Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
February 26, 2018
Explosive News Regarding ATMs
You've probably seen at least one video of a criminal attaching a chain from a truck to an ATM to try to pull the ATM out of its mounts. Or maybe you've seen one of someone using a sledgehammer to try to smash an ATM open. Although these types of attacks are destructive, they do not rise to the level of the explosive attacks that have been taking place in Europe, Australia, and South America—and, just recently, in the United States. Such attacks were first reported in Europe about 10 years ago, and their frequency has increased dramatically over the last several years.
I learned a bit about these and other ATM dangers at a conference I recently attended in Las Vegas on emerging functionality for ATMs and cash dispensers. One of the most interesting sessions was a presentation on ATM crimes that a U.S. Secret Service agent gave. The agent talked about the two major categories of ATM terminal crimes: logical and physical attacks. Criminals carry out logical attacks using software, skimming devices, or cameras. With software, they aim to gain access to the ATM software or operating system so they can intercept data transmissions or issue commands to dispense currency. With skimming or shimming devices and cameras, they can capture card and PIN data. A recent logical attack "jackpotted" an ATM—that was the first time in the United States that a criminal forced an ATM to dispense all its currency.
Criminals trying to blow up ATMs in Europe have predominantly used gas. They pump a combustible gas like oxyacetylene, used in welding, into the ATM enclosure through a drilled hole, currency slot, or other entry point, and then detonate it. This 2015 Bloomberg Businessweek article describes explosive attacks in England in great detail.
Unfortunately, reports indicate that solid explosives such as dynamite, explosive gel, and C4 are becoming more common in Europe and South America. In Brazil, dynamite is the predominant explosive, in part because a large supply of dynamite was stolen from a mining operation. As expected, these attacks are highly destructive, not only to the ATM but also to the surrounding building, which you can see in the photo below (this ATM attack recently took place in Atlanta). Normally these attacks are carried out at ATMs in isolated locations at off-hours. Fortunately, I have not heard of any loss of life or injuries to innocent people from these attacks.
Because the frequency of these attacks is growing, ATM manufacturers and other third parties have developed countermeasures either to detect and thwart the attacks or to reduce the monetary value of a successful attack. For gas attacks, detection sensors installed in the ATM may do several things: trigger an audible—and monitored—alarm, release a gas-suppression system to prevent detonation, open a cover to prevent the gas pressure from building to a level that will detonate, or trigger a currency-staining mechanism that would put an ink stain on the currency in the machine, neutralizing its ability to be used. Additionally, penetration mats may be installed inside the ATM fascia that could detect drilling. Regrettably, attacks with solid explosives are more difficult to mitigate, but the industry has responded with harder enclosures and currency-inking neutralization systems.
We can hope that such attacks will not grow in frequency in the United States, but security folks will probably tell us that we are being a bit Pollyannaish. Best be prepared.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 28, 2017
Are Consumers Out of Touch?
According to the Identity Theft Resource Center (ITRC), 791 data breaches occurred in the first half of 2017, an increase of 29 percent over the first half of 2016. This rising incidence of data breaches is a continuation of a trend, as the 1,093 data breaches tracked by the ITRC in 2016 represented a 40 percent increase over breaches in 2015. As data breaches continue to proliferate, I would expect consumers to be very concerned that their payment credentials (credit, debit, and bank account numbers) are at risk of being compromised. Apparently, my expectations are a bit off, which is both puzzling and alarming.
In a just-released report on a survey conducted in May, Transaction Network Services found that only 46 percent of U.S. adults believe that a data breach may have exposed their credit or debit card information. In 2015, 60 percent of the respondents had that fear. So evidence exists that data breaches are on the rise, yet consumers have less fear today than they did in the past.
In its review of the 2017 data breaches, the ITRC found that only 13 percent resulted in the exposure of card data. However, this figure is up from 10 percent in 2016. Social Security numbers appear to be the prime target, with 60 percent of breaches exposing them. Small wonder, as this information is critical for committing identity theft. Why steal a card number when you can steal a Social Security number and apply for any number of credit cards?
I would like to think that, because the industry is making great strides in improving both transaction security, with initiatives such as EMV, and data security, with encryption and tokenization, consumers are feeling that their card data is more secure than it used to be. But the pessimist in me believes that consumers may be a bit naïve about the risks associated with data breaches, and may have also been inured by the proliferating occurrences. Or maybe because of limited liability protections, consumers just don’t care about their card data falling into the wrong hands from breaches. But now is not the time for consumers to drop their guard as data breaches—more specifically, breaches of card data—are on the rise. They must continue to take steps to protect themselves from falling victim to card breaches, such as keeping debit card PINs private and examining credit card and bank statements regularly for fraudulent transactions.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 28, 2011
Gains made in reducing identity theft, but significant fraud losses still loom
Was it a mere coincidence that the day following the release of Javelin Strategy & Research's 2011 Identity Fraud Survey Report, CNBC aired American Greed: Operation Get Rich or Die Tryin'? This show examines Albert Gonzalez's hacking into computer networks of retailers (most notoriously, TJX Companies) and a payment processor (Heartland Payment Systems) and the subsequent extensive fraud using compromised credit and debit card information.
While the CNBC story was intriguing, Javelin's 2011 report just might be even more intriguing given the surprising results that identity thefts and the related losses in 2010 were at their lowest levels since 2003, when the survey began. In 2010, the incidence rate for existing card account fraud stood at a lowly 2.3 percent and only 7 percent of consumers were notified of a data breach, compared to 11 percent in 2008. While many factors are responsible for these low levels, it seems that preventive and detection measures by financial institutions, merchants, and consumers are playing a positive role. However, the fact remains that in the current magnetic-stripe environment, all parties could still experience significant losses from counterfeit cards if a large data breach were to occur.
Merchants and PCI implementation: Success in reducing data breaches
At year-end 2010, Visa reported that 96 percent of its Level 1 and 2 merchants (merchants with more than 1 million transactions a year) were compliant with the Payment Card Industry Data Security Standard (PCI DSS), and 100 percent had been validated as not storing prohibited data. For smaller merchants (Level 3 and 4), Visa reports moderate PCI DSS compliance but does not offer any figures. The CNBC special made it harrowingly clear how much card and personally identifiable data merchants and processors store, sometimes without even encrypting it. The PCI DSS was put into place not only to require the encryption of data, but also to prohibit the storage of certain sensitive cardholder authentication data such as full magnetic-stripe data, CVV2 codes, and PINs. In the event that a PCI DSS-compliant merchant is hacked, it would be much more difficult to perpetrate a fraud as extensive as the one Albert Gonzalez and his accomplices pulled off. It’s possible that these strict data standards have been effective in thwarting fraudsters and hackers.
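To make the storage prohibition concrete, here is an added example (not code from the blog or from the PCI Security Standards Council) of the kind of check a merchant's security team runs over its own stored logs and records to find sensitive authentication data that should never have been written to disk: full Track 1 or Track 2 magnetic-stripe data, CVV2 values, and PINs. The log lines, field names, and track layouts are constructed for illustration; the PANs are well-known test numbers, not real accounts. The track patterns are simplified and a Luhn check is used to suppress false positives from arbitrary digit runs.

```python
import re

# Simplified patterns for data PCI DSS says must never be stored after authorization.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})[^?]*\??")
# Card verification values and PINs written out as plain key/value fields (assumed field names).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}")
PIN_RE = re.compile(r"(?i)\bpin\b\s*[:=]\s*\d{4,12}")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check digit test."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited_data(lines):
    """Scan text records and return (line number, finding type, masked PAN or None)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = TRACK1_RE.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append((lineno, "track1", mask_pan(m.group(1))))
        m = TRACK2_RE.search(line)
        if m and luhn_ok(m.group(1)):
            findings.append((lineno, "track2", mask_pan(m.group(1))))
        if CVV_RE.search(line):
            findings.append((lineno, "cvv2", None))
        if PIN_RE.search(line):
            findings.append((lineno, "pin", None))
    return findings


# Constructed sample records: a properly masked authorization line, three debug lines
# that leaked track data, a CVV2 and a PIN, and a track-looking string that fails Luhn.
SAMPLE_RECORDS = [
    "2011-02-28T10:15:01 auth ok pan=411111******1111 exp=2512 amt=42.10",
    "2011-02-28T10:15:02 DEBUG raw=%B4111111111111111^DOE/JANE^25121011000000000000?",
    "2011-02-28T10:15:03 DEBUG swipe=;5500000000000004=25121011000000000000?",
    "2011-02-28T10:15:04 DEBUG cvv2=123 pin=1234 order=98765",
    "2011-02-28T10:15:05 DEBUG raw=%B4111111111111112^DOE/JANE^25121011000000000000?",
]

if __name__ == "__main__":
    for lineno, kind, masked in find_prohibited_data(SAMPLE_RECORDS):
        print(f"line {lineno}: prohibited {kind} data" + (f" (PAN {masked})" if masked else ""))
```

Only the first four digits of each finding's PAN are ever echoed back in masked form, so the scanner itself does not become a new place where full card numbers accumulate. The last sample line is deliberately not reported: its PAN fails the Luhn check, which is what keeps the scan from flagging every long run of digits in a log.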
Financial institutions and consumers working together to reduce detection times
Not only are the incidence of existing card account fraud and related losses stemming from identity theft at all-time lows, the detection time—and subsequent losses—for this type of fraud is significantly shorter than for existing noncard fraud and new account fraud. According to Javelin, 31 percent of all existing card fraud is detected within a day or so, and nearly another 30 percent within a week. The top three fraud detection methods as reported by Javelin are notification to a consumer by a financial institution, consumer's monitoring of accounts through paper statements, and consumer's monitoring of accounts through electronic means or ATM. With increased availability, and consumer usage, of online and mobile banking, consumers can more easily monitor their accounts and more quickly identify fraudulent transactions than with the traditional method of a monthly paper statement. Many financial institutions are also being proactive in their battle against fraud by using the mobile channel to push notification alerts of potentially fraudulent transactions to the consumer. According to Javelin's 2010 Banking Identity Safety Scorecard, 85 percent of the top 30 banks or credit unions offer mobile phone alerts.
Still vulnerable from the mag stripe, but where to go from here?
Even though we've taken great strides to reduce identity theft and related fraud losses, we can't make the same claim for card technology in the United States. As history shows us, fraudsters are often a step ahead of the industry. And unfortunately, implementation of new standards and technology is often reactive to the latest fraud rather than proactive to fraud that could happen. As long as the United States remains a magnetic-stripe country, we'll continue to have the risk for widespread fraud losses from the counterfeiting of magnetic-stripe cards.
Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States. Though much has been written about the lack of a business case for contact or contactless chip form factors in the United States, will continued mag-stripe fraud and the potential for even larger losses—all while the rest of the world migrates to chip-and-pin—finally build that case?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed