Blog article

Zelle P2P Fraud: You Ain’t Seen Nothing Yet...


If you live in the US, you probably already use Zelle.

Zelle is super awesome. It's sleek, real-time, and allows you to pay instantly to anyone with an email or phone number directly from your bank account - with zero commission.

And it also attracts criminals like bees to honey.

Banks that have launched Zelle – ranging from the very Top 5 US banks to small credit unions – report highly targeted fraud campaigns and an adaptive race with clever cybercrime rings who are quick to respond to new controls. In fact, by now Zelle fraud is the fastest-growing area of account takeover fraud in the US banking sector.

Three types of deployment

Not all Zelle flows were born equal. Zelle usage can be divided into three deployment types:

Stand-alone Zelle app – this is the mobile app available for direct download by consumers. The app, produced by Early Warning Services (EWS), is one of the top 5 financial apps by user ranking. EWS has various fraud controls, but they only apply to those users who use the app directly.

Online/Mobile Banking: while there aren’t any public stats, it’s likely that a vast chunk if not the majority of Zelle traffic is generated not through the stand-alone app, but rather through online and mobile banking services in which the Zelle enrollment and payment flows are embedded.

This is the case for the big national banks: they offer Zelle to their customers as a new tab within online or mobile banking. As the user enrolls in Zelle and makes money transfers, the back-end fulfillment is done over the EWS rails via secure APIs. Fraud controls are done by the bank.

Zelle via P2P providers: the big P2P money transfer providers now also offer Zelle functionality to banks. In this scenario a user would log into the bank’s website or mobile app, but when they ask to enroll to Zelle or make a payment, they’re taken to the P2P money transfer provider’s pages – so the bank loses visibility into the user’s actions, and relies on the P2P provider’s controls.

Some banks that rely on third parties to fulfill Zelle enrollment and payments report that those P2P providers struggle with keeping the lid on Zelle fraud, and are therefore currently implementing strong Pre-Zelle controls in order to have better risk management.

Another motivation for those controls is being able to increase daily / per-transaction limits for Zelle transfers, especially during the current coronavirus outbreak, which prevents people from using checks or cash transfers. Those controls focus on the login sequence and the activities before and after the Zelle interaction.

Social Engineering at its Best

Many banks targeted by Zelle fraudsters already experience the cutting edge of social engineering attacks. Phone number spoofing, robocalls and personalized text messages are already widely deployed.


A Bay Area financial institution suffered a targeted attack in which members received a personalized fraud alert via text message. The text included the real victim’s name, warned about a possible fraudulent transaction, and asked the user to confirm whether it was valid. Those who responded got a phone call from a number spoofed to look like the real bank’s contact center number. They were asked for their user ID, which was “verified”; in fact the criminal quickly went through a password reset process and asked the victim to read out loud the one-time code sent to reset the password. Armed with a set of new credentials, the criminal logged into the victim’s mobile banking account; at this point the victim was already locked out of their own account. The criminal then enrolled in Zelle, asking the victim to provide a second one-time code, and went ahead and made payments of a few thousand dollars from the victim’s account.

Another bank, one of the Top 5 retail banks, launched Zelle a few years ago. One late Friday afternoon in September it experienced a massive social engineering attack against its users. Customers were tricked by the criminals into sharing their credentials, allowing the criminals to enroll in Zelle and then make real-time payments.

The bank was quick to react, using behavioral biometric analysis to single out the criminal actions. The fraudsters had distinctive behaviors: their login patterns and up-and-down scrolling methods were different from those of the regular user in each account; they were not familiar with the personal data of the payees that were set up; and they showed a remarkable familiarity with the Zelle enrollment flow – a flow genuine users were navigating for the first time. The bank was able to deflect most of the attack, saving about $200k in a single weekend. The bad guys decided not to waste more time there, and went to attack other banks.

The Dos and Don’ts

Retail Banks in the US have been fighting online banking ATO (Account Takeover) for over a decade, but never in real time. Responding to Zelle fraud, which is always real-time, is therefore a new challenge.

The typical knee-jerk reaction to a rapid escalation in fraud would be quite similar to the initial response the banking sector had to the wave of phishing campaigns some 15 years ago: add controls, add warnings, and generally add friction. But tightening controls, lowering transactional limits and placing stark warnings in the online banking site - generally elevating the friction level with the real users – is a short-lived measure that leads to counterproductive results.

Fraudsters adapt fast to any new control, try out new social engineering story lines, and have an enormous bag of tricks that has proved useful in many international online fraud campaigns – things such as malware, remote access tools, and various tools and methods to increase the effectiveness of their social engineering and make it more scalable. Real users who are hit by elevated friction, however, often feel cheated and frustrated by a sub-optimal digital journey, and may revert to other payment forms or to using the call center.

As a general rule, it’s better to prepare for something as significant as launching a new digital payment vehicle by adding invisible layers of visibility into the user’s journey. These controls are harder for criminals to defeat, as they need to guess what exactly is being monitored and analyzed.

It’s also important to monitor adjacent user flows, not just the immediate danger zone of Zelle enrollment and payments: login, password resets, email and phone changes are all quite important to analyze.
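The two incidents above and the advice to monitor adjacent flows describe the same thing: a takeover shows up as a password reset, a new device, and a first-time Zelle enrollment that is completed too fluently, all shortly before a payment. The following is an added example (not code from the post or from any bank or vendor) of a risk scorer that reads an account's recent events and holds a Zelle payment when those adjacent signals stack up; event names, fields, weights and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data); event names and fields are assumptions.
EVENTS = [
    {"ts": "2020-04-24T16:02:10", "acct": "acct-1", "event": "password_reset"},
    {"ts": "2020-04-24T16:03:05", "acct": "acct-1", "event": "login", "device": "new"},
    {"ts": "2020-04-24T16:04:40", "acct": "acct-1", "event": "zelle_enroll", "seconds_in_flow": 35},
    {"ts": "2020-04-24T16:05:30", "acct": "acct-1", "event": "zelle_payment", "amount": 2400, "payee_new": True},
    {"ts": "2020-04-24T09:15:00", "acct": "acct-2", "event": "login", "device": "known"},
    {"ts": "2020-04-24T09:22:00", "acct": "acct-2", "event": "zelle_payment", "amount": 60, "payee_new": False},
]

WINDOW = timedelta(minutes=30)  # assumed look-back over adjacent flows
FAST_ENROLL_SECONDS = 60        # assumed: a genuine first-time user takes longer
HOLD_THRESHOLD = 5              # assumed score at which the payment is held for review

def score_payment(account_events, payment):
    """Score one Zelle payment against the account's events in the look-back window."""
    t = datetime.fromisoformat(payment["ts"])
    recent = [e for e in account_events
              if t - WINDOW <= datetime.fromisoformat(e["ts"]) <= t]
    kinds = {e["event"] for e in recent}
    enrolls = [e for e in recent if e["event"] == "zelle_enroll"]
    # Signals the post calls out: credential reset, new device, contact changes,
    # unusual fluency with the enrollment flow, and a payee never paid before.
    checks = [
        ("password_reset" in kinds, 3, "password reset shortly before payment"),
        (any(e["event"] == "login" and e.get("device") == "new" for e in recent),
         2, "login from a new device"),
        (bool(kinds & {"email_change", "phone_change"}), 2, "contact details changed"),
        (bool(enrolls) and enrolls[-1].get("seconds_in_flow", 999) < FAST_ENROLL_SECONDS,
         2, "first-time enrollment completed unusually fast"),
        (bool(payment.get("payee_new")), 1, "payment to a never-seen payee"),
    ]
    score = sum(points for hit, points, _ in checks if hit)
    return score, [reason for hit, _, reason in checks if hit]

def evaluate(events):
    """Return {account: (decision, score, reasons)} for each account's latest Zelle payment."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_acct[e["acct"]].append(e)
    results = {}
    for acct, evs in by_acct.items():
        for e in (x for x in evs if x["event"] == "zelle_payment"):
            score, reasons = score_payment(evs, e)
            results[acct] = ("hold" if score >= HOLD_THRESHOLD else "allow", score, reasons)
    return results
```

The reasons list is what a call center agent would need to see when the blocked criminal calls in next, which is the visibility the post asks for in its final point.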

Finally, it’s important to equip the call center with some visibility into what’s going on within the online/mobile banking app. If a Zelle enrollment or payment in the online banking channel was suspicious and blocked, the criminal may immediately take their chances with the call center.

So - stay safe, and prepare yourselves for Zelle attacks. For cyber criminals, it's the most interesting game in town.


Comments: (3)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 27 April 2020, 11:55

Great post. Equally applicable to FPS (UK), UPI (UK) and all A2A RTPs in the world. The Finextra article entitled APP fraud losses hit £456 million in 2019 proposed additional steps to minimize fraud. As you can see from my comment below that article, I totally agree with you that adding more steps is not the solution and it will prove counterproductive.

I notice you've proposed "backdoor" / invisible steps. IME, such steps lead to inconsistent UX and patchy performance. They ask for some info sometimes, not other times, thus disconcerting the user. They tend to be slow. That's why I proposed a non-tech solution. While you can read my full recommendation in aforementioned comment, here's a tl;dr version: Banks should reimburse victims once, train them how to use the app securely & refuse reimbursements if they fall for fraud again. Of course, that article's focus was APP fraud whereas your article's focus is account takeover fraud, so solutions will need to be tweaked accordingly. 

Uri Rivner - BioCatch - Tel Aviv, 27 April 2020, 14:42

Hi Ketharaman - thanks for the comment! You're right that UX consistency is important. However, today there are a lot of controls in place that disrupt the UX due to all sorts of security and risk policies: you're accessing from a new and untrusted device, or from out of the country, or you're moving much more than you normally do (well, in these troubled times of social distancing, moving irregular sums of money online for the first time is actually pretty expected as you cannot use checks or cash). In those cases there is a 'user escalation' - a transaction can be blocked, or you might need to approve it using a one-time code, or someone from the bank may need to contact you. These user escalations are normally not very effective: criminals find ways around them, and honest people just get bothered. The idea of using invisible layers of visibility such as device intelligence and behavioral biometrics is to get a firm understanding of whether this activity is good or bad without any change to the UX. So, completely friction-free. This can override more crude controls and actually improve the UX, and it's also much more effective in terms of catching fraud.

With regards to APP fraud, the banks are now using a clever combination of payee name verification, device intelligence, behavioral biometrics and risk-based messaging to the users, in addition to education. It's always a mix of controls and technology that can fight sophisticated attacks...

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 27 April 2020, 16:00

@Uri Rivner: If the backdoor measures proposed by you are completely friction-free, then I'm all for it. TY for the clarification. 

Uri Rivner, Chief Cyber Officer, BioCatch, Tel Aviv
