Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
July 29, 2019
You Can't Manage What You Can't Measure
Peter Drucker famously applied the adage you can't manage what you can't measure to widgets at General Motors. Researchers, fintech entrepreneurs, elected leaders, and others who are trying to ensure economic mobility for all would do well to remember this advice. To be able to interpret or conclude that real improvements are occurring due to financial innovation, it is important to understand the metrics used for assessing economic mobility.
One important resource for data on financial inclusion is the Group of Twenty (G20) Global Partnership for Financial Inclusion (GPFI). This group has produced a number of excellent documents on financial inclusion. I want to bring special attention to the G20 Financial Inclusion Indicators and the interactive dashboard.
These indicators grew out of the original Basic Set of Financial Inclusion Indicators, which was created in 2012. Updated this past April, the indicators are meant to measure achievements and disparities in the use of digital financial services along with the technology or environment that is needed to enable use of these services. The dashboard interprets recent data collected for certain indicators. You can download country-level raw data based on variables that you customize. Also on the G20 site is an interactive data visualizer that will let you see how the United States compares to other countries by each indicator.
There are three dimensions to the measurement: (1) access to financial services, (2) use of financial services, and (3) quality of products and service delivery. Here are some indicator categories related specifically to payments:
- Retail cashless transactions
- Adults using digital payments
- Mobile phone or Internet-based payments
- Payments using a bank card
- Debit card ownership
- Proximity to physical points of service (i.e. branches, ATMs, access to internet)
- Enterprises that send or receive digital payments
- Received wages or government transfers into an account
The GPFI encourages individual countries to supplement the G20 Indicators with country-specific metrics. Following are several additional sources contributing to measurements of financial inclusion for the United States:
- U.S. Financial Health Pulse by the Financial Health Network: Measures financial health using the Center for Financial Services Innovation Financial Health Score measurement methodology, consumer surveys, and transactional records.
- The Opportunity Atlas by the U.S. Census Bureau and Opportunity Insights: Maps the neighborhoods in the United States that offer children the best chance to rise out of poverty.
- Small City Economic Dynamism Index by the Federal Reserve Bank of Atlanta: Provides a snapshot of the economic trajectory and current conditions of 816 small and midsized cities across the United States. It includes 13 indicators of economic dynamism for metropolitan and micropolitan areas with populations above 12,000 and below 500,000.
- Payment Volume Charts Treasury-Disbursed Agencies> by Bureau of the Fiscal Service:: Offers downloadable reports that compare monthly and cumulative electronic funds transfer payment volumes for different time periods.
- Model Safe Accounts by the Federal Deposit Insurance Corporation: Offers an overview and report of a pilot program designed to evaluate the feasibility of financial institutions offering safe, low-cost transactional and savings accounts that are responsive to the needs of underserved consumers.
Keeping data at the forefront of the discussion on financial inclusion will better inform strategies, help organizations and entrepreneurs build better products and services, and help policymakers and many others monitor the effect of initiatives.
By Jessica Washington, AAP, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 22, 2019
Ransomware Attacks Continue
Ransomware attacks have only continued since I addressed the problem in a recent post, and they've continued to target municipal and state agencies. Riviera Beach (May) and Lake City (June), both in Florida, were successfully attacked. Lake City paid a bitcoin ransom of approximately $470,000 while Riviera Beach paid about $600,000, also in bitcoin. These attacks took place soon after the one in Jackson County, Georgia, whose government paid $400,000 for decryption keys. While law enforcement officials recommend that victims not pay ransom for fear that doing so encourages the criminals to continue their attacks, the affected agencies often view paying the ransom as a cost-effective way to restore operations as soon as possible. Moreover, Lake City and Riviera Beach were both insured against such attacks, with a $10,000 and a $25,000 deductible, respectively. It appears that in all three of these instances, when they got their ransom, the criminals supplied the necessary data that allowed officials to regain control of the systems.
So how can governments, schools, hospitals and doctors' offices, financial services, and consumers best protect their systems from these nefarious attacks? It's not easy—criminals are constantly developing new malware to get into systems. However, here are some critical guidelines from IT security professionals that can help us all avoid or minimize the impact of a ransomware attack.
- Perform data backups at least daily, and keep at least one backup copy offsite or on portable storage devices not connected to the network.
- Avoid using end-of-life operating systems and software that cannot be updated to address known vulnerabilities.
- Install software updates and security patches as soon as possible, and follow established change control guidelines.
- Evaluate segmenting your network into separate zones to minimize the spread of a ransomware infection.
- Train and test employees regularly about how criminals use phishing attacks to load malware onto computers that can then compromise system access credentials.
- Require employees to use strong passwords.
- The IT security community is divided about how frequently passwords should be changed, but do so at least every six months.
- Maintain comprehensive access controls so that only the employees that require access to individual system have such rights, especially regarding remote access.
- Use reliable security software and, as the second bulleted item recommends, keep it updated. Evaluate adding special trusted anti-ransomware tools, some of which are free.
- Evaluate your cybersecurity insurance policy in terms of its ransomware coverage.
In addition, every agency and organization should develop a ransomware response plan that can be implemented as soon as an attack has been detected. While the immediate focus should be on minimizing the impact of the attack, elements for business continuity, law enforcement notification, media communications must also be part of the plan.
We hope you won't be a victim, but simply keeping your fingers crossed isn't an effective plan.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 15, 2019
The Future of Fraud in a Post-EMV Chip Environment
"Doug: Your conclusion has me worried about credit-push in an environment where payments are irrevocable." I received this brief email a few days after my latest paper was published on the Atlanta Fed website. In this paper, I explore fraud trends in countries with a fully mature, or close to it, EMV chip card environment—trends we are likely to see in the United States as our EMV chip card implementation matures.
When the topic of EMV chip card fraud comes up, the conversation nearly always makes its way to the documented shift from counterfeit card fraud to card-not-present (CNP) fraud. While that is a fair and valid conversation, times are changing, and we just may need to refocus the fraud conversation, as this email indicates—my emailer was referring to credit-push payments and the fraud that can happen, and is happening, in this environment.
Data clearly show that when countries such as the United Kingdom, France, and Australia migrated to EMV chip cards, CNP fraud rose—in some instances, dramatically. And where the data are available, we can see that the fraud rate for CNP transactions also initially rose. But over the last several years something interesting has happened. Both absolute CNP fraud and CNP fraud rates are declining in some of the countries. While these countries did not have many CNP fraud prevention techniques and tools at their disposal when they first migrated to EMV chip cards, the technology is catching up and they have more tools now. If there was any benefit for the United States from being an EMV laggard, perhaps this is it: we are better equipped to deal with CNP fraud.
But back to push payments. Authorized push payment (APP) fraud, which is a form of credit-push fraud, is a growing problem. In the United Kingdom, the real-time payment system is being used extensively to carry out this type of fraud. Just as other countries didn't have many tools to fight CNP fraud in early EMV chip adoptions, we don't have all the tools yet to mitigate APP fraud.
At the heart of APP fraud is business email compromise, which we've covered in this blog and which was the featured topic in the Atlanta Fed's most recent Economy Matters podcast episode . To read more about this particular fraud trend and other trends the U.S. payments industry should be wary of as our EMV chip card environment matures, be sure to read the paper .
Back to the email I received—it was short, but my reply was even shorter: "You should be worried."
July 8, 2019
A Tip for Summer Travel
Because I study payments, people like to brag to me about the ways they pay. "I never use cash." "I don't carry cash, even when I travel." "I buy a pack of gum with my phone." "I haven't seen a dollar bill in five years." Et cetera.
Lots of times, I get these comments while I'm traveling. Like me, the people I chat with are traveling. Handing over a bag to a skycap. Getting housekeeping services in a hotel. Eating a burger at the bar.
So please tell me, all you smartphone-carrying, thin-wallet sophisticates, how do you tip?
When I was a kid, hotel rooms had tiny paper envelopes "for the maid," my father said. Filling the envelope was the last step before loading kids and caboodle into the car. Before we got to drink Tang and eat powdered-sugar donuts, we thanked the housekeeper. Like Tang, those envelopes are becoming an artifact of the past, with the result that you might expect: declining tip income for service workers.
Plea to app developers: find a way to make it easy to tip on the go. There are plenty of tipping apps out there, and from my point of view, they work fine for relationship tips—for example, an app payment to a hair stylist. But what about the one-time tip? When I'm running for the subway I can't (or won't) stop to open or download an app and key in a dozen letters or numbers to thank Keytar Bear, a busker who performs here and there in Boston.
This brings up a key obstacle to apps for tipping: not only do I have to have the app, but the service person does also.
What could be easier to adopt and use than the $2 bill I keep in the outside pocket of my backpack for Carlos, the best guitar player in Harvard Square? I don't have to ask, "Do you accept this or that?" I don't scan or key. I just wave to Carlos, drop the cash, and keep moving.
To tip in cash, we need to carry cash. About 20 percent of respondents to the 2017 Diary of Consumer Payment Choice reported that they carried no cash on any of their three reporting days. My Atlanta Fed colleague Oz Shy cites Rule #1 of tipping: "There are no rules about tipping." So I'll offer a guideline, not a rule: "Carry a bit of cash."
If you haven't found a cashless solution, go to a bank or credit union and get yourself a stack of $2 bills (Thomas Jefferson on the front, signing of the Declaration of Independence on the back, so appropriate in July). Stash them with your carryon bag.
It's summer travel season. In 40 states, the minimum wage requirements are lower for tipped workers. How do you thank the people who made your stay clean and comfortable? How do you tip?
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 1, 2019
Ransomware: Hopefully Not Coming Soon to a Computer Near You
In March 2018, the city of Atlanta fell victim to a ransomware attack. Criminals gained access to the city's computer network and loaded SamSam Ransomware, a malicious software. The criminals demanded a payment of approximately $51,000 in virtual currency to provide the decryption keys necessary to regain access to the infected and locked systems. The attack laid siege to the city by rendering police, utility billing, traffic court, and other systems unusable. The city refused to pay the ransom, and has since spent at least $6 million in forensic and remediation work with as much as an additional $11 million earmarked for system upgrades and other resources to combat future attacks.
Ransomware attacks have been a growing threat. While studies such as the Symantec Internet Threat Security Report show that the overall incident rate has decreased slightly, they also indicate that the range of targets has shifted. From 2013 until last year, consumers were the most frequent targets, with ransom requests in the hundreds of dollars. In the early years of these attacks, individuals would get a message that their computers had been infected and they had to pay a fee to download a fix. In many cases, the infection claim was false. Beginning in 2018, businesses—including municipalities, hospitals, and health care networks—have become primary targets, with ransom demands in the tens or hundreds of thousands of dollars. Typically, the criminals demand that the ransom be paid in cryptocurrency (nearly always bitcoin). As in the Atlanta case, these attacks often prevent customers from making payments, whether for traffic violations, business permits, or even marriage licenses.
Should ransomware targets pay the ransom? Law enforcement communities officially say "no." In some cases, when victims pay the ransom, they never receive the decryption keys to regain access to their data, or the keys don't work. There is concern that payments only encourage the criminals to commit further attacks, sometimes against the same business and demanding additional money. It is not illegal for a business to make ransomware payments, and many, including Newark, New Jersey ($30,000), have done so.
Is your computer or network prepared to defend against such an attack? Ransomware attacks typically exploit weak passwords or known security vulnerabilities in applications and operating systems. But a common entry point is through phishing of an employee to compromise legitimate system access credentials. As in business email compromise, the criminal conducts surveillance to learn about the different systems in operation and plans the initial attack to have the greatest possible impact. As we have stressed so often, prevention starts with employee education and the adoption of security best practices. In a future post, I will write about more prevention and mitigation best practices.
As for the Atlanta ransomware attack, last December, a federal grand jury returned indictments against two foreign nationals for the attack. The grand jury indicated these two people were also behind the April 2017 attack on Newark, New Jersey. There was hope in the law enforcement and cybersecurity communities that the arrest of these individuals would dampen enthusiasm for this threat vector, but attacks this year against Akron, Ohio (January), Albany, New York (March), and Baltimore, Maryland (May) suggest otherwise. None of these cities made any ransom payments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Encouraging Password Hygiene
- Should We Throw in the Towel When It Comes to Data Breach Prevention?
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud