About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

April 24, 2017


Would Consumers Ever Give Up Their Passwords?

In a post last week, we revisited the issue of passwords and their suitability in serving as a secure authentication method for consumers to gain access to websites and applications. Payment security professionals generally agree that most consumers do not voluntarily adopt strong security practices in selecting and managing their passwords. Consumers often select easily guessed passwords and even use the same password across numerous websites. Given these tendencies, the payments industry is looking for alternative authentication methods that either consumers could adopt or the industry could perform covertly—methods that would ultimately provide for a higher level of customer authentication.

The Aite Group conducted a research study in January 2017 to understand consumer knowledge of and attitudes regarding other authentication methodologies. In particular, the study looked at responses at the generational level, with the respondent base broken into four age segments:

  • Seniors: 70+ years of age
  • Baby boomers: 53–70 years of age
  • Gen X: 37–52 years of age
  • Millennials (Gen Y): 16–36 years of age

The study revealed a universal attitude that passwords are easy to use. Only 7 percent of the seniors indicated they are difficult to use, compared to 1 percent or less for the other three groups. Millennials reuse passwords the most, with 39 percent indicating they use only one or two different passwords and more than three-fourths (77 percent) using five or fewer passwords across all their online accounts.

The participants were asked to rank the importance of different attributes in their consideration for using their financial institution's online banking service. All the age groups indicated that ease of use is topmost. While a majority within each group also cited strong security and fraud prevention as important, seniors especially indicated its importance, giving it equal weight to ease of use.

Although the majority of the respondents in each of the groups indicated some level of willingness to change their authentication method to access their bank account, there was a clear relationship between their age and their level of willingness, as the chart shows.

[Chart: willingness to change authentication method, by age segment]

So what authentication method did the segments favor? Go read the full report or wait until our next post, which will also discuss whether it will be necessary to offer consumers incentives to get them to change their habits.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 24, 2017 in authentication, biometrics

April 17, 2017


Will the Password Ever Die? Part 1

It has been less than five years since the magazine Wired, in its November 2012 cover story, called for the demise of the password. It has been more than 13 years since Bill Gates called for the elimination of the password at a 2004 RSA conference. Despite these calls to action, the user ID and password remain the most common form of authentication that consumers use online.

Why has the password continued to defy its terminal prognosis? Several reasons come to mind. It remains the most ubiquitous authentication methodology. Even when you factor in the significant costs of companies supporting the need for password resets, I suspect the ongoing operating costs are lower than for other forms of authentication. The reality is that the password is generally a sufficient security tool for accessing low-value applications.

So why is the password criticized so often? Most of the weaknesses in the password are based on the latitude that customers have with selecting and managing their passwords. Surveyed consumers claim to have security in mind when they create passwords, but we have seen the stories about the most common passwords being "password" and the numbers "1-2-3-4-5-6." There is also the practice of using the same password for multiple sites. Frequently, the consumer is not required to use special characters (or the application doesn't accept special characters), nor to change their password on a regular basis.

Despite the frequency of data breaches and all the fallout that comes from them, online merchants are extremely leery of adding additional overt authentication requirements (multi-layered or multi-factor) for fear consumers would abandon their shopping sessions. Given that merchant reluctance along with consumers' general exemption from financial liability if fraudulent transactions are made when their account is hacked and online access credentials are compromised, how likely is it that password weaknesses will improve? So what can be done to strengthen authentication and produce a higher level of confidence that the customer generating a particular transaction is, in fact, the person authorized to perform that transaction?

We will look at some research into the consumer's willingness to adopt additional or alternative authentication methods within the next few weeks. Until then, let us know your suggestions for improving consumer authentication.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 17, 2017 in authentication, consumer protection, cybercrime, data security

April 10, 2017


Catch Me If You Can

I recently became intrigued with a reality network television show that pitted teams of two everyday people (the "fugitives") against a diverse and highly experienced team of former law enforcement, military, and intelligence investigators (the "hunters"). The goal of the contest was for the fugitive team, given a one-hour head start, to elude capture for 28 days so they could collect a prize of $250,000 in the end. The fugitives were given a pot of $500, available only from an ATM, that they could use over the 28 days. But they had a $100 daily limit—and the knowledge that the hunters would be notified of the ATM location immediately. My interest was increased by the location: the fugitives' geographic boundaries were in the Southeast, with Atlanta as the hub, so there were frequent shots of local places that I recognized and had visited.

Underneath the entertainment value was a demonstration of the classic conflict between personal privacy and big-data analytics. This issue has become increasingly complicated as data collection, storage, and analytics have advanced and become less expensive, faster, and more sophisticated. At the same time, people are participating more in electronic communications, transactions, and other activities that create electronic footprints that can be tracked and analyzed. The show demonstrated these collection capabilities numerous times as the investigators pored over bank account transactions, phone records, social media, property and vehicle databases, and other information to identify clues as to the team's location or the people who might be assisting them.

Two of the nine fugitive teams were successful. In subsequent interviews, both teams cited a key factor they believed was critical to their success. They minimized or eliminated their use of cell phones, email, and social media—going off the grid—to avoid giving hints about their location. Knowing that their location would be signaled whenever they used an ATM to get money, they would have already made arrangements to leave the area immediately, before the hunters closed in. Several of the unsuccessful contestants remarked how amazed they were to discover the wide range of information the investigators were able to access about them, their family, and their friends. Some didn't know their location could be tracked through a cell phone or a photograph posted on social media.

Of course, these contestants, as well as any families and friends who might help them, had to sign numerous waivers to allow the investigators to access and collect much of this information. But how much information would be available without such a waiver or court order? In 2015, the European Union adopted an information privacy directive that is generally viewed as highly protective of an individual's privacy. In the United States, there have been discussions over recent years about similar legislation without much headway, mostly because of differences between Europe and the United States in attitudes toward data collection, as well as concerns about First Amendment infringement.

Does there need to be increased transparency by companies that collect data for marketing purposes? Would clearer disclosures make consumers less likely to participate in rewards programs and other activities that involve data collection, to closely guard their personal information and interests? As always, we welcome your feedback.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 10, 2017 in privacy

April 3, 2017


Governance Down Under

When I was a product manager responsible for faster ACH, I had a ringside seat to the lengthy maneuvering required to garner sufficient votes to mandate same-day ACH after the first attempt failed. We can anticipate similar maneuvering as we continue making fundamental improvements to payments, including the various initiatives under way around faster payments.

All of this harkens back to a compelling conference presentation that treasury representatives of a very large U.S. retailer gave several years ago. That presentation focused on the potential benefits of adopting a comprehensive, self-regulating governance model like Australia's. The Australian Payments Clearing Association (APCA) offers key payment stakeholders a seat at the table, thus balancing competing interests among parties in the payment chain.

I agree that the APCA could offer a template for any governance model being contemplated in the United States.

The APCA, to paraphrase, characterizes itself as being responsible for managing and developing regulations, procedures, policies, and standards governing payments clearing and settlement. Standing with and behind them is the authority conferred by the Reserve Bank of Australia (RBA), that country's central bank.

The 100-plus APCA members include a broad cross section of financial institutions, major retailers, and payments providers. The APCA board comprises an independent chair, the chief executive officer, two additional independent directors, eight nonvoting appointed or elected directors, and an RBA representative.

The expected completion later this year of a new payments system will be one of the APCA's more noteworthy achievements. The New Payments Platform, or NPP, will offer a low-value, faster payments service. The APCA partnered with 12 financial institutions to fund the NPP's development costs.

The APCA is divided among the following operational areas:

  • Checks
  • Direct debit/credit—the equivalent of ACH in the United States
  • Wire transfers
  • Cash—sets rules for the exchange and distribution of cash among participating financial institutions
  • Card issuers/acquirers—sponsors a forum for collaboration
  • COIN (Community of Interest Network)—offers a shared infrastructure supporting connectivity for payments such as checks, direct debit and credit, cards, bill pay, and others

Here in the United States, the Federal Reserve has already created a couple of agencies with some similar features: a task force on faster payments and another task force focused more broadly on secure payments for legacy and emerging payments. Both task forces include broad representation from financial institutions, payment providers, businesses, consumer groups, regulators, law enforcement, and others. Perhaps the biggest difference between the APCA and these two work groups is the ad-hoc, limited duration of the Fed groups and their mandate, which is limited to an advisory role. But there are some other activities that the APCA handles that here in the United States are handled by various disparate entities, a situation that hampers coordinated action.

What are your views on what, if anything, we should do to enhance payments governance in the United States?

By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 3, 2017 in payments systems, regulators

March 27, 2017


Don't Forget the Check

As the data in the recently released Federal Reserve Payments Study show, the decline of check usage continues—albeit at a slower rate than what past studies found. Despite the rapid decline in volume on the consumer side over the last 15 years, the check remains a key payment instrument for business customers. According to the study, in 2015, consumers and businesses wrote more than 19 billion checks representing $27.3 trillion.

While the share of the number of checks (12 percent) is dwarfed by the number of other noncash payments (debit/credit/prepaid card and ACH), which continue to grow, the check remains a key target of criminals. For that reason, we need to maintain, if not enhance, risk monitoring. Criminals use the check both to conduct fraudulent transactions and to launder money. The Financial Crimes Enforcement Network reports that the number of Suspicious Activity Reports (SAR) involving checks continues to increase. That number has grown more than 141 percent since 2013, as the chart shows. Also, checks are 71 percent of the total—by far the most common payment type of all the SAR categories.

[Chart: Suspicious Activity Reports involving checks, 2013 onward]

In addition, the Association for Financial Professionals notes in its 2016 Payments Fraud and Control Survey that checks remain the most targeted payment method. Seventy-one percent of the 627 responding companies reported successful or attempted check fraud on their business accounts in 2015. The survey also found that checks accounted for the largest dollar amount of loss of all the payment methods, including wire transfers. On a positive note, the percentage of companies actually suffering a financial loss from check fraud declined from 57 percent in 2013 to 43 percent in 2015.

Checks remain a target since they are so easy to counterfeit or alter compared to electronic items. While much of the risk management effort focuses on electronic payments, be sure not to forget about the paper check. It is obvious the crooks haven't.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 27, 2017 in checks, cybercrime, fraud

March 20, 2017


Fraud Reduction at the IRS: Some Happy Returns

On a regular basis, Retail Payments Risk Forum members get asked, "What is the most significant risk facing the industry today?" While we often have lively, wide-ranging discussions on payment matters, we quickly reach consensus when asked the aforementioned question. Generally speaking, we would all answer "cybersecurity" (as would many other experts).

To fully understand the significance of cybersecurity, we have to explore other root risks. For payments, one of the largest issues is cybersecurity attacks that aim to steal identities. Identity theft is not a new issue, but, more than ever, it's attached to cybersecurity. In the spirit of tax season and identity theft, I'd like to provide an update on the recent efforts of the IRS Security Summit as it works to protect the industry from identity theft related to tax fraud.

Last year was the first full year for the IRS Security Summit and its seven work groups. Thanks to this industry collaboration, the IRS received 237,750 new identity theft affidavits between January and September 2016—50 percent fewer than what the IRS received during the same period in 2015. In addition, in 2016, the IRS stopped 50 percent more fraudulent returns from processing compared to 2015, preventing $7.2 billion in fraud losses. Even more promising is that fewer fraudulent returns actually made it to the IRS in the first place.

These results show improvements at each point of the tax refund cycle by the combined efforts of tax professionals, state tax agencies, financial services partners, and designated IRS personnel. Several tactical approaches the work groups are developing include:

  • Identification of data elements transmitted on both business and individual tax returns that can be used to identify fraud
  • A program to allow financial institutions to flag suspicious refunds before they are deposited
  • The requirement for tax software products to improve password practices and customer validation procedures
  • A new W-2 verification code for taxpayer authentication
  • The External Leads Program for suspicious refund returns
  • National education and awareness campaigns
  • National Institute of Standards and Technology Cybersecurity Framework for the tax industry
  • The creation of a cyber-threat assessment tool

This year, the IRS Security Summit is continuing its work with efforts that are cyber in nature. In January, the summit launched the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (IDTTRF-ISAC). This association will issue early warnings, identify fraud schemes, assess threats, address cybersecurity issues, and provide better data for law enforcement. While the design work for the IDTTRF-ISAC is still in progress, the work group has already reviewed the sharing practices followed by the Department of Health and Human Services and the Federal Aviation Administration. Providing the tax ecosystem with a highly secure, web-based information exchange will require dedicated, well-qualified analytic and cybersecurity professionals to join an already effective, mostly volunteer task force.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 20, 2017 in cybercrime, identity theft

March 13, 2017


Phone Scams and Phishing

According to a recent report from the Anti-Phishing Working Group (APWG), more phishing attacks were recorded in 2016 than in any prior year since the group began monitoring in 2004. The APWG defines phishing as a criminal mechanism employing both social engineering, often through the use of email, and technical subterfuge to steal consumers' personal identity data and financial account credentials.

While phishing attempts through electronic channels are undoubtedly up, the telephone call remains a valuable tool for fraudsters. The Federal Trade Commission (FTC) just released its 2016 Consumer Sentinel Network Data Book and revealed that of the fraud-related complaints it received in 2016 with the method of initial contact reported, 77 percent of the respondents claimed that initial contact was made via telephone. Only 8 percent reported email as the method of initial contact. Thinking broadly about these reported trends by the APWG and the FTC, I have two observations:

  • No doubt phishing emails are a growing concern based on the data from the APWG. The FTC data just might reveal what I have been hearing for the last few years: the sophistication of phishing schemes is increasing each day. About 45 percent of the fraud complaints filed with the FTC did not report the method of initial contact. Maybe these individuals did not want to report that information. Or with the increasing sophistication of phishing emails, perhaps many of these individuals still do not realize that email was in fact the entrée for fraudsters to obtain payment, personal, or financial information. Educating the public and our employees to recognize phishing emails is vitally important.
  • Phone scams are likely to increase as chip-enabled EMV cards and their acceptance become more widely adopted, making it more difficult for fraudsters to conduct counterfeit card fraud. Look no further than the United Kingdom, where Financial Fraud Action UK's Fraud the Facts 2016 report notes that overall financial fraud increased by 26 percent from 2014 to 2015, due in large part to the growth of impersonation and deception scams. It further notes that these scams typically involve a phone call, text message, or email. With the FTC reporting a 40 percent increase from 2014 to 2016 in the number of fraud complaints in which the telephone was the initial method of contact, it is imperative for individuals to handle calls carefully before providing sensitive information.

The Retail Payments Risk Forum often stresses the importance of consumer education, as fraudsters often see the consumer as a weak link. Education is critical to preventing individuals from falling for phishing emails or phone scams. We strongly encourage individuals to exercise caution before opening attachments within emails or sharing personal or financial information over the phone. And before making good on an unexpected payment request from an email or phone call, it's a great practice to directly reach out to the payee through a known legitimate email address or phone number. For more information about recognizing and handling telephone scams, visit this FTC web page.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 13, 2017 in consumer fraud, consumer protection, phone fraud

March 6, 2017


Asset Size Matters in Survey Responses

A January post highlighted some of the key findings of the 2016 Mobile Banking and Payments Survey conducted in the Sixth District. The post and the related survey report segmented the findings between banks and credit unions to help financial institutions setting strategy for mobile banking and payment services.

As promised, we analyzed the results to each of the questions based on the reported overall asset size of the responding financial institutions broken down into five asset range segments. The table shows these segments and the percentage breakdown of the 117 respondents by each segment.

[Table: asset-size segments and the percentage of the 117 respondents in each]

You can find the supplemental data for all the survey questions here. One of the most striking differences among the segments is the institutions’ plans to offer mobile payment services. As the chart shows, the smaller the financial institution, the more likely it is to have no plans to offer mobile payment services within the next two years.

[Chart: plans to offer mobile payment services within two years, by asset-size segment]

We hope this information will help financial institutions as they evaluate and plan their mobile banking and mobile payment services. Next quarter, we will publish a report consolidating all the data received across the seven Federal Reserve districts that participated in the survey. If you have any questions concerning the Sixth District results, please let us know.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 6, 2017 in mobile banking, mobile payments

February 27, 2017


Wouldn't It Be Nice to Tap and Pay?

In the mid-2000s, after setting up a new checking account following a move, I received a debit card that, in addition to the magnetic stripe, had contactless functionality. I remember thinking how "cool" this feature would be, not having to swipe the magnetic stripe but simply tapping the card on the point-of-sale (POS) terminal. However, I quickly became disappointed, as I couldn't use the tap functionality in most places that I shopped. In the few places that did allow for taps, I don't recall the tap ever working properly. After a few months, I never attempted to tap it again and reverted to the traditional swipe.

Fast forward to 2017, and contactless card usage is surging in the United Kingdom, Australia, and Canada while remaining all but nonexistent in the United States. In November 2016, contactless cards accounted for nearly 25 percent of all card payments in the United Kingdom, up from 11 percent in November 2015. In Australia, Visa reported that 75 percent of face-to-face transactions over its network happen via its contactless solution. And in Canada, 99 percent of Mastercard's consumer credit cards are contactless-enabled. A 2016 report found that Canadian consumers were frustrated by merchants that didn't accept contactless payments. All of these countries have also gone through a migration of their payment cards to EMV chip cards. Did the United States miss a great opportunity when chip cards replaced the magnetic-stripe-only payment cards?

Interestingly, in these markets where contactless card adoption rates are surging, contactless cards are leading the contactless payment push ahead of mobile payments. In the United States, we are heading in the opposite direction, with mobile contactless attempting, and struggling, to get traction. No doubt, mobile is the more challenging environment, with a variety of form factors (iPhone, Galaxy S7, Pixel, and more), different ways that the form factor can interact with the POS terminal (such as near-field communication, magnetic secure transmission, and barcode), and a variety of different wallets compatible with the different form factors. With a contactless card, you get one form factor—a card—and one method of contactless interaction. (Multiple-interface cards can still be swiped or dipped at the POS.)

I am convinced that the investments made in mobile contactless to this point are one of several factors holding up this country's transition to a contactless card environment. Consumers are confused by the experience and merchants and issuers are struggling with the wide range of options to consider, such as which wallets to enable and which technologies to support. Contactless cards have the ability to create a ubiquitous experience for both consumers and merchants. And this writer believes that a payment experience can't get any easier than a tap of the card.

It's hard for me to believe that it has been 20 years since I received my keychain Speedpass fob. I have positive memories of the simple and seamless transactions that I experienced when purchasing gas by touching the contactless fob to the gas pump reader. Unfortunately, I moved to a location with very few stations that accepted my fob. I always wished that I could have a similar experience for other purchases. Contactless cards allow for that and in a much easier and simpler fashion than my mobile phone allows. So can we get on with contactless cards? I am ready to tap and pay everywhere. Are you?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 27, 2017 in chip-and-pin, contactless, debit cards, EMV, mobile payments

February 21, 2017


The Social Benefits of Biometrics

Based on my experience, most discussions about the authentication of individuals using a biometric modality (such as fingerprints, or voice or facial recognition) focus on key issues such as reliability, security, ease of use, cost, and privacy concerns. Certainly these are important issues, but one that is often omitted from the conversation is the use of a biometric system for health and safety purposes.

My wife and I were recently blessed with the birth of our fifth grandchild, a beautiful baby girl. During the hospital visit, the risk management side of me evaluated the security aspects of the facility. What methods prevent the accidental swapping of babies or the theft of a newborn? While the frequency of such incidents in developed countries is very low, it is a more challenging issue in developing countries where medical recordkeeping is often minimal and limited to paper documents.

Talking to the hospital staff, I found out they have a number of safeguards in place to ensure the right baby is with the right mother:

  • Wristbands with barcodes that have to be scanned each time the nurse visits their room
  • An embedded RFID transmitter in a cut-resistant bracelet on the baby's leg that allows staff to see on a locational display where the baby is at any time and to sound an alarm if the infant is taken outside the protective area

These systems link the baby to the mother, but what actually documents the identity of the baby? The paper card with the baby's left and right footprints and the mother's right thumbprint has been used for decades, but is that sufficient for the future?

This issue of infant authentication reminded me of a presentation I recently attended given by noted educator and biometrics researcher Professor Anil Jain at Michigan State University. Jain and his team worked under a grant from the Bill and Melinda Gates Foundation to develop a reliable, low-cost authentication process for young children. The primary purpose was to enable the tracking of children's vaccination schedules to ensure that the right child receives the full regimen of immunizations. One of the critical issues Jain and his team faced is the difficulty in obtaining usable fingerprints from newborns—the skin on their fingertips is pliable, which results in poor contrast between the pattern of their ridges and valleys.

The goal of the research program was to determine the earliest possible age at which reliable fingerprints could be obtained using current technology. Using a high-resolution optical reader providing a fast capture rate (infants don't like to be still for very long), the research team found that fingerprint enrollment for children older than six months provides acceptance rates of 99 percent. This method can potentially serve as a reliable authentication method for the remainder of their life. Coupled with the creation of an electronic health registry, the health care worker needs only to scan a child's finger to bring up immunization records and determine any future vaccinations required. You can find a short presentation of Jain's work here.

While the public is likely to continue to question the overall benefits of biometrics, Jain's work shows an additional use for biometrics technology. Where else might biometric programs be applied?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 21, 2017 in biometrics
