Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
August 2, 2021
Ransomware: To Pay or Not to Pay?
Ransomware attacks against high-profile corporate, educational, and governmental entities continue to make the news. What the media often overlook, however, are the continuing attacks against consumers' home networks and devices. Imagine your panic when you turn on your personal computer and you get a message demanding $500 in cybercurrency or gift cards for your tax, banking, investment management, family photo, and other important files that a criminal has encrypted. Do you pay or not?
Law enforcement and cybersecurity professionals almost all say "no.” A March 2021 report from a cybersecurity firm described a study of 15,000 consumer ransomware attacks in 2020 worldwide. In more than half of these attacks (56 percent), the victims paid the ransom—but only 17 percent of those making payment regained full access to their files. Adults 55 and older were the age group least likely to pay a ransom (11 percent), while the 35–44 age group, at 65 percent, were most likely to pay.
Arguments against payment are threefold:
- It encourages further attacks because the victim has already shown willingness to pay.
- It rewards criminal behavior and provides funds for additional attacks.
- It may not result in 100 percent recovery of files.
Those consumers making a ransomware payment do it because they hope the payment will restore their files faster and they'll soon resume normal use of their computer.
As this type of cybersecurity attack against consumers and business continues to increase, education about its process and the defenses that should be undertaken are critical. What is the best way to provide that? Let us know what you think.
July 26, 2021
Do You Want Bitcoin with Your Coffee?
Seeing the "Buy Bitcoin here" sign in the window stopped me in my tracks on my quick run into the convenience store around the corner. Bitcoin is for sale where I get coffee and candy, too? While I don't go to convenience stores often, I am used to seeing the cash dispensing ATM and Lotto kiosks. It never occurred to me that I could buy Bitcoin from a kiosk—just like getting money from an ATM.
My perception of most cryptocurrencies has been that they are laden with mystery and in the hands of an elite few. It has to be mined electronically, it isn't tethered to any payments safety policy, its value is wildly volatile, it's dependent on a convoluted password that cannot be recovered if lost (think about recent headlines about those who lost their passwords and can't retrieve millions in languishing Bitcoins), and its anonymous nature lends itself to perhaps nefarious activities.
A bit of history: Bitcoin was launched in 2009 by an anonymous source. It was the first blockchain-based cryptocurrency and remains the most popular, valued today at more than $600 billion. Currently, there are more than 10,000 publicly traded cryptocurrencies valued at more than $1.29 trillion as of July 22, 2021. From July 2020 to July 2021, the number of U.S. Bitcoin crypto kiosks increased from 6,445 to 19,545, a huge jump in just one year. For more details about Bitcoin, read this excellent overview by my colleague Doug King.
I tend to be risk-averse, so buying cryptocurrencies wouldn't be something I would sink significant money into. I wonder, though, how many people are buying Bitcoin to have made it worthwhile for the store to give up premium space to house the machine? Has Bitcoin become so mainstream that people purchase it like a lottery ticket? Are these machines as easy to operate as an ATM?
I later brought my informal payments research partner (also known as my husband) to the store to make a trial Bitcoin purchase. As he tapped the screen to make his selections, I snapped photos to track his progress. The machine was fairly easy to operate: he keyed in his cell phone number, received a text message with a code to validate on the kiosk, created a PIN, entered his birth date, read the terms and agreed to them, selected the dollar amount he wanted to buy from three tiers (a minimum of $5 up to $499; $500 to $1,999; and $2,000 to $15,000), inserted a $5 bill (they take cash only for smaller purchases), and received a printed QR code and password to use for later redemption, with an option for an emailed receipt. The cost of the convenience was 20 percent of the value purchased (the percentage decreases to 15 percent in the next higher tier, and so on).
We paid $5 to learn about it (0.00013032 was the amount of Bitcoin it purchased). Soon after, my husband lost his ticket. Fortunately, he found it and is trying to figure out how much his investment is worth. Maybe it will be enough to buy a cup of coffee at our next visit.
July 19, 2021
Will the Chip Shortage Affect Payments?
Sitting down to eat at our favorite Mexican restaurant the other evening, my wife and I started our usual conversation on how it's impossible not to devour the chips and salsa that are always immediately placed in front of us. And it seems that there is always an endless supply of these chips, so much so that there are usually always chips left in the basket when we leave the table. Unfortunately, this country and others around the globe are not experiencing a similar oversupply of semiconductor chips. In fact, it's quite the opposite, as many industries, including the payments industry, are facing a shortage of microchips.
The effects of this chip shortage on the automotive, smartphone, and video gaming industry have been covered extensively. But did you know that it has the potential to disrupt the payments industry as well? A recent American Banker article highlights how the global chip supply shortage affects the payment card industry and discusses the potential implications for cardholders.
Recently, someone representing a technology provider for chip-enabled cards told me that approximately 400 million chip cards are issued to U.S. cardholders each year. These cards include replacements for expired, damaged, and lost or stolen cards as well as cards for new accounts. He said he believes that with an approximate chip shortage of 30 percent, the industry may not be able to produce up to 126 million cards in the coming year.
With a shortage of chips and issuers unable to produce their usual allotment of cards, some cardholders could lose access to a revolving credit line from a credit card or to funds in their bank account through their debit card when their current cards expire. As the American Banker article states, it seems logical that to mitigate the shortage, issuers may choose not to reissue inactive or less used cards. This possibility could affect those consumers with credit or debit cards expiring soon who might only use their cards sparingly. As an alternative to physical cards, issuers could choose to issue virtual cards, which could be loaded into a mobile wallet and used anywhere contactless payments are accepted. Though mobile payments are growing, I am not convinced that consumers are ready to adopt virtual cards.
My wife and I will continue to visit our favorite local Mexican restaurant. I also am certain that I won't be able to resist that endless supply of chips that will meet me at our table. But with the current semiconductor chip shortage, I am not as certain about having access to all my accounts, because several of the cards in my wallet are set to expire over the next year.
July 12, 2021
Young and Old Want to Keep Their Money Safe
My colleague Doug King recently moderated a panel about age-related attitudes toward banking and payment practices. He spoke with a boomer, a gen-Xer, a millennial, and a gen-Zer.
Most notable about these panelists: not how different they were from each other but how alike. Keeping in mind that a sample of four is not representative and that all were Federal Reserve employees, panelists of every age agreed about risk when it comes to their money: they hate it.
All four had used a brick-and-mortar bank one way or another in the last year, and there was no interest in switching to a digital-only bank or fintech option—even though all panelists struggled to remember the last time they had written a check. One panelist said, "I stick with what I know." Another: "I just don't have time to do the research." A third, "I'm staying with the traditional, just in case." They wanted not the bricks, not the mortar, but rather the security implied by the existence of solid real estate.
They admitted to more risk-averse behavior: no one—not the youngest, not the IT guy—owned crypto assets. Too risky, they said. Most are storing card numbers with an online merchant with high brand recognition but not at other online shopping websites. It's worth the small amount of time to put in the number at lesser known sites, said three of the four.
Do you see a marketing opportunity out there? Some newer services are selling the idea of speed—that is, payments that are fast and frictionless. Or the social benefits of tagging payments with emojis. Or convenience. Or a user-friendly app. But these four people, at least, want safety.
Of course, newer ways to pay do offer security enhancements—for example, two-factor authentication when you use a phone with fingerprint or face ID authentication to pay. And, with so many choices available, panelists said they would like to better understand their payment options. This means that maybe customers are waiting to hear more about product features and benefits that emphasize security and, according to these four, at least, that are delivered by recognized brands they already know and trust.