About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

November 5, 2018


Organizational Muscle Memory and the Right of Boom

"Left of boom" is a military term that refers to crisis prevention and training. The idea is that resources are focused on preparing soldiers to prevent an explosion or crisis—the "boom!" The training they undergo in left of boom also helps the soldiers commit their response to a crisis, if it does happen, to muscle memory, so they will act quickly and efficiently in life-threatening situations.

Image-one

The concept of the boom timeline has been applied to many other circumstances, as I can personally attest. More years ago than I will admit to, I was a teller and had to participate in quarterly bank-robbery training that focused on each employee's role during and immediately after a robbery. The goal was to help us commit these procedures to muscle memory so that when we were faced with a high-stress situation, our actions would be second nature. My training was tested one day when I came face-to-face with a motorcycle-helmet-wearing bank robber who leaped over the counter into the teller area. Like most bank robbers, he was in and out fast, but thanks to muscle memory, we were springing into action as soon as he was leaping back over the counter and running out of the branch.

This type of muscle memory preparation has also been applied to cybersecurity. Organizations commit significant human and capital resources to the left of boom to help prevent and detect threats to their networks. Unfortunately, cybersecurity experts must get things right 100 percent of the time while bad actors have to be right only once. So how do organizations prepare for the right of boom?

Recently, I had the opportunity to observe a right-of-boom exercise that simulated a systemic cyberbreach of the payments system. This event, billed as the first of its kind, was sponsored by P20 and held in Cambridge, Massachusetts. Cybersecurity leaders from the payments industry convened to engage in a war games exercise that was ripped from the headlines. The scenario: a Thanksgiving Day cyberbreach, the day before the biggest shopping day of the year, of a multinational financial services company that included the theft and online posting of 75 million customer records, along with a ransomware attack that shut down the company's computer systems. The exercise began with a phone call from a reporter asking for the company's response to the posting of customer records online—BOOM! Immediately, the discussion turned to an incident response plan. What actions would be taken first? Who do you call? How do you communicate with employees if your system has been overtaken by a ransomware attack? How do you serve your customers? What point is the "in case of fire break glass" moment, meaning, has your organization defined what constitutes a crisis and agreed on when to initiate the crisis response plan?

An overarching theme was the importance of the "commander's intent," which reflects the priorities of the organization in the event of an incident. It empowers employees to exercise "disciplined initiative" and "accept prudent risk"—both principles associated with the military philosophy of "mission command"—so the company can return to its primary business as quickly as possible. In the context of a cyberbreach that has shut down communication channels within an organization, employees, in the absence of management guidance, can analyze the situation, make decisions, and then take action. The commander's intent forms the basis of an organization's comprehensive incident response plan and helps to create a shared understanding of organizational goals by identifying the key things your organization must execute to maintain operations.

Here is an example of a commander's intent statement:

Process all deposits and electronic transactions to ensure funds availability for all customers within established regulatory timeframes.

Having a plan in place where everyone from the top of the organization down understands their role and then practicing that plan until it becomes rote, much like my bank robbery experience, is critical today.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed

 

November 5, 2018 in consumer protection, cybercrime, cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 22, 2018


Three Views of Noncash Payments Fraud

Despite what we might gather from the headlines, payments fraud is a small fraction of the value of all payments.In 2015, by value, it was only about 1/200 of 1 percent of noncash payment transactions. The pie chart shows what a tiny slice of the pie that payments fraud is.

Image-one-sm

This view of the value of payments fraud in 2015 is one of three views that today's post will offer, using data from a recently released payments fraud report.

The report, based on data from the Federal Reserve Payments Study, quantifies noncash payments fraud by value and number in 2012 and 2015 and provides information that can help inform efforts to prevent and detect payments fraud. Data include detail on different payment instruments and transaction types.

Fraud value is defined in the report to be the value of unauthorized third-party payments that were cleared and settled, before any chargebacks, returns, or recoveries. It does not include the costs of any prevention, detection, or remediation methods. The report covers noncash payments used for everyday consumer and business transactions, including automated clearinghouse (ACH), check, and card payments. (Wires are excluded.)

Here's the next view of payments fraud by value: most payments fraud is by card. Slightly more than three-quarters of noncash payments fraud by value are credit card, debit card (prepaid and non-prepaid), and ATM withdrawal fraud; almost half is credit card fraud. The second chart shows that by value, ACH fraud is 14 percent of noncash payments fraud and check fraud is 8.6 percent.

Image-two-sm

Finally, fraud rates by value for cards increased from 2012 to 2015 while fraud rates for check payments decreased and fraud rates for ACH stayed flat. That rate increase for cards means that the value of fraudulent card payments grew faster than the dollar-value growth overall, which is concerning. Indeed, card fraud by value grew more than three times faster than the growth in card payments and ATM withdrawals by value—64 percent compared to 21 percent. ACH fraud grew more in line with the growth rate in ACH payments, with fraud by value increasing 11 percent compared to a 13 percent increase in the value of total ACH payments.

Image-three-sm
You can find additional data in the report at https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about the payments fraud report, join our next Talk About Payments webinar on November 1 at 11 a.m. (ET). The webinar is open to the public but you must register in advance to participate. (Registration is free.) Once registered, you will receive a confirmation email with login and call-in information. Also, be sure to check back next Monday for another Take On Payments post about the report.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 22, 2018 in cards, consumer fraud, cybercrime, cybersecurity, debit cards, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 15, 2018


An Ounce of Prevention

Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.

As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.

SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.

Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.

Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.

As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

 

October 15, 2018 in biometrics, cards, cybersecurity, emerging payments, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
  • Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
  • Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
  • Register your device with the manufacturer to be notified of security updates or recalls.
  • Add the device to your separate network if available.

If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

Photo of Ian Perry-Okara  By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed

 

Photo of David Lott  By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 1, 2018 in account takeovers, cybercrime, cybersecurity, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 4, 2018


The First Step in Risk Management

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

Chart-image

One of the main objectives of information security is having a solid risk management strategy, which involves several areas: policy, compliance, third-party risk management, continuous improvement, and security automation and assessment, to name a few. This diagram illustrates at a high level the full cycle of a risk management strategy: adopting and implementing a framework or standards, which leads to conducting effective risk assessments, which then leads to maintaining continuous improvement.

There are more than 250 different security frameworks globally. Examples include the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity, the Capability Maturity Model Integration (CMMI)®, and the Center for Information Security's Critical Security Controls. (In addition, many industries have industry-specific standards and laws, such as health care's HIPAA, created by the Health Insurance Portability and Accountability Act.) Each framework is essentially a set of best practices that enables organizations to improve performance, important capabilities, and critical business processes surrounding information technology security.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.

So, outside of complying with legal and regulatory requirements, how do you determine which framework or frameworks to adopt?

It depends! A Tenable Network Security report, Trends in Security Framework Adoption, provides insight into commonly adopted frameworks as well as the reasons companies have adopted them and how fully. Typically, organizations first consider security frameworks that have a strong reputation in their industries or for specific activities. They then look at compliance with regulations or mandates made by business relationships.

This chart shows reasons organizations have adopted the popular NIST Cybersecurity Framework.

Improving-critical-infrasture-cybersecurity-graph

The study found that there is no single security framework that the majority of companies use. Only 40 percent of respondents reported using a single security framework; many reported plans to adopt additional frameworks in the short term. Close to half of organizations (44 percent) reported they are using multiple frameworks in their security program; 15 percent of these are using three or more.

This year, the Federal Reserve System's Secure Payments Taskforce released Payment Lifecycles and Security Profiles, an informative resource that provides an overview of payments. Each payment type accompanies a list of applicable legal, regulatory, and industry-specific standards or frameworks. Spoiler alert: the lists are long and complex!

Let me point out a subsection appearing with each payment type that is of particular interest to this blog: "Challenges and Improvement Opportunities." Scroll through these subsections to see specific examples calling for more work on standards or frameworks.

Organizations need choices. But having too many frameworks to choose from, coupled with their constantly changing nature and the fluid payments environment, can complicate the implementation of a risk management strategy. With so many choices and so much in flux, how did you manage with step one of your risk management strategy?

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 4, 2018 in consumer protection, cybercrime, cybersecurity, payments risk, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 20, 2018


With Social Engineering, It Takes Only One

I recently wrote a post about the time I spent job shadowing in my employer's Information Security Department (ISD). One of the main objectives of the job shadow program is to allow ISD to introduce their communication, education, and outreach efforts to employees. This department works constantly to make employees aware of trending security threats, especially social engineering, and they have to do it in a way that gets the employees' attention. Creating a security-aware culture is critical because it takes just one employee, just one time, to cause a significant risk event. ISD has found that if they deliver messages in a fun way—such as an annual chili cook-off—more ears are open to hear them.

The Retail Payments Risk Forum follows social engineering trends closely since social engineering presents a major security risk and it directly affects payments. These attacks can easily open a gateway for criminals to access payment systems or any protected information system. Here's a quick review of social engineering: it relies on manipulating human behaviors through direct or indirect communication, and it does not necessarily involve technology. As computer security grows increasingly sophisticated, some criminals have found it can be easier to manipulate an individual than to game a machine. Some reports say that social engineering schemes have cost U.S. businesses nearly $3 billion since 2013. It's no wonder that social engineering is a growing concern.

A common social engineering attack is phishing, which is when the criminal uses an email that appears to be from a legitimate company to get people to respond with personal information such as account credentials. According to one company's report, phishing and pretexting in 2017 represented 98 percent of social incidents and 93 percent of breaches. (Pretexting often involves a scam whereby one individual lies to get personal information from another individual. A pretexter, for example, might pretend to be conducting a survey.) At 96 percent, email continues to be the most common vector. The good news is that 78 percent of people who were phished last year didn't open a single email, according to the same report.

But the bad news is that, on average, 4 percent of people in any given phishing campaign open an attachment or click a link—and it takes only one person to put a company or even an industry at risk. Does your overall strategy address that 4 percent and have a plan in place for their clicks? The report also found that the more phishing emails someone has clicked, the more they are likely to click in the future.

Psychological manipulation is a powerful tool to try to influence someone to divulge sensitive information. Since social engineer fraudsters need to reel in just one victim, we need to ensure that every single employee hears the message. Promoting security awareness scratches the surface in fighting social engineering, but it needs to be fun and creative constantly.

Look for one more post in this series describing my time in the job shadowing program in my employer's Information Security Department.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 20, 2018 in cybercrime, cybersecurity | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 6, 2018


The FBI Is on the Case

I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).

All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.

Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.

It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.

One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.

The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:

  • Nonpayment/Nondelivery
  • Personal data breach
  • Phishing

The top three crime types with the highest reported losses were:

  • Business email compromise
  • Confidence/Romance fraud
  • Nonpayment/Nondelivery

The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 6, 2018 in consumer fraud, consumer protection, cybercrime, cybersecurity, data security, fraud, identity theft, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 23, 2018


Learning about Card-Not-Present Fraud Mitigation

Over the last year, I have had the pleasure of working with Fed colleagues and other payments industry experts on one of the Accredited Standards Committee's X9A Financial Industry Standards workgroups in writing a technical report on U.S. card-not-present (CNP) fraud mitigation. You can download the final report (at no cost) from the ANSI (American National Standards Institute) web store.

As this blog and other industry publications have been forecasting for years, the migration to payment cards containing EMV chips may already be resulting in a reduction of counterfeit card fraud and an increase in CNP fraud and other fraudulent activity. This has been the trend in other countries that have gone through the chip card migration, and there was no reason to believe that it would be any different in the United States. The purpose of the technical report was to identify the major types of CNP fraud and present guidelines for mitigating these fraud attacks to the various payments industry stakeholders.

Graph-image-b

Source: Data from Card-Not-Present (CNP) Fraud Mitigation in the United States, the 2018 technical report prepared by the Accredited Standards Committee X9, Incorporated Financial Industry Standards

After an initial section identifying the primary stakeholders that CNP fraud affects, the technical report reviews five major CNP transaction scenarios, complete with transaction flow diagrams. The report continues with a detailed section of terms, definitions, and initialisms and acronyms.

The best defense against CNP fraud from an industry standpoint is the protection of data from being breached in the first place. Section 5 of the report reviews the role that data security takes in CNP fraud mitigation. It contains references to other documents providing detailed data protection recommendations.

Criminals will gather personal and payment data in various attacks against those who don't use strong data protection practices, so the next sections deal with the heart of CNP fraud mitigation.

  • Section 6 identifies the major types of CNP fraud attacks, both attacks that steal data and those that use that data to conduct fraudulent activities.
  • Section 7 reviews mitigation tools and approaches to take against such attacks. The section is subdivided into perspectives of various stakeholders, including merchants, merchant acquirers and gateways, issuers and issuer processors, and, finally, payment card networks.
  • Section 8 discusses how a stakeholder should identify key fraud performance metrics and then analyze, report, and track those metrics. While stakeholders will have different elements of metrics, they must each go to a sufficient level so the results will provide key insights and predictive indicators.

The report concludes with several annex sections (appendices) covering a variety of subjects related to CNP fraud. Suggestions for the improvement or revision of the technical report are welcome. Please send them to the X9 Committee Secretariat, Accredited Standards Committee X9 Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401. I hope you will distribute this document among those in your institution involved with CNP fraud prevention, detection, and response to use as an educational or reference document. I think it will be quite useful.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

July 23, 2018 in card networks, cards, consumer fraud, consumer protection, cybercrime, cybersecurity, debit cards, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 6, 2018


Attack of the Smart Refrigerator

We've all heard about refrigerators that automatically order groceries when they sense the current supply is running low or out. These smart refrigerators are what people usually point to when giving an example of an "internet-of-things" (IoT) device. Briefly, an IoT device is a physical device connected to the internet wirelessly that transmits data, sometimes without direct human interaction. I suspect most of you have at least one of these devices already operating in your home or office, whether it's a wireless router, baby monitor, or voice-activated assistant or "smart" lights, thermostats, security systems, or TVs.

Experts are forecasting that IoT device manufacturing will be one of the fastest growing industries over the next decade. Gartner estimates there were more than 8 billion connected IoT devices globally in 2017, with about $2 trillion going toward IoT endpoints and services. In 2020, the number of these devices will increase to more than 20 billion. But what security are manufacturers building into these devices to prevent monitoring or outside manipulation? What prevents someone from hacking into your security system and monitoring the patterns of your house or office or turning on your interior security cameras and invading your privacy? For those devices that can generate financial transactions, what authentication processes will ensure that transactions are legitimate? It's one kind of mistake to order an unneeded gallon of milk, but another one entirely to use that connection to access a home computer to monitor one's online banking transaction activity and capture log-on credentials.

As one would probably suspect, there is no simple or consistent answer to these security questions, but the overall track record of device security has not been a great one. There have been major DDOS attacks against websites using botnets composed of millions of IoT devices. Ransomware attacks have been made against consumers' home security systems and thermostats, forcing consumers to pay the extortionist to get their systems working again.

Some of the high-end devices such as the driverless cars and medical devices have been designed with security controls at the forefront, but most other manufacturers have given little thought to the criminal's ability to use a device to access and control other devices running on the same network. Adding to the problem is that many of these devices do not get software updates, including security patches.

With cybersecurity issues grabbing so many headlines, people are paying more and more attention to the role and impact of IoT devices. The National Institute of Standards and Technology (NIST) has begun efforts to develop security standards for cryptology that can operate within IoT devices. However, NIST estimates it will take two to four years to get the standard out.

In the meantime, the Department of Justice has some recommendations for securing IoT devices, including:

  • Research your device to determine security features. Does it have a changeable password? Does the manufacturer deliver security updates?
  • After you purchase a device and before you install it, download security updates and reset any default passwords.
  • If automatic updates are not provided to registered users, check at least monthly to determine if there are updates and download only from reputable sites.
  • Protect your routers and home Wi-Fi networks with firewalls, strong passwords, and security keys.

I see IoT device security as an issue that will continue to grow in importance. In a future post, I will discuss the privacy issues that IoT devices could create.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2018 in consumer fraud, cybercrime, cybersecurity, fraud, identity theft, innovation, online banking fraud, privacy | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 4, 2018


The GDPR's Impact on U.S. Consumers

If your email inbox is like mine, it's recently been flooded with messages from companies you’ve done online business with about changes in their terms and conditions, particularly regarding privacy. What has prompted this wave of notices is the May 25 implementation of Europe's General Data Protection Regulation (GDPR). Approved by the European Parliament in April 2016 after considerable debate, the regulation standardizes data privacy regulations across Europe for the protection of EU citizens.

The regulation applies to both data "controllers" and data "processors." A data controller is the organization that owns the data, while the data processor is an outside company that helps to manage or process that data. The focus of the GDPR requirements is on controllers and processors directly conducting business in the 28 countries that make up the European Union (EU). But the GDPR has the potential to affect businesses based in any country, including the United States, that collect or process the personal data of any EU citizen. Penalties for noncompliance can be quite severe. For that reason, many companies are choosing to err on the side of caution and sending to all their customers notices of changes to their privacy disclosure terms and conditions. Some companies have even gone so far as to provide the privacy protections contained in the GDPR to all their customers, EU citizens or not.

The GDPR has a number of major consumer protections:

  • Individuals can request that controllers erase all information collected on them that is not required for transaction processing. They can also ask the controller to stop companies from distributing that data any further and, with some exceptions, have third parties stop processing the data. (This provision is known as "data erasure" or the "right to be forgotten.")
  • Companies must design information technology systems to include privacy protection features. In addition, they must have a robust notification system in place for when breaches occur. After a breach, the data processor must notify the data controller "without undue delay." When the breach threatens "risk for the rights and freedoms of individuals," the data controller must notify the supervisory authority within 72 hours of discovery of the breach. Data controllers must also notify "without undue delay" the individuals whose information has been affected.
  • Individuals can request to be informed if the companies are obtaining their personal data and, if so, how they will use that data. Individual also have the right to obtain without charge electronic copies of collected data, and they may send that data to another company if they choose.

In addition, the GDPR requires large processing companies, as well as public authorities and other specified businesses, to designate a data protection officer to oversee the companies' compliance with the GDPR.

There have been numerous efforts in the United States to pass uniform privacy legislation, with little or no change. My colleague Doug King authored a post back in May 2015 about three cybersecurity bills under consideration that included privacy rights. Three years later, for each bill, either action has been suspended or it's still in committee. It will be interesting to see, as the influence of the GDPR spreads globally, whether there will be any additional efforts to pass similar legislation in the United States. What do you think?

And by the way, fraudsters are always looking for opportunities to install malware on your phones and other devices. We've heard reports of the criminal element using "update notice" emails. The messages, which appear to be legitimate, want the unsuspecting recipient to click on a link or open an attachment containing malware or a virus. So be careful!

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 4, 2018 in consumer protection, cybersecurity, data security, privacy, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad