Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« October 2013 | Main | December 2013 »

November 25, 2013

Maintaining a Strong Defense with Layered Security

A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.

This multilayered security is highly effective in today's computer age. Financial institutions that haven't done so already should institute such a strong online authentication process. This process would require an individual who needs to access an account to go through multiple layers of authentication according to the risk level associated with the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a wire transfer request for $50,000, more layers of authentication tools are appropriate and in keeping with the 2005 Federal Financial Institutions Examination Council's supplemental guidance for internet banking to implement more robust controls as the risk level of the transaction increases.

Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payment Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individuals tools based on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave pretty low scores to each individual tool, they pointed that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of these combinations would be higher.

As the table shows, only one of the tools had an average score above 5.

Output effects from alternative tax reforms

We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.

Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 25, 2013 in authentication, banks and banking, cybercrime | Permalink


Interesting that Tokens scored that high. With malware bypassing them and the overhead of physical management of the hardware.

But, agree 100%...layered security is only direction to go in.

Posted by: Matthew | November 25, 2013 at 09:24 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 18, 2013

Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud

The Retail Payments Risk Forum and the southeastern Regional Payments Associations (RPAs) cohosted an Executive Fraud Forum at the Atlanta Fed on October 30. Forum attendees engaged with speakers and panelists on such issues as the latest payments fraud trends, legislation and regulation, and best practices for financial institutions to mitigate risk in today's dynamic payments environment.

In one session, Federal Reserve Bank of Atlanta senior examiner Tony DaSilva discussed best practices to combat cybercrime. Cybercrime remains top of mind for financial institutions because denial-of-service attacks, which overload an institution's computers so customers cannot access their account information, can affect an institution's reputation and divert attention away from account takeover attempts. Account takeover is when a fraudster uses malware to attempt to steal a customer's valid online credentials and direct payments—often via wire and ACH—out of the customer's account. DaSilva suggests that financial institutions should assume that their systems are infected, and thus constantly, proactively monitor for cybercrime.

DaSilva also highlighted the importance for an institution's board and management to understand the nature of current cyber threats, assigning adequate IT resources and using industry tools to contend with cybercrime. DaSilva also emphasized the importance of following regulatory guidance.

A critical piece of regulatory guidance in this area is the Federal Financial Institutions Examination Council's (FFIEC) 2011 supplement to its 2005 guidance, Authentication in an Internet Banking Environment. The updated guidance recognizes the changing nature of cyber threats, including account takeovers, and emphasizes three area of responsibility for institutions.

  • Periodic risk assessments, at a minimum every 12 months, are important. In these assessments, institutions should consider the current threat landscape, changes in customers, and actual incidents, and then make adjustments to customers' authentication controls
  • Layered security for high-risk Internet-based systems should at a minimum detect and respond to anomalies and have robust controls for system administrators of business clients
  • Education should focus on making consumer and business customers aware of security steps, and should explain federal consumer protection provisions, risk controls offered by the institution and relevant institution contacts

For more on this topic, view Tony DaSliva's video interview and presentation on the conference web page.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 18, 2013 in cybercrime, malware, regulations | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 12, 2013

Is Consumer Privacy Possible?

In January 1999, Scott McNealy, then chief executive officer of Sun Microsystems, told a group of analysts, "You have zero privacy anyway. Get over it." His comment caused quite a stir—at the time, most people had not yet heard the terms "big data," "data warehousing," or "data analytics."

I recently attended two conferences that had sessions on consumer privacy and data collection. All the panelists suggested that there is little data privacy for consumers anymore. And all agreed that "privacy is dead."

Four major forces have brought us to this point: technology advances, emergence of data aggregators, lack of transparency with consumers, and consumer complacency. The first force—advances in the technology of data storage—has created the environment for the other elements. The capacity of hardware to collect and store data has grown at exponential rates at the same time that the cost of that technology has plummeted. A cost analysis from Statistic Brain shows that the cost of storage per gigabyte of memory has dropped 50 percent every 14 months since 1980. Back then, a gigabyte of data storage was priced at about $438,000. Today, the price for storing a gigabyte is a mere nickel.

With the ability to store vast amounts of data so inexpensively, companies have built data warehouses to collect all types of data, ranging from government records to of consumers' product purchases at merchant locations Proponents of the data analytics business emphasize how their work can help identify fraudulent transactions through behavior anomalies and how it can help a company market more effectively. Privacy advocates express concern over how the information is used and the adequacy of safeguards to protect the data from unauthorized access.

Privacy advocates contend that most consumers have no real understanding of the information that is collected and how it is used. Indeed, disclosures are often hidden in fine print. Consumers often must accept the terms of a transaction to receive the product. How often do you click the accept box without reading the disclosure?

With support from the Federal Trade Commission, advocacy groups are working to get companies to make their consumer disclosures clearer so consumers will know exactly what information is being collected, how long it is retained, and who it is being shared with. They also want these data collectors to disclose how consumers can verify the accuracy of the information.

Are you interested in knowing what information the largest data aggregator company in the United States has on you? If so, go to Acxiom's website and scroll to the bottom of the page. You will need to register to look at your profile.

Although consumers themselves are the major source of the data being collected, many may not understand that the information they voluntarily provide on social media sites and through online browsing and purchasing activities is being tracked and collected. And consumers have consistently demonstrated a willingness to provide personal information to secure a coupon or discount.

In addition, with the increased deployment of smartphones, merchants are looking to use the mobile channel for one-to-one marketing. The success of this effort largely depends on knowing the interests of the phone owner. Such determination is made only through data collection and analytics—and these efforts are only going to intensify. This marketing element available through the mobile phone is seen as an advantage over other payment methods, and many are studying how to monetize it.

Even if the most transparent disclosures were available, do you think consumers would dramatically change their information-sharing behavior, especially when doing so would come at the expense of incentives? Or of not expressing their personal interests and posting events on social media sites? Personally, I do not think so. I believed McNealy back then and took his advice to get over it. What about you?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 12, 2013 in consumer protection, data security, privacy | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Is Consumer Privacy Possible?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts



Powered by TypePad