Trust in the Future of Finance: Key insights from M2020 Asia.

Steve Pannifer, Senior Vice President of Digital Identity at Fime, summarizes the key insights and discussions from Money 20/20 Asia in Bangkok, Thailand – a prominent event that brings together the Asia-Pacific payments ecosystem to delve into the latest opportunities within the industry.

One of the main themes at Money 20/20 Asia this year was “Trust in the Future of Finance”. It is an important topic. Many of the pain points in the digital economy are related to trust, not least the rampant fraud occurring within an ever-increasing number of digital spaces such as social media. People get scammed because they trust people who they shouldn’t. The internet is over 30 years old and yet it still has no trust layer. This is essentially the problem that digital identity is trying to solve.

Alongside colleagues from Fime and Consult Hyperion, I was delighted to be able to contribute to a number of trust related sessions at the event:

  • Building Digital Trust with Modern Identity Security and Orchestration
  • Navigating Compliance and Security in Digital Identity
  • Selling to Robots: The Digital Identity Imperative in Agentic Commerce
  • Brainstorm: Building Trust with AI in Digital Identity
  • It Takes a Village – Making Digital Identity Work
  • Your Face Becomes Your Wallet of Everything: Personalization vs Security

Here are some of my key takeaways:

More friction does not necessarily mean more security

I’ve sometimes heard it said that people are lazy when it comes to online security, and it is this that results in them not taking the steps necessary to protect themselves online. I’m sure there is some truth in that, but I also believe a big part of the problem is to do with the ways systems are designed. If we put a lot of friction into the customer experience, that will also encourage poor behavior. For example, asking a customer for a memorable word is a terrible idea. They will inevitably choose something so obvious that the smallest amount of social engineering will reveal it.

Building a good customer experience is an essential part of creating a trusted service – a point that Linden Dawson, Senior Product Manager of Customer Digital Identity at National Australia Bank (NAB), made during the session “Building Digital Trust with Modern Identity Security and Orchestration”. It’s not that we need to design services with no friction. Some friction can be reassuring to customers and is an important element of building trust.

Regulation needs to address the root cause

In the same session, Natalie Reed, Director at Deloitte, described Australia as the “scam capital of the world”. I think the UK could give Australia a run for its money. Her point was that it is out of control. This report, published by the United Nations’ Office on Drugs and Crime in April 2025, highlights the level of industrialization of the scam business, which employs “multi-lingual workforces comprised of hundreds of thousands of trafficked victims and complicit individuals”. From centers in Southeast Asia and beyond, transnational organized crime is able to target victims across the world.

In some countries (like the UK) regulators are trying to address the scam issue by making the banks pick up the tab but this does little to address the root cause. It does not stop the activity of scammers. Neither does it encourage people to make sure they can trust the person to whom they are sending money. One glimmer of hope, as Natalie explained, is the new scams prevention framework in Australia which places some responsibility on the social media platforms, where many scams originate. We will have to wait to see how far the regulator can go in holding social media platforms to account.

Trust is needed across the whole lifecycle

Too often the trust conversation has been focused on onboarding, ignoring the need for trust through the whole customer lifecycle – a point well made by Ian Sorbello, Principal Solutions Architect at Transmit Security, in the session on “Navigating Compliance and Security in Digital Identity”. Those initial checks are important but unless they are linked to strong authentication and fraud checks, weaknesses will be exploited and trust will be lost.

Anoosh Arevshatian, Chief Product Officer at Zodia Custody, took this a step further, explaining the connection between digital identity and digital assets. Ultimately digital identity boils down to the private keys under the control of the user (but likely managed by a custodian). The binding of the corresponding public keys to digital assets establishes ownership. Protecting those keys through the customer lifecycle is essential for customers to be able to trust that their assets are safe.

Trust is about to get a lot more complicated

In their session “Selling to Robots: The Digital Identity Imperative in Agentic Commerce”, Dave Birch, Global Ambassador at Consult Hyperion (Consulting by Fime), and Victoria Richardson, Partner at ID Partners, highlighted how agentic AI will dramatically change the relationship between organizations and their customers. For example, AI agents will help customers find the best deals, switching as needed – meaning that businesses will no longer be able to rely on customer inertia.

Customers will of course need to trust AI agents to use them. But as Dave and Victoria explained, organizations will need to trust agents too. A key question will be whether organizations will even know that they are dealing with agents rather than actual customers.

Several emerging AI agents use screen scraping to access services through the same interface as human customers, making it difficult to distinguish between the customer and their AI agent. Frameworks such as the Model Context Protocol (MCP), which is seeking to standardize how AI agents access data sources, may help. By giving agents a different endpoint from the one used by human customers, organizations will have a better chance of working out what or who they are interacting with.

The technology and standards to deliver trusted digital identities exist. These can address the issues of fraud, friction, inclusion and privacy we see all around us today. The task of building a trusted internet may be complex, requiring the commitment of many stakeholders but it is not unachievable. Examples around the world have shown that with the right incentives, real progress can be made – the key point from my session.

Stay ahead of key market trends

Attending conferences such as Money 20/20 Asia allows us to keep our finger on the pulse of the key challenges and opportunities faced by each player in the market. It isn’t just the main conference programme that offers these insights; it’s getting the chance to speak directly with the banks, merchants, and service providers that operate within each region and finding out what matters most to them. Trust remains the cornerstone of a secure digital future. Events like Money 20/20 Asia show us that while the challenges are complex, the solutions are within reach – if we work together.

Learn more about Fime’s expertise across the digital identity ecosystem.

Biometric authentication vs AI threats: Is mobile security ready?

Quality biometric solutions provide outstanding security with a seamless UX. This makes them appealing for use cases ranging from state-of-the-art access control for critical government infrastructure to something as routine as unlocking your phone. However, this diversity of use cases brings its own challenges. The varying needs of different applications, coupled with the speed with which the technology has developed, have created a fragmented ecosystem with little standardisation.

Many emerging use cases rely on the biometric capabilities of consumers’ own commercially available off-the-shelf (COTS) devices. The Android platform has recognized this and has laid the groundwork to enfranchise device manufacturers and biometric solution vendors to create the next generation of state-of-the-art authentication products. And it does so just in time. Artificial Intelligence has transformed the biometric security battleground, and it is vital that stakeholders understand both the threats they face and the steps that must be taken to meet them head on.

The changing threat landscape.

Biometric authentication is based around using an individual’s unique identifiers, such as their iris, fingerprint, or face, to provide an additional data point to verify identity. When launched, it was praised for the infallibility and security it provided: biometric data was, quite literally, always ‘on hand’ for users, yet it couldn’t be lost or stolen.

Except now it can. Easily.

Artificial Intelligence, or AI, has unlocked a host of efficiencies in our life, specifically in data management and customer experience. However, these same AI tools are also readily available to fraudsters who can use them to execute devastating attacks. For example, photos can be taken from a user’s social media and in a matter of moments be transformed into a deepfake video to be used in an injection attack that aims to spoof facial recognition technologies and gain access to private data.

Meanwhile, AI is also being used to work through extensive data caches to locate and exploit any vulnerability in a security system. This has caused a rapid expansion in both the scale and sophistication of cyberattacks.

Stakeholders throughout the authentication ecosystem are working to adopt more robust practices. Biometrics has a key role to play in this, but only if it can be secured and trusted. The uniqueness of each individual’s biometrics, its greatest strength as an authenticator, can also be its most fundamental risk. If the data is compromised, a user cannot simply rewrite their fingerprints in the same way they change their password. It is therefore crucial that the data is protected and secure. Similarly, if a biometric solution can be easily spoofed, fraudsters can gain access to the user’s device, accounts and personal information.

An updated approach.

To meet the challenges posed by this evolving threat landscape, Android defined three classes of biometric strength for devices operating under its remit. Its Compatibility Definition Document (CDD), the requirements that each Android device must comply with should it wish to participate in the Android ecosystem, outlines the requirements for biometric security as Class 3 (formerly known as Strong), Class 2 (formerly Weak), and Class 1 (formerly Convenience).

Devices require independent third-party testing to evaluate their Spoof Acceptance Rate (SAR), along with verification of False Acceptance Rate (FAR) and False Rejection Rate (FRR), as part of their Biometrics Compliance Report (BCR).

Android’s biometric requirements and the ISO/IEC 30107 standard also define Presentation Attack Detection (PAD) testing to evaluate the liveness detection capability of biometric solutions. This is a crucial step towards detecting and resisting spoofing attacks such as deepfakes and protecting end users.

Independent testing and compliance will raise the baseline for the minimum performance and security of biometric solutions. It requires all biometric solution providers and Android device OEMs to carefully develop their offer to ensure it meets the minimum thresholds, backed by impartial evidence. This means that authentication should work right first time for the verified user, while also preventing spoofing and hacks. Not only will this help mitigate the rising threat of spoofing and fraud, it also elevates the user experience, thereby increasing trust in the biometrics ecosystem and proliferating its growth into additional use cases.

Adding value with testing and 3rd party validation.

The process of 3rd party evaluation against industry standards acts as a layer of trust between all players operating in the ecosystem. It should not be thought of as a tick-box exercise, but rather a continuous process to ensure compliance with the latest standards and regulatory requirements. In doing so, device manufacturers and biometric solution providers can collectively raise the bar for biometric security.

Robust testing and compliance protocols ensure that all devices and components meet standardized requirements. This is made possible by trusted and recognized labs, like Fime, which can provide OEMs and solution providers with the tools and expertise to continually optimize their products.

But testing doesn’t just safeguard the ecosystem; it elevates it. For example, newer techniques test for bias across demographic groups or environmental conditions. These techniques allow testers to discover any differential performance by using or simulating different demographic groups or environmental conditions. Bias detection can prevent security issues in real-life deployments. It also allows solution providers to optimize the quality and inclusivity of their solutions to meet the needs of more markets and differentiate from the competition.
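To make the BCR metrics named above (SAR, FAR, FRR) and the differential-performance check concrete, here is an added illustration that is not Fime’s test suite or anything from the Android CDD: it computes each rate from constructed comparison scores at a decision threshold and reports per-group FRR. The pass/fail limits are hypothetical placeholders, not CDD thresholds, and the scores are invented for the example.

```python
"""Compliance-style biometric metrics on constructed data: FAR, FRR, SAR and
per-demographic-group FRR, evaluated at a decision threshold."""
from typing import Dict, List

# Constructed comparison scores in [0, 1]; higher means "more like the enrolled
# template". Illustrative values only, not results from any real device.
GENUINE_BY_GROUP: Dict[str, List[float]] = {
    # enrolled user presenting again (mated comparisons), split by demographic group
    "group_a": [0.92, 0.88, 0.95, 0.81, 0.90, 0.87, 0.93, 0.78, 0.91, 0.89],
    "group_b": [0.85, 0.72, 0.90, 0.68, 0.83, 0.79, 0.88, 0.65, 0.86, 0.74],
}
# a different person presenting their own face, no spoofing (non-mated comparisons)
IMPOSTOR_SCORES: List[float] = [
    0.12, 0.31, 0.22, 0.45, 0.18, 0.27, 0.39, 0.51, 0.09, 0.33,
    0.24, 0.41, 0.15, 0.29, 0.36, 0.82, 0.20, 0.11, 0.47, 0.30,
]
# presentation attacks (printed photo, replayed video, ...) as used in PAD testing
SPOOF_SCORES: List[float] = [0.61, 0.84, 0.55, 0.77, 0.88, 0.49, 0.70, 0.66, 0.81, 0.58]

# Hypothetical limits for the example only; the real CDD class thresholds differ.
HYPOTHETICAL_LIMITS: Dict[str, float] = {"far": 0.001, "frr": 0.10, "sar": 0.07}


def accept_rate(scores: List[float], threshold: float) -> float:
    """Fraction of comparisons the matcher would accept at this threshold."""
    if not scores:
        raise ValueError("no scores to evaluate")
    return sum(1 for s in scores if s >= threshold) / len(scores)


def reject_rate(scores: List[float], threshold: float) -> float:
    """Fraction of comparisons rejected; counted directly to avoid 1 - x rounding."""
    if not scores:
        raise ValueError("no scores to evaluate")
    return sum(1 for s in scores if s < threshold) / len(scores)


def far(impostor_scores: List[float], threshold: float) -> float:
    """False Acceptance Rate: impostors (no spoofing) wrongly accepted."""
    return accept_rate(impostor_scores, threshold)


def frr(genuine_scores: List[float], threshold: float) -> float:
    """False Rejection Rate: the legitimate user wrongly rejected."""
    return reject_rate(genuine_scores, threshold)


def sar(spoof_scores: List[float], threshold: float) -> float:
    """Spoof Acceptance Rate: presentation attacks that get through."""
    return accept_rate(spoof_scores, threshold)


def all_genuine(genuine_by_group: Dict[str, List[float]]) -> List[float]:
    return [s for scores in genuine_by_group.values() for s in scores]


def frr_by_group(genuine_by_group: Dict[str, List[float]], threshold: float) -> Dict[str, float]:
    """Differential-performance check: FRR per demographic group."""
    return {group: frr(scores, threshold) for group, scores in genuine_by_group.items()}


def frr_spread(genuine_by_group: Dict[str, List[float]], threshold: float) -> float:
    """Gap between the best- and worst-served group; a large gap signals bias."""
    rates = frr_by_group(genuine_by_group, threshold).values()
    return max(rates) - min(rates)


def evaluate(threshold: float, limits: Dict[str, float]) -> Dict[str, object]:
    """Compute all rates at one threshold and check them against the limits."""
    metrics: Dict[str, object] = {
        "far": far(IMPOSTOR_SCORES, threshold),
        "frr": frr(all_genuine(GENUINE_BY_GROUP), threshold),
        "sar": sar(SPOOF_SCORES, threshold),
        "frr_by_group": frr_by_group(GENUINE_BY_GROUP, threshold),
        "frr_spread": frr_spread(GENUINE_BY_GROUP, threshold),
    }
    metrics["within_limits"] = all(metrics[k] <= limits[k] for k in ("far", "frr", "sar"))
    return metrics


if __name__ == "__main__":
    # Raising the threshold drives FAR and SAR down but pushes FRR (friction) up.
    for t in (0.80, 0.90):
        print(t, evaluate(t, HYPOTHETICAL_LIMITS))
```

Running it shows the security/convenience trade-off the post is about: at 0.80 the constructed impostor and spoof sets leak through, while at 0.90 they are all rejected but 70% of genuine attempts fail, and group_b is rejected far more often than group_a at either setting.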

Building for the future.

We have reached a critical moment for the future of biometric authentication. The success of the technology is predicated on the continued growth in its adoption, but with AI giving fraudsters the tools they need to transform the threat landscape at a faster pace than ever before, it is essential that biometric solution providers stay one step ahead to retain and grow user trust. Stakeholders must therefore focus on one key question:

Can the user trust that they are not sacrificing security for convenience when using biometric authentication?

Product managers must make sure that the performance of their biometric offer balances these two seemingly contradictory demands, but if successful, there are a whole host of emerging use cases that could unlock new revenue streams for them. These include biometrics-backed in-store checkout, enhanced access control, augmented automotive experiences, and more.

Another significant trend on the horizon is the increasing use of biometrics in identity verification for eID and eKYC use cases. Digital identity is offering a faster, more secure way to verify identity in the online world. Biometrics can provide a simple, seamless way to augment the enrollment and verification process for this, but much like in the payments ecosystem, its success depends on the implementation of state-of-the-art solutions throughout the user journey.

Compliance and quality validation are no longer optional. They are essential to protecting end users, preserving brand integrity, enabling innovation, and safeguarding the future of biometric technology.

Breaking the Fraud Cycle: Why Payment APIs Need a Rethink.

Imagine you walk into a store, hand over your card and wait for your goods and then … nothing. Everyone ignores you. You shout a bit and wave your arms but eventually go home in a very bad mood and phone your bank, who basically shrug their shoulders and suggest you be more careful about who you give your money to next time. End of story.

Wouldn’t happen … right?

Well, in a way it’s exactly what is happening with authorised push payment (APP) fraud, where accountholders are being manipulated into sending their money to the accounts of fraudsters. Let’s face it, we all have to go through a bunch of onerous identity checks whenever we sign up for an account, so when we send money to a fraudster and we want it back, the receiving bank should know who they are. And, of course, they do, but that’s about as far as it goes.

In card payments the scenario above doesn’t happen because of a combination of regulation and card scheme governance. If a cardholder isn’t satisfied with the service they’ve received they can complain to their bank who complains, via the card scheme, to the merchant’s acquirer. If the dispute is found in the cardholder’s favor then the merchant has to repay. If they don’t then the acquirer can withhold funds to make the refund and if that doesn’t work the acquirer themselves is on the hook for the refund.

In a similar situation in account-to-account payments the “merchant” is a fraudster because the receiving bank hasn’t managed its risk correctly, and the receiving bank isn’t generally liable to refund the money – or have any means of reclaiming it from the fraudster. The UK has now introduced some very heavyweight regulation to make it the sending and receiving banks’ joint responsibility to refund the money but has completely ignored the underlying issue, which is the lack of a scheme equivalent to (say) Visa or Mastercard, with a dispute and refund process.

Of course, the traditional response to this is that the people paying the fraudsters are idiots and need to be educated to stop them doing this. Unfortunately there’s a long trail of research that says that financial education doesn’t work and that people will continue to send fraudsters their money and then look around for someone else to blame. Human nature.

We don’t allow this in card payments, we shouldn’t allow it in account-to-account payments. The solution is straightforward – anyone can pay out of their account but only people or businesses who’ve been through an enhanced KYC process can receive payments in. The receiving bank is on the hook for fraudsters, so they will be incentivised – heavily – to make sure that people are genuine. This should all come with a proper dispute resolution service and the ability of receiving banks to control the risk of incoming payments in the same way that card acquirers do – they should charge accounts for receiving payments, have the ability to withhold payments if they’re uncertain about their authenticity and be able to demand deposits if they’re worried about the risk.

The obvious way to implement this is through Open Banking. It enables enhanced KYC processes anyway, via Account Information. People should still be allowed to go into their bank accounts and pay anyone they want, whenever they want – for free. But they shouldn’t be protected if they do that. If they go through Open Banking interfaces they should be – which is why we need a scheme, with proper governance and a proper dispute resolution process.

Sure, this would be annoying and painful to start with. I want to send money to my kids whenever I want to or pay my share of the meal with my friends. But none of that’s impossible, you just need businesses smart enough to design the services to make that work. I can pay the service, the service can pay my kids or my friends. Of course, that’s not free but, you know what, payments aren’t free except in the world of regulators and politicians. Or, alternatively, I can just send the money to #scamyourgranny and let them get on with it.

Slower Payments?

I’ve just received a cheery email from my credit card provider entitled, “We’re improving your fraud protection.” I assume it is from them: it arrived amongst a barrage of emails telling me not to believe what I read in emails. When online scamming was in its infancy, you could spot the difference but, as fraudsters’ skills, use of AI and sophistication have developed, nobody really can any more.

It is important to remember that this is an equal opportunities form of fraud. You don’t have to be online. You don’t even need a mobile phone. If you have a UK bank account and a phone number, the scammers will delight in using their social engineering skills to extract your life’s savings.

In the communication I’ve received, beyond all the good news about the generosity of the bank, there is a brief mention of the Payment Systems Regulator (PSR) [1]. Apparently, they require all Authorised Push Payment (APP) transactions to be subject to a refund within 5 working days if they are found to be fraudulent. This applies to payments over both Faster Payments and CHAPS. There are exceptions to this, for example where the customer is grossly negligent and not considered vulnerable [2].

There is also a ceiling set on the amount. This was initially announced as £415k but, due to strong resistance from the banks, is now set at £85k. The PSR state that this will cover 99% of APP claims. It happens to be the same amount as individuals can claim for lost savings under the Financial Services Compensation Scheme [3], should their bank become insolvent.

In the early days, Faster Payments was a rather unpredictable experience but, as it has scaled, many of the creases have been ironed out. Confirmation of Payee has helped to ensure that the payment reaches the intended beneficiary. It can take a couple of attempts to get it right: a dog walker, for example, may appear as Wendy’s Walkies, under the name of the owner Wendy Walker, and as either a business account or a personal account. Still, if you have the correct sort code and account number, things tend to fall into place.

My bank has sent me a similar email, telling me to be wary around One Time Passwords (OTPs) and referring me to the Take Five To Stop Fraud [4] website. Again, it looks plausible and the advice is not unreasonable. It is, however, disappointing that there seems to be very little discussion of mutual authentication these days.

One aspect of the new regime is that all Payment Service Providers (PSPs) must be registered with Pay.UK. Both receiving PSPs and sending PSPs can be liable for any APP fraud. This is a significant departure from the existing regime, where the burden tends to fall on the sending PSP.

Losses due to APP scams are estimated at nearly £500m [5] annually. UK Finance [6] has identified factors which contribute to APP fraud, one of which is perceived urgency in dealing with a situation. While Faster Payments provides real convenience, the transactions are not reversible and so it has become a honey pot for thieves. Once money is transferred to a fraudulent account, it can be sent on to multiple accounts, sometimes with the assistance of money mules, either in the UK or overseas.

Frequently, by the time the fraud is investigated, the money is long gone. In response to this, PSPs are permitted to introduce a delay into the processing of payments. In principle, where a payment appears suspicious, they can put in place a pause of up to four days [7]. Clearly, this has serious implications for transactions such as conveyancing, where a housing chain requires everyone to complete on the same day. Even in simple situations, like paying a credit card bill, delays can result in the cardholder having to pay additional charges and interest.

While it is positive to see the challenges of APP fraud being addressed, it will be interesting to see how these significant changes to the payments landscape play out over the coming months. Activities such as intelligence sharing, risk-scoring and real-time screening [8] will remain central to tackling fraud.

It is interesting to note that in other countries where approaches to Open Banking are being explored, the focus tends to be on data sharing rather than payment initiation. For example, in the US, the Consumer Financial Protection Bureau [9] (CFPB) is working to open up data sharing, to promote innovation in financial services.

References

[1] https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-its-decision-on-app-scams-reimbursement/
[2] https://www.psr.org.uk/media/tbbdhkcx/sr1-consumer-standard-of-caution-exception-dec-2023.pdf
[3] https://www.fscs.org.uk/what-we-cover/banks-building-societies-credit-unions/
[4] https://www.takefive-stopfraud.org.uk/
[5] https://www.psr.org.uk/our-work/app-scams/#:~:text=Every%20year%20thousands%20of%20individuals,to%20APP%20scams%20in%202023.
[6] https://www.ukfinance.org.uk/news-and-insight/blog/how-understanding-human-behaviour-key-effective-prevention-app-fraud
[7] https://www.bbc.co.uk/news/articles/cn7yel28rx6o
[8] https://www.synectics-solutions.com/our-thinking/why-your-app-scam-strategy-must-not-be-swayed-by-the-reimbursement-limit-update
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-process-to-recognize-open-banking-standards/

Safer Internet Day 2022 – It’s all about you!


For Safer Internet Day, I thought I’d bring a Mediterranean theme. As a classicist, I frequently switch between ancient and modern, applying time-tested principles to emerging technologies. Plato had it right on data protection: the price of not participating in public life is to be ruled by less able men.

Defending secure applications against Jedi mind tricks


Here at Consult Hyperion, we are often involved in design implementation and testing of secure systems on devices such as smart cards and mobile phones for payments, banking and other applications where security is critical.

Point of Sale cyberattacks – is certification enough?


The biggest news in payments security in the last month concerns allegations that point of sale terminals supplied by PAX Technology have been subverted to have the capability of launching cyberattacks. Details of the allegations can be found at Krebs and Bloomberg; in response, PAX Technology has published a rebuttal.

Big Tech, Financial Data … and resilience for critical infrastructure


Victoria Saporta, BoE executive director for prudential supervision, has said recently that minimum resilience requirements should be required for the tech giants’ (and others’) hosting services, before they may process and store banking data. We strongly support these comments. We have identified this issue as one of a number of new risks arising from modern financial systems architecture, in recent Structured Risk Analyses that we have carried out for financial and retail organisations in North America, Asia-Pac and EMEA.

Uses of digital ID for preventing financial crime


In the new digital economy, digital identity is a key component to ensuring security, privacy, and convenience for people and businesses.

Will Brexit make stealing bank cards attractive again?


A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’

The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions, has meant a significant trend in consumers becoming comfortable with tapping their cards and perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand scribbled ‘cash only’ signs, to ‘please use cards (devices etc) wherever possible’. Some stores have completely rejected cash altogether.
