About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

May 20, 2019


Could Federal Privacy Law Happen in 2019?

Some payments people have suggested that this could be the year for mobile payments to take off. My take? Nah. I gave up on that thought several years ago, as I've made clear in some of my previous posts. I'm actually wondering if this will be the year that federal privacy legislation is enacted in the United States. The effects of the European Union's General Data Protection Regulation (GDPR) that took effect a year ago (see this Take on Payments post) are being felt in the United States and across the globe. The GDPR essentially has created a global standard for how companies should protect citizens' personal data and the rights of everyone to understand what data is being collected as well as how to opt out of this collection. While technically the GDPR applies only to EU citizens, even when traveling outside the European Union, most businesses have taken a cautious approach and are treating every transaction—financial or informational—that they process as something that could be covered under the GDPR.

A tangible impact of the GDPR in the United States is that the state of California has passed a data privacy law known as the California Consumer Privacy Act of 2018Off-site link (CCPA) that is partly patterned after the GDPR. The CCPA gives California residents five basic rights related to data privacy:

  • The right to know what personal information a business has collected about them, where it was obtained, how it is being used, and whether it is being disclosed or sold to other parties and, if so, to whom it is being disclosed or sold
  • The right to access that personal information free of charge up to two times within a 12-month period
  • The right to opt out of allowing a business to sell their personal information to third parties
  • The right to have a business delete their personal information, except for information that is required to effect a transaction or comply with other regulatory requirements.
  • The right to receive equal service and pricing from a business, even if they have exercised their privacy rights under the CCPA.

According to the National Conference of State Legislatures (NCSL) 17 statesOff-site link have mandated that their governmental websites and access portals state privacy policies and procedures. Additionally, other states have privacy laws related to privacy, such as children's online privacy, the monitoring of employee email, and e-reader policies.

Take On Payments has previously discussed the numerous efforts to introduce federal legislation regarding privacy and data breach notification with little traction. So why do I think change is in the air? The growing trend of states implementing privacy legislation is putting pressure on Congress to take action in order to have a consistent national policy and process that businesses operating across state lines can understand and follow.

What do you think?

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

-payments">Retail Payments Risk Forum at the Atlanta Fed

May 20, 2019 in data security, privacy, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 6, 2019


Business Email Compromise Moves Mainstream

The Retail Payments Risk Forum has blogged extensively on business email compromise (BEC) over the past few years. With losses attributed to BEC already in the billions of dollars and the number of attacks increasing over 475 percent from fourth-quarter 2017 to fourth-quarter 2018, the topic warrants continued attention. As the "business email" part of the phrase suggests, businesses and executives of businesses have been the primary targets of this type of fraud. The goal of most of these incidents is to trick businesses into moving funds into the criminals' accounts using wire transfers.

When perpetrators of this fraud scheme experienced great success with businesses and executives as their primary targets, they quickly moved to include ordinary individuals. That is, the fraud has gone mainstream, evolving beyond businesses and executives with wire transfers as the key payment platform. As the scheme has begun to involve employees as victims and reached the person-to-person payment arena, fraudulent transactions are occurring more often using ACH, not just wire transfers. Since BEC is not just for businesses and their executives anymore, BEC is sometimes more aptly referred to as EAC—that is, email account compromise.

In April, CNBC reported a new scheme whereby the fraudsters are targeting the human resources function of businesses to change employees' direct deposit payroll information to an account held by the fraudster. The fraudster either spoofs an employee's email account or gets access to it and then sends a message to human resources requesting a change to the banking account associated with their direct deposit. While the amounts fraudulently transferred in this scheme are generally well below those of the traditional BEC scheme, they are simple and cheap to execute and could become more attractive for criminals.

In more troubling news on this fraud scheme, the Association for Financial Professionals (AFP) reported that the number of businesses reporting that they had been victims of actual or attempted fraud increased significantly for both ACH credit and debit transactions, while instances of fraud involving checks, cards, and wire transfers declined. And what could be the reason behind this increase in ACH fraud? According to a representative with the AFP, "a likely explanation for the higher fraud lies in the popularity of ACH…for schemes like business email fraud."

And as I mentioned earlier, fraudsters aren't limiting this scheme to businesses. In fact, I was a target of an EAC scam earlier this year when fraudsters took control of a relative's email account. But for a bit of good news (at least for me), I was immediately suspicious and a phone call to the relative confirmed that my gut feeling was accurate. This image is a screenshot of the text conversation I had with my "relative."

IM screenshot

To piggyback on a recent post by my colleague on using discipline to fight BEC: having the discipline to make a follow-up call to the person emailing a request for funds or a change to bank account information can make the difference between being a victim and being a spoiler.

How are you attacking this growing threat, and what are you doing to educate your employees and customers?

May 6, 2019 in ACH, data security, P2P, wire transfer fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 14, 2019


Hiding in Plain Sight

Over the holidays when our family is all together, we always try to watch A Christmas Story. There are so many memorable moments in the movie, from the triple-dog-dare-you, tongue-frozen-to-the-flagpole scene to the leg lamp breakage. When the story revolves around Ralphie and the Little Orphan Annie secret decoder ring, it triggers my childhood memories of having a similar decoder ring that came with a pair of P.F. Flyers sneakers (think pre-Nike and Adidas). This year, our movie-watching led to a storytelling session of techniques worthy of any spy movie for passing secret notes. Many of the examples were like the decoder ring—they used some sort of secret alphanumeric table as a key to solve the cryptic message. In other words, we were talking about a rudimentary form of encryption, which, in today's technology, renders data useless to those without a key, whether they're bad guys or good guys.

But our conversation didn't stop there. I told a childhood story of dipping a toothpick in lemon juice and writing a message on paper. After the juice dried, the message became invisible, and I would then write an innocuous—and visible—message on the paper with pen or pencil. The recipient would carefully hold the paper over a flame to slowly reveal the hidden message. (Kids, try this only under adult supervision!) Little did I know I was using a technique called steganography—hiding a message within another message—that people also use today to protect information online.

Various forms of the technique date back to Greek civilization when untrusted messengers had to convey sensitive or classified information, or a message was at risk of being intercepted. (There is an entertaining and educational video on steganography by Richard Buckland, a professor at the University of New South Wales in Australia.) Today, technology has created a new technique in the form of digital steganography, which is the practice of hiding an image, audio, or data file within another image, audio, or data file.

A recent article in infoRisk Today highlighted the darker side of steganography, with its use by the criminal element. That article prompted me to conduct more research on the technique as a payments risk. From a cybersecurity standpoint, the greatest risk to consumers appears to be when the criminal hides a malware file within an image, audio, or other data file that, when opened, will load malware onto the device for future eavesdropping or control. Such an event could lead to the compromise of PII (or personally identifiable information), online credentials, or other sensitive information on the device without the owner's knowledge. In an August 2017 release, Kaspersky Lab warned about the difficulty for existing data protection processes to detect embedded malicious code.

Account takeover fraud is a major criminal activity that generally begins with the compromise of an individual's legitimate banking log-in credentials. A criminal who obtains this information can execute payment transaction fraud and, ultimately, synthetic identity fraud (see last week's post). While there are valid uses for steganography as an alternative to encryption, the criminal element will continue to develop uses of digital steganography to further their criminal operations and, as the infoRisk article notes, this usage is becoming more sophisticated and harder to detect.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 14, 2019 in crime, cybercrime, cybersecurity, data security, malware | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 7, 2019


A New You: Synthetic Identity Fraud

With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.

This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.

GAPSIF

As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.

The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)

So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:

  • Shred documents containing personal information.
  • Do not provide your social security number to businesses unless you absolutely have to.
  • Use tools that monitor credit and identity usage.
  • Freeze your credit account as well as that of any of your minor children.
  • Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.

Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."

Photo of Catherine Thaliath By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed

January 7, 2019 in authentication, consumer fraud, consumer protection, data security, fraud, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 17, 2018


Card Fraud Values Often above Average

Recent data from the Federal Reserve Payments Study remind me of my first experience with payments fraud as a 20-something college grad freshly arrived in Boston. I left my wallet in a conference room, and someone lifted my credit card. I still remember the metaphorical punch to the stomach when the telephone operator at the card company asked, "Did you spend $850 at Filene's Basement?" $850! That was more than twice my rent, and far more than I could conceive of spending at Boston's bargain hunters' paradise in a year, let alone on a one-night spree.

Decades later, the first thing I do to check my card and bank statements is to scan the amounts and pay attention to anything in the three digits. For noticing high-value card fraud, this is a pretty good habit.

That's because, on average, fraudulent card payments are for greater dollar values than nonfraudulent card payments. In 2016, the average value of a fraudulent credit card payment was $128, almost 50 percent more than $88 for a nonfraudulent credit card payment. For debit cards, the relationship was more pronounced: $75 for the average fraudulent payment, about twice the $38 average nonfraudulent payment, according to the Federal Reserve Payments Study.

Chart-average-value-per-payment-2016

Even to the noncriminal mind, this relationship makes sense: get as much value from the card before the theft or other unauthorized use is discovered. For a legitimate user, budgetary constraints (like mine way back when) and other considerations can come into play.

Interestingly, this relationship does not hold for remote payments. In 2016, the average dollar values of remote debit card payments, fraudulent and nonfraudulent, were the same: $68. And the average value of a nonfraudulent remote credit card payment, $151, exceeded that of a fraudulent remote credit card payment, $130. Why the switcheroo?

A couple of possibilities: Remote card payments include online bill payments, which often are associated with a verified street address and are of high value. So that could be pushing the non-fraudulent remote payments toward a high value relative to the fraudulent remote payments. Another factor could be that fraud detection methods used by ecommerce sites look for values that could be outliers, so perpetrators avoid making purchases that would trigger detection—and thus average values for remote fraud are closer to average values for remote purchases generally. But this is speculation. What do you think?

The relationships described here are depicted in figures 21 and 28 of the recent report of the Federal Reserve Payments Study, Changes in the U.S. Payments Fraud Landscape from 2012 to 2016. You can explore other relationships among average values of payments, and more, on the payments study web page.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 17, 2018 in cards, cybercrime, cybersecurity, data security, debit cards, mobile banking, mobile payments, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
  • Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
  • Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
  • Register your device with the manufacturer to be notified of security updates or recalls.
  • Add the device to your separate network if available.

If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

Photo of Ian Perry-Okara  By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed

 

Photo of David Lott  By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 1, 2018 in account takeovers, cybercrime, cybersecurity, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 24, 2018


Racing Ahead in the Wireless Space

This past Sunday, Eliud Kipchoge smashed the marathon world record at the Berlin Marathon, with a time of 2:01:39, shaving 1 minute 22 seconds off the previous world record. Though some running experts claim a marathon under two hours will never happen, I think elite runners will continue to push the speed envelope and we will witness a sub-two-hour marathon one day.

The marathon isn’t the only area where the speed envelope is being pushed. Another area, and the focus of today’s blog, is in the wireless space.

It was in 2002 when the first commercial 3G network launched in the United States. 3G made it possible for our phones to run applications using a global positioning system (GPS) or using videoconferencing, among other things. The second half of 2010 marked the first commercial launch of 4G in the United States, with many of the mobile network operators launching this service. 4G expanded on the speed of 3G and made it possible for consumers to access the web with their mobile devices, stream high-definition video, and connect Internet of Things devices.

Now, as we approach the fourth quarter of 2018, we are on the cusp of 5G networks, which will be 10 times as fast as our 4G networks. According to a recent Wall Street Journal article on 5G that sparked my interest in the topic, the speed of 5G networks will allow the proliferation of applications such as self-driving cars, virtual reality, and remote surgery. And this got me thinking, what impact will 5G have on the future of commerce, payments, and security?

I haven’t spent any time researching that last question, but no doubt there will be significant benefits and risks that 5G networks will introduce into retail payments. I can draw inspiration from one of my favorite cartoons, the Jetsons, and think ahead to what a Jetson house might look like in 2025: one that is filled with connected devices that communicate with not only us but also each other. Close your eyes and imagine a house with a robotic vacuum that communicates with a virtual home assistant when it needs new bags—and zero human interaction is needed in the process. Or imagine a vehicle that drives itself to the nearest gas station when the low-fuel light appears. Undoubtedly, this new faster-speed wireless world will create security threats that we have yet to face.

So as we at the Risk Forum think about the possibilities and new risks of a 5G world and its impact on commerce, payments, and security, what should we be paying attention to?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 24, 2018 in data security, emerging payments, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 6, 2018


The FBI Is on the Case

I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).

All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.

Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.

It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.

One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.

The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:

  • Nonpayment/Nondelivery
  • Personal data breach
  • Phishing

The top three crime types with the highest reported losses were:

  • Business email compromise
  • Confidence/Romance fraud
  • Nonpayment/Nondelivery

The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 6, 2018 in consumer fraud, consumer protection, cybercrime, cybersecurity, data security, fraud, identity theft, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 30, 2018


Are You at Risk from Zombie Credit Cards?

Do you have any infrequently used credit cards hiding in the back of a drawer? Maybe a card you applied for to get a discount on a new washing machine? Or a card you used frequently a few years ago that has been superseded by a newer card with better rewards or a lower interest rate? You know, the kind of card you might think is dead but isn't quite.

I had a card like that in the back of a drawer, until my bank canceled it a few weeks ago. The bank pointed out that I hadn't used the card in years but offered me the opportunity to reactivate.

No, thanks. I don't need the extra exposure of a forgotten card that has long outlived its usefulness. It's enough trouble keeping track of the cards I do use.

When it comes to inactive credit cards, it turns out I'm not alone. The 2016 Federal Reserve Payments Study finds that, of general-purpose credit cards issued to consumers, 42 percent were not used to make at least one purchase a month during 2015. As a percentage share, this is about the same as 2012, when 44 percent of credit cards were not used at least once a month. ("General-purpose" cards use one of the four major credit card networks, while "private-label" cards can be used only at a particular merchant or limited set of merchants.)

In 2015, there were 192 million consumer general-purpose credit cards outstanding and inactive. That's about four inactive credit cards for every five adults in the United States. (The adult U.S. population in 2015 was 247 million.)

Of course, inactive cards are not necessarily abandoned cards, as mine was. Perhaps their owners reserve them for a special purpose, or keep them around for times when particular retailers offer discounts. Perhaps they are backups in case primary cards are compromised. Or perhaps they serve as an emergency credit cushion—a "just-in-case" line of credit.

Nevertheless, these account numbers are out there. Mine could be sitting in the database of a magazine that is automatically renewed every year or maybe attached to an expired membership at a website I don't use anymore. It's good to have that card canceled, to avoid the risk that the card will rack up charges, zombie-like.

So what about those infrequently used cards at your house? Are you holding on to an older card because a longer lifespan card could possibly improve your credit score? If not, today might be a good day to cancel and then cut them up.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 30, 2018 in cards, consumer fraud, data security | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 4, 2018


The GDPR's Impact on U.S. Consumers

If your email inbox is like mine, it's recently been flooded with messages from companies you’ve done online business with about changes in their terms and conditions, particularly regarding privacy. What has prompted this wave of notices is the May 25 implementation of Europe's General Data Protection Regulation (GDPR). Approved by the European Parliament in April 2016 after considerable debate, the regulation standardizes data privacy regulations across Europe for the protection of EU citizens.

The regulation applies to both data "controllers" and data "processors." A data controller is the organization that owns the data, while the data processor is an outside company that helps to manage or process that data. The focus of the GDPR requirements is on controllers and processors directly conducting business in the 28 countries that make up the European Union (EU). But the GDPR has the potential to affect businesses based in any country, including the United States, that collect or process the personal data of any EU citizen. Penalties for noncompliance can be quite severe. For that reason, many companies are choosing to err on the side of caution and sending to all their customers notices of changes to their privacy disclosure terms and conditions. Some companies have even gone so far as to provide the privacy protections contained in the GDPR to all their customers, EU citizens or not.

The GDPR has a number of major consumer protections:

  • Individuals can request that controllers erase all information collected on them that is not required for transaction processing. They can also ask the controller to stop companies from distributing that data any further and, with some exceptions, have third parties stop processing the data. (This provision is known as "data erasure" or the "right to be forgotten.