Steve Percy
President, Diolkos Commerce Solutions
February 2021
Bankers, in their 30-year quest for digital self-servicing, have mandated themselves to address cybersecurity. They have accomplished a lot and will continue the journey, not only with customer access but with other security items such as network security. This includes firewalls, router port security and all kinds of other advanced technical solutions to protect the bank from interlopers. In fact, that is the origin of their business: protecting our money in their safe.
Customers, however, have experienced cybersecurity over the last 30 years differently: login IDs in text form or 16-digit card numbers, dial-in telephone keypads, access cards, PINs, personal computers, downloaded security software (Entrust, for example), challenge questions and multi-factor authentication, delivered via ATMs, telephones, PCs, smartphones and tablets. Login credentials have also included thumbprints, facial recognition and GPS location services. But getting access to online digital services is only one aspect that consumers experience. They are also exposed to self-support services and sales through online offerings, including websites and chat services, that also require methods of identification. Of course, all of this remote access has opened the doors to anonymous interlopers of a different kind, spanning all borders. As a result, everyone ends up with dozens of login credentials and supporting physical devices, and they must maintain them with regular changes to assure their efficacy. It is a challenge, and one at which few people are more disciplined than the majority.
Fraud technologies and industries have grown from this continually growing challenge. Credit and debit card providers have battled fraud and continually enhance their fraud and theft prevention solutions, and while these are reasonably effective, the banks and their customers are still feeling the pain of fraud to the tune of hundreds of millions annually across the industry. Banks have no choice. They are required to be safe and spend whatever they must to provide security. It is the cost of remaining in business. Any bank that is not safe will be out of business the next day.
Consumers still feel the pain of “Card Not Present” and “Offline Payment” fraudulent activity. They have to work through their card-issuing financial institutions and will continue to run into challenges on some fraudulent charges to their accounts. And of course, criminals will continue to root out vulnerabilities in the many non-FI, corporate-provided card security schemes where payments are injected into the payment infrastructure. Over the last 10 years, the newest business segment, called the gig economy, has become the target. Fraudsters’ ability to exploit holes in gig payments (UBER vomit fraud, the Skip-The-Dishes app hack, …) or loyalty payment systems (PII hacks, point phishing) occurs regularly enough to garner coverage in local and national news publications. Any open payment solution where payments can be injected from a corporate system using its own captured PII information will continue to experience these issues.
The newest payment solution, and some experts argue the only new one to hit the market in the last 20 years, is e-mail transfers or e-transfers. Growing significantly, particularly in the Covid-19 period, they now represent 2.5% of total volume and 1.8% of total value as reported by Payments Canada. Of course, this in turn has led to a growth in fraudulent activity, as e-transfers have vulnerabilities that are being exploited by interlopers.
Services including Zelle, Venmo and Interac use an alias such as an e-mail address or cell phone number to represent an individual. These solutions create a mapping scheme to tie the alias to the customer and their account. And just as shipping an account number around on a cheque is a problem, so is an alias-based solution.
One of the largest issues with this solution type is the need for “customer participation” security. Customers must provide and exchange a “shared secret” to authenticate and execute the transfer. Of course, the everyday person is not as diligent in completing this requirement over the long term, and fraud and theft occur as a result. A large portion of these thefts lead to arguments between the customer and their bank, never to the satisfaction of either. The relationship is severely strained, pushing customers to look elsewhere when satisfactory resolution is not obtained. And it is a real challenge to move your banking to another FI. While a very successful solution, the costs of fraud will continue to grow with volumes for both the banks and their customers. And while it is still a small expense for banks, it can become a large reputational risk item.
And how are these successful fraudulent issues resolved? The first step is recognition, which primarily falls to the account owner. Hence timeliness is important, and it is governed by an Account Agreement. This agreement mandates the account owner to monitor activity on their account and outlines their responsibility to protect their access credentials and to properly use the security features. When fraudulent activity is noticed, the account owner must contact their financial institution through one of its offered communication channels and launch an investigation.
Financial institutions have many different payment systems for their various business segments, some dating back to the 1980s. Investigations into problems remain an expensive challenge for several reasons (technology, and human resource training), as they must be traced through both internal and outsourced services and payment rails (card and interbank debit), and now these new e-mail service channels. At times even system log files need to be extracted and used in the investigation, or requests need to go out to other financial institutions. While newer systems support more consistent consolidated reporting, the aggregation of information is necessary to trace back to the source of payment initiation. Then a discussion is held with the client. Whose fault is it, and how is it remedied? Let the pain begin.
There are no winners, and the pain is always larger for the customer. The banks do a lot to protect us, but … no winners.
What else do consumers experience in terms of cybersecurity?
A threat that is more abusive is identity theft. This occurs via the hacking of PII data off corporate servers. We see these stories reported in the media every couple of months. And it is not just corporations; it is all levels of government systems as well. This has reached the level where there are growing court actions against corporations that do not invest sufficiently in protecting their customers’ PII data.
Separate industries have arisen that provide online identity protection solutions that individuals subscribe to annually. Corporations that have been hacked have voluntarily provided paid support to their customers for these services to mitigate their responsibility. But does one or two years of protection provide solace? Can’t the interlopers just wait longer? Don’t you have to change all your cards and other identity credentials to really protect yourself? It is a real problem that needs everyone’s full attention.
Who is best placed to solve the problem? Well, who has both the expertise and the funding to do so? Who absolutely has to solve the problem?
Ultimately, the problem ends up at the feet of the banker. It will always be necessary for banks to resolve and protect against fraudulent payment authorizations. And because regulated Know Your Customer requirements have made banks the world leaders in PII data collection and ongoing management, they must become the biggest experts in PII data protection. So they have spent more on this than any other industry. Open Banking is a regulatory initiative for the rest of society to capitalize on banking excellence in this area. It is good for us all.
From a payments perspective, however, what is needed is a solution that does not rely on corporate or government collection, retention or storage of PII for payment execution, or even on the exchange of PII for that matter. Tying a person or corporation to an account “alias” is not ideal either, as fraud remains a risk, as reported around the world for these solutions. Nor is it a good idea to provide a service in which the parties end up pointing fingers at who was responsible for executing security. Something smarter is needed. Something that is designed from first principles, cradle to grave, front to back, with payment security in mind.
Hmmmm… Maybe bankers should look into Diolkos.