About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

August 28, 2017


Identity Theft: A Growing Epidemic

I recently attended a conference that explored improvements in identifying and authenticating individuals. Many of the sessions focused on identity theft. While the conference primarily targeted law enforcement, immigration control, and the military, many of the lessons can easily apply to the public sector. A recent industry report validated the conference's focus, noting that in 2016, 15.4 million Americans were victims of identity theft, an increase of 18 percent from the previous year.

Identity theft (also called identity fraud) covers a wide range of crimes in which the criminal obtains and illegally uses another person's personal information in a fraudulent or deceptive manner, typically for economic benefit. In most cases, the criminals get personal information through a data breach, but malware on a computer or mobile phone or email phishing are other sources. Sometimes criminals can get enough personal information from public data—such as property and voter records, as well as social media accounts—to create a false identity and commit a crime.

Social Security numbers appear to be the most valuable information element in creating false identities. For this reason, legislation was passed in 2015 mandating that the Centers for Medicare and Medicaid Services (CMS) remove Social Security numbers from Medicaid cards. CMS recently announced that it will reissue Medicaid cards in April 2018 with a new beneficiary identification scheme.

The criminal actions of identity theft include using account numbers to obtain merchandise that can be monetized, filing fraudulent tax refund returns, and applying for credit to buy cars, lease homes, or even get home equity lines of credit. Outside the financial services arena, identity theft crimes include obtaining medical services, social program benefits, and false identification documents.

The Identity Theft Resource Center is a nonprofit organization established in 1999 to help identity theft victims resolve their cases and to broaden public education and awareness of identity theft, data breaches, cybersecurity, scams and fraud, and privacy issues. The center also tracks the number of data breaches across five industry sectors. As this chart shows, businesses remain the number one target for data breaches, and the number of attacks targeting businesses increased 4.4 percent during the first half of 2017 compared to that same period in 2016.

Us-breaches-by-industry-sector-chart

The increased use of chip cards at merchant terminals has made it more difficult for the criminal element to commit point-of-sale card fraud. Meanwhile, however, overall identity theft fraud is on the rise. So how do we combat this growing threat? We will look at some threat mitigation tactics and tools in a future post.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

August 28, 2017 in authentication, cybercrime, data security, identity theft, malware | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 12, 2017


Watching Your Behavior

Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.

The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.

In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.

Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.

Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 12, 2017 in authentication, banks and banking, consumer fraud, fraud, mobile banking, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 1, 2017


Additional Authentication: Is the Protection Worth the Hassle?

Last week, we discussed some findings from a research study conducted earlier this year to understand consumer knowledge of and attitudes regarding other authentication methodologies.

The survey participants read a brief description of alternative authentication methods and then answered a series of questions regarding their attitudes about the ease of use and willingness to adopt these alternatives. Some of the authentication methodologies reviewed were:

  • Fingerprint biometric
  • Device location
  • Eye vein biometric
  • Facial recognition
  • Device fingerprinting/identification
  • KBA (knowledge-based authentication, or personal data challenge questions)
  • Two-way text message
  • Voice-recognition biometric

The participants were asked to rate the ease of use for the alternative methodologies. The table shows the percentage of respondents rating the methodology as “very easy” or “somewhat easy.”

Chart-one

All age segments rated the user ID and password as the methodology having the greatest ease of use. All the groups ranked the eye vein biometric low in user ease; voice and facial recognition also scored low across the segments.

One key finding, which points out the continuing need for consumer education, was that many people did not understand the various alternative methodologies, even after reading a description and the pros and cons of each. Seniors were more likely to respond “Don’t Know”; millennials indicated a greater level of understanding.

Of particular interest, the study probed the ability of a financial incentive to entice customers to agree to adopt additional authentication tools. Just over half (51 percent) of the respondents indicated they would agree to additional authentication tools without any financial compensation. Offering a one-time $10 cash bonus would result in an additional 15 percent, and raising the ante to $25 would bring in 9 percent more. One-fourth of the respondents indicated they wouldn’t sign up for additional authentication with or without an incentive. Seniors are the least likely group (33 percent) to adopt additional authentication without an incentive, and millennials are the most likely (62 percent).

While the level of resistance by consumers to adopting stronger authentication processes seems to be dropping, there remains a strong need for customer education to demonstrate the benefits over any inconvenience. Meanwhile, a number of financial institutions and merchants are using covert authentication tools such as transaction-pattern anomalies and risk-based transaction scoring based on historical fraud experiences.

Passwords are likely to be around for quite some time as a basic means of authentification, but the payments industry and consumers must work together to provide a higher level of security for transactions. Do you think disincentives such as the service remaining free if you agreed to use additional authentication tools or being charged a monthly fee if you remain with a password as your only means of authentication are viable options? As always, your comments are welcome.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

May 1, 2017 in authentication, biometrics | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 24, 2017


Would Consumers Ever Give Up Their Passwords?

In a post last week, we revisited the issue of passwords and their suitability in serving as a secure authentication method for consumers to gain access to websites and applications. Payment security professionals generally agree that most consumers do not voluntarily adopt strong security practices in selecting and managing their passwords. Consumers often select easily guessed passwords and even use the same password across numerous websites. Given these tendencies, the payments industry is looking for alternative authentication methods that either consumers could adopt or the industry could perform covertly—methods that would ultimately provide for a higher level of customer authentication.

The Aite Group conducted a research study in January 2017 to understand consumer knowledge of and attitudes regarding other authentication methodologies. In particular, the study looked at responses at the generational level, with the respondent base broken into four age segments:

  • Seniors: 70+ years of age
  • Baby boomers: 53–70 years of age
  • Gen X: 37–52 years of age
  • Millennials (Gen Y): 16–36 years of age

The study revealed a universal attitude that passwords are easy to use. Only 7 percent of the seniors indicated they are difficult to use, compared to 1 percent or less for the other three groups. Millennials use the same passwords the most, with 39 percent indicating they use only one or two different passwords and more than three-fourths (77 percent) using five or fewer passwords among all their online accounts.

The participants were asked to rank the importance of different attributes in their consideration for using their financial institution's online banking service. All the age groups indicated that ease of use is topmost. While a majority within each group also cited strong security and fraud prevention as important, seniors especially indicated its importance, giving it equal weight to ease of use.

Although the majority of the respondents in each of the groups indicated some level of willingness to change their authentication method to access their bank account, as the chart show, there was a clear relationship between their age and level of willingness (see the chart).

Chart-one

So what authentication method did the segments favor? Go read the full report or wait until our next post, which will also discuss whether it will be necessary to offer consumers incentives to get them to change their habits.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 24, 2017 in authentication, biometrics | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 17, 2017


Will the Password Ever Die? Part 1

It has been less than five years since the magazine Wired, in its November 2012 cover story, called for the demise of the password. It has been more than 13 years since Bill Gates called for the elimination of the password at a 2004 RSA conference. Despite these calls to action, the user ID and password remain the most common form of authentication that consumers use online.

Why has the password continued to defy its terminal prognosis? Several reasons come to mind. It remains the most ubiquitous authentication methodology. Even when you factor in the significant costs of companies supporting the need for password resets, I suspect the ongoing operating costs are lower than for other forms of authentication. The reality is that the password is generally a sufficient security tool for accessing low-value applications.

So why is the password criticized so often? Most of the weaknesses in the password are based on the latitude that customers have with selecting and managing their passwords. Surveyed consumers claim to have security in mind when they create passwords, but we have seen the stories about the most common passwords being "password" and the numbers "1-2-3-4-5-6." There is also the practice of using the same password for multiple sites. Frequently, the consumer is not required to use special characters (or the application doesn't accept special characters), nor to change their password on a regular basis.

Despite the frequency of data breaches and all the fallout that comes from them, online merchants are extremely leery of adding additional overt authentication requirements (multi-layered or multi-factor) for fear consumers would abandon their shopping sessions. Given that merchant reluctance along with consumers' general exemption from financial liability if fraudulent transactions are made when their account is hacked and online access credentials are compromised, how likely is it that password weaknesses will improve? So what can be done to strengthen authentication and produce a higher level of confidence that the customer generating a particular transaction is, in fact, the person authorized to perform that transaction?

We will look at some research into the consumer's willingness to adopt additional or alternative authentication methods within the next few weeks. Until then, let us know your suggestions for improving consumer authentication.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 17, 2017 in authentication, consumer protection, cybercrime, data security | Permalink

Comments

With many websites willing to "remember" passwords for future use, it is no surprise that some groups would not want to give up using something they don't need to remember. Perhaps some vendors or banks should turn this option off, in order to protect some consumers from themselves.

Posted by: Barbara Guhanick | April 24, 2017 at 01:24 PM

As a consumer, I would appreciate a vendor, whether it be a shopping site, bank, medical heath record site, etc. , to provide an easy to use software VPN application. Besides passwords, knowing that the link between my endpoint and the other is protected by more than a password, or internet security (https) would be wonderful. Layered security is really the key.

Posted by: Barbara Guhanick | April 24, 2017 at 01:14 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 22, 2016


As with Nuclear Disarmament, So with ACH: Trust, but Verify

During his remarks at the signing of a nuclear disarmament treaty with the U.S.S.R. in 1987, President Ronald Reagan drew upon the old Russian maxim, "Doveryai, no proveryai," or "Trust, but verify." As with disarmament, businesses and others that originate automated clearing house (ACH) payments should be offered some way to verify an account, something more than hope and a prayer that the payment recipient's routing/transit number and account number are correct and that the recipient is an owner of the account.

The lack of efficient account validation options is a common complaint against the ACH. Surveys that NACHA conducted in 2012 and 2015 attest that account validation, as judged by a majority of respondents, is ACH's chief improvement need. Failing to perform account validation creates different levels of risk, depending on the payment application, whether a credit is pushed or debit is pulled and whether it is a recurring or one-time payment.

On July 19, NACHA's Payments Innovation Alliance and Board Advisory Group released two papers reviewing and critiquing existing methods for verifying bank accounts by financial institutions and businesses. The papers also suggest that a remedy to the account validation problem may be in the offing.

In both papers, NACHA defined account validation as follows:

A service wherein a business or financial institution can validate the accuracy of the account information received from a consumer or business, and the ability of that account to receive electronic payments.

Following are the various methods that NACHA identifies—and that I've complemented with my own research—that are used today to validate accounts:

  • Manual validation—A consumer's check verifies the account and identification verifies the consumer's identity. Alternatively, the originator can call the recipient's bank to confirm account details, assuming the bank is willing to provide the information, though it is risky for the bank to share such information over the phone.
  • ACH validation, via a zero-dollar prenote verification payment—If the account number is incorrect, the recipient's bank responds within three business days, though this timeframe can be shortened by using same-day ACH. As the papers state, this is a "no news is good news" form of verification. NACHA is exploring opportunities to improve the prenote process beginning in late 2016.
  • Challenge deposit validation—Typically, two micro-deposits of random amounts are made to the recipient's account and subsequently verified by the accountholder to the payment originator. Even if the account is successfully verified, the originator may subsequently be unable to debit the account because that account blocks debit payments. To identify debit blocked accounts, some originators debit the bank account equal to the micro-deposits. This method is fraught with a high abandonment rate by the consumer due to the hassle of verifying the deposits. One large online originator says that about 30 percent of consumers selecting the deposit validation method fail to verify the payment amounts. This method can take from five to seven business days—though, as with prenoting, the process can be expedited by using same-day ACH.
  • Instant validation—The customer logs into his or her bank from the company's website to establish ownership of the account. The same online originator said that 25 percent of its customers selected this validation method over deposit validation. Many consumers hesitate to use this method because the use of a third party increases the chance their banking credentials will be compromised.
  • Validation services—Service providers with access to a large number of accounts, offer scoring services that simulate or predict the likelihood an account number is "good." Though improving, these service offerings are limited for non-financial institution originators.

