Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 15, 2019
The Future of Fraud in a Post-EMV Chip Environment
"Doug: Your conclusion has me worried about credit-push in an environment where payments are irrevocable." I received this brief email a few days after my latest paper was published on the Atlanta Fed website. In this paper, I explore fraud trends in countries with a fully mature, or close to it, EMV chip card environment—trends we are likely to see in the United States as our EMV chip card implementation matures.
When the topic of EMV chip card fraud comes up, the conversation nearly always makes its way to the documented shift from counterfeit card fraud to card-not-present (CNP) fraud. While that is a fair and valid conversation, times are changing, and we just may need to refocus the fraud conversation, as this email indicates—my emailer was referring to credit-push payments and the fraud that can happen, and is happening, in this environment.
Data clearly show that when countries such as the United Kingdom, France, and Australia migrated to EMV chip cards, CNP fraud rose—in some instances, dramatically. And where the data are available, we can see that the fraud rate for CNP transactions also initially rose. But over the last several years something interesting has happened. Both absolute CNP fraud and CNP fraud rates are declining in some of the countries. While these countries did not have many CNP fraud prevention techniques and tools at their disposal when they first migrated to EMV chip cards, the technology is catching up and they have more tools now. If there was any benefit for the United States from being an EMV laggard, perhaps this is it: we are better equipped to deal with CNP fraud.
But back to push payments. Authorized push payment (APP) fraud, which is a form of credit-push fraud, is a growing problem. In the United Kingdom, the real-time payment system is being used extensively to carry out this type of fraud. Just as other countries didn't have many tools to fight CNP fraud in early EMV chip adoptions, we don't have all the tools yet to mitigate APP fraud.
At the heart of APP fraud is business email compromise, which we've covered in this blog and which was the featured topic in the Atlanta Fed's most recent Economy Matters podcast episode. To read more about this particular fraud trend and other trends the U.S. payments industry should be wary of as our EMV chip card environment matures, be sure to read the paper.
Back to the email I received—it was short, but my reply was even shorter: "You should be worried."
July 8, 2019
A Tip for Summer Travel
Because I study payments, people like to brag to me about the ways they pay. "I never use cash." "I don't carry cash, even when I travel." "I buy a pack of gum with my phone." "I haven't seen a dollar bill in five years." Et cetera.
Lots of times, I get these comments while I'm traveling. Like me, the people I chat with are traveling. Handing over a bag to a skycap. Getting housekeeping services in a hotel. Eating a burger at the bar.
So please tell me, all you smartphone-carrying, thin-wallet sophisticates, how do you tip?
When I was a kid, hotel rooms had tiny paper envelopes "for the maid," my father said. Filling the envelope was the last step before loading kids and caboodle into the car. Before we got to drink Tang and eat powdered-sugar donuts, we thanked the housekeeper. Like Tang, those envelopes are becoming an artifact of the past, with the result that you might expect: declining tip income for service workers.
Plea to app developers: find a way to make it easy to tip on the go. There are plenty of tipping apps out there, and from my point of view, they work fine for relationship tips—for example, an app payment to a hair stylist. But what about the one-time tip? When I'm running for the subway I can't (or won't) stop to open or download an app and key in a dozen letters or numbers to thank Keytar Bear, a busker who performs here and there in Boston.
This brings up a key obstacle to apps for tipping: not only do I have to have the app, but the service person does also.
What could be easier to adopt and use than the $2 bill I keep in the outside pocket of my backpack for Carlos, the best guitar player in Harvard Square? I don't have to ask, "Do you accept this or that?" I don't scan or key. I just wave to Carlos, drop the cash, and keep moving.
To tip in cash, we need to carry cash. About 20 percent of respondents to the 2017 Diary of Consumer Payment Choice reported that they carried no cash on any of their three reporting days. My Atlanta Fed colleague Oz Shy cites Rule #1 of tipping: "There are no rules about tipping." So I'll offer a guideline, not a rule: "Carry a bit of cash."
If you haven't found a cashless solution, go to a bank or credit union and get yourself a stack of $2 bills (Thomas Jefferson on the front, signing of the Declaration of Independence on the back, so appropriate in July). Stash them with your carryon bag.
It's summer travel season. In 40 states, the minimum wage requirements are lower for tipped workers. How do you thank the people who made your stay clean and comfortable? How do you tip?
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 1, 2019
Ransomware: Hopefully Not Coming Soon to a Computer Near You
In March 2018, the city of Atlanta fell victim to a ransomware attack. Criminals gained access to the city's computer network and loaded the SamSam ransomware. The criminals demanded a payment of approximately $51,000 in virtual currency to provide the decryption keys necessary to regain access to the infected and locked systems. The attack laid siege to the city by rendering police, utility billing, traffic court, and other systems unusable. The city refused to pay the ransom and has since spent at least $6 million on forensic and remediation work, with as much as an additional $11 million earmarked for system upgrades and other resources to combat future attacks.
Ransomware attacks have been a growing threat. While studies such as the Symantec Internet Security Threat Report show that the overall incident rate has decreased slightly, they also indicate that the range of targets has shifted. From 2013 until last year, consumers were the most frequent targets, with ransom demands in the hundreds of dollars. In the early years of these attacks, individuals would get a message that their computers had been infected and that they had to pay a fee to download a fix. In many cases, the infection claim was false. Beginning in 2018, businesses, including municipalities, hospitals, and health care networks, have become the primary targets, with ransom demands in the tens or hundreds of thousands of dollars. Typically, the criminals demand that the ransom be paid in cryptocurrency (nearly always bitcoin). As in the Atlanta case, these attacks often prevent customers from making payments, whether for traffic violations, business permits, or even marriage licenses.
Should ransomware targets pay the ransom? Law enforcement communities officially say "no." In some cases, when victims pay the ransom, they never receive the decryption keys to regain access to their data, or the keys don't work. There is concern that payments only encourage the criminals to commit further attacks, sometimes against the same business and demanding additional money. It is not illegal for a business to make ransomware payments, and many, including Newark, New Jersey ($30,000), have done so.
Is your computer or network prepared to defend against such an attack? Ransomware attacks typically exploit weak passwords or known security vulnerabilities in applications and operating systems. Another common entry point is phishing an employee to steal legitimate system access credentials. As in business email compromise, the criminal conducts surveillance to learn about the different systems in operation and plans the initial attack to have the greatest possible impact. As we have stressed so often, prevention starts with employee education and the adoption of security best practices. In a future post, I will write about more prevention and mitigation best practices.
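One of the entry points named above, weak or guessable passwords, leaves a recognizable trace in authentication logs well before any files are encrypted: a burst of failed logins from one source, often against several account names, followed by a success. The script below is an added illustration and is not part of the original post or of any tool it mentions. It assumes a constructed, syslog-like line format (timestamp, outcome, account, source address) and constructed sample lines; the threshold and window are parameters a defender would tune to their own environment.

```python
"""Flag credential brute-force attempts in authentication logs (added example).

Groups failed logins by source address and raises one alert per source whose
failures reach a threshold inside a sliding time window, noting whether a
successful login from that source followed the burst.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data): ISO timestamp, outcome,
# account tried, and source address, in an assumed syslog-like layout.
SAMPLE_LOG = """\
2019-06-30T02:14:01 FAILED user=administrator src=203.0.113.7
2019-06-30T02:14:03 FAILED user=admin src=203.0.113.7
2019-06-30T02:14:05 FAILED user=billing src=203.0.113.7
2019-06-30T02:14:07 FAILED user=root src=203.0.113.7
2019-06-30T02:14:09 FAILED user=administrator src=203.0.113.7
2019-06-30T02:14:11 SUCCESS user=administrator src=203.0.113.7
2019-06-30T08:01:00 FAILED user=jsmith src=198.51.100.4
2019-06-30T08:45:00 FAILED user=jsmith src=198.51.100.4
2019-06-30T09:00:00 SUCCESS user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source whose failed logins reach `threshold`
    inside a sliding `window`. Each alert records the accounts tried and
    whether a successful login from that source followed the burst.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)      # src -> distinct accounts that source has tried
    alerts = {}                   # src -> alert dict (one per source)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        if rec["result"] == "FAILED":
            q = recent[src]
            q.append(ts)
            users[src].add(rec["user"])
            while ts - q[0] > window:   # age out failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "src": src, "first_failure": q[0], "last_failure": ts,
                    "failures": 0, "users_tried": set(),
                    "success_after": False, "compromised_user": None})
                alert["last_failure"] = ts
                alert["failures"] = max(alert["failures"], len(q))
                alert["users_tried"] |= users[src]
        elif src in alerts and ts - alerts[src]["last_failure"] <= window:
            # A success shortly after a burst of failures is the signal that
            # matters most: the attacker probably guessed a valid credential.
            alerts[src]["success_after"] = True
            alerts[src]["compromised_user"] = rec["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults, only the first source trips the detector: five failures in eight seconds across four account names, then a success as "administrator", which is the login a responder should treat as a likely compromise. The second source's two failures are 44 minutes apart, so they fall outside a 10-minute window and produce no alert; widening the window to an hour would flag it too, which is the trade-off between catching slow guessing and paging on ordinary typos.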
As for the Atlanta ransomware attack, last December a federal grand jury returned indictments against two foreign nationals for the attack. The grand jury indicated that these two people were also behind the April 2017 attack on Newark, New Jersey. There was hope in the law enforcement and cybersecurity communities that the indictment of these individuals would dampen enthusiasm for this threat vector, but attacks this year against Akron, Ohio (January), Albany, New York (March), and Baltimore, Maryland (May) suggest otherwise. None of these cities made any ransom payments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 24, 2019
Moving towards Electronic Social Security Number Verification
Earlier this year, a colleague wrote a Take on Payments post about synthetic identity fraud. Throughout the year, we've found ourselves talking often with representatives from law enforcement and financial institutions about the growth of this particular type of fraud. There are different estimates that try to catalogue the damage, but one that strikes me is that synthetic identity fraud could account for as much as 5 percent of uncollected debt and be responsible for approximately 20 percent of credit losses.
A major challenge to mitigating this fraud is the difficulty financial institutions and other lenders have in confirming that a social security number (SSN) being presented actually belongs to the person presenting it, that is, that the name and date of birth the applicant gives match the SSN on file. Prior to June 2011, the first three digits of the SSN indicated the state in which the number was issued, which allowed for some basic verification, but the Social Security Administration (SSA) now assigns SSNs randomly, making even this minimal form of verification impossible for any SSN issued after that date. Currently, the SSN verification process requires that the requester complete a wet-signature consent form that is submitted in hard copy to the SSA. Hardly a speedy process in a day and age when financial institutions and lenders are striving to make many lending decisions in hours or minutes, not days! But change from the SSA is in the air.
On June 7, the SSA published a notice in the Federal Register announcing initial enrollment for a new electronic consent-based SSN verification service. The notice is full of details about this program, and its initial enrollment is open to all financial institutions (FIs) and FI service providers as defined by the SSA. Participation in the pilot program requires that enrollees pay an initial administrative fee followed by volume-based pricing according to the annual number of transactions. The initial enrollment period opens on July 17 and will run through July 31. Following this period, the SSA will select a limited number of enrollees across several different categories for participation in the program, which is set to begin in June 2020. Even if an applicant company is not selected to participate in the initial program, it would be eligible to participate when the program expands. Otherwise, new applicants will have to wait until the next enrollment period, which could be as long as two years away.
This new SSA program would be a positive step toward reducing synthetic identity fraud. However, there is a balancing act between the costs for combating fraud and the actual cost of fraud. It will be interesting to follow the enrollment figures and other metrics to determine how effective this measure turns out to be. How do you feel about these efforts by the SSA?