About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

February 25, 2019


Fighting Discipline with Discipline

When I meet with law enforcement officers, they often describe the growing sophistication of criminal groups that commit large-scale fraud. Just like legitimate enterprises, these global organizations follow a disciplined process to reach their business goals. As a successful salesperson follows specific steps from prospecting to closing, successful criminal enterprises follow defined steps that improve their chances of successfully executing financial crimes.

Let's take a look at a disciplined, five-step process that criminals generally follow to successfully execute a business email compromise (BEC) attack. The process can also apply to other types of cybercrimes, such as account takeover.

  • Identify targets. Fraudsters scan specific industries to identify firms to attack. While firms handling real estate closings and trusts remain primary targets of BEC attempts, businesses across many industries that have large-value accounts payable have increasingly become targets.
  • Gain access. Fraudsters try a variety of methods to get into the business's accounting or IT systems. With BEC, the most common way in is to get an employee to open a malicious attachment or click a link that either installs malware or leads to a counterfeit login page, either of which results in the compromise of the employee's log-in credentials. Another method is to exploit a weakness in the company's access controls. Social engineering by phone or other channels is also becoming more frequent.
  • Establish a foothold. Once inside the company's systems, the fraudsters are likely to create hidden paths to enter and exit without detection. In a compromised mailbox, for example, this often takes the form of inbox rules that silently forward, hide, or delete messages so the victim never sees the intruder's correspondence.
  • Conduct surveillance. More and more often, fraudsters take their time monitoring the activity and records of the company, sometimes for months. Doing so helps them understand the company's controls for authorizing large-dollar-value transactions and maintaining customer records. When they eventually act, they stay within the normal controls and therefore don't trigger any additional oversight.
  • Steal and retreat. When the criminals have gained the necessary knowledge through their thorough, sometimes lengthy surveillance, they make a funds transfer request. In a BEC, this is generally an email that appears to come from a senior official of the company (sent from the compromised mailbox itself or from a lookalike address) to the finance department, conveying some sense of urgency. In most cases the request refers to a valid invoice or customer account number to appear legitimate. Of course, the criminal controls the account that would receive the funds. If the request succeeds, the criminal may attempt additional transfers. When they're done, they try to erase any evidence of their intrusion.

These sophisticated criminals achieve their results with discipline, but you can stop BEC and similar attacks by relying on your own discipline in several areas. BEC is largely preventable if a business combines employee education and testing with meticulous authorization controls (for example, confirming any change in payment instructions by calling the requester at a previously known number, and requiring a second approver for large transfers), audit oversight, and IT security measures. Instill this discipline and you greatly reduce your chances of becoming a victim.
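As an added illustration of the "steal and retreat" step, here is a small triage routine that scores an inbound transfer request for the indicators described above: an executive's display name on an address that isn't theirs, a lookalike sender domain, a Reply-To pointing somewhere else, urgency or secrecy language, and a request to use new payment instructions. It is example code written for this page, not Atlanta Fed or Retail Payments Risk Forum code; the company domain, the executive list, the scoring weights and the two sample messages are all constructed assumptions.

```python
"""Heuristic triage of an inbound funds-transfer email for BEC indicators.

Added example for this post, not code from the Atlanta Fed or the blog.
The company domain, executive list, scoring weights and sample messages
below are all assumptions constructed for illustration."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "examplecorp.com"                  # assumption
EXECUTIVES = {"jane doe": "jdoe@examplecorp.com"}   # assumption: display name -> real address

# Pressure language and payment-instruction changes: the two content signals
# the post describes (urgency, and a request that otherwise looks routine).
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|confidential|before (?:close|end of (?:day|business)))\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed) (?:bank|banking|account|wire) (?:details|instructions)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def flag(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage(raw_message: str) -> Verdict:
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    v = Verdict()

    # Header signals: an executive's display name on a foreign address,
    # a lookalike domain, or replies steered to a different mailbox.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        v.flag(3, f"display name '{name}' but sender {addr} is not {known}")
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        v.flag(3, f"lookalike domain {sender_domain}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        v.flag(2, f"Reply-To {reply_to} goes to a different domain")

    # Content signals from subject and body (single-part messages only here).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        v.flag(1, "urgency or secrecy language")
    if PAYMENT_CHANGE.search(text):
        v.flag(2, "request to use new payment instructions")
    return v


def is_suspicious(raw_message: str, threshold: int = 4) -> bool:
    """Above the threshold, hold the transfer for out-of-band confirmation."""
    return triage(raw_message).score >= threshold


# Constructed samples (not real messages).
SAMPLE_BEC = """From: "Jane Doe" <jane.doe@examplecorp.co>
Reply-To: jane.doe.ceo@webmail.example
To: ap@examplecorp.com
Subject: Urgent wire - invoice 4471

Please pay invoice 4471 using the new bank details below and keep this
confidential until I am back in the office.
"""

SAMPLE_LEGIT = """From: "Jane Doe" <jdoe@examplecorp.com>
To: ap@examplecorp.com
Subject: Q3 budget review

Attached is the revised budget for the finance meeting next week.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        verdict = triage(sample)
        print(verdict.score, verdict.reasons)
```

A transfer request sent from a genuinely compromised mailbox, the scenario this post centers on, produces none of the header signals, so the content checks and, above all, the out-of-band callback to a known number are what actually stop the payment; the score is a triage aid for the finance team, not a control.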

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 25, 2019 in cybercrime, cybersecurity

January 14, 2019


Hiding in Plain Sight

Over the holidays when our family is all together, we always try to watch A Christmas Story. There are so many memorable moments in the movie, from the triple-dog-dare-you, tongue-frozen-to-the-flagpole scene to the leg lamp breakage. When the story revolves around Ralphie and the Little Orphan Annie secret decoder ring, it triggers my childhood memories of having a similar decoder ring that came with a pair of P.F. Flyers sneakers (think pre-Nike and Adidas). This year, our movie-watching led to a storytelling session of techniques worthy of any spy movie for passing secret notes. Many of the examples were like the decoder ring—they used some sort of secret alphanumeric table as a key to solve the cryptic message. In other words, we were talking about a rudimentary form of encryption, which, in today's technology, renders data useless to those without a key, whether they're bad guys or good guys.

But our conversation didn't stop there. I told a childhood story of dipping a toothpick in lemon juice and writing a message on paper. After the juice dried, the message became invisible, and I would then write an innocuous—and visible—message on the paper with pen or pencil. The recipient would carefully hold the paper over a flame to slowly reveal the hidden message. (Kids, try this only under adult supervision!) Little did I know I was using a technique called steganography—hiding a message within another message—that people also use today to protect information online.

Various forms of the technique date back to ancient Greece, when untrusted messengers had to convey sensitive or classified information or a message was at risk of being intercepted. (There is an entertaining and educational video on steganography by Richard Buckland, a professor at the University of New South Wales in Australia.) Today's counterpart is digital steganography: hiding an image, audio, or data file within another image, audio, or data file, typically by altering bits that a viewer or listener would never notice.

A recent article in infoRisk Today highlighted the darker side of steganography, its use by the criminal element. That article prompted me to conduct more research on the technique as a payments risk. From a cybersecurity standpoint, the greatest risk to consumers appears to be when the criminal hides malware within an image, audio, or other data file. The carrier file does not run by itself; a small loader already on the device (or an exploit against the program that opens the file) extracts and runs the hidden code, but because the carrier looks like an ordinary picture it slips past content filters that would block an executable. The result is malware on the device for future eavesdropping or control, which could lead to the compromise of PII (personally identifiable information), online credentials, or other sensitive information without the owner's knowledge. In an August 2017 release, Kaspersky Lab warned that existing data protection processes have difficulty detecting such embedded malicious code.
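To make the mechanics concrete, the following added example (not from the post, the infoRisk article, or Kaspersky) embeds and extracts a payload with least-significant-bit steganography, the simplest digital form: each pixel's lowest bit is overwritten with one bit of the hidden data, which changes any pixel value by at most 1. The "image" is a constructed list of 8-bit grayscale values rather than a real file, and the payload is made up, so it runs without an imaging library.

```python
"""Least-significant-bit (LSB) steganography on a grayscale image.

Added example; not from the post or from Kaspersky's analysis. To keep it
dependency-free the 'image' is a constructed list of 8-bit pixel values
rather than a file, and the payload and cover are made up."""
from typing import List

HEADER_BITS = 32  # the first 32 pixels carry the payload length


def capacity_bytes(pixels: List[int]) -> int:
    """How many payload bytes fit at one bit per pixel."""
    return max(0, (len(pixels) - HEADER_BITS) // 8)


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed(pixels: List[int], payload: bytes) -> List[int]:
    """Return a copy of pixels whose LSBs spell out len(payload) + payload."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("payload too large for this cover")
    stego = list(pixels)
    for i, bit in enumerate(_bits(len(payload).to_bytes(4, "big") + payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # overwrite only the lowest bit
    return stego


def _read_bytes(pixels: List[int], offset: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at pixel offset."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(pixels: List[int]) -> bytes:
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    if length > capacity_bytes(pixels):
        raise ValueError("no payload with a valid length header")
    return _read_bytes(pixels, HEADER_BITS, length)


def has_payload(pixels: List[int]) -> bool:
    """Detects only this exact scheme. A different header layout, a scattered
    pixel order, or an encrypted payload defeats it, which is why generic
    steganalysis is hard."""
    try:
        extract(pixels)
        return True
    except ValueError:
        return False


def max_pixel_change(a: List[int], b: List[int]) -> int:
    """Largest per-pixel difference between cover and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover: a 64x64 gradient standing in for a photo region.
COVER = [(i * 7) % 256 for i in range(64 * 64)]
SECRET = b"meet at noon, bring the ledger"  # constructed payload

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print(extract(stego), max_pixel_change(COVER, stego), has_payload(COVER))
```

The cover and stego images are visually identical (no pixel moves by more than one level), and the checker above only recognizes its own header format; that asymmetry between trivial embedding and hard detection is the practical problem the Kaspersky warning describes.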

Account takeover fraud is a major criminal activity that generally begins with the compromise of an individual's legitimate banking log-in credentials. A criminal who obtains this information can execute payment transaction fraud and, ultimately, synthetic identity fraud (see last week's post). Steganography has legitimate uses, but note that it complements rather than replaces encryption: it hides the fact that a message exists, while encryption keeps the contents unreadable once the message is found, so careful users apply both. The criminal element will continue to develop uses of digital steganography to further their operations and, as the infoRisk article notes, this usage is becoming more sophisticated and harder to detect.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 14, 2019 in crime, cybercrime, cybersecurity, data security, malware

December 17, 2018


Card Fraud Values Often above Average

Recent data from the Federal Reserve Payments Study remind me of my first experience with payments fraud as a 20-something college grad freshly arrived in Boston. I left my wallet in a conference room, and someone lifted my credit card. I still remember the metaphorical punch to the stomach when the telephone operator at the card company asked, "Did you spend $850 at Filene's Basement?" $850! That was more than twice my rent, and far more than I could conceive of spending at Boston's bargain hunters' paradise in a year, let alone on a one-night spree.

Decades later, the first thing I do to check my card and bank statements is to scan the amounts and pay attention to anything in the three digits. For noticing high-value card fraud, this is a pretty good habit.

That's because, on average, fraudulent card payments are for greater dollar values than nonfraudulent card payments. In 2016, the average value of a fraudulent credit card payment was $128, almost 50 percent more than $88 for a nonfraudulent credit card payment. For debit cards, the relationship was more pronounced: $75 for the average fraudulent payment, about twice the $38 average nonfraudulent payment, according to the Federal Reserve Payments Study.

[Chart: average value per payment, fraudulent vs. nonfraudulent, 2016]

Even to the noncriminal mind, this relationship makes sense: get as much value from the card before the theft or other unauthorized use is discovered. For a legitimate user, budgetary constraints (like mine way back when) and other considerations can come into play.

Interestingly, this relationship does not hold for remote payments. In 2016, the average dollar values of remote debit card payments, fraudulent and nonfraudulent, were the same: $68. And the average value of a nonfraudulent remote credit card payment, $151, exceeded that of a fraudulent remote credit card payment, $130. Why the switcheroo?

A couple of possibilities: Remote card payments include online bill payments, which often are associated with a verified street address and are of high value. That could be pushing the nonfraudulent remote payments toward a higher value relative to the fraudulent ones. Another factor could be that fraud detection methods used by ecommerce sites look for values that could be outliers, so perpetrators avoid making purchases that would trigger detection, and thus average values for remote fraud end up close to average values for remote purchases generally. But this is speculation. What do you think?

The relationships described here are depicted in figures 21 and 28 of the recent report of the Federal Reserve Payments Study, Changes in the U.S. Payments Fraud Landscape from 2012 to 2016. You can explore other relationships among average values of payments, and more, on the payments study web page.

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 17, 2018 in cards, cybercrime, cybersecurity, data security, debit cards, mobile banking, mobile payments, payments study

November 5, 2018


Organizational Muscle Memory and the Right of Boom

"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.


The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.

This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?

Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war-games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online. BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your systems have been taken over by ransomware? How do you serve your customers? At what point is the "in case of fire, break glass" moment? In other words, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?

An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.

Here is an example of a commander's intent statement:

Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.

Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.

By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

November 5, 2018 in consumer protection, cybercrime, cybersecurity

October 22, 2018


Three Views of Noncash Payments Fraud

Despite what we might gather from the headlines, payments fraud is a small fraction of the value of all payments. In 2015, by value, it was only about 1/200 of 1 percent (0.005 percent) of noncash payment transactions. The pie chart shows what a tiny slice of the pie payments fraud is.

[Pie chart: payments fraud as a share of the value of all noncash payments, 2015]

This view of the value of payments fraud in 2015 is one of three views that today's post will offer, using data from a recently released payments fraud report.

The report, based on data from the Federal Reserve Payments Study, quantifies noncash payments fraud by value and number in 2012 and 2015 and provides information that can help inform efforts to prevent and detect payments fraud. Data include detail on different payment instruments and transaction types.

Fraud value is defined in the report to be the value of unauthorized third-party payments that were cleared and settled, before any chargebacks, returns, or recoveries. It does not include the costs of any prevention, detection, or remediation methods. The report covers noncash payments used for everyday consumer and business transactions, including automated clearinghouse (ACH), check, and card payments. (Wires are excluded.)

Here's the next view of payments fraud by value: most payments fraud is by card. Slightly more than three-quarters of noncash payments fraud by value are credit card, debit card (prepaid and non-prepaid), and ATM withdrawal fraud; almost half is credit card fraud. The second chart shows that by value, ACH fraud is 14 percent of noncash payments fraud and check fraud is 8.6 percent.

[Chart: noncash payments fraud by value, by payment type, 2015]

Finally, fraud rates by value for cards increased from 2012 to 2015 while fraud rates for check payments decreased and fraud rates for ACH stayed flat. That rate increase for cards means that the value of fraudulent card payments grew faster than the dollar-value growth overall, which is concerning. Indeed, card fraud by value grew more than three times faster than the growth in card payments and ATM withdrawals by value—64 percent compared to 21 percent. ACH fraud grew more in line with the growth rate in ACH payments, with fraud by value increasing 11 percent compared to a 13 percent increase in the value of total ACH payments.

[Chart: fraud rates by value for card, ACH, and check payments, 2012 and 2015]
You can find additional data in the report at https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about the payments fraud report, join our next Talk About Payments webinar on November 1 at 11 a.m. (ET). The webinar is open to the public but you must register in advance to participate. (Registration is free.) Once registered, you will receive a confirmation email with login and call-in information. Also, be sure to check back next Monday for another Take On Payments post about the report.

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 22, 2018 in cards, consumer fraud, cybercrime, cybersecurity, debit cards, payments study

October 15, 2018


An Ounce of Prevention

Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.

As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.

SMS—While one company proclaimed that SMS was designed for teenagers and was never intended as a secure messaging channel (a view NIST shares: its SP 800-63B digital identity guidelines restrict one-time codes delivered over SMS or voice because the phone number can be hijacked), another proposed a three-factor authentication method that combined a PIN, Bluetooth communication, and facial recognition, triggered by an SMS sent to account holders to flag a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.

Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.

Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.

As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.

By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

October 15, 2018 in biometrics, cards, cybersecurity, emerging payments, fintech, innovation

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, perform a factory reset right away (if the device supports one) in case someone has modified the settings.
  • Install the most recent firmware available for the device. A newer version has often been released during the time the device sat in the merchant's inventory.
  • Use strong password techniques and change both the user ID and the password from the factory settings. Use a different password for each of your IoT devices.
  • Register your device with the manufacturer so you are notified of security updates or recalls.
  • Add the device to your separate guest network, if your router supports one.

If you adopt these suggestions, you will have a much better secured IoT network and will substantially reduce your risk of attack. Criminals will find it much harder to take over your IoT devices for bot attacks or to use them as a stepping stone to other devices on your home network, where personal information such as the credentials to your financial services applications lives.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed


By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2018 in account takeovers, cybercrime, cybersecurity, data security, identity theft, innovation

September 4, 2018


The First Step in Risk Management

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

[Diagram: the risk management cycle, from framework adoption to risk assessment to continuous improvement]


There are more than 250 different security frameworks globally. Examples include the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the Capability Maturity Model Integration (CMMI)®, and the Center for Internet Security's (CIS) Critical Security Controls. (In addition, many industries have industry-specific standards and laws, such as health care's HIPAA, created by the Health Insurance Portability and Accountability Act.) Each framework is essentially a set of best practices that enables organizations to improve performance, important capabilities, and critical business processes surrounding information technology security.


So, outside of complying with legal and regulatory requirements, how do you determine which framework or frameworks to adopt?

It depends! A Tenable Network Security report, Trends in Security Framework Adoption, provides insight into commonly adopted frameworks as well as the reasons companies have adopted them and how fully. Typically, organizations first consider security frameworks that have a strong reputation in their industries or for specific activities. They then look at compliance with regulations or mandates made by business relationships.

This chart shows reasons organizations have adopted the popular NIST Cybersecurity Framework.

[Chart: reasons organizations adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity]

The study found that there is no single security framework that the majority of companies use. Only 40 percent of respondents reported using a single security framework; many reported plans to adopt additional frameworks in the short term. Close to half of organizations (44 percent) reported they are using multiple frameworks in their security program; 15 percent of these are using three or more.

This year, the Federal Reserve System's Secure Payments Task Force released Payment Lifecycles and Security Profiles, an informative resource that provides an overview of payments. Each payment type is accompanied by a list of applicable legal, regulatory, and industry-specific standards or frameworks. Spoiler alert: the lists are long and complex!

Let me point out a subsection appearing with each payment type that is of particular interest to this blog: "Challenges and Improvement Opportunities." Scroll through these subsections to see specific examples calling for more work on standards or frameworks.

Organizations need choices. But having too many frameworks to choose from, coupled with their constantly changing nature and the fluid payments environment, can complicate the implementation of a risk management strategy. With so many choices and so much in flux, how did you handle step one of your risk management strategy?

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 4, 2018 in consumer protection, cybercrime, cybersecurity, payments risk, risk management

August 20, 2018


With Social Engineering, It Takes Only One

I recently wrote a post about the time I spent job shadowing in my employer's Information Security Department (ISD). One of the main objectives of the job shadow program is to allow ISD to introduce their communication, education, and outreach efforts to employees. This department works constantly to make employees aware of trending security threats, especially social engineering, and they have to do it in a way that gets the employees' attention. Creating a security-aware culture is critical because it takes just one employee, just one time, to cause a significant risk event. ISD has found that if they deliver messages in a fun way—such as an annual chili cook-off—more ears are open to hear them.

The Retail Payments Risk Forum follows social engineering trends closely since social engineering presents a major security risk and it directly affects payments. These attacks can easily open a gateway for criminals to access payment systems or any protected information system. Here's a quick review of social engineering: it relies on manipulating human behaviors through direct or indirect communication, and it does not necessarily involve technology. As computer security grows increasingly sophisticated, some criminals have found it can be easier to manipulate an individual than to game a machine. Some reports say that social engineering schemes have cost U.S. businesses nearly $3 billion since 2013. It's no wonder that social engineering is a growing concern.

A common social engineering attack is phishing, in which the criminal uses an email that appears to be from a legitimate company to get people to respond with personal information such as account credentials. According to one company's report, phishing and pretexting in 2017 represented 98 percent of social incidents and 93 percent of breaches. (Pretexting often involves a scam whereby one individual lies to get personal information from another individual. A pretexter, for example, might pretend to be conducting a survey.) At 96 percent, email continues to be the most common vector. The good news is that 78 percent of people who were phished last year didn't open a single email, according to the same report.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.
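As an added example that is not part of the original post, the short Python script below runs over a constructed phishing-simulation log to compute the per-campaign click rate the post cites, flag repeat clickers for targeted training (since the report finds past clickers are more likely to click again), and work the "it takes only one" arithmetic out for a whole workforce; the log entries and the 100-employee head count are assumptions, the 4 percent rate comes from the post.

```python
from collections import Counter

# Constructed phishing-simulation log: (campaign_id, employee_id, action).
# Actions: "ignored", "reported", "opened" (email opened, nothing clicked),
# "clicked" (attachment opened or link clicked, the risky 4 percent).
EVENTS = [
    ("c1", "e01", "ignored"),  ("c1", "e02", "clicked"),  ("c1", "e03", "reported"),
    ("c1", "e04", "opened"),   ("c1", "e05", "ignored"),
    ("c2", "e01", "reported"), ("c2", "e02", "clicked"),  ("c2", "e03", "ignored"),
    ("c2", "e04", "clicked"),  ("c2", "e05", "ignored"),
    ("c3", "e01", "ignored"),  ("c3", "e02", "clicked"),  ("c3", "e03", "reported"),
    ("c3", "e04", "ignored"),  ("c3", "e05", "reported"),
]


def click_rates(events):
    """Share of recipients in each campaign who clicked (the post's ~4 percent)."""
    sent, clicked = Counter(), Counter()
    for campaign, _, action in events:
        sent[campaign] += 1
        if action == "clicked":
            clicked[campaign] += 1
    return {c: clicked[c] / sent[c] for c in sent}


def repeat_clickers(events, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns.
    The report says prior clickers are more likely to click again, so these
    are the people to reach first with follow-up training."""
    counts = Counter(emp for _, emp, action in events if action == "clicked")
    return {emp: n for emp, n in counts.items() if n >= min_clicks}


def p_at_least_one_click(per_person_rate, n_employees):
    """Probability that at least one of n employees clicks, assuming each clicks
    independently with the given rate: 1 - (1 - p)^n. This is the
    'it takes only one' point: 4 percent per person becomes near-certainty
    across a workforce."""
    return 1 - (1 - per_person_rate) ** n_employees


if __name__ == "__main__":
    print("click rate per campaign:", click_rates(EVENTS))
    print("repeat clickers:", repeat_clickers(EVENTS))
    # Assumed head count of 100; 0.04 is the rate quoted in the post.
    print("P(at least one click, 100 staff):", round(p_at_least_one_click(0.04, 100), 3))
```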

Psychological manipulation is a powerful tool for influencing someone to divulge sensitive information. Since social-engineering fraudsters need to reel in just one victim, we need to ensure that every single employee hears the message. Promoting security awareness only scratches the surface in fighting social engineering, and it needs to stay fun and creative to keep working.

Look for one more post in this series describing my time in the job shadowing program in my employer's Information Security Department.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 20, 2018 in cybercrime, cybersecurity

August 6, 2018


The FBI Is on the Case

I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).

All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.

Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.

It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.

One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.

The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:

  • Nonpayment/Nondelivery
  • Personal data breach
  • Phishing

The top three crime types with the highest reported losses were:

  • Business email compromise
  • Confidence/Romance fraud
  • Nonpayment/Nondelivery

The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 6, 2018 in consumer fraud, consumer protection, cybercrime, cybersecurity, data security, fraud, identity theft, risk management