Zelle…quick, easy, and…problematic?

Measuring risk

With the increasing adoption of PayPal, Venmo, and other instant payment services…it’s no surprise that the financial services industry entered the arena. The concept is simple – P2P payments via phone or email. At least one entity – sender or recipient – needs to have a bank account with a bank that supports Zelle. The other entity can simply link a supported debit card to enable the exchange.

Does the risk of fraud in Zelle outweigh the reward?

Zelle’s website says – “Move money in minutes. It’s a breeze!” It is a breeze…and it’s also a breeze for attackers. The concept is, as we said, simple – send money from your bank account quickly and easily. All you need is the recipient’s phone number, or email.
Bank of America’s Zelle page states – “It’s a fast and safe way to send and receive money with friends and family, right from our app direct to their bank accounts — in just minutes.” Chase’s QuickPay with Zelle phrases it a bit differently – “It’s simple to send and receive money from virtually anyone you know, Chase customer or not.” PNC’s information page inserts just a bit of a warning into the process – “With Zelle® and PNC, sending money is easy. With just an email address or mobile phone number, you can quickly send money to people you trust, regardless of where they bank in the U.S.”
“People you trust” – this is key to the service. And delving down into the FAQs of various banks, it appears that there is very little in the way of protection for consumers using the service.

Fraud protection in Zelle?

Bank of America’s FAQ states: “Neither Bank of America nor Zelle offers a protection program for any authorized payments made with Zelle.” Chase’s page states: “Make sure you send money to people you know and trust in order to avoid scams and protect your account. We don’t protect or cover purchases if you use QuickPay to pay for goods or services.” And PNC includes this note in the legal disclosures and information section – “Zelle should only be used to send or receive money with people you trust. Before using Zelle to send money, you should confirm the recipient’s email address or U.S. mobile phone number. Neither PNC nor Zelle offer a protection program for authorized payments made with Zelle.”
Giving this a bit of thought, the conundrum grows. MagnifyMoney writes – “Unauthorized activity” covers only certain kinds of fraud, however, such as account hacking — similar to a criminal stealing your credit card and using it to initiate fraudulent purchases. On the other hand, transactions initiated by consumers that later turn out to be fraud — when there really aren’t “Hamilton” tickets for sale — are not covered. Credit card issuers often call this “purchase protection” or “dispute resolution.” And Zelle doesn’t offer that.
Discussing the issue of fraud, American Banker writes – A dominant form of fraud remains account takeover, according to Turner, which could happen through phishing or some other malware tactic. Zelle banks use stronger authentication, device binding and malware detection tools to try to keep this type of fraud at bay. Some use one-time passwords to improve authentication. Early Warning tries to match the user’s address against what the card networks and the banks have for that person.

Phishing attacks can view Zelle as a fraud opportunity

From a security perspective, this appears to be a bright new horizon for attackers. On a daily basis, almost all of my email accounts (real and spam traps) contain messages purporting to be from a financial institution. They often caution against suspect transactions, and ask me to log in to verify my account details. These fraudulent portals could easily capture the type of info necessary to set up a fake Zelle account, and drain the victim’s account in short order.
TechCrunch points out – “Scammers know people aren’t aware of this, because Zelle is brand-new. They also know that people will choose to trust Zelle because it’s backed by their bank, and because it’s a feature within their bank’s own app.” The Chicago Tribune writes – “Ultimately, treat your P2P payments as you would cash. If you wouldn’t feel comfortable giving a stranger cash before receiving a product or service, don’t send that person money by Venmo, either. Once the money is gone, it’s gone.”

Risk vs. Reward

So, knowing the risk vs. reward, what would you do with Zelle? Is it a quick and easy way to settle up a lunch tab with a friend, or send money to a family member out of the area? Or is the potential cost of fraud too high to bear? Another thought…if you do not set up a Zelle account when it’s available to you – even if you never use it – does that allow an attacker increased ability to create an account in your stead?
If you are one of our friends and clients in the financial services world, what’s your take? I’d love to hear it – reach out. I’m on Twitter @TheTokenFemale, or lwallace@microsolved.com
If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.
This entry was posted in Emerging Threats, General InfoSec, Policy and Process, Risk Management by Lisa Wallace.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing, application assessments, digital forensics, threat intelligence, incident response, and eDiscovery efforts. She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.