scenes layers of visibility into the user’s journey. These controls are harder for criminals to defeat, as they need to guess what exactly is being monitored and analyzed.

According to the analyst firm Aite Group, the three technologies that provide that combination of higher security and seamless experience are behavioral biometrics, behavior patterns and device identity controls.

It’s also critical to monitor adjacent user flows, beyond just the immediate danger zone of Zelle enrollment and payments. Logins, password resets, and email and phone changes are all important to analyze.
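The two preceding points, the behavioral tells seen in the retail bank case (unfamiliar device and login pattern, unfamiliarity with the payee, a first-time enrollee who moves through the payment flow too quickly) and the adjacent flows worth monitoring (password resets, contact changes, enrollment shortly before a payment), can be combined into a simple rule-based risk scorer. The following is an added illustration written for this page, not code from Zelle, any bank, or Aite Group; the event names, weights, thresholds and the event log itself are constructed assumptions for the example.

```python
"""Constructed example: rule-based risk scoring of real-time P2P payments from
adjacent user-flow events (login, password reset, contact change, enrollment)
plus simple behavioral signals. Event kinds, weights, thresholds and the
sample log are assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    user: str
    ts: datetime
    kind: str              # login | password_reset | contact_change | p2p_enroll | p2p_payment
    device: str = ""       # device identifier observed at login (assumed field)
    payee: str = ""        # payee token on p2p_payment
    amount: float = 0.0
    flow_seconds: int = 0  # seconds spent completing the payment form (assumed field)


# Signal weights: assumed values chosen for the example, not tuned figures.
RULES = {
    "recent_password_reset": 30,      # password reset within 24h before the payment
    "recent_contact_change": 25,      # email/phone change within 24h before the payment
    "payment_soon_after_enroll": 20,  # payment within 1h of P2P enrollment
    "unknown_device": 15,             # session device not seen in the prior 90 days
    "new_payee": 10,                  # payee never paid before from this account
    "fast_flow_first_use": 15,        # first-ever payment completed in under 20s
}
ALERT_THRESHOLD = 50


def score_payment(history: list[Event], payment: Event) -> tuple[int, list[str]]:
    """Score one p2p_payment against the same user's earlier events."""
    prior = sorted((e for e in history if e.user == payment.user and e.ts < payment.ts),
                   key=lambda e: e.ts)
    hits: list[str] = []
    day_before = payment.ts - timedelta(hours=24)

    if any(e.kind == "password_reset" and e.ts >= day_before for e in prior):
        hits.append("recent_password_reset")
    if any(e.kind == "contact_change" and e.ts >= day_before for e in prior):
        hits.append("recent_contact_change")

    enrolls = [e for e in prior if e.kind == "p2p_enroll"]
    if enrolls and payment.ts - enrolls[-1].ts <= timedelta(hours=1):
        hits.append("payment_soon_after_enroll")

    # The session device is the one from the most recent login; compare it with
    # devices used in the 90 days before that login.
    logins = [e for e in prior if e.kind == "login"]
    if logins:
        session = logins[-1]
        earlier = {e.device for e in logins[:-1]
                   if e.device and e.ts >= session.ts - timedelta(days=90)}
        if session.device not in earlier:
            hits.append("unknown_device")

    past_payments = [e for e in prior if e.kind == "p2p_payment"]
    if payment.payee not in {e.payee for e in past_payments}:
        hits.append("new_payee")
    if not past_payments and payment.flow_seconds < 20:
        hits.append("fast_flow_first_use")

    return sum(RULES[h] for h in hits), hits


def scan(events: list[Event]) -> list[tuple[str, datetime, float, int, list[str]]]:
    """Return (user, time, amount, score, hits) for every payment at or above threshold."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for e in ordered:
        if e.kind == "p2p_payment":
            score, hits = score_payment(ordered, e)
            if score >= ALERT_THRESHOLD:
                alerts.append((e.user, e.ts, e.amount, score, hits))
    return alerts


def build_sample_events() -> list[Event]:
    """Constructed log: 'alice' is a routine user; 'carol' shows a takeover-style
    sequence (reset, new device, contact change, enroll, immediate fast payment)."""
    t0 = datetime(2020, 1, 6, 9, 0)
    ev: list[Event] = []
    for d in range(30, 0, -5):  # regular logins over the previous month
        ev.append(Event("alice", t0 - timedelta(days=d), "login", device="dev-A"))
        ev.append(Event("carol", t0 - timedelta(days=d), "login", device="dev-C"))
    ev += [
        Event("alice", t0 - timedelta(days=10), "p2p_enroll"),
        Event("alice", t0 - timedelta(days=5), "p2p_payment", payee="bob", amount=40.0, flow_seconds=45),
        Event("alice", t0, "login", device="dev-A"),
        Event("alice", t0 + timedelta(minutes=3), "p2p_payment", payee="bob", amount=25.0, flow_seconds=60),
        Event("carol", t0 + timedelta(minutes=2), "password_reset"),
        Event("carol", t0 + timedelta(minutes=4), "login", device="dev-Z"),
        Event("carol", t0 + timedelta(minutes=5), "contact_change"),
        Event("carol", t0 + timedelta(minutes=8), "p2p_enroll"),
        Event("carol", t0 + timedelta(minutes=10), "p2p_payment", payee="payee-unknown-1",
              amount=2000.0, flow_seconds=12),
    ]
    return sorted(ev, key=lambda e: e.ts)


if __name__ == "__main__":
    for user, ts, amount, score, hits in scan(build_sample_events()):
        print(f"{ts:%Y-%m-%d %H:%M} {user} ${amount:.2f} score={score} hits={hits}")
```

Every rule here looks at flows adjacent to the payment rather than at the payment alone, which is the point of the paragraph above: the individual events (a reset, a new phone number, an enrollment) are each ordinary, and it is their clustering in the hours before a first real-time payment that separates the takeover pattern from the routine user. In practice the weights would be replaced by a model trained on the institution's own data, and the scorer would gate a step-up or hold rather than act as the sole decision.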

Financial institutions, consumers, payment processors and others should learn from past experience and not fall into the convenience trap. The only way to stop Zelle fraud is to plan for a dynamic system of authentication and fraud prevention.

Done passively, and with better technologies, an effective solution also addresses the user experience and delivers on the promise of P2P payments, not just for Zelle-based consumer payments, but for other applications like business transactions and cross-border payments too.
