Globally, both consumers and businesses now expect real-time payments and transactions. With exponentially more customers performing real-time payments than ever before, it’s not surprising that fraudsters continue to seek ways to exploit the digital channel where such payments are performed.
This makes it imperative to use the latest approaches to mitigate risk and defend against attacks. Existing legacy authentication measures that protect accounts, such as login credentials and biometric authentication, are important, but fraudsters have proven able to circumvent them.
Account takeover has continued to rise, with several contributing factors: data breaches, social engineering, poor consumer password hygiene, slower-than-desired adoption of biometrics, and the increasing sophistication of fraudsters using bots and crimeware.
Real-time payments may be booming, but they may also be growing targets for fraud — and credit unions and other financial institutions are getting worried, an industry pro warned this week.
The payment method, which allows financial institutions and members to pay bills and make payments almost instantaneously, can also enable criminals to evade manual reviews, security measures that identify out-of-pattern activity and ACH service blocks, said Mike Lynch, who is chief strategy officer at San Francisco-based risk-profiling company Deep Labs. Growing account takeover activity, poor consumer password hygiene and social engineering vulnerabilities, among other things, may be helping criminals exploit real-time payments, he said.
“We have the perfect storm of many different factors at a high level, and now we’re moving money in real-time and we need to have a lot more security layers behind the scenes,” he said. “We can’t just have a rules-based approach. We need to correlate a lot of signals. So here is where you use device intelligence and behavioral analytics, et cetera.”
Real-time payment platforms aren’t necessarily the vehicles through which criminals are stealing data; they’re often the vehicles through which criminals can quickly exploit stolen data.
“It’s the tricking through social engineering or spoof calls for phishing,” he said. “That’s growing to be a pretty common technique and customers may be tricked into transferring funds to someone and never receiving the goods. So it looks like the money’s appeared in the seller’s account, but then a few days later [the platform] reverses the transaction.”
Credit unions and other financial institutions involved with real-time payment platforms should make sure they’re following best practices in terms of P2P security.
Deep Labs’ Michael Lynch discusses in this Bank Business article whether open banking will come to the United States and whether banks should start planning for it now.
Open banking is currently mandated in the EU, via a European directive. The regulation behind open banking is the second Payment Services Directive (PSD2). Open banking is designed to permit consumers’ data to be used by third party providers and thereby increase the competition and quality of products in the banking, payments, and credit cards space. Other benefits include ways to save consumers money with better interest rates or cash incentives, as well as making it easier to switch accounts, or to permit consumers’ data to be used by third party providers for helpful tools such as creating a dashboard of all their financial accounts.
PSD2’s main goal is to increase commerce and create a consumer-friendly ecosystem while ensuring that consumers’ data remains secure in the process.
One recurring question is whether open banking will come to the United States under similar regulations. It is only a matter of speculation at this point, but so far it seems that the U.S. private sector will trend towards similar capabilities without a regulatory mandate.
In this article, Deep Labs Chief Strategy and Product Officer Michael Lynch discusses whether open banking will come to the United States and whether banks and credit unions should start planning for it now.
Deep Labs Chief Strategy and Product Officer Michael Lynch discusses how account opening fraud is a rapidly increasing challenge for issuers due to the plethora of identity data available to fraudsters. The 2018 Identity Fraud Study by Javelin Strategy & Research shows that the number of identity fraud victims increased by eight percent in 2017, with the amount stolen totaling $16.8 billion.
Some of the top financial institutions employ specific and often expensive point solution providers for device risk, behavioral risk, mobile phone intelligence, social reputation, email reputation, call center fraud defense, bot and malware detection. And each of these providers typically provides a risk score or a rules-based approach, and a potentially long list of data attributes.
But this approach creates an issue and an opportunity. It isn’t necessarily a bad investment to add new point solution or data providers as long as you are getting value out of these investments. However, that is often the hardest determination to make. Personally, I have worked in large organizations where we invested in the latest and greatest data source, but never fully realized the potential of what we had purchased.
To complicate this further, often there is no cross-channel communication for authentication or identity decisions. Each channel is working in its own silo as is each point solution provider with their scores and rule sets. And from a consumer view, they must prove their identity or authenticate across different lines of business or for different types of transactions. It starts to be obvious why we are losing the battle against fraud with this approach. Many systems, many rules, many scores, no central decision maker or analysis to determine the optimal blend of accurate decision, cost, and performance.
SAN FRANCISCO, September 26th, 2019 — Deep Labs has earned the prestigious Gold status in the Golden Bridge Awards® Artificial Intelligence Category as Company of the Year. The coveted annual Golden Bridge Awards program encompasses the world’s best in organizational performance, innovations, products and services, executives and management teams, women in business and the professions, innovations, best deployments, product management, public relations, marketing, corporate communications, international business, and customer satisfaction programs from every major industry in the world.
Winners will be honored in San Francisco on Monday, October 28, 2019 during the annual Red Carpet SVUS Awards Ceremony.
“We’re honored to be named Company of the Year Gold winner,” said Scott Edington, CEO of Deep Labs. “The award is a testament to Deep Labs’ commitment to providing unique persona-based artificial intelligence that enables businesses to solve complex problems and continuously assess risk in real time.”
About the Golden Bridge Awards
Golden Bridge Awards are an annual industry and peers recognition program honoring best companies in every major industry from large to small and new start-ups in North America, Europe, Middle-East, Africa, Asia-Pacific, and Latin-America, Best New Products and Services, Best Innovations, Management and Teams, Women in Business and the Professions, Case Studies, Customer Satisfaction, and PR and Marketing Campaigns from all over the world.
About Deep Labs
Founded in 2016 by a team of experienced Payments and Signals Intelligence experts, Deep Labs has created a platform that leverages persona-based dynamic risk & propensity profiles to address Payments and Healthcare risk.
ValueWalk’s interview with Michael Lynch, Chief Strategy and Product Officer, Deep Labs. In this interview, Michael discusses his and his company’s background, fraud-prevention strategies for real-time payments, the problems with Zelle, Venmo and other big fintech giants, the three-day good funds model that banks use for wire transfers, whether Chase is offering safe real-time transfers, fraudsters using social engineering to transfer money, FedNow, the role of Libra and cryptocurrencies in real-time payments, using AI or machine learning to predict problematic payments, legislation related to consumer protection, and the potential for fraud in person-to-person payments.
Interview with Deep Labs’ Michael Lynch
Can you tell us about Deep Labs?
Founded in 2016 by a team of experienced payments and signals intelligence experts, Deep Labs has created a machine intelligence platform that leverages persona-based dynamic risk & propensity profiles.
Deep Labs’ context-aware platform can use persona-based intelligence to better differentiate between a fraudulent transaction and a legitimate one. We are therefore able to provide a solution, based on our ability to distinguish between different contexts, that allows the banks, the payment networks and the various merchants to really understand the context surrounding that transaction.
The use of personas improves consumer activity verification and engagement by determining the likely needs or activities of that individual, based on past behaviors and external variables.
Deep Labs’ patented machine learning technology provides key insights on identity behavior through billions of calculations, iterative insights and process analytics.
Our platform connects authentication, device, behavior, and transaction data for modeling across customer interaction points and solves for siloed views of customer interactions across channels.
Because banks, fintech firms, merchants and payments processors in the European Union have struggled to meet the Sept. 14 deadline for compliance with the new PSD2 “strong customer authentication” requirements for electronic payments, it may take a while for European consumers to notice authentication changes.
Back in June, the European Banking Authority, an EU regulatory agency, said that “on an exceptional basis” national regulators may be able to provide limited additional time for implementation. Subsequently, regulators in the U.K. announced in August they were delaying enforcement of the authentication requirements by 18 months – but only for online payments within the U.K.
In a statement, the Financial Conduct Authority, a regulator in the U.K., said: “All parties involved in card-not-present transactions, both FCA regulated and unregulated, should continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA [strong customer authentication] by 14 March 2021 and the third parties should make every effort to move to API access where available as soon as possible during this period.”
The Hurdles to Overcome
Security experts say many banks are not ready to comply with the PSD2 strong customer authentication requirement because they face technical and operational challenges as well as budgetary constraints.
“The bottlenecks for banks to comply with the PSD2 standards are the complexity of requirements owing to the competing environments of the third parties, particularly in the context of potential deployment of APIs, identity and security,” says Gavin Littlejohn, chairman of the Financial Data and Technology Association, a global association for financial services companies.
Michael Lynch, chief strategy and product officer at Deep Labs, an IT services firm, says many European banks and payment service providers lack the necessary technologies to meet the authentication requirements.
“The problem is, it requires a deep understanding of technical and security components to understand and design a solution for the requirements. The banks are not geared up to provide a platform for the transaction risk analysis, leveraging data signals and new technologies such as context-aware machine intelligence.”
Lynch says that banks preparing to comply with the new mandate need to make multiple investments beyond authentication technologies, such as malware detection and secure communication via encryption.
But one of the most significant challenges, security experts say, is putting in place the necessary APIs to enable authentication transactions with merchants, processors and fintech firms.
Artificial intelligence is creeping into almost all aspects of our lives. Everything from mobile banking apps and chatbots to voice-activated home assistants and self-service checkouts at supermarkets now has some form of AI embedded in it. Given the technology’s pervasiveness in the consumer space, it was only a matter of time before it started to permeate our business lives as well.
Most companies plan to invest in AI in the coming months, according to research by Accenture. However, more than 50% are still in pilot mode or the early phases of adoption while some have not even reached the starting blocks—an indication of the implementation challenges.
Scott Edington, CEO of Deep Labs, an AI start-up, says AI has a journey ahead. “You don’t just go from zero to 100 overnight,” he says. “You start introducing some of these technologies in a supervised mode.”
Even for companies that are wedded to legacy technologies like ERP and treasury management systems, Edington says it’s not a case of having to “rip and replace” these systems; AI plugs into existing technologies that companies already use.
When it comes to body parts the European Banking Authority (EBA) is agnostic: heart, veins, retina – even your fingers wandering idiosyncratically over a keyboard.
The regulator, needless to say, was not talking about harvesting organs when it got open minded about human anatomy in an opinion published this summer, but biological and behavioural biometrics: specifically, the types it will accept as “inherence”.
What is “inherent” to someone making a payment (and few would deny that veins and a heart are pretty inherent indeed) is about to get very important. Here’s why.
European Banking Authority: OK With Your Heart Rate
Under the looming “Strong Customer Authentication” requirements of Europe’s Second Payment Services Directive (PSD2), payments and ecommerce providers need to introduce two-factor authentication (2FA) for payments of over €30 (£27).
Future transactions above this SCA threshold have to satisfy two of the three elements the EBA deems satisfactory authentication methods: something you are, e.g. biometrics; something you know, e.g. a password or PIN; and/or something you have.
While the strict new rules were set to come into force on September 14, UK providers have won an 18-month extension from the Financial Conduct Authority (FCA).
One of the things they need to think about as they belatedly prepare their systems for SCA is what the “2” in “2FA” is going to be.
It could be your palm geometry…
In a payments biometrics opinion in June, the EBA took a broad view of what constitutes adequate biometric inherence.
“The EBA is of the view that inherence, which includes biological and behavioural biometrics, relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these”
“Inherence”, it noted, “is the category of elements that is the most innovative and fastest moving, with new approaches continuously entering the market.”
It approved: retina and iris scanning, fingerprint scanning, vein recognition, face and hand geometry (identifying the shape of the user’s face/hand), voice recognition, keystroke dynamics (identifying a user by the way they type and swipe), the angle at which a user typically holds their device, and their heart rate.
Are these really viable options? We asked Michael Lynch, Chief Strategy and Product Officer, Deep Labs. He said: “There are two important dynamics for the use of the inherence technologies. First is the acceptance by the consumer to use such technologies, and the second is the efficacy of the technology.