Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
September 26, 2016
AdmiNISTering Passwords: New Conventional Wisdom
I have lived long enough to go through several cycles of "bad" foods that are now deemed not to be so bad after all. In the 1980s, we were warned that eggs and butter were bad for your heart due to their level of cholesterol. Now, decades of nutritional studies have led to a change in dietary guidelines that take into account that eggs provide an excellent source of protein, healthy fats, and a number of vitamins and minerals. Similar reversals have been issued for potatoes, many dairy products, peanut butter, and raw nuts.
Much to my surprise, much of the old conventional wisdom about passwords has been turned on its head by proposed digital authentication guidelines from the United States National Institute of Standards and Technology (NIST), published as draft Special Publication 800-63B, and by an article from the Federal Trade Commission's (FTC) Chief Technologist, Lorrie Cranor, on mandatory password changes. NIST's draft recommendations include the following:
- User-selected passwords should be at least 8 characters long, and verifiers should allow passwords of at least 64 characters rather than capping them below that (the draft sets 64 as a floor on what must be accepted, not a ceiling). Size does matter: generally, the longer the password, the harder it is to guess or crack.
- A password should be allowed to contain all printable ASCII characters, including the space, as well as Unicode characters such as emojis.
- Passwords should no longer be required to satisfy composition rules such as a mix of upper- and lowercase letters, numbers, and special characters; such rules mostly produce predictable substitutions ("Password1!") rather than stronger secrets.
- Passwords should be screened against a list of prohibited values, such as "password", dictionary words, and passwords exposed in previous breaches, to reject easily compromised choices.
- Systems should no longer offer password hints, which often serve as a backdoor to guessing the password.
- Systems should no longer use knowledge-based authentication, for example asking for the city where you were born, because data breaches and publicly available information have made this form of authentication weak.
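As an added example (not code from this post, from NIST, or from the Atlanta Fed), here is a Python acceptance check that applies the draft rules listed above: a length floor of 8 and a ceiling no lower than 64, no composition rules, spaces and Unicode allowed, and a blocklist. Two details come from the draft SP 800-63B text rather than from this post: NFKC normalization before counting characters, and screening out repeated or sequential runs and context-specific words such as the username. The sample blocklist, the control-character rejection, and the function and variable names are assumptions made for the example.

```python
import unicodedata
from typing import List, Tuple

MIN_LENGTH = 8    # user-chosen secrets: at least 8 characters
MAX_LENGTH = 64   # verifiers should accept at least 64; never silently truncate

# Constructed sample blocklist (assumption). A real deployment loads a breach
# corpus of hundreds of millions of entries. Note that "leet" variants such as
# p@ssw0rd must be in the list: composition rules no longer filter them out.
BLOCKLIST = {"password", "p@ssw0rd", "password1", "123456", "qwerty",
             "letmein", "iloveyou", "welcome1"}


def normalize(secret: str) -> str:
    """NFKC-normalize so that visually identical strings compare equal and a
    combining sequence such as 'e' + U+0301 counts as one character.
    SP 800-63B recommends NFKC or NFKD for exactly this reason."""
    return unicodedata.normalize("NFKC", secret)


def has_run(secret: str, length: int = 4) -> bool:
    """True if any window of `length` code points is all identical ('aaaa')
    or steps by exactly +1 or -1 per character ('abcd', '4321')."""
    for i in range(len(secret) - length + 1):
        cps = [ord(c) for c in secret[i:i + length]]
        if {b - a for a, b in zip(cps, cps[1:])} in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, username: str = "", service: str = "",
                   blocklist=BLOCKLIST) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). Every failing rule is reported, not just
    the first, so the user can fix all problems in one attempt."""
    secret = normalize(candidate)
    reasons = []

    # Length is counted in Unicode code points after normalization, not in
    # bytes, so an emoji or an accented letter counts as one character.
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Printable ASCII, spaces and Unicode are all acceptable. Rejecting
    # control characters is an assumption of this example (the draft is
    # silent on them); they usually indicate paste damage, not a choice.
    if any(unicodedata.category(c) == "Cc" for c in secret):
        reasons.append("contains control characters")

    # Deliberately no composition rule: an all-lowercase passphrase is fine.

    lowered = secret.casefold()
    if lowered in blocklist:
        reasons.append("matches a prohibited or breached password")
    for ctx in (username, service):
        if len(ctx) >= 3 and ctx.casefold() in lowered:
            reasons.append(f"contains context-specific word '{ctx}'")
    if has_run(lowered):
        reasons.append("contains a repeated or sequential run")

    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "correct horse battery staple",
               "cafe\u0301 au lait", "\t" + "tabbed", "dlott2016!!"):
        print(repr(pw), check_password(pw, username="dlott"))
```

Two practical notes. First, compare the blocklist on the normalized, case-folded value, and for a large breach corpus compare a hash (or a hash-prefix range) rather than shipping the plaintext list to the verifier. Second, the same policy object is where the expiration rule belongs: the only trigger for forcing a change should be evidence of compromise, not a calendar interval, which is the NIST position discussed next.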
The FTC's Cranor argues in her post that forcing users to change passwords at a set interval often leads them to select weaker passwords (for example, by making a small, predictable change to the old one), and that the longstanding practice of mandatory password changes needs to be revisited. Her position, which is backed by recent research, is consistent with but not as strong as NIST's draft guideline, which says that users should not be required to change passwords periodically unless there is evidence of compromise, such as a phishing incident or a data breach. Cranor's post does not represent an official position of the FTC, and it recommends that an organization perform its own risk-benefit analysis of mandatory password expiration and examine other password security options.
So while I finish my breakfast of eggs, hash browns (smothered and covered, of course), and buttered toast washed down with a large glass of milk, I will continue to ponder these suggestions. I would be interested in your perspective so please feel free to share it with us through your comments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 19, 2016
Mobile Banking and Payments—What's Changed?
This week, the Federal Reserve Banks of Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond are launching an online mobile banking and payments survey of financial institutions based in their respective districts. The purpose of the survey is to gain a better understanding of the status of the mobile banking and payments initiatives, products, and services that financial institutions offer in the various regions of the country. The results of the survey at the individual district level should be available to participants by mid-December; a consolidated report for all the districts will be published in early 2017.
The last survey, which had 625 participants, was conducted in the fall of 2014. That was before the launch of the various major mobile wallets operating today, so it will be interesting to see what level of impact these wallets have had on the mobile payments activity of financial institutions. You can find the results of the 2014 Sixth District survey on our website. This survey effort complements the 2016 Consumer and Mobile Financial Services survey conducted by the Federal Reserve Board's Division of Consumer and Community Affairs.
First designed by the Federal Reserve Bank of Boston in 2008, the survey has been updated over the years to reflect the many changes that have taken place in the mobile landscape in the United States. Similar to past surveys, the 2016 survey looks to capture:
- Number of banks and credit unions offering mobile banking and payment services
- Types of mobile services offered or planned
- Mobile technology platforms supported
- Features of mobile services offered or planned
- Benefits and business drivers associated with mobile services
- Consumer and business adoption/usage of mobile services
- Barriers to providing mobile services
- Future plans related to mobile payment services
If your financial institution is based in one of the participating districts and has not received an invitation to participate in this year's survey, please contact your district's Federal Reserve Bank. For the Sixth District, you can contact me via email or at 404-498-7529. You can also contact me if you need assistance in locating your district's lead survey coordinator.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 12, 2016
Risk Mitigation Isn't Just for Banks
My summer in Atlanta wouldn't be complete without "shooting the Hooch." Friends and family gather upriver on the Chattahoochee River, bringing rafts, tubes, or kayaks for a chance to beat the pervasive southern heat. This year, towards the end of our two-hour float, we came upon Diving Rock, a crowded swimming hole where people stop to watch cliff jumpers. A jumper can choose either a 20- or a 30-foot freefall into the river below. As the family's "chief risk officer," when my eight-year-old son asked me if he could jump, I quickly assessed the inherent and residual risks of such an activity at this location. I concluded that our family was risk-averse in this situation and there would be no jumping.
Conversely, when my son asked if he could play tackle football, I decided we had an appetite for this type of risk. I don't want to detail all of the risk factors compared to the mitigation controls that went into my assessments and ultimate decisions. But looking at these two personal examples made me wonder: in a business context, who else is faced with important risk decisions? And who, besides banks, should be conducting constant risk assessments for their organization?
A tax preparer faces fines and, in extreme cases, jail time for filing returns with errors. Those who receive return-related penalties can also face suspension or expulsion, for themselves or their entire firm, or other enforcement action by the IRS. Can a tax preparer be held liable for filing returns with errors even if unaware that the taxpayer was acting illegally? The tax preparer is held to the reasonable person standard, so if it is something he or she should have known, yes. But if the client omitted pertinent details, the tax preparer might have no way of knowing. Since the consequences are severe, should the tax preparer dig deeper and try to catch fraudulent client activity before submitting a return, or keep blinders on?
I pay for monthly parking at a city garage. This week I found out that the garage monitors my activity closely through the access card I use. It knows whether my car is in or out of the garage, and it uses a three-part check to prevent parking space fraud: to get in or out, the gate needs the weight of a vehicle on the sensor, an authorized access card, and a correct in/out record on that card (what access-control vendors call anti-passback) before it will let you through.
Doesn't it stand to reason that every organization, whether it provides tax preparation, parking spaces, or payment network access, should conduct risk assessments and implement mitigating controls in pursuit of its own definition of success, so that it understands how customers engage with its services, especially when it can be held liable for those activities? Should payment services be any different, and if so, to what extent?
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 29, 2016
The Simple Consider Three but Four is the Key
In July of 1991 the late sports columnist and humorist Lewis Grizzard gave his top 30 reasons for loving America. The second item on his list read as follows:
I can still see reruns of the Andy Griffith Show. My favorite scene remains the time a reporter came to Mayberry to do a story on the city with the lowest crime rate in the state. The reporter found Barney alone at the sheriff's department and asked him, "How many are on the Mayberry force?"
Barney replied, "Well, there's Andy [the Sheriff] and me…," then patted his holster and added, "And baby makes three."
Payments, like Mayberry, has three officers, if you will, charged with securing the landscape. In both cases, the work of the officers on the beat comes down to prevention, response, and remediation.
With payments, prevention is about thwarting attacks, both physical and cyber, along with fraud and outright theft. The work consists largely of insulating and securing processes, systems, and valuables with up-to-date security tactics and tools, and it also involves educating and training staff. Awareness of the landscape and good judgment in choosing policies and approaches are vital.
Response entails reacting to incidents or problems. Here the work begins with having the means to detect a problem in the first place. It also entails reporting, before, during, and after events, both internally and externally. Response further means investigating and understanding precisely what happened and how, and determining how to close the hole or holes that gave rise to the problem.
Remediation is the after-event work: repairing the damage, which covers everything from recovering losses and further shoring up security to assisting those harmed by the event. Repairing reputational damage also falls under remediation.
Back to Mayberry. In the show, Andy got credit for the town's sterling record, and rightly so—he had good judgment and instincts. However, in my opinion, some of the best episodes highlighted Andy's secret weapon, a fourth entity on the police force—the average citizen. Individual responsibility that rolled up into collective ownership for the town underpinned Mayberry's enviable crime record. Sometimes it was Floyd the Barber (and town gossip) who gave Andy the advance warning he needed. Other times it was Gomer at the gas station or Andy's son, Opie, who provided folksy wisdom or insight that ended up being the difference between triumph and tragedy.
For payments to attain Mayberry's enviable crime rate, the citizens, that is, the consumers, have to be fully empowered, thoroughly educated, and roundly encouraged to participate vigorously in their own security. In my opinion, payments are at least partially plagued by a moral hazard that stems from blanket consumer liability protections in some instances, with a seeming bias toward more of that, not less. At the very least, we should question our experience, revisiting and debating the balance between reasonable consumer protection and blanket coverage applied irrespective of consumer choice and action. I see no scenario in which dread over what will descend on the payment landscape next abates until safety consciousness among users is more deeply rooted and the culture settles in a place where ownership of our well-being is a duty embraced by all, all the time.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed