Japan FSA surveys E-Payment Fraud

Norbert Gehrke
Published in Tokyo FinTech
Dec 28, 2020

Following the highly publicized cases of e-payment fraud through NTT Docomo’s “Koza” service and a similar, overlapping exploit at Japan Post Bank, both disclosed in September this year, the Japan Financial Services Agency (FSA) has surveyed all banks under its purview, with 190 “voluntary” responses received.

Background

To recap, through NTT Docomo’s Koza service a total of JPY 25.42m (USD 240k) was stolen from customers’ bank accounts in 120 cases. The exploit became possible when NTT Docomo expanded the service in September last year to include users of other mobile carriers, after it was initially available only to its own subscribers. Accounts for the e-payment service could be opened by providing just an email address and name, with no verification that the name provided was legitimate. Thus cybercriminals were able to use stolen account numbers and access codes to retrieve the funds, with the largest single withdrawal believed to be JPY 600,000. NTT Docomo had 35 partner banks for Koza.

A few days later, Japan Post Bank disclosed 380 cases of fraudulent withdrawals amounting to JPY 60m through seven partner companies’ electronic payment services, including NTT Docomo’s Koza and SoftBank affiliate PayPay. The Japan Post Bank cases apparently go back all the way to July 2017.

Japan FSA Survey

In the survey, the results of which were just published in Japanese, the FSA solicited information on illicit payments on deposits occurring over the past five years, from January 2016 to September 30, 2020, as well as on the partner companies and authentication methods.

Out of 190 financial institutions, 117 (62%) have entered into a total of 699 contractual relationships with payment services providers, of which 62% again are with fund transfer companies (see graph to the left). In the context of the failed Open Banking regulation in Japan (see for example: “Moneytree CPO calls out lack of Open Banking progress”), this actually provides a relevant data point, although we will not explore it any further in this article. 69% of the 699 contracts stipulate multi-factor authentication.

At the time of the transaction, for 12% of the contracts, financial institutions do not perform a confirmation, and for 48% this is done through a third-party business that does not need to follow the “Law Enforcement Regulations Concerning Prevention of Transfer of Proceeds from Crimes”; only in 38% of the contracts do the business operators themselves actually perform the confirmation (see graph to the left). In the fraudulent cases where the authentication method is known, 89% of the accounts were protected with single-factor authentication only.

In terms of fraudulent transactions, 38% of financial institutions report being impacted, affecting 15% of contracts. A total of 948 accounts have been affected (this number includes only those where the cause of the leakage of personal information, i.e. bank account number and access code, is unknown), with damages of JPY 187.58m.

Money transfer companies were involved with 68% of the accounts and 86% of the monetary damage. 68% of fraudulent activity was reported by customers, 19% by money transfer companies, and 10% by the financial institutions themselves.

The highest amount of damage was incurred between April and June 2019, and the highest number of accounts impacted was from July to September 2020, as the following graph shows.
