About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

May 22, 2017


The Year(s) of Ransomware

I remember, as a child, despising the neighborhood kid who would always say, "I told you so." Well, let's move ahead some 30-odd years to the WannaCry ransomware attack—I now feel like that despised child. You see, on March 29 of this year, I emailed the following note to my colleagues in the Risk Forum:

Just a few high-level and interesting notes from the conference.… 2017 & 2018 will be the Year of Ransomware (I can elaborate on this when we are all together—pretty fascinating business models developed here).

Too bad I kept my thoughts to our little group here at the Atlanta Fed and didn't get the message out to the masses (or at least to our Take on Payments readers) prior to the WannaCry ransomware attack that began on May 12. So why did I (and still do) think 2017 and 2018 will both be the "Year of Ransomware"?

Those who know me know that I am not a very technical person. I see things more strategically than technically and usually sprint away from conversations that become technical. After viewing a demonstration on how to launch a ransomware attack, I was shocked to learn that hardly any technical expertise is required to pull off an attack. This is all made possible by the "pretty fascinating business models" that I referred to in my note, business models known as Ransomware as a Service (RaaS).

I'd always envisioned that serious technical code writing capabilities would be a requirement for developing the code to send the malicious files involved in ransomware. And while coding is needed, that is where the RaaS comes into play. You pay someone else to create the malicious code, which you then use to launch a ransomware attack. And to make the attack even more successful, there are simple tools available that allow you to not only test the code against the market-leading antivirus software detection programs but also to tweak the code embedded in the malicious file to ensure that none of the antivirus software programs will detect it. Antivirus software protects users only from known malicious code, which is the reason the software must be constantly updated.

With the undetectable code in hand, you can now launch a ransomware attack through either an embedded file or a link within a phishing email or social media post to a legitimate-appearing, but malicious, website. And this costs little or nothing up front! The cost for the RaaS is only realized once a successful attack occurs, with a portion of the collected ransom paid to the RaaS provider.

Which brings me back to why I think ransomware attacks will continue to escalate, leading to 2017 and 2018 becoming "The Year(s) of Ransomware." They are simple to execute, low cost, and proving to be highly lucrative. (According to the FBI, an estimated $209 million was paid in ransom in the first quarter of 2016.) Expect a future blog post on how to plan for and defend against attacks.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 22, 2017 in fraud, malware | Permalink


May 8, 2017


Calculating Fraud: Part 1

When analyzing payments fraud rates, we have to consider what is being measured and compared. Should we measure fraud attempts that might have been thwarted—fraud that penetrated the system but might not necessarily have resulted in a loss—or fraud losses? Whatever the measure, it is important that the definition of what is included in the numerator and denominator be consistent to properly represent a fraud rate.

In calculating a fraud rate based on value or number, a fraud tally is needed in the numerator and a comparison payment tally in the denominator. The formula works out as follows:

Fraud Rate = Numerator / Denominator

Where, for any given period of time
Numerator = Value, or number of fraudulent payments across the payments under consideration,
Denominator = Value, or number of payments under consideration.

This post offers a process for tallying payments for the denominator. Part 2 of this series will focus on tallying the numerator, basing its approach on the process that the Federal Reserve Payments Study 2016 used. That process includes fraud that initially cleared and settled, not attempts, and does not exclude losses subsequently recovered.

The Fed’s 2016 payments study offers a method for whittling down all payment transactions to a subset of transactions suitable for calculating a fraud rate. Below is an extract, with clarifying commentary, from one of the study’s questionnaires, which asked card networks for both the value and number of payments.

[Chart]

At first blush, totals for value or number under questions 1, 2, 3, and 4 could conceivably be used to provide a comparison tally for fraud. However, we should rule out the total from question 1 since the definition includes declined authorizations, making it unnecessarily broad. Question 2, "total authorized transactions," has the disadvantage of including pre-authorization only (authorized but not settled). While some of these transactions could have been initiated as part of a fraud attempt, they were never settled and consequently posed no opportunity for the fraudster to take off with ill-gotten gains. On balance, the preferred measure for payments is the result of question 3, which measures "net, authorized, and settled transactions." Unlike "net, purchased transactions" under question 4, this measure has the benefit of not excluding some of the fraud captured by chargebacks under question 3b.1. Other types of fraud are not covered under chargebacks, including when card issuers elect to absorb losses on low-value payments to avoid the costs of submitting a chargeback.

We could follow a similar process for tallying payments for ACH and checks, with adjustments to account for potential fraud resulting from the lack of an authorization system like that for cards, which requests authorization from the paying bank.

Part 2 of this series, which covers the process for calculating the numerator, will appear in June.

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 8, 2017 in ACH, checks, debit cards, fraud | Permalink


March 27, 2017


Don't Forget the Check

As the data in the recently released Federal Reserve Payments Study show, the decline of check usage continues—albeit at a slower rate than what past studies found. Despite the rapid decline in volume on the consumer side over the last 15 years, the check remains a key payment instrument for business customers. According to the study, in 2015, consumers and businesses wrote more than 19 billion checks representing $27.3 trillion.

While the share of the number of checks (12 percent) is dwarfed by the number of other noncash payments (debit/credit/prepaid card and ACH), which continue to grow, the check remains a key target of criminals. For that reason, we need to maintain, if not enhance, risk monitoring. Criminals use the check both to conduct fraudulent transactions and to launder money. The Financial Crimes Enforcement Network reports that the number of Suspicious Activity Reports (SAR) involving checks continues to increase. That number has grown more than 141 percent since 2013, as the chart shows. Also, checks are 71 percent of the total—by far the most common payment type of all the SAR categories.

[Chart]

In addition, the Association for Financial Professionals notes in its 2016 Payments Fraud and Control Survey that checks remain the most targeted payment method. Seventy-one percent of the 627 responding companies reported successful or attempted check fraud on their business accounts in 2015. The survey also found that checks accounted for the largest dollar amount of loss of all the payment methods, including wire transfers. On a positive note, the percentage of companies actually suffering a financial loss from check fraud declined from 57 percent in 2013 to 43 percent in 2015.

Checks remain a target since they are so easy to counterfeit or alter compared to electronic items. While much of the risk management effort focuses on electronic payments, be sure not to forget about the paper check. It is obvious the crooks haven't.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 27, 2017 in checks, cybercrime, fraud | Permalink


January 9, 2017


The Year in Review

As we move into 2017, the Take on Payments team would like to share its perspectives of major payment-related events and issues that took place in the United States in 2016, in no particular order of importance.

Cybersecurity Moves to Forefront—While cyber protection is certainly not new, the increased frequency and sophistication of cyber threats in 2016 accelerated the need for financial services enterprises, businesses, and governmental agencies to step up their external and internal defenses with more staff and better protection and detection tools. The federal government released a Cybersecurity National Action Plan and established the Federal Chief Information Security Officer position to oversee governmental agencies' management of cybersecurity and protection of critical infrastructure.

Same-Day ACH—Last September, NACHA's three-phase rules change took effect, mandating initially a credit-only same-day ACH service. It is uncertain this early whether NACHA will meet its expectations of same-day ACH garnering 1 percent of total ACH payment volume by October 2017. Anecdotally, we are hearing that some payments processors have been slow in supporting the service. Further clarity on the significance of same-day service will become evident with the addition of debit items in phase two, which takes effect this September.

Faster Payments—Maybe we're the only ones who see it this way, but in this country, "faster payments" looks like the Wild West—at least if you remember to say, "Howdy, pardner!" Word counts won't let us name or fully describe all of the various wagon trains racing for a faster payments land grab, but it seemed to start in October 2015 when The Clearing House announced it was teaming with FIS to deliver a real-time payment system for the United States. By March 2016, Jack Henry and Associates Inc. had joined the effort. Meanwhile, Early Warning completed its acquisition of clearXchange and announced a real-time offering in February. By August, this solution had been added to Fiserv's offerings. With Mastercard and Visa hovering around their own solutions and also attaching to any number of others, it seems like everybody is trying to make sure they don't get left behind.

Prepaid Card Account Rules—When it comes to compliance, "prepaid card" is now a misnomer based on the release of the Consumer Financial Protection Bureau's 2016 final ruling. The rule is access-device-agnostic, so the same requirements are applied to stored funds on a card, fob, or mobile phone app, to name a few. Prepaid accounts that are transactional and ready to use at a variety of merchants or ATMs, or for person-to-person, are now covered by Reg. E-Lite, and possibly Reg. Z, when overdraft or credit features apply. In industry speak, the rule applies to payroll cards, government benefit cards, PayPal-like accounts, and general-purpose reloadable cards—but not to gift cards, health or flexible savings accounts, corporate reimbursement cards, or disaster-relief-type accounts, for example.

Mobile Payments Move at Evolutionary, Not Revolutionary, Pace—While the Apple, Google, and Samsung Pay wallets continued to move forward with increasing financial institution and merchant participation, consumer usage remained anemic. With the retailer consortium wallet venture MCX going into hibernation, a number of major retailers announced or introduced closed-loop mobile wallet programs hoping to emulate the success of retailers such as Starbucks and Dunkin' Brands. The magic formula of payments, loyalty, and couponing interwoven into a single application remains elusive.

EMV Migration—The migration to chip cards and terminals in the United States continued with chip cards now representing approximately 70 percent of credit/debit cards in the United States. Merchant adoption of chip-enabled terminals stands just below 40 percent of the market. The ATM liability shift for Mastercard payment cards took effect October 21, with only an estimated 30 percent of non-FI-owned ATMs being EMV operational. Recognizing some of the unique challenges to the gasoline retailers, the brands pushed back the liability shift timetable for automated fuel dispensers three years, to October 2020. Chip card migration has clearly reduced counterfeit card fraud, but card-not-present (CNP) fraud has ballooned. Data for 2015 from the 2016 Federal Reserve Payments Study show card fraud by channel in the United States at 54 percent for in person and 46 percent for remote (or CNP). This is in contrast to comparable fraud data in other countries further along in EMV implementation, where remote fraud accounts for the majority of card fraud.

Distributed Ledger—Although venture capital funding in blockchain and distributed ledger startups significantly decreased in 2016 from 2015, interest remains high. Rather than investing in startups, financial institutions and established technology companies, such as IBM, shifted their funding focus to developing internal solutions and their technology focus from consumer-facing use cases such as Bitcoin to back-end clearing and settlement solutions and the execution of smart contracts.

Same Song, Same Verse—Some things just don't seem to change from year to year. Notifications of data breaches of financial institutions, businesses, and governmental agencies appear to have been as numerous as in previous years. The Fed's Consumer Payment Choices study continued to show that cash remains the most frequent payment method, especially for transactions under 10 dollars.

All of us at the Retail Payments Risk Forum wish all our Take On Payments readers a prosperous 2017.

Mary Kepler
Julius Weyman
Doug King
Dave Lott
Jessica Washington
Steven Cordray

January 9, 2017 in ACH, ATM fraud, cards, chip-and-pin, cybercrime, debit cards, emerging payments, EMV, fraud, mobile banking, mobile payments, P2P, prepaid, regulations | Permalink


October 17, 2016


EMV Comments That Make Me Cringe

Some aspects of the chip card implementation in the United States certainly make us frustrated. For one, the customer experience could be seen as slightly more negative because of the longer transaction time and confusion about the debit card selection menu. However, at several payments conferences I have attended recently, I have heard comments made by speakers and panelists about EMV chip cards and their technology that caused me to cringe a bit. I understand that a number of stakeholders are not proponents of EMV technology for a variety of reasons and, while some parts of their comments are factually accurate, they certainly are not "the truth, the whole truth and nothing but the truth."

Cringe #1: The United States is implementing 20-year-old technology with EMV chip cards. Yes, the first EMV specifications were publicly released in 1995. But isn't that like saying that the gasoline-powered automobile is technology that is 130 years old? Microsoft's first release of Windows was in 1985. Do we hear complaints about it being 30-plus years old? The reality is that the EMV specifications, like practically all software development, are continually updated over the years with enhancements continuing as long as the software is still being supported. The EMV specifications are now at version 4.3, released in November 2011, with 20 supplemental bulletins issued since then and more on the way.

Cringe #2: EMV (chip) cards haven't solved the card-not-present (CNP) fraud problem. Again, this is an accurate statement. CNP card fraud is the second largest category of fraud losses in the U.S. (see the chart). But, the statement is misleading inasmuch as the EMV specifications and chip cards were never intended to address the CNP ecommerce environment. Counterfeit card fraud, whereby the criminal produces a card using data obtained from a skimmer or data breach, has been the number-one source of card-present fraud in the United States. It was this type of card fraud that the chip card was designed to target, and, from all accounts to date, it has been highly successful in doing so.

[Chart]

Source: Chip Cards in the United States: The PIN, PINless, Debit, Credit Conundrum, Aite Group, July 2016

Cringe #3: Using a PIN improves the security of the chip card. While a cardholder using a PIN in lieu of a signature does clearly result in a lower level of fraud losses, the claim is somewhat of an apples and oranges comparison. The chip on the card authenticates the card itself, while the use of a PIN is intended to authenticate the cardholder performing the transaction. These are two separate types of authentication which, when combined, make the transaction more secure—a good thing. The use of a PIN should result in lower lost/stolen card fraud as it invokes two-factor authentication—something you have (card) and something you know (PIN).

Are the current EMV specifications perfect? Of course not, and that is why there are constant efforts to identify ways to improve them. But one must recall that the EMV specifications provide global interoperability and must be developed keeping that requirement in mind. What are your thoughts on the EMV specifications and how they can be improved?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 17, 2016 in chip-and-pin, consumer fraud, consumer protection, EMV, fraud | Permalink

Comments

Good stuff, Dave; I fully agree with your first 2 cringes, but on the third I think the objection is that if minimizing fraud is so important, why would we not complete the process of requiring PIN and take security to the next logical step?

Of course this opens up plenty of other debates- consumer choice, merchant fee levels, etc.- but thought it would be helpful to clarify that point in hopes of advancing the dialogue.

Posted by: Glen Sarvady | December 12, 2016 at 02:28 PM

Hello Dave,
While I agree with much that you have written, the EMV specification has not kept pace with modern needs. The Target breach was the catalyst for the US implementation of EMV. Yet the current implementation of EMV would not have prevented the breach. The chip card exposes the static, clear text Primary Account Number (PAN) and other Personally Identifiable Information (PII) in numerous places. It does not cryptographically protect the sensitive data. To match our current needs, the cryptographic and computational power of the chip should be harnessed to protect the PAN and the PII. Or better yet, remove the PAN and PII from the chip card entirely.
The card is a physical token which should represent the PAN, but not expose it. The PAN should remain inside the Financial Institution (FI) linked to various tokens, each of which has a Device ID. The physical token should be authenticated without revealing the PAN to the merchant or a payment intermediary. Once the token (the Card or other access device) has been authenticated by the Issuer, it can look up the corresponding account and move (or not move) the funds accordingly.
When the card is capable of protecting itself, it can be issued, secured and validated by the issuer without the need for any intermediaries (consumers, merchants, processors, acquirers, networks) to participate in the protection process. With a proper chip card specification, this can be accomplished while maintaining global interoperability.
Respectfully,
Mimi Hart, MagTek

Posted by: Mimi Hart | December 9, 2016 at 03:11 PM


August 15, 2016


The Personal Cost of Fraud

Last week's post by my colleague Doug King described the check fraud that took place after someone burglarized his wife's car and stole her wallet, including her driver's license and credit and debit cards. The frequency and magnitude of data breaches and constantly reading and researching payments fraud as part of my job have probably numbed me to the personal impact of fraud. When discussing the likelihood of becoming victims of some sort of identity theft fraud, we jokingly paraphrase the slogan in the South about termite infestations: "It's not a matter of if, it's a matter of when." Given the data breaches and information available through public records, we operate under the assumption that the criminal element has all the information they need to perpetrate fraud against us and, for those of us who haven't already been victimized, it is likely to happen in the near future. A pessimistic outlook for sure, but one I fear is realistic.

I still get frustrated when I see the many studies that show that, despite consumers' concern about the security and privacy of their transaction and personal information, the vast majority do not adopt strong security practices. They use easy-to-guess passwords or PINs and often use the same user ID and password for their various online accounts, from social media to online banking access. I believe that many financial institutions (FI) and ecommerce providers have passively supported this environment in that they often do not require customers to use stronger practices because they don't want to incur the customer service cost associated with password resets or customer abandonment. The lack of consistent password formatting structures adds to the confusion (some require special characters and others don't allow them).

I certainly don't hold myself out as the poster child for strong security, but our family has adopted a number of the recommended stronger security practices. These include using a simple compound password structure that creates a separate password for each application, creating a more complex password structure for financial applications, establishing filter rules designed to spot spam and phishing emails, and conducting a frequent review of financial accounts to spot unauthorized transactions.

While liability protection laws and regulations generally hold a consumer financially harmless, there clearly is a social and individual cost associated with fraud from the time spent dealing with law enforcement and FI representatives to the issue of not being able to access the funds fraudulently taken until reimbursement is made. Perhaps Doug's wife's requirement for her FI to provide a stronger level of authentication reflects a changing sense of the need by the general public for stronger security practices. I certainly hope so.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

August 15, 2016 in consumer fraud, cybercrime, data security, fraud, identity theft | Permalink

Comments

David,

Great article highlighting the importance of a consumer experience that includes creating a trustworthy system. "Friction-less" transactions should not be the only driver in the equation. As well, friction has become an ambiguous, overused term that has yet to be measured or defined consistently.

New products in market now offer low-cost alternatives that protect consumers through a simple process, build trust in the system, while alleviating consumer fears and worries that their cards will be compromised. It's time for the industry to think about these solutions differently and change the paradigm. Rolling out a fraud prevention solution doesn't mean compromising the purchasing process. Instead it may actually help create greater consumer peace of mind.

Thank you, Maddy Aufseeser, CEO Tender Armor

Posted by: Maddy Aufseeser | August 16, 2016 at 12:26 PM


June 13, 2016


What Is GPR Feeding On? Part 2 of 2

In part 1, I shared several studies on the appetite for general-purpose reloadable (GPR) prepaid cards. It turns out there is little public data covering the fraud portion of the industry. I look forward to results from the Federal Reserve's 2016 Payments Study, which added a number of questions related to GPR card fraud.

Last week, LexisNexis® released a fraud study titled Issuers Confront Application Fraud and Account Takeover in a Post-EMV U.S. The study reports that issuers annually lose $10.9 billion to card fraud overall, with 4 percent attributed to all types of prepaid cards (not just GPR), 25 percent to debit cards, and 71 percent to credit cards. The study examines what types of fraud schemes are responsible for losses, but the data is aggregated and not broken down by card type. We will look at these results and I will describe how fraudsters could use prepaid to perpetrate that type of fraud.

Lost/stolen cards: 28 percent of total card fraud

GPR card information can be lost or stolen in a variety of ways—as can happen with all payment card instruments. When the fraudster acquires the account numbers, he or she can then sell, clone, or counterfeit new cards to make fraudulent purchases. The most common schemes include:

  • Skimming magnetic stripes via compromised ATM or POS terminals
  • Cyberattacks/data breaches
  • Simply lost or stolen cards

"Lost or stolen" also includes information obtained from extortion by coercive measures and deceptive marketing. Fraudsters trick consumers into loading funds on a prepaid card and then handing over the account information. Some prepaid issuers have included warnings about this type of crime on their packaging. Some recent schemes include:

  • Pretending to represent a creditor or utility and convincing victims they are overdue on bills and must immediately make a payment using a prepaid card
  • Money-winning schemes (I always win cruises) whereby a consumer must pay taxes on the winnings with a prepaid card

Account takeover: 20 percent

These schemes typically involve business bank accounts. However, a blog by Krebs on Security describes a well-known case involving prepaid. Cybercriminals allegedly breached a number of payment processors over a two-year period. They acquired account information and changed account balances and daily withdrawal limits. The criminals then used the breached payment card information to clone cards to use at ATMs all over the world and withdrew nearly $55 million in cash.

Application fraud: 20 percent

Ultimately, this scheme involves the criminal opening a GPR account under a stolen or false ID, using stolen funds to open the account. Schemes that fit into this category are:

  • Filing fraudulent tax returns and sending refunds to prepaid accounts. (I recently blogged on this.)
  • Buying prepaid cards with stolen or counterfeit cards, a growing scheme that essentially creates free money out of stolen funds

Counterfeit cards: 16 percent

Counterfeiting usually occurs in conjunction with other fraud schemes. Counterfeit cards (and even lost or stolen cards) can be sold, often at a discount to the purchaser, potentially making their way into the hands of law-abiding citizens through wholesale websites.

Maybe fraudsters stock their pantry with prepaid cards, but are these common schemes unique to GPR cards or prepaid accounts? Although it's easier to open a prepaid account with little direct human contact, couldn't we substitute debit card or credit line accounts in any of these fraud schemes? Every type of monetary instrument experiences fraud but the prepaid industry has worked diligently to address these common areas. The vast majority of prepaid customers are legitimate users that have chosen this type of product for economic or payment preference reasons.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 13, 2016 in cards, debit cards, fraud, identity theft | Permalink


May 16, 2016


Improving Customer Authentication: Is the PIN Past Its Prime?

The Financial Fraud Action UK recently released its Year-End 2015 Fraud Update. This report, filled with fraud-related figures from a fully EMV(chip)-migrated country, provides insight into what the future of fraud in the United States might look like as we are approximately eight months into our EMV journey. And if indeed the United Kingdom’s experience is a harbinger of things to come in the United States, then I think there will be disappointment for anyone who thought EMV by itself would be a magic bullet. After I spent time studying this report, it became evident that customer authentication is the latest low-hanging fruit and fraudsters are having a feast.

Fraud losses on payment cards in the United Kingdom (£567.5m) are approaching pre-EMV migration levels, and fraud loss rates have increased above 8 basis points (0.08%), hitting a level last seen in 2009. Diving deeper, we find that:

  • As expected, card-not-present (CNP) fraud losses represent a majority of card fraud losses (70 percent). Interestingly though, ecommerce spend volume grew faster than ecommerce fraud losses in 2015, suggesting that the industry made headway in its efforts to mitigate ecommerce fraud.
  • Lost and stolen card fraud (remember, the United Kingdom is a PIN environment) increased more than 24 percent in 2015, reaching levels last seen in 2006. The report highlights distraction thefts through cameras or simply shoulder surfing as methods of fraudulently obtaining PINs.
  • Card ID theft fraud losses, defined as losses from spend on fraudulently opened or obtained cards through stolen personal information, increased by 28 percent and are now approaching counterfeit card levels.
  • A bit of good news is that counterfeit card fraud losses remain well below pre-EMV levels and fell even further in 2015—perhaps, as the report suggests, driven partly by the increased acceptance of EMV cards in the United States.
  • Beyond cards, remote banking fraud losses (losses from Internet, telephone, and mobile banking) increased by more than 134 percent during the last two years, totaling nearly £169 million.

EMV is performing exactly as expected and doing a phenomenal job of authenticating payment cards in the card-present environment. Why are fraud losses increasing in a mature EMV environment? Because customer authentication remains a challenge, as is evident by rising fraud losses from lost and stolen cards, card applications with stolen identities, and remote banking.

Whether on the front end of authenticating the user during the account opening process or the back end of authenticating the user at the time of payment, authentication measures are coming up short, and these measures include PINs and passwords. Replacing passwords has been an ongoing conversation and will likely remain a conversation piece rather than become a widely adopted action item. Yet there is a growing push for the use of PINs coupled with EMV cards here in the United States. While PIN authentication is an improvement over signature authentication, it, too, has its flaws. With improvements and advancements in new technologies such as biometrics, perhaps it's time for the industry to advance beyond PINs. Because of the current signature-laden EMV environment in the U.S., the timing is perfect.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 16, 2016 in chip-and-pin, EMV, fraud

April 25, 2016


Be Careful, Be Very Careful

Less than halfway through the spring season of banking and payments conferences, the dominant theme of cybercrime is ringing loud and clear. In the 2015 conferences, it was virtual currency, but this year, it is the threat of cyberattacks against individuals and businesses, whether widespread or aimed at a single target. At a payments conference last week, a representative of the Internet Crime Complaint Center (IC3) told the session audience about her center's work. The IC3 has served since 2000 as a conduit for the public to provide information to the FBI regarding suspected Internet-facilitated criminal activity. IC3 tracks and investigates hacking, money laundering, identity theft, advance fee, and ransomware schemes. It also tracks and investigates efforts to steal intellectual property and trade secrets.

In its latest annual report, IC3 provides detailed statistics on Internet-related complaints and trends. In 2014, the center received almost 270,000 complaints, accounting for more than $800 million in losses. Average monthly complaints received were 22,452. Complaint volume peaked in July at 24,521; the month with the fewest was February, with 20,888.

I asked the IC3 representative about the top complaints the unit was currently seeing. She indicated that email compromise of targeted businesses was the primary complaint and the one that generally resulted in the highest financial loss per complaint. It is common for employees in accounting areas to be targeted. They receive spoofed emails instructing them to initiate wire transfers or to change invoice remittance payments to fraudulent parties and locations, often accounts at financial institutions located in eastern Europe or the Asia-Pacific region. Although representing less than 1 percent of the total complaints filed in 2014, the losses from business email compromise accounted for 28 percent of the total losses reported, and from January 2015 to January 2016 the loss rate increased 270 percent.

Advance fee schemes involving home rentals or sales, automobile sales, dating services, and lottery/prize winnings are also common. As the name implies, the criminals gain the confidence of victims and demand upfront payment as a sign of good faith. Once they receive the first payment, they will often try for additional payments before disappearing.

Finally, intimidation or extortion schemes are becoming more prevalent. The criminal generally contacts the victims by phone, accuses them of being past due on tax payments or utility bills, and says that if immediate payment is not made, their property will be confiscated or they will be arrested. Often the criminal has used social engineering or public records to obtain genuine data that makes the impersonation of the agency seem more legitimate.

The size and frequency of data breaches of financial institutions, retailers, health care and insurance companies, and government agencies have led some people to conclude that just about everyone's personal identification information has been compromised to some level. I believe it is sensible to be a bit distrustful and apprehensive about the legitimacy of offers or information you might receive through emails or websites, especially those with which you are unfamiliar. Many of the attempts are easy to spot, but many others involve highly sophisticated techniques, so one should be extremely careful when on the Internet.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 25, 2016 in cybercrime, data security, fraud, identity theft

April 11, 2016


Combat Gear for Tax Season

Recently, a local newspaper reported on two ex-bankers who were sentenced for their roles in a two-year-long fraud scheme. These ex-bankers created fraudulent bank accounts, then generated more than 2,000 false tax returns totaling more than $2.8 million in fraudulent refunds. The IRS has plenty more stories of tax fraud to tell.

Currently, "file taxes" is number one on my to-do list, and maybe yours. Do you shiver at the possibility that a tax return in your name has already been filed by someone else? Criminals, organized or not, know they can earn a living by filing fake returns. Even a legitimate taxpayer who owes taxes can be a victim of identity theft tax (IDT) refund fraud, as defined by the Internal Revenue Service's (IRS) Security Summit. (Note: The Electronic Tax Administration Advisory Committee, which reports to Congress, calls IDT refund fraud stolen identity refund fraud, or SIRF.)

Formed on March 19, 2015, the Security Summit joins the IRS, state departments of revenue, and members of the tax refund ecosystem to discuss ways to combat IDT refund fraud. The Summit currently has seven working groups, including one focused on refund authentication and fraud detection. We have blogged before on the importance of data analytics in detecting fraudulent filings; this working group is attempting to strengthen these data tools. The working group also laid out best practices for software providers in enhancing identity requirements and strengthening validation procedures. At the end of last year, Congress provided a big assist in these efforts by passing the Protecting Americans from Tax Hikes, or PATH, Act of 2015, which closes one of the biggest loopholes in the tax refund process by requiring employers to electronically file W-2 forms and 1099 forms with the IRS by January 31 of each year instead of March 31. This new requirement, which becomes effective in 2017, will allow federal and state taxing authorities to match returns with actual W-2s for the first time.

The Security Summit also has a Financial Services Working Group, which explores ways to prevent criminals from using stolen identification credentials to establish financial services products such as checking accounts and prepaid cards that would allow the criminal to access the proceeds of fraudulent returns. After all, fraud may not be realized until after processing the tax return. Refunds are distributed either by check or direct deposit via ACH, which can be sent to a prepaid account (card) or traditional bank account. The IRS can't determine which account type an ACH refund is destined for, since routing numbers and account numbers aren't standardized by account type, nor is there a database of routing numbers to identify prepaid accounts. Some have suggested that knowing when it is a prepaid account could be helpful in risk rating the return before sending the refund. The Financial Services Working Group has developed a standard state ACH file-naming convention so that state tax refunds can be identified by the industry in order to apply enhanced fraud filtering. Suspicious state tax refund deposits can be detected based on amounts, name matching, account type, length of relationship, and volume of deposits or withdrawals. The new format standard will strengthen fraud control systems in that all tax refund deposits can be scrutinized further.

The Security Summit has a total of seven working groups, and they have their work cut out for them. While I shiver to think I could be a victim of identity theft, I support the progressive efforts to stop this crime, especially in the pre-filing and pre-refund stages so the criminals can't see a reward for their efforts.

By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 11, 2016 in ACH, consumer fraud, fraud, identity theft