Request to Pay – Security

Why has RtP become the sensible alternative to mobile pay by link solutions for digital bill payments?


Updated February 2022

The Request to Pay (RtP) Security Story

This page contains an abridged version of our eBook on Request to Pay security. To obtain the full eBook, please download the PDF version.

1. Risks posed by pay by link
  • The issues
  • The facts
  • The risk issues
2. What the experts say

Feedback from the ‘To Click or Not to Click’ digital payments information security roundtable (Nov ’21)

3. Request to Pay security benefits
  • Bill payments evolution
  • How Request to Pay (RTP) helps

1. Risks posed by pay by link


Phishing attacks are on the rise, encouraged by the growing use of pay by link solutions in messaging and WhatsApp communications

Pay by Link is seen as a relatively painless and convenient way for FinTechs to keep up with the leading pack and avoid becoming a laggard in the gold rush to real-time payments by mobile. Unfortunately, email and SMS are inherently insecure, and phishing has become a prevalent attack vector.

The trend towards use of pay by link in the apps created by financial services companies flies in the face of data security advice penned for a decade; it’s contrary to the ‘don’t click on links you are unsure of’ mantra that Chief Information Security Officers (CISOs) have been repeating for years. So, why is it still used by banks and payment service providers?

Some facts

  • Three in ten consumers have experienced some form of cybercrime – such as malware or virus infection, email or social media account hacking, or credit card fraud – in the past 12 months.
  • More than 50,000 fake login pages were identified in the first 6 months of 2020 (IRONSCALES report).
  • In July 2020, HSBC UK customers were targeted by a malicious SMS phishing scam designed to trick its victims into believing the link they received was to a legitimate HSBC page.
  • A Royal Mail phishing scam made national news, and 2,867 crime reports mentioning DPD were received by Action Fraud between June 2020 and January 2021.

“Nothing in life is certain but death and taxes, and what is tax if not yet another bill payment?”

Peter Cornforth, Answer Pay


A fundamental security flaw

The rise in popularity of ‘pay by link’ solutions has been amplified by continuing global growth in consumer digital demand. The last 18 months have seen an acceleration of already developing trends towards increasing convenience for consumers through digital—particularly mobile—means.

However, there is a fundamental security flaw with pay by link. Recipients are asked to click on a link that could be a fake, taking them to an undisclosed web page operating in the no-man’s-land outside the security protections of the legitimate service.

It is in this common backdoor area that attackers stage phishing pages designed to persuade legitimate users that the interaction is authentic.

The issues

Fake login landing

  • Messages containing fake logins can now regularly bypass technical controls, such as secure email gateways (SEGs) and spam filters, without much time, money or resources invested by the adversary.

Inattentional blindness

  • This psychological phenomenon occurs when an individual fails to perceive an unexpected change in plain sight.

2. What the experts say

Phil Cracknell

“Digital teams are pressured to deliver on commercial priorities.  Either, having consulted infosec decision-makers, project sponsors believe pay by link to be a justifiable commercial risk, or they’re just running late tagging their infosec team into the conversation.”

Phil Cracknell
Former Cabinet Office Cyber Security Lead, Cyber Breach Advisor & CISO

“Fraud is a global problem that requires global collaboration to address. We need to do more to stop the scammers at source. This means greater collaboration across the entire communications ecosystem. Telecoms firms, governments and regulators need to work together, with better coordination between countries, and an open, proactive approach to sharing resources and information on the latest vulnerabilities.”

Katia Gonzalez
Head of Fraud and Security at BICS, Chair i3Forum Fraud Fight Group

David Toozs-Hobson

“We live in a tap-to-go society, everybody is looking to move cash faster, quicker… and this is effectively a follow through on the ‘tap and go’ mentality that society is adopting.”

“Pay by link providers are saying—Don’t worry, your customer will see your logo on your website and see it’s you.”

David Toozs-Hobson
Director at Cyberfort Group

“People are going to be looking to play on your humanity, they’re going to be looking to use urgency… people are going to start to play on those emotions, play on that desire to maintain that connectivity and that access.”

Ben de la Salle
CEO/Founder, ICA Consultancy Ltd, previously CISO for Old Mutual Wealth

“Because of the pandemic there is a greater need for remote payments, and so you are seeing more providers enter the market space because there’s greater demand.”

Peter Cornforth
Commercial Director, Answer Pay

“Social engineering is always the spearhead, the knife that opens the wound for the target organisation, and of all the social engineering techniques, email and email phishing have always been the most popular…”

“I think we need to make more noise. If the regulators aren’t doing what we wish them to do, I don’t see the information security community or the cyber security community on its own having enough influence to change them… it is, in the end, a consumer protection issue.”

Peter Wood
Partner and Lead Consultant at Naturally Cyber LLP

“The focus of debate here is not that any given solution is insecure, but that use of unsecured links to make payments from email and SMS messages risks utter confusion for customers and promotes a behaviour that should be discouraged.”

“For years, security professionals have battled with technology evolution to protect their environment, only to be circumvented by the human element whose natural instinct is to click a link. After all, that’s what Tim Berners-Lee intended links to be used for!”

“There are alternatives.  Request to Pay allows the payer to communicate with the biller and in that context it’s the benefit of enabling a conversational dialogue, and therefore brings the convenience factors… but crucially adds far greater security as those interactions take place inside the app provided by your bank.”

Finbarr Joy
Financial Services, CTO and Non Executive Director, Answer Pay

Request to Pay adopters

OneBanks is deploying Request to Pay across its bank branch network to bring simpler payments to underbanked communities.

The Money Carer Foundation is connecting the financially vulnerable to digital bill payments with RtP, implemented by Answer Pay.

3. Request to Pay security benefits

The fact is, the demand drivers for mobile payments have outstripped efforts made by financial services providers to bring about credible and robust messaging standards offering the security posture customers expect.

Innovation in digital payments

Fortunately, the payments industry has not stood still through this period. Request to Pay is a new messaging interoperability standard that protects consumer bill payment transactions far better than email or SMS, while bringing even greater levels of convenience.

Answer Pay estimates in the UK that, with 55% of utility bills paid by Direct Debit, and the remainder paid by cards, cash and cheques, the Request to Pay market could equate to 1,354 million transactions a year.


How RTP keeps mobile bill payments safe

Because the new RtP standard can be embedded within the apps already being used for day-to-day interactions, it is even more convenient than ‘out of bounds’ interactions through SMS and email.

The standard mandates mature, proven web-ready authentication protocols—such as OAuth—so ‘spoof’ interactions are not possible and credential fraud is avoided.
