Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
October 17, 2016
EMV Comments That Make Me Cringe
Some aspects of the chip card implementation in the United States certainly make us frustrated. For one, the customer experience could be seen as slightly more negative because of the longer transaction time and confusion about the debit card selection menu. However, at several payments conferences I have attended recently, I have heard comments made by speakers and panelists about EMV chip cards and their technology that caused me to cringe a bit. I understand that a number of stakeholders are not proponents of EMV technology for a variety of reasons and, while some parts of their comments are factually accurate, they certainly are not "the truth, the whole truth and nothing but the truth."
Cringe #1: The United States is implementing 20-year-old technology with EMV chip cards. Yes, the first EMV specifications were publicly released in 1995. But isn't that like saying that the gasoline-powered automobile is technology that is 130 years old? Microsoft's first release of Windows was in 1985. Do we hear complaints about it being 30-plus years old? The reality is that the EMV specifications, like practically all software, are continually updated over the years, with enhancements continuing as long as the software is still being supported. The EMV specifications are now at version 4.3, released in November 2011, with 20 supplemental bulletins issued since then and more on the way.
Cringe #2: EMV (chip) cards haven't solved the card-not-present (CNP) fraud problem. Again, this is an accurate statement. CNP card fraud is the second largest category of fraud losses in the U.S. (see the chart). But, the statement is misleading inasmuch as the EMV specifications and chip cards were never intended to address the CNP ecommerce environment. Counterfeit card fraud, whereby the criminal produces a card using data obtained from a skimmer or data breach, has been the number-one source of card-present fraud in the United States. It was this type of card fraud that the chip card was designed to target, and, from all accounts to date, it has been highly successful in doing so.
Source: Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, Aite Group, July 2016
Cringe #3: Using a PIN improves the security of the chip card. While a cardholder using a PIN in lieu of a signature does clearly result in a lower level of fraud losses, the claim is somewhat of an apples-and-oranges comparison. The chip on the card authenticates the card itself, while the use of a PIN is intended to authenticate the cardholder performing the transaction. These are two separate types of authentication which, when combined, make the transaction more secure—a good thing. The use of a PIN should result in lower lost/stolen card fraud as it invokes two-factor authentication—something you have (card) and something you know (PIN).
Are the current EMV specifications perfect? Of course not, and that is why there are constant efforts to identify ways to improve them. But one must recall that the EMV specifications provide global interoperability and must be developed keeping that requirement in mind. What are your thoughts on the EMV specifications and how they can be improved?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
October 11, 2016
Taking a Quantum Leap into Payment Security
It was 1969, and the only thing hotter than muscle cars was space exploration. Several of my elementary school books found ways to talk about space, astronauts, NASA, or all of them, and more than one almost guardedly indicated that someday man may even reach the moon. Those of you who recall black-and-white TV might remember watching the moon landing live in the summer of '69.
Despite all that was speculated and wondered about at the time—from extraterrestrials to moon colonies—the space race had been "won." There followed a decline in related interests and, ultimately, a moderating of investment in basic scientific research. One of those sciences, quantum research, is of particular note with regard to potential commercialization for computing and communications. And we're behind, as we were in the space race in the early 1960s.
NASA research and development (R&D) appropriations in 1959 were about $200 million. By 1966, R&D totaled almost $5 billion, according to the NASA Historical Data Book for 1958–1968. U.S. federal funding for quantum research each year is just barely what space R&D totaled in 1959. Those numbers offer their own stark contrast, but I'll add one other point of comparison—between what we're spending in this area versus China—one of only three countries to ever soft land on the moon, and now the first to launch a quantum communications satellite. Their annual funding has been conservatively estimated at over $10 billion, according to the Wall Street Journal.
To explain why a payment blogger cares about all this, I'll ask a couple of questions. What would it be worth to have a payment scheme based on "unhackable" communication? Impossible? Maybe not.
Quantum communication is secure against computational attack because its encryption relies on physics, not math. Josh Chin's August 16 article in the Wall Street Journal explained it this way:
Quantum encryption is secure…because information encoded in a quantum particle is destroyed as soon as it is measured. Grégoire Ribordy…likened it to sending a message written on a soap bubble. "If someone tries to intercept it when it's being transmitted, by touching it, they make it burst," he said.
There are critics. U.S. security experts have questioned whether intricacies of quantum communication can be simplified enough for practical, broad use. Others have stipulated that it's possible for hackers to trick incautious recipients. Indeed, this blogger has espoused the idea that nothing is infallible against a determined criminal. But it's hard to argue the advance wouldn't change the game. One might speculate that quantum communication could yield results similar to those described in the etiological tale of the Tower of Babel where languages were confused. Mischief wasn't halted for all time, but altering communication put some pacing on misbehavior. Changing the game, wholesale, is worth considering as the evidence is overwhelming that we're losing in payment security by making changes at the margin to current schemes, methods, and processes.
I'll close with this. Substantial sums of federal money were spent on infrastructure, R&D, policing, and defense owing to the space race. I think most will agree we got our money's worth, especially considering that aside from stated objectives, investing in the space race gave us everything from microchips to satellite navigation—and let us not forget CorningWare. Investing in quantum research holds similar promise, and payment security might benefit from some catch-up.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
October 3, 2016
Looming Questions with the Rollout of NACHA's Mandated Same-Day ACH Rules Change
On September 23, phase 1 of NACHA's three-phase rules change took effect, mandating two same-day ACH clearing/settlement windows for credits only. The subsequent two phases add debit payments in 2017 followed in 2018 by receiving banks being obligated to make credit payments available to receivers by 5 p.m. on the settlement day.
Prior to this change, using legacy ACH, one had to wait one business day for payments to clear and settle. A payment cap of $25,000 along with a mandatory interbank fee of 5.2 cents are other noteworthy differences for same-day ACH items as compared to legacy ACH. For some, these are unwelcome limits and fees, and time will tell the extent to which they stifle (or not) the service's growth. As the Federal Reserve's Financial Services website notes, a further limitation is that the federal government will neither originate nor accept same-day payments at this time, although plans are under way for their eventual participation.
I and others in the forum have commented on various aspects of this long-awaited enhancement here, here, and here. Now is probably a good time to proffer some questions for future consideration in helping to measure the success of this new venture.
- Will projections in the first 12 months of service match NACHA's expectations of same-day garnering one percent of total ACH payment volume? Furthermore, will volume trending point to NACHA achieving its projection of 1.4 billion same-day payments by 2027? Early numbers may be somewhat misleading if payment originators inadvertently send payments for same-day settlement that were intended to be settled the following business day.
- Whatever volume is achieved, will the primary payment use cases identified by NACHA be the actual drivers of same-day volume?
- Payroll for hourly workers, late and emergency payrolls
- Business-to-business invoice payments with remittance information between trading partners that are under the $25,000 cap
- Expedited consumer bill payments using both ACH credits and debits for just-in-time and late payments
- Account-to-account transfers among accounts owned by the same consumer
- Given the 18-month full implementation, how will same-day ACH hold up against existing faster payment schemes that leverage such things as debit card networks that offer much faster payments or even new faster payment schemes that are not reliant on existing payment rails?
- How much, if any, will payment fraud increase with the availability of faster ACH?
- How will service usage be impeded, if at all, by originating banks passing along the cost of the interbank fee to their payment originators?
- Will the somewhat complicated eligibility requirements—no support for federal government payments, deferred debit service, and delayed funds availability—slow adoption?
Despite these questions, there is reason to be optimistic. This is a major step forward for same-day ACH. What are your views on how these questions will eventually resolve themselves?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 26, 2016
AdmiNISTering Passwords: New Conventional Wisdom
I have lived long enough to go through several cycles of "bad" foods that are now deemed not to be so bad after all. In the 1980s, we were warned that eggs and butter were bad for your heart due to their level of cholesterol. Now, decades of nutritional studies have led to a change in dietary guidelines that take into account that eggs provide an excellent source of protein, healthy fats, and a number of vitamins and minerals. Similar reversals have been issued for potatoes, many dairy products, peanut butter, and raw nuts.
Much to my surprise, much of the old, conventional wisdom about passwords has been spun on its heels with proposed digital authentication guidelines from the United States National Institute of Standards and Technology (NIST) and an article from the Federal Trade Commission's (FTC) Chief Technologist Lorrie Cranor regarding mandatory password changes. Some of NIST's recommendations include the following:
- User-selected passwords should be a minimum of 8 characters and a maximum of 64 characters. Clearly size does matter, as generally the longer the password, the more difficult it is to compromise.
- A password should be allowed to contain all printable ASCII characters including spaces as well as emojis.
- Passwords should no longer require the user to follow specified character composition rules such as a combination of upper/lower case, numbers, and special characters.
- Passwords should be screened against a list of prohibited passwords—such as "password"—to reduce the choice of easily compromised selections.
- Systems should no longer support password hints, as they often serve like a backdoor to guessing the password.
- Systems should no longer use a knowledge-based authentication methodology—for example, city where you were born—as data breaches and publicly obtainable information have made this form of authentication weak.
The FTC's Cranor argues in her post that forcing users to change passwords at a set interval often leads to the user selecting weak passwords, and the longstanding security practice of mandatory password changes needs to be revisited. Her position, which is backed by recent research studies, is consistent with but not as strong as NIST's draft guideline that says that users should not be forced to change passwords unless there has been some type of compromise such as phishing or a data breach. Cranor's post does not represent an official position of the FTC and recommends that an organization perform its own risk-benefit analysis of mandatory password expiration and examine other password security options.
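As an added illustration (not code from the post or from NIST), here is a small Python validator that applies the draft points listed above: length measured in characters rather than bytes, spaces, Unicode and emoji allowed, no composition rules, a blocklist screen, and rotation only on evidence of compromise. The five-entry blocklist and the legacy composition rule are constructed stand-ins for contrast.

```python
import unicodedata

# Constructed stand-in for a real breached/common-password list (assumption, not a NIST list).
PROHIBITED = {"password", "12345678", "qwertyuiop", "letmein1", "p@ssw0rd"}

MIN_LEN, MAX_LEN = 8, 64


def check_password(candidate: str, blocklist=PROHIBITED) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Mirrors the NIST draft points: 8-64 characters, any printable character
    (spaces, Unicode, emoji) allowed, no composition rules, blocklist screening.
    """
    reasons = []
    # Normalize so visually identical strings compare the same way; len() then
    # counts code points, so a single emoji counts as one character, not four bytes.
    pw = unicodedata.normalize("NFKC", candidate)
    n = len(pw)
    if n < MIN_LEN:
        reasons.append(f"too short ({n} < {MIN_LEN})")
    if n > MAX_LEN:
        reasons.append(f"too long ({n} > {MAX_LEN})")
    # Only control/unassigned characters (Unicode category C*) are refused;
    # spaces (Zs) and emoji (So) pass.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        reasons.append("contains non-printable control characters")
    # Blocklist screen: case-insensitive, ignoring surrounding whitespace.
    if pw.strip().lower() in blocklist:
        reasons.append("appears on the prohibited-password list")
    return reasons


def legacy_composition_ok(pw: str) -> bool:
    """The old rule the draft drops: one upper, one lower, one digit, one special.
    Kept only to show how it rates passwords differently from check_password."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def rotation_required(compromise_reported: bool, days_since_change: int) -> bool:
    """Draft position on expiry: force a change only on evidence of compromise
    (phishing, breach); the age of the password is deliberately ignored."""
    return compromise_reported
```

Run against the two classic examples, "correct horse battery staple" is accepted here but fails the legacy rule, while "P@ssw0rd" satisfies the legacy rule and is rejected by the blocklist.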
So while I finish my breakfast of eggs, hash browns (smothered and covered, of course), and buttered toast washed down with a large glass of milk, I will continue to ponder these suggestions. I would be interested in your perspective so please feel free to share it with us through your comments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed