About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


April 28, 2014


Is Personal Data Privacy Going, Going, Gone?

Since last December, it seems that not a week has gone by without a headline about another breach of consumers' payment or personal data. These articles—which are no longer limited to banking or IT industry publications—have created both weariness and concern among consumers. The market research firm GfK conducted a national survey of U.S. consumers in March 2014 to measure the impact of these breaches and better understand how consumers view and manage their personal data. They surveyed 1,000 individuals over the age of 18 and sorted the results by generation. Some of the findings I found most interesting were:

  • All generations are concerned about the protection of their personal data and, overall, 59 percent indicated that their concern has risen over the last 12 months.
    Question: Are you concerned about the protection of your personal data?
  • One-third of the survey participants indicated that they had been the victim of the misuse of their personal data at least once over the past year.
  • Over half (54 percent) of those surveyed don't believe the U.S. government is doing enough to protect their data, with two-thirds of the pre-boomers taking that position.
  • Overall, 80 percent of the respondents believe there should be additional regulations preventing organizations from reselling their personal data to third parties.
  • There is a strong demand from consumers for all consumer-facing industries to change their data privacy and personal data usage policies, but that demand is the highest for credit card companies and social networks.
  • Banks are in the top four trusted organizations regarding the protection of personal data but trailing health care organizations, online payment systems, and online retailers. Social networks, international businesses, and marketers and advertisers are the least trusted.
  • Although more than half of the participants do not agree with the tracking or recording of communication data without their permission, younger generations are not as concerned.
    Agreement with the statement: I accept that my communications data (e.g. phone, online) can be recorded without my approval to prevent crime.

So how are consumers behaving in light of this increased concern? Almost half (48 percent) indicated that they have changed their online practices and are avoiding the use of online auctions, online banking, and online social networks to reduce the likelihood that their personal data might be compromised or misused in some way. I have seen other research indicating that as much as 40 percent of a retailer's customers that have had their personal data compromised through a breach at that retailer will avoid that retailer, at least in the immediate term.

So what is the best approach to develop and maintain safeguards for consumers' personal information and transaction data? The private sector has always championed self-regulation through standards efforts such as PCI-DSS, but we all recognize that being compliant with a common minimum standard is not the same as being totally secure. There has been no shortage of recent congressional discussion on this issue, and future major breaches will likely add to the momentum such that it will be difficult to stop. Is that where you think we are headed—a regulatory fix coming from a legislative mandate? Let us hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 28, 2014 in consumer fraud, consumer protection, data security, regulations

Comments

The Target breach, in which 110 million Americans lost critical personal and financial data, is just the latest problem caused by extending legacy payment networks built in the 1960s to internet-originated payments.

In the classic New Yorker cartoon, one dog says to the other, "On the Internet, nobody knows you're a dog." Until we solve this problem, the legacy payment networks cannot be made secure. They were not architected with security built into them to do what we are doing today by extending them to payments generated from the internet. The security of any network is only as good as its weakest node. By moving access to the legacy payment systems to the internet, we added tens of millions of nodes to each legacy payment system and most of those nodes are not securely authenticated or truly secure.

A next generation payment system is required that is architected with security and encryption of all data "end to end", with no data ever “in the clear” and in which all users are "strongly authenticated". It is less expensive by orders of magnitude to build a new next generation payment system that can do that, than to retrofit one of the existing legacy payment systems, as I was once told by the former global CIO of VISA International. The existing legacy payment systems are all designed to have required information "in the clear" at multiple points in the transaction cycle.

The rapid rise of Bitcoin, despite its significant flaws, highlights the hunger in the marketplace for a better and more secure internet-based global payment system. It would be better if that next generation payment system was also bank-centric and properly regulated, none of which Bitcoin is.

FYI, the New Yorker cartoon was first published in 1994, so this problem has been building for over 20 years.

Posted by: Stephen Lange Ranzini | April 28, 2014 at 05:31 PM


April 22, 2014


My Bleeding Heart

Over the past week, there has been much discussion about the OpenSSL coding flaw, the Heartbleed bug. OpenSSL is a commonly used implementation of Secure Sockets Layer (SSL). A diverse array of devices use OpenSSL to secure Internet communications. Heartbleed could allow someone to monitor log-in transactions as well as to grab and extract confidential data from affected websites and from hardware such as servers, mobile phones, and laptops. Research indicates that as many as 20 percent of all Internet sites could have been affected by this bug, including many high-profile sites. Google confirmed that phones operating Android 4.1.1 were also vulnerable to the bug, and they will remain so until the user installs its recent patch.

If there is a silver lining from the Heartbleed bug news, perhaps it is that the largest financial institutions have indicated they are not vulnerable. Even so, many smaller and mid-size banks and credit unions could still be vulnerable. Thus, the Federal Financial Institutions Examination Council issued a release urging financial institutions to incorporate patches on systems, applications, and devices that use OpenSSL. But unfortunately, this silver lining from the large banks isn’t enough to stanch this payments risk expert’s bleeding heart.

So what's the reason for my distress if the largest banks don't appear to be vulnerable? I do not think that I am alone in admitting that I have used my credit card credentials all over the Internet. While I can count the number of cards that I have in my wallet, I couldn't begin to tell anyone the number of websites on which those card credentials have been used or stored over the last two years—which is when Heartbleed appeared. Sure, I have a few go-to sites for online shopping, as I suspect many do, but I have used my cards and created accounts on many sites that I rarely visit or maybe even just visited once for a specific purchase. Are some of these sites vulnerable to this bug? I have a sinking feeling that the answer probably is "yes." And if my log-in credentials were extracted from websites other than my financial institution's, I'll sheepishly admit that may be bad news, as I have not always followed the best practice of maintaining separate IDs and passwords for each site. Is it really feasible to do that for so many sites?

No doubt talk and discussions in the days ahead will revolve around whether or not OpenSSL is a secure implementation of the SSL and transport layer security protocols. However, I think the heart (ahem) of the discussion of the Heartbleed bug should revolve around the use of passwords and card credentials on the Internet. This bug potentially exposes the flaws of relying on user IDs and passwords and highlights the vulnerability of using sensitive card data in the online environment. These flaws are well-documented, and fortunately, solutions are being discussed to mitigate these risks. My bleeding heart anxiously awaits their implementation.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2014 in cybercrime, mobile payments


April 14, 2014


Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FIs). Dubbed "unlimited operation" by the U.S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post last May, a bank in Oman experienced this type of attack in late 2012, resulting in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude on a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.
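As an added illustration of the velocity monitoring described above, paired with a preventive check on the card management system's own limit changes (example code, not from the FFIEC release or the Atlanta Fed): the withdrawal log, limit-change audit trail, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawal log: (account, ISO timestamp, ATM country, amount).
# "A1" mimics the cash-out pattern (rapid withdrawals from many countries on one
# account); "B2" is ordinary usage.
WITHDRAWALS = [
    ("A1", "2014-04-13T01:00:00", "US", 500), ("A1", "2014-04-13T01:02:00", "GB", 500),
    ("A1", "2014-04-13T01:04:00", "DE", 500), ("A1", "2014-04-13T01:06:00", "JP", 500),
    ("A1", "2014-04-13T01:08:00", "FR", 500), ("A1", "2014-04-13T01:10:00", "CA", 500),
    ("B2", "2014-04-13T09:00:00", "US", 100), ("B2", "2014-04-13T18:30:00", "US", 60),
]
# Constructed card-parameter audit trail: (account, ISO timestamp, old limit, new limit).
LIMIT_CHANGES = [("A1", "2014-04-12T23:30:00", 500, 1000000),
                 ("B2", "2014-04-10T14:00:00", 300, 500)]

def velocity_alerts(records, window=timedelta(hours=1), max_txns=5, max_countries=3):
    """Reactive check: flag accounts whose peak withdrawal count in any sliding
    window exceeds max_txns, or that withdraw from more than max_countries."""
    by_acct = defaultdict(list)
    for acct, ts, country, amount in records:
        by_acct[acct].append((datetime.fromisoformat(ts), country, amount))
    alerts = {}
    for acct, evts in by_acct.items():
        evts.sort()
        peak, start = 0, 0
        for end in range(len(evts)):
            while evts[end][0] - evts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        countries = {c for _, c, _ in evts}
        if peak > max_txns or len(countries) > max_countries:
            alerts[acct] = {"peak_txns": peak, "countries": sorted(countries),
                            "total": sum(a for _, _, a in evts)}
    return alerts

def limit_change_alerts(changes, max_factor=10, business_hours=(8, 18)):
    """Preventive check on the card management system: flag limit changes that
    jump by a large factor or are made outside business hours (the holiday pattern)."""
    flagged = []
    for acct, ts, old, new in changes:
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if new >= old * max_factor:
            reasons.append("limit_raised_%dx" % (new // old))
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside_business_hours")
        if reasons:
            flagged.append((acct, reasons))
    return flagged
```

The velocity check only fires after the withdrawals have happened, which is the point made above; the limit-change check is where a processor could catch the parameter reset before the cards are used.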

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud


April 7, 2014


Learning from Experience to Handle Suspicious Payment Transactions

In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.

Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments like checks and ACH or with these new variants, RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:

  • The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
  • A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
  • Consumer complaints about a business suddenly increase.
  • Another institution contacts the bank with concerns about a particular business.
  • The bank becomes aware of legal actions taken against a business.
  • Returns for a business's payment transactions increase.

Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.

[Diagram: handling suspicious payment transactions]

When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.

The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer’s concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the U.S. Patriot Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.

Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.
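An added example of the adjustment loop just described (not the Atlanta Fed's own tooling): a return-rate monitor for RCC/EPO originators whose default threshold is lowered after investigators confirm a business it missed. The businesses, item counts and the 5 percent default are constructed assumptions.

```python
from collections import Counter

# Constructed sample of one day's RCC/EPO items presented by three business
# customers: (business, item id, was the item returned?). "QuickPay LLC" is an
# obvious outlier; "MailOrder Inc" sits just under a 5 percent default threshold.
ITEMS = ([("ShopCo", "s%d" % i, i < 1) for i in range(100)]
         + [("MailOrder Inc", "m%d" % i, i < 3) for i in range(100)]
         + [("QuickPay LLC", "q%d" % i, i < 10) for i in range(50)])

def return_rates(items):
    """Return rate per business: returned items divided by items presented."""
    presented, returned = Counter(), Counter()
    for business, _, was_returned in items:
        presented[business] += 1
        returned[business] += int(was_returned)
    return {b: returned[b] / presented[b] for b in presented}

def flag_originators(items, max_return_rate=0.05, min_volume=20):
    """Businesses whose return rate exceeds the threshold (ignoring tiny volumes)."""
    presented = Counter(b for b, _, _ in items)
    return sorted(b for b, rate in return_rates(items).items()
                  if presented[b] >= min_volume and rate > max_return_rate)

def tune_threshold(items, missed_business, current_rate):
    """Feedback step: after a business the current threshold missed is confirmed
    as a problem, lower the threshold to just below its observed return rate."""
    observed = return_rates(items)[missed_business]
    return min(current_rate, round(observed * 0.9, 4))
```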

As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.

How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 7, 2014 in fraud, payments, remotely created checks
