Preventive Measure for Mistaken Internet Payments Using Numerical Hash

peterpeterpumpkin on 06/07/2016 - 02:00

I've been thinking about the electronic transfer system in Australia and have decided it's unnecessarily prone to mistakes. A payee can give the payer wrong BSB and/or account identifier details and the payer can likewise make entry errors.

ASICs' current recommendation for banks warning of mistaken internet payments in its ePayments Code (http://download.asic.gov.au/media/3798542/epayments-code-pub…) is written thus:

25 On-screen warning
25.1 A subscriber must clearly warn users about the importance of
entering the correct identifier and the risks of mistaken internet
payments, including that:
(a) the funds may be credited to the account of an unintended
recipient if the BSB number and/or identifier do not belong to
the named recipient, and
(b) it may not be possible to recover funds from an unintended
recipient.

My understanding is that the account name field is not taken into consideration by banks during internet transfers since updating current systems to implement this is considered expensive (perhaps this will change with the real-time payment system being introduced and expected to be implemented late next year, but I've read nothing to suggest that - http://www.apca.com.au/about-payments/future-of-payments/rea…).

I'm considering proposing to ASIC that an extremely simple, optional validation system be implemented that could prevent simple user error mistakes from occurring.

For example, take this sample account:

BSB: 923111
Account: 012345678 (0 added to front to force 9 digits)

Concatenate the BSB to the account number: 923111012345678

Perform a crc32b hash of 923111012345678: ada77604 (used http://www.md5calc.com/)

Convert hexadecimal (base-16) hash ada77604 to decimal (base-10): 2913433092 (used http://www.binaryhexconverter.com/hex-to-decimal-converter)

Take last 4 digits of decimal hash 2913433092 as a validation code: 3092

When a payee provides account details they can also specify this validation code to be optionally entered into their banking software for peace of mind, with a much lower statistical probability of user error. This is not at all intended to provide an extra layer of security but to save people from needless time-wasting exercises (an improperly entered account may currently take days to resolve - even when BSBs are incorrectly entered and mismatch the account identifiers).

This can easily be implemented instantly in all mobile banking apps and web portals using basic client-side or server-side code and the validation can be performed instantly. The generated validation code is extremely easily to generate. The risk is that a payee could use a third-party app to calculate the validation code of an improperly entered account number/BSB combination, but this is against their own interests.

Using a secondary code is nothing new and could provide an extra level of certainty where human error is especially likely but account details cannot be publicly verified in real-time (like with paypal.me). Something as simple as registering an Opal card uses a (probably) non-predictable validation code to provide an extra level of security. This proposed system isn't intended for security (who doesn't want to receive accidental money…) but for user confidence.

What are the obvious flaws?

Financial

Comments

  • mskeggs on 06/07/2016 - 09:46
    +2

    This is a nifty idea, especially as it can be implemented as an option without getting multi-party agreement.

    I had a long conversation at a party with a bloke that was heading up the project for the new payment system you linked to for one of the big four banks.
    He advised there wasn't any practical way to make changes to the existing system, as getting all the banks to agree was like herding cats, and they all had a preference for spending any resources on the new system.
    Also that they wanted to harmonise systems so end users find them easier. He quoted some figure I thought was shockingly high about people who have never made a transfer, and another about people who make them only in-person at the bank as opposed to online. We didn't talk about mutli factor auth, but I am sure he would have articulated a preference for fewer steps/checks so as not to make it too hard for nervous users.
    He advised the new system was going to have some pretty neat features. My conclusion was it would become similar to paypal in terms of ease of use, but with the benefits of bank transfer (low fees, limited repudiation).
    He said he thought it would make it in time for next year (this was in Feb 16), but with software projects, who can really say this far out.

    • peterpeterpumpkin on 06/07/2016 - 10:32

      I'm greatly looking forward to the new real-time system. A part of me feels the banks would collaborate to keep some flaws in the system to avoid shooting themselves in the foot in relation to profitable legacy services.

      Right now ING tells me they apply interest to savings accounts at midnight, so technically in a real-time system you could move funds in for a minute to accrue interest and quickly withdraw them again. With the current batch system it's not possible to schedule the minute a transfer occurs so it will be interesting to see how banks react to the changes.

      I've heard about the new system's proposed compatibility with mobile phone numbers and e-mail addresses and this will be very interesting to see. Most people in Australia aren't aware of Paypal already providing free P2P transfers with a user-profile interface and I imagine banks will move quickly to compete with Paypal (with additional options for privacy). But on the flipside, I imagine they'll come up with sneaky ways to further monetise business-to-consumer and business-to-business transfers (to compete with Paypal and emerging competitors). Hopefully P2P stays free since in a quasi-cashless society it should be a basic right.

      • retiredfeline on 06/07/2016 - 11:09

        Right now ING tells me they apply interest to savings accounts at midnight, so technically in a real-time system you could move funds in for a minute to accrue interest and quickly withdraw them again. With the current batch system it's not possible to schedule the minute a transfer occurs so it will be interesting to see how banks react to the changes.

        Do you think that would work? Maybe they'll apply interest for the minimum amount during the last 24 hours?

        • peterpeterpumpkin on 06/07/2016 - 11:14

          Probably not :) Knowing how ING currently deals with people who exploit the system regarding EFTPOS withdrawals for the 50c bonus (suspensions and warnings, apparently) I'll imagine they'll quickly move to fix it.

        • retiredfeline on 06/07/2016 - 11:17

          @peterpeterpumpkin: Or maybe a system analyst who thinks like you and me has already thought of and catered for it. :)

  • boomramada on 06/07/2016 - 10:36

    layman's terms, you saying adding a check digit to BSB+A/N?
    I think most banks already doing that by BSB + A/N + account name. That is more than enough :)
    Plus its not that hard to reverse a transaction.

    • mskeggs on 06/07/2016 - 10:49
      +1

      They don't look at the account name unless a human gets involved because there is a problem.

    • peterpeterpumpkin on 06/07/2016 - 10:55

      Exactly. You'd think they would use the account name (why ask for it otherwise?) but it's explicitly stated they don't (Financial Ombudsman Fact Sheet - https://www.fos.org.au/custom/files/docs/fact-sheet-mistaken…). The account name can only help prove you've made an honest mistake (https://www.moneysmart.gov.au/managing-your-money/banking/un…).

      The whole point was to avoid an honest mistake in the first place. Reversals are rarely instant (you have to identify the money was never received - maybe 24-48 hours before you realise and the receiving bank has to investigate and return it - which is quicker in the first 10 days).

      • boomramada on 06/07/2016 - 11:05

        Well you could always use the IBAN number, you need to use this when you transfer money between overseas accounts, I had to use it once. Which has a check digit. Bank can start using IBAN number but expenses outlay the benefit. Same as IP4 vs IP6 argument. What you suggest is already there just too expensive to implement.

        • peterpeterpumpkin on 06/07/2016 - 11:10
          +1

          We actually don't use IBAN in Australia. Banks in Australia fake it by concatenating BSB and Account numbers (plus country code) and the sender would have to add the bank's SWIFT code. But yeah they've probably got something they could implement.

        • boomramada on 06/07/2016 - 11:14

          @peterpeterpumpkin:
          I know, we should start using that, we don't need our own method/system, we should start using IBAN since most European and south american countries all ready using it.

          User point of view, problem with IBAN is that it is not human friendly, bloody long.

        • peterpeterpumpkin on 06/07/2016 - 11:25
          +1

          @boomramada: I get more nervous reading IBANs than trying to read long concatenated words in German. With the Commbank example for Malta it seems almost impossible not to make a mistake MT84MALT011000012345MTLCAST001S(https://www.commbank.com.au/support/faqs/84.html) :)

        • boomramada on 06/07/2016 - 11:33

          @peterpeterpumpkin:
          yep, I don't want newer system, when rest of the world having another system.
          I haven't made any mistakes transferring money yet.
          Your idea is good, but IBAN incorporate with country code etc which make a bigger number.
          Well one day we will all have few tattoos with bar codes to make our life easier or micro chipped ;)

  • fruit on 06/07/2016 - 10:53
    +1

    Account Name… oh god can you imagine the problems with middle names, nicknames, company names etc.

    https://en.wikipedia.org/wiki/Luhn_algorithm

    • peterpeterpumpkin on 06/07/2016 - 11:05

      While the strategy of the Luhn checksum is a bit different - since it doesn't usually concatenate two distinct identities - it could also be used as a checksum. The proposal I had was that, unlike credit card numbers, don't append the checksum so as to allow backwards-compatibility with the current system. As mskeggs's acquaintance pointed out, banks are very difficult to agree on something.

  • bluesky on 06/07/2016 - 22:01

    I like the idea - since it is optional; standalone, does not impact the banking core code (less integration/testing, less cost being passed to us customers :-)).

    But not sure how beneficial it ultimately will be, or whether many will use it. It is another 4 digits to associate with the correct account number.

    So a payee will have to supply the payer this checksum too. (No point the payer generating these 4 digits, or garbage-in, garbage-out). Which is another piece of info to supply.

    As for wrong entry by payers - I would imagine most people enter this info once (carefully) into the Payee Address book, and just call up the Payee, by search. So the opportunity for errors aren't that many.

    Clearly, there might be dimensions I haven't thought of yet. So as long as it is optional, it is still a good thing.

  • [Deactivated] on 07/07/2016 - 08:16

    Good concept for standard accounts.

    Already implemented for BPAY payments, that's why I pay by BPAY if I have the choice.
    https://www.bpay.com.au/BPay/media/BPAYMediaGallery/PDFs/BPA…

Login or Join to leave a comment
Login Join