Help me out here ... how can 'pay by link' even be a thing?

Issue 207 | 19 November 2021

In this edition of Payments:Unpacked Extra! we ask the question: how can 'pay by link' even be a thing?



Pay by link is growing in use within the financial services industry, as banks and other financial services companies adopt the mechanism in their apps to service growing demands for mobile payments. 

But does that make sense when it encourages payers to click on links?


Never click on payment links….

Just last month, Ofcom reported on its own research into mobile security and found that, over the last three months, scam calls and texts have increased massively, with nearly 45 million people plagued by scams over the summer months.

According to this new research, around 82% – more than eight in 10 – said they had received a “suspicious message” either in a text, recorded message, or phone call to a landline or mobile.

In a follow-up article, Katia Gonzalez, head of fraud prevention and security at BICS, said: “It is clear from this data that a fundamental rethink in approach is required.”


Time for a closer look

Mike Chambers, Chairman of Answer Pay, thinks it’s time the industry took a closer look at the risks of pay by link to consumers before the cat really does get out of the bag:

With the best of intentions, banks and other financial services companies are enhancing their mobile apps to serve a growing demand for bill payments on the move.

Pay by link is an obvious technical construct to explore to achieve that, but no matter how secure any given solution might be, the use of Pay by Link creates confusion for consumers who’ve been advised for more than a decade not to click on links.

This industry direction places demands on the maturity and digital know-how of consumers to distinguish fake solutions from legitimate vendor tools and links.


Protect yourself

In the customer communication reproduced below, Santander tells its customers never to enter their Open Banking or bank card details after clicking on a link in an email or text message.


Protect your customers

Google the term ‘pay by link’ and you will find a succession of promotions by providers suggesting this approach is useful, convenient and secure.

Tech leaders in banks and financial services businesses know there is an audience of buyers today that want to do everything on their mobile phone. For these mobile warriors, the smartphone in their pocket has become their primary computing device.

As a consequence, demand for mobile payments is on the rise. Consumers want to move money quickly and easily, but they also have clear ideas about security. They do not want to expose their devices to link attacks, which are fast becoming the most perilous attack surface consumers have to deal with.

Phil Cracknell, former Cabinet Office Cyber Security Lead and notable CISO advisor, believes that the industry should be thinking hard about any decision to adopt pay by link, regardless of the safeguards framed around it:

CTOs are under great pressure to bring bill payments to mobile platforms, but this ‘goldrush agenda’ by individual companies risks creating an industry behaviour that places consumers in an impossible situation.

Owing to the rampant growth in phishing attacks, security practitioners like me have been working tirelessly to discourage users from clicking on links that might not be safe. Now it seems we’re saying: ‘You know how I’ve been advising you for years not to trust links, well some of them are now okay.’ I think it’s confusing and, my suspicion is, others would agree.


All of which is interesting…

Because, for more than a decade, the vocal agenda of information security professionals has been to discourage pay by link behaviours. 

The risk banks and other financial services companies face is that adopting pay by link (irrespective of how safe any given app might be) encourages user behaviours that fly in the face of known data security guidance, and that ultimately give rise to fraud.


So, help me out here ... how can 'pay by link' even be a thing?

If this article has caused you to think, why not drop me a message and share your thoughts on how pay by link can even be a thing?

Also, if you are keen to explore this topic further why not join the ‘To click or not to click?’ webinar next week - you will find more information below.


To click or not to click... What do the information security experts have to say?

So, what does the information security industry have to say about this change in attitudes?

Chaired by Phil Cracknell, former Cabinet Office Cyber Security Lead and serial CISO in the UK information security industry, join a virtual event to hear what the roundtable of information security experts have to say.

Webinar: 1.00 pm GMT - 23rd November 2021 - An Expert Panel Discussion Sponsored by Answer Pay



Help grow Payments:Unpacked’s audience

If you enjoy reading Payments:Unpacked, please spread the word to your friends and colleagues - sharing the newsletter makes such a difference to growing the newsletter's audience.


Thanks!

Mike