About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


July 29, 2013


Suspicious Activity Reports: What the Numbers Show

Initially intended to help law enforcement identify individuals and organizations involved in money laundering and terrorist financing, Suspicious Activity Report (SAR) filings are also used to help detect activities related to consumer fraud and identity theft. Depository institutions (DIs) and money services businesses (MSBs) together file about 98 percent of all SARs submitted annually to the Financial Crimes Enforcement Network (FinCEN). Industry groups work constantly to educate SAR filers about the types of activities they should document so that these activities can be properly tracked. FinCEN recently updated its statistics to include SAR activity in 2012; the summary volumes are shown in the chart below. The Retail Payments Risk Forum believes that ongoing education of customers, as well as DI employees, is a vital element in recognizing and mitigating fraud in our payments system. As part of that effort, I think there is benefit in examining the shifts among the different SAR activity categories and gaining an understanding of the possible reasons for these shifts.

[Chart: SAR Filings by DIs and MSBs: 2013-12]

As the above chart shows, the number of SARs filed by DIs has risen steadily over the last two years. SARs from MSBs, on the other hand, dropped 14 percent from 2011 after seeing an average annual increase of 15 percent over the previous two years. So why the ups and downs?

From a pure numbers standpoint, the answer lies in the details of the activities that can trigger a SAR. In the case of SAR filings from DIs, for example, 2012 saw a dramatic increase in identity theft and check fraud filings, while mortgage loan fraud SARs dropped. This shift reflects the increased diligence being applied to mortgage loans and the alarming growth of identity theft and check fraud incidents. By contrast, SAR filings from MSBs showed a substantial decrease in the category in which a customer reduces the amount of a money order or traveler's check purchase to avoid having to complete a funds transfer record (a reduction that still generates a SAR). One wonders whether this decrease represents progress in the fight against money laundering and terrorist financing, or whether the individuals engaged in these illegal activities have changed their money-handling tactics, performing lower-dollar transactions to avoid suspicion and identification.
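The two behaviors described above, a purchase kept just under the recordkeeping threshold and a series of smaller purchases that together cross it, are what a filer's monitoring logic has to pick out of ordinary activity. The following is an added example, not code from the post, FinCEN, or any filer, showing one way to screen a purchase log for both patterns. The $3,000 threshold, the "just under" margin of $200, the 24-hour window, and the sample transactions are all assumptions constructed for illustration; the real values come from the applicable rule and the institution's own policy.

```python
"""Possible-structuring screen over money order / traveler's check purchases.

Added example; not code from the post, FinCEN, or any filer. It models the
behaviour the post describes: a customer keeping a purchase just under the
recordkeeping threshold, plus the follow-on pattern the post wonders about,
several smaller purchases by the same customer whose total crosses it.

Assumptions (not from the post): the $3,000 threshold, the "just under"
margin, the 24-hour window, and the sample transactions, which are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3_000.00          # assumed recordkeeping threshold, in dollars
NEAR_MARGIN = 200.00          # a purchase within this much below the threshold is "just under"
WINDOW = timedelta(hours=24)  # aggregation window per customer

# Constructed sample log: (timestamp, customer_id, instrument, amount)
SAMPLE_TXNS = [
    ("2012-05-01 09:05", "C100", "money_order",     2_900.00),
    ("2012-05-01 09:40", "C100", "money_order",     2_950.00),
    ("2012-05-01 13:15", "C100", "travelers_check", 1_500.00),
    ("2012-05-01 10:00", "C200", "money_order",       500.00),
    ("2012-05-03 10:00", "C200", "money_order",       450.00),
    ("2012-05-01 11:30", "C300", "money_order",     2_990.00),
    ("2012-05-02 16:00", "C400", "money_order",     2_800.00),
    ("2012-05-04 16:00", "C400", "money_order",     2_800.00),
]


def parse_txns(txns):
    """Turn the string timestamps into datetimes and group rows by customer."""
    by_cust = defaultdict(list)
    for ts, cust, inst, amt in txns:
        by_cust[cust].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), inst, float(amt)))
    for rows in by_cust.values():
        rows.sort()  # chronological, so the sliding window below is valid
    return by_cust


def detect_structuring(txns, threshold=THRESHOLD, near_margin=NEAR_MARGIN, window=WINDOW):
    """Return {customer_id: [alert, ...]} for customers matching either rule."""
    alerts = defaultdict(list)
    for cust, rows in parse_txns(txns).items():
        # Rule 1: a single purchase kept just under the threshold.
        for ts, inst, amt in rows:
            if threshold - near_margin <= amt < threshold:
                alerts[cust].append({"rule": "near_threshold", "at": ts,
                                     "instrument": inst, "amount": amt})
        # Rule 2: two or more sub-threshold purchases inside one window whose
        # total reaches the threshold. Only the largest such window is reported
        # so one burst does not produce one alert per transaction.
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            total = sum(amt for _, _, amt in chunk)
            if (len(chunk) >= 2 and all(amt < threshold for _, _, amt in chunk)
                    and total >= threshold and (best is None or total > best["total"])):
                best = {"rule": "aggregate_in_window", "from": chunk[0][0],
                        "to": chunk[-1][0], "count": len(chunk), "total": round(total, 2)}
        if best:
            alerts[cust].append(best)
    return dict(alerts)


if __name__ == "__main__":
    for cust, found in sorted(detect_structuring(SAMPLE_TXNS).items()):
        for alert in found:
            print(cust, alert)
```

A purchase at or above the threshold is deliberately not an alert here: it simply triggers the record, which is the point of the rule. The interesting cases are the ones that stop short of it, and the aggregate rule is what catches the tactic the post speculates about, where the same customer spreads the amount over several visits.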

Every federal judicial district has a SAR review team. This team of regulators and federal and local law enforcement officers reviews SARs to determine whether to open new investigations or add the filings to existing cases. The efforts of these teams illustrate how more comprehensive reporting, improved data analysis, and stronger monitoring capabilities can help detect and address fraud and abuse within our payments system. FinCEN publishes a semiannual report, Trends, Tips & Issues, that summarizes key findings from the teams' reviews of SARs. These reports let involved parties know how they can use the information to provide greater protection to potential victims of fraud. We encourage you to read FinCEN's reports to better understand current fraud trends so you can educate your employees and customers.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 29, 2013 in money laundering, regulations, regulators | Permalink


July 22, 2013


Fighting the Enemy Within

Portals and Rails frequently focuses on external threats that pose risk for financial organizations and others involved in the payments value chain. However, insider threats can pose just as large a risk as external threats. One need look no further than the recent National Security Agency (NSA) information leak to understand the magnitude of insider risk. These risks can damage an organization's reputation and cause significant financial harm.

Although security and control procedures can mitigate the risk of insider threats, it is extremely challenging to thwart a rogue insider committed to stealing or leaking sensitive information or implanting malicious software. The following access and security management principles, while not exhaustive, provide a solid base for any organization maintaining sensitive data to mitigate the risk of an insider letting this data out the door.

  1. Never-alone: Certain sensitive and critical functions and procedures (such as modifying hardware or security software) should be carried out by more than one person, or performed by one person and then automatically reported and immediately checked by another.
  2. Access rights: Data access rights and system privileges should be based on job responsibility and the need to perform job duties properly, and they should be kept current as duties change.
  3. Limited tenure: Employees with access to sensitive data or in security-related positions should never believe their position is exclusive or permanent. Two ways to implement this: rotate employees in these roles at random intervals, and require them to take mandatory leave during which their system access is suspended.
  4. Concurrent access: An employee should not have simultaneous access to production systems and backup systems, particularly their data files and computer facilities.
  5. Close supervision: Employees with system and data access entitlements should be closely supervised and have all their system activities logged. Access to these logs should be off-limits to the employees whose activity they record. Changes to highly sensitive data records should be reported immediately to supervisors by messaging for review.
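Most of these principles can be checked mechanically against an entitlement inventory and a change log, which is how a periodic access review would actually enforce them. The following is an added example, not code from the post or from any named organization, that audits a constructed set of users and change records against all five principles and reports each finding with the principle it breaks. The role matrix, the classification of systems as production, backup, sensitive, or two-person, the 365-day tenure limit, the review date, and the sample users and changes are all assumptions constructed for illustration.

```python
"""Entitlement and change-log audit against the five principles above.

Added example; not code from the post or from any named organization. It
checks a constructed set of users and change records for violations of the
access rights, limited tenure, concurrent access, close supervision, and
never-alone principles, and reports each finding with the principle it breaks.

Assumptions (not from the post): the role matrix, which systems count as
production, backup, sensitive, or two-person, the 365-day tenure limit, the
review date, and the sample users and changes, all constructed here.
"""
from datetime import date

TODAY = date(2013, 7, 22)            # assumed review date
MAX_SENSITIVE_TENURE_DAYS = 365      # assumed limit before a rotation is due

# Principle 2: entitlements each job role legitimately needs (constructed).
ROLE_MATRIX = {
    "sysadmin":         {"prod-host", "security-software"},
    "backup-operator":  {"backup-vault"},
    "security-auditor": {"audit-log-read"},
    "teller":           {"core-banking-ui"},
}
PRODUCTION = {"prod-host", "prod-db"}                                     # principle 4
BACKUP = {"backup-vault"}                                                 # principle 4
SENSITIVE = {"prod-host", "prod-db", "security-software", "backup-vault"}  # principles 3 and 5
AUDIT_LOGS = {"audit-log-read"}                                           # principle 5
TWO_PERSON = {"prod-host", "security-software"}   # principle 1: hardware and security software

# Constructed users: role, current entitlements, and when they entered the role.
USERS = [
    {"id": "u1", "role": "sysadmin", "entitlements": {"prod-host", "security-software"},
     "role_since": date(2012, 1, 10)},
    {"id": "u2", "role": "sysadmin", "entitlements": {"prod-host", "backup-vault"},
     "role_since": date(2013, 3, 1)},
    {"id": "u3", "role": "backup-operator", "entitlements": {"backup-vault", "audit-log-read"},
     "role_since": date(2013, 5, 1)},
    {"id": "u4", "role": "teller", "entitlements": {"core-banking-ui"},
     "role_since": date(2011, 1, 1)},
    {"id": "u5", "role": "security-auditor", "entitlements": {"audit-log-read"},
     "role_since": date(2013, 1, 1)},
]

# Constructed change log: who changed a system and who (if anyone) approved it.
CHANGES = [
    {"id": "chg-1", "system": "security-software", "actor": "u1", "approver": "u2"},
    {"id": "chg-2", "system": "security-software", "actor": "u1", "approver": None},
    {"id": "chg-3", "system": "prod-host",         "actor": "u2", "approver": "u2"},
    {"id": "chg-4", "system": "core-banking-ui",   "actor": "u4", "approver": None},
]


def audit_entitlements(users, today=TODAY):
    """Check each user against principles 2 to 5; return a list of findings."""
    findings = []
    for u in users:
        ent = set(u["entitlements"])
        # 2. Access rights: anything beyond what the role needs is excess.
        excess = ent - ROLE_MATRIX.get(u["role"], set())
        if excess:
            findings.append({"subject": u["id"], "principle": "access_rights",
                             "detail": f"not in role matrix: {sorted(excess)}"})
        # 3. Limited tenure: sensitive access held too long without rotation.
        if ent & SENSITIVE and (today - u["role_since"]).days > MAX_SENSITIVE_TENURE_DAYS:
            findings.append({"subject": u["id"], "principle": "limited_tenure",
                             "detail": f"in role since {u['role_since']}"})
        # 4. Concurrent access: production and backup at the same time.
        if ent & PRODUCTION and ent & BACKUP:
            findings.append({"subject": u["id"], "principle": "concurrent_access",
                             "detail": f"{sorted(ent & PRODUCTION)} + {sorted(ent & BACKUP)}"})
        # 5. Close supervision: a privileged user must not read the logs of their own activity.
        if ent & AUDIT_LOGS and ent & SENSITIVE:
            findings.append({"subject": u["id"], "principle": "close_supervision",
                             "detail": "can read audit logs covering own privileged access"})
    return findings


def audit_changes(changes):
    """Principle 1: two-person changes need an approver who is not the actor."""
    findings = []
    for c in changes:
        if c["system"] in TWO_PERSON and (c["approver"] is None or c["approver"] == c["actor"]):
            findings.append({"subject": c["id"], "principle": "never_alone",
                             "detail": f"{c['actor']} changed {c['system']} without a second person"})
    return findings


def principles_for(findings, subject):
    """Sorted principle names flagged for one user or change id."""
    return sorted(f["principle"] for f in findings if f["subject"] == subject)


if __name__ == "__main__":
    for finding in audit_entitlements(USERS) + audit_changes(CHANGES):
        print(f"{finding['subject']:6} {finding['principle']:18} {finding['detail']}")
```

Two details matter in practice. The never-alone check treats a self-approved change the same as an unapproved one, since a second signature from the same person is no control at all. And the close-supervision check flags audit-log access only when the same user also holds privileged access, so a dedicated auditor with nothing else is not a finding.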

On the heels of the leak, the NSA director stated that the agency would institute the "never-alone" policy going forward. This approach may be better late than never, but perhaps it is a signal that the leadership of this organization recognizes and values the importance of data security, an important overarching principle in the Risk Forum's opinion.

Has your organization incorporated all or some of these principles into data access and system security procedures? What other principles has your organization put into place to mitigate insider threat to data security?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 22, 2013 in data security | Permalink


July 15, 2013


In Memory of a Beloved Colleague: Protecting Your Bank Account

This repost of a blog post, originally published on April 8, 2013, is in memory of our beloved colleague and friend, Michelle Castell. Michelle died earlier this month after a long and courageous battle against cancer. The blog summarizes a white paper Michelle wrote earlier this year concerning online account takeovers, a topic that is still timely. Michelle was new to the world of payments when she joined the Retail Payments Risk Forum in mid-2012. In her enthusiasm to learn about payments, she experimented with different payment types and channels to gain a personal understanding of how they work and the risks they pose. Michelle was immediately intrigued and concerned by the account takeover risks posed to consumers and businesses from the alarming growth of malware on mobile phones. It was through her personal and enthusiastic approach to her work that Michelle became an advocate for improved consumer education when it comes to payments security—which is the conclusion of this post and her account takeover white paper. You can find a link to the white paper at the end of the post.

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Have the availability of smartphones and their increased use for conducting social, financial, and personal business sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

[Chart: Less than 50% of Mobile Consumers Find Many Dangerous Behaviors to be Risky]

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased use of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As a result, text messaging fraud, or "smishing" (a term formed from SMS, the abbreviation for short message service, and phishing), is becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent of personal computers. It is just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer. Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-plus percent of smartphones that are unprotected will most certainly deflect attacks that could otherwise penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout, a mobile security vendor, to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step, especially if other carriers and phone manufacturers were to follow suit.

What can you do? Well, there are a few things, including:

  • Install a reputable antivirus application on all family devices and set it to scan weekly (many good options are free).
  • Don't change the default security restrictions by jailbreaking your device. Only download applications from a reputable vendor marketplace (Google Play or the Apple App Store, for example).
  • Review and make sure you understand any pop-ups, e-mails, or texts before you click.

For more information related to account takeovers, check out the Risk Forum's recent survey paper, "Mitigating Online Account Takeovers: The Case for Education."

By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 15, 2013 in cybercrime, identity theft, mobile banking | Permalink


July 8, 2013


Money Mules: Unwitting Accomplices?

Recent news articles about the two major ATM cash-out frauds that yielded $45 million for the perpetrators have noted a critical element of the global crime—the extensive network of criminals that performed thousands of cash withdrawals over a few hours at ATMs in approximately 24 countries. Known as "money mules," these individuals help transport or launder stolen money and merchandise in exchange for a small share of the ill-gotten gains.

The mules in the ATM cash-out scheme were willing participants, but in many cases, individuals serving the role of a money mule may not be aware of their criminal involvement and may even themselves become victims of fraud. The most common tactics for enlisting the help of unknowing money mules are posting work-at-home advertisements on major legitimate employment websites, purchasing pop-up ads, or sending e-mails.

Earlier recruiting efforts were easy to spot because they often used poor grammar or spelling, were not specific in describing the job, and usually based the hiring company outside the United States. More recently, recruitment efforts have used well-written ads with high-quality graphics. These ads often stress the convenience of the position for the worker and the significant earnings potential. When hired, the individual is sometimes engaged as a mystery shopper or in some similar function to make the transfer of money or goods seem normal to the business operation. Some schemes initially engage the person in conducting legitimate transactions with the goal of developing a level of comfort for the individual with the process and the promise of bigger, more lucrative transactions to come in the future.

As with many crimes involving multilevel organizations, it is not the masterminds but the money mules who are most often apprehended. They are the ones whom law enforcement officers can locate relatively easily because they are the ones who provide their financial account information or shipping address as part of the transaction. Unknowing money mules risk criminal prosecution, financial loss, and damage to their reputations. They may also themselves experience identity theft or fraud against their financial accounts because they may have provided sensitive personal information during the recruitment process.

As cybercrimes continue to spread, mule recruitment efforts will expand and probably become more sophisticated. Individuals must practice safer computer security habits, and financial institutions, consumer protection agencies, and law enforcement must continue to provide education about this type of scheme to improve everyone's ability to detect such fraud. Early detection will not only help prevent individuals from becoming unwitting accomplices but also aid law enforcement in investigating these criminal efforts.

Brian Krebs (KrebsonSecurity) has a good article, which includes a money-mule training video, providing more information about this type of crime to help individuals avoid getting caught up in one of these schemes. We welcome your suggestions on how the educational effort can be strengthened.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 8, 2013 in ATM fraud, identity theft, money laundering | Permalink


July 1, 2013


The Cost of "Free"

Many retail-centric banks have found themselves in a fee-revenue dilemma as the impact of regulations regarding overdraft fees and debit card interchange revenue begins to be felt. After decades of providing "free" services to consumers, these banks are under significant customer pressure to continue this practice even as they roll out new products and services. But this pricing model poses financial risk. The operating expenses of the bank are increasing at the same time that the banks are receiving minimal—if any—incremental revenue.

I recently participated in a conference that had a session composed of a panel of four MBA students. The goal of the session was for the audience of bankers to better understand the driving forces behind financial service decisions by the Gen Y, or millennial, customer. (I wrote a bit about this panel in a previous post.) One eye-opening statement universally shared by the panel was the expectation that mobile banking services be provided free of charge. When asked for a justification, they said that by using the mobile channel they "saved" the bank money compared with writing a check or going into a branch office. When further questioned about how the bank was going to pay for the development and operating expenses of such new products and services, their response was essentially that the bank earns sufficient revenue from its lending operations, including credit cards and installment and mortgage loans. I am sure that many other consumer segments share this attitude.

After Regulation II capped debit card interchange fees for banks with assets exceeding $10 billion, some banks announced they would begin charging a monthly debit card fee. Consumer and media response was so negative that banks withdrew the proposed fee changes. Subsequently, many banks changed their checking account service fee waiver conditions by raising minimum balance requirements, requiring other account relationships (to provide additional revenue support), or eliminating some previously bundled services. The Bankrate 2012 Checking Survey found that only 39 percent of banks were offering free checking without a minimum balance requirement or maintenance fee. This percentage is down from 45 percent in 2011 and 76 percent in 2009. Credit unions have not followed suit—the number of them offering free checking is holding fairly steady at around 72 percent.

Is there anything banks can do to shift consumers' expectations and ease some of the financial risk associated with controlling operating expense levels? We would like to hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 1, 2013 in financial services, mobile banking, regulations | Permalink
