Take On Payments


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

September 21, 2015

Mimicking Mother Nature

A few months ago, we had a large colony of bats take up residence in our house. With the issue now resolved, and with everything we had to do to get rid of them, I realize how the whole experience was similar to the tactics of fraudsters and the challenges faced by their victims in taking preventive, detective and corrective action.

We learned of the initial intrusion purely by accident. Previously, we have never had any sign of vermin being able to gain entry, so I thought we had a solid defense. My wife had noticed a small amount of droppings on the back porch but we thought they were from squirrels. Imagine my shock when my adult son informed me we had been invaded by bats. He had discovered them one morning following an overnight stay. Departing for an early tee time, he noticed a swarm of bats flying into a soffit vent crevice. Incredulous, I waited for dusk only to see for myself a constant stream of small brown bats exiting the soffit crevice.

My wife went a little bat crazy as she imagined hoards bats swooping down to carry off one of our grandkids. Actually, she was more concerned about the real threat of respiratory disease from their droppings as well as the potential for rabies. We began to do some research, and I soon learned that bats are a protected species, so they cannot be disturbed unless they are posing an immediate health threat. They weren’t, since they were not in our living space. But the problem intensified, which I realized one evening when I saw an even larger colony emerging from our chimney.

We began contacting companies that specialize in wildlife removal. We found a wide variety of suggested courses of action and prices. We selected one company based on its reputation, process, guaranteed results, and pricing. The company’s first step was to inspect the entire house to identify any other potential points of entry and to seal them. We notified our neighbors so they could be on the lookout to make sure the bats didn’t settle inside their houses. The next step was to install one-way excluders that would permit the bats to leave but not get back in. This seemed to be working well until a group of the bats somehow got word they were being evicted. Trying to find another way into the house, they navigated an interior wall and became trapped. Without water, they soon died and a putrid smell began to emerge. After cutting several holes in the wall, the technicians were able to locate the source and remove the carcasses. After a couple of weeks, the excluders were removed and the entry points sealed so we thought the problem was resolved.

Imagine our further surprise when we returned from vacation and found about 50 dead bats in our unfinished basement. It seems a group had remained and found a chase route from the attic to the basement seeking water. With the disposal of those bats, the problem seems to have finally been resolved. As fall approaches and bats migrate to warmer climates, the threat diminishes, but I can assure you we will be on the alert next spring.

So how does this relate to the payments fraud environment? Some similarities:

  • We thought we had a strong defense perimeter and were safe, but the bats found a way inside given they require an opening of only three-eighths of an inch.
  • While our discovery came shortly after their initial entry, it was only by sheer luck. We could have acted earlier if we had not ignored the early warning sign of their droppings.
  • We thought we had identified the sole location of the problem, but they then migrated to a second entry point.
  • Regulations limited the potential range of actions we could take to deal with the issue.
  • We shared information about the situation with our neighbors so they could be on the alert.
  • We analyzed several different options for dealing with the issue and preventing its recurrence.
  • Despite what we thought was a successful process, other issues arose and required action before there was a final resolution.

This experience with Mother Nature has provided us a learning opportunity and we are better informed and on the alert for future such events.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 21, 2015 in fraud, regulations, risk, risk management | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 17, 2015

Pigskin and Payments

For those who know me well, they know that I find August to be the slowest-moving month of the year. It's not because of the oppressive southern heat and humidity, but rather it's my anticipation for football season. To help speed along the "dog days of summer," I generally read my fair share of prognostication publications. Alongside the predictions, improving player safety has become a key discussion topic as the season approaches.

Armed with data showing an increase in injuries as well as long-term negative effects from playing the sport, football's governing bodies on both the collegiate and professional levels are instituting rule changes to make the game safer. Equipment manufacturers are introducing new gear to improve safety and individual teams are adding new experts to their medical staffs all in the name of player safety.

Ironically, while there is a focus on improving player safety, football players continue to get stronger and faster aided by advancements in nutrition and workout regimes. As player strength and speed improves, this contact sport becomes more vicious and dangerous. And as a fan, I'll admit that I find watching a game featuring stronger and faster players more exciting. I do not want to see players injured, but at the same time I enjoy the excitement that comes with hard tackles and big hits.

Does this state of football sound at all like the current state of the U.S. payments industry? To make payments safer, public and private entities are leading literally hundreds of initiatives across various payments rails. Network rule changes are taking place and new technologies are being harnessed all in an effort to better secure payments. At the same time, start-ups, established payment companies, payment associations, and the Federal Reserve are collaborating to improve the speed of payments.

It's hard not to get excited about the possibilities of faster payments, from important just-in-time supplier payments to simple repayments for borrowing money from a friend or family member. However, can securing payments better derail the speed of payments? By way of example and personal experience, my more secure EMV (chip) credit card has clearly reduced the speed at the point-of-sale for my card payment transactions.

But just as player strength and speed has evolved alongside safety through rule-making and technology (think about leather football helmets here), I think we have seen the same progression within the payments industry. I think football remains as exciting as ever, and the payments expert in me is clearly excited about the future of payments.

Speed and safety are not to be viewed as mutually exclusive, and I am confident that the payments industry supports this view. In both football and payments, elements of risk will exist, regardless of safety measures in place. Finding the right balance between speed and safety should be the goal in order to maintain an exciting football game or efficient payments system. I can't wait to see what lies ahead on the gridiron and within the payments industry.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 17, 2015 in emerging payments, EMV, fraud, innovation, risk management | Permalink


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 4, 2015

Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.


The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Keeping Up with the Criminals: Improving Customer Authentication:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 27, 2015

Not Seeing a Tree for the Forest

For this blog's title, I confess to having pineapple-upside-down-caked the common adage "missing the forest for the trees." The thing is, I want to point to a particularly nice tree in the same day ACH (automated clearinghouse) forest. By torturing the adage I hope to inspire folks to deviate from the basic, same day forest flyover and focus on one tree. It seems to me it has not gotten all the attention due.

Those advocating for same day ACH generally tout the increased functionality or the economic benefits of the latest proposal. Another oft-mentioned benefit of the proposed rule change is that it may provide a bridge from today's payments to those of the future. However, tucked into the lush same day ACH forest is a hard-to-find risk abatement species. Allow me to point out some of its features.

Settlement—By reducing the settlement window, same day ACH reduces credit risk associated with the network ecosystem—both in terms of the length of time counterparties are exposed to settlement risk and, potentially, the total amounts of settlement risk. For sure, financial institutions will have more flexibility to better manage these circumstances.

Operations—Same day ACH provides additional processing windows that result in risk reduction opportunities. Operations managers gain the means to load balance or smooth processing volumes and may also be able to ease the pressure on deadlines. The additional processing windows can be thought of as de facto contingency alternatives and seem likely to yield a corresponding increase in reliability and quality for the ACH.

Returns—Expedited settlement means expedited return handling. same day ACH would provide the opportunity for receiving banks to return same day payments on that same day. Moreover, because return requirements are tied to settlement, any same day payment that needs to be returned to an originating bank will be received one banking day earlier than would have occurred without same day settlement. NACHA points out that exceptions may be identified sooner and returned sooner, which means resolution for more problems may begin sooner. They have described this as "a 'win-win' for all parties." It's hard to argue the point.

If it passes, same day ACH will improve the risk posture of financial institutions, benefiting both ACH payers and payees. As spring continues to unfurl, perhaps some of you will get to stroll through the woods. If you come across a particularly handsome dogwood or perhaps an eastern redbud, be reminded that the same day ACH ballot will pop later this spring. I'm keeping my fingers crossed that the woodsmen don't get to clear cut the forest this time and we don't lose any of the nice trees.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

April 27, 2015 in ACH, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Not Seeing a Tree for the Forest:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 6, 2015

What Can Parenting Teach Us about Data Security?

My older child often asks if he can play at his friend's Mac's house. If his homework is completed, my wife and I will give him the green light, as we are comfortable with where he is heading. This level of comfort comes from our due diligence of getting to know Mac's parents and even the different sitters who watch the children when Mac's parents might be working late. Things often get more challenging when he calls to tell us that he and Mac want to go to another friend's house. And this might not be the last request as our son might end up at yet another friend's house before finding his way home for dinner. We might not be familiar with these other environments beyond Mac's house so we often have to rely on other parents' or sitters' judgment and due diligence when deciding whether or not it is okay for our son to go. Regardless of under whose supervision he falls, we, as his parents, are ultimately responsible for his well-being and want to know where he is and who he is with.

As I think about my responsibility in protecting my children in their many different environments, I realize that parenting is an excellent metaphor for vendor risk management and data security. For financial institutions (FI), it is highly likely that they are intimately familiar with their core banking service providers. For merchants, the same can probably be said for their merchant acquiring relationship.

However, what about the relationships these direct vendors have with other third parties that could access your customers' valuable data? While it probably isn't feasible for FIs and merchants to be intimately familiar with the potentially hundreds of parties that have access to their information, they should be familiar with the policies and procedures and due diligence processes of their direct vendors as it relates to their vendor management programs.

In today's ever-connected world, with literally thousands of third-party solution providers, it is necessary for FIs and merchants to be familiar with who all has access to their customers' data and with the different places this data resides. Knowing this information, it is then important to assess whether or not you are comfortable with the entity you are entrusting with your customers' data. Just as I am responsible for ensuring my children's safety no matter where or who they are with, financial institutions and merchants are ultimately responsible for protecting their customers' data. This difficult endeavor should not be taken lightly. Beyond the financial risks of fraud losses associated with stolen or lost data, businesses might also be subject to compliance-related fines. And you are highly likely to take a negative hit to your reputation. What are you doing to ensure various third-parties are protecting your sensitive data?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 6, 2015 in consumer protection, data security, KYC, risk management, third-party service provider | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference What Can Parenting Teach Us about Data Security?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 30, 2015

Safely Motoring the Payments Highway

I've ridden a motorcycle for 30-plus years and, except for a slight bump from behind by a car when I was stopped at a four-way stop sign, I have a perfect safety record. Some say I'm lucky. While there is probably some element of truth to that—I've made it through a number of dangerous situations over the years—I believe my good safety record is largely because early on in my riding days, I invested in proper safety clothing and took classes in motorcycle riding skills and safety. In addition, when I've been out on the road, risk management has played an integral role in my safety: I follow the Motorcycle Safety Foundation's recommended practice of S-I-P-D-E: scan, identify, predict, decide, and execute.

I recently took advantage of an early spring day and rode the North Georgia back roads. Later that evening, when I thought back over my day, I couldn't help but think of the parallel between motorcycling risk management and payments risk management. To maintain a good safety record in both, you should practice SIPDE. Here's how SIPDE can work with payments.

Scan: Constantly examine the environment you are in. Don't focus on a particular payment method or channel or you will get target fixation and be likely to miss threats to other payment types. How often have we heard that while resources were focused on responding to a distributed denial of service attack, the criminals took advantage of the distraction and executed some unauthorized transactions? When riding, I try to always be alert and I constantly move my sight lines to spot any dangers.

Identify: As you conduct your examination, identify all potential risks. Some may be immediately apparent, and some may be hidden. Some may be major threats, and others less serious. While most of the criminal threats will come from external elements, don't forget about insider fraud.

Predict: After you have identified the risks, run through scenarios as to potential outcomes given a variety of circumstances. I sometimes change my lane position to increase my visibility and always cover the brake lever to prepare for that emergency stop. You must certainly consider the worst-case scenario, but don't forget that an accumulation of less-severe situations may result in a loss that is just as big.

Decide: After weighing all the options and the likelihood of their panning out, determine your course of action so that you're ready if one of the scenarios becomes a reality. Reaction time is critical with motorcycle riding and dealing with criminal attacks.

Execute: Put into motion that course of action to deal with the risk. This is where your training, skills, and tools come into play, helping you to properly and completely execute your plan.

Just as when I ride and the environmental factors and potential threats around me are constantly changing, such is the case in our payments environment. We must constantly use our S-I-P-D-E skills to assess and react to the environment, whether that's the road you're riding on or the payments environment you're operating in.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 30, 2015 in consumer protection, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Safely Motoring the Payments Highway:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 16, 2014

Banking on the Financial Institutions as Gatekeepers

With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.

Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.

Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.

Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)

An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.

The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.

Photo of Deborah Shaw

June 16, 2014 in banks and banking, regulations, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Banking on the Financial Institutions as Gatekeepers:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 19, 2014

Choking on the Cost of Risk Management

In March 2013, the Department of Justice (DOJ), joined by the Federal Deposit Insurance Corporation (FDIC) and the Consumer Financial Protection Bureau (CFPB), quietly launched the program “Operation Choke Point.” The program’s objective is to cut off fraudsters’ access to consumer bank accounts by restricting—or choking off—their access to the banking system. Normally the fraudsters would be the only ones complaining about officials trying to shut down their business, but this program is also creating new risk management challenges for the banking industry.

While critics of the program readily admit that criminal activities should be fully investigated and prosecuted, they contend that the program has imposed a wider, “chilling,” effect on financial institutions and their third-party payment processors. A number of financial institutions have said that the operational, compliance, and risk costs associated with the increased scrutiny outweigh the benefits of such high-risk but legal business account relationships and can result in their termination.

The agencies defend their actions, stating that the “know-your-customer” and “know-your customer’s customers” requirements have been in place for some time. They say they are targeting only processors and financial institutions that are blatantly exchanging these requirements for due diligence and compliance with the Bank Secrecy Act (BSA) for a sizable fee revenue opportunity.

By September 2013, the DOJ had issued 50 subpoenas to financial institutions and their processors citing the BSA’s requirements for a financial institution to monitor the activities of its customers and its customer’s customers for suspicious activity. In its first enforcement action of the program, in early 2014, the DOJ entered into an agreement with a holding company of a North Carolina community bank for $1.2 million in civil penalties and with certain restrictions with regards to its future processor relationships. The DOJ alleged that the holding company’s management knowingly ignored numerous warning signs that some of its processing customers had clients engaged in illegal business practices, including internet-based payday lending, gambling, and even Ponzi schemes, all to generate large amounts of account service charges and fees. A U.S. District Court judge approved the agreement on April 25 this year. However, the bank didn’t admit to anything in the DOJ complaint nor to any liability.

To help financial institutions better deal with the risk management requirements that Operation Choke Point highlights, a number of associations have developed materials or issued guidelines. An earlier Portals and Rails post discussed the reminders from NACHA on the know-your-customer’s-customer rules and the proposed rules about return item limits that could potentially signal fraudulent or deceptive practices. The Electronic Transactions Association (ETA) has recently published a best-practices guide for processor relationship onboarding and continued oversight. This document, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” is available to ETA members only, but the organization has given us permission to make the guide’s executive summary available.

Portals and Rails is interested in your thoughts on Operation Choke Point and the response by some banks, and we pose this question: Are banks properly pricing their services to the business that requires such intense risk management measures?

Photo of Deborah ShawBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 19, 2014 in banks and banking, law enforcement, regulations, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Choking on the Cost of Risk Management:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 30, 2013

Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 30, 2013 in banks and banking, consumer protection, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Securing All the Links in the Chain: Third-Party Payment Processors:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 6, 2013

Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may generally also install a pinhole camera positioned to capture the customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Staying One Step Ahead of ATM Attacks:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

November 2015

Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          



Powered by TypePad