With account-based fraud on the rise, the move from standard to real-time transactions is causing significant security challenges for central banks and clearing houses.
Most fraudsters will usually follow the path of least resistance.
The success of anti-fraud measures like EMV chip, EMV 3-D Secure and payment tokenization in mitigating card fraud in-store and online means fraudsters are turning elsewhere.
Demand deposit account (DDA) credentials, which relate to current, savings or checking accounts that are used for direct credit transactions through automated clearing house (ACH) processing, are an increasingly attractive target.
DDA credentials are already stored in their raw form across various locations, such as e-commerce websites, mobile and P2P wallets, invoices and payroll.
While the frequency and public awareness of ACH fraud is much lower than credit and debit compromises, the average value of unauthorized ACH transactions is actually much higher. This creates the potential for very large value frauds, and even systemic attacks against national payment systems.
Despite the threat, many central banks don’t actively monitor some of these types of fraud, with losses below a certain limit written off as a cost of doing business.
The move from standard to real-time transactions adds another layer of complexity and creates further opportunities for fraudsters. Quicker transaction times increase the chances of fraudulent transactions going undetected.
This is because banks currently rely on a layered approach combining various techniques. But somewhat surprisingly in today’s automated world, checking payment mandates and unusual account activity manually remains a mainstay of the traditional clearance process.
Manual review is simply not feasible when the clearance time for account-to-account transactions is measured in seconds, not days.
Importantly, fraudsters recognize the challenges facing banks when transitioning and are ready to exploit any vulnerabilities as soon as a real-time payments scheme goes live.
Banks need to get ahead, be proactive and protect the account data itself, rather than simply be reactive and wait for the fraudsters to strike.
Enter tokenization. Tokenization has been hugely successful in safeguarding payments in-store and online by replacing the consumer’s primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel.
By removing account numbers from the transaction process entirely, tokenization can significantly reduce the risk and impact of account-based fraud to support the development of a safe and secure instant payments framework.
The good news is that tokenization is easily transferable to account-based transactions, is complementary to other anti-fraud measures, and is easily compatible with existing systems.
For banks, ACH fraud represents a bigger financial risk than card fraud and is going to become harder to manage as real-time payments become the norm. The ecosystem must work to mitigate fraud before it has been attempted. Tokenization, therefore, is primed to play a pivotal role within the broader security mix.
