Opinion: Mobile operators aren’t to blame for payment fraud
In this opinion piece Peter Cornforth from Answer Pay argues that mobile operators aren’t to blame for payment fraud.
It’s all about trust
Let me start by saying that I believe the answer to Authorised Push Payment Fraud is Request to Pay. Your most vital asset in payments is trust and Request to Pay allows a recipient of a payment request to trust the originator of the request is who they say they are. You can find out more on our website or reach out to me for more details. This article is instead going to focus more on why mobile operators aren’t the problem in remote payment fraud.
What we love about mobile networks is their ubiquity. In many markets there are more mobile phones than bank accounts, so they are a fantastic means of communication. They are intentionally open networks: a user of one network can communicate with a user of any other network operator. This is hugely important because it allows you, for example, to contact a business you have no existing relationship with, without any hindrance. You can also do it anonymously, so you are not unwittingly sharing your data (other than your mobile number) with a third party. Here also is the downside: a fraudster can contact a consumer or business just as anonymously, or worse, by spoofing the phone number to look like someone else.
But people aren’t stupid so why do they click on the links sent in text messages like the one pretending to be from the Royal Mail asking you to transfer £2.99?
Because it’s completely plausible that your bank or a business will contact you by text for a payment: at least two of the top five UK banks offer it as a service, and the Payment Systems Regulator doesn’t like it. The first question to ask is why banks do it. After all, banks wouldn’t place their data centres in the local cafe, open to everyone and reached over an open wifi network, so why would they use an open network where they can’t be sure who they’re communicating with? This is where the distinction between the actors becomes important.
Corporate banks and payment providers supporting businesses are the ones offering these services, and their service is no doubt secure; however, they have little interest in the ecosystem impact or in the fraud vector they create. The retail banks and their customers are usually the ones that suffer the pain, as they are the ones transferring the money and will be out of pocket. It’s the retail banks that are, on the whole, advising customers not to click on payment links in text messages. If you think the proposed rebalancing of fraud liability will help, you’d be wrong. As I mentioned before, the operators of this service likely have low fraud rates themselves, but they are legitimising a fraud vector for someone else and will receive no penalty for it.
So given this situation, why don’t we “fix” the mobile networks to prevent fraud? To me it seems a bit of a cop-out to try and force another industry to change its service so you can use it for a purpose it wasn’t designed for. That said, the mobile networks have already developed a wealth of tools, available to buy, that payment providers can use to prevent various types of fraud.
Do Not Originate List
This protects against number spoofing, where a fraudster might try to impersonate a bank by presenting the bank’s number instead of their own. Created by Ofcom and UK Finance, the list lets banks add their numbers, and mobile network operators will then block calls and messages that present those numbers from elsewhere. Unfortunately it has not been as widely used as you’d hope, as highlighted by this Which? article. The article also gives a good summary of why spoofing is, in some cases, a legitimate tool.
SIM swap Identification
SIM swap fraud is where a fraudster steals your mobile number by porting it to their SIM (remember that being able to migrate your number to a new SIM card can be a good thing). Fortunately, mobile operators have a service for banks that allows them to see if a SIM has been swapped recently; I particularly liked this document from Telefonica discussing the creation process. I don’t know how extensively these services are currently used by payment providers.
Multi-factor authentication using SMS
Connected to the above is the fact that many banks use text messages as part of their multi-factor authentication process. Usually it is a step down from a biometric service offered by the handset OS provider (Apple, Samsung, Google etc.). There is, however, an alternative mobile operator service that validates you are who you say you are through a PIN challenge issued by the network operator, confirming that the SIM is in your possession (something you have). More on that here: https://mobileconnect.io/authentication/
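How a payment provider might combine the two operator services above, as an added example that is not code from the article or from Answer Pay: a recent SIM swap (or a failed lookup) means an SMS one-time code can no longer prove “something you have”, so the step-up falls back to a handset biometric or the operator PIN challenge. The lookup response shape and the seven-day window are assumptions; the numbers are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed SIM-swap lookup responses keyed by MSISDN. The shape is a
# hypothetical simplification, not any real operator API.
# last_swap_at None means the operator has no swap on record.
SAMPLE_LOOKUPS = {
    "+447700900001": {"status": "ok", "last_swap_at": "2024-03-01T09:15:00Z"},
    "+447700900002": {"status": "ok", "last_swap_at": "2023-11-20T08:00:00Z"},
    "+447700900003": {"status": "ok", "last_swap_at": None},
    "+447700900004": {"status": "error"},
}

# Assumed policy: a swap inside this window makes SMS an unsafe second factor.
RECENT_SWAP_WINDOW = timedelta(days=7)


def parse_swap_time(value):
    """Parse an ISO-8601 UTC timestamp; 'Z' is normalised for older Pythons."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def choose_step_up(lookup: dict, now: datetime,
                   window: timedelta = RECENT_SWAP_WINDOW) -> str:
    """Pick the second factor for a payment step-up.

    Returns 'sms_otp' when the SIM has not changed hands recently, otherwise
    'app_or_network' (handset biometric or operator PIN challenge).
    A failed lookup fails closed: no evidence the SIM is still the customer's.
    """
    if lookup.get("status") != "ok":
        return "app_or_network"
    swapped_at = parse_swap_time(lookup.get("last_swap_at"))
    if swapped_at is not None and now - swapped_at <= window:
        return "app_or_network"
    return "sms_otp"


def decide_all(now: datetime) -> dict:
    """Run the policy over every sample lookup; handy for review and testing."""
    return {msisdn: choose_step_up(resp, now) for msisdn, resp in SAMPLE_LOOKUPS.items()}


if __name__ == "__main__":
    for msisdn, channel in decide_all(datetime(2024, 3, 4, 12, tzinfo=timezone.utc)).items():
        print(msisdn, "->", channel)
```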
Finally, the mobile operators also offer a trust mark (think of the little blue Twitter tick) to provide assurance that the business you are talking to is really who it claims to be: https://www.gsma.com/futurenetworks/rcs-brand-communications/. I’ve personally never seen this from any of the payment providers who send me texts.
I think it’s pure deflection to say this is not a banking problem and point at mobile operators instead. The tools are there, whether mobile operator based or Request to Pay. Have they been adopted? I’m not sure. I know from previous roles that connecting to mobile operators can be challenging, especially if you are connecting to multiple markets, as each market may have different operators, increasing the number of connections you need to make. This is why a standards-based approach like Request to Pay is perhaps the easiest way to tackle this problem.
If this isn’t a technology issue, then where is the problem?
Peter Cornforth is the Commercial Director at Answer Pay – Peter is a payments product specialist with over 10 years of experience in the payment arena with Santander, Vodafone, Amazon and Paysafe.