Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 6, 2021
Think Like a Genius for Payments Innovation
Ron Klein filed the patent for the magnetic strip used on credit cards in 1966, and it was awarded in 1969. His invention revolutionized the payments industry, increased efficiency, and reduced fraud. I was fortunate to meet Ron, known as "The Grandfather of Possibilities", at an entrepreneur's conference several years ago. Being in the payments world, I wanted to know how he got the idea for the magnetic strip that is still on the back of credit and debit cards today.
Ron, an engineer by training, said department stores came to him with two problems. It took too long for customers to make charge purchases, and the burden of proof was on the merchant. For example, prior to the magnetic strip and online authorizations, the customer's name and account number were embossed on credit cards. Lost, stolen, canceled or past due accounts were listed in a monthly printed bulletin sent to merchants. Clerks at the point of sale waded through thousands of numbers to see if the card was not listed, and therefore acceptable. A merchant accepting a card listed in the bulletin was liable for the transaction.
Ron's first solution: He compiled the monthly records of negative accounts and stored the information on magnetic drums. The merchant then had a keypad that was connected to the stored data to look up numbers. While that expedited the POS process, it didn't go far enough to solve the problem. Keying in the card number was time-consuming.
Ron said he decided to "put some smarts in that piece of plastic" by applying reel-to-reel tape recorder technology. His idea? Record the account number on the tape, build a device that reads it like a tape recorder, connect it to the stored data, and voila! The credit card validity checking system is born!
At 85, Ron continues to mentor, coach, and inspire others to solve challenges. This requires, he said, a certain mindset: Be smart, daring, and different, and don't be afraid of making mistakes. If you want to solve a problem, you need to take some time to think about it in a certain way. Simply put, Ron said there is a gift behind every challenge that, if explored with an inquisitive mind, can bring forth innovations that can make things better for people.
I was thinking about Ron in the context of today's payments innovations, or the challenges we currently face, such as the chip shortage or fraud. What problems do you think need to be solved? By thinking like a humble genius, we see that every challenge brings an opportunity for advancing innovation.
October 19, 2020
All Things Biometrics
Since 2014, I have written a number of posts in our Take on Payments blog on biometrics technology—the automated capture of an individual's unique physical or behavioral characteristics—and related issues. In fact, the Retail Payments Risk Forum (RPRF) hosted a conference on biometrics in November 2015 that brought experts in the field from all over the world to discuss the present and future state of the biometrics being used in consumer applications. Since that time, we have seen some smartphones move from using fingerprint readers to using facial recognition to authenticate users, with some applications even using voice recognition.
But as developers and users are discovering, not all biometric methodologies are equally suited for all applications. We have to consider factors such as risk level, cost, operating environment, and targeted population to determine if a particular biometric modality is better suited than another for an intended application. And along with the technology, a host of policy issues such as privacy, consent, and trust have emerged.
We had hoped to convene another comprehensive biometrics conference this fall, but due to the COVID-19 restrictions on group gatherings, we have postponed the event and hope to convene it in the fall of 2021. We continue to seek ways to fulfill the RPRF's mission of research and education on payment risk issues, so we will focus on biometrics in our next Talk About Payments webinar, which is scheduled for the afternoon of October 29.
We are excited to have James "Jim" Loudermilk as our guest in discussing the current state of biometrics in authentication as well as related policy issues. Jim was a technology executive with the Federal Bureau of Investigation for 21 years, where he represented the bureau nationally and internationally on identification and innovation issues. He was a member of the FBI Biometric Steering Committee and represented the FBI with the National Science Foundation Center for Identification Technology Research. Jim is highly regarded by his peers for his knowledge of biometrics and their applications.
I hope you will join Jim and me as we discuss all things biometrics on October 29 from 3 to 4 p.m. (ET). The webinar is open to the public and free of charge, but you must register in advance to participate. Once you've registered, you will receive a confirmation email with login and call-in information. You can register here or through our Talk About Payments web page. If you have any questions concerning the webinar please direct them to me at David.firstname.lastname@example.org. Jim and I look forward to seeing you on the 29th.
October 5, 2020
Facial Recognition Bias: Reality or Myth?
In an August post, I wrote about some academic reports that had alleged ethnic and gender bias in facial recognition algorithm programs. These reports resulted in some major technology vendors withholding the sales of their facial recognition software to law enforcement agencies in the United States. Fortunately, we have an objective organization to help provide the answer to the question of whether there is bias in facial recognition algorithms.
That organization is the nonregulatory government agency, the National Institute of Standards and Technology (NIST). NIST, under the umbrella of the U.S. Department of Commerce, was founded in 1901 and operates one of the country's oldest physical science laboratories, providing measurements and standards for a wide range of technologies including biometrics. Its mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
Since 2000, NIST has been evaluating the performance of facial recognition algorithms submitted by vendors as part of an ongoing objective measurement effort called the Face Recognition Vendor Test. Testing results are updated and published annually. While vendor participation is voluntary, NIST believes the participants are representative of a substantial part of the facial recognition industry.
The overall testing cycle was composed of three types of facial recognition algorithm testing: one-to-one matching, one-to-many matching, and, the most recent, testing of demographic effects. This testing used a database of approximately 18 million quality facial images representing 8.5 million individuals. The testing included 189 commercial algorithms submitted by 99 developers from companies and academic institutions from all over the world.
The measurements that NIST made were categorized into false negatives (where two images of the same individual are not associated) and false positives (where images of two different individuals are erroneously identified as the same person). The latter error has far greater consequences, including the risk of giving an unauthorized person access to a secure location or of possibly falsely arresting an individual. The overall results of the testing are too detailed and numerous to list in this post. As one would expect with such a wide set of submissions, the results of the various algorithms ranged from what I would categorize as highly accurate to substandard. I recommend you watch a YouTube video in which Mei Ngan of NIST covers the test results. (The Women In Identity organization produced the video.) I think that, after you see the results, you'll agree with my assessment of whether there is bias in facial recognition: "It depends." Some of the algorithms show no bias and others do, indicating a need for additional improvement in their development.
In my August post, I also raised the issue of how face coverings will affect the performance of facial recognition programs such as those run by the Transportation Security Administration and Customs and Border Protection. NIST has recently tested the algorithms with this restriction and generally found that accuracy was substantially lower, although the developers are making modifications to the algorithms to improve their performance. Ms. Ngan covers this subject in her presentation as well.
Stay tuned for more biometrics information and discussion in our posts, and check out our October 29 Talk About Payments webinar that will feature one of the foremost biometrics experts in the country.
September 28, 2020
Encouraging Password Hygiene
Many offices have closed their doors to protect employees from COVID-19 infections, causing a surge in people working remotely in 2020. This situation has brought data security concerns to the forefront for many businesses. This past blog is a great reminder about the importance of password hygiene to protect valuable data assets. Don't fall victim to credential theft or social attacks.
Practicing good password hygiene, such as using strong passwords and never using them for any other application, can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigation Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.
Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?
Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.
So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.
The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.
I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.
Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!