Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Real-time payment services like The Clearing House and Zelle will completely clear transactions in an instant...but account takeover attackers love that speed as much as you do.

Joan Goodchild, Contributing Writer, Contributing Writer

December 19, 2019

5 Min Read

ACH transfers and credit cards have offered ways for people to pay without cash or check for years. Yet those kinds of transactions often take time – even several days – to officially clear, thereby delaying consumer and business account-holders' access to funds. Not so with real-time payment systems (RTP). Real-time payment systems allow the immediate or near-immediate transfer of funds through a secured payment gateway, and they are answering the call for faster payments and access to funds.

Yet the very benefit of RTP – speed — is what also makes it more insecure, say experts.  

{image 1}

"What makes [RTP transactions] vulnerable, and attractive to hackers, are the same features that make them popular with the public – which is fast, simple, and easy-to-use transactions," says Atif Mushtaq, CEO of SlashNext. "The most popular avenue for cybercriminals is data breaches for credential stealing that enable them to quickly perform account takeovers and drain bank accounts."

"The instant or near-instant nature of RTP means that in many cases, when money is removed from an account, it's going to be very difficult to get it back," says Richard Henderson, head of global threat intelligence at Lastline. "The rapid clearing of payments mean that banks are really going to have to shoulder the risk burden when it comes to protecting customers when the worst happens and a kind, retired lady gets hoodwinked out of tens of thousands of dollars.

What RTP Services Are – and Are Not
Most consumers have heard of mobile payment services like Zelle and Venmo. But there is some confusion about what services actually offer payments in real time.

Many popular payment services require a period of time before the funds are released. Known as wallet-based systems, some services – Venmo is one – are run by financial services technology firms, not banks, and users need to open an account on the payment network in order to use it.  In Venmo's case, payments made within the network – in person-to-person transactions or to purchase services from participating merchants – are unrestricted but cannot officially be moved to out-of-network accounts, such as bank accounts, until the funds have cleared, which could take up to several days. (Venmo now does, however, offer real-time transfer of funds from a user's Venmo wallet to their connected banking account.)

True real-time payment services are operated by banks and financial institutions. The Clearing House's Real Time Payments network – accessible only to FDIC-insured financial institutions – is one example. And the well-known Zelle – a strong competitor to Venmo in the person-to-person mobile pay app market – also provides true real-time payments because it uses The Clearing House's network.

Other existing examples of RTPs are Payments Service (FPS) and Real Time Gross Settlement (RTGS). The US Federal Reserve said earlier this year that Federal Reserve Banks are planning to develop a new real-time payment and settlement service, called the FedNow Service.

The money transferred through a true RTP service moves from member-to-member bank accounts. The sending bank guarantees funds will be available, that all fund transfers will be properly debited or credited, and that asset transfers between account-holding institutions will occur to support the transfers.

How RTPs Platforms Are Skimping on Security
However, in a recent interview with American Banker, Stephen Lange Ranzini, CEO of University Bank in Ann Arbor, Mich., outlined the many ways that established RTP platforms, including The Clearing House's RTP and Zelle, fail to meet basic requirements laid out by both the Federal Reserve's Faster Payments Task Force and the Federal Secure Payments Task Force.

The three criteria overlooked that are most concerning to Lange Ranzini include:

1. All data with Personally Identifiable Information (PII) needs to be encrypted.

2. Systems need a robust enrollment process.

3. Systems need a robust authentication process each time a user tries to initiate transaction.

Current RTP systems do not fully meet any of these criteria, he said. And there are times during the life cyle of the payment when the data involved in the transaction is "in the clear" he notes – meaning it is unencrypted.

Account Takeover a Common Criminal Strategy
Because RTPs reduce the amount of time that might customarily be spent preventing fraud, cybercriminals can take advantage by committing more efficient account takeover (ATO) attacks. With unfettered banking account access, attackers may move the victim's money at will; account-holders who are not checking their account regularly may have no idea the funds are gone.  

In some ways these ATOs are precisely the same as without RTP: Attackers compromise accounts by using the same social engineering and hacking tricks security pros have been dealing with for years.

"There are multiple ways through which these attacks can occur for RTP users – including through email, SMS text message, or even over the phone," SlashNext's Mushtaq says. "The purpose is the same, which is trying to get the users to hand over their information."

Once fraudsters have access to account details, they can push funds to attacker-controlled accounts, and the financial institutions will officially clear the transaction in in real time. And as Lastline's Henderson noted earlier, once money is removed from an account, it will be very difficult to get it back because the victim's legitimate account authorized the payment and the financial institution cleared it. It puts both consumers and attackers at risk.

"Attackers will target accounting staff at businesses and attempt to rob them. This isn't new," says Henderson. "It is going to be essential for companies to start building out very strong procedures for how they send and receive payments. Using a dedicated computer for nothing but payments in accounting that has been hardened by your security staff will be very important.

"Don't pay invoices from suppliers overseas if there is a change in how they have asked you to send funds until you can verify using alternative channels that it is legitimate. Multiple sign-offs over a set amount should be the norm."

Related Content:

About the Author(s)

Joan Goodchild, Contributing Writer

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights