Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 22, 2017
The Year(s) of Ransomware
I remember, as a child, despising the neighborhood kid who would always say, "I told you so." Well, let's move ahead some 30-odd years to the WannaCry ransomware attack—I now feel like that despised child. You see, on March 29 of this year, I emailed the following note to my colleagues in the Risk Forum:
Just a few high-level and interesting notes from the conference.… 2017 & 2018 will be the Year of Ransomware (I can elaborate on this when we are all together—pretty fascinating business models developed here).
Too bad I kept my thoughts to our little group here at the Atlanta Fed and didn't get the message out to the masses (or at least to our Take on Payments readers) prior to the WannaCry ransomware attack that began on May 12. So why did I (and still do) think 2017 and 2018 will both be the "Year of Ransomware"?
Those who know me know that I am not a very technical person. I see things more strategically than technically and usually sprint away from conversations that become technical. After viewing a demonstration on how to launch a ransomware attack, I was shocked to learn that hardly any technical expertise is required to pull off an attack. This is all made possible by the "pretty fascinating business models" that I referred to in my note, business models known as Ransomware as a Service (RaaS).
I'd always envisioned that serious technical code writing capabilities would be a requirement for developing the code to send the malicious files involved in ransomware. And while coding is needed, that is where the RaaS comes into play. You pay someone else to create the malicious code, which you then use to launch a ransomware attack. And to make the attack even more successful, there are simple tools available that allow you to not only test the code against the market-leading antivirus software detection programs but also to tweak the code embedded in the malicious file to ensure that none of the antivirus software programs will detect it. Antivirus software protects users only from known malicious code, which is the reason the software must be constantly updated.
With the undetectable code in hand, you can now launch a ransomware attack through either an embedded file or a link within a phishing email or social media post to a legitimate-appearing, but malicious, website. And this costs little or nothing up front! The cost for the RaaS is only realized once a successful attack occurs, with a portion of the collected ransom paid to the RaaS provider.
Which brings me back to why I think ransomware attacks will continue to escalate, leading to 2017 and 2018 becoming "The Year(s) of Ransomware." They are simple to execute, low cost, and proving to be highly lucrative. (According to the FBI, an estimated $209 million was paid in ransom in the first quarter of 2016.) Expect a future blog post on how to plan for and defend against attacks.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 15, 2017
What Canada Knows That We Don't
In a previous post, I made reference to the pending release of a Bank of Canada study on the costs of point-of-sale payments in Canada. Last month, the study was released. This study covers cash as well as debit and credit card payments. It's a fascinating read that highlights what little comprehensive knowledge we have about comparable costs of payments in the United States.
The scope of the study was limited to the following parties in the payment chain:
- Bank of Canada and Royal Canadian Mint (prints and distributes currency)
- Financial institutions (FIs) and infrastructure providers (includes cash transport companies, payment networks and payment card acquirers)
- Retailers (covers retail trade, accommodation, food services, and personal service providers)
As background, the study categorizes costs of payments from the parties above into social (or resource) and private costs. Social costs include all internal and outsourced costs to parties outside the scope of the study. Excluded are transfer fees paid among parties within the scope of the study (for example, fees paid by retailers to FIs serving as card acquirers). This exclusion avoids overstating total social costs since fees paid to one party in the payments chain are revenue to another party in the payments chain. With this adjustment, aggregating social costs across all parties reflects the total resources expended for the entire country to facilitate payments. True or private costing from a particular party in the payment chain is simply the sum of its social costs plus any transfer fees paid to other parties within the scope of the study. Knowing private costs provides insight into which payment instruments are preferred from a costing perspective.
Here are some selected highlights from the study:
- Total annual social costs clocked in at 15.3 billion (Can$), which comprises 0.78 percent of Canada's gross domestic product (GDP). In comparison, a paper from the Kansas City Fed highlights GDP figures ranging from 0.5 percent to 0.9 percent for other developed countries. Unfortunately, no comparable comprehensive study has been conducted in the United States. Using indirect approaches based on assumptions, some sources have estimated that the cost of the payments system in the United States could be as high as 2 percent of GDP. Unfortunately, we don't have any definitive sources on what the figure really is.
- Below are the average social costs, transfer fees, and private costs (that is, sum of social costs and transfer fees) per transaction across the payment chain (in Can¢) by payment instrument.
We can see that transfer fees among the parties in the payments chain are relatively minimal for cash. Consumers proportionally pay higher transfer fees for debit card payments due to transaction fees paid to FIs. Transfer fees that retailers pay are proportionally high for debit cards and significantly higher for credit cards. Based on private costs alone, credit cards costs are less costly to consumers, while retailers incur the highest cost in accepting credit cards. These findings are generally consistent with studies conducted in other countries.
- Lastly, the study further subdivides costs into fixed costs and variable costs based on the number of payments and by the value of payments. Along with the number and value of payments, costing components in Canadian dollars are itemized below:
The proportion of variable costs to overall costs for cash, debit cards and credit cards comprise 55 percent, 64 percent, and 64 percent, respectively.
Because of the central and significant role payments play in any economy, many current payments policy questions circulate around payments—in particular the costs associated with adopting and accepting various payment methods, fraud experience and prevention, and compliance with security standards and requirements. What are your views on the value of a comprehensive cost survey in this country?
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 8, 2017
Calculating Fraud: Part 1
When analyzing payments fraud rates, we have to consider what is being measured and compared. Should we measure fraud attempts that might have been thwarted—fraud that penetrated the system but might not necessarily have resulted in a loss—or fraud losses? Whatever the measure, it is important that the definition of what is included in the numerator and denominator be consistent to properly represent a fraud rate.
In calculating a fraud rate based on value or number, a fraud tally is needed in the numerator and a comparison payment tally in the denominator. The formula works out as follows:
Fraud Rate = Numerator
Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.
This post offers a process for tallying payments for the denominator. Part 2 of this series will focus on tallying the numerator, basing its approach on the process that the Federal Reserve Payments Study 2016 used. That process includes fraud that initially cleared and settled, not attempts, and does not exclude losses subsequently recovered.
The Fed’s 2016 payments study offers a method for whittling down all payment transactions to a subset of transactions suitable for calculating a fraud rate. Below is an extract, with clarifying commentary, from one of the study’s questionnaires, which asked card networks for both the value and number of payments.
At first blush, totals for value or number under questions 1, 2, 3, and 4 could conceivably be used to provide a comparison tally for fraud. However, we should rule out the total from question 1 since the definition includes declined authorizations, making it unnecessarily broad. Question 2, "total authorized transactions," has the disadvantage of including pre-authorization only (authorized but not settled). While some of these transactions could have been initiated as part of a fraud attempt, they were never settled and consequently posed no opportunity for the fraudster to take off with ill-gotten gains. On balance, the preferred measure for payments is the result of question 3, which measures "net, authorized, and settled transactions." Unlike "net, purchased transactions" under question 4, this measure has the benefit of not excluding some of the fraud captured by chargebacks under question 3b.1. Other types of fraud are not covered under chargebacks, including when card issuers elect to absorb losses on low-value payments to avoid the costs of submitting a chargeback.
We could follow a similar process for tallying payments for ACH and checks, with adjustments to account for potential fraud resulting from the lack of an authorization system like that for cards, which requests authorization from the paying bank.
Part 2 of this series, which covers the process for calculating the numerator, will appear in June.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 1, 2017
Additional Authentication: Is the Protection Worth the Hassle?
Last week, we discussed some findings from a research study conducted earlier this year to understand consumer knowledge of and attitudes regarding other authentication methodologies.
The survey participants read a brief description of alternative authentication methods and then answered a series of questions regarding their attitudes about the ease of use and willingness to adopt these alternatives. Some of the authentication methodologies reviewed were:
- Fingerprint biometric
- Device location
- Eye vein biometric
- Facial recognition
- Device fingerprinting/identification
- KBA (knowledge-based authentication, or personal data challenge questions)
- Two-way text message
- Voice-recognition biometric
The participants were asked to rate the ease of use for the alternative methodologies. The table shows the percentage of respondents rating the methodology as “very easy” or “somewhat easy.”
All age segments rated the user ID and password as the methodology having the greatest ease of use. All the groups ranked the eye vein biometric low in user ease; voice and facial recognition also scored low across the segments.
One key finding, which points out the continuing need for consumer education, was that many people did not understand the various alternative methodologies, even after reading a description and the pros and cons of each. Seniors were more likely to respond “Don’t Know”; millennials indicated a greater level of understanding.
Of particular interest, the study probed the ability of a financial incentive to entice customers to agree to adopt additional authentication tools. Just over half (51 percent) of the respondents indicated they would agree to additional authentication tools without any financial compensation. Offering a one-time $10 cash bonus would result in an additional 15 percent, and raising the ante to $25 would bring in 9 percent more. One-fourth of the respondents indicated they wouldn’t sign up for additional authentication with or without an incentive. Seniors are the least likely group (33 percent) to adopt additional authentication without an incentive, and millennials are the most likely (62 percent).
While the level of resistance by consumers to adopting stronger authentication processes seems to be dropping, there remains a strong need for customer education to demonstrate the benefits over any inconvenience. Meanwhile, a number of financial institutions and merchants are using covert authentication tools such as transaction-pattern anomalies and risk-based transaction scoring based on historical fraud experiences.
Passwords are likely to be around for quite some time as a basic means of authentification, but the payments industry and consumers must work together to provide a higher level of security for transactions. Do you think disincentives such as the service remaining free if you agreed to use additional authentication tools or being charged a monthly fee if you remain with a password as your only means of authentication are viable options? As always, your comments are welcome.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- The Year(s) of Ransomware
- What Canada Knows That We Don't
- Calculating Fraud: Part 1
- Additional Authentication: Is the Protection Worth the Hassle?
- Would Consumers Ever Give Up Their Passwords?
- Will the Password Ever Die? Part 1
- Catch Me If You Can
- Governance Down Under
- Don't Forget the Check
- Fraud Reduction at the IRS: Some Happy Returns
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud