Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
October 1, 2018
Safeguarding Things When They’re All Connected
In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.
- Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
- Check with reliable product review sites to see what others have to say about the product’s security features.
- If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.
- Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
- Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
- Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
- Register your device with the manufacturer to be notified of security updates or recalls.
- Add the device to your separate network if available.
If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.
We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.
By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 19, 2018
Mobile Banking and Payments' Weakest Link: Me
What's the biggest hole in mobile banking security? As my colleague Dave Lott reported in January, bankers say it's consumers' lack of protective behavior when using mobile devices. That means you and me.
In response, financial institutions (FI) have implemented controls including inactivity timeouts and multifactor authentication, as noted in Mobile Banking and Payment Practices of U.S. Financial Institutions, which reported the findings of a 2016 Federal Reserve survey.
Baking these controls into mobile apps makes sense because research on consumer behavior suggests that expecting consumers to independently take steps to protect their accounts and data is not realistic. Take as one example: I co-wrote a paper with Joanna Stavins for the Boston Fed reporting the results of our investigation into consumers' responses to the massive Target data breach. We found that while consumers do react to reports of fraud, their reactions can be short-lived. In addition, consumers' opinions may change, but their behavior may not. In other words, considerations aside from security could take priority. (See also a report on the 2012 South Carolina Department of Revenue breach.)
Debit and credit card data for 40 million cards used in Target stores were stolen in late 2013. The breach was widely reported in the news media and caused many financial institutions to reissue cards. Because it was primarily a debit card breach, one might reasonably expect consumers to take a jaundiced view of debit cards after the breach.
And, indeed, that was the case. The Survey of Consumer Payment Choice was in the field at the time of the Target breach. Some consumers answered questions about the security of debit cards before the breach became public. Others answered after.
Consumers who rated card security after the breach rated debit cards more poorly relative to the average rating of the other payment instruments—cash, paper checks, ACH methods, prepaid cards, and credit cards. So in that sense, they reacted to the news.
One year later, consumers in 2014 rated the security of debit cards more poorly both relative to their ratings of other payment instruments and absolutely (that is, a greater percentage of consumers rated debit cards as risky or very risky). In contrast, compared to 2013, the absolute security ratings of cash improved. There was no change in the security ratings of credit cards.
The more important question: Did consumers change their behavior in response to this massive and widely reported data breach? The answer: not according to this survey data. There was no statistically significant change in consumers' method of payment mix in 2014. Debit cards remained the most popular payment instrument among consumers in 2014, accounting for almost one-third of their payments per month.
What does this mean for financial institutions? Realism about my willingness to take action is well placed. You can't count on me.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 19, 2013
Curbing Identity Theft and Fraud
To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.
A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.
Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.
New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.
The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.
Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.
Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.
As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.
We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 29, 2013
It's Time for Better Online Authentication Solutions
I recently read a news story in my daily news feed about litigation between a bank and corporate customer related to an account takeover, and the liability of the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.
Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.
Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?
Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference It's Time for Better Online Authentication Solutions:
August 20, 2012
Finding a Reasonable Definition of Commercially Reasonable
Corporate account takeovers have cost businesses millions of dollars over the last several years. According to 2011 congressional testimony of Gordon Snow, assistant director of the FBI's cyber division, the FBI was at that time investigating more than 400 reported cases of corporate account takeovers. These 400 cases involved the attempted theft of over $255 million, resulting in actual losses of approximately $85 million.
Corporate accounts are not offered the same protections as consumer accounts, which are protected from financial loss from online fraud through the Electronic Funds Transfer Act and Regulation E. Article 4A of the Uniform Commercial Code (UCC) states that as long as a bank adopts commercially reasonable security measures, its business customers are accountable for fraud losses arising from funds transfers. Unfortunately, Article 4A does not provide a definition for "commercially reasonable," which leaves the term open to interpretation.
A recent ruling by a court of appeals reveals one court's opinion on what is commercially reasonable versus unreasonable. Despite the bank's compliance with Federal Financial Institutions Examination Council (FFIEC) guidance, the court found in favor of the bank's customer. In accordance with the FFIEC guidance, the bank employed multifactor authentication and had the capacity to detect and stop possible fraud. However, the court still found the bank's security measures unreasonable due to two factors.
First, the bank failed to consider the circumstances of its customer's frequency and volume of ACH transactions when implementing security measures and developing security procedures. And second, it failed to monitor and provide notice of possible fraudulent transactions to the customer. A key takeaway from this court's opinion is that financial institutions must take a holistic approach to preventing and detecting fraud. Having the proper prevention and detection tools in place is just one aspect of a fraud mitigation strategy. Financial institutions should also have policies and procedures in place to effectively use their deployed resources and technology for the unique circumstances of each of their customers. Unfortunately, a "one-size-fits-all" approach does not work in the fraud prevention arena.
Though the court did not offer an opinion on the customer's obligations in this particular case, it did recognize that commercial customers also have "obligations and responsibilities" under Article 4A of the UCC. So, at least according to this court's opinion, the holistic approach to fraud prevention does not stop with the financial institution. Corporate customers must also incorporate systems and policies to prevent unauthorized access to its financial accounts and other sensitive documents. With corporate account takeover fraud showing no signs of slowing down, it is imperative that financial institutions and their corporate customers discuss each others' roles and obligations to effectively minimize their risks.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Finding a Reasonable Definition of Commercially Reasonable:
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating these malwares include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may also already have in place some low-tech tools to help prevent these takeovers—exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is each of their responsibilities to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and its corporate consumers to defend against cyber attacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
October 18, 2010
Fighting back: Good news on the law enforcement front
I've noticed that blogs by their nature tend to focus on pointing out problems, this blog included. But I think it's also important to identify progress and celebrate victory in a society that appears to approach every topic from a negative angle. So here goes!
In the past, we've reported on all kinds of complications and issues in the cooperative efforts necessary to catch bad actors intent on defrauding folks in the payments space. This includes the sometimes difficult efforts of government and law enforcement to work together across borders. In the past few months, though, we've seen some significant accomplishments with respect to industry collaboration to address payments-related crimes.
First, we reported some time ago that a rift between the European Union and the FBI had resulted in the European Parliament's rescinding the FBI's access to the wire transaction data of SWIFT—short for the Society for Worldwide Interbank Financial Telecommunication. In late June 2010, the European Union, via the European Council, signed with little fanfare a new five-year contract with the United States, allowing U.S. authorities to continue sharing European bank data for the purpose of counterterrorism. The key to the renewal was the promise of stronger controls over data privacy and the presence of a third-party overseer to make sure that data provided to U.S. authorities were accurately maintained and procedures existed to manage redress if a person's private data was abused. This five-year deal ensures that the global fight to address the financial aspects of terror activities can proceed aggressively.
Second, we've spent some time in this space talking about the growing problem of corporate account takeovers over the Internet, in addition to traditional identity theft forays, particularly from foreign sources. We've also described the complexity of U.S. and foreign law enforcement authorities working together to apprehend instigators of such schemes. In the last few weeks, however, we've been delighted to see a spate of successes by European and U.S. authorities—often working together—that will send a message to perpetrators who may believe that they are free to conduct crime in cyberspace.
In partnership with Slovenian Criminal Police and the Spanish Guardia Civil, the FBI announced in July that a two-year investigation into European-based fraud activity had resulted in the arrest of the operators of the Mariposa Botnet, quickly followed by the arrest in Slovenia of the Botnet's creator, who was code-named "Iserdo." All parties lauded the value of the strong law enforcement partnerships present in this effort.
In August, U.S. and French authorities worked together to arrest a notorious cybercriminal owning the moniker of "BadB." Otherwise known as Vladislav Horohorin, BadB had been targeted by the U.S. Secret Service for some time. He was arrested by French authorities while traveling in France. If extradited to the United States, Horohorin faces up to 12 years in prison.
In September, U.S. and British authorities made what seems to be well-coordinated announcements concerning the wide-ranging arrests of Eastern European cybercriminals engaged in hacking and account takeover activities of British and U.S. small businesses. U.K. officials announced that the Metropolitan Police's e-crime Unit arrested in a predawn raid 11 individuals on charges of fraud and money-laundering activities that netted close to $40 million dollars. This announcement was followed by an announcement from the New York U.S. Attorney's office that they had issued 60 arrest warrants and made 20 arrests for U.S.-based perpetrators involved in similar account takeover schemes. At least 37 of the individuals involved were so-called "money mules," hired by overseas criminals to open bank accounts and deposit funds stolen from businesses, then wire the funds overseas after keeping a nice fee. This effort featured extraordinary cooperation among the U.S. Attorney's Office for the Southern District of New York, the FBI, the New York Police Department, the Department of State Diplomatic Security Service, the New York Office of Homeland Security Investigation, and the U.S. Secret Service. The gang appears to have stolen at least $4.2 million from small businesses and security brokers in the United States.
At any rate, our hats are off to the various law enforcement authorities who successfully participated in these actions. We look forward to more such efforts as a growing deterrent to those who use cyberspace as a playground for financial crime. Mr. Horohorin may have plenty of company during his stay in the United States.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Fighting back: Good news on the law enforcement front:
August 30, 2010
Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They're on the rise, but under control
NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.
In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.
Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.
Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.
ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.
Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and business is a move towards reducing fraud and risk in the ACH network.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
May 24, 2010
Bank revenues and fraud detection: A marriage made in heaven?
Recently, a number of instances of account takeovers—or "man in the middle" attacks—have been labeled as ACH or wire transfer fraud because the subsequent fraudulent transactions flowed over the ACH or wire transfer networks. Such schemes frequently involve an interloper using the Internet to hack into a company's payroll system and create fraudulent transactions before the payroll file arrives at the company's originating bank. At first blush, it seems off base to attribute this type of fraud to the payments channel when the channel merely carried already fraudulent payments on to their intended destinations. Once these payments enter the clearing channel, banks and ACH/wire operators do not appear to have any easy way to identify them as fraudulent transactions.
The growing responsibility of banks to help their customers
Clearly, American businesses are in the eye of the storm when it comes to current account takeover attacks, so it's easy, if not appropriate, to attribute the fraud to absent or lax controls over their corporate databases. Needless to say, the smaller the business, the less likely that their knowledge, business model, or budgets include funding for fighting Internet-based fraud attacks. With this idea in mind, a judge recently ruled that such a company's bank was at least partially responsible for a corporate fraud loss because the bank had failed to assist the company by providing reasonable fraud control tools or services.
Such claims stem from a requirement stated in Article 4A of the Uniform Commercial Code (UCC) that makes banks responsible for using "commercially reasonable" security techniques to protect the data assets of the customer and bank. The term commercially reasonable does not have a specific definition but historically has been defined as the use of techniques significantly deployed by other similar industry service providers. Since there is no evidence that many banks provide ACH origination fraud detection services to their corporate customers, the historical test doesn't seem to have held sway in this case. Instead, it appears the judge used a different test for commercial reasonableness by indicating that there are technologies and tools available in the marketplace today, albeit not in wide use in banking, which the bank could have employed to assist the company. As we speak, and in a separate matter, a Texas bank is suing its business customer, claiming that at all times the bank maintained commercially reasonable security measures. The outcome of this action remains to be seen.
The potential for fee-based fraud detection services
Transferring the issue to the ACH payments front, perhaps it would be possible for banks to provide businesses with enhanced account takeover fraud control tools. For example, banks could offer the equivalent of positive pay in the check world for outbound ACH credit entries. That is, the company could update bank resident databases with their eligible payroll (or the bank could retain recent files), and the bank could validate the information on newly deposited payroll files to ensure that a significant amount of new account numbers have not been introduced since the last payroll. Other services could include looking for significant variations in the number or dollar amount of transactions or requiring that companies assert dual controls on all payroll deposits before the payments enter the ACH processing stream at the originating financial institution.
Such services might seem expensive to implement since they would entail the writing or acquisition of new front-end software. However, the provision of such runtime services to client companies could be a revenue opportunity for a fee-starved banking industry whose current fee revenue streams (overdrafts, interchange, credit card interest rates) are under attack on all fronts. Further, such grassroots corporate payments services could better address fraud at the inception point rather than the after-the-fact central monitoring of unauthorized returns by NACHA or the ACH operators. In fact, the ACH operators offer front-end fee-based risk monitoring services to their financial institution customers today, demonstrating the possible value of banks extending the concept to their corporate clients. Finally, one can conceive of the evolution of a suite of such services to include services that could detect potential insider fraud, a growing trend in a recessionary economy.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Bank revenues and fraud detection: A marriage made in heaven?:
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- You Can't Manage What You Can't Measure
- Ransomware Attacks Continue
- The Future of Fraud in a Post-EMV Chip Environment
- A Tip for Summer Travel
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- December 2018
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud