Safecypher Limited’s Post

Payment Tokenization =========================================== Despite the technological evolution of payment cards, the main principles of card-present (CP) transactions have changed little over the decades. The customer presents his card, which directly identifies the account from which the funds to cover the payment will eventually be drawn. To do so, the card carries a Primary Account Number (PAN), which is linked to the customer’s account. Because the possibility to spend other people’s money has always been alluring to fraudsters, payment cards have been under attack from their invention. And due to its central role in identifying the customer’s account, the PAN has always been at the center of attention in these attacks, with thieves trying to obtain PANs and the payment industry trying to protect them. Historically, the emphasis for risk reduction in the card payments industry has been on reducing the likelihood of fraud. EMV and PCI are prime examples of this. EMV reduces the chance of fraud happening with CP transactions by introducing strong card authentication. PCI reduces the chance of fraud by keeping the PAN secret. 3D-Secure-based mechanisms such as ‘Verified by Visa’ and ‘MasterCard SecureCode’ attempt to reduce card not present (CNP) fraud by means of cardholder authentication. This gradual evolution of card technology was disrupted by the advent of the internet and its mass adoption over the last two decades. People started to use the internet to get access to all imaginable virtual and real goods and services. Obviously, a way to pay over the internet was needed. This is where banks and payment schemes decided to re-use the ‘card-not-present’ (CNP) transaction. CNP transactions already existed before the internet, for example in the form of mail order or telephone transactions (MOTO), but now issuers start using this type of transactions also for payments over the internet. This caused the volume of CNP transactions to grow much faster than that of CP transactions. Banks recognize that CNP transactions potentially carry a higher risk, since not all card data are present in the transaction, cardholder verification (PIN or signature) is not possible and card authentication as in an EMV transaction cannot take place. In some cases, knowledge of the PAN and the card expiry date is enough to perform a CNP transaction - we can imagine the level of fraud here. Here comes the need to address these problems – Payment Tokenization Technology (will post more on this). P.S Banks have been allowing MOTO transactions for their selected merchants which are transacting using foreign currency such as Alfarag which is a duty-free operator located in Ethiopian Airlines – that generates huge amount of hard currency for our country and the banks as well. Source: UL White paper

🔔 RBI’s New Directive: Transforming Banking Communication and Fraud Prevention! 🔔 In a bold move to strengthen digital security, the Reserve Bank of India (RBI) has issued new guidelines designed to make banking communications safer and more transparent while reducing fraud risks. Let’s take a closer look: 📝 What’s New? 1️⃣ Designated Number Series: '1600xx' for transactional communications like account updates, transaction alerts, and OTPs. '140xx' for marketing and promotional messages. 2️⃣ Compliance Deadline: Banks must align with these changes by March 31, 2025. 3️⃣ Advanced Monitoring: Banks are directed to use the Mobile Number Revocation List (MNRL) integrated with the Digital Intelligence Platform (DIP), developed by the Department of Telecommunications (DoT) and the Ministry of Communications. This platform ensures real-time monitoring of revoked mobile numbers and prevents fraudulent activity linked to them. 4️⃣ Operational Enhancements: Regulated Entities (REs) must create Standard Operating Procedures (SOPs) for fraud risk monitoring and prevention. SOPs will include: Verified updates to Registered Mobile Numbers (RMNs). Strengthened surveillance of accounts linked to revoked mobile numbers. 5️⃣ Digital Payment Security Measures: RBI has expanded protections, including mandatory account name verification for RTGS and NEFT transfers to minimize errors and fraudulent transactions. 🌟 Key Benefits of the New Framework 📌 For Customers: Fraud Prevention: A layered security approach with stricter checks on mobile number verification and updates. Confidence in Transactions: Account name verification for RTGS/NEFT ensures payments reach the correct recipient. Enhanced Transparency: Clearly identifiable communications reduce confusion and risks of scams. 📌 For Banks and Financial Institutes: Proactive Fraud Monitoring: Real-time tracking of revoked numbers through DIP prevents misuse. Strengthened Protocols: SOPs provide a structured framework to mitigate fraud risks. Increased Compliance: Aligning with RBI and DoT mandates ensures trust and regulatory confidence. 📌 For Fraud Prevention: Enhanced Security: Scamsters and fraudsters will face significant barriers in imitating legitimate banking numbers. Customer Empowerment: A safer ecosystem encourages customers to respond only to verified communication. Integration Across Sectors: DIP integration, Aadhaar-based biometric verification for SIM cards, and enhanced payment safeguards create a holistic fraud prevention ecosystem. Monitoring Efficiency: Robust surveillance on revoked mobile numbers closes key loopholes exploited by fraudsters. This directive from the RBI, combined with advanced technological measures, demonstrates a firm commitment to safeguarding digital banking and payment systems. Together, these steps reinforce the security, transparency, and trustworthiness of India’s financial ecosystem. #RBI #BankingSecurity #FraudPrevention #SafeBanking #RegulatoryAdvice

Credit Cards Don't Require Signatures. So Why Do We Still Sign?: An anonymous reader shares a report: The big financial moments in life used to be marked with a flourish of a pen. Buying a house. A car. Breakfast. Not anymore. Visa, Mastercard, Discover and American Express dropped the requirement to sign for charges like restaurant checks in 2018. They don't look at our scribbles to verify identity or stop fraud. Taps, clicks and electronic signatures took over the heavy lifting for many everyday purchases -- and many contracts, loan applications and even Social Security forms. The John Hancock was written off as a relic useful mainly to inflate the value of sports memorabilia. But signatures didn't die. We continue to be asked to sign with ink on paper or using fingers on touch screens at many restaurants, bars and other businesses. And people keep signing card receipts out of habit -- even when there is no blank space for it -- because it feels weird not to, payment networks and retail groups say. "Traditions have this odd way of sticking around," said Doug Kantor, general counsel of the National Association of Convenience Stores. Signatures had been used to verify identity and agree to financial terms for centuries. Banks kept records of customer signatures to check against, but the sheer number of transactions and advancements in technology eventually made that impractical. By the 1980s, charges could be processed electronically. Signatures were still used in cases of fraud or stolen cards. Banks could call merchants and ask them to present a signed receipt. Yet given how easy signatures are to forge, they proved limited as a fraud prevention tool. Now there are more sophisticated ways to determine whether cards are stolen or misused, according to Mark Nelsen, global head of consumer payments at Visa. Read more of this story at Slashdot.

This article emphasizes the vulnerabilities that exist within mobile and online banking platforms. Fortunately, in Malaysia, Bank Negara Malaysia (BNM) has mandated a series of fraud countermeasures since June 2023 to strengthen banks defenses against fraud. While reading the article, I couldn't help but recognize the positive impact that the FCM have had in reducing fraudulent activities within the Malaysian banking landscape. 1. Enhanced Verification Processes: Previously, verification in Malaysia was done via SMS; however, multi-factor authentication (MFA) for banking transactions is now conducted through secured messages. This change enhances security by using more reliable methods to authenticate a user’s identity, making it more challenging for criminals to commit fraud. If Jack’s bank had been using such a system, he may have been less vulnerable to the bypass that allowed the scammers to access his account. 2. Real-Time Transaction Monitoring: Malaysian banks now utilize advanced fraud detection systems to monitor transactions in real-time. This proactive measure allows for the quick identification and addressing of potential fraud, alerting customers to any suspicious activity before significant losses occur. In Jack’s case, the rapid succession of unauthorized payments should have triggered an alert system that could have protected his funds. 3. Dedicated Customer Support: Banks in Malaysia have established their own 24/7 fraud hotline, providing customers with quick access to dedicated support for reporting suspected fraud and receiving immediate assistance during critical situations. Additionally, the National Scams Response Centre (NSRC) can be reached at 997, further enhancing the support network available to consumers. If Jack had access to such immediate support, he might have been able to freeze his account faster before more funds were stolen. 4. Kill Switch: The Bank Negara Malaysia (BNM) countermeasures now require banking apps to have a button tha allows users to immediately cut off all banking activities if they suspect they have been defrauded, addressing concerns such as the 23 minutes it took Jack to reach the right department to freeze his account. 5. Cooling Off Period: The implementation of a cooling-off period for transactions would mitigate rapid, suspicious transactions as noted by Jack, when 137 payments were made to three new payees in the space of an hour. A cooling-off period would have allowed Jack time to reflect and perform additional checks before the transactions actually take place.

If trust goes both ways, why do banks and payment service providers put almost all the authentication responsibility on the initiator of a transaction? I believe this lack of mutual authentication between the payer and payee, in the transaction process, is a contributing factor as to why fraud and scams continue to be the drain on the financial well-being of society and that "slowing down" and "enforcing mutual authentication and identification" can help reduce the cost to everyone, including the banks. Most of the tools and systems in place today put the onus on the customer initiating the transaction to validate who they are and that the transaction and its destination account is valid. If I want to pay someone or send some money to a business, I am often asked to authenticate or validate my identity in any number of ways - PINs, authentication messages, tokens, biometrics on my mobile device etc. Furthermore, I am told it is my responsibility to ensure the person or business I am transacting with is valid. In a scam or fraud situation the truth is I am not the right person to be asking this question of - I am already making the mistake of initiating a money transfer or payment to the wrong person or business. The process is setting me up as the fall person... If trust was being enforced both ways, payment processes should be able to also enforce the payee to authenticate and validate they are who they say they are, before settling my transaction. For example, when I want to initiate a transfer to a person who I believe to be JS Real Estate, just because the payees account name is John Smith Real Estate doesn't mean this account is the right account or even under the control of the principals of JS Real Estate. In a mutual authentication world there has to be authentication provided by the payee before the transaction is completed. If any party - the payer, the bank or payment service provider - doesn't receive a valid identification from the authorized payee (PIN, biometric recognition, authenticator confirmation etc.) or a mismatch between the payee's identification and the purported payee account, the transaction can be stopped until the authentication issue is resolved. We all like to get things done faster and easier, but when it comes to payments, our race for more speed, such as the New Payments Platform in Australia https://lnkd.in/ghrUqzmZ, could be a Pandora's box that has inadvertently opened the door to frauds and scams, with money often moving at the speed of light outside of a countries financial jurisdiction. To alleviate this issue, slowing things down and enforcing mutual payment authentication, not just relying on the initiating customer to take all the responsibility, without the tools to do so, could help. If you have thoughts on how we can build systemically more secure payment processing to stop frauds and scams, feel free to share.

Consumers must beware of Tap and Go fraud    “You can spend quite a lot of money in one tap, which means that the skimming devices designed to draw the funds at the moment of payment can really hit people hard,” says Frost.  Well, for FNB customers, the protection is mandatory, the company is ending the tap and go functionality as of 2024. However, for anyone else, it’s important to change the way they use their cards, particularly for large amounts in crowded or busy areas. Some banks allow users to disable the tap functionality in their card, this is, says Frost, the best way to ensure financial security. 'Disable Tap-to-Pay as a backup'   “Disable the function and keep your card as a backup, somewhere safe where nobody can find it,” he suggests.  “Only use it when you have to insert it into a machine and use your pin. The best option is to use your mobile phone with a virtual card or one of the digital wallet payment services like Googe Pay or Apple Wallet. Your mobile phone has more security and when you tap it, the phone will only allow the amount to come off once."   "After that, any additional taps will fail which will prevent this type of fraud from happening. There’s also a time-limit on your phone which means that the window of opportunity for someone to come up and tap your phone is significantly smaller. Then bolster this by making the tap amount on your phone small so you can protect yourself from the outset.”   “Then, for the worst-case scenario, use a private folder on your phone to hide your banking apps,” concludes Frost.   “There have been cases where people have been held at gunpoint and forced to do an EFT so don’t have your account visible."   Consumers should consider using their chip and pin function in their cards for expensive purchases, their mobile devices for quick tap and go purchases, and to always remain aware of their surroundings. It’s advisable to avoid making payments in a crowded space and to opt into payment solutions that require some form of authentication. Source: Bizcommunity.com, Provided by SyndiGate Media Inc.

💹 Businesses Are Losing $100 Billion a Year to ‘Friendly Fraud’ 📛 Key Points and Statistics...... "Friendly fraud" occurs when customers dispute legitimate charges they made on their payment methods. This often happens accidentally due to confusion over merchant names on bills. Mobile banking enhancements have made disputing charges easier, prompting experts to recommend contacting the merchant first. Many consumers, whether intentionally or not, are bypassing merchants and disputing legitimate charges directly with their card issuers, leading to significant losses for businesses. This phenomenon, known as "friendly fraud" or "first-party fraud," results in annual losses of $100 billion, according to identity verification platform Socure. A recent Socure survey revealed that 35% of Americans have committed first-party fraud, and 40% know someone who has. This issue has been exacerbated by improvements in mobile banking services, which have made it simpler for consumers to dispute charges. Rodrigo Figueroa, COO of Chargeback Gurus, notes that while chargebacks are meant to address legitimate disputes, the system is now facing widespread abuse. Identifying friendly fraud is challenging because it can encompass both intentional and unintentional disputes. For instance, consumers might mistakenly dispute charges they don't recognize due to unfamiliar merchant names on their bills. Socure's report found that 29% of those who committed first-party fraud did so by accident. Economic hardship (34%) and influence from others who had successfully disputed charges (19%) were other contributing factors. Merchants bear the brunt of these chargebacks, which can lead to financial penalties and affect their ability to process payments. To combat this, Socure has launched a consortium of banks and fintech companies to better identify fraudulent behavior by analyzing atypical data points not found in standard credit reports. Overall, the rise of friendly fraud poses significant challenges for businesses, emphasizing the need for improved systems to distinguish between genuine and fraudulent disputes.

#MADMonday with Martin Woods - Addressing the issue Online banking is convenient and does not come with the expense of buying, renting and maintaining customer facing premises. Consequently, many online firms never meet with their customers. Almost all, but not quite all interaction is online. The one physical, location required interaction is the delivery of a bank card to the customer. There was a time when none face-to-face customer engagement was considered to be high risk. Nowadays none face-to-face is standard business practice. All of which means the one physical, location transaction is critically important. In the online world people including our customers can present themselves in any way they wish, old or young, tall, short, rich, smart, calling themselves by any name of their choice. Compromised and stolen identity data enables criminals to pretend to be someone else. In the UK, criminals use stolen identity data to incorporate companies, but when providing a registration address, they use a physical address they control or have access to. They use the same address as the ‘correspondence’ address for named directors. Behold the person whose identity has been compromised, has no idea they have become the director and likely owner of a new company. Armed with this company, this criminal avatar, the fraudsters and launderers apply for an online bank account, all the while hidden behind the wonders of the and the continued inadequacies of Companies House. When applying for their new bank account, the creation of a new getaway car for their next fraud, they are compelled to provide ‘know your customer’ (KYC) data, including the company’s registered address, the director/owner’s residential address and the company’s principal place of business, trading, operating address if is different to the company’s registered address. The Money Laundering Regulations (ML Regs) require firms to identify and verify a company’s registered address and principal place of business if it is different to the registered address. In the past year the Financial Conduct Authority (FCA) has issued warnings related to companies registered at ‘virtual addresses’ (addresses provided by regulated company formation agents and corporate service providers) as well as several companies being registered at other addresses, including residential addresses. The fact is companies cannot operate from virtual addresses, such as 20-22 Wenlock Road London N1., where in excess of 100,000 companies have been registered. [Note, this is the registered address for thousands of legitimate companies and is simultaneously the address which feature most prominently within FCA fraud warnings.] Here’s another fact, criminals will provide minimal information and those incorporating companies to facilitate crime will not provide a separate operating or trading address. There is a lot of logic to this... To be continued...

MuleSoft in Action: Combating Bank Fraud with Real-Time Analytics MuleSoft to the Rescue: Real-Time Integration for Fraud Prevention MuleSoft provides an integration platform that connects disparate systems and applications within a bank's ecosystem. This allows for the seamless flow of real-time transaction data, enabling immediate analysis and fraud detection. Here's how MuleSoft empowers banks to combat fraud: API-Powered Data Capture: Transactions from various channels (mobile apps, online banking portals, ATMs) are captured in real-time using APIs (Application Programming Interfaces). MuleSoft acts as an API gateway, ensuring secure data transfer. Enriched Data for Better Insights: The captured transaction data is enriched with additional user information retrieved from internal systems through APIs. This might include: Historical Transaction Data: Analyze spending patterns to identify significant deviations. Customer Demographics: Location data (generalized), age group, spending habits. Device Information: Identify transactions from unrecognized devices. Real-Time Analytics with Anypoint Platform: MuleSoft's Anypoint Platform houses a powerful streaming engine that analyzes the enriched transaction data in real-time. The bank uses MuleSoft’s real-time analytics capabilities to monitor transactions. Each transaction is logged and analyzed in real-time. If a transaction appears suspicious (for example, if it involves a large amount of money or originates from an unusual location), it is flagged for further investigation. Pre-Configured Fraud Detection Rules: The flagged transactions are then passed to the fraud detection system. This system uses machine learning algorithms to determine whether each transaction is likely to be fraudulent. If a transaction is deemed likely to be fraudulent, the system sends an alert to the bank’s fraud team for further investigation The Anypoint Platform uses pre-configured rules to evaluate incoming transactions. These rules might consider factors like: Transaction Amount: Does it significantly exceed the user's usual spending habits? Merchant Location: Is the merchant in a geographically unusual location compared to the user's past transactions? Time of Transaction: Does the transaction occur at an atypical time for the user? Code Example XML <?xml version="1.0" encoding="UTF-8"?> <flow name="fraud-detection-flow"> <http-listener config-ref="API_Listener_Config" doc:name="Capture Transaction Data" /> <enrich target="transactionData" doc:name="Enrich with User Data"> Read the full post at https://lnkd.in/gTWEYhss #mulesoft, #salesforce, #mulesoftarchitects, #mulesoftdeveloper, #mulesoftarchitect, #mulesoftdevelopers, #integrations, #mulesoftmeetups, #cloudhub, #anypointplatform, #mulesoftcommunity, #apis, #api #apisecurity #enterprisearchitecture #bestpractices #directions #integration

Our groundbreaking new protections for victims of authorised push payment (APP) scams start today! 🙌 🙌 🙌 Under our new rules, people making payments from one UK account to another using the Faster Payments system (the system used for mobile and online banking) or CHAPS system (the UK’s high value payment system used for some consumer payments such as house purchases) will now benefit from world leading levels of protection against APP fraud. 📢 David Geale, Managing Director of the PSR, said: "Today is a very important day in making it quicker and simpler for victims of APP scams to get back money they’ve lost to criminals, with a guaranteed minimum level of protection in place. “But not only that, our new requirements will see all payment firms involved facing strong incentives to introduce more robust ways of identifying and preventing these scams from happening in the first place. Firms have already made a good start in making changes and we expect to continue seeing new and innovative systems being rolled out to drive fraud out of our payment systems.” 👉 Read our full announcement here: https://lnkd.in/eE8WnQba