Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
October 5, 2015
Don't Let the Absence of a Fat Dog Scare You
Halloween, not at all my favorite holiday, looms. On this "hollow day" we commonly celebrate the ghastly—ghouls, ghosts, goblins and gloom—and with ever-increasing fanfare (when did lights get to be important for Halloween?). It's not clear to me what upside there is to focusing on that which encourages us to be frightened, worried, or just plain grossed out. This is especially true for those who work with or are responsible for retail payment systems. From cyberattacks and data breaches to basic fraud and theft, there is plenty to haunt and drive us to an early grave.
Today, I offer no solution to the threats; they seem to be ever with us. When bad things happen, and they almost surely will, one of our most important choices relates to reporting. To get to where I'm going, I'll share a text series my son sent recently to report an incident at the house. His messages were as follows:
The trouble with security incidents is they don't come with a fat dog to vacuum up the mess. One of the trickier messes is in the reporting. What should be reported, to whom should it be reported, and when?
My first instinct is to say that when something goes awry, err on the side of reporting—early and often. I have said so in a previous post. Alas, it's not that easy; there is no fat dog to clean up the mess. Realizing that, I feel compelled to correct my earlier thinking or at least to offer a more nuanced view.
One can agree or not, like it or not, but the truth is notification obligations are not triggered by every security incident. What has to be reported and when varies by state as well as circumstance. That's grist for another blog. For this one, just note that one often has choices. What if bad consequences such as reduced sales or damaged reputations could have been avoided by not talking out of turn? It's not wrong to ponder that.
There are other arguments to be made against early reporting. For instance, early understanding may (likely will) need to be amended. The amendment could be dramatic if additional forensics make clear that initial conclusions or thoughts were incomplete or simply incorrect.
The other side is that erring in favor of the "early and often" principle or sacrificing self in the interest of others is "the right thing to do." I recently heard a person say their company chose to be public and transparent about a breach of theirs, in spite of incomplete information. The speaker said it was the right thing for them, in that instance. He also said it couldn't be a rule. His rule was that the CEO needs to be comfortable with what is decided because somebody is harmed no matter what the decision.
The resolution is an incident response plan. Be committed to developing a well-conceived one. Don't think your firm is too small for one. Knowing options such as whether notice is required (and when) could prove priceless, as could working through all the communication decisions in the absence of the heat that accompanies a real incident. If incident response plans are already in place, test key decision makers with realistic exercises that include wide-ranging communication scenarios and find out what doesn't work for the company. Fix what is discovered before the storm hits.
Alternatively, I have a fat dog that doubles as a vacuum. Price is negotiable but any sale is final.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
September 28, 2015
I Want My Two Dollars!
Dizziness and nausea come over me sometimes when I have to pay individuals. My mind scrambles. I don't carry cash or have checks. What grueling, lengthy steps will I have to go through to pay this person? Besides worrying about forgetting to meet my financial obligation if I don't pay right now, I find myself crossing my fingers behind my back hoping they have the same mobile app as I do. Or maybe we use the same bank, with any random luck. I picture myself as Layne Frost, the character played by John Cusack, from the movie Better Off Dead, with the paperboy at my doorstep insisting, "I want my two dollars!"
From bartering to exchanging livestock and shells, from cash and coin to checks and now mobile, it is inevitable that people will always find a way to pay and be paid. Forrester Research forecasts that the U.S. mobile peer-to-peer (P2P) market will grow to nearly $17 billion in transaction value by 2019. Yet the United States P2P payment volume by instrument is still largely cash-based, followed by check. Forecasters are planning on migration from over 6 billion cash and 2.1 billion check P2P transactions to the mobile space. Who will win the lion's share of paper-based P2P payments as people embrace electronic payments?
Let's look at the P2P payment lifecycle before you make your predictions:
My expectation is that everyone in the P2P space today faces challenges in getting there from here. Some will have a handsome share of the market but in doing so may suffocate opportunity for ubiquitous solutions that will benefit consumers nationwide. Fragmentation is our obstacle in P2P today. If both Ps don't have something in common (for example, financial institution, phone manufacturer, mobile application, social media, branded debit card), then the payment can't occur and...back to the basics we go. Cash and checks are accepted by almost everyone. Moreover, cash eliminates the middle part—cash means finality of good funds, sender to recipient, instantly.
All P2P access channel (or funds load) providers who offer accounts to consumers—whether these providers are financial institutions; virtual wallets like Google and PayPal; mobile/online applications like SquareCash, Venmo, or Dwolla; or prepaid accounts like Bluebird or NetSpend—should be able to access a directory to process payments from anyone to anyone. Ubiquity means debit card or not, banked or unbanked, same state or not. This can be achieved when financial institutions cooperate through open access to a directory, since all nonbank P2P providers ultimately use a bank to conduct the business of processing payments.
There is an option that could surpass directory deliberations. Bitcoin's blockchain technology, like cash, can eliminate middle participants—like cash, it is finality of good funds, sender to recipient, instantly. Perhaps the directory will be technology nonpartisan and connect all payments. Until then, I'll keep crossing my fingers when the paperboy shows up.
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 21, 2015
Mimicking Mother Nature
A few months ago, we had a large colony of bats take up residence in our house. With the issue now resolved, and with everything we had to do to get rid of them, I realize how the whole experience was similar to the tactics of fraudsters and the challenges faced by their victims in taking preventive, detective and corrective action.
We learned of the initial intrusion purely by accident. Previously, we had never had any sign of vermin being able to gain entry, so I thought we had a solid defense. My wife had noticed a small amount of droppings on the back porch, but we thought they were from squirrels. Imagine my shock when my adult son informed me we had been invaded by bats. He had discovered them one morning following an overnight stay. Departing for an early tee time, he noticed a swarm of bats flying into a soffit vent crevice. Incredulous, I waited for dusk only to see for myself a constant stream of small brown bats exiting the soffit crevice.
My wife went a little bat crazy as she imagined hordes of bats swooping down to carry off one of our grandkids. Actually, she was more concerned about the real threat of respiratory disease from their droppings as well as the potential for rabies. We began to do some research, and I soon learned that bats are a protected species, so they cannot be disturbed unless they are posing an immediate health threat. They weren't, since they were not in our living space. But the problem intensified, which I realized one evening when I saw an even larger colony emerging from our chimney.
We began contacting companies that specialize in wildlife removal. We found a wide variety of suggested courses of action and prices. We selected one company based on its reputation, process, guaranteed results, and pricing. The company's first step was to inspect the entire house to identify any other potential points of entry and to seal them. We notified our neighbors so they could be on the lookout to make sure the bats didn't settle inside their houses. The next step was to install one-way excluders that would permit the bats to leave but not get back in. This seemed to be working well until a group of the bats somehow got word they were being evicted. Trying to find another way into the house, they navigated an interior wall and became trapped. Without water, they soon died and a putrid smell began to emerge. After cutting several holes in the wall, the technicians were able to locate the source and remove the carcasses. After a couple of weeks, the excluders were removed and the entry points sealed, and we thought the problem was resolved.
Imagine our further surprise when we returned from vacation and found about 50 dead bats in our unfinished basement. It seems a group had remained and found a chase route from the attic to the basement seeking water. With the disposal of those bats, the problem seems to have finally been resolved. As fall approaches and bats migrate to warmer climates, the threat diminishes, but I can assure you we will be on the alert next spring.
So how does this relate to the payments fraud environment? Some similarities:
- We thought we had a strong defense perimeter and were safe, but the bats found a way inside given they require an opening of only three-eighths of an inch.
- While our discovery came shortly after their initial entry, it was only by sheer luck. We could have acted earlier if we had not ignored the early warning sign of their droppings.
- We thought we had identified the sole location of the problem, but they then migrated to a second entry point.
- Regulations limited the potential range of actions we could take to deal with the issue.
- We shared information about the situation with our neighbors so they could be on the alert.
- We analyzed several different options for dealing with the issue and preventing its recurrence.
- Despite what we thought was a successful process, other issues arose and required action before there was a final resolution.
This experience with Mother Nature has provided us a learning opportunity and we are better informed and on the alert for future such events.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 14, 2015
The Cost of Free Wi-Fi
When I was a teenager, my friends and I were often on the prowl for bargain restaurant offers. The all-you-can-eat buffet at our local Chinese restaurant was a favorite, but every so often we would discover a "free meal deal." We were once reminded by my friend's dad that "nothing in life is free." That quote left a lasting impression on me.
The validity of this quote was hammered home recently during a security discussion I had with a friend about connecting to the Internet through free public Wi-Fi. Though free public Wi-Fi is, well, free, it has "soft" costs tied to the lack of security in the connection. And these soft costs can quickly lead to the "hard" costs of fraud—theft of personal information, user names and passwords, or payment credentials—since hackers are easily able to intercept data transmitted over the Wi-Fi network. Beyond this method, which involves a legitimate network, fraudsters can also deploy rogue Wi-Fi networks for the sole purpose of stealing information. And then, once they have that information, the fraudster can use it to access your accounts under your identity.
This does not mean that people shouldn't use free or public Wi-Fi. When I am away from my home, whether I'm at a local coffee shop or on the road at a hotel, I often seek locations with free Wi-Fi. Apparently, I am not the only one. A recent survey by a U.K. hotel chain found that free Wi-Fi was the most important factor for its customers when choosing a hotel. Free Wi-Fi even ranked higher than a good night's sleep!
However, using free public Wi-Fi and trusting it are two different things. It should never be trusted, and therefore users should do everything to protect themselves and their information. Before joining a free public Wi-Fi network, users should ensure that it is a legitimate network offered by a legitimate entity such as a business, municipality, hotel, or airport. Criminals often will use deceptive Wi-Fi names to trick users into choosing bogus Wi-Fi networks, so users should pay close attention to signage promoting Wi-Fi networks or ask staff for help in identifying legitimate networks. The Federal Trade Commission offers detailed advice on protecting yourself against Wi-Fi security risks once you are connected, including:
- Use a virtual private network, or VPN.
- Use SSL-encrypted connections by enabling the "Always Use HTTPS" website option.
- Turn off file sharing.
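The "Always Use HTTPS" advice only protects a user if the site actually moves the session onto an encrypted connection and tells the browser to stay there. The following is an added example, not code from the Atlanta Fed post or the FTC guidance it cites: a small Python check that a site owner or reviewer can run over the raw responses a server gives to a plain `http://` request and to the matching `https://` request, classifying the site as "enforced" (redirect to HTTPS plus an HSTS header), "redirect-only" (the first visit still starts in plaintext), or "plaintext". The sample responses, the host name `bank.example`, and the function names are all constructed for this example.

```python
"""Does a site force HTTPS? Added example, not code from the Atlanta Fed post.

Given the raw response a server sends to a plain http:// request and the
raw response to the matching https:// request, report whether the site
moves clients onto an encrypted connection (redirect) and tells browsers
to keep using it (HSTS). All sample responses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class HttpsPolicy:
    http_status: int
    redirects_to_https: bool
    hsts_max_age: int   # seconds; 0 when the https response has no HSTS header
    verdict: str        # "enforced", "redirect-only" or "plaintext"


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or 0."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def assess(http_raw: str, https_raw: str) -> HttpsPolicy:
    """Classify how strongly a site pushes clients from http:// to https://."""
    http_status, http_headers = parse_response(http_raw)
    _, https_headers = parse_response(https_raw)

    target = urlsplit(http_headers.get("location", ""))
    redirects = http_status in REDIRECT_CODES and target.scheme == "https"

    # Browsers only honour HSTS received over TLS (RFC 6797), so the header
    # is read from the https:// response, never from the plaintext one.
    max_age = hsts_max_age(https_headers.get("strict-transport-security", ""))

    if redirects and max_age > 0:
        verdict = "enforced"
    elif redirects:
        verdict = "redirect-only"   # a first visit still starts in plaintext
    else:
        verdict = "plaintext"
    return HttpsPolicy(http_status, redirects, max_age, verdict)


# Constructed sample responses for the hypothetical host bank.example.
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://bank.example/\r\n"
             "Content-Length: 0\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>...")
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."
BAD_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            '<form action="/login" method="post">...')

if __name__ == "__main__":
    cases = {
        "enforced": (GOOD_HTTP, GOOD_HTTPS),
        "redirect-only": (GOOD_HTTP, WEAK_HTTPS),
        "plaintext": (BAD_HTTP, WEAK_HTTPS),
    }
    for label, pair in cases.items():
        print(label, "->", assess(*pair))
```

The distinction between "redirect-only" and "enforced" is the point of the check: a redirect alone still lets the very first request, and any request a rogue access point chooses to answer itself, travel in the clear, while an HSTS policy remembered by the browser removes that plaintext hop on later visits.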
These risks are not just limited to free public Wi-Fi networks. They are also inherent to any public Wi-Fi network, including paid networks such as the in-flight Wi-Fi that many airlines offer. It is imperative that users of public networks take the necessary steps to safeguard their information, especially while conducting financial transactions. As free public Wi-Fi spots continue to proliferate and more financial transactions move to connected devices, rest assured that fraudsters will continue to exploit this communications channel. Educating users on how to protect themselves using public Wi-Fi is critical to safeguarding financial information.
What are you doing to bring awareness to your customers about public Wi-Fi risks?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed