Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
March 6, 2023
Is Your Tax Refund at Risk of Theft?
With the start of a new year, I create a folder labeled "tax documents." This is where I place the W-2s, 1099s, receipts, and other tax-related documents in advance of prepping our tax return, which we begin in earnest on February 1. Fingers crossed that by planning ahead and keeping careful records we avoid mistakes in our filing (and that we underpaid just a little bit).
Now, when I talk about tax return fraud, I'm not talking about mistakes or intentional misstatements, income omissions, or incorrect deductions. I am referring to what is classified as stolen identity refund fraud (SIRF). In this type of fraud, the criminal obtains your name and social security number and then proceeds to file a tax return as early as possible, claiming a refund. You, the victim, don't generally find out this has happened until, in the course of your own filing, you receive a message from the Internal Revenue Service (IRS) that a tax return has already been filed for your social security number. The criminal often arranges to have the refunds sent via the ACH network to money-mule accounts or loaded onto prepaid debit cards. Sometimes the criminal requests that a check be mailed to an address where they can steal the check out of the mail.
The operators of the ACH network have been active in combating tax return fraud, and the IRS and the Department of Justice have made the investigation and prosecution of SIRF a high priority. In 2017, the IRS spearheaded the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (the IDTTRF-ISAC, or just ISAC), a collaborative effort of the IRS, state agencies, and the private-sector tax industry. At the heart of the ISAC operation is a platform that collects SIRF data, performs aggregated analysis, and then distributes anonymized reports to the participants.
The IRS continues to support major education efforts to help filers minimize the broader threat of identity theft. The IRS's Guide to Identity Theft is available in eight languages on the IRS website. An important tool for consumers to have is the IRS Identity Protection Personal Identification Number (IP PIN). The IP PIN is a six-digit number the IRS provides to the taxpayer to include with an electronic return. Originally available only to filers who had previously experienced tax return fraud, the IP PIN has been available to all consumers since January 2021. You can find instructions on the IRS's website on obtaining one online or through an application. If you don't already have an IP PIN, I strongly encourage you to get one as soon as possible.
Best wishes as you gather all your tax documentation, and may you avoid the tax refund criminals.
May 2, 2022
Taking the Long View: A Visit with Retail Payments Risk Forum Founder Rich Oliver
Rich Oliver, the founder of our Retail Payments Risk Forum (RPRF), paid a visit to our team recently and shared his vision when creating the forum, the challenges facing the payments industry, and the future direction our team could consider as the payments landscape continues to evolve.
In addition to founding our RPRF, Rich has payments expertise going back to the 1970s, when he led the effort to utilize the fledgling US Automated Clearing House (ACH) system to electronically deliver the first government payrolls and social security payments.
Drawing on his expertise, Rich wrote a book with George Warfel Jr. about the payments industry, The Story of Payments: How The Industrialization of Trust Created the Modern Payments System, that "tells the story of how payments—between people, merchants, employers, and governments—emerged from the ancient system of barter and grew, through various technological implementations ranging from coins and paper money to checks, wire transfers, and credit cards, to today's entirely electronic local and international payment systems."
In a wide-ranging conversation about the history of payments and Rich's role in many areas with the Fed, each of us in the RPRF took away some highlights to share with you.
Scarlett Heinbuch: Rich reminded us of the need to be bold in our thinking about the future of payments. We discussed advances in biometrics and how these initiatives could address identity and security concerns and make payments easier for all while also presenting other risks and challenges.
Nancy Donahue: One comment that made me go "hmm" was: "Do we have too many retail payments products that are trying to solve the same problem? Do they all make money? Do they all need to?"
Catherine Thaliath: What resonated with me was when Rich talked about potential risks of Buy Now Pay Later (BNPL). While viewed as a credit offering, it is nevertheless using a payment instrument in ways not previously done.
Claire Greene: "When it comes to product design, you can't assume you know what someone wants without doing the work." This was a humble statement from an innovator that applied in the 1970s and remains relevant today.
Dave Lott: Rich discussed the evolution of the current consumer banking product market where many of the explicit services (on-us ATMs, online banking, mobile banking, pay wallets, etc.) are provided free of charge.
Sally Martin: It resounded with me how much collaboration went on with the payments players in the industry. Also, the amount of time spent brainstorming on what the needs were and how to fill them, and in moving toward new offerings rather than replays of existing products. Rich's talk focused on moving into new territory—he was "agile" before it was cool.
Jessica Washington: We still need to collaborate on fraud mitigation at the strategic level. In the United States, we implemented chip credit cards but not so much chip-and-pin, plus we still have the magstripe, which is a major source of weakness, and we still have much work to do on card-not-present transactions.
As the RPRF founder, Rich challenged each of us to remember its mission: to be a source for non-biased thought leadership, to do original research, challenge norms, and push the envelope to move the payment system forward. Sometimes looking back at history can bring the future into sharper focus, which is what our chat with Rich did for us. As you look to the future of payments and payments risk, what stands out to you?
By the Retail Payments Risk Forum Team: Jessica Washington, Dave Lott, Scarlett Heinbuch, Claire Greene, Nancy Donahue, Catherine Thaliath, and Sally Martin.
March 14, 2022
Thumbs Up: Smartphone Apps versus Websites
Sitting in front of my computer, I recently picked up my smartphone and unlocked my banking app with my thumbprint to see if a check I had written had cleared my account. Before going any further, let me acknowledge that, yes, this payment professional still writes checks every now and again! I learned the check had cleared, logged off the app, and resumed my day in front of my computer. This got me thinking about a change in my behavior that has occurred over time. Even when I am right in front of my computer, I find myself using my smartphone apps almost exclusively instead of visiting the full-function websites from my laptop or desk computer. Why?
The answer is simple: ease of access. I can get to my information through apps on my smartphone using just my thumbprint but accessing that same information from my computer through a website requires me to remember and type in my username and password. In fact, every app on my smartphone that requires a log-in allows me to authenticate using my thumbprint. Truthfully, I’m not so good at remembering my passwords even using the methods I teach others to use: create difficult yet supposedly easy-to-remember passwords. Perhaps this is why password managers remain so popular. I continue to hold out from using a password manager with hopes that biometric authentication will become more common on websites and remembering passwords will be a thing of the past (except when biometric authentication fails). If smartphone apps authenticate me with my fingerprint or face, then why don’t websites do that when my laptop has a fingerprint reader and camera just as smartphones do?
While the same biometric functionality is currently available on my computer, the main barrier is that websites struggle to support and accept biometric validation due to different implementations across various web browsers and operating systems. Several organizations and standards bodies are considering this issue. The FIDO (Fast Identity Online) Alliance was formed in 2013 to produce stronger authentication standards and reduce password reliance. The FIDO2 Project, a joint effort between FIDO and the World Wide Web Consortium (W3C), released specifications in 2019 for W3C’s Web Authentication (WebAuthn) standard, which allows a website to use FIDO authentication through a standard API implemented in the browser, using public key cryptography and biometric authentication. Unfortunately, uptake has been slow, primarily because of the inconsistent user experience from website to website.
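As an added illustration (not code from this post or from the FIDO Alliance), the Node.js example below shows what a website checks when a WebAuthn login response arrives: the site holds only a public key, and the fingerprint match on the device surfaces as a single "user verified" flag inside signed data. The site name `bank.example`, the function names, and the simulated authenticator are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'bank.example';            // assumed relying-party ID (hypothetical site)
const ORIGIN = 'https://bank.example';   // assumed origin of that site
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the site stores only the public key; the private key stays on the device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const newChallenge = () => crypto.randomBytes(32);   // fresh per login attempt

// Constructed stand-in for the laptop's authenticator. A fingerprint match happens
// locally and only decides whether the "user verified" (UV) flag is set.
function simulateAuthenticator(key, challenge, { userVerified = true, origin = ORIGIN } = {}) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const flags = 0x01 | (userVerified ? 0x04 : 0x00);   // bit 0 = user present, bit 2 = UV
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, key) };
}

// What the website checks before treating the login as authenticated.
function verifyAssertion(pubKey, expectedChallenge, { clientDataJSON, authenticatorData, signature }) {
  let client;
  try { client = JSON.parse(clientDataJSON.toString('utf8')); } catch { return 'malformed'; }
  if (!client || client.type !== 'webauthn.get') return 'wrong-type';
  if (typeof client.challenge !== 'string' ||
      !Buffer.from(client.challenge, 'base64url').equals(expectedChallenge)) return 'stale-challenge';
  if (client.origin !== ORIGIN) return 'wrong-origin';       // binds the login to this site
  if (authenticatorData.length < 37) return 'malformed';     // rpIdHash + flags + counter
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp';
  if (!(authenticatorData[32] & 0x01)) return 'user-not-present';
  if (!(authenticatorData[32] & 0x04)) return 'user-not-verified';   // no biometric/PIN check
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, pubKey, signature) ? 'ok' : 'bad-signature';
}

const challenge = newChallenge();
console.log(verifyAssertion(publicKey, challenge, simulateAuthenticator(privateKey, challenge)));
```

No fingerprint data or password crosses the network in this exchange; a response replayed against a new challenge, or produced for a different origin, is rejected before the signature is even checked.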
I should note that biometric authentication for apps on phones has not necessarily eliminated passwords, though it certainly feels like it, at least until the biometric authentication fails. Rather, biometrics serve as an alternative method of accessing the app’s username and password combination. Fingerprint and facial recognition rely on a template algorithm stored in a highly secure location on our phones. When an app requests my thumbprint and the stored algorithm confirms a match, the equivalent of a password manager opens on my phone and I am authenticated.
Is the end drawing any closer for manually entering online passwords, and are you looking forward to that day? Taking it further, will the day ever come when passwords are eliminated? Personally, I hope so and am very much looking forward to that day. If it doesn’t happen, then, based on my own habits, the days of visiting my financial institution’s website and others’ sites might be altogether forgotten.
February 28, 2022
5G and 3DS: A Perfect Pair?
Not that long ago, when you heard the term "5G," you would probably mentally translate it to "five grand" or "five thousand dollars." Today, 5G refers to the fifth generation of mobile network wireless communications technology. Network operators promise that 5G technology will deliver much faster data transmission speeds, lower latency, and greater signal reliability, which consumers may not truly realize on the mobile front for several years as operators upgrade their cell tower networks. But are there benefits on the payments side we're likely to see?
My colleague Doug King first raised this question in a Take On Payments post in September 2018, when the industry thought 5G was on the cusp of becoming a reality. While the pandemic and regulatory concerns about security and safety have slowed implementation, it is now underway.
We have also previously written about the evolution of 3DS (short for "three-domain secure"), which was developed in 2000 to improve the authentication of a legitimate consumer's payment transaction with a merchant. The first version of 3DS was unsuccessful in the United States for a variety of reasons centered on poor consumer experiences that resulted in high shopping cart abandonment rates. However, as digital transactions' share of overall retail sales continued to grow, the payments industry knew that new tools were needed to combat increasing fraud.
Recognizing that the 3DS process needed an overhaul to meet consumer, issuer, and merchant requirements, EMVCo released EMV 3DS 2.0 specifications in 2016. While this version results in a more complex transaction and was slow to gain traction in the marketplace until recently, its strength relies on the merchant's ability to send additional data to the payment card issuer. This additional information includes transaction, method of payment, and payment device information and is intended to help the issuer to run fraud mitigation tools more effectively, better detecting the fraudulent transactions and not denying the legitimate ones. The issuer, if still concerned about a transaction's legitimacy, can perform stepped-up authorization with the customer, including out-of-band confirmations. An out-of-band confirmation is authentication occurring on a different channel than the one initiating the transaction, such as when a banking app sends an email or text with a password the customer must enter in the app to carry out the transaction. A recent report indicates that 10 percent or less of transactions require this stepped-up authorization, and merchant adoption increased 50 percent during Q4 2021 compared to Q4 2020.
So how will 5G and 3DS work together? Transmitting and handling payment authorization messages with the additional data the EMV 3DS 2.0 specifications require can increase transaction time. Slow response time (latency) is a major factor in a consumer abandoning a shopping cart and the merchant losing a sale. The mobile network benefits of 5G will be realized over time, but many operators have already begun to support local 5G networks for small to mid-sized businesses requiring fast data speeds.
Such networks will allow these businesses to handle the additional message data, as well as additional payment devices, while providing better service levels. While the GSMA (Global Systems for Mobile Communications Association) estimates it will take until 2025 before half of the mobile communications in North America will be on a 5G network, the uptake in the United States is expected to be faster.
I believe that the further adoption of EMV 3DS will be enhanced with the continued implementation of 5G technology in the United States. We will continue to monitor both technologies and to watch for when their expected benefits start to come about.