“If the fraudsters find a hole, they’re going to run a bunch of transactions through it,” Ingo Money CEO Drew Edwards remarked to Karen Webster.
Right now, financial services are vulnerable to all sorts of fraud because technology, wielded by criminals, allows them to hide in the shadows — tricking even the most robust defenses of banks, neobanks and FinTechs alike.
That’s especially true for the FinTechs, where it’s so much easier to open an account. For the criminals and the FinTechs — the neobanks seeking to upend banking in general — the game of hopscotch is afoot. The hackers and the criminals wind up funding accounts at these digital upstarts with money pilfered from other sources and then prey on merchants, deluging them with transactions tied to debit card fraud.
“If we’re talking about fraud, we’ve got to be talking about account funding,” said Edwards, who added that “account funding of transactions without risk management is nothing short of Russian roulette.”
Two Types of Fraudsters
In Edwards’ telling, the fraudsters themselves fall into two types: There are organized groups that are meticulous in their planning and their attacks, and then there are the “desperate individuals” that ply their trade in a haphazard fashion, looking for a few scores out of who knows how many attempts to get would-be victims to part with their personal details.
It’s the organized fraudsters, of course, that have the most scale and pose the most concerted threat. The threat continues to loom large, as in recent months, a number of vulnerabilities in pandemic-era relief have come to light.
To date, 1,500 people have been charged with pandemic fraud and 450 have been convicted, and investigators are still chasing down abundant leads in what could top $163 billion illegally siphoned from COVID unemployment insurance benefits alone.
Fraudsters are proving especially creative, as they open mule accounts online and transfer funds digitally before disappearing into the proverbial ether.
Volume and Scale
The vulnerabilities are created, in part, by the sheer volume of new account openings seen across the industry, as Edwards noted. PYMNTS’ data shows that 59% of United States consumers opened at least one new account with a financial services provider — bank and nonbanks — last year.
The traditional banks have at least some robust lines of defense in play, as they have the in-branch settings that can help ascertain that people are who they say they are. The neobanks? Well, they’re flying a bit blind, since they may never see their consumers face to face.
“We wouldn’t be seeing these fraudulent transactions if the consumer had to walk into a branch to open an account but there’s a hundred choices now where I can rapidly and digitally open a new account,” observed Edwards.
Along the way, we’re seeing the rise of that old stalwart of fraud, Edwards said. Nigeria is shaping up to be a key ground zero for at least some vectors of attack, aided with the high tech — chiefly through spoofing and geolocation — that can act as a cloaking mechanism of sorts.
As Edwards told Webster only a bit tongue-in-cheek, “You can think that these individuals are standing in your headquarters — but instead, they’re actually in Nigeria.”
Some Lines of Defense
Edwards said the rise of digital wallets, Apple Pay among them, and various technical standards such as 3DS could offer some promise, but so far there’s been little adoption of the latter. The “Pays,” of course, use pseudo numbers that are used a single time and are then thrown away.
As it stands right now, the issuers must nimbly walk a tightrope. Fraud related to debit cards has been on the rise, and as Edwards noted, these enterprises don’t always have strong fraud protections on hand. He pointed to recent news reports spotlighting small merchants who had fallen victim to waves of hundreds (even thousands) of fraudulent transactions tied to cards that had been used in “card testing” schemes, in this case through Ally Bank.
Eventually, he said, “Everybody begins to realize that these are accounts that were stolen and the fraudsters are ‘ramming’ them at these merchants.”
The problems, of course, can be extrapolated to FinTechs where fraudsters might seek to use legitimate products to perpetrate fraud. The fraudster armed with details can find other personal identifying information (PII) on the web and take that information to open an account at another FinTech, stuffed with funds gleaned from the money stolen from the traditional bank accounts.
“Then they’ll pull the money out of the FinTech and disappear,” said Edwards (and, he added, it’s easier to open a FinTech account than one at a traditional player). “The debit cards are out there for sale on the internet.”
To really combat the account funding issues created by digital debit card fraud, Edwards said it’s critical to be able to tie the pieces together and get a gestalt picture of what’s going on. Matching a slew of data points becomes key — before the fraudsters take the money and run.
As Edwards told Webster, “Card not present transactions are just becoming a bigger and bigger part of the transaction flow — and attracting all of the very best bad actors. The crooks know the math better than anybody.”
