Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
September 26, 2016
AdmiNISTering Passwords: New Conventional Wisdom
I have lived long enough to go through several cycles of "bad" foods that are now deemed not to be so bad after all. In the 1980s, we were warned that eggs and butter were bad for your heart due to their level of cholesterol. Now, decades of nutritional studies have led to a change in dietary guidelines that take into account that eggs provide an excellent source of protein, healthy fats, and a number of vitamins and minerals. Similar reversals have been issued for potatoes, many dairy products, peanut butter, and raw nuts.
Much to my surprise, much of the old, conventional wisdom about passwords has been spun on its heels with proposed digital authentication guidelines from the United States National Institute for Standards and Technology (NIST) and an article from the Federal Trade Commission's (FTC) Chief Technologist Lorrie Cranor regarding mandatory password changes. Some of NIST's recommendations include the following:
- User-selected passwords should be a minimum of 8 characters and a maximum of 64 characters. Clearly size does matter, as generally the longer the password, the more difficult it is to compromise.
- A password should be allowed to contain all printable ASCII characters including spaces as well as emojis.
- Passwords should no longer require the user to follow specified character composition rules such as a combination of upper/lower case, numbers, and special characters.
- Passwords should be screened against a list of prohibited passwords—such as "password"—to reduce the choice of easily compromised selections.
- Systems should no longer support password hints, as they often serve as a backdoor to guessing the password.
- Systems should no longer use a knowledge-based authentication methodology—for example, the city where you were born—as data breaches and publicly obtainable information have made this form of authentication weak.
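To make the draft rules concrete, here is an added example (my own code, not NIST's or the post's) that checks a candidate password the way the list above describes and contrasts it with the older composition-rule policy; the blocklist is a constructed stand-in for a real prohibited-password list.

```python
import string
import unicodedata

# Constructed stand-in for a real prohibited-password list (breached or
# most-common passwords); a production list would be far larger.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein"}
MIN_LEN, MAX_LEN = 8, 64


def nist_check(pw: str, blocklist=BLOCKLIST):
    """Draft NIST rules as the post lists them: 8-64 characters, any printable
    character including spaces and emoji, no composition rules, rejected only
    if it appears on the prohibited list. Returns (ok, reason)."""
    # NFKC folds look-alike Unicode forms (ligatures, full-width letters) so the
    # blocklist match is not trivially evaded (assumption: verifier normalizes).
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)  # counts code points, so a single emoji counts as one character
    if n < MIN_LEN:
        return False, "too short"
    if n > MAX_LEN:
        return False, "too long"
    # Only control characters (tab, newline, ...) are refused; spaces are fine.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        return False, "control character"
    if pw.lower() in blocklist:
        return False, "prohibited password"
    return True, "ok"


def legacy_check(pw: str):
    """The older composition-rule policy, for contrast: 8-16 characters with at
    least one upper-case letter, lower-case letter, digit and punctuation mark."""
    if not MIN_LEN <= len(pw) <= 16:
        return False, "length must be 8-16"
    required = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(required):
        return False, "missing a required character class"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "smothered and covered hash browns", "🍳🥓🧈☕ at 7am"):
        print(repr(candidate), "legacy:", legacy_check(candidate), "nist:", nist_check(candidate))
```

Note that "P@ssw0rd" satisfies every composition rule yet is rejected under the NIST approach because it is on the prohibited list, while a long spaced passphrase or an emoji password fails the legacy rules and passes the new ones.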
The FTC's Cranor argues in her post that forcing users to change passwords at a set interval often leads to the user selecting weak passwords, and that the longstanding security practice of mandatory password changes needs to be revisited. Her position, which is backed by recent research studies, is consistent with, but not as strong as, NIST's draft guideline, which says that users should not be forced to change passwords unless there has been some type of compromise, such as phishing or a data breach. Cranor's post does not represent an official position of the FTC and recommends that an organization perform its own risk-benefit analysis of mandatory password expiration and examine other password security options.
So while I finish my breakfast of eggs, hash browns (smothered and covered, of course), and buttered toast washed down with a large glass of milk, I will continue to ponder these suggestions. I would be interested in your perspective so please feel free to share it with us through your comments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 19, 2016
Mobile Banking and Payments—What's Changed?
This week, the Federal Reserve Banks of Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond are launching an online mobile banking and payments survey to financial institutions based in their respective districts. The purpose of the survey is to achieve a better understanding of the status of the mobile banking and payments initiatives, products, and services that financial institutions offer in the various regions of the country. The results of the survey at the individual district level should be available to participants by mid-December; a consolidated report for all the districts will be published in early 2017.
The last survey, which had 625 participants, was conducted in the fall of 2014. That was before the launch of the various major mobile wallets operating today, so it will be interesting to see what level of impact these wallets have had on the mobile payments activity of financial institutions. You can find the results of the 2014 Sixth District survey on our website. This survey effort complements the 2016 Consumer and Mobile Financial Services survey conducted by the Federal Reserve Board's Division of Consumer and Community Affairs.
First designed by the Federal Reserve Bank of Boston in 2008, the survey has been updated over the years to reflect the many changes that have taken place in the mobile landscape in the United States. Similar to past surveys, the 2016 survey looks to capture:
- Number of banks and credit unions offering mobile banking and payment services
- Types of mobile services offered or planned
- Mobile technology platforms supported
- Features of mobile services offered or planned
- Benefits and business drivers associated with mobile services
- Consumer and business adoption/usage of mobile services
- Barriers to providing mobile services
- Future plans related to mobile payment services
If your financial institution is based in one of the participating districts and has not received an invitation to participate in this year's survey, please contact your district's Federal Reserve Bank. For the Sixth District, you can contact me via email or at 404-498-7529. You can also contact me if you need assistance in locating your district's lead survey coordinator.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
September 12, 2016
Risk Mitigation Isn't Just for Banks
My summer in Atlanta wouldn't be complete without "shooting the Hooch." Friends and family gather upriver on the Chattahoochee River, bringing rafts, tubes, or kayaks for a chance to beat the pervasive southern heat. This year, towards the end of our two-hour float, we came upon Diving Rock, a crowded swimming hole where people stop to watch cliff jumpers. A jumper can choose either a 20- or a 30-foot freefall into the river below. As the family's "chief risk officer," when my eight-year-old son asked me if he could jump, I quickly assessed the inherent and residual risks of such an activity at this location. I concluded that our family was risk-averse in this situation and there would be no jumping.
Conversely, when my son asked if he could play tackle football, I decided we had an appetite for this type of risk. I don't want to detail all of the risk factors compared to the mitigation controls that went into my assessments and ultimate decisions. But looking at these two personal examples made me wonder: in a business context, who else is faced with important risk decisions? And who, besides banks, should be conducting constant risk assessments for their organization?
A tax preparer faces fines and, in extreme cases, jail time for filing returns with errors. Those who receive return-related penalties can also face suspension or expulsion of themselves or their entire firm, or other enforcement action by the IRS. Can a tax preparer be held liable for filing returns with errors even if unaware that the taxpayer was acting illegally? The tax preparer is held to the reasonable person standard, so if it is something he or she should have known, yes. But if the client omitted pertinent details, the tax preparer might have no way of knowing. Since the consequences are severe, should the tax preparer dig deeper and try to catch fraudulent client activity prior to submitting a return or keep blinders on?
I pay for monthly parking at a city garage. This week I found out that they monitor my activity closely with the access card I use. They know whether or not my car is in or out of the garage. They have triple-factor authentication to prevent parking space fraud. To get in or out, the gate requires the weight of a vehicle at the gate, an authorized access card, and a correct in/out record on the card before it lets you through.
Doesn't it stand to reason that all organizations—whether they're responsible for tax preparation, parking space provision, or payment network access—in pursuit of success, whatever that is for them, should conduct assessments and implement mitigation controls in order to understand how customers engage in their services, especially if they can be held liable for those activities? Should payment services be any different and if so to what extent?
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed