As New Payments Platform debuts, cybercriminals already considering its benefits

Consumer-to-consumer payments could become conduit for faster fraud

Financial institutions have spruiked this week’s launch of the New Payments Platform (NPP) as a game-changer in the movement of money – but as authorities wrestle with another major cryptocurrency theft, the security implications of monetary fluidity are becoming increasingly clear.

Cryptocurrency thefts have become surprisingly frequent, with a November heist of $US31m ($A39m) in cryptocurrency Tether dwarfed by the January theft of $US500m ($A624m) worth of NEM coins – outshining the 2014 implosion of Bitcoin exchange Mt Gox, after it lost $US474m ($A591m) in Bitcoin.

With cybercriminals increasingly injecting cryptocurrency mining tools into their exploits, efforts to chip away at cryptocurrency security have put exchange providers into defensive mode and fuelled a cottage industry in cryptocurrency security firms like High-Tech Bridge.

The challenges of cryptocurrency linger in the background as businesses and consumers alike wake to the possibilities – and risks – posed by a bank-backed NPP system that offers instantaneous transfer of money using nothing more than a mobile phone number or email address as an identifier.

NPP was designed as a response to the Reserve Bank of Australia’s Strategic Review of Innovation in the Payments System, to – in the company’s own words – “support an economy that never sleeps, never tires and never slows”.

Developed by global payments clearinghouse SWIFT, the extensible platform is intended to support streamlining of invoicing and other financial processes, with participating institutions able to integrate its capabilities into their own business processes and consumer-facing services.

The first of these is financial provider BPAY’s Osko real-time payment service, which is available to customers through participating banks and proclaimed its having carried over $1m in transactions by lunchtime on its first day. But even as they drive the development of new services, real-time payment services raise new risks that are likely to emerge as cybercriminals come to grips with their possibilities.

“While the NPP signifies a monumental change for our payments system, it does not come without potential ramifications,” warned Proofpoint APJ vice president Tim Bentley in a statement. “As the funds clearing period shifts from one to two days to instant under the new system, the window of opportunity to halt fraudulent transactions is effectively closing.”

That had significant potential repercussions for “devastatingly effective” business email compromise (BEC) attacks, through which attackers trick employees into transmitting funds and then empty the account before the transactions can be reversed.

Given that Australia has already shown a predilection for electronic payments – Capgemini’s recent World Payments Report flagged the country as the world’s fourth-largest adopter of non-cash transactions (behind the US, South Korea, and Denmark).

“Card issuing banks and major retailers are all looking closely at how best to compete in the domestic low value, high volume payments game, as transaction values continue to reduce and transaction volumes increase and digital wallets become our preferred method of payment,” said Capgemini Australia Banking and Capital Markets Industry Practice director Phil Gomm in a statement.

Defences such as DMARC can help companies authenticate the identity of potential transfer recipients, but lagging adoption is leaving Australian companies exposed. And while firms like EFTSure offer other means for verifying identity, companies rushing too quickly into real-time payments without suitable protections – which also include a higher degree of automation – may well leave themselves exposed.

“Essentially,” Bentley said, “Australian businesses will become more globally appealing targets for fraudsters, who will see the impending NPP changes as a vulnerability ready to be exploited for what is already the most lucrative form of cybercrime today.”