Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

June 13, 2016


What Is GPR Feeding On? Part 2 of 2

In part 1, I shared several studies on the appetite for general-purpose reloadable (GPR) prepaid cards. It turns out there is little public data covering the fraud portion of the industry. I look forward to results from the Federal Reserve's 2016 Payments Study, which added a number of questions related to GPR card fraud.

Last week, LexisNexis® released a fraud study titled Issuers Confront Application Fraud and Account Takeover in a Post-EMV U.S. The study reports that issuers annually lose $10.9 billion to card fraud overall, with 4 percent attributed to all types of prepaid cards (not just GPR), 25 percent to debit cards, and 71 percent to credit cards. The study examines what types of fraud schemes are responsible for losses, but the data is aggregated and not broken down by card type. We will look at these results and I will describe how fraudsters could use prepaid to perpetrate that type of fraud.

Lost/stolen cards: 28 percent of total card fraud

GPR card information can be lost or stolen in a variety of ways—as can happen with all payment card instruments. When the fraudster acquires the account numbers, he or she can then sell, clone, or counterfeit new cards to make fraudulent purchases. The most common schemes include:

  • Skimming magnetic stripes via compromised ATM or POS terminals
  • Cyberattacks/data breaches
  • Simply lost or stolen cards

"Lost or stolen" also include information obtained from extortion by coercive measures and deceptive marketing. Fraudsters trick consumers into loading funds on a prepaid card and then handing over the account information. Some prepaid issuers have included warnings about this type of crime on their packaging. Some recent schemes include:

  • Pretending to represent a creditor or utility and convincing victims they are overdue on bills and must immediately make a payment using a prepaid card
  • Money-winning schemes (I always win cruises) whereby a consumer must pay taxes on the winnings with a prepaid card

Account takeover: 20 percent

These schemes typically involve business bank accounts. However, a blog by Kreb’s on Security describes a well-known case involving prepaid. Cybercriminals allegedly breached a number of payment processors over a two-year period. They acquired account information and changed account balances and daily withdrawal limits. The criminals then used the breached payment card information to clone cards to use at ATMs all over the world and withdrew nearly $55 million in cash.

Application fraud: 20 percent

Ultimately, this scheme involves the criminal opening a GPR account under a stolen or false ID, using stolen funds to open the account. Schemes that fit into this category are:

  • Filing fraudulent tax returns and sending refunds to prepaid accounts. (I recently blogged on this.)
  • Buying prepaid cards with stolen or counterfeit cards, a growing scheme that essentially creates free money out of stolen funds

Counterfeit cards: 16 percent

Counterfeiting usually occurs in conjunction with other fraud schemes. Counterfeit cards (and even lost or stolen cards) can be sold, often at a discount to the purchaser, potentially making their way into the hands of law-abiding citizens through wholesale websites.

Maybe fraudsters stock their pantry with prepaid cards, but are these common schemes unique to GPR cards or prepaid accounts? Although it's easier to open a prepaid account with little direct human contact, couldn't we substitute debit card or credit line accounts in any of these fraud schemes? Every type of monetary instrument experiences fraud but the prepaid industry has worked diligently to address these common areas. The vast majority of prepaid customers are legitimate users that have chosen this type of product for economic or payment preference reasons.

Photo of Jessica Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 13, 2016 in cards, debit cards, fraud, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 25, 2016


Be Careful, Be Very Careful

Less than halfway through the spring season of banking and payments conferences, the dominant theme of cybercrime is ringing loud and clear. In the 2015 conferences, it was virtual currency, but this year, it is the threat of cyberattacks against individuals and business in both widespread and singular manners. At a payments conference last week, a representative of the Internet Crime Complaint Center (IC3) told the session audience about her center's work. The IC3 has served since 2000 as a conduit for the public to provide information to the FBI regarding suspected Internet-facilitated criminal activity. IC3 tracks and investigates hacking, money laundering, identity theft, advanced fee, and ransomware schemes. It also tracks and investigates efforts to steal intellectual property and trade secrets.

In its latest annual report, IC3 provides detailed statistics on Internet-related complaints and trends. In 2014, the center received almost 270,000 complaints, accounting for more than $800 million in losses. Average monthly complaints received were 22,452. Complaint volume peaked in July at 24,521; the month with the fewest was February, with 20,888.

I asked the IC3 representative about the top complaints the unit was currently seeing. She indicated that email compromise of targeted businesses was the primary complaint and the one that generally resulted in the highest financial loss per complaint. It is common for employees in accounting areas to be targeted. They receive spoofed emails instructing them to initiate wire transfers or to change invoice remittance payments to fraudulent parties and locations, often accounts at financial institutions located in eastern Europe or the Asian-Pacific region. Although representing less than 1 percent of the total complaints filed in 2014, the losses from business email compromise accounted for 28 percent of the total losses reported, and from January 2015 to January 2016 the loss rate increased 270 percent.

Advanced fee schemes involving home rentals or sales, automobile sales, dating services, and lottery/prize winnings are also common. As the name implies, the criminals gain the confidence of victims and demand upfront payment as a sign of good faith. Once they receive the first payment, they will often try for additional payments before disappearing.

Finally, intimidation or extortion schemes are becoming more prevalent. The criminal generally contacts the victims by phone, accuses them of being past due on tax payments or utility bills, and says if immediate payment is not made, their property will be confiscated or they will be arrested. Often the criminal has used social engineering or public records to obtain legitimate data to make their representation of the agency seem more legitimate.

The size and frequency of data breaches of financial institutions, retailers, health care and insurance companies, and government agencies have led some people to conclude that just about everyone's personal identification information has been compromised to some level. I believe it is sensible to be a bit distrustful and apprehensive about the legitimacy of offers or information you might receive through emails or websites, especially those with which you are unfamiliar. Many of the attempts are easy to spot but many others involve highly sophisticated techniques, so one should be extremely careful when on the Internet.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 25, 2016 in cybercrime, data security, fraud, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 11, 2016


Combat Gear for Tax Season

Recently, a local newspaper reported on two ex-bankers who were sentenced for their roles in a two-year-long fraud scheme. These ex-bankers created fraudulent bank accounts, then generated more than 2,000 false tax returns totaling more than $2.8 million in fraudulent refunds. The IRS has plenty more stories of tax fraud to tell.

Currently, "file taxes" is number one on my to-do list, and maybe yours. Do you shiver considering the possibility a tax return in your name has already been filed by someone else? Criminals, organized or not, know they can earn a living by filing fake returns. Even a legitimate taxpayer who owes taxes can be a victim of identity theft tax (IDT) refund fraud, as defined by the Internal Revenue Service's (IRS) Security Summit. (Note: The Electronic Tax Administration Advisory Committee, which reports to Congress, calls IDT refund fraud stolen identity refund fraud, or SIRF).

Formed on March 19, 2015, the Security Summit joins the IRS, state departments of revenue, and members of the tax refund ecosystem to discuss ways to combat IDT refund fraud. The Summit currently has seven working groups, including one focused on refund authentication and fraud detection. We have blogged before on the importance of data analytics in detecting fraudulent filings; this working group is attempting to strengthen these data tools. The working group also laid out best practices for software providers in enhancing identity requirements and strengthening validation procedures. At the end of last year, Congress provided a big assist in these efforts by passing the Protecting Americans from Tax Hikes, or PATH, Act of 2015, which closes one of the biggest loopholes in the tax refund process by requiring employers to electronically file W-2 forms and 1099 forms with the IRS by January 31 of each year instead of March 31. This new requirement, which becomes effective in 2017, will allow federal and state taxing authorities to match returns with actual W-2s for the first time.

The Security Summit also has a Financial Services Working Group, which explores ways to prevent criminals from using stolen identification credentials to establish financial services products such as checking accounts and prepaid cards that would allow the criminal to access the proceeds of fraudulent returns. After all, fraud may not be realized until after processing the tax return. Refunds are distributed either by check or direct deposit via ACH, which can be sent to a prepaid account (card) or traditional bank account. The IRS can't determine which account type an ACH refund is destined for since routing number and account number aren't standardized by account type, nor is there a database of routing numbers to identify prepaid accounts. Some have suggested that knowing when it is a prepaid account could be helpful in risk rating the return before sending the refund. The Financial Services Working Group has developed a standard state ACH file-naming convention so that state tax refunds can be identified by the industry in order to apply enhanced fraud filtering. Suspicious state tax refund deposits can be detected based on amounts, name matching, account type, length of relationship, and volume of deposits or withdrawals. The new format standard will strengthen fraud control systems in that all tax refund deposits will be able to be further scrutinized.

The Security Summit has a total of seven working groups, and they have their work cut out for them. While I shiver to think I could be a victim to identity theft, I support the progressive efforts to stop this crime, especially in the pre-filing and pre-refund stages so the criminals can't see a reward for their efforts.

Photo of Jessica Trundley By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 11, 2016 in ACH, consumer fraud, fraud, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 8, 2016


Will Biometrics Breed Virtual Clones?

In the middle of last November, our group, the Retail Payments Risk Forum, hosted a conference on the application of biometrics for banking applications. For me, one of the important "ah-ha" moments from the conference was hearing about the potential downside to the technology. While the various speakers and panelists certainly pointed out the powerful security improvements that could result from an increased use of biometrics, there were also thoughtful contributions about what could go wrong. To illustrate one of these downsides, let me take you back to the breach that occurred at the United States' Office of Personnel Management (OPM) earlier this year. For those who may have applied for a position with a government agency over the last 20 years or so, the form letter notifying you of the potential breach of your personal data read like this:

Since you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently (emphasis mine) limited.… If new means are identified to misuse fingerprint data, additional information and guidance will be made available.

The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.

Biometrics are sure to proliferate in the next few years. I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it. Consider a future breach and the subsequent form letter from some entity that has built biometrics into its payment process. It could include all of those things noted in the OPM excerpt above. Additionally, victims could also have to be told that their iris, facial, and voice prints along with their DNA were taken. A virtual clone masquerading as me makes me shudder. Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.

The work to advance biometric security needs not just to be focused on advancing the accuracy and efficacy of the usage, but also to have a heavy emphasis on protecting the data collected—while it's collected and used and when it's at rest, in storage. And no matter how good all of that work is, I hope that choices for transacting business remain. Cash, which requires no authentication, and paper checks, which authenticate with a signature, figure to provide useful alternatives for quite some time.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 8, 2016 in authentication, biometrics, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 1, 2016


Putting All Our Payment Eggs in a Single Basket

More than 60 percent of risk managers at financial services firms believe the probability of a global, "high-impact event" has increased of late, according to a new survey from the Depository Trust & Clearing Corporation. Worry over actual or potential cyberattacks underpins this belief. In a discussion about the survey, a colleague lamented the invention of computers and wished that our financial transactions hadn't become so dependent on technology. At first I thought to agree until it dawned on me that this thinking is tantamount to tossing the baby with the bathwater.

The problem revolves around thieves, not their tools. We have never been free from worry over theft, and this was true when our best computer was an abacus. When the Aztecs used chocolate for money, counterfeiters of the day took the cacao bean, separated the original contents from the husk, and repacked it with mud. And still, in any place where commerce is overly cash-based, thieves tend to concentrate their efforts, targeting the most vulnerable with everything from counterfeit notes to outright theft. The digital age did not usher in larceny; thieves have always stolen, and hiding from computers won't insulate us from bad guys.

But hold up, you say. A block chain—the part of bitcoin technology that ensures anonymity—just might insulate you. Not to take away hope, but what have we ever invented that hasn't been hacked, cracked, or abused? I can think of nothing, no matter how cleverly conceived or well defended, that isn't eventually defeated.

I don't despair over it all and will say why in a moment, but first I need to note that even with a long list of advances, both in how and what we exchange, the new has not eradicated the old. Coins survived the advent of paper. And despite decades-old, recurring predictions of their looming demise, both coins and paper have survived the magic of computing. As a result, despair gives way to cheer. There are options, and plenty of them.

Options—different forms of payments based on diverse platforms and premises—make for textbook risk mitigation. First of all, what survives gets better. It must so that it can survive. Consider what bills look like today, with their numerous anticounterfeiting elements, compared to what they looked like 20 years ago. Or consider when checks dominated fraud conversations and contrast that to their relative (un)importance in fraud conversations today. Moreover, multiple payment channels and options mean less concentration of risk. To the extent that cash, checks, and more remain—"cyberstuff" too, but with the cyber-world diversified, not overly consolidated—risk can be spread and hence reduced.

An advanced society that wants to endure, stay resilient and strong cannot rely on only one means of exchange based on only one platform. For those wishing for one or just fewer, more modern payment solutions (with apologies to all paper haters), my advice is be careful what you wish for. For the average consumer, my advice is pay attention to the "payments intelligentsia" and be wary of pushes for an advanced, universal, singular way to do payments. Be particularly wary of changes that aren't being called for by the market itself. We can never eliminate risk but we can mitigate it and minimize the extent that bad people can create widespread trouble.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 1, 2016 in cybercrime, fraud, identity theft, innovation, payments risk | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 19, 2016


Mobile Wallets: Is This the Year?

In our 2015 year-end retrospective post, we commented on the slow pace of adoption of mobile payments despite the introduction of several major mobile wallets. While some consumer research continues to point to widespread consumer usage of mobile wallets in the coming years, we have seen similar projections from past research fail to materialize.

So what have been the major barriers to adopting mobile wallets? And for those who have adopted them, what functions are the most important? As I have noted before, I am a firm believer in former Intel CEO Andrew Grove's 10X rule: a new technology experience must be at least 10 times better than the previous method to achieve widespread consumer adoption and usage. A number of different elements—speed, cost, convenience, personalized experience, ease of use, and so on—can all contribute to achieve that 10X factor. Another critical element is the consumer's trust in the security of the wallet to ensure that payment credentials and transaction information will not be compromised in some way. The market research and strategy firm Chadwick Martin Bailey (CMB) conducted mobile wallet research in March–April 2015 on a nationally representative sample of smartphone owners and specifically asked mobile wallet nonusers what were their particular security concerns. As the chart shows, identity theft and the interception of personal information during the transaction were the top two reasons given.

Chart-1

The tokenization of payment credentials goes a long way to providing a higher level of security, but a major educational effort is required to relay this knowledge to consumers to increase their level of confidence. The CMB study found that 58 percent of nonusers would be somewhat or extremely likely to use a wallet if tokenization of their payment account information were performed.

But is it enough to convince consumers that mobile payments are more secure to significantly speed up adoption and usage? Mobile wallet proponents have been saying for years that the mobile wallet must deliver more than just a payment function, that it should include incorporate loyalty, couponing, identification, or other functions.

So if the desired end state is known, why is it taking so long for the mobile wallet providers to achieve that winning solution? The retailer consortium MCX is going into its fourth year of development and has just recently begun a pilot program of its CurrentC wallet in the Columbus, Ohio, market. Two of MCX's owners and major U.S. retailers, Walmart and Target, have announced in the last couple of months their plans to develop and operate their own mobile wallet. While these companies still profess their support of the MCX program, have they concluded that a common mobile wallet solution among competing retailers doesn't meet all their specific needs? Or is it a desire to offer their customers a wider choice of shopping experience options and differentiate their experience? Or is it another reason altogether? Only time will tell.

So do you believe that 2016 will be the year of the mobile wallet? Let us know what you think.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 19, 2016 in consumer fraud, contactless, identity theft, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 23, 2015


Balancing Security and Friction

Several weeks ago, my colleague, Dave Lott, wrote a post addressing the question "Does More Security Mean More Friction in Payments?" Having had several weeks to ponder this concept while attending multiple payments conferences and participating in similar discussions, I can say that I believe that securing payments does mean more friction. Friction may not be seen as good for commerce, but it can be good for security. An enormous challenge that those in the payments industry face is determining the right balance of friction and security. This challenge is heightened since consumers have a range of choices in payment types, yet do not often bear financial liability for fraudulent transactions.

It is absolutely critical to secure the enrollment or provisioning of the payment instrument on the front end. However, this introduces friction before a payment transaction is even attempted. And if consumers deem the process too onerous, they can reject that payment instrument or seek alternative providers. The recent media coverage of fraud occurring through Apple Pay highlights the challenge in the onboarding process. Consumers and pundits have raved about the ease of provisioning a card to their Apple Pay wallet through what they already have on file with iTunes. But fraudsters have taken advantage of this easy onboarding process. I should stress that this isn't just a mobile payments or Apple Pay problem—fraudsters are well-versed in opening bank accounts, credit cards, and other payment instruments using synthetic or stolen identities.

Let's assume that a person's payment credentials are in fact legitimate. Verifying that legitimacy introduces more friction into the payment process. A transaction that requires no verification obviously comes with the least friction, but it is the riskiest. Signatures and PINs bring a small amount of friction to the process, with very different results in terms of fraud losses. We don't know yet what kind of friction, if any, different biometric solutions create during both provisioning and the transaction. Issuers must enable the various forms of verification, and it is up to the merchants to implement solutions that will use various verification methods. Yet consumers, who bear less of the risk of financial loss from fraudulent transactions than the merchants, can choose which payment method, and sometimes which verification method, to use—and they often do so according to the amount of friction involved, with little to no regard for the security.

Issuers and merchants will offer the right balance of friction and security based on the risks they are willing to take and the investments they make in security processes and solutions. But it is the consumer who will ultimately decide just by accepting or rejecting the options. With limited or no financial liability, consumers are often willing to trade off security in favor of less friction—and the financial institutions and merchants have to bear the losses. So I'll ask our Take On Payments readers, how do you balance friction and security in this environment?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 23, 2015 in biometrics, consumer fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb080d3a99970d

Listed below are links to blogs that reference Balancing Security and Friction:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 20, 2015


Phone Scams: Still Calling Around

With 2014 filled with news about data breaches and faster payments and new technologies trying to jumpstart various payment applications, it was easy to forget about that old-fashioned device, the telephone, and the role it can play in fraud. (It's been almost a year since I wrote the post "Phone Fraud: Now It's Personal!" about fraud schemes involving telephones.)

Pindrop Security recently released some research on the most frequent consumer phone scams, reminding us of how criminals can use a low-tech device combined with high-tech research tools to scam millions of consumers out of tens of millions of dollars each year.

We can generally place the underlying tactics of the scams into one of four categories:

  • Scare tactics. Often, the caller poses as a governmental agency official such as an IRS agent or law enforcement officer and advises the victim they have an outstanding debt or arrest warrant. The caller tells the victim to send in a certain amount of money immediately to cover the debt or pay a fine—or be arrested, have a lien placed against the home, or face other serious actions. The criminal's goal is to obtain funds directly from the victim.
  • Attractive offers. In this type of scam, the caller generally wants the victim's payment card or bank account number—although, as we outlined in an earlier post on advance fee scams, the caller may also be after direct payments. The offer may be for anything from a free vacation to a government grant, or from a reduction in the victim's mortgage or credit card interest rate. In any case, the caller insists the victim pay a handling fee. Sometimes, the caller asks questions about the victim's banking accounts to make sure the victim "qualifies" for the special offer. With the information obtained, the fraudsters generate payment transactions or use that information for future identity theft efforts.
  • High-pressure techniques. Most scams involve high-pressure techniques; the criminals want to create a sense of urgency to get the victim to act quickly, without thinking. A common scenario is when the caller tells the victim that his or her bank account or payment card has been frozen because of suspicious activity and then urges the victim to provide sensitive account information to restore the account to normal status. The caller can then use the information the victim has provided to initiate fraudulent transactions or identity theft.
  • Information-gathering. A criminal may call to get "additional" information about a customer to go into an identity profile that the criminal can use later in committing an identity theft crime. Often the criminal has already gathered some information about the targeted victim through social media or public records to weave into a cover story about why they are requesting the information to make the story more believable.

Since any of us can be a target of such calls, we must educate ourselves—and the public and our colleagues—about these scams constantly so we can all be on the alert and safeguard our accounts and personal information.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


January 20, 2015 in consumer fraud, identity theft, phone fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c73af7e5970b

Listed below are links to blogs that reference Phone Scams: Still Calling Around:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 18, 2014


Crooks Target Business Clients

Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.

Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:

  • Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
  • Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system

Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.

The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 18, 2014 in authentication, cybercrime, data security, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73e029c67970d

Listed below are links to blogs that reference Crooks Target Business Clients:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 4, 2014


Fishing for Your Private Data

fishing Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.

Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.

In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the email, and without opening any attachments.

In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.

Photo of Deborah Shaw

August 4, 2014 in banks and banking, consumer fraud, consumer protection, data security, fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dfaf641970d

Listed below are links to blogs that reference Fishing for Your Private Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


July 2016


Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Archives


Categories


Powered by TypePad