Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


October 28, 2013

New Portals: Established Rails

Do consumers understand that the consumer protection rules that apply to a mobile payment depend on the payment source, such as a debit or credit card, and not on the portal, the mobile device? Paying for goods and services with a mobile device looks like a brand-new way to pay. But the device is merely a new portal onto the same underlying rails: traditional retail payment sources.

Mobile wallet applications, through which the consumer reaches payment options on a mobile device, are typically funded by the consumer's debit or credit card. A carrier-billing option instead lets the consumer charge a low-priced product directly to the mobile phone bill; the consumer then pays that bill by a traditional method, such as a check. A 2012 Federal Trade Commission study of the payment funding sources offered by 19 mobile providers found credit or debit cards to be the most common type, offered by 15 of them, followed by bank account debit (7), multiple funding sources (7), and billing to a mobile carrier account (4).

Financial institutions should educate their consumer customers about the rules and regulations that attach to the traditional retail payment sources behind mobile purchases. The mobile wallet is a good example. Consumers can "carry" many payment sources in a mobile wallet, but each source comes with different consumer protection provisions: the time allowed for reporting a dispute and the limits on the consumer's liability differ, for instance, between a debit card (Regulation E) and a credit card (Regulation Z). Education by banks can reduce confusion about the process a consumer must follow after a problem with a purchase, and it can make consumers aware that the rules governing a card payment apply whether the payment is made in person, over the phone, online, or from a mobile device.

Banks are in a critical position to be able to share their expertise on traditional retail payment sources as consumers increase their usage of the mobile device to initiate payments. How is your institution educating consumers about mobile payments?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 28, 2013 in consumer protection, mobile payments



October 21, 2013

Is Knowledge-Based Authentication Still Effective?

"What is your mother's maiden name? Your oldest daughter's middle name?" Online self-service pages and call centers often ask the user to answer a "secret" question or set of questions, most often when the user has forgotten an account password and needs to recover it or choose a new one. This process is called knowledge-based authentication (KBA). The assumption is that someone who knows the correct answers is the genuine accountholder.

I recently attended a security conference where a panel of authentication experts agreed that any extra protection KBA provides is minimal. The high-profile data breaches we have all read about, together with the over-sharing of personal details on social media, often make the answers to these questions easy to find. The panel called for KBA to be abandoned. Further support for that position came in a recent article by Brian Krebs (Krebs on Security) detailing how an identity theft service had broken into some of the country's largest aggregators of consumer and business information and was selling the data over the Internet, the very kind of data from which KBA questions are built.

KBA questions can be either static or dynamic. Static questions have the user choose from a list of preformulated questions, such as "What is your mother's maiden name?"; some sites let users write their own. In either case the question-and-answer pairs are normally set up when the user creates the account and picks a password. Dynamic questions are generated by the site operator from records rather than chosen by the user, usually as a series of multiple-choice questions built from data that is not readily available in the public domain, for example "Select a previous address from the list."

Formulating KBA questions is a balancing act: the answers must be easy enough for the genuine user to remember, yet hard enough that an outsider cannot find them by searching public databases and social media.

The June 2011 Federal Financial Institutions Examination Council (FFIEC) supplement to its guidance on authentication in an Internet banking environment says of basic KBA that "institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique." The guidance favors the more sophisticated dynamic questions, with this caution: "Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program." But we have to ask: have the breaches, since that guidance was issued, of the very data sources used to generate dynamic questions weakened them enough to negate their value?

Institutions can strengthen a dynamic KBA program by scoring the whole session rather than counting only right and wrong answers: timing each response (an answer that arrives faster than the question could be read, or only after a long pause, is suspicious), tallying missed questions, and folding in other session signals. A poor score can indicate that a criminal is posing as the legitimate customer.
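The static-versus-dynamic distinction above and the session-scoring idea in this paragraph, shown together as one worked example. This is added illustration code, not anything from the Atlanta Fed, the FFIEC guidance, or any vendor: the data fields, decoy pools, prompt wording, penalty weights and decision cut-offs are all assumptions, and the customer record is constructed.

```python
"""Dynamic KBA end to end: build multiple-choice challenges from account data
that is not readily public, then score the completed session on accuracy and
answer timing instead of a bare pass/fail.  Illustration only; field names,
decoys, weights and cut-offs are assumptions, not any institution's policy."""
import random
from dataclasses import dataclass


@dataclass
class Challenge:
    prompt: str
    options: list
    answer: str


@dataclass
class Answer:
    selected: str   # option the user picked
    seconds: float  # time from displaying the question to submitting it


# Assumed scoring policy: penalty points per signal and decision cut-offs.
POLICY = {
    "wrong": 40,          # each incorrect (or unanswered) question
    "too_fast": 25,       # answered faster than the options can be read
    "too_slow": 15,       # long pause suggests looking the answer up
    "fast_seconds": 2.0,
    "slow_seconds": 60.0,
    "max_wrong": 2,       # this many wrong answers fails outright
    "pass_below": 30,
    "step_up_below": 60,
}

PROMPTS = {  # assumed question wording per data field
    "previous_address": "Select a previous address from the list",
    "prior_lender": "Which of these lenders have you held an account with?",
    "vehicle": "Which of these vehicles has been registered in your name?",
}

# Constructed sample data, not real customer records.
RECORD = {
    "previous_address": "12 Oak St, Springfield",
    "prior_lender": "First Meridian Bank",
    "vehicle": "2009 Honda Civic",
}
DECOYS = {
    "previous_address": ["4 Elm Ave, Springfield", "88 Pine Rd, Shelbyville",
                         "301 Main St, Ogdenville", "7 Birch Ln, Capital City"],
    "prior_lender": ["Capital Trust", "Northside Credit Union",
                     "Lakeview Savings", "Union Commerce Bank"],
    "vehicle": ["2011 Ford Focus", "2006 Toyota Camry",
                "2012 Chevrolet Malibu", "2008 Nissan Altima"],
}


def build_challenges(record, decoys, rng, n_options=4):
    """One challenge per field: the true value mixed with plausible decoys."""
    challenges = []
    for fld, truth in record.items():
        pool = [d for d in decoys[fld] if d != truth]
        options = rng.sample(pool, n_options - 1) + [truth]
        rng.shuffle(options)  # do not leak the answer through its position
        challenges.append(Challenge(PROMPTS[fld], options, truth))
    return challenges


def score_session(challenges, answers, policy=POLICY):
    """Return (risk_score, decision, reasons); a higher score is riskier."""
    score, wrong, reasons = 0, 0, []
    for i, (ch, ans) in enumerate(zip(challenges, answers), 1):
        if ans.selected != ch.answer:
            wrong += 1
            score += policy["wrong"]
            reasons.append(f"q{i}: wrong answer")
        if ans.seconds < policy["fast_seconds"]:
            score += policy["too_fast"]
            reasons.append(f"q{i}: answered in {ans.seconds:.1f}s")
        elif ans.seconds > policy["slow_seconds"]:
            score += policy["too_slow"]
            reasons.append(f"q{i}: {ans.seconds:.0f}s pause before answering")
    skipped = len(challenges) - len(answers)
    if skipped > 0:  # abandoning the session counts against it, not as neutral
        score += policy["wrong"] * skipped
        reasons.append(f"{skipped} question(s) unanswered")
    if wrong >= policy["max_wrong"] or score >= policy["step_up_below"]:
        decision = "deny"
    elif score >= policy["pass_below"]:
        decision = "step_up"  # ask for a second factor before proceeding
    else:
        decision = "pass"
    return score, decision, reasons


def demo(seed=7):
    """Score a genuine session and an impostor's session on the same questions."""
    chs = build_challenges(RECORD, DECOYS, random.Random(seed))
    genuine = [Answer(ch.answer, 8.0) for ch in chs]
    wrong = [next(o for o in ch.options if o != ch.answer) for ch in chs]
    # Impostor guessed the first two and had the third answer ready to paste.
    impostor = [Answer(wrong[0], 6.0), Answer(wrong[1], 5.0),
                Answer(chs[2].answer, 0.6)]
    return chs, score_session(chs, genuine), score_session(chs, impostor)


if __name__ == "__main__":
    for label, result in zip(("genuine", "impostor"), demo()[1:]):
        print(label, result)
```

Run it and the genuine session scores 0 and passes, while the impostor's two wrong guesses plus a 0.6-second third answer score 105 and are denied. The point of a score rather than a pass/fail count is the middle band: a single wrong answer lands in "step_up", where the other authentication factors come in, instead of either locking out a forgetful customer or waving through a lucky guesser. The decoys must be as plausible as the truth, or the correct option gives itself away, and the truth itself is only as secret as the data source it came from.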

No matter how many questions are asked, KBA is a single authentication factor, the "something you know" factor among the three classic factors. The FFIEC recommends that higher-risk transactions also use the other factors, "something you have" and "something you are", to build a stronger security process under a layered approach.

Portals and Rails is interested in knowing how your institution currently uses KBAs, and if recent events will change their use.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 21, 2013 in authentication, data security, identity theft




The FFIEC is right. Basic challenge questions will no longer cut it. Device identification is a newer technique that fraud analysts have begun to incorporate into their strategy, but even this innovation may not be enough. As consumers demand further online and mobile platforms for banking and payments, and as fraudsters continue multiplying and focusing their efforts on these very platforms, we need to start looking for more sophisticated strategies.

Posted by: Eric Lindeen | January 7, 2014 at 01:26 PM


October 15, 2013

Fighting Counterfeit Currency and Protecting the Integrity of Our Payments System

The Federal Reserve recently introduced the redesigned $100 note into circulation and has begun an extensive public awareness campaign to acquaint consumers and merchants with the new note. The production of this note marks more than 10 years of effort and technology innovation to make U.S. currency more resistant to counterfeiting. The note incorporates two new security features: a 3-D security ribbon and a color-shifting image. These features are in addition to features such as an embedded security thread, portrait watermarks, and microprinting, introduced in the first redesigned note—the $20—back in 2003. The redesign of the $100 completes the current cycle of note redesign; there are no plans to redesign the $1 and $2 notes due to their low appeal to counterfeiters.

Fighting the constant battle against counterfeiters falls officially to the United States Secret Service, although they certainly rely on support from other federal, state, and local law enforcement agencies as well as from the general public. Many people erroneously believe the Secret Service was created in July 1865 as a reaction to President Lincoln’s assassination three months earlier. But the original mission of the Secret Service was to suppress the rampant problem of counterfeit currency being produced by the 1,600-plus private banks. The authority of the Secret Service was broadened two years later to include bootleggers, mail robbers, and others conducting fraudulent activities against the federal government. The Secret Service wasn’t given official responsibility for executive protection until the early 1900s, following the assassination of President William McKinley.

How big is the counterfeiting problem? It is constant, even though electronic financial crimes have more lucrative payoffs and are more difficult to investigate and prosecute. Over the last 10 years, the Secret Service has seized more than $295 million in counterfeit notes. The Secret Service investigates every counterfeiting report since it is often a series of individual reports that leads to a trail of counterfeiting activity by a criminal moving over a geographic area.

Criminals still employ crude counterfeiting techniques, but improvements in printer technology have made detecting counterfeit bills more difficult. Early counterfeiting deterrence relied on the skill needed to operate an offset printing press, along with the high costs of these printers. Now, the weapon of choice of counterfeiters is the advanced laser printer. Since these printers are capable of producing high-quality graphics, the development of the additional anti-counterfeiting technologies now incorporated in the new $100 note (as well as the redesigned $50, $20, $10, and $5 notes) was necessary in this continuous challenge to stay ahead of the criminals.

At Portals and Rails, we urge all financial institutions to keep talking with their consumer and business customers about the challenges counterfeit currency presents and about the steps to take if they come across a note that looks suspicious.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 15, 2013 in crime, fraud, law enforcement



October 7, 2013

Fraud Happens. So What Do You Do?

As both a data junkie and someone interested in payments fraud, I must admit that I am envious of my colleagues across the pond in the United Kingdom. Financial Fraud Action UK recently released Fraud the Facts 2013, its annual report providing insight and data on payments fraud in the U.K. financial services industry. Unfortunately, no comparable report exists in the United States.

This year's report drives home two key points that were discussed at our July 31 Improving Customer Authentication forum. First, the enrollment process is a critical initial step in securing transactions. Enrolling a fraudster can only result in fraudulent transactions. Second, consumer education remains an important aspect of mitigating fraud—a topic we at the Risk Forum have written and spoken on extensively. Despite the fact that the United Kingdom uses the EMV standard—which is based on chip card technology—overall payment card fraud increased by 14 percent from 2011 to 2012. Among its many insights, the report reinforces the idea that EMV adoption alone will not keep fraud from occurring.

Aside from the usual suspects of card-not-present (CNP) fraud and cross-border fraud in non-EMV countries, the report mentions two other contributors to payment card fraud growth that captured my attention. One, card ID theft fraud, which includes application fraud (using stolen or fake documents to open an account) and account takeover fraud (using another person’s credit or debit card account by posing as the genuine cardholder), increased by 42 percent from 2011 to 2012. Two, criminals have resorted to using "low-tech deception crimes" to convince consumers to part with their cards, PINs, and passwords.

The important takeaway I got from this report is that no matter the technology or standard used on payment cards, it remains critical to keep personally identifiable information protected and to continue to educate consumers about sound payment practices. The industry could use the most sophisticated and secure solutions to authorize and authenticate transactions, but those sophisticated, secure solutions can do very little to prevent the use of accounts established fraudulently.

Criminals are exploiting weaknesses in both the enrollment process and consumer behavior. These weaknesses are not something a chip-embedded card can solve.

So what tools can and should the industry use to prevent a criminal from using a stolen or synthetic identity to open an account? Do you think information available through social media could play a role in this process? We would value your thoughts.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 7, 2013 in authentication, cards, chip-and-pin, EMV, identity theft




While everyone is focused on the water main, there are millions of slow, steady fraud drips that aren't getting any attention: call center transactions.

Just started a subscription yesterday and read my CC# to some faceless agent in some unknown call center. Did she write it down? The call was recorded. Are the quality monitoring people writing it down and selling it?

There are solutions readily available. They are simple. They are cheap. They work. But there is no hue and cry to use them...from consumers, from banks, from regulators, or from businesses.

Until known solutions to known and supposedly big problems are implemented, the hand wringing about fraud is beginning to look like a Potemkin Village...a veneer of concern with nothing behind it.

Posted by: Dennis Adsit | October 21, 2013 at 12:12 PM
