Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
August 17, 2020
Executive Spoofing Hits Close to Home
Sitting around a table outdoors, physical distancing with my family, the conversation turns to executive spoofing scams at work.
- Millennial works at a factory automation start-up: "Yeah, right. The CEO is sending me an email [snicker]."
- Millennial working in government contracting: "I get them all the time, sometimes from the CFO."
- Boomer works in software industry: "We got a warning just the other day that one is floating around. Don't send money."
We are talking about three businesses with employees numbered in the low hundreds. All privately held. Small fry, really. Everyone in my family considers executive spoofing via phishing to be an everyday, ho-hum event.
Everyday, yes. Ho-hum, not so much. The FBI reports that 114,702 victims of phishing and its cousins vishing, pharming, and smishing lost almost $60 billion in 2019. Phishing is executed via email; vishing, via phone call or voicemail; pharming, via bogus websites; and smishing, via text message. Perpetrators request personal information or money. In addition, business email compromise (BEC), the foundational criminal act for executive spoofing of the sort my family members describe, resulted in more than $1.7 billion in losses related to 24,000 incidents in 2019, reports the FBI. The Association for Financial Professionals (AFP), in a survey of Treasury and finance professionals, found that BEC was the source of six in 10 fraud attempts in 2020.
A number of vendors offer products that use machine learning to fight these forms of fraud. Machine learning holds promise for automatically detecting these attacks. Nevertheless, as with much automation, the human being is the important last line of defense. A few days after that family meal, I see a scam alert. The gist: never, never, never will the Atlanta Fed president text me with a request to purchase $500 in gift cards.
The late Intel CEO Andy Grove said it perfectly: "Success breeds complacency. Complacency breeds failure. Only the paranoid survive." So please don't be ho-hum or complacent about these attacks and warn your family members and others.
April 6, 2020
Will COVID-19 Exacerbate Ecommerce Fraud?
Ecommerce sales in the United States continue to gain a greater share of overall retail sales each year. The Department of Commerce reports that in 2019, total ecommerce sales increased almost 15 percent over 2018 and represented 11 percent of total retail sales. There is no question that with the current COVID-19 environment, our daily habits have undergone tremendous change. As part of that change, I expect that ecommerce sales will increase at a greater rate in 2020 than in 2019.
Following social isolation guidelines, consumers and businesses are turning more and more to conducting their commerce transactions online. Prepaid carry-out, drive-through, and delivery orders now dominate the dining industry as inside dining options have been largely shuttered. Large retailers have been promoting online ordering and ship-to-home delivery options as their stores are closed. TransUnion reports that in the week from March 11 to 17, when the World Health Organization classified COVID-19 as a global pandemic, ecommerce transaction volume increased 23 percent over the previous week.
This spike in ecommerce traffic will likely bring with it a parallel spike in criminal activity, possibly adding to the increasing fraud levels in ecommerce. This shouldn't come as any surprise. It will be important for the good guys not only to be expecting this but also to be prepared for it by making swift adjustments that match the challenge.
One of the key adjustments to consider and apply quickly is properly tuning algorithms for detecting ecommerce fraud. In normal times, anomalous-pattern detection schemes are relied on to expose fraudsters. Elements such as the type of stores commonly used, frequency of usage, average or range of transaction values, and more go into making up an overall usage pattern for a given customer. While these transaction risk models have become very sophisticated over the years, they are challenged by abrupt changes in usage patterns, especially at an individual account level. They need to be smartly and quickly adjusted. Issuers and merchants need to balance the decision of denying transactions—which brings with it the risk of disgruntled legitimate customers and lost revenues—against approving fraudulent transactions and taking financial losses. No easy task, but doable and necessary to undertake, with constant attention.
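To make the tuning problem concrete, here is a toy per-account anomaly scorer added as an illustration; it is not the post's own model or any vendor's. The history and the new transactions are constructed, and the `legit` field stands in for whether the cardholder would confirm a step-up challenge. A frozen baseline challenges every purchase in a sudden but legitimate shift to large grocery orders; an exponentially weighted baseline learns the new pattern after one challenge while a one-off outlier still stands out.

```python
from statistics import mean, pstdev

# Constructed sample data (not real transactions): (category, amount[, legit]).
HISTORY = [("restaurant", 18.0), ("restaurant", 22.0), ("books", 30.0),
           ("restaurant", 20.0), ("books", 25.0), ("restaurant", 19.0)]
NEW_TXNS = [("grocery", 140.0, True), ("grocery", 155.0, True),
            ("grocery", 150.0, True), ("grocery", 160.0, True),
            ("grocery", 145.0, True), ("electronics", 900.0, False)]

def score(history, new_txns, threshold=3.0, alpha=None):
    """Return one decision per new transaction: approve / challenge / decline.

    The baseline is the mean and variance of past amounts. With alpha=None it is
    frozen (the "normal times" model). With alpha set, every approved or
    confirmed transaction updates an exponentially weighted mean/variance, so a
    sustained legitimate shift is absorbed within a few purchases. Note the
    trade-off: fraud that stays under the threshold also trains the baseline.
    """
    amounts = [a for _, a in history]
    mu = mean(amounts)
    var = max(pstdev(amounts), 1.0) ** 2   # floor avoids divide-by-zero on flat history
    decisions = []
    for _, amount, legit in new_txns:
        z = abs(amount - mu) / var ** 0.5
        if z <= threshold:
            decisions.append("approve")
        elif legit:                        # step-up challenge passed: approve, learn
            decisions.append("challenge")
        else:                              # challenge failed: decline, do not learn
            decisions.append("decline")
            continue
        if alpha is not None:
            diff = amount - mu
            mu += alpha * diff
            var = (1 - alpha) * (var + alpha * diff * diff)
    return decisions

def friction_count(decisions):
    """Number of legitimate purchases that hit a step-up challenge."""
    return decisions.count("challenge")

if __name__ == "__main__":
    for label, alpha in (("static baseline", None), ("adaptive baseline", 0.3)):
        d = score(HISTORY, NEW_TXNS, alpha=alpha)
        print(f"{label}: {d} (friction on {friction_count(d)} legit purchases)")
```

The adaptive variant buys lower friction by letting the variance widen after the shift, so the threshold and alpha still have to be watched against fraud that is merely moderate rather than extreme.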
Working collaboratively with merchants, consumers can help to surprise the criminals as fraud fighting evolves. The good guys win if we exercise patience with one another and remain mindful of the balance between purchase friction and fraud avoidance as fraud-fighting tools and methods adjust. If both sides are considerate of the needs on the other side of the transaction and work together, with patience and a willingness to engage, perhaps differently than we have been willing to in the past, the results could be ones that everyone (except the crooks) is happier with, in both the short run and the long run.
We know fraud management teams will be busy managing their fraud-detection tools and processes and expect they will rise to the challenge. We also expect consumers are ready and willing to assist in ways that are helpful as well. The constant chess match with the criminal element will continue, and we look forward to seeing a chess piece on the good guys' side of the board with some new moves to help aid in the fight against the bad guys.
March 30, 2020
Do We Use a Payments Risk Thermostat?
I read a blog post last week that is eerily evocative of the individual actions we take—or don't take—to protect our personal and payments information. You can read it here: Handwashing Can Stop a Virus—So Why Don't We Do it?
The blogger identifies some reasons we don't wash our hands as much—or as thoroughly—as we should, including lack of awareness and inconvenience.
- We are not aware that hand washing is so effective.
- We balk at the least inconvenience or practical barriers—for example, having to take a few extra steps to get to the soap and water.
Sounds a lot like the reasons people may cut corners on payments security. For example, people may not be aware of the efficacy of credit freezes, or they might find imposing them to be inconvenient. People may not be aware that it is not optimal to use the same password for multiple accounts, or they may consider it to be inconvenient to set up different passwords.
I think this paper positing a "risk thermostat" applies not only to handwashing but also to payments security. We use our risk thermostats to make tradeoffs, so taking one kind of preventive measure could increase our willingness to accept more risk in another way. The author writes: "individual risk taking decisions represent a balancing act in which perceptions of risk are weighed against propensity to take risk."
So, for example, maybe you start wearing gloves and stop washing your hands so carefully. (Don't do that, please.) Or maybe you put a credit freeze on your accounts at the major credit bureaus and stop watching your bank and card statements so carefully. (Don't do that, either.)
As these writers on behavioral science note, awareness is the first step. So be aware of payments and other financial risks facing your business and your customers during the coronavirus outbreak. Here are some resources you can use to educate your colleagues and customers:
- U.S. Secret Service: Watch out for phishing scams posing as medical or health providers, and for charity scams on social media.
- Federal Trade Commission (FTC): Ignore emails claiming to be from the CDC; ignore online offers for vaccinations.
- U.S. Securities and Exchange Commission: Beware internet and social media promotions claiming that products or services "prevent, detect, or cure coronavirus" and that the stock of the companies providing them will increase in value.
As of March 16, the FTC and the Food and Drug Administration already have issued warning letters to seven sellers of unapproved and misbranded products.
Best wishes and good health to you and your families. Now, go wash your hands. And check your bank account when you're done.
February 3, 2020
Fuel Pump EMV Chip Liability Shift Looms Large
It has been quite some time since the Retail Payments Risk Forum has blogged about the state of the EMV chip in the United States. Perhaps the lack of coverage is a nod to the success and growth of EMV chip issuance and acceptance since the point-of-sale (POS) and ATM liability shifts that began in 2015 and 2016, respectively. The Federal Reserve's newly released payments study found that 57 percent of in-person card payments in 2018 used chip authentication compared to 2 percent in 2015. Talk about phenomenal progress over a three-year period! Yet there is more to do, and 2020 will be a big year for closing a big gap—EMV chip acceptance at the fuel pump, or what the industry generally calls automated fuel dispensers (AFDs).
In October, all of the global card networks' liability shifts will be implemented for AFDs. As a brief reminder, this liability shift means that petrol retailers will now be responsible for incurring the fraud losses on all non-EMV-chip-authenticated transactions initiated by EMV cards at their pumps. According to several industry associations that represent the convenience and petroleum store industry, this liability shift date will be a challenge for many station operators to meet given a limited availability of EMV-compatible AFDs as well as the technicians to install and certify the machines as EMV ready.
Through the years, the Risk Forum has stressed that criminals tend to gravitate to the easy targets when it comes to committing card fraud, or really any fraud in general. Card skimmers at AFDs pulling data off a card's magnetic stripe have been a major problem for decades. I have no doubt that the fraudsters are fully aware of the impending liability shift and will be stepping up their AFD attacks in 2020 before the window of counterfeit card opportunity closes. Those retailers who are delaying their EMV migration or are unable to migrate by the liability shift date will become giant bull's-eyes. Expected card fraud losses in 2020 for the industry are not inconsequential—one industry association has estimated losses of $451 million. I should also note that the costs faced by the industry to migrate to EMV are also significant, at an estimated $3.9 billion.
After witnessing the successful rush by the industry to implement EMV chip at the POS and ATM, I am confident that the AFD EMV chip implementation ahead of the October liability shift will be a success, but all involved will definitely experience challenges. My confidence stems from the positive momentum I have seen from everyone involved in the payments industry working together for the common good to mitigate card fraud. With counterfeit card fraud losses through June 2019 down by over 60 percent since September 2015, I look forward to seeing even more decreases in counterfeit card fraud following this year's AFD liability shift.