Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


April 29, 2013

It's Time for Better Online Authentication Solutions

I recently read a news story in my daily news feed about litigation between a bank and corporate customer related to an account takeover, and the liability of the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.

Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.

Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?

Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 29, 2013 in account takeovers, cybercrime, fraud



April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally. These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

PandaLabs' 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics is used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud



April 15, 2013

Do Cyberattacks Threaten Confidence in Our Payment Systems?

This past October, former Defense Secretary and CIA Director Leon Panetta said, "A cyberattack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11." In the days leading up to this statement, multiple major U.S. banks were the targets of cyberattacks known as distributed denial of service (DDOS). In these attacks, which continue to take place on a steady basis, a bank's servers are overwhelmed by a flood of messages from networks of computers infected with malicious software (botnets) leading to website outages. Frequently, these attacks are politically motivated and are undertaken by foreign states. They are intended to be disruptive and create customer service dissatisfaction rather than to commit fraud.

At a recent conference I attended, security expert and former senior White House Advisor Richard Clarke suggested that technology and automated tools currently used to detect and prevent these attacks aren't always effective. For instance, firewalls can be penetrated and, although antivirus tools are good protection against the general hacker, they may not be as effective against the sophisticated malware that the well-organized bad guys are creating at alarming rates. The primary goal of implementing security measures is prevention, of course, but we have to be realistic in accepting there will always be some number of successful attacks requiring post-attack countermeasures.

To date, these DDOS attacks have created only short-term inconveniences for consumers. I believe that consumers' overall confidence in payment systems remains high, and rightfully so. But the threat for a mass disruption to financial institutions and the payments community through a cyberattack on U.S. companies is real. Consider the potential ramifications that a nationwide cyberattack could have on the U.S. banking and payment systems. We need only look at the cash crunch that Hurricane Sandy caused to the payment system in the Northeast last October, when the area experienced prolonged electrical and resulting communication outages. The banking community, led by FS-ISAC and others, must continue its efforts to not only prevent, but also plan for a response to an extended, widespread cyberattack to avoid even worse disruptions and a subsequent loss in confidence in our payment systems.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 15, 2013 in cybercrime, malware



April 8, 2013

Can These Three Steps Protect Your Bank Account?

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Have the availability of smartphones and their increased use for conducting social, financial, and personal business sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

[Figure: Less than 50% of Mobile Consumers Find Many Dangerous Behaviors to be Risky]

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud—or “smishing,” a term created from the abbreviation for short message service (SMS)—is now becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer. Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufacturers were to follow suit.

What can you do? Well, there are a few things, including:

  • Install a certified virus application on all family devices and set them to run weekly (many good options are free).
  • Don't change the default security restrictions by jailbreaking your device. Only download applications from a reputable vendor application marketplace (Google Play store or iTunes, for example).
  • Review and make sure you understand any pop-ups, e-mails, or texts before you click.

For more information related to account takeovers, check out the Risk Forum's recent survey paper, "Mitigating Online Account Takeovers: The Case for Education."

By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

April 8, 2013 in cybercrime, identity theft, mobile banking

