CU & Tech Observers Respond to Zelle Vulnerability Report

Industry observers and experts responded to reports of vulnerabilities in the Zelle Network, which enables participating institutions to send money to anyone with a U.S. credit union or bank account.

“The same features that make Zelle so useful for customers, its speed and ubiquity, have made it irresistible to thieves. Hackers and con artists have used the system to steal from victims,” Stacy Cowley of New York Times wrote. The article stated, “The scale of the problem is hard to pinpoint, because Zelle is fairly new and banks do not report much data about it.”

Apps such as Venmo (owned by PayPal), Popmoney, Square Cash and Apple Pay made digital cash transfers fast and easy. Some financial institutions united to create Zelle, as a competing offering, operated by Early Warning Services, a Scottsdale, Ariz. consortium jointly owned by seven large banks. An estimated $75 billion went through Zelle last year.

Early Warning told the Times there have been very few incidents and the problem is under control

Several industry experts also offered feedback.

“CO-OP Financial Services is partnering with Early Warning to enable participating credit unions to implement Zelle,” Michelle Lemieux, senior product manager for Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. “Zelle is bringing faster person-to-person payments to millions of U.S. consumers through the convenience of mobile banking apps. Safe banking is a top priority, and Zelle offers consumers multiple layers of protection, and clear processes, to investigate and remediate unauthorized transactions.”

Fran Duggan, CEO of a new smart digital payments solution provider, Payrailz, stated, “The volume of use of Zelle highlights the need for a robust bank/credit union solution. As with any new service that has an overwhelming response, you are going to have some hiccups, but the good news is that Zelle is aware of the issues and working to resolve them quickly.”

Credit unions should take precautions as with any bleeding or leading-edge technology. Steve Gilde, Holly Springs, N.C. based Paragon Application System’s director of global product marketing, explained, “When introducing a new payment platform like Zelle, credit unions should make sure that they fully understand all of the potential risks and proactively communicate these to their members upfront.” Gilde, added it is also important to define and share best practices, and for credit unions to develop and implement a comprehensive testing strategy when introducing new payment platforms to flag potential vulnerabilities.

“The battle for security is an arms race where each side counters the other continually,” Michael Carter, EVP for the Memphis, Tenn.-based independent contract advisory firm Strategic Resource Management, said. “Anyone in our industry that decides to use the Zelle instance to disparage that organization is begging the gods to make them the next example.”

Carter pointed out, “Consumers primarily adopt new features, functions and offerings that provide them additional convenience. However, most do not realize that convenience and security are often antithetical. The more security, the more friction, the more friction the less convenience.”

Robb Gaynor, chief product officer of Austin-based digital banking provider Malauzai said. “When you transfer money in real time, it’s a real concern. We’ve never really done real time transfers in the consumer world, but we feel we can mitigate it.” Gaynor suggested there are some unique challenges but there are three primary risk mitigations available, behavioral and out-of-band usage analyses; and demanding consumer turn on alerts and notification.

Not everyone, especially consumers, understands Zelle, which Gaynor also pointed is not a payment rail but a message set and a directory, utlizing existing vehicles to carry out payment instructions.

“A key reason money-transfer app fraud is on the rise is a lack of proactive security on the part of banks to catch fraud before it occurs,” Kedar Samant, co-founder/CTO, Palo Alto, Calif.-based fraud prevention firm Simility said. “By failing to adopt and implement emerging technologies such as user behavior monitoring, artificial intelligence, machine learning, and device intelligence, banks are giving fraudsters a head start to carry out their crimes. This not only potentially leaves banks on the hook for reimbursing customers, but really damages the relationship with the customer.”

Tomorrow we look at whether CUs complicated decision to Zelle or not to Zelle.