About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.

Take On Payments


July 28, 2017


Are Consumers Out of Touch?

According to the Identity Theft Resource Center (ITRC), 791 data breaches occurred in the first half of 2017, an increase of 29 percent over the first half of 2016. This rising incidence of data breaches is a continuation of a trend, as the 1,093 data breaches tracked by the ITRC in 2016 represented a 40 percent increase over breaches in 2015. As data breaches continue to proliferate, I would expect consumers to be very concerned that their payment credentials (credit, debit, and bank account numbers) are at risk of being compromised. Apparently, my expectations are a bit off, which is both puzzling and alarming.

In a just-released report on a survey conducted in May, Transaction Network Services found that only 46 percent of U.S. adults believe that a data breach may have exposed their credit or debit card information. In 2015, 60 percent of the respondents had that fear. So evidence exists that data breaches are on the rise, yet consumers have less fear today than they did in the past.

In its review of the 2017 data breaches, the ITRC found that only 13 percent resulted in the exposure of card data. However, this figure is up from 10 percent in 2016. Social Security numbers appear to be the prime target, with 60 percent of breaches exposing them. Small wonder, as this information is critical for committing identity theft. Why steal a card number when you can steal a Social Security number and apply for any number of credit cards?

I would like to think that, because the industry is making great strides in improving both transaction security, with initiatives such as EMV, and data security, with encryption and tokenization, consumers are feeling that their card data is more secure than it used to be. But the pessimist in me believes that consumers may be a bit naïve about the risks associated with data breaches, and may have also been inured by the proliferating occurrences. Or maybe because of limited liability protections, consumers just don’t care about their card data falling into the wrong hands from breaches. But now is not the time for consumers to drop their guard as data breaches—more specifically, breaches of card data—are on the rise. They must continue to take steps to protect themselves from falling victim to card breaches, such as keeping debit card PINs private and examining credit card and bank statements regularly for fraudulent transactions.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 28, 2017 in data security, EMV, identity theft, theft | Permalink

Comments

Neither consumers nor merchants have any incentive to be proactive on fraud and breaches. The law must change!

Posted by: Debra K Stamper | July 31, 2017 at 03:50 PM


July 24, 2017


FIDO Tightens Authentication's Leash

Our blog often covers user authentication challenges confronting financial institutions and merchants. We feel this topic is essential given that consumers are increasingly going online to make payments and their passwords tend to be weak. Financial institutions and merchants face a difficult balancing act. They must be confident that their authentication tools effectively confirm the legitimacy of the individual attempting a transaction, but they also have to make sure these tools don't create a bad experience for the customer.

A meeting in 2009 between a fingerprint-sensor manufacturer and a global, third-party payment provider to fingerprint-enable online payments quickly turned into a conversation on how to develop an industry standard for the general use of biometrics to identify online users. Ultimately, this meeting led to the formation of the FIDO (Fast IDentity Online) Alliance in 2012. FIDO currently has a global membership of more than 250 companies and agencies spanning the payments, mobile, PC, and transaction security industries.

FIDO's principal effort has been to develop a set of specifications and certifications covering consumer devices, mobile and web applications, and biometric authentication methods for e-commerce applications. Products certified to these authentication specs reduce password dependence, transaction friction, and stolen password attacks such as phishing, man-in-the-middle attacks, and transaction replays.

FIDO initially focused on mobile devices—which allow authentication with the fingerprint sensor, microphone, and camera—and developed the Universal Authentication Framework. This framework provides enhanced security using public-key cryptography, with the keys and biometric templates remaining on the mobile device. The user goes through a device registration process that creates the biometric template and a cryptographic key pair on the device and registers only the public key with the online service. To perform a transaction, the customer uses one of the phone's biometric sensors to unlock the private key on the device.

To expand these strong cryptographic authentication capabilities to second-factor use cases on the web, FIDO established a second set of specifications known as FIDO U2F, or Universal Second Factor protocol. With this protocol, the user inserts a certified U2F device, also known as a security key, into a device's USB port or uses the device's Bluetooth or near-field communication features. The application running in a FIDO-compliant web browser first challenges the user for a password and then authenticates the user with the cryptographic private key on the U2F device.
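The registration and challenge-response flow described in the two paragraphs above, as an added Go sketch that is not part of the original post and is not the FIDO wire format. The type and function names and the `.example` origins are assumptions made for illustration. It shows why a signature captured from one login cannot be replayed, and why one made for a look-alike site is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Authenticator struct{ key *ecdsa.PrivateKey } // the user's device; the key never leaves it

// Register creates the key pair on the device and hands back only the public key.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key: k}, &k.PublicKey, nil
}

// digest binds the service's random challenge to the origin the client saw.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Sign runs on the device after the local biometric or touch check succeeds.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.key, digest(origin, challenge))
}

// Verify runs at the service, which knows only the public key and its own origin.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}

func NewChallenge() []byte { // fresh random challenge for each login attempt
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

func main() {
	dev, pub, _ := Register()
	c, site := NewChallenge(), "https://bank.example" // constructed origin
	sig, _ := dev.Sign(site, c)
	fake, _ := dev.Sign("https://bank-login.example", c) // look-alike origin relaying c
	fmt.Println(Verify(pub, site, c, sig), Verify(pub, site, NewChallenge(), sig), Verify(pub, site, c, fake))
}
```

The three values printed are the genuine login, the old signature replayed against a new challenge, and the signature produced for the look-alike origin.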

Authentication of customers, especially on a remote basis, will always be a challenge as criminals find more and more ways to spoof identities. The industry's efforts to increase the security of remote payments remain ongoing and the cooperative work demonstrated by groups such as the FIDO Alliance plays an important part in that effort.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 24, 2017 in banks and banking, biometrics, consumer fraud, consumer protection, identity theft, innovation, mobile payments | Permalink


July 17, 2017


Staging the ATM

As the installation of the first automated teller machine (ATM) recently reached its 50th anniversary (48 years since the first U.S. installation), the core functionality of the present-day ATMs has changed very little. They remain primarily designed to provide customers with cash at their convenience, but now most full-function ATMs also accept deposits with image capture and currency counting capability. Sure, the machines of today are much more technologically sophisticated and reliable than the initial ones that were more mechanical in operation. The industry, however, has undergone some major changes.

Accessed by a magnetic stripe or chip card and authenticated using a PIN, the ATM has served consumers and financial institutions well. The 2016 Federal Reserve Payment Study showed that ATM withdrawal volume remained flat from 2012 through 2015 at approximately 5.8 billion transactions valued at $700 billion, or an average transaction value of $122.

Banks in a number of South American and Asian-Pacific countries have installed biometric sensors in their ATMs either to eliminate the need for payment cards and PINs or to serve as an additional authentication factor. However, a couple of major U.S. banks have taken a different path in a quest to eliminate the payment card and PIN; they have developed a staged transaction process using the customer's mobile phone. While there are some variations from bank to bank, the process generally works as follows:

  • The customer opens the mobile banking application using the normal authentication process.
  • The customer selects the ATM withdrawal option, then identifies the ATM location and amount of withdrawal.
  • When at the designated ATM, the customer selects the function button on the ATM for a cardless transaction.
  • The next step depends on the particular bank.
    • Some banks display a 2D barcode on the ATM screen, which the mobile phone's camera reads to validate the transaction and dispense the requested amount of cash.
    • Other banks, to complete the transaction, may require the customer to enter both the normal payment card PIN and a numeric token value that the application sent to their phone when they made the transaction selection.

This technology offers banks a number of financial benefits over biometric readers. The barcode or token process requires only software development within the mobile banking application and ATM, so banks don't have to purchase, install, and maintain biometric hardware sensors. A drawback is that only the ATMs of the customer's own financial institution support the staged transaction. In addition, card readers will have to remain a key component of ATMs to service customers of other banks as well as the bank's own customers who wish to continue to use their cards. Because criminals continue to insert card-skimming devices and cameras to capture card data and customer PINs—an industry-wide and global problem—the new functionality will only minimize, not prevent, such fraudulent activity.

Many financial institutions seem to be making a concerted effort to migrate customers from payment card-based transactions to options such as mobile pay wallets and now staged ATM transactions. Mobile wallet adoption rates by consumers have been low to date, so it will be interesting to see if the adoption rate of cardless ATM transactions will be any different. What do you think?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 17, 2017 in banks and banking, innovation | Permalink


July 10, 2017


Can Migrants Teach Us Anything about Millennials?

While attending a recent conference, I became involved in a discussion regarding millennials and their alleged rejection of banks. The other people in this conversation thought that this millennial mindset is negatively affecting banks and other financial institutions (FIs). One person cited a Goldman Sachs report that said 53 percent of millennials surveyed indicated they have no need for a bank in the near future. Another mentioned the Millennial Disruption Index, which found that 71 percent of millennials would prefer to go to the dentist than listen to what banks are saying.

It would come as no surprise to those who know me or have read some of my previous blogs on similar topics that I was the outlier in the conversation. And after reading Inter-American Dialogue's May 2017 report, On the Cusp of Change: Migrants’ Use of the Internet for Remittance Transfers, I feel as strongly as ever that this generation will, in fact, need banking relationships.

While the survey behind the report focused on migrants' use of remittance transfers, Inter-American Dialogue also surveyed migrants on bank account ownership. The survey found that over 70 percent of Mexican migrants in the United States own a bank account, up from only 29 percent in 2005. The report concludes, with support from additional survey data, that bank account ownership is predominantly a function of years being in the United States; those migrants here for 10 years or longer are much likelier to own a bank account.

While millennials may not need traditional FI products today as they wait longer to purchase homes and start families than did previous generations, I believe the day will come when they find they need FIs. Only then will we know whether that wait is shorter or longer than the 10 years it takes for most Mexican migrants to establish banking relationships. Millennials have a host of alternative financial products to choose from—and to ignore—but so do migrant workers. Yet we know that, eventually, most migrant workers recognize they need banks.

I am not suggesting that financial institutions simply wait for millennials to realize their need for a banking relationship. FIs should be actively pursuing new products or developing strategies to attract millennials to traditional products. As millennials establish themselves and grow more prosperous, I believe they will realize banking relationships are extremely important to that process. The notion that millennials never need banks is one that I am not buying (not even with my bitcoins). Are you?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 10, 2017 in banks and banking, innovation | Permalink

