Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

August 22, 2016

As with Nuclear Disarmament, So with ACH: Trust, but Verify

During his remarks at the signing of a nuclear disarmament treaty with the U.S.S.R. in 1987, President Ronald Reagan drew upon the old Russian maxim, "Doveryai, no proveryai," or "Trust, but verify." As with disarmament, businesses and others that originate automated clearing house (ACH) payments should be offered some way to verify an account, something more than hope and a prayer that the payment recipient's routing/transit number and account number are correct and that the recipient is an owner of the account.

The lack of efficient account validation options is a common complaint against the ACH. Surveys that NACHA conducted in 2012 and 2015 attest that account validation, as judged by a majority of respondents, is ACH's chief improvement need. Failing to perform account validation creates different levels of risk, depending on the payment application, whether a credit is pushed or debit is pulled and whether it is a recurring or one-time payment.

On July 19, NACHA's Payments Innovation Alliance and Board Advisory Group released two papers reviewing and critiquing existing methods for verifying bank accounts by financial institutions and businesses. The papers also suggest that a remedy to the account validation problem may be in the offing.

In both papers, NACHA defined account validation as follows:

A service wherein a business or financial institution can validate the accuracy of the account information received from a consumer or business, and the ability of that account to receive electronic payments.

Following are the various methods that NACHA identifies—and that I've complemented with my own research—that are used today to validate accounts:

  • Manual validation—A consumer's check verifies the account and identification verifies the consumer's identity. Alternatively, the originator can call the recipient's bank to confirm account details, assuming the bank is willing to provide the information, though it is risky for the bank to share such information over the phone.
  • ACH validation, via a zero-dollar prenote verification payment—If the account number is incorrect, the recipient's bank responds within three business days, though this timeframe can be shortened by using same-day ACH. As the papers state, this is a "no news is good news" form of verification. NACHA is exploring opportunities to improve the prenote process beginning in late 2016.
  • Challenge deposit validation—Typically, two micro-deposits of random amounts are made to the recipient's account and subsequently verified by the accountholder to the payment originator. Even if the account is successfully verified, the originator may subsequently be unable to debit the account because that account blocks debit payments. To identify debit blocked accounts, some originators debit the bank account equal to the micro-deposits. This method is fraught with a high abandonment rate by the consumer due to the hassle of verifying the deposits. One large online originator says that about 30 percent of consumers selecting the deposit validation method fail to verify the payment amounts. This method can take from five to seven business days—though, as with prenoting, the process can be expedited by using same-day ACH.
  • Instant validation—The customer logs into his or her bank from the company's website to establish ownership of the account. The same online originator said that 25 percent of its customers selected this validation method over deposit validation. Many consumers hesitate to use this method because the use of a third party increases the chance their banking credentials will be compromised.
  • Validation services—Service providers with access to a large number of accounts, offer scoring services that simulate or predict the likelihood an account number is "good." Though improving, these service offerings are limited for non-financial institution originators.

A solution to the problem may be in store through the World Wide Web Consortium and others working to develop a standardized application programming interface, or API, for account validation. This would allow payment originators or their service providers restricted access to bank data to verify accounts using a universal, standardized process while protecting banking credentials. Let's hope that key stakeholders rally around this important initiative and push for a speedy implementation so that we carry through with a new maxim of "Trust, but truly verify."

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

August 22, 2016 in ACH, authentication | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 8, 2016

When Fraud Hits Home: Questioning Today’s Authentication Methods

My wife was the recent victim of a vehicle burglary. Unfortunately, the bad guys got away with a wallet that included a driver's license along with several debit and credit cards. Since my wife is a cash-averse individual, I thought little harm, if any, would ensue since she reported the cards stolen within minutes of the crime taking place. What I thought could have been a simple stolen card scenario quickly escalated to a major assault on a demand deposit account (DDA) thanks, in large part, to authentication failures by the financial institutions involved.

Two days after the theft and with only a driver's license and a canceled debit card to identify the bank, the burglar, or an associate, was able to withdraw money from my wife's DDA by using a generic withdrawal slip found at most bank and credit union branches. They also cashed a counterfeit check drawn on another financial institution (FI) that, along with the bad check fee, was charged against my wife's account when the payor bank returned the check. While I am not sure whether the employees at the bank followed proper authentication protocols, there clearly was a breakdown as the thief was able to use the stolen driver's license to first obtain my wife's DDA number and then fraudulently withdraw funds.

While the breakdown in authentication is concerning, the FI's solution for improving authentication with my wife's new account is archaic—a password. The FI suggested that she open a new account and password-protect the account. When making an in-person transaction, she will be required to state the password before a transaction can be completed or account information revealed in addition to other authentication measures that were already in place.

My wife, not comfortable with the new proposed account set-up or with the failure in authentication on the old account, decided to seek a new FI relationship. Clearly she believed that a more technology-driven solution would have been substantially better from both a security and user standpoint than the proposed password solution. And this got me wondering. With all the efforts and investments in authentication technologies, why are passwords still being used for banking and payment transactions in 2016? What will it actually take to "kill the password," which we have been talking about for years? We are in the midst of a technology revolution, yet authentication methods from 2,000 years ago are still being suggested for use today as the primary means to protect money and assets.

In Singapore, the government has mandated two-factor authentication while allowing consumers to retain some choice in the authentication factor. In the United States, the Federal Financial Institutions Examination Council, or FFIEC, issued guidance in 2011 regarding the use of multi-factor authentication for Internet transactions. Is guidance concerning authentication enough? Without favoring any particular solution or technology, is it time to adopt better authentication methods in the United States? I am not advocating mandate like in Singapore, but my wife can give you more than 2,500 good reasons why it should be considered.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 8, 2016 in authentication | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 8, 2016

Will Biometrics Breed Virtual Clones?

In the middle of last November, our group, the Retail Payments Risk Forum, hosted a conference on the application of biometrics for banking applications. For me, one of the important "ah-ha" moments from the conference was hearing about the potential downside to the technology. While the various speakers and panelists certainly pointed out the powerful security improvements that could result from an increased use of biometrics, there were also thoughtful contributions about what could go wrong. To illustrate one of these downsides, let me take you back to the breach that occurred at the United States' Office of Personnel Management (OPM) earlier this year. For those who may have applied for a position with a government agency over the last 20 years or so, the form letter notifying you of the potential breach of your personal data read like this:

Since you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently (emphasis mine) limited.… If new means are identified to misuse fingerprint data, additional information and guidance will be made available.

The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.

Biometrics are sure to proliferate in the next few years. I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it. Consider a future breach and the subsequent form letter from some entity that has built biometrics into its payment process. It could include all of those things noted in the OPM excerpt above. Additionally, victims could also have to be told that their iris, facial, and voice prints along with their DNA were taken. A virtual clone masquerading as me makes me shudder. Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.

The work to advance biometric security needs not just to be focused on advancing the accuracy and efficacy of the usage, but also to have a heavy emphasis on protecting the data collected—while it's collected and used and when it's at rest, in storage. And no matter how good all of that work is, I hope that choices for transacting business remain. Cash, which requires no authentication, and paper checks, which authenticate with a signature, figure to provide useful alternatives for quite some time.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 8, 2016 in authentication, biometrics, data security, identity theft, innovation | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 4, 2015

Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.


The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Keeping Up with the Criminals: Improving Customer Authentication:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 9, 2015

Who's to Stand in for Mom?

You have likely heard about the fraud that's clouding one of the newest mobile payment solutions. Credit where it is due, the security underpinning the mobile payments themselves represents an amalgamation of strong advances including such things as tokenization, biometric authentication (at the time of the transaction), encryption, and on-device secure storage. The problem that's generating the latest buzz pivots around a gap in authentication—specifically, verification of the legitimacy of those registering the cards that will be used to effect subsequent transactions. Truth is, this isn't a misstep by a singular entity. We've seen this trouble pop up in any number of payment channels.

Some institutions have put a lot of thought into enrollment authentication while others may have felt a need to rush to market at the expense of developing a fully effective authentication process. In November 2014, First Annapolis Consulting/M & A Advisory Services documented various approaches in use by issuers and followed up this past February with emerging best practices and recommendations.

To tack in the way I want for this topic, I will quote a thought provided in one of our recent forums that was given by Peter Tapling, president and CEO of Authentify Inc.: authentication is proving "you are who your mother says you are." This could be key to the best practice of all. But if moms everywhere prove disinclined to authenticate all of us rascals at the provisioning stage (and let's be frank, they're a little busy) can another stand for Mom in this place?

Since we're talking about payments, banks seem a logical option. Consider these highlights of their responsibilities related to "customer due diligence" (CDD) as detailed by the Federal Financial Institutions Examination Council:

  • The concept of CDD begins with verifying the customer's identity….
  • The cornerstone of a strong… compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all (emphasis added) customers…
  • CDD policies, procedures, and processes are critical to the bank because they can aid in:
    • Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
    • Adher(ing) to safe and sound banking practices….
    • Provid(ing) guidance for resolving issues when insufficient or inaccurate information is obtained.

The context of the excerpt above is BSA/AML—or Bank Secrecy Act/anti-money laundering—compliance and is generally applied to customers in the business space. However, it seems reasonable to think the skill set might be brought to bear wherever there is need. Banks are clearly best positioned to determine who is setting up a payment and whether or not that person should be. Yet the responsibility is a broad one. Those party to any payment solution, including innovators, provisioning banks, and consumers, should demand that new and extant solutions include enrollment authentication that is well considered and properly coordinated using the best techniques for thwarting fraud. To get the best authentication, it's about who you know—and also, who knows you, besides your mother.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

March 9, 2015 in authentication, mobile payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Who's to Stand in for Mom?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 14, 2014

Mobile Biometrics: Ready or Not, Here They Come

Apple's recent announcement about the release of its mobile wallet app—called Apple Pay—energized the mobile payments community. One reason for the spike of interest is Apple Pay's use of fingerprint biometrics as an additional layer of security in validating customers and their transactions. What may have gotten a little a little lost in the chatter that followed this announcement was another, related announcement. As reported in a September 19 FinExtra story, MasterCard (MC) announced it had completed a pilot project that used a combination of facial and voice recognition on a smartphone. MC said that the trial program—which involved MC employees around the globe conducting 14,000 transactions—had a successful validation rate of 98 percent.

The Apple and MC announcements together certainly show that the future of the additional security options on smartphones looks promising. As a recent post noted, consumer research has consistently found that consumers' largest concern about using mobile phones for financial transactions is security. But are biometric technologies ready for prime time? Will their application in the payments ecosystem really give payment providers more confidence that the person they are dealing with is not an imposter?

The latest generations of Apple and Android smartphones are equipped with fingerprint scanners, cameras, and microphones, which allow for the use of fingerprint, voice, and facial recognition. But limitations exist for each of the techniques. The Apple and Android fingerprint readers, for example, were compromised within days of their initial release. And facial and voice recognition applications work best in controlled conditions of lighting and with limited background noise—an unlikely environment for a smartphone user on the go.

But security experts agree that additional customer authentication methodologies—beyond the common user ID and password entry fields—increase the overall authenticity of transactions. Numerous companies are continuing to focus their research and development efforts on improving the reliability and use of their authentication products. So while there is no "one size fits all" authentication solution over the weak and easily compromised ID-and-password method, these biometric methods represent a step forward, and are likely to improve over time.

The Retail Payments Risk Forum is taking a close look at biometrics technology and its impact on the payments system. We are working on a paper assessing biometrics and authentication methodologies that will probably be released by the end of the year. We're planning a forum to be held this upcoming spring on mobile authentication technologies. And we're continuing to write posts on the topic in Portals and Rails.

Please feel free to contact us with your suggestions on biometric issues you would like to see us address in our continuing efforts.

Lott_david_01 By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


October 14, 2014 in authentication, biometrics, innovation, mobile banking | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Mobile Biometrics: Ready or Not, Here They Come:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 6, 2014

Starting Off on the Right Note with Mobile Enrollment

In Rogers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

Photo of Douglas A. King

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 6, 2014 in authentication, financial services, mobile banking, mobile payments, payments systems | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Starting Off on the Right Note with Mobile Enrollment:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 29, 2014

Let's Talk Token, Part II: Distinguishing Attributes

Several weeks ago, Portals and Rails embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. Since writing the first post, payment tokens has jumped front and center in the payments community when Apple introduced Apple Pay, which uses tokenization. Also, the Mobile Payments Industry Workgroup just released a detailed white paper recounting their recent meeting on the current tokenization landscape in the United States.

In today's installment, we look at some distinguishing attributes of the end-to-end token initiatives currently under way and consider their impact on mitigating risk in payments transactions.

  • Token format: Common ground exists in the payments industry in terms of the token format. The end-to-end token solution relies on the creation of a token, known as a device account number (DAN), to initiate a payment in place of the original primary account number (PAN). To mitigate operational risks and make use of existing messaging rules and applications associated with the payment transaction, it is imperative that the format of the DAN preserves the format structure of the PAN. This means that DAN generation should be as random as possible, even while preserving the original PAN format structures to maintain basic card or account validation rules associated with the PAN.

  • Token type: Payment tokens can be dynamic or static. Dynamic tokens are valid either for a single transaction or for a limited number of transactions occurring in a very short time. By the time a fraudster intercepts a dynamic token, it has likely already expired, so the fraudster can’t use it. However, there is a slight down side to dynamic tokens—they can work against loyalty programs as well as some back-end fraud detection systems. Because each transaction has a different DAN, merchants and processors cannot consolidate multiple transaction information for an individual cardholder.

    On the other hand, static tokens are multi-use, so they allow merchants to connect the token user with past transactions. But given their multi-use nature, they are not as secure as dynamic tokens. For additional security, each transaction with a static token can include an additional element: a uniquely generated cryptogram.

  • Device coverage: Tokens can be created and stored either on a secure element on a mobile phone or in a cloud. Much industry discussion focuses on which approach is more secure, but the approach also has an impact on device access to the token. Storing a token only on secure elements limits tokens to mobile phones, a situation that does not address the significant volume of card-not-present payments that consumers conduct on computers and other devices. Alternatively, storing a token in a cloud would allow any connected device (mobile, tablet, laptop, or computer) to access the token, so all e-commerce transactions would be covered.

  • Token service provider: A number of parties can play the critical provider role. The provider is ultimately responsible for generating and issuing the DAN, maintaining the DAN vault, and mapping the DAN to the PAN for presentment to the issuer that ultimately authorizes the transaction. A network, issuer, processor, or another third-party provider can perform this role. We can make a case for any of these parties to play the role, but the critical risk mitigation factor to note is that the merchant should never see the PAN, thereby preventing a breach of payment card data within their systems.

To date, a standards body controlled by the largest global card networks and a company representing the largest global banks has driven most of the payment tokenization standardization efforts. Although these organizations have advocated for public discussions and input in an open environment, some critics argue that the management of standards development should be left to an open-standards body such as X9 or ISO. Tokenization efforts and standards will continue to evolve as tokenization may play a critical role in mitigating payment risk in the future. Still, security challenges will remain even with its adoption. In the next installment of this tokenization series, we will examine risks that that a tokenized payments environment won't resolve, and risks that will be all new.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 29, 2014 in authentication, fraud, mobile payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Let's Talk Token, Part II: Distinguishing Attributes:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 8, 2014

Seeking a Successful Biometric Solution

As an earlier post noted, advances in technology have spurred the implementation of various biometric authentication methodologies in the consumer market. But as people are discovering, not all methodologies are equally suited for all applications. Those who are implementing such applications have to consider risk level, cost, operating environment, and targeted population. They also have to evaluate a number of other factors to determine if a particular biometric is better suited than another for an intended application. These factors include but are not limited to:

  • Uniqueness. While the biometric doesn't always have to be unique to every individual on the planet, the probability that two people share a particular characteristic should be unlikely enough to prevent an unacceptable number of false acceptances (when one person is wrongly authenticated as another). For example, fingerprints are considered to be unique to every individual, but current smartphone fingerprint readers have such low-resolution scanners that the possibility of a false acceptance is one in 44,000. This rate is most likely sufficient for many applications, but a high-dollar transaction may require supplemental authentication.
  • Universality. The targeted characteristic must be present in the overall population, with only a few exceptions. Only a couple of biometric elements, such as DNA and facial recognition, can provide complete population coverage. Hand geometry and vein recognition, for example, won't work on people who are missing fingers or other body parts.
  • Permanence. The characteristic should not change over time. Even though people can alter almost any physical characteristic through medical procedures, the possibility of such alteration to the characteristic being considered for biometric authentication should be infrequent among the population—and the alteration procedure should be relatively expensive.
  • Collection ease. The more invasive the collection of the biometric sample, the more resistance people will have to it. People tend to view facial and voice recognition and fingerprinting as noninvasive but retinal scans as highly invasive—a light beam scans the back of the person's eye, which can be very uncomfortable.
  • Performance. The biometric element must support the creation of a template that is accurate and quickly obtained while also providing minimal database storage requirements. A system that takes a long time to authenticate someone during peak usage periods will encounter user dissatisfaction and possibly decreased productivity.
  • Accuracy. Individuals should not be able to fool the system. Fingerprint readers should verify that the right fingerprints belong to the right person, that a spoken phrase is live and not recorded, and so on.
  • User-embraced. Even when people have to use certain biometric authentication systems as a condition of their employment, the technology should be one that has a high level of acceptance, with minimal cultural, religious, collective bargaining, or regulatory implications.
  • Cost-effectiveness. As with all risk management practices, the cost of implementing and operating the system must be commensurate with the risk exposure for using a less secure authentication system.

As you consider the possibility of implementing a biometric authentication methodology for your customers, I hope you will find these evaluation elements helpful.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2014 in authentication, biometrics, innovation | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Seeking a Successful Biometric Solution:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 18, 2014

Crooks Target Business Clients

Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.

Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:

  • Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
  • Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system

Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.

The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 18, 2014 in authentication, cybercrime, data security, identity theft | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Crooks Target Business Clients:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

October 2016

Sun Mon Tue Wed Thu Fri Sat
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          



Powered by TypePad