Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


April 26, 2010

Sophisticated hacking software: Making detection and prevention of online banking fraud more difficult

The story is all too common. Malicious software infiltrates an unsuspecting victim's computer. The malware steals the victim's password and user name and gains access to his or her online bank accounts. Oftentimes, the perpetrator steals the victim's funds through fraudulent wire transfers and ACH transactions, and the money ends up in accounts overseas, where the likelihood of recovery quickly diminishes. This year, banks and businesses alike experienced an increased level of cyber-attacks aimed at hijacking online banking accounts.

Although the crime itself is not new, the reason for concern is simple: hacking software is more sophisticated than ever, making detection and prevention more difficult. Because the legal boundaries for the liability of banking institutions are still evolving, this increasing sophistication poses a significant challenge.

Malicious software bypasses bank security
Some of today's most advanced malware can compromise security tokens and authentication techniques, demonstrating that even two-factor and multi-factor security techniques are vulnerable. Real-time Trojan horses—such as Clampi and Zeus—can allow the fraudster to use two- or multi-factor authentication security to steal banking credentials, thereby causing a weak link in the financial security chain. Other infections rewrite the bank's login screen that displays on the victim's computer and intercept the victim's credentials before they reach the bank's Web site.

A significant part of the growing threat to online banking is Zeus variants like the Mariposa botnet, which injects content directly into Internet pages and intercepts credentials, preventing the user from sending them to legitimate sites. Luckily, online security firms and other officials shut down the Mariposa botnet in March, but not before its impact was felt worldwide.


Identifying the weakest link
Some banks are looking beyond their own security systems and focusing on what they perceive as their weakest security link: the user. A number of types of software are available to banks to help in their efforts to combat unauthorized intrusions. For instance, one type allows banks to remotely analyze the computers of hacked customers. The customer, upon suspecting a breach, downloads the software onto his or her computer, at which point the bank performs a quick search for any digital tracks, software, or other evidence the online hackers may have left behind. The information the software gathers can better inform banks about where attacks originate, as well as patterns and trends—and, hopefully, lead to the eventual recovery of lost funds. Other types of software, designed for business banking systems, evaluate risk based on individual online actions and rate overall session activity by identifying inconsistent behaviors for each user.

So, the account has been hacked, now what?
The Electronic Funds Transfer Act and Regulation E protect consumers' online banking transactions from fraudulent electronic money transfers. Business accounts, on the other hand, must look elsewhere for similar protections. The Uniform Commercial Code Article 4A governs the allocation of fraud losses arising from funds transfers for business accounts. Under Article 4A, the bank will be held accountable for fraud losses only if it failed to follow a series of procedures, including adopting commercially reasonable security measures.

But what exactly does "commercially reasonable security measures" mean? Generally, banks have followed the practice that as long as the security the bank establishes and follows has been in line with commonly accepted commercial practices within the industry, then these security measures passed muster. Lately, however, this practice has not been as clear as it once was. In fact, this very question, that of what exactly constitutes commercially reasonable, is at the center of several ongoing lawsuits, particularly one currently being heard in a Texas court.

Will this case, and the others that will follow, reshape the approach to secure online banking by establishing new standards that outline what counts as commercially reasonable security? And will those new standards require banks to upgrade to software designed to spy on the bad guys, monitor consumers' activities, or both? In reality, fraudulent penetration of banking security systems will occur no matter how sophisticated or reasonable the security measure. But as more consumers and businesses move to online banking, commercially reasonable expectations for securing online transactions should be calibrated against the technological sophistication of hackers and their software to improve detection and protection against online banking fraud.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.

April 26, 2010 in malware, online banking fraud | Permalink



April 19, 2010

Fed aids consumers by providing financial education and tools

This week's blog features a reprinted speech by Federal Reserve Chairman Bernanke on fostering financial literacy in today's economic environment and the financial literacy resources available through the Federal Reserve System. The speech highlights the importance of financial literacy and how poor financial literacy skills can heighten consumers’ vulnerability to financial fraud. The Federal Reserve encourages financial education for all and offers various resources such as online credit card calculators and interactive tools that can help consumers make sound financial choices.

The original speech was released by the Board of Governors of the Federal Reserve System and is available at: http://www.federalreserve.gov/newsevents/speech/bernanke20100413a.htm.

Chairman Ben S. Bernanke
National Bankers Association Foundation Financial Literacy Summit Reception
Washington, D.C.
April 13, 2010

Fostering Financial Literacy

It is a distinct pleasure to visit with the National Bankers Association Foundation this evening. I am very pleased to be among your honorees. The foundation does important work, including helping consumers make wise financial choices, connecting the "unbanked" with mainstream providers of financial services, and providing assistance and support to minority bankers and entrepreneurs.

April is Financial Literacy Month, and so it is fitting that you are hosting this event. I note that you also plan to hold a Financial Literacy Summit later this year on the Howard University campus. The summit will bring scholars, bankers, community activists, and others together to brainstorm strategies for educating consumers of financial products.

Many American families are struggling in the aftermath of the financial crisis, which reinforces the need for reliable and useful information to facilitate good financial choices. Helping people better understand how to borrow and save wisely and how to build personal wealth is one of the best things we can do to improve the well-being of families and communities. The foundation is making great contributions to this effort, for example, through your online library of personal finance educational materials.

The Federal Reserve very much shares your abiding interest in helping consumers successfully navigate the financial marketplace. Our approach is two-pronged. First, we work actively to foster financial and economic education. Second, recognizing that basic financial knowledge is not sufficient to keep people safe from fraud and deceptive practices, we are committed to developing and enforcing strong rules to protect consumers.

On the financial education front, examples of the Federal Reserve's many resources available to the public are

  • an online credit card calculator that helps consumers estimate how long it will take to pay off a credit card bill under different payment scenarios,
  • concise brochures—in both English and Spanish—offering consumer tips on such topics as avoiding mortgage foreclosure scams and protecting their checking accounts, and
  • interactive Web sites that provide consumers with what they need to know about new protections for credit card accounts and overdraft protection programs that recently took effect.

As for consumer protection, the Federal Reserve continues to demonstrate its commitment in this area. We have recently issued rules pertaining to mortgages, credit cards, student loans, and overdraft protection programs, among others. I should note that in recent years we have used extensive consumer testing, both to improve financial disclosures and to highlight practices that simply cannot be understood by consumers even with the best disclosures and thus must be prohibited. We've also stepped up our consumer protection supervision and enforcement, including at the nonbank subsidiaries of bank holding companies and foreign banking organizations.

Again, let me congratulate the foundation for organizing tomorrow's financial literacy summit and for all the good work that it does. I would also like to recognize and congratulate the others honored this evening—John Bryant, founder of Operation Hope; the late Jack Kemp, who served as Secretary of Housing and Urban Development and as congressman of western New York; and Congresswoman Sheila Jackson Lee of Texas. It is wonderful to see so many individuals and organizations working toward the common goal of helping Americans make the best choices for their financial futures.

Thank you again.

April 19, 2010 in consumer protection | Permalink



April 12, 2010

Financial literacy for Gen Y: Beyond teaching the basics of how alerts can help combat fraud

April is National Financial Literacy Month. In recognition of the importance of financial literacy, throughout the month of April we will feature blogs discussing the benefits of financial training.

According to a recent study conducted by Cisco, the top priorities for Gen Y (generally those ages 18–29) include debt reduction and financial education. Gen Y's desire for financial education is hardly surprising. What is interesting is how technology is shaping some of that education.

Why the Gen Y interest in financial education?
Gen Y has often lagged behind preceding generations in financial literacy skills. Poor financial literacy skills create greater exposure to fraud and identity theft. And financial education—especially about fraud—is news that Gen Y can use. According to Javelin Strategy & Research, young consumers are particularly interested in knowing how to combat fraud. On this topic, experience has been the teacher for many in Gen Y. For example, a recent Javelin survey shows that Gen Y consumers had a higher incidence of debit card fraud than any other group.

Existing Debit Card Frauds vs. Existing Credit Card Frauds

Non-traditional teaching methods
The financial industry is enlisting technical creativity in hopes of enhancing its education efforts to Gen Y, a demographic described as liking its words abbreviated and its communications instantaneous. As a result, the industry is using virtual mediums such as video games and interactive websites. Financial institutions and private companies have joined the virtual space frenzy by offering various forms of interactive financial education platforms geared toward teaching young adults about money management. One organization, Doorways to Dreams (D2D), uses video games to teach simple financial lessons about credit and debit card management, personal budgeting, and awareness of expensive pitfalls such as payday lending.

Deputizing Gen Y in the fight against fraud
Alerts are an important money management tool because they give Gen Y more control over their finances. Alerts also allow Gen Y to share the responsibility of monitoring for fraudulent activity with their financial institution. Alerts are generally triggered by unique parameters set by the account holder, for instance, to warn when deposits or withdrawals occur, or when an account balance is dangerously low and at risk of having insufficient funds. These tools may also provide notice against unauthorized transactions. But for alerts to work as intended, Gen Y should understand their financial thresholds.

Financial literacy programs, whether taught in a classroom setting or through video games, are important because they can give Gen Y the tools needed to make wise and sound financial choices. However, financial institutions and others have the opportunity to augment their financial education programs with financial management tools such as e-mail and mobile phone alerts, which can also serve as security tools to combat fraud. If financial literacy tools can engage young adults in understanding their financial thresholds, then they will ensure that the established alert parameters will function as intended.

Education is empowering. Effective financial literacy that goes beyond basics and teaches how financial alerts can serve as useful tools to combat fraud is more than empowering—it's a sound investment for all.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.

April 12, 2010 in fraud | Permalink



April 5, 2010

Consumer confidence the key to U.S. mobile payments future

Americans may have been first to put a man on the moon, but when it comes to mobile payments, the United States takes a backseat to countries such as Finland, China, India, and the Philippines, where mobile phones are used regularly to pay for common, everyday items such as public transportation, snacks from vending machines or street vendors, expressway tolls, and newspapers.

Studies by Juniper Research predict that mobile payments for digital goods will exceed $300 billion per year globally by 2013, while mobile payments for low-value purchases will exceed $75 billion for the same period. The leading regions contributing to this phenomenon included China, North America, and Western Europe. Other studies project that widespread adoption of mobile payments in the United States will occur more slowly, taking at least another five years. Factors such as the U.S. payments infrastructure and concerns over security have stalled its adoption, but recent pilot programs for mobile payments offer signs of gaining momentum.

Creating the perfect catalyst for mobile payments
As part of a broader plan to introduce mobile payments into the United States, mobile phone companies and service operators are increasingly looking at untapped market areas and age demographics where mobile payments may spark consumer interest. Recently, we noted such interest with how funds were raised for the Haiti Relief Fund via the mobile phone. Other opportunities for mobile payments growth can occur at popular annual events such as Austin's South-by-Southwest (SXSW). The event attracts thousands of attendees (of various ages) from around the globe with an interest in music, film, and technology.

Mobile phone studies regularly reveal that most users of smartphones fall between the ages of 25 and 34, while all other age groups are close behind. And according to Javelin Strategy & Research, smartphone owners are more likely to try mobile banking and payments than basic cell phone users, making SXSW a prime opportunity for service providers to introduce the latest in mobile payments technology to mass audiences.

US Touch-Screen, Smartphone, and Total Mobile Phone Users, by Age, August 2009

Fittingly, SXSW served as a venue for testing out Apple's latest iPhone application: TabbedOut. The app allows users to order, review, and pay for tabs at participating restaurants and bars in Austin during SXSW. TabbedOut allows the consumer to retain control of the entire transaction: when to pay, review, and order food or drinks. The instant a tab is opened with a participating merchant, the stored payment information is provided upfront, and the user is able to view the tab directly from the venue’s point-of-sale system. Another mobile payments app gaining popularity, and also available in Austin, is Taxi Magic. This app allows users to reserve, pay for, and track their taxi through a mobile phone. The reservations are directly integrated with the dispatch systems of participating taxi companies.

Winning over reluctant consumers
For the value proposition of mobile payments to strike a chord with U.S. consumers, all participants—carriers, manufacturers, financial institutions, and retailers—must work collaboratively to successfully establish mobile payments as another trusted and secure payment channel. Yet in the past couple of years, consumer demand for mobile payments has been minimal.

US Mobile Payments Landscape

Is the low consumer demand an indication that consumers are waiting for the resolution of the interrelationships between ease and convenience with security and reliability, and calling for a convergence among industry stakeholders?

Envisioning the future for consumers
The continued progression of mobile payments in the United States is dependent not only on consumer demand, but also on consumer confidence that mobile payments are an effective and reliable method of payment. Pilot programs offering expedient payment ease and efficiency must also effectively address these consumer concerns. Ingenious apps and timely deployment of pilot programs that allow the use of a mobile device as a form of payment are certain to pique consumers' interest, but until the United States is closer to transitioning from cash, debit, and credit cards to mobile payments as the preferred way to pay, mobile payments will remain a novelty and less of a necessity.

By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.

April 5, 2010 in mobile payments | Permalink