A solution to the problem may be in store through the World Wide Web Consortium and others working to develop a standardized application programming interface, or API, for account validation. This would allow payment originators or their service providers restricted access to bank data to verify accounts using a universal, standardized process while protecting banking credentials. Let's hope that key stakeholders rally around this important initiative and push for a speedy implementation so that we carry through with a new maxim of "Trust, but truly verify."

Photo of Steven Cordray  By Steven Cordray, payments risk expert in the Retail Payments Risk  Forum at the Atlanta Fed

August 22, 2016 in ACH, authentication | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 8, 2016


When Fraud Hits Home: Questioning Today’s Authentication Methods

My wife was the recent victim of a vehicle burglary. Unfortunately, the bad guys got away with a wallet that included a driver's license along with several debit and credit cards. Since my wife is a cash-averse individual, I thought little harm, if any, would ensue since she reported the cards stolen within minutes of the crime taking place. What I thought could have been a simple stolen card scenario quickly escalated to a major assault on a demand deposit account (DDA) thanks, in large part, to authentication failures by the financial institutions involved.

Two days after the theft and with only a driver's license and a canceled debit card to identify the bank, the burglar, or an associate, was able to withdraw money from my wife's DDA by using a generic withdrawal slip found at most bank and credit union branches. They also cashed a counterfeit check drawn on another financial institution (FI) that, along with the bad check fee, was charged against my wife's account when the payor bank returned the check. While I am not sure whether the employees at the bank followed proper authentication protocols, there clearly was a breakdown as the thief was able to use the stolen driver's license to first obtain my wife's DDA number and then fraudulently withdraw funds.

While the breakdown in authentication is concerning, the FI's solution for improving authentication with my wife's new account is archaic—a password. The FI suggested that she open a new account and password-protect the account. When making an in-person transaction, she will be required to state the password before a transaction can be completed or account information revealed in addition to other authentication measures that were already in place.

My wife, not comfortable with the new proposed account set-up or with the failure in authentication on the old account, decided to seek a new FI relationship. Clearly she believed that a more technology-driven solution would have been substantially better from both a security and user standpoint than the proposed password solution. And this got me wondering. With all the efforts and investments in authentication technologies, why are passwords still being used for banking and payment transactions in 2016? What will it actually take to "kill the password," which we have been talking about for years? We are in the midst of a technology revolution, yet authentication methods from 2,000 years ago are still being suggested for use today as the primary means to protect money and assets.

In Singapore, the government has mandated two-factor authentication while allowing consumers to retain some choice in the authentication factor. In the United States, the Federal Financial Institutions Examination Council, or FFIEC, issued guidance in 2011 regarding the use of multi-factor authentication for Internet transactions. Is guidance concerning authentication enough? Without favoring any particular solution or technology, is it time to adopt better authentication methods in the United States? I am not advocating mandate like in Singapore, but my wife can give you more than 2,500 good reasons why it should be considered.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 8, 2016 in authentication | Permalink

Comments

If I'm not mistaken, FFIEC issued its 2FA guidelines in 2005. In 2011 - or 2012 if I'm not mistaken - it only reissued them. Maybe America believes that, if heaven hasn't fallen in 11 years by not implementing 2FA while the rest of the world has, it won't fall anytime soon. Just saying...

Posted by: Ketharaman Swaminathan - GTM360 Marketing Solutions | August 10, 2016 at 03:47 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 8, 2016


Will Biometrics Breed Virtual Clones?

In the middle of last November, our group, the Retail Payments Risk Forum, hosted a conference on the application of biometrics for banking applications. For me, one of the important "ah-ha" moments from the conference was hearing about the potential downside to the technology. While the various speakers and panelists certainly pointed out the powerful security improvements that could result from an increased use of biometrics, there were also thoughtful contributions about what could go wrong. To illustrate one of these downsides, let me take you back to the breach that occurred at the United States' Office of Personnel Management (OPM) earlier this year. For those who may have applied for a position with a government agency over the last 20 years or so, the form letter notifying you of the potential breach of your personal data read like this:

Since you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently (emphasis mine) limited.… If new means are identified to misuse fingerprint data, additional information and guidance will be made available.

The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.

Biometrics are sure to proliferate in the next few years. I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it. Consider a future breach and the subsequent form letter from some entity that has built biometrics into its payment process. It could include all of those things noted in the OPM excerpt above. Additionally, victims could also have to be told that their iris, facial, and voice prints along with their DNA were taken. A virtual clone masquerading as me makes me shudder. Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.

The work to advance biometric security needs not just to be focused on advancing the accuracy and efficacy of the usage, but also to have a heavy emphasis on protecting the data collected—while it's collected and used and when it's at rest, in storage. And no matter how good all of that work is, I hope that choices for transacting business remain. Cash, which requires no authentication, and paper checks, which authenticate with a signature, figure to provide useful alternatives for quite some time.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 8, 2016 in authentication, biometrics, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 4, 2015


Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.

New_characteristics_table

The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d10cb742970c

Listed below are links to blogs that reference Keeping Up with the Criminals: Improving Customer Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 9, 2015


Who's to Stand in for Mom?

You have likely heard about the fraud that's clouding one of the newest mobile payment solutions. Credit where it is due, the security underpinning the mobile payments themselves represents an amalgamation of strong advances including such things as tokenization, biometric authentication (at the time of the transaction), encryption, and on-device secure storage. The problem that's generating the latest buzz pivots around a gap in authentication—specifically, verification of the legitimacy of those registering the cards that will be used to effect subsequent transactions. Truth is, this isn't a misstep by a singular entity. We've seen this trouble pop up in any number of payment channels.

Some institutions have put a lot of thought into enrollment authentication while others may have felt a need to rush to market at the expense of developing a fully effective authentication process. In November 2014, First Annapolis Consulting/M & A Advisory Services documented various approaches in use by issuers and followed up this past February with emerging best practices and recommendations.

To tack in the way I want for this topic, I will quote a thought provided in one of our recent forums that was given by Peter Tapling, president and CEO of Authentify Inc.: authentication is proving "you are who your mother says you are." This could be key to the best practice of all. But if moms everywhere prove disinclined to authenticate all of us rascals at the provisioning stage (and let's be frank, they're a little busy) can another stand for Mom in this place?

Since we're talking about payments, banks seem a logical option. Consider these highlights of their responsibilities related to "customer due diligence" (CDD) as detailed by the Federal Financial Institutions Examination Council:

  • The concept of CDD begins with verifying the customer's identity….
  • The cornerstone of a strong… compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all (emphasis added) customers…
  • CDD policies, procedures, and processes are critical to the bank because they can aid in:
    • Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
    • Adher(ing) to safe and sound banking practices….
    • Provid(ing) guidance for resolving issues when insufficient or inaccurate information is obtained.

The context of the excerpt above is BSA/AML—or Bank Secrecy Act/anti-money laundering—compliance and is generally applied to customers in the business space. However, it seems reasonable to think the skill set might be brought to bear wherever there is need. Banks are clearly best positioned to determine who is setting up a payment and whether or not that person should be. Yet the responsibility is a broad one. Those party to any payment solution, including innovators, provisioning banks, and consumers, should demand that new and extant solutions include enrollment authentication that is well considered and properly coordinated using the best techniques for thwarting fraud. To get the best authentication, it's about who you know—and also, who knows you, besides your mother.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed


March 9, 2015 in authentication, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb0801aa6c970d

Listed below are links to blogs that reference Who's to Stand in for Mom?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


December 2017


Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Archives


Categories


Powered by TypePad