Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
January 28, 2019
A Cryptocurrency Primer
Every day, my newsfeed is full of stories about cryptocurrency, blockchain, and distributed ledger technology. I even see stories on how we can create our own digital currency, a notion that conjures up for me visions of my face on a coin, just like suffragette Susan B. Anthony. Could my own digital currency, known hereafter as the NEDNote, become a reality? My husband is a software engineer, so the technical piece is covered, but maybe offering a primer on the history of cryptocurrency and its confusing and rapidly changing nomenclature is the best place to start before I launch the NEDNote into the cryptographic biosphere.
The concept of virtual currency as a substitute for fiat currency dates back to the 1980s, with David Chaum being credited with introducing digital cash. (Fiat currency, often referred to in cryptocurrency discussions, is legal tender backed by a government or central bank.) Although early attempts at virtual currencies were made in the late ’90s, the anonymous white paper published in 2009 under the pseudonym Satoshi Nakamoto is credited for creating the first decentralized cryptocurrency, Bitcoin, and the blockchain database. And with that paper, a new lexicon began to emerge, some of which I define here.
- Cryptocurrency, short for cryptographic currency, is a subset of digital currency.
- Cryptography in the cryptocurrency world refers to the algorithms that encrypt data for transmission. In the analog world, think how the Navajo language was used to transmit secure messages during World War II.
- Distributed ledger technology (DLT) refers to the infrastructure that allows a repeated digital copy of data to be available at multiple locations. With DLT, transactions take place over a peer-to-peer network, and do not require the use of a central administrator to govern or validate the transaction, but rather employ consensus algorithms to replicate the data across locations.
- Blockchain is a type of DLT that organizes records in blocks, which are then linked with cryptographic hashes to create the chain. Each block consists of these hashes, data, and a unique timestamp. Because no trusted source or authority exists for the blockchain, it is necessary that data somehow be validated before anything can be added.
- Validation protocols include “proof-of-work” and “proof-of-stake,” the two primary methods of validating transactions on a blockchain.
- Proof-of-work involves mining and timestamping, which are key validation computations. Mining both validates transactions and obtains new cryptocurrency. The mathematical calculations performed in the mining process build the hash function that links the block to the chain. Miners are rewarded with new cryptocurrency for their contributions to the validation process. Timestamping tracks historical changes made to the data contained in the block.
- Proof-of-stake employs a consensus method to determine ownership of the cryptocurrency. This method requires less computing power to complete than does proof-of-work validation but does not reward miners with new currency.
- A crypto wallet provider is a cryptocurrency storage service that is online (hot wallet) or offline (cold storage). Hot wallets are connected to the internet and are frequently hosted by an online exchange platform. Cold storage, which is not connected to the internet, is viewed as more secure.
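The blockchain and proof-of-work definitions above can be seen working in a few lines. This is an added example, not code from the blog or from any cryptocurrency project: the field names, the difficulty of three leading zero hex digits, the fixed timestamps and the sample records are all assumptions made for illustration.

```python
import hashlib
import json

DIFFICULTY = 3          # assumed target: hash must start with this many zero hex digits
GENESIS_PREV = "0" * 64  # assumed placeholder "previous hash" for the first block

def block_hash(block):
    """SHA-256 over every field of the block except its own stored hash."""
    body = {k: block[k] for k in ("index", "timestamp", "data", "prev_hash", "nonce")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine(index, timestamp, data, prev_hash):
    """Proof-of-work: increment the nonce until the block hash meets the target."""
    block = {"index": index, "timestamp": timestamp, "data": data,
             "prev_hash": prev_hash, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

def build_chain(records, start_time=1548633600):  # constructed timestamps
    """Mine one block per record, linking each to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        block = mine(i, start_time + i, data, prev)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails validation, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if (block["prev_hash"] != prev or block["hash"] != digest
                or not digest.startswith("0" * DIFFICULTY)):
            return i
        prev = block["hash"]
    return None

if __name__ == "__main__":
    # Constructed sample records, not real transactions.
    chain = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    print("untouched chain:", first_invalid(chain))
    chain[1]["data"] = "bob pays carol 200"          # edit a record in place
    print("after in-place edit:", first_invalid(chain))
```

Editing a record breaks that block's stored hash, and re-mining the edited block only moves the failure to the next block, whose `prev_hash` no longer matches.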
For many years, my husband allowed the SETI Institute to harness the excess processing power of our home computers in the search for extraterrestrial intelligence, when we could have been mining for cryptocurrency and making the NEDNote a reality. In my next post, I’ll talk about how cryptocurrencies are exchanged and some of the associated risks.
By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed
January 22, 2019
Why Are Millennials So Risk-Averse?
Although millennials have been known to be the most charitable age group compared to earlier generations, they are, ironically, holding their money very close when it comes to taking financial risks. According to a recent study from the Federal Reserve, millennials are less well off than previous generations of young adults. They tend to have higher levels of student debt, lower incomes, and fewer assets to their name. In addition, millennials have grown up watching various financial crises in the United States and around the world, including the bursting of the housing bubble, the dot-com collapse, and the Great Recession. The last crisis was unfortunately around the time this generation began entering the workforce. Dealing with these financial obstacles has negatively impacted their attitude towards financial risk-taking, including investing and even opening up a new credit card. A 2017 survey, for example, found that millennials are more afraid of credit card debt than of dying or war.
Source: credible.com, "Survey: Millennials Fear Credit Card Debt More Than Threat of War and Dying"
Millennials tend to see credit cards—mistakenly—only as one more way to take on additional debt. But are they doing themselves a disservice by not taking advantage of an opportunity to quickly build up or improve their credit? Doing so could better enable them to qualify for a loan to purchase a home or start a new business. Furthermore, using credit cards wisely could actually help millennials save money in the long run through rewards and cash-back programs. And when it comes to investments, millennials are opting out of long-term investments like mutual funds, preferring instead to spend their money on immediate experiences, such as traveling and going to concerts, where they can see the "return on their investment" instantly.
The misconceptions and overall distrust in the financial system from this generation speak to a need for more millennial-focused financial education tools and advisers, especially those who understand the struggles of this generation as they navigate through mounds of student debt. Tools and advice that are more dedicated to millennials’ specific needs—whether it’s through a millennial-focused financial management gaming app or a generation Y robo adviser—would go a long way toward helping millennials increase their financial literacy and begin to trust the financial system. The Federal Reserve has many financial education tools. For example, the Atlanta Fed offers financial tips, updated monthly, in the Atlanta Fed’s digital magazine Economy Matters. And check out these resources from the St. Louis Fed:
- Credit Bureaus: The Record Keepers (Page One Economics)
- Online Course for Consumers (Credit Cred)
- Credit Card Statement (Personal Finance 101 Financial Forms Explained)
- Credit Report (Personal Finance 101 Financial Forms Explained)
- Build Credit and Control Debt (Building Wealth: A Beginner’s Guide to Securing Your Financial Future)
With some financial education, this generation might gain greater confidence and take more risks with their money so they could build more wealth.
By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed
January 14, 2019
Hiding in Plain Sight
Over the holidays when our family is all together, we always try to watch A Christmas Story. There are so many memorable moments in the movie, from the triple-dog-dare-you, tongue-frozen-to-the-flagpole scene to the leg lamp breakage. When the story revolves around Ralphie and the Little Orphan Annie secret decoder ring, it triggers my childhood memories of having a similar decoder ring that came with a pair of P.F. Flyers sneakers (think pre-Nike and Adidas). This year, our movie-watching led to a storytelling session of techniques worthy of any spy movie for passing secret notes. Many of the examples were like the decoder ring—they used some sort of secret alphanumeric table as a key to solve the cryptic message. In other words, we were talking about a rudimentary form of encryption, which, in today's technology, renders data useless to those without a key, whether they're bad guys or good guys.
But our conversation didn't stop there. I told a childhood story of dipping a toothpick in lemon juice and writing a message on paper. After the juice dried, the message became invisible, and I would then write an innocuous—and visible—message on the paper with pen or pencil. The recipient would carefully hold the paper over a flame to slowly reveal the hidden message. (Kids, try this only under adult supervision!) Little did I know I was using a technique called steganography—hiding a message within another message—that people also use today to protect information online.
Various forms of the technique date back to Greek civilization when untrusted messengers had to convey sensitive or classified information, or a message was at risk of being intercepted. (There is an entertaining and educational video on steganography by Richard Buckland, a professor at the University of New South Wales in Australia.) Today, technology has created a new technique in the form of digital steganography, which is the practice of hiding an image, audio, or data file within another image, audio, or data file.
A recent article in infoRisk Today highlighted the darker side of steganography, with its use by the criminal element. That article prompted me to conduct more research on the technique as a payments risk. From a cybersecurity standpoint, the greatest risk to consumers appears to be when the criminal hides a malware file within an image, audio, or other data file that, when opened, will load malware onto the device for future eavesdropping or control. Such an event could lead to the compromise of PII (or personally identifiable information), online credentials, or other sensitive information on the device without the owner's knowledge. In an August 2017 release, Kaspersky Lab warned about the difficulty for existing data protection processes to detect embedded malicious code.
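One structural check a defender can run on image files is shown below, as an added example that is not from the blog, infoRisk Today or Kaspersky Lab. It walks a PNG file's chunk list and counts bytes that follow the end-of-image (IEND) chunk; the function names and the 1x1 sample image are constructed for illustration, and the check finds only data appended to a file, not data hidden inside pixel values.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

def sample_png():
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def png_trailing_bytes(blob):
    """Return the number of bytes after the IEND chunk (0 for a clean file).

    Raises ValueError on a bad signature, a truncated chunk, a CRC mismatch,
    or a file with no IEND chunk, all of which also deserve a closer look.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):               # 12 = length + type + CRC
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != zlib.crc32(ctype + data):
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":                   # image ends here; anything after is extra
            return len(blob) - pos
    raise ValueError("no IEND chunk found")

if __name__ == "__main__":
    clean = sample_png()
    print("clean image, trailing bytes:", png_trailing_bytes(clean))
    # Constructed padding standing in for appended content.
    print("padded image, trailing bytes:", png_trailing_bytes(clean + b"\x00" * 37))
```

Image viewers stop reading at IEND, so a file with trailing bytes still displays normally, which is why the check has to look at the file structure rather than the rendered picture.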
Account takeover fraud is a major criminal activity that generally begins with the compromise of an individual's legitimate banking log-in credentials. A criminal who obtains this information can execute payment transaction fraud and, ultimately, synthetic identity fraud (see last week's post). While there are valid uses for steganography as an alternative to encryption, the criminal element will continue to develop uses of digital steganography to further their criminal operations and, as the infoRisk article notes, this usage is becoming more sophisticated and harder to detect.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 7, 2019
A New You: Synthetic Identity Fraud
With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.
This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.
As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.
The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)
So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:
- Shred documents containing personal information.
- Do not provide your social security number to businesses unless you absolutely have to.
- Use tools that monitor credit and identity usage.
- Freeze your credit account as well as that of any of your minor children.
- Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.
Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."
By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed