About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

October 15, 2018


An Ounce of Prevention

Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.

As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.

SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.

Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.

Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.

As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

 

October 15, 2018 in biometrics, cards, cybersecurity, emerging payments, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 21, 2018


Heading toward A New Era of POS Portability?

At recent conferences I've attended, exhibitors in the point-of-sale (POS) terminal and acquiring business were all showing off their portable devices. With one of these, a restaurant server could take a payment at the table or a retail employee could conduct a transaction in a store aisle. The exhibitors said that these devices allow for a more high-touch, personalized customer experience than traditional counter-top POS devices. In fact, while walking the exhibit floor, I noted that countertop POS devices were extremely hard to find.

The theme of POS portability was also evident in the session rooms. Multiple panel discussions and keynote speeches focused on the Payment Card Industry's (PCI) PIN-on-glass security standard, which would give already-in-the-marketplace devices for using mobile phones and tablets as card readers the ability to use PIN-based authentication. In essence, the standard allows customers to enter their PINs on merchants' commercial off-the-shelf (COTS) devices—such as bring-your-own-device tablets or phones—rather than on PCI-certified devices that a merchant owns or leases through its acquiring relationship. PIN on glass has been widely implemented in Australia and, based on what I've heard at these conferences, it is probably one to three years from making any headway here in the United States.

I first wrote about portable POS devices in the restaurant industry nearly six years ago. Since then, I can count on my hands the number of times I've swiped or dipped my card at a portable POS terminal (and several of these interactions occurred in Mexico). Most experiences were positive. On numerous occasions, I've used my card with a COTS device, also with mostly positive experiences. I have honestly never envisioned using or yearned to use a PIN for these transactions.

Little has changed in the way of mobile POS adoption since I wrote that post. So, do I believe we are moving towards a new era of POS mobility? Yes, but very slowly. With the proliferation of independent software providers and their mobile-based solutions for payment processing, I think the industry is now better positioned than it was six years ago for a change. However, I learned from speaking with others in the industry that the conversion process remains time consuming and costly. As far as PIN on glass goes, will the consumer be an obstacle to adoption? I'm not convinced that consumers will be comfortable entering their PIN on someone else's mobile device.

What is your take on the future of POS portability?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 21, 2018 in biometrics, card networks, cards, debit cards, emerging payments, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 20, 2017


Webinar: Key Payment Events in 2017

This year has been an exciting one for the payments industry. Topics such as block chain and distributed ledger, card-not-present fraud, and chip-card migration continued to be in the news, and new subjects such as behavioral biometrics and machine learning/artificial intelligence made their way into the spotlight.

In the past, the Retail Payments Risk Forum team has coauthored a year-end post identifying what they believed to have been the major payment events of the year. This year, we are doing something a little bit different and hope you will like the change. Taking advantage of our new webinar series, Talk About Payments, the RPRF team will be sharing our perspectives through a round table discussion in a live webinar. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.

The webinar will be held on Thursday, December 14, from 1 to 2 p.m. (ET). Participation in the webinar is complimentary, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.

We look forward to you joining us on December 14 and sharing your perspectives on the major payment events that took place in 2017.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 20, 2017 in banks and banking, biometrics, emerging payments, EMV, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 24, 2017


FIDO Tightens Authentication's Leash

Our blog often covers user authentication challenges confronting financial institutions and merchants. We feel this topic is essential given that consumers are increasingly going online to make payments and their passwords tend to be weak. Financial institutions and merchants face a difficult balancing act. They must be confident that their authentication tools effectively confirm the legitimacy of the individual attempting a transaction, but they also have to make sure these tools don't create a bad experience for the customer.

A meeting in 2009 between a fingerprint-sensor manufacturer and a global, third-party payment provider to fingerprint-enable online payments quickly turned into a conversation on how to develop an industry standard for the general use of biometrics to identify online users. Ultimately, this meeting led to the formation of the FIDO (Fast IDentity Online) Alliance in 2012. FIDO currently has a global membership of more than 250 companies and agencies spanning the payments, mobile, PC, and transaction security industries.

FIDO's principal effort has been to develop a set of specifications and certifications covering consumer devices, mobile and web applications, and biometric authentication methods for e-commerce applications. Products certified to these authentication specs reduce password dependence, transaction friction, and stolen password attacks such as phishing, man-in-the middle attacks, and transaction replays.

FIDO initially focused on mobile devices—which allow authentication with the fingerprint sensor, microphone, and camera—and developed the Universal Authentication Framework. This framework provides enhanced security using public-key cryptography, with the keys and biometric templates remaining on the mobile device. The user goes through a device registration process that creates the biometric template and a cryptographic key pair on the device and registers only the public key with the online service. To perform a transaction, the customer uses one of the phone's biometric sensors to unlock the private key on the device.

To expand these strong cryptographic authentication capabilities to second-factor use cases on the web, FIDO established a second set of specifications known as FIDO U2F, or Universal Second Factor protocol. With this protocol, the user inserts a certified U2F device, also known as a security key, into a device's USB port or uses the device's Bluetooth or near-field communication features. The application running in a FIDO-compliant web browser first challenges the user for a password and then authenticates the user with the cryptographic private key on the U2F device.

Authentication of customers, especially on a remote basis, will always be a challenge as criminals find more and more ways to spoof identities. The industry's efforts to increase the security of remote payments remain ongoing and the cooperative work demonstrated by groups such as the FIDO Alliance plays an important part in that effort.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 24, 2017 in banks and banking, biometrics, consumer fraud, consumer protection, identity theft, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 1, 2017


Additional Authentication: Is the Protection Worth the Hassle?

Last week, we discussed some findings from a research study conducted earlier this year to understand consumer knowledge of and attitudes regarding other authentication methodologies.

The survey participants read a brief description of alternative authentication methods and then answered a series of questions regarding their attitudes about the ease of use and willingness to adopt these alternatives. Some of the authentication methodologies reviewed were:

  • Fingerprint biometric
  • Device location
  • Eye vein biometric
  • Facial recognition
  • Device fingerprinting/identification
  • KBA (knowledge-based authentication, or personal data challenge questions)
  • Two-way text message
  • Voice-recognition biometric

The participants were asked to rate the ease of use for the alternative methodologies. The table shows the percentage of respondents rating the methodology as “very easy” or “somewhat easy.”

Chart-one

All age segments rated the user ID and password as the methodology having the greatest ease of use. All the groups ranked the eye vein biometric low in user ease; voice and facial recognition also scored low across the segments.

One key finding, which points out the continuing need for consumer education, was that many people did not understand the various alternative methodologies, even after reading a description and the pros and cons of each. Seniors were more likely to respond “Don’t Know”; millennials indicated a greater level of understanding.

Of particular interest, the study probed the ability of a financial incentive to entice customers to agree to adopt additional authentication tools. Just over half (51 percent) of the respondents indicated they would agree to additional authentication tools without any financial compensation. Offering a one-time $10 cash bonus would result in an additional 15 percent, and raising the ante to $25 would bring in 9 percent more. One-fourth of the respondents indicated they wouldn’t sign up for additional authentication with or without an incentive. Seniors are the least likely group (33 percent) to adopt additional authentication without an incentive, and millennials are the most likely (62 percent).

While the level of resistance by consumers to adopting stronger authentication processes seems to be dropping, there remains a strong need for customer education to demonstrate the benefits over any inconvenience. Meanwhile, a number of financial institutions and merchants are using covert authentication tools such as transaction-pattern anomalies and risk-based transaction scoring based on historical fraud experiences.

Passwords are likely to be around for quite some time as a basic means of authentification, but the payments industry and consumers must work together to provide a higher level of security for transactions. Do you think disincentives such as the service remaining free if you agreed to use additional authentication tools or being charged a monthly fee if you remain with a password as your only means of authentication are viable options? As always, your comments are welcome.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

May 1, 2017 in authentication, biometrics | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 24, 2017


Would Consumers Ever Give Up Their Passwords?

In a post last week, we revisited the issue of passwords and their suitability in serving as a secure authentication method for consumers to gain access to websites and applications. Payment security professionals generally agree that most consumers do not voluntarily adopt strong security practices in selecting and managing their passwords. Consumers often select easily guessed passwords and even use the same password across numerous websites. Given these tendencies, the payments industry is looking for alternative authentication methods that either consumers could adopt or the industry could perform covertly—methods that would ultimately provide for a higher level of customer authentication.

The Aite Group conducted a research study in January 2017 to understand consumer knowledge of and attitudes regarding other authentication methodologies. In particular, the study looked at responses at the generational level, with the respondent base broken into four age segments:

  • Seniors: 70+ years of age
  • Baby boomers: 53–70 years of age
  • Gen X: 37–52 years of age
  • Millennials (Gen Y): 16–36 years of age

The study revealed a universal attitude that passwords are easy to use. Only 7 percent of the seniors indicated they are difficult to use, compared to 1 percent or less for the other three groups. Millennials use the same passwords the most, with 39 percent indicating they use only one or two different passwords and more than three-fourths (77 percent) using five or fewer passwords among all their online accounts.

The participants were asked to rank the importance of different attributes in their consideration for using their financial institution's online banking service. All the age groups indicated that ease of use is topmost. While a majority within each group also cited strong security and fraud prevention as important, seniors especially indicated its importance, giving it equal weight to ease of use.

Although the majority of the respondents in each of the groups indicated some level of willingness to change their authentication method to access their bank account, as the chart show, there was a clear relationship between their age and level of willingness (see the chart).

Chart-one

So what authentication method did the segments favor? Go read the full report or wait until our next post, which will also discuss whether it will be necessary to offer consumers incentives to get them to change their habits.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 24, 2017 in authentication, biometrics | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 21, 2017


The Social Benefits of Biometrics

Based on my experience, most discussions about the authentication of individuals using a biometric modality (such as fingerprints, or voice or facial recognition) often just focus on key issues such as reliability, security, ease of use, cost, and privacy concerns. Certainly these are important issues, but one that is often omitted in the conversation is the use of a biometrics system for health and safety purposes.

My wife and I were recently blessed with the birth of our fifth grandchild, a beautiful baby girl. During the hospital visit, the risk management side of me evaluated the security aspects of the facility. What methods prevent the accidental swapping of babies or the theft of a newborn? While the frequency of such incidents in developed countries is very low, it is a more challenging issue in developing countries where medical recordkeeping is often minimal and limited to paper documents.

Talking to the hospital staff, I found out they have a number of safeguards in place to ensure the right baby is with the right mother:

  • Wristbands with barcodes that have to be scanned each time the nurse visits their room
  • An embedded RFID transmitter in a cut-resistant bracelet on the baby's leg that allows staff to see on a locational display where the baby is at any time and to sound an alarm if the infant is taken outside the protective area

These systems link the baby to the mother, but what actually documents the identity of the baby? The paper card with the baby's left and right footprints and the mother's right thumbprint has been used for decades, but is that sufficient for the future?

This issue of infant authentication reminded me of a presentation I recently attended given by noted educator and biometrics researcher Professor Anil Jain at Michigan State University. Jain and his team worked under a grant from the Bill and Melinda Gates Foundation to develop a reliable, low-cost authentication process for young children. The primary purpose was to enable the tracking of children's vaccination schedules to ensure that the right child receives the full regimen of immunizations. One of the critical issues Jain and his team faced is the difficulty in obtaining usable fingerprints from newborns—the skin on their fingertips is pliable, which results in poor contrast between the pattern of their ridges and valleys.

The goal of the research program was to determine the earliest possible age at which reliable fingerprints could be obtained using current technology. Using a high-resolution optical reader providing a fast capture rate (infants don't like to be still for very long), the research team found that fingerprint enrollment for children older than six months provides acceptance rates of 99 percent. This method can potentially serve as a reliable authentication method for the remainder of their life. Coupled with the creation of an electronic health registry, the health care worker needs only to scan a child's finger to bring up immunization records and determine any future vaccinations required. You can find a short presentation of Jain's work here.

While the public is likely to continue to question the overall benefits of biometrics, Jain's work shows an additional use for biometrics technology. Where else might biometric programs be applied?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 21, 2017 in biometrics | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 23, 2017


Mobile Banking and Payments Survey Results

In the fall of 2016, the Atlanta Fed and six other Federal Reserve Banks asked financial institutions (FI) in their districts to participate in a survey to determine the level and type of mobile financial services they were currently offering or planning to offer. The Atlanta Fed conducted a similar survey in the district in 2014.

Financial institutions completed 117 surveys; they represent FIs of all sizes and types operating in the district (see chart below). The response rate of 8 percent should provide financial institutions with good directional information when comparing their own mobile banking and payments strategy. You can find the full report here. The Federal Reserve Bank of Boston will be preparing a consolidated report for all seven districts later this year.

Chart-one

Key learnings from the responses to this survey include:

  • Mobile banking has become a standard service of financial institutions, with 98 percent indicating they currently or plan to offer mobile banking.
  • Competitive pressure and the retention of existing customers are the primary reasons for offering mobile banking.
  • Consistent with the 2014 survey and numerous other mobile research reports, FIs cite security concerns by consumers as the greatest barrier to mobile banking adoption.
  • FIs identify biometric methodologies as the security tool most likely to be used in their program.
  • Over half (59 percent) currently or plan to support at least one mobile wallet. Their primary reason for offering the service was competitive pressure as mobile payments appear to be gaining traction among some consumers.
  • Most of the survey respondents have a long-term outlook (three years or more) for mobile payments to reach a customer participation level of 50 percent.

Supplemental results breaking the data into the six asset-size segments will be made available in early February. If you have any questions about the survey results, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 23, 2017 in banks and banking, biometrics, mobile banking | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 8, 2016


Will Biometrics Breed Virtual Clones?

In the middle of last November, our group, the Retail Payments Risk Forum, hosted a conference on the application of biometrics for banking applications. For me, one of the important "ah-ha" moments from the conference was hearing about the potential downside to the technology. While the various speakers and panelists certainly pointed out the powerful security improvements that could result from an increased use of biometrics, there were also thoughtful contributions about what could go wrong. To illustrate one of these downsides, let me take you back to the breach that occurred at the United States' Office of Personnel Management (OPM) earlier this year. For those who may have applied for a position with a government agency over the last 20 years or so, the form letter notifying you of the potential breach of your personal data read like this:

Since you applied for a position or submitted a background investigation form, the information in our records may include your name, Social Security number, address, date and place of birth, residency, educational and employment history, personal foreign travel history, information about immediate family as well as business and personal acquaintances, and other information used to conduct and adjudicate your background investigation.
Our records also indicate your fingerprints were likely compromised during the cyber intrusion. Federal experts believe the ability to misuse fingerprint data is currently (emphasis mine) limited.… If new means are identified to misuse fingerprint data, additional information and guidance will be made available.

The conference made clear, to me anyway, that fingerprint data certainly has the potential to be misused—now. Experience leads me to conclude that it is bound to happen, especially if the biometric measurements captured at enrollment are not converted to templates that mask the data.

Biometrics are sure to proliferate in the next few years. I think everyone ought to pause and consider whether or not the security advantages—that have the potential to be turned against us in a moment—are worth it. Consider a future breach and the subsequent form letter from some entity that has built biometrics into its payment process. It could include all of those things noted in the OPM excerpt above. Additionally, victims could also have to be told that their iris, facial, and voice prints along with their DNA were taken. A virtual clone masquerading as me makes me shudder. Imagine standing up when they ask for the real you to do so—and then the dismay at not being believed.

The work to advance biometric security needs not just to be focused on advancing the accuracy and efficacy of the usage, but also to have a heavy emphasis on protecting the data collected—while it's collected and used and when it's at rest, in storage. And no matter how good all of that work is, I hope that choices for transacting business remain. Cash, which requires no authentication, and paper checks, which authenticate with a signature, figure to provide useful alternatives for quite some time.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed

February 8, 2016 in authentication, biometrics, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 13, 2015


Biometrics and Privacy, or Locking Down the Super-Secret Control Room

Consumer privacy has been a topic of concern for many years now, and Take on Payments has contributed its share to the discussions. Rewinding to a post from November 2013, you'll see the focus then was on how robust data collection could affect a consumer's privacy. While biometrics technology—such as fingerprint, voice, and facial recognition for authenticating consumers—is still in a nascent stage, its emergence has begun to take more and more of the spotlight in these consumer privacy conversations. We have all seen the movie and television crime shows that depict one person's fingerprints being planted at the crime scene or severed fingers or lifelike masks being used to fool an access-control system into granting an imposter access to the super-secret control room.

Setting aside the Hollywood dramatics, there certainly are valid privacy concerns about the capture and use of someone's biometric features. The banking industry has a responsibility to educate consumers about how the technology works and how it will be used in providing an enhanced security environment for their financial transaction activities. Understanding how their personal information will be protected will help consumers be likelier to accept it.

As I outlined in a recent working paper, "Improving Customer Authentication," a financial institution should provide the following information about the biometric technology they are looking to employ for their various applications:

  • Template versus image. A system collecting the biometric data elements and processing it through a complex mathematical algorithm creates a mathematical score called a template. The use of a template-based system provides greater privacy than a process that captures an image of the biometric feature and overlays it to the original image captured at enrollment. Image-based systems provide the potential that the biometric elements could be reproduced and used in an unauthorized manner.
  • Open versus closed. In a closed system, the biometric template will not be used for any other purpose than what is stated and will not be shared with any other party without the consumer's prior permission. An open system is one that allows the template to be shared among other groups (including law enforcement) and provides less privacy.
  • User versus institutional ownership. Currently, systems that give the user control and ownership of the biometric data are rare. Without user ownership, it is important to have a complete disclosure and agreement as to how the data can be used and whether the user can request that the template and other information be removed.
  • Retention. Will a user's biometric data be retained indefinitely, or will it be deleted after a certain amount of time or upon a certain event, such as when the user closes the account? Providing this information may soften a consumer's concerns about the data being kept by the financial institution long after the consumer sees no purpose for it.
  • Device versus central database storage. Storing biometric data securely on a device such as a mobile phone provides greater privacy than cloud-based storage system. Of course, the user should use strong security, including setting strong passwords and making sure the phone locks after a period of inactivity.

The more the consumer understands the whys and hows of biometrics authentication technology, I believe the greater their willingness to adopt such technology. Do you agree?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 13, 2015 in biometrics, consumer protection, data security, privacy | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad