About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

April 24, 2017


Would Consumers Ever Give Up Their Passwords?

In a post last week, we revisited the issue of passwords and their suitability in serving as a secure authentication method for consumers to gain access to websites and applications. Payment security professionals generally agree that most consumers do not voluntarily adopt strong security practices in selecting and managing their passwords. Consumers often select easily guessed passwords and even use the same password across numerous websites. Given these tendencies, the payments industry is looking for alternative authentication methods that either consumers could adopt or the industry could perform covertly—methods that would ultimately provide for a higher level of customer authentication.

The Aite Group conducted a research study in January 2017 to understand consumer knowledge of and attitudes regarding other authentication methodologies. In particular, the study looked at responses at the generational level, with the respondent base broken into four age segments:

  • Seniors: 70+ years of age
  • Baby boomers: 53–70 years of age
  • Gen X: 37–52 years of age
  • Millennials (Gen Y): 16–36 years of age

The study revealed a universal attitude that passwords are easy to use. Only 7 percent of the seniors indicated they are difficult to use, compared to 1 percent or less for the other three groups. Millennials use the same passwords the most, with 39 percent indicating they use only one or two different passwords and more than three-fourths (77 percent) using five or fewer passwords among all their online accounts.

The participants were asked to rank the importance of different attributes in their consideration for using their financial institution's online banking service. All the age groups indicated that ease of use is topmost. While a majority within each group also cited strong security and fraud prevention as important, seniors especially indicated its importance, giving it equal weight to ease of use.

Although the majority of the respondents in each of the groups indicated some level of willingness to change their authentication method to access their bank account, as the chart shows, there was a clear relationship between their age and their level of willingness.

[Chart: respondents' willingness to change their authentication method, by age group]

So what authentication method did the segments favor? Go read the full report or wait until our next post, which will also discuss whether it will be necessary to offer consumers incentives to get them to change their habits.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 24, 2017 in authentication, biometrics

April 17, 2017


Will the Password Ever Die? Part 1

It has been less than five years since the magazine Wired, in its November 2012 cover story, called for the demise of the password. It has been more than 13 years since Bill Gates called for the elimination of the password at a 2004 RSA conference. Despite these calls to action, the user ID and password remain the most common form of authentication that consumers use online.

Why has the password continued to defy its terminal prognosis? Several reasons come to mind. It remains the most ubiquitous authentication methodology. Even when you factor in the significant costs of companies supporting the need for password resets, I suspect the ongoing operating costs are lower than for other forms of authentication. The reality is that the password is generally a sufficient security tool for accessing low-value applications.

So why is the password criticized so often? Most of the weaknesses in the password are based on the latitude that customers have with selecting and managing their passwords. Surveyed consumers claim to have security in mind when they create passwords, but we have seen the stories about the most common passwords being "password" and the numbers "1-2-3-4-5-6." There is also the practice of using the same password for multiple sites. Frequently, the consumer is not required to use special characters (or the application doesn't accept special characters), nor to change their password on a regular basis.

Despite the frequency of data breaches and all the fallout that comes from them, online merchants are extremely leery of adding additional overt authentication requirements (multi-layered or multi-factor) for fear consumers would abandon their shopping sessions. Given that merchant reluctance along with consumers' general exemption from financial liability if fraudulent transactions are made when their account is hacked and online access credentials are compromised, how likely is it that password weaknesses will improve? So what can be done to strengthen authentication and produce a higher level of confidence that the customer generating a particular transaction is, in fact, the person authorized to perform that transaction?

We will look at some research into the consumer's willingness to adopt additional or alternative authentication methods within the next few weeks. Until then, let us know your suggestions for improving consumer authentication.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 17, 2017 in authentication, consumer protection, cybercrime, data security

April 10, 2017


Catch Me If You Can

I recently became intrigued with a reality network television show that pitted teams of two everyday people (the "fugitives") against a diverse and highly experienced team of former law enforcement, military, and intelligence investigators (the "hunters"). The goal of the contest was for the fugitive team, given a one-hour head start, to elude capture for 28 days so they could collect a prize of $250,000 in the end. The fugitives were given a pot of $500, available only from an ATM, that they could use over the 28 days. But they had a $100 daily limit—and the knowledge that the hunters would be notified of the ATM location immediately. My interest was increased by the location: the fugitives' geographic boundaries were in the Southeast, with Atlanta as the hub, so there were frequent shots of local places that I recognized and had visited.

Underneath the entertainment value was a demonstration of the classic conflict between personal privacy and big-data analytics. This issue has become increasingly complicated as data collection, storage, and analytics have advanced and become less expensive, faster, and more sophisticated. At the same time, people are participating more in electronic communications, transactions, and other activities that create electronic footprints that can be tracked and analyzed. The show demonstrated these collection capabilities numerous times as the investigators pored over bank account transactions, phone records, social media, property and vehicle databases, and other information to identify clues as to the team's location or the people who might be assisting them.

Two of the nine fugitive teams were successful. In subsequent interviews, both teams cited a key factor they believed was critical to their success. They minimized or eliminated their use of cell phones, email, and social media—going off the grid—to avoid giving hints about their location. Knowing that their location would be signaled whenever they used an ATM to get money, they would have already made arrangements to leave the area immediately, before the hunters closed in. Several of the unsuccessful contestants remarked how amazed they were to discover the wide range of information the investigators were able to access about them, their family, and their friends. Some didn't know their location could be tracked through a cell phone or a photograph posted on social media.

Of course, these contestants, as well as any families and friends who might help them, had to sign numerous waivers to allow the investigators to access and collect much of this information. But how much information would be available without such a waiver or court order? In 2015, the European Union adopted an information privacy directive that is generally viewed as highly protective of an individual's privacy. In the United States, there have been discussions over recent years about similar legislation without much headway, mostly because of differences between Europe and the United States in attitudes toward data collection, as well as concerns about First Amendment infringement.

Does there need to be increased transparency by companies that collect data for marketing purposes? Would clearer disclosures make consumers less likely to participate in rewards programs and other activities that involve data collection, to closely guard their personal information and interests? As always, we welcome your feedback.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 10, 2017 in privacy

April 3, 2017


Governance Down Under

When I was a product manager responsible for faster ACH, I had a ringside seat to the lengthy maneuvering required to garner sufficient votes to mandate same-day ACH after the first attempt failed. We can anticipate similar maneuvering as we continue making fundamental improvements to payments, including the various initiatives under way around faster payments.

All of this harkens back to a compelling conference presentation that treasury representatives of a very large U.S. retailer gave several years ago. That presentation focused on the potential benefits of adopting a comprehensive, self-regulating governance model like Australia's. The Australian Payments Clearing Association (APCA) offers key payment stakeholders a seat at the table, thus balancing competing interests among parties in the payment chain.

I agree that the APCA could offer a template for any governance model being contemplated in the United States.

The APCA, to paraphrase, characterizes itself as being responsible for managing and developing regulations, procedures, policies, and standards governing payments clearing and settlement. Standing with and behind them is the authority conferred by the Reserve Bank of Australia (RBA), that country's central bank.

The 100-plus APCA members include a broad cross section of financial institutions, major retailers, and payments providers. The APCA board comprises an independent chair, the chief executive officer, two additional independent directors, eight nonvoting appointed or elected directors, and an RBA representative.

The expected completion later this year of a new payments system will be one of the APCA's more noteworthy achievements. The New Payments Platform, or NPP, will offer a low-value, faster payments service. The APCA partnered with 12 financial institutions to fund the NPP's development costs.

The APCA is divided among the following operational areas:

  • Checks
  • Direct debit/credit—equivalent to ACH in the United States
  • Wire transfers
  • Cash—sets rules for the exchange and distribution of cash among participating financial institutions
  • Card issuers/acquirers—sponsors a forum for collaboration
  • COIN (Community of Interest Network)—offers a shared infrastructure supporting connectivity for payments such as checks, direct debit and credit, cards, bill pay, and others

Here in the United States, the Federal Reserve has already created a couple of bodies with some similar features: a task force on faster payments and another task force focused more broadly on secure payments for legacy and emerging payments. Both task forces include broad representation from financial institutions, payment providers, businesses, consumer groups, regulators, law enforcement, and others. Perhaps the biggest difference between the APCA and these two work groups is the ad hoc, limited duration of the Fed groups and their mandate, which is limited to an advisory role. But there are some other activities that the APCA handles that here in the United States are handled by various disparate entities, a situation that hampers coordinated action.

What are your views on what, if anything, we should do to enhance payments governance in the United States?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 3, 2017 in payments systems, regulators
