Association of Foreign Exchange and Payment Companies

The addition of contact information, authorising new users, or similar. For example, we have recently seen an increase in fraud where criminals contact banks or payment firms by phone and request that new users or email addresses be added to existing accounts. These email addresses are then used to reset passwords or to add the fraudster as a trusted user. The references made by the EBA are predominantly concerned with security around payments, not with general account security, which remains weak.
The issue with the use of “data”, particularly static data, is that it can all too easily be compromised. Once compromised (for example a date of birth or a PIN), it sometimes cannot be changed. The phrase “potentially data controlled only by the payment services users” is impossible to achieve, as users will often inadvertently share data, or be coaxed into providing it through social engineering and fraud. A physical one-time pass which produces a single-use data element is safest, and prevents the user from passing it on to a third party, particularly when these codes are time-restricted.
Behaviour-based characteristics are usable on a range of devices, but have severe flaws. The inputs and behaviours of a user can easily be mapped, either through keystroke loggers or recording software on PCs, and then scripted and replicated. It should however be noted that for low-value, repeat payments to an existing beneficiary, such a low-grade security feature may be suitable. However, with the prevalence of mobile payments, the bulk of the metrics (such as keyboard use and mouse movements) are lost, so whilst this may be a useful feature for online banking, its relevance is limited on certain platforms.
No comment.
Overseas transactions, taking place from outside the UK, would be the primary issue. The reliance on SMS networks means that card transactions made when individuals travel to more remote places, or to locations where cell coverage and power are poor, or when they are unwilling to reveal their cell phone, may reduce the use of payment cards overseas. Other issues may arise in providing services to users with disabilities, such as those unable to easily copy and remember codes within the required time frames.
Yubikey devices (which can be independent of the phone). These use NFC to validate against a phone and confirm that the user holds the physical object. They generate a one-time pass which can be time-stamped: for example, the code generated would be valid only for the period of the transaction, and would not be valid later for additional transactions. Specific keys would be required by individual users, to ensure that keys could not be used by other individuals.
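The property described above, a single-use code that is only valid for the transaction it was issued for and only during a short window, can be illustrated with an HMAC-based code bound to the amount and beneficiary. The following is an added example, not code from the original response or from Yubico; the key, the slot length of 60 seconds, the one-slot clock drift allowance and the sample transaction values are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

SLOT_SECONDS = 60  # assumed validity window; one slot of clock drift is tolerated


def derive_code(key: bytes, amount_pence: int, beneficiary: str, t_slot: int) -> str:
    """Derive an 8-digit code bound to amount, beneficiary and time slot.

    Changing any of the three inputs yields a different code, so a code
    captured for one payment is useless for a different one.
    """
    msg = f"{amount_pence}|{beneficiary}|{t_slot}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP: pick 4 bytes at an offset
    # given by the low nibble of the last byte, mask the sign bit.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class TransactionCodeVerifier:
    """Accepts each code at most once, and only within its time window."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now          # injectable clock so the check is testable
        self.used = set()       # (slot, code) pairs already consumed

    def verify(self, code: str, amount_pence: int, beneficiary: str) -> bool:
        slot = int(self.now() // SLOT_SECONDS)
        for s in (slot, slot - 1):  # current slot plus one slot of drift
            expected = derive_code(self.key, amount_pence, beneficiary, s)
            if hmac.compare_digest(expected, code):
                if (s, expected) in self.used:
                    return False    # replay of a code already spent
                self.used.add((s, expected))
                return True
        return False                # wrong code, wrong transaction, or expired


def demo() -> dict:
    """Constructed scenario: fresh use, replay, tampered amount, expiry."""
    clock = [1_700_000_000.0]                      # constructed fixed time
    verifier = TransactionCodeVerifier(b"demo-key", now=lambda: clock[0])
    slot = int(clock[0] // SLOT_SECONDS)
    code = derive_code(verifier.key, 25_000, "GB00DEMO", slot)  # constructed values
    results = {
        "fresh": verifier.verify(code, 25_000, "GB00DEMO"),
        "replay": verifier.verify(code, 25_000, "GB00DEMO"),
        "tampered_amount": verifier.verify(code, 99_000, "GB00DEMO"),
    }
    clock[0] += 3 * SLOT_SECONDS                   # move past the drift allowance
    results["expired"] = verifier.verify(code, 25_000, "GB00DEMO")
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the amount and beneficiary into the code is what stops a captured code from authorising a different payment; the used-set is what stops the same payment being replayed within the window.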
Low-risk transactions based on a transaction risk analysis (taking into account detailed criteria to be defined in the RTS): this needs definition. Firms should already be considering payment risk as part of their fraud monitoring systems; if these systems were any good we wouldn’t have a fraud risk to prevent!

We believe these are useful, but note that “low value” transactions under PSD 2 are €30. We would like to see a clarified sterling amount, and would also question whether this should be higher. Contactless, unverified transactions are available up to £30; I feel this level should at least be maintained.
A shift in burden for fraud losses, such as those maintained by Amazon in which Amazon accept all fraud losses, means that users are not inconvenienced when their card is stolen. Firms should be able and willing to accept liabilities and losses should they wish to have reduced validations, where they believe that this will substantially inconvenience the customer.
Geography of the customer at the time of the transaction, if, for example, this is well outside a standard geo-fence or the range of the customer's normal operating area. Frequency and velocity of transactions, and whether a small transaction has just taken place on the account prior to the full trade (small-scale test transactions).

Beneficiary information. The proposed metrics are heavily based upon the buyer, and not the seller or the processor of the transaction. Transaction risk could consider the details of the seller, such as its fraud rates, which would highlight whether this is a higher-risk beneficiary likely to present a greater fraud risk. This would require that merchant activity be reviewed and fed back, but certain merchants, such as those identified in the UK Money Laundering Threat Assessment (e.g. sellers of prepaid cards), may present a greater risk.
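The risk criteria listed in the two answers above (geo-fence, velocity, a small test transaction preceding a large one, and beneficiary fraud rate) can be combined into a simple transaction risk analysis that decides whether a payment qualifies for a low-value exemption. This is an added example, not code from the response or from any firm's fraud system; the 300 km fence, the 15-minute window, the thresholds, the merchant fraud-rate table and the sample transactions are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class Txn:
    ts: datetime
    amount_gbp: float
    lat: float
    lon: float
    merchant: str


# Constructed beneficiary fraud rates; a real system would feed these back
# from observed merchant chargebacks and fraud reports.
MERCHANT_FRAUD_RATE = {"grocer": 0.001, "prepaid-cards": 0.08}
HIGH_RISK_MERCHANT_RATE = 0.05


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine) in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(h))


def risk_flags(history: list, txn: Txn, home: tuple,
               fence_km: float = 300.0,
               window: timedelta = timedelta(minutes=15)) -> list:
    """Return the list of risk indicators raised for `txn` given prior history."""
    flags = []
    # Geography: outside the customer's normal operating area.
    if km_between(home[0], home[1], txn.lat, txn.lon) > fence_km:
        flags.append("geo_fence")
    recent = [t for t in history if timedelta(0) <= txn.ts - t.ts <= window]
    # Velocity: too many transactions in a short window.
    if len(recent) >= 3:
        flags.append("velocity")
    # Small-scale test transaction immediately followed by a large one.
    if any(t.amount_gbp <= 2.0 for t in recent) and txn.amount_gbp >= 100.0:
        flags.append("test_then_large")
    # Beneficiary risk: seller with a high observed fraud rate.
    if MERCHANT_FRAUD_RATE.get(txn.merchant, 0.01) >= HIGH_RISK_MERCHANT_RATE:
        flags.append("high_risk_beneficiary")
    return flags


def may_exempt(flags: list, amount_gbp: float, low_value_gbp: float = 30.0) -> bool:
    """Low-value exemption only when under the limit and no indicator fired."""
    return amount_gbp <= low_value_gbp and not flags


def demo() -> dict:
    """Constructed customer based in London with a few illustrative payments."""
    home = (51.50, -0.12)                            # constructed home location
    t0 = datetime(2016, 10, 1, 12, 0)
    normal = Txn(t0, 12.0, 51.51, -0.10, "grocer")
    abroad = Txn(t0, 12.0, 40.42, -3.70, "grocer")   # Madrid, far outside the fence
    probe = Txn(t0 - timedelta(minutes=5), 1.0, 51.51, -0.10, "grocer")
    big = Txn(t0, 250.0, 51.51, -0.10, "grocer")
    burst = [Txn(t0 - timedelta(minutes=i), 5.0, 51.51, -0.10, "grocer") for i in (1, 2, 3)]
    prepaid = Txn(t0, 20.0, 51.51, -0.10, "prepaid-cards")
    return {
        "normal": risk_flags([], normal, home),
        "normal_exempt": may_exempt(risk_flags([], normal, home), normal.amount_gbp),
        "abroad": risk_flags([], abroad, home),
        "test_then_large": risk_flags([probe], big, home),
        "velocity": risk_flags(burst, normal, home),
        "prepaid": risk_flags([], prepaid, home),
        "prepaid_exempt": may_exempt(risk_flags([], prepaid, home), prepaid.amount_gbp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the beneficiary check is that a payment can look entirely normal from the buyer's side (home location, modest amount, no burst) and still be refused an exemption purely because of who is being paid.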
No comment
No comment
No comment.
Firms should be required to offer a bug bounty or similar, to encourage hackers to probe their systems. Hackers and other groups will do this naturally, and when they find a gap they exploit it for profit. Offering a reward to such groups means that they can profit from their activities without compromising security. They are going to do it anyway; you might as well get them to work for you rather than against you.
With the user, whether through social engineering, loss of devices, or similar.
No comment.
No comment.
No comment.
No comment.
No comment.
No comment.
Yes
[Other]
We are an association of authorised payment institutions and electronic money institutions
[Other]
We are an association of authorised payment institutions and electronic money institutions
richard.creed@afep.co.uk
Richard Creed
028 90 650 481
Yes