Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
October 15, 2018
An Ounce of Prevention
Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.
As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.
SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.
Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.
Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.
As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.
By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed
October 1, 2018
Safeguarding Things When They’re All Connected
In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.
- Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
- Check with reliable product review sites to see what others have to say about the product’s security features.
- If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.
- Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
- Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
- Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
- Register your device with the manufacturer to be notified of security updates or recalls.
- Add the device to your separate network if available.
If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.
We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.
By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 24, 2018
Racing Ahead in the Wireless Space
This past Sunday, Eliud Kipchoge smashed the marathon world record at the Berlin Marathon, with a time of 2:01:39, shaving 1 minute 22 seconds off the previous world record. Though some running experts claim a marathon under two hours will never happen, I think elite runners will continue to push the speed envelope and we will witness a sub-two-hour marathon one day.
The marathon isn’t the only area where the speed envelope is being pushed. Another area, and the focus of today’s blog, is in the wireless space.
It was in 2002 when the first commercial 3G network launched in the United States. 3G made it possible for our phones to run applications using a global positioning system (GPS) or using videoconferencing, among other things. The second half of 2010 marked the first commercial launch of 4G in the United States, with many of the mobile network operators launching this service. 4G expanded on the speed of 3G and made it possible for consumers to access the web with their mobile devices, stream high-definition video, and connect Internet of Things devices.
Now, as we approach the fourth quarter of 2018, we are on the cusp of 5G networks, which will be 10 times as fast as our 4G networks. According to a recent Wall Street Journal article on 5G that sparked my interest in the topic, the speed of 5G networks will allow the proliferation of applications such as self-driving cars, virtual reality, and remote surgery. And this got me thinking, what impact will 5G have on the future of commerce, payments, and security?
I haven’t spent any time researching that last question, but no doubt there will be significant benefits and risks that 5G networks will introduce into retail payments. I can draw inspiration from one of my favorite cartoons, the Jetsons, and think ahead to what a Jetson house might look like in 2025: one that is filled with connected devices that communicate with not only us but also each other. Close your eyes and imagine a house with a robotic vacuum that communicates with a virtual home assistant when it needs new bags—and zero human interaction is needed in the process. Or imagine a vehicle that drives itself to the nearest gas station when the low-fuel light appears. Undoubtedly, this new faster-speed wireless world will create security threats that we have yet to face.
So as we at the Risk Forum think about the possibilities and new risks of a 5G world and its impact on commerce, payments, and security, what should we be paying attention to?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 17, 2018
Insuring against Business Email Compromise Fraud
In July, an FBI public service announcement reported that global losses from business email compromise (BEC) fraud exceeded $12.5 billion in the four-and-a-half years from October 2013 to May 2018. Important to managing any fraud is a good risk management strategy, as my colleague recently discussed. The table lists some of the strategies you can use to protect yourself against BEC.
|Risk Management Strategy Elements||Description||Example|
|Avoidance||Implement policies and procedures to avoid risk.||Accept no payment transaction instructions via email.|
|Mitigation||Use controls and policies to reduce risk.||Require dual authorization for large-value payments.|
|Transfer||Transfer the losses associated with a fraudulent event.||Purchase an insurance policy.|
|Acceptance||Budget for fraud losses and litigation/fines related to security incident.||Maintain funds in a reserve account.|
This post will focus on risk transfer—specifically, it will discuss some appellate court legal developments on insurance policies and coverage related to BEC scams. This post is not intended to offer legal advice but rather, by highlighting rulings in three recent cases, to illustrate some of the challenges associated with BEC scams and transfer strategies using insurance policies. The question is whether or not the computer fraud coverage in a commercial crime policy covers losses from social engineering fraud such as BEC or payment instruction fraud. Judgments in three recent cases have been mixed, one in favor of the insurance company and two others in favor of the compromised businesses.
In April, the Ninth Circuit Court of Appeals ruled that Aqua Star's losses stemming from payment instruction fraud, a type of BEC scam, were not covered under its computer crime insurance policy. In this case, a criminal posing as a vendor of Aqua Star duped an employee through email to change the vendor's bank account information. More than $700,000 was wired from the company to the criminal's account. The court found that, even though the criminal used electronic means to dupe the employee, the Aqua Star insurance policy did not cover the loss because an authorized employee accessed the company's systems and changed the wiring instructions.
In contrast, in July, appellate courts ruled in favor of two businesses that sought coverage from loss of funds to a BEC scam. In the first, a BEC scheme victimized Mediadata to the tune of nearly $4.8 million. An accounts payable clerk was tricked into wiring money into a criminal's account with an email that appeared to be from the company's president and a spoofed phone call that seemed to be from a Mediadata attorney. The Second Circuit Court of Appeals concluded that, in this instance, Mediadata was covered by its computer fraud policy because the fraudster used a computer code to alter a series of email messages to make them appear legitimate—even though Mediadata computers weren't directly hacked.
Then one week later, the Sixth Circuit Court of Appeals ruled in favor of American Tooling Center (ATC). This company was also victimized by a BEC scheme and lost more than $800,000. In this case, the money was wired to a criminal's bank account after the perpetrator intercepted emails between ATC and a vendor and then began impersonating the vendor. The court rejected the insurance company's argument that the losses were excluded because an ATC employee caused the loss by changing the payment instructions. Instead, the court determined that computer fraud does not require unauthorized access to a company's computer systems and that a company can claim a direct loss as a result of an employee being duped.
These cases show the difficulty in understanding what types of fraud losses might be specifically covered under your insurance policy since the courts do not always agree. Some insurance companies now offer separate BEC riders, which could prove valuable in the event you are a victim of this fraud. Because the crimes can result in significant losses, it is also important to know how much coverage is available under commercial crime policies, and imperative to ensure that the coverage is sufficient for losses that can arise from this type of fraud. Are you insuring your company from BEC fraud?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- An Ounce of Prevention
- Safeguarding Things When They’re All Connected
- Racing Ahead in the Wireless Space
- Insuring against Business Email Compromise Fraud
- The Case of the Disappearing ATM
- The First Step in Risk Management
- Who Owns Your ATM?
- With Social Engineering, It Takes Only One
- Protecting Our Senior Citizens from Financial Abuse
- The FBI Is on the Case
- October 2018
- September 2018
- August 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud