Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
February 25, 2019
Fighting Discipline with Discipline
When I meet with law enforcement officers, they often describe the growing sophistication of criminal groups that commit large-scale fraud. Just like legitimate enterprises, these global organizations follow a disciplined process to reach their business goals. As a successful salesperson follows specific steps from prospecting to closing, successful criminal enterprises follow defined steps that improve their chances of successfully executing financial crimes.
Let's take a look at a disciplined, five-step process that criminals generally follow to successfully execute a business email compromise (BEC) attack. The process can also apply to other types of cybercrimes, such as account takeover.
- Identify targets. Fraudsters scan specific industries to identify firms to attack. While firms handling real estate closings and trusts remain primary targets of BEC attempts, other businesses, across multiple industries, that have large-value accounts payable have increasingly become targets.
- Gain access. Fraudsters attempt a variety of methods to gain entry to the business accounting or IT system. With BEC, the most common way in is to get an employee to open an email or click on a link containing malware that will result in the compromise of the employee's log-in credentials. Another method is to exploit a security gap in the company's IT access control system. Social engineering is also becoming more frequent.
- Establish a foothold. Upon gaining access to the business records of the company, the fraudsters are likely to create hidden paths to enter and exit the company's systems without detection.
- Conduct surveillance. More and more often, fraudsters take their time monitoring the activity and records of the company, sometimes for months. Doing so helps them better understand the company's controls related to authorizing large-dollar-value transactions and customer records maintenance. When they eventually conduct their misdeed, they stay within normal controls and therefore don't set off any additional oversight.
- Steal and retreat. When the criminals have gained the necessary knowledge—by conducting their thorough, sometimes lengthy surveillance—they make a funds transfer request. In a BEC, this is generally an email from a senior official of the company to the finance department conveying some sense of urgency. In most cases, the request refers to a valid invoice or customer account number in an attempt to appear legitimate. Of course, the criminal controls the account that would receive the funds. If the request succeeds, the criminal may make additional funds transfer attempts. When they're done, they try to erase any evidence of their intrusion.
These sophisticated criminals achieve their results with discipline, but you can successfully stop BEC and similar attacks by relying on your own discipline in several areas. BEC is totally preventable if a business combines employee education and testing with meticulous authorization control processes, audit oversight, and IT security techniques. Instill this discipline and you won't be a victim.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 14, 2019
Hiding in Plain Sight
Over the holidays when our family is all together, we always try to watch A Christmas Story. There are so many memorable moments in the movie, from the triple-dog-dare-you, tongue-frozen-to-the-flagpole scene to the leg lamp breakage. When the story revolves around Ralphie and the Little Orphan Annie secret decoder ring, it triggers my childhood memories of having a similar decoder ring that came with a pair of P.F. Flyers sneakers (think pre-Nike and Adidas). This year, our movie-watching led to a storytelling session of techniques worthy of any spy movie for passing secret notes. Many of the examples were like the decoder ring—they used some sort of secret alphanumeric table as a key to solve the cryptic message. In other words, we were talking about a rudimentary form of encryption, which, in today's technology, renders data useless to those without a key, whether they're bad guys or good guys.
But our conversation didn't stop there. I told a childhood story of dipping a toothpick in lemon juice and writing a message on paper. After the juice dried, the message became invisible, and I would then write an innocuous—and visible—message on the paper with pen or pencil. The recipient would carefully hold the paper over a flame to slowly reveal the hidden message. (Kids, try this only under adult supervision!) Little did I know I was using a technique called steganography—hiding a message within another message—that people also use today to protect information online.
Various forms of the technique date back to Greek civilization when untrusted messengers had to convey sensitive or classified information, or a message was at risk of being intercepted. (There is an entertaining and educational video on steganography by Richard Buckland, a professor at the University of New South Wales in Australia.) Today, technology has created a new technique in the form of digital steganography, which is the practice of hiding an image, audio, or data file within another image, audio, or data file.
A recent article in infoRisk Today highlighted the darker side of steganography, with its use by the criminal element. That article prompted me to conduct more research on the technique as a payments risk. From a cybersecurity standpoint, the greatest risk to consumers appears to be when the criminal hides a malware file within an image, audio, or other data file that, when opened, will load malware onto the device for future eavesdropping or control. Such an event could lead to the compromise of PII (or personally identifiable information), online credentials, or other sensitive information on the device without the owner's knowledge. In an August 2017 release, Kaspersky Lab warned about the difficulty for existing data protection processes to detect embedded malicious code.
Account takeover fraud is a major criminal activity that generally begins with the compromise of an individual's legitimate banking log-in credentials. A criminal who obtains this information can execute payment transaction fraud and, ultimately, synthetic identity fraud (see last week's post). While there are valid uses for steganography as an alternative to encryption, the criminal element will continue to develop uses of digital steganography to further their criminal operations and, as the infoRisk article notes, this usage is becoming more sophisticated and harder to detect.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 17, 2018
Card Fraud Values Often above Average
Recent data from the Federal Reserve Payments Study remind me of my first experience with payments fraud as a 20-something college grad freshly arrived in Boston. I left my wallet in a conference room, and someone lifted my credit card. I still remember the metaphorical punch to the stomach when the telephone operator at the card company asked, "Did you spend $850 at Filene's Basement?" $850! That was more than twice my rent, and far more than I could conceive of spending at Boston's bargain hunters' paradise in a year, let alone on a one-night spree.
Decades later, the first thing I do to check my card and bank statements is to scan the amounts and pay attention to anything in the three digits. For noticing high-value card fraud, this is a pretty good habit.
That's because, on average, fraudulent card payments are for greater dollar values than nonfraudulent card payments. In 2016, the average value of a fraudulent credit card payment was $128, almost 50 percent more than $88 for a nonfraudulent credit card payment. For debit cards, the relationship was more pronounced: $75 for the average fraudulent payment, about twice the $38 average nonfraudulent payment, according to the Federal Reserve Payments Study.
Even to the noncriminal mind, this relationship makes sense: get as much value from the card before the theft or other unauthorized use is discovered. For a legitimate user, budgetary constraints (like mine way back when) and other considerations can come into play.
Interestingly, this relationship does not hold for remote payments. In 2016, the average dollar values of remote debit card payments, fraudulent and nonfraudulent, were the same: $68. And the average value of a nonfraudulent remote credit card payment, $151, exceeded that of a fraudulent remote credit card payment, $130. Why the switcheroo?
A couple of possibilities: Remote card payments include online bill payments, which often are associated with a verified street address and are of high value. So that could be pushing the non-fraudulent remote payments toward a high value relative to the fraudulent remote payments. Another factor could be that fraud detection methods used by ecommerce sites look for values that could be outliers, so perpetrators avoid making purchases that would trigger detection—and thus average values for remote fraud are closer to average values for remote purchases generally. But this is speculation. What do you think?
The relationships described here are depicted in figures 21 and 28 of the recent report of the Federal Reserve Payments Study, Changes in the U.S. Payments Fraud Landscape from 2012 to 2016. You can explore other relationships among average values of payments, and more, on the payments study web page.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
December 10, 2018
A Look in the Rearview Mirror of Payments for 2018
I'm sure just about everyone else in the payments industry would agree with me that 2018 was yet another exciting year for payments. The year was filled with a host of newsworthy events, but fintech most certainly took center stage in the financial services industry, including payments. Whether the news highlighted an announcement of a new product to increase financial access or discussed the regulatory challenges and associated concerns within the fintech space, it seemed that fintech made its way into the news on a daily basis. Still, for payments, 2018 will be remembered for more than just fintech.
The Retail Payments Risk Forum's last Talk About Payments webinar of 2018 will feature Doug King, Dave Lott, and Jessica Washington sharing their perspectives and memories on the year-in-payments in a round table discussion. Among the topics they will discuss are consumer payment preferences, the changing retail environment, and the state of fraud—and fintech, of course. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.
The webinar will be held on Thursday, December 20, from 1 to 2 p.m. (ET). Participation in the webinar is free, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.
We look forward to you joining us on December 20 and sharing your perspectives on the major payment themes of 2018.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed