
Zelle, the Banks’ Answer to Venmo, Proves Vulnerable to Fraud - rdhyee
https://www.nytimes.com/2018/04/22/business/zelle-banks-fraud.html
======
patio11
If you ever send money to A and it actually goes to B, and for some reason the
bank doesn't fix that the first time you get in touch with them, I recommend
getting off the phone and escalating to an on-dead-tree letter:

Dear BigBank Legal Department:

This is written notice under Regulation E that BigBank has processed the
following electronic transaction in error:

(Brief recitation of transaction details.)

You are required to investigate this matter within 10 business days of your
receipt of this letter and provide me written confirmation of the results of
your investigation. My desired resolution is a deposit of $XXX into my
checking account with last four digits 1234.

Regards,

$YOU

You really want BigBank to put into writing "We think we've satisfied our
obligation to you because you told us to send it to your mother and instead we
sent it to somebody in Cincinnati; that was totes reasonable." Or, rather, you
want a lawyer at BigBank to say "Eff no I am not putting that in writing; pay
him $300 and charge it off to operational losses, that's what that budget is
for."

~~~
arkades
Please elaborate, what is regulation E?

~~~
patio11
You've asked a question which is approximately "What is a garbage collector?"
in terms of depth.

Here's the short answer: it's a regulation about electronic funds transfers
that US financial institutions, including every bank which offers Zelle, are
obligated to uphold.

There is a longer version of this answer; your life will probably not be
materially improved by knowing it, but you can Google and read at your
leisure.

~~~
saulrh
To be sure, is this [1] the part of the regulation that's being invoked by
that letter?

1:
[https://en.wikipedia.org/wiki/Electronic_Fund_Transfer_Act#E...](https://en.wikipedia.org/wiki/Electronic_Fund_Transfer_Act#EFT_Errors)

------
_bxg1
A conglomerate of giant, old, non-tech companies tried to launch a casual and
trendy service, and the software sucks? I'm shocked.

That said: "...a phishing email that appeared to be from Wells Fargo tricked
her into entering her bank ID and password into a fraudulent website." This
situation didn't depend on Zelle's existence to be possible. I would say the
problem here is browsers not doing a good enough job helping people identify
when a site isn't the one they think it is, but it's a tough problem.

------
doesnt_know
Here in kiwi-land, a bank transfer from one individual or business to another
is considered the most basic of banking services and all banks support it.

Here are some screenshots from the KiwiBank web interface, (but it's similar
for all banks):

[https://i.imgur.com/ug9VU5t.png](https://i.imgur.com/ug9VU5t.png)
[https://i.imgur.com/HRsyQoN.png](https://i.imgur.com/HRsyQoN.png)

There are no fees related to this unless you start doing international
transfers, it's just part of the service.

~~~
btbuilder
I think this has to do with a fundamental difference in how sensitive account
number and routing numbers are in the US compared with other international
financial systems I have used.

In the US, if someone has your account number and routing number you can
attempt all sorts of fraud via the eCheck system. People and companies are
wary about giving out their account numbers. Providing an account number here
is more often used to withdraw money than deposit. These payment services
offer an extra level of authentication and authorization that does not appear
to be easily accessible in the traditional banking sector.

Meanwhile, in my experience, in the UK sharing your account number is
primarily used for other people doing a personal transfer to you. The
institutions that can withdraw money directly from your bank account are
limited to those in the Direct Debit system that has some vetting procedures
and guarantees similar to what you would get in a credit card agreement[1].
This significantly reduces the chance of fraud, even with incidents like when
Jeremy Clarkson printed his acct # in a newspaper on purpose [2].

[1]
[https://www.directdebit.co.uk/DirectDebitExplained/pages/dir...](https://www.directdebit.co.uk/DirectDebitExplained/pages/directdebitguarantee.aspx)

[2]
[https://www.theguardian.com/money/2008/jan/07/personalfinanc...](https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud)

~~~
staz
What's the deal with you Americans and your magic numbers?

So you have your Social Security Number that you can't give for fear of
someone impersonating you, your Credit Card Number you cannot give for someone
might steal from you and now you tell me you can't even give your bank account
number.

So you have all these numbers you have to keep secret because they are the
gateway to someone ruining your life, yet you still have to communicate them
routinely to a number of institutions in order to function in society. Isn't
that a bit crazy?

~~~
jacoblambda
Yep. So many people are afraid of having a universal system for identifying
(and tracking) us that they would much prefer many smaller broken systems used
for impersonating us.

------
elvirs
I noticed that one of the issues with Zelle is that people have accounts at
multiple banks that all support Zelle but they use only 1 phone number
connected to their banking apps. So sometimes when I send money from my Chase
mobile banking app to my friend's number who also has Chase mobile banking
app, the money actually ends up going to his Bank of America account because
he uses the same phone number on Bank of America mobile banking app as well.
Sometimes this becomes a serious issue and I think there is no centralized way
to change your 'Zelle' settings.

~~~
joelrunyon
Them tying this to a (cell) phone number is actually VERY annoying. I have
multiple bank accounts, but one cell phone. The fact they limit the ability to
create more accounts without more than one phone creates all sorts of issues.

~~~
dawhizkid
You can tie to an email. I sent money between 2 accounts I own where one is
tied to my phone and the other an email. Not sure if this is technically
“allowed” but it is way faster than using the actual external bank transfer
options.

------
valuearb
Early Warning is owned by a consortium of major banks. Supposedly during
development of the apps, if any one bank wanted a feature the team basically
had to implement it. Allegedly the team wasn’t allowed to push out the ship
date or refuse new features, their only lever was adding more resource.

Any wonder why it shipped months late and with the most horrific reviews I’ve
ever seen for a mobile app? My guess is fixing problems going forward won’t be
any easier.

~~~
toomuchtodo
Fixing problems might not be easy, but as you mention, Early Warning is owned
by a consortium of large US banks. Compared to PayPal, Stripe, and other non
bank chartered institutions, their resources are effectively unlimited. Those
problems are going to get fixed eventually.

Wells Fargo was fined a billion dollars [1] and will continue to operate as an
ongoing business. This is a road bump.

[1] [https://www.npr.org/sections/thetwo-way/2018/04/20/604279604...](https://www.npr.org/sections/thetwo-way/2018/04/20/604279604/wells-fargo-hit-with-1-billion-in-fines-over-consumer-abuses)

~~~
RSZC
Throwing infinite money and developers at something does not make a good
product.

Source: I work for a SaaS aimed primarily at large banks, most of which
attempted to build our product themselves before giving up and signing with
us.

~~~
toomuchtodo
> Throwing infinite money and developers at something does not make a good
> product.

Of course not. But it gives them more time to try and more attempts, where
your runway is limited. You would eventually run out of funds if you don't
find product market fit. They will not run out of funds, ever.

~~~
valuearb
And likely they will be unable to build a good product, ever. You can't have
decision making dissonance at the most senior levels of your organization and
make good products.

Resources alone solve no product problems, leadership is far more important. I
know of a $10B company whose most important feature (by far) of its consumer
facing app fails well over half the time customers tried to use it. This
problem has been known for nearly a year and at no point has the team been
allowed to make fixing it a priority.

~~~
toomuchtodo
Your product doesn't need to be good if you control the market for it.

You’re going to go start a bank you say? See BankSimple and Standard Treasury
(and their abysmal exits to real banks, BBVA and Silicon Valley Bank,
respectively) to see what that path looks like.

Having a great product alone is not good enough.

------
exhilaration
Previously on HN:
[https://news.ycombinator.com/item?id=16395698](https://news.ycombinator.com/item?id=16395698)

------
panarky
There needs to be a very large, very prominent warning on every transaction:

"ONLY SEND MONEY TO PEOPLE YOU KNOW."

"IF YOU SEND MONEY TO A SCAMMER, ZELLE WILL NOT HELP YOU GET YOUR MONEY BACK."

Zelle is not PayPal.

There is no dispute resolution service if the seller on Craigslist doesn't
deliver and stops responding to your messages.

Don't use Zelle to send money to strangers.

~~~
eckmLJE
Venmo is the same way. A friend of mine accepted payment for a piece of
hardware through Venmo. My friend handed over the hardware in person to the
buyer once the payment was "in" my friend's wallet and he had initiated the
cash out, but before the money had actually cleared into his bank account.

Once he and the buyer parted ways, the payment was canceled due to a claim of
fraud by the card's owner, and my friend's Venmo account was suspended because
he had used it for commercial purposes and not just sending money between
friends.

Apparently, even if you already have the money cleared in your bank account,
Venmo has the ability to charge it back once a fraud claim is initiated.
Apparently this is very common on the platform.

~~~
panarky
_> Venmo is the same way._

If Venmo reverses payment due to claims of fraud, then this is pretty much the
exact opposite of Zelle. That makes Venmo more like PayPal, with a dispute
resolution process.

Zelle doesn't care if your counterparty is a scammer. If you initiated the
payment, the money is gone.

~~~
ianburrell
There are two different kinds of fraud. One is where there is fraudulent
payment like from account being taken over. Venmo and Zelle can reverse those
transactions. The other kind is where purchase is fraudulent. Venmo and Zelle
don't offer any protection for purchases or sales. It is only credit cards and
equivalent that offer purchase protection.

~~~
panarky
_> It is only credit cards and equivalent that offer purchase protection_

And PayPal, Payza, etc.

------
sjroot
The one thing I don't understand about Venmo is that it, based on my (limited)
use, seems to show transactions amongst users in a "social networking" manner.
I believe you are able to make your activity private, but why would anyone
want it any other way? Am I the only one who thinks this is absolutely absurd?
I am a very happy user of Square Cash as a result.

~~~
rhodysurf
Sort of. It shows who paid who and their comment, but it does NOT show how
much money was exchanged.

~~~
Djvacto
Yep. I made mine private by default, but it is basically just a way to send a
friend money, that if you leave it public to other friends, is just a way to
share jokes.

Paying a roommate for utilities but setting the description to the tongue-out
emoji and an eggplant, or something similarly silly.

------
throw7
I've had problems with all of these online cash transfer "apps", so much so
that I don't trust any of them. Venmo flagged my account and required me to
"call them up" to "fix" things (yeah no).

I've used google pay the most, but I've sent money with google pay that never
reached the destination bank (the destination bank said it was "google's
fault", whatever we canceled the transactions).

I've sent money to an associate's email address with google pay and then a few
days later she told me someone had withdrawn $999 dollars from her account
associated with google pay. Her bank did get her money back after some days.
yikes.

Banks should not be "moving fast" to "catch up". They should be providing a
trustable experience. I have zelle available with my bank, but no way am I
experimenting until it's been stressed out.

~~~
herpderperator
If your bank flags and blocks your credit card for suspicious activity which
you didn't initiate, are you going to "yeah no" them too, and refuse to call
them up?

There is nothing wrong with having to call up a financial institution to
verify things that raise alarm bells for them.

~~~
dothis9
I usually just pull out a different credit card, and then take the card that
didn't work out of my wallet when I get home.

Sometimes I might get around to calling my bank (somewhat depends on my
perception of how long their customer service is going to take to fix the
issue), but it's faster for me to just replace that card with another card
from my collection of cards (I've got too many cards to keep them all in my
wallet at any given time).

The last card which was incorrectly flagged for suspicious activity probably
cost that bank several thousand dollars in foregone interchange fees.

~~~
kristianc
> Sometimes I might get around to calling my bank (somewhat depends on my
> perception of how long their customer service is going to take to fix the
> issue), but it's faster for me to just replace that card with another card
> from my collection of cards (I've got too many cards to keep them all in my
> wallet at any given time).

This is a real and common problem for banks/card issuers, who tend to be
obsessive about keeping genuine transactions declined to a minimum for this
reason.

Blocking all fraud is achievable, but it would come at the cost of many
instances like this.

------
a3n
It's frustrating to me that I can't just go to my Wells Fargo account on the
web and send money from my account to my recipient's account by routing and
account number.

I _can_ do that with my USAA bank account.

~~~
johnmcd3
US Bank took away next day transfers to a bank account via routing/account
number (ACH) as they are pushing Zelle more. They also dropped the (previously
higher) transaction limits on 3-day routing/acct numb/ACH down to the $5,000
3-day limit on Zelle.

It’s frustrating when they take away a perfectly good service just to push their
new thing harder.

------
tedunangst
Is any of this actually new or unique? If you mail an old school check to the
wrong address and never get your concert tickets, do you get your money back?

~~~
mikeash
Probably. Most likely you’d never lose the money in the first place, since the
incorrect recipient would be unable to cash the check. If they did
fraudulently cash it then you could get that reversed.

------
dawhizkid
Pro tip for using Zelle more safely: Ask the receiver to request funds from
you vs sending to X or Y number/email.

------
AlphaWeaver
The Zelle app has had very poor Android support for quite a while... When I
first tried to get the app to receive money it didn't even allow the account
registration OR login flow to complete without the app crashing.

~~~
Rebelgecko
It's still iffy. I have to reenter my phone number every time I open the app

------
jrs95
Venmo itself has had a long history of the same issues. The main problem here
for Zelle is that they should have seen this coming and handled it a bit
better.

------
briandear
Of course not everyone has an Apple device, but person-to-person Apple Pay is
really slick and, based on my amateur analysis, very secure.

------
meesterdude
haha I actually tried using Zelle a few days ago - "oh look, the banks are
joining the future! let's try this". WRONG. Super convoluted and couldn't get
it to work in the end, even after calling customer service.

PayPal was 30 seconds.

Zelle is Helle

------
21
> The catch is that the bank, like all the others that use Zelle, only
> considers transactions fraudulent if the customer did not authorize them.

How can the banks be so short-sighted? Soon a lot of people will hear that
Zelle is not secure and they will avoid using it.

~~~
metei
Lots of banks and Credit Unions have implemented Zelle in app, it's the last
gasp they have to compete against Venmo. The only upside to Zelle is
essentially offering instant transfers for free, where Venmo makes you wait a
few days or pay $0.25.

~~~
dawhizkid
That’s a pretty huge upside IMO...

It’s actually even faster than instant deposit on Venmo because the funds
appear to settle instantly (not just transferred instantly)

~~~
magduf
It is pretty huge, and as long as you're using it with people you actually
trust, it should be safe.

