Pay by Link: Central Bank steps in

Help me out here … how can ‘pay by link’ even be a thing?

Back in issue 207 of Payments:Unpacked we asked how ‘pay by link’ can even be a thing. Pay by link is growing in use within the financial services industry, as banks and other financial services companies adopt the mechanism in their apps to service growing demand for mobile payments.

At the time we asked whether pay by link makes sense when it encourages payers to click on SMS and email links.

And now it seems that the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) also agree that ‘pay by link’ doesn’t make sense. It has been announced that banks in Singapore are set to remove clickable links in emails and text messages sent to retail customers after a spate of SMS phishing scams.

Intrigued? Read on…


Never click on payment links…

Back in November, we noted that Ofcom had reported on its own research into mobile security and found that, over a three-month period, scam calls and texts had increased massively, with nearly 45 million people plagued by scams over the summer months.

According to their research, around 82% – more than eight in 10 – said they had received a “suspicious message” either in a text, recorded message, or phone call to a landline or mobile.


Time for a closer look

Back in November, Answer Pay stated that it’s time the industry takes a closer look at the risks of pay by link to consumers before the ‘cat really does get out of the bag’:

With the best of intentions, banks and other financial services companies are enhancing their mobile apps to serve a growing demand for bill payments on the move.

Pay by link is an obvious technical construct to explore to achieve that, but no matter how secure any given solution might be, the use of pay by link creates confusion for consumers who’ve been advised for more than a decade not to click on links.

This industry direction places demands on the maturity and digital know-how of consumers to distinguish fake solutions from legitimate vendor tools and links.


Protect your customers

Demand for mobile payments is on the rise. Consumers want to move money quickly and easily, but they also have clear ideas about security. They do not want to expose their devices to link attacks, which are fast becoming the most perilous attack surface consumers have to deal with.

Phil Cracknell, former Cabinet Office Cyber Security Lead and notable CISO advisor, believes that the industry should be thinking hard about any decision to adopt pay by link, regardless of the safeguards framed around it:

Owing to the rampant growth in phishing attacks, security practitioners like me have been working tirelessly to discourage users from clicking on links that might not be safe. Now it seems we’re saying—‘You know how I’ve been advising you for years not to trust links, well some of them are now okay.’ I think it’s confusing and, my suspicion is, others would agree.


Tackling a spate of SMS phishing scams

And now it seems that the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) also agree that ‘pay by link’ doesn’t make sense.

Banks in Singapore are set to remove clickable links in emails and text messages sent to retail customers after a spate of SMS phishing scams.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) say that the move, along with a host of other measures, will be put in place within the next two weeks.

Banks in Singapore have been sharing their experiences:

  • OCBC Bank revealed that nearly 470 customers lost at least $8.5 million in December after scammers posed as the lender and sent victims SMSes with links to phishing sites.
  • The Development Bank of Singapore has warned its customers about a similar scam in which an SMS claiming to be from the bank told victims that their account had been suspended and asked them to click on a link.

As well as removing clickable links in emails and text messages, Singaporean banks have been implementing other fraud mitigation initiatives including:

  • setting the default threshold for funds-transfer transaction notifications to customers at $100 or lower.
  • introducing a delay of at least 12 hours before activation of a new soft token on a mobile device, and sending a notification to the existing mobile number or email registered with the bank whenever there is a request to change a number or address.

To Click or Not to Click


If you are keen to explore this topic…

  • Answer Pay recently sponsored a roundtable discussion about the data security threat presented by pay by link bill payment solutions – watch the video here: ‘To Click or Not to Click’.
  • Answer Pay recently responded to the Payment Systems Regulator consultation on APP fraud, stating in its response that with SMS and email there is no way for a customer to tell that the request is genuine.
