Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 20, 2018
With Social Engineering, It Takes Only One
I recently wrote a post about the time I spent job shadowing in my employer's Information Security Department (ISD). One of the main objectives of the job shadow program is to allow ISD to introduce their communication, education, and outreach efforts to employees. This department works constantly to make employees aware of trending security threats, especially social engineering, and they have to do it in a way that gets the employees' attention. Creating a security-aware culture is critical because it takes just one employee, just one time, to cause a significant risk event. ISD has found that if they deliver messages in a fun way—such as an annual chili cook-off—more ears are open to hear them.
The Retail Payments Risk Forum follows social engineering trends closely since social engineering presents a major security risk and it directly affects payments. These attacks can easily open a gateway for criminals to access payment systems or any protected information system. Here's a quick review of social engineering: it relies on manipulating human behaviors through direct or indirect communication, and it does not necessarily involve technology. As computer security grows increasingly sophisticated, some criminals have found it can be easier to manipulate an individual than to game a machine. Some reports say that social engineering schemes have cost U.S. businesses nearly $3 billion since 2013. It's no wonder that social engineering is a growing concern.
A common social engineering attack is phishing, which is when the criminal uses an email that appears to be from a legitimate company to get people to respond with personal information such as account credentials. According to one company's report, phishing and pretexting in 2017 represented 98 percent of social incidents and 93 percent of breaches. (Pretexting often involves a scam whereby one individual lies to get personal information from another individual. A pretexter, for example, might pretend to be conducting a survey.) At 96 percent, email continues to be the most common vector. The good news is that 78 percent of people who were phished last year didn't open a single email, according to the same report.
But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.
Psychological manipulation is a powerful tool to try to influence someone to divulge sensitive information. Since social engineer fraudsters need to reel in just one victim, we need to ensure that every single employee hears the message. Promoting security awareness scratches the surface in fighting social engineering, but it needs to be fun and creative constantly.
Look for one more post in this series describing my time in the job shadowing program in my employer's Information Security Department.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 13, 2018
Protecting Our Senior Citizens from Financial Abuse
By all accounts, elder financial abuse appears to be a multi-billion-dollar problem. A 2011 New York State study found that, for every documented case of elder financial exploitation, more than 43 other cases went unreported. A 2015 report from True Link Financial estimates that nearly $17 billion is lost to financial exploitation, defined as the use of misleading or confusing language, often in conjunction with social pressure and tactics, to obtain a senior’s consent to take his or her money. According to the same report, another $6.7 billion is lost to caregiver abuse, which is deceit or theft by someone who has a trusting relationship with the victim, such as a family member, paid caregiver, attorney, or financial manager.
Over the last several months, Risk Forum members have had several conversations with boards and members of different regional payment associations. The topic of elder financial abuse and exploitation came up often. It has been over seven years since Take On Payments last explored the topic, so we are overdue for a post on the subject given both the interest from some of our constituents and new legislation around elder financial abuse recently signed into law.
With an aging baby boomer population representing the fasting growing segment of the population, awareness of the magnitude of elder financial abuse and an understanding of ways to identify and prevent it are critical to the well-being of our senior citizens. And that is exactly the intent of the Senior SAFE Act that on May 24 was passed by Congress and signed into law under Section 303 of the Economic Growth, Regulatory Relief, and Consumer Protection Act. Briefly, the act extends immunity from liability to certain individuals employed at financial institutions (and other covered entities) who, in good faith and with reasonable care, disclose the suspected exploitation of a senior citizen to a regulatory or law enforcement agency. The employing financial institutions are also immune from liability with respect to disclosures that these employees make. Before they were afforded immunity, banks and other financial-related institutions had privacy-violation concerns over disclosing financial information to other authorities. The new immunities are contingent on the financial institution developing and conducting employee training related to suspected financial exploitation of a senior citizen. The act also includes guidance regarding the content, timing, and record-keeping requirements of the training.
Massive underreporting of elder financial abuse and exploitation makes it difficult to estimate the amount of money lost. While the law does not require financial institutions to report suspected financial abuse and exploitation, it definitely encourages them to create employee educational programs by offering immunity. And those who know the Risk Forum well know that we are strong advocates of education. Elder financial abuse is a growing problem that must be tackled. How is this law changing your approach to reporting suspected cases of elder financial abuse and related employee education?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 6, 2018
The FBI Is on the Case
I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).
All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.
Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.
It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.
One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.
The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:
- Personal data breach
The top three crime types with the highest reported losses were:
- Business email compromise
- Confidence/Romance fraud
The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 30, 2018
Are You at Risk from Zombie Credit Cards?
Do you have any infrequently used credit cards hiding in the back of a drawer? Maybe a card you applied for to get a discount on a new washing machine? Or a card you used frequently a few years ago that has been superseded by a newer card with better rewards or a lower interest rate? You know, the kind of card you might think is dead but isn't quite.
I had a card like that in the back of a drawer, until my bank canceled it a few weeks ago. The bank pointed out that I hadn't used the card in years but offered me the opportunity to reactivate.
No, thanks. I don't need the extra exposure of a forgotten card that has long outlived its usefulness. It's enough trouble keeping track of the cards I do use.
When it comes to inactive credit cards, it turns out I'm not alone. The 2016 Federal Reserve Payments Study finds that, of general-purpose credit cards issued to consumers, 42 percent were not used to make at least one purchase a month during 2015. As a percentage share, this is about the same as 2012, when 44 percent of credit cards were not used at least once a month. ("General-purpose" cards use one of the four major credit card networks, while "private-label" cards can be used only at a particular merchant or limited set of merchants.)
In 2015, there were 192 million consumer general-purpose credit cards outstanding and inactive. That's about four inactive credit cards for every five adults in the United States. (The adult U.S. population in 2015 was 247 million.)
Of course, inactive cards are not necessarily abandoned cards, as mine was. Perhaps their owners reserve them for a special purpose, or keep them around for times when particular retailers offer discounts. Perhaps they are backups in case primary cards are compromised. Or perhaps they serve as an emergency credit cushion—a "just-in-case" line of credit.
Nevertheless, these account numbers are out there. Mine could be sitting in the database of a magazine that is automatically renewed every year or maybe attached to an expired membership at a website I don't use anymore. It's good to have that card canceled, to avoid the risk that the card will rack up charges, zombie-like.
So what about those infrequently used cards at your house? Are you holding on to an older card because a longer lifespan card could possibly improve your credit score? If not, today might be a good day to cancel and then cut them up.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- With Social Engineering, It Takes Only One
- Protecting Our Senior Citizens from Financial Abuse
- The FBI Is on the Case
- Are You at Risk from Zombie Credit Cards?
- Learning about Card-Not-Present Fraud Mitigation
- Behind the Growth in Debit Card Payments
- Attack of the Smart Refrigerator
- Down but Not Out
- Thinking about My Grandmother and Future-Proofing Payments
- Consumer Habits and Cash Use
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud