2018.12.10

FPS & eDDA Security Issue: Why Faster Isn’t Always Better

Last month, the Hong Kong Monetary Authority (HKMA) officially launched their "fast speed" service called Faster Payment System. FPS is a real-time gross settlement payment system that connects 21 banks as well as 10 electronic payment and digital wallet operators. Via FPS, users can make payments, top up e-wallets, and perform instant money transfers by using the recipient's email address, phone number, or QR code with the user's numeric identifier.

Basically, it is a much faster payment and money transfer solution which renders going to traditional banks and dealing with the formalities obsolete, thus adding instant value to the e-wallet and internet banking concept.

However, as it turns out, the system has some major security flaws.

In the wake of recent data theft incidents that took place in Hong Kong, this faster payment mechanism has proven to be a potent breaching tool used by fraudsters. The unfortunate events reportedly occurred when people provided their ID card photos and bank account numbers during the process of an online job application. They were immediately transferred to account deposits and the losses ranged from HK$10,000 to nearly HK$100,000 in some instances.

 

How faster payment system frauds happened

There’s no doubt that Hong Kong’s smart payment and card top-up idea is the future of eBanking, but it did get a huge slap down when the HKMA put e-wallet operators on halt and suspended some auto transfers that were supposed to happen via their newly-launched Faster Payment System. The transfers that were blocked involved the topping-up of Octopus, the Hong Kong units of Alipay, WeChat Pay, and HKT’s Tap & Go mobile wallet, while the restrictions didn’t influence other interbank fund transfers that go through the FPS.

The ban from HKMA comes only 3 weeks after the new system was introduced. The users of the abovementioned e-wallets, however, will still be able to top up using credit cards or via individual fund transfers.

According to the officials, the incidents are currently being investigated by the authorities. “The HKMA has requested all e-wallets operators to suspend the electronic Direct Debit Authorization (eDDA) for automatic top-up via the Faster Payment System until they can find a way to review the procedure,” said the spokeswoman for the HKMA.

For those who don’t know what eDDA is, these services allow applicants to apply for or change authorization for ACH or eACH and electronically deduct funds online via ATM cards or their own citizen digital certificates. All you need is internet access and a Bluetooth card reader.

Over the past couple of weeks, there have been several incidents involving personal data theft and the complainants believe their information (including Hong Kong ID numbers) has been jeopardized when they were applying for jobs online by submitting personal data. The stolen data was then illegally used to open new accounts in different e-wallets, therefore making top-up transfers from different banks possible.

These incidents represent a potentially major setback in the HKMA’s mission to promote and encourage smart banking that would, in the near future, remodel the entire Hong Kong community and turn it into a financial hub that is ultimately cash-free.

 

Faster payment methods trigger new security issues

There are many barriers to faster payment mechanisms, the biggest one being security.

With new types of payment methods, the entire banking ecosystem needs to completely rethink and remodel how payments, especially the ones made online, are authenticated and verified. In order to safely move to faster online payments, banking institutions must find a way to optimize identity management and keep security breaches at bay.

We live in a fast-moving digital landscape that requires instant payments, but faster isn’t always better (read: safer). Shorter transaction periods usually mean less time to make sure security levels are on point, which translates into easier fraud and data theft opportunities.

This is why these, perhaps, premature implementations of the faster payment system have resulted in major fraud spikes, not just in Hong Kong, but across the globe.

Unlike traditional payment methods where transaction periods took multiple days to complete, real-time transactions leave much more room for theft. Therefore, since in this type of banking environment the payments are irrevocable, once your money disappears, it is basically gone forever. This reduced processing time means we have to come up with a more potent and faster fraud detection technology that will be able to properly underpin the faster payment system.

 

UniCard users are safe

Fortunately, there are proven solutions on the market which minimize the risk of any unauthorized transfers and security breaches, UniCard being among them.

Namely, as our Generic Debit Mastercard solution is not linked to any bank account, a potential fraudster cannot gain access to any of your official financial records. Furthermore, users don’t have to worry about unauthorized fund transfers from their bank accounts, because every time they decide to top up via FPS, they will need to input the payment PIN. Every transaction is instantly recorded and can be tracked in a mobile app, so as soon as you notice any unusual activity you can react immediately.

This way, all UniCard users can use our services unencumbered by the fear of their money and personal data being stolen.

Find out more about our Generic Debit Mastercard Solution and how you can protect your financial assets! 



