Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
August 30, 2010
Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control
NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.
In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.
Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.
Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.
ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.
Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and business is a move towards reducing fraud and risk in the ACH network.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 23, 2010
Payments Spotlight podcast explores impact of economic downturn on insider bank fraud
The recent economic crisis has taken a toll on the finances of many U.S. households. Many Americans are still grappling with unemployment, foreclosures, and lost savings. Unfortunately, these types of financial pressures can sometimes cause otherwise good people to do bad things, including steal from their employers.
Employee, or insider, fraud can be a problem for all types of organizations but may be particularly challenging for financial institutions that have the fiduciary responsibility to hold and protect their customers' money and personal information. Consequently, managing this risk is of utmost importance in maintaining the trust relationship between customer and bank.
We explored this issue and others in our interview with Shirley Inscoe, director of financial services solutions at Memento, a provider of enterprise fraud management software. Inscoe previously spent 29 years in the banking industry, during which she held various senior positions in payments strategy and enterprise fraud. She also recently co-authored a book on insider fraud titled Insidious: How Trusted Employees Steal Millions and Why It's So Hard for Banks to Stop Them.
Potential for insider bank fraud can reach beyond branch network
The branch network presents obvious vulnerabilities to fraud because bank employees have direct access to cash, the general ledger, customer data, and other critical systems. Consequently, most people think of tellers, customer service representatives, and branch managers as having the most opportunity to commit fraud in a bank. However, as Inscoe points out, there are many other types of employees who are involved because there are many other ways that employees of financial institutions can commit fraud.
Inscoe explains that there is opportunity for fraud in the lending area, whether it is in the form of mortgage fraud, fictitious loans, or loan lapping. Loan lapping is a scheme involving lenders who make fictitious loans over a period of time. The lender makes new loans and uses part of the proceeds to make payments on or to pay off older loans—and pockets the rest. An FBI case from earlier this year illustrates how a similar scheme can be perpetrated with certificates of deposit. A former bank employee was sentenced to 27 months in federal prison for making more than $962,000 in unauthorized withdrawals from CD accounts over a six-and-a-half year period. In this case, the employee monitored the CDs' maturity dates in order to replace what had been taken by making additional unauthorized withdrawals from other CD accounts.
Organized crime rings target bank employees for fraudulent schemes
In addition, there have been numerous cases in recent years of gangs getting involved in fraudulent bank activity. The comparative ease of committing financial crimes has made it appealing to street gangs as a way to support their other criminal activities. Inscoe related three ways that organized crime rings—both internal and external to the United States—are involved in insider bank fraud.
First, they infiltrate the financial institution by having their members hired into targeted areas of the bank. Not surprisingly, one target area is the loss prevention department. The gang members are acutely aware that this is where they can find out when the bank changes its parameters or policies on loss prevention systems so they can adapt their fraud attempts accordingly.
Second, gang members use threats to coerce bank employees into committing fraud. They may threaten the employees with kidnapping a child or loved one if the employee refuses to cooperate. Inscoe suggested that banks educate their employees about what to do if they are threatened.
Third, the gangs solicit bank employees with bribes. For example, employees may be offered payment to not put a hold on a check or to approve a loan. According to Inscoe, the current economic environment has made it easier for fraudsters to find easy targets within a bank. Even the most loyal, long-standing employees may be susceptible to these types of bribes if they are experiencing financial difficulties.
Proactive approach needed to address problem
The economic downturn may have fueled more incidents of insider bank fraud, but employee fraud is an ongoing challenge for institutions of all sizes. In most cases, it will require a multi-pronged solution that involves employee training, monitoring systems, and detailed analytics. Ultimately, the institution has to assume a proactive approach in addressing the issue in order to minimize any losses and protect its customers.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
August 23, 2010 | Permalink
August 16, 2010
States tackle information security with a focus on payments fraud
In response to increased data breaches like the Heartland Payment System incident, some states have passed laws requiring businesses to comply with the Payment Card Industry Data Security Standard (PCI DSS), while others have passed laws with enhanced privacy and encryption requirements for organizations that handle consumers' credit and debit card numbers. But can state laws be changed quickly enough to keep pace with the creative approaches of individuals who commit fraud?
According to Javelin Strategy & Research's 2010 Data Breach Prevention and Response study, approximately 26 percent of U.S. consumers received data breach notifications in 2009. The study also found that one in four consumers had their credit or debit card replaced in 2009 due to security concerns. Additionally, data collected by the Identity Theft Resource Center shows that though the number of breaches may rise and fall, overall, the number data breaches has doubled since 2007.
*Adjusted Heartland number from 30 million to 130 million as per alleged breaches in Justice Department documentation.
Enhanced state encryption and payment card laws
States such as Massachusetts, Arizona, and Nevada have enacted encryption laws, while other states such as Washington and Minnesota have enacted payment card laws. However, to date, only Nevada and Washington have enacted a combination of both encryption and payment card laws.
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain personal financial data about its residents. Massachusetts' new encryption law is said to add teeth to a key requirement that many security breach notification laws lack by specifically delineating the security requirements that organizations must adopt to ensure their security measures are "reasonable" and "adequate." Some of those specifications include securing user authentication protocols, encrypting all personal information that travels across public networks and wirelessly, monitoring systems for unauthorized use or access, and updating security systems.
States that have adopted both enhanced encryption and payment card laws go a step further, requiring not only compliance with PCI DSS but also that the organization have an annual security assessment validating its compliance. The assessment must be performed annually to ensure compliance with PCI DSS.
What about out-of-state business?
Businesses that transact with consumers from one of the states that have enacted these laws may be required to comply with the new state laws. For instance, the Nevada encryption law applies to businesses in the state of Nevada but may extend its reach to businesses outside the state if they have a strong enough presence in Nevada.
Laws assign liability to payments participants
Some state laws address liability among payments participants to ensure that the participant in the best position to prevent loss carries its share, if not all, of the costs associated with the loss and subsequent loss prevention efforts. Determining which participant is responsible has undergone changes in the states that have adopted enhanced payment card laws. The states of Washington, Nevada and Minnesota, for example, make merchants who are not compliant with PCI DSS liable to financial institutions for associated costs in instances of security breaches. Washington state holds a business or processor liable to a financial institution for costs related to a data breach even if the financial institution has suffered no loss. Under Washington state's new payment card law, a vendor may also be held liable to a financial institution for damages that occurred as a direct result of the vendor's negligence.
Since the loss of data can be an indicator that fraud is being perpetrated, these latest state laws look to ensure that businesses who hold such data do so in a manner that appropriately safeguards consumers' privacy. Data breach and loss containment are ongoing challenges for organizations that handle consumers' nonpublic personal information, including credit and debit card numbers. The new encryption and payment card laws may require organizations handling consumer payments information to fundamentally reexamine their corporate security compliance obligations and evaluate the technical resources required to comply with specific state standards.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 9, 2010
Shopping at the Fraud Mall: Fictional fantasy or harsh reality?
One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.
Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.
In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit that travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000 with the top of the line offering belonging to a high balance account holder with several electronic withdrawals and a home banking service with a bank who has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.
Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.
I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conflicker were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions are premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.
Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.
Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.
The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."
Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud and protecting our assets, our people, and our reputations is going to take more time an effort than ever before.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
August 2, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud