Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

June 6, 2016

Mobile Security and Privacy

In an earlier post, I provided some of the top-line findings from the Federal Reserve Board of Governors' recently released Consumers and Mobile Financial Services 2016 report. Safety and risk continue to be cited by consumers as significant barriers to their adoption of mobile banking and other new payment technology. Many consumers either don't believe that the mobile banking channel is safe or they don't understand the security features that are part of the mobile technology. The research effort probed these issues in greater detail to better understand consumer perspectives.

One of the first questions in this area asked how safe a person's personal information is when using mobile banking. As the table shows, while there has been steady positive movement over the last three years in getting many consumers to feel their personal information is safe, there remains a great challenge. A decrease of only two percentage points (42 percent in 2015 compared to a high of 44 percent in 2014) in those who believe their personal information is "somewhat unsafe" or "very unsafe" doesn't signify much advancement in the safety education efforts for these folks.

Q. How safe do you believe people's personal information is when they use mobile banking?


In a separate survey question, a slightly higher percentage of respondents (46 percent) believed that their personal information was "very unsafe" or "somewhat unsafe" when conducting a mobile point-of-service transaction at a store.

With 15 percent of the respondents indicating they "don't know," the survey illustrates the need for additional education about the security aspects of mobile banking and payment technology. The research showed that among those with mobile phones and bank accounts, mobile banking users had more confidence in the security of mobile banking transactions than non-users. Only 3 percent of mobile banking users thought that their personal information was "very unsafe" when they use mobile banking, compared to 28 percent for non-users.

When mobile phone users were probed about their specific security concerns about using their mobile phone for banking or payments, their most common response was that they were concerned about all of the listed security risks. For those who chose one specific reason, they most frequently cited fears about the phone being hacked or the data being intercepted, followed by concerns about their phone being lost or stolen.

On a positive note, consumers appear to be adopting more secure mobile phone practices. The percentage of smartphone users who password-protect their phone increased to 70 percent in 2015 from 61 percent in 2013. One-third of the smartphone owners were using antimalware software or applications to protect their phone, and a similar share used an app or service to help them locate, remotely access, erase, or disable their phone in the event it is lost or stolen.

Additionally, consumers are recognizing the need for improved authentication with their banking service provider. Seventy-four percent of smartphone owners indicated they either "strongly agree" or "agree" that they would be willing to undergo additional authentication steps when they were logging in to their mobile banking service.

Other important findings are contained in the research report, so be sure to give it a good read.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 6, 2016 in malware, mobile banking, mobile payments | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 18, 2013

Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud

The Retail Payments Risk Forum and the southeastern Regional Payments Associations (RPAs) cohosted an Executive Fraud Forum at the Atlanta Fed on October 30. Forum attendees engaged with speakers and panelists on such issues as the latest payments fraud trends, legislation and regulation, and best practices for financial institutions to mitigate risk in today's dynamic payments environment.

In one session, Federal Reserve Bank of Atlanta senior examiner Tony DaSilva discussed best practices to combat cybercrime. Cybercrime remains top of mind for financial institutions because denial-of-service attacks, which overload an institution's computers so customers cannot access their account information, can affect an institution's reputation and divert attention away from account takeover attempts. Account takeover is when a fraudster uses malware to attempt to steal a customer's valid online credentials and direct payments—often via wire and ACH—out of the customer's account. DaSilva suggests that financial institutions should assume that their systems are infected, and thus constantly, proactively monitor for cybercrime.

DaSilva also highlighted the importance for an institution's board and management to understand the nature of current cyber threats, assigning adequate IT resources and using industry tools to contend with cybercrime. DaSilva also emphasized the importance of following regulatory guidance.

A critical piece of regulatory guidance in this area is the Federal Financial Institutions Examination Council's (FFIEC) 2011 supplement to its 2005 guidance, Authentication in an Internet Banking Environment. The updated guidance recognizes the changing nature of cyber threats, including account takeovers, and emphasizes three area of responsibility for institutions.

  • Periodic risk assessments, at a minimum every 12 months, are important. In these assessments, institutions should consider the current threat landscape, changes in customers, and actual incidents, and then make adjustments to customers' authentication controls
  • Layered security for high-risk Internet-based systems should at a minimum detect and respond to anomalies and have robust controls for system administrators of business clients
  • Education should focus on making consumer and business customers aware of security steps, and should explain federal consumer protection provisions, risk controls offered by the institution and relevant institution contacts

For more on this topic, view Tony DaSliva's video interview and presentation on the conference web page.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 18, 2013 in cybercrime, malware, regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 5, 2013

Gone Phishing: How Your Employees' Bad Security Habits Can Impact Your Business

Phishing is the practice of sending an e-mail that appears to originate from a legitimate representative of a company or government agency in an effort to get the recipient to click on an embedded link. The link takes the individual to a cleverly disguised imposter of a legitimate website. Here, the targeted victim is asked to enter various account credentials that the criminal records and uses later to access the individual's accounts. A refined version of phishing, known as "spear-phishing," targets specific employees to try to gain access to their companies' financial accounts or files. At mid-sized to large companies, such an e-mail could appear to be an internal directive from HR or IT.

While early phishing efforts were easier to spot through their spelling and grammatical errors or poor company logo reproductions, many criminals have become more sophisticated. They now produce well written and convincing messages with high-quality graphics that make the messages appear legitimate and create a sense of urgency. In some cases, a criminal's success in writing a convincing message comes through the practice of social engineering. He or she "researches" targeted individuals by gathering information about their interests, activities, family, and friend names, travels and other personal information through their social network sites. The criminal weaves some of this information into the phishing message. For example, if the criminal sees you are an avid golfer, you might get an e-mail that seems to be from a sporting goods company asking you to enter a sweepstakes contest to win a set of clubs. Most people would never think of providing information such as birthday, place of birth, or other personal data to a stranger they meet on the street, but often do so without hesitation on social websites.

Many employers provide periodic workplace security training including warnings not to click on links that are unknown or appear to be suspicious. Despite such efforts, an investigation conducted after a criminal online intrusion generally reveals that an employee did such a thing to start the chain of events. That employee's actions resulted in the disclosure of the information necessary to illegally access the company's accounts or to download malware into the employee's computer that sniffed for the account credential information and later relayed it to the criminal. Unfortunately, many small businesses neglect this education and find themselves victims of major financial losses that can threaten the viability of their entire businesses.

There are hardware and software solutions that provide some layer of protection to a business, but the best protection is having educated and aware employees who receive frequent training and reminders about the importance of solid workplace computer safety practices. Employees must be made to understand that lax or weak online security practices in their personal lives can be harmful to themselves and to their employers.

Tell us: how do you protect yourself and your business from phishing?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 5, 2013 in cybercrime, fraud, malware | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Gone Phishing: How Your Employees' Bad Security Habits Can Impact Your Business:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Are You the Weakest Link?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 15, 2013

Do Cyberattacks Threaten Confidence in Our Payment Systems?

This past October, former Defense Secretary and CIA Director Leon Panetta said, "A cyberattack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11." In the days leading up to this statement, multiple major U.S. banks were the targets of cyberattacks known as distributed denial of service (DDOS). In these attacks, which continue to take place on a steady basis, a bank's servers are overwhelmed by a flood of messages from networks of computers infected with malicious software (botnets) leading to website outages. Frequently, these attacks are politically motivated and are undertaken by foreign states. They are intended to be disruptive and create customer service dissatisfaction rather than to commit fraud.

At a recent conference I attended, security expert and former senior White House Advisor Richard Clarke suggested that technology and automated tools currently used to detect and prevent these attacks aren't always effective. For instance, firewalls can be penetrated and, although antivirus tools are good protection against the general hacker, they may not be as effective against the sophisticated malware that the well-organized bad guys are creating at alarming rates. The primary goal of implementing security measures is prevention, of course, but we have to be realistic in accepting there will always be some number of successful attacks requiring post attack countermeasures.

To date, these DDOS attacks have created only short-term inconveniences for consumers. I believe that consumers' overall confidence in payment systems remains high, and rightfully so. But the threat for a mass disruption to financial institutions and the payments community through a cyberattack on U.S. companies is real. Consider the potential ramifications that a nationwide cyberattack could have on the U.S. banking and payment systems. We need only look at the cash crunch that Hurricane Sandy caused to the payment system in the Northeast last October, when the area experienced prolonged electrical and resulting communication outages. The banking community, led by FS-ISAC and others, must continue its efforts to not only prevent, but also plan for a response to an extended, widespread cyberattack to avoid even worse disruptions and a subsequent loss in confidence in our payment systems.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 15, 2013 in cybercrime, malware | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Do Cyberattacks Threaten Confidence in Our Payment Systems?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 11, 2012

A human firewall? Tips to keep information secure

As we've discussed on Portals and Rails in the past, PIN cardholder verification offered by ATM and debit cards has proven superior in preventing fraudulent transactions compared to signature cardholder verification. And while a PIN is a solid fraud deterrent, it is by no means 100 percent effective in reducing fraud. As we are in the midst of ATM and Debit Card Safety Awareness Month, it is important for consumers to understand their responsibility in the fight against cardholder fraud.

Financial institutions and the ATM and debit card networks have robust fraud detection and prevention systems and measures in place. However, cardholders need to view themselves as "human firewalls" of sensitive data, including ATM and debit card information and PINs. While fraudsters have become highly sophisticated at obtaining this data, weak PIN selection and security by cardholders makes it easier for fraudsters to commit their crimes.

In today's prolific social media world, weak PINs do not just include simple numbers such as "1111" and "1234." With more information than ever about us online, a birth date, address number, or even an anniversary date could prove to be an easily guessed PIN. According to a study by a Cambridge University Computer Laboratory team, one out of every 11 wallets could contain cards with easily discovered PINs. And ATM and debit card fraud can be more costly to cardholders than credit card fraud. Fraudulent ATM and debit card transactions verified by a PIN generally carry a higher consumer liability limit than do credit card or signature debit transactions. This is especially true if a consumer fails to report a card or PIN as lost or stolen or identify a fraudulent transaction in a timely manner.

In the spirit of ATM and debit card safety awareness, we encourage all cardholders to strengthen any weak PINs as well as follow these and other suggested tips from the PULSE ATM/debit network:

  • Monitor your financial account statements.
    Many experts recommend reviewing accounts online daily so that any suspicious activity is spotted quickly. Switch from postal delivery of statements to online access or ensure that mailed statements are sent to locked boxes and not left available to fraudsters.
  • Protect your wallet, purse and PIN.
    Carry only what you need and avoid carrying items with private information such as your Social Security number. Don't share your PIN with anyone. That means don't write it down and don't give it to a clerk or anyone else to enter for you.
  • Be extra alert at ATMs.
    Don't use an ATM if it is in an unlit or hidden area. Block the keypad while entering your PIN so you can't be observed. If an ATM looks phony or has a suspicious card reader that is loose or not part of the main body of the machine, do not use it.
  • Protect your online shopping.
    Update computer anti-virus software, anti-spyware, and firewalls. New attacks come frequently, and your software provider will frequently send updates to stop them. Use only secure sites and network connections when shopping online.
  • Protect personal information online.
    Limit social media access to friends only and don't "friend" people you don't know. Fraudsters use personal information such as birth dates, family and pet names, high schools, and birth cities to "verify" your identity.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 11, 2012 in cards, consumer fraud, identity theft, malware | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference A human firewall? Tips to keep information secure:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 9, 2012

Mobile payments malware: Assault and low battery

According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and subsequently go for market size in their exploits. Within a year, he says we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview of Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.

I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.

Mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.

The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.

The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.

Who is opening spam and why?

Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections to protect data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

April 9, 2012 in malware, mobile banking, payments | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Mobile payments malware: Assault and low battery:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 9, 2010

Shopping at the Fraud Mall: Fictional fantasy or harsh reality?

One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.

Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.

In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit that travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000 with the top of the line offering belonging to a high balance account holder with several electronic withdrawals and a home banking service with a bank who has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.

Computer hacker billboard

Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.

I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conflicker were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions are premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.

Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.

Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.

The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."

Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud and protecting our assets, our people, and our reputations is going to take more time an effort than ever before.

By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Shopping at the Fraud Mall: Fictional fantasy or harsh reality?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 12, 2010

The confluence of payments, social networks, and malware: Elements of a perfect storm?

Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?

More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.


Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.


Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.

Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.

Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference The confluence of payments, social networks, and malware: Elements of a perfect storm?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 24, 2010

Bank revenues and fraud detection: A marriage made in heaven?

Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.

The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.

Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.

The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant amount of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.

Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

May 24, 2010 in account takeovers, banks and banking, malware, wire transfer fraud | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Bank revenues and fraud detection: A marriage made in heaven?:


Rob, excellent observations with which I agree in part. However, the concept I was pushing here is that banks can leverage the growing awareness of commercial fraud into fee revenue product opportunities to make a part of their business client's offering.

Posted by: richard oliver | May 24, 2010 at 02:13 PM

The detection options listed should be added but it will take time to implement them uniformly which would seem mandatory for larger clients that want the same standards across their institutions. Many of the online banking applications already have several measures available that are not used by banks that have them deployed. The security/convenience trade off decisions that banks make vary by an almost unbelievable degree.

It is my understanding that several U.S. regulatory bodies (including the Federal Reserve?) have begun discussing new security requirements for large payment transactions initiated online. Challenging each transaction initiation or every sensitive act (e.g. adding a new payee) would prevent most of the fraud seen during the last couple of years. If the challenge was conducted via another channel or out-of-band (a phone call) it would be even more effective.

Until forced, via judicial ruling or legislative action, it seems unlikely that banks will uniformly protect small business customers via any method.

Posted by: Rob | May 24, 2010 at 01:49 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

March 2017

Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  



Powered by TypePad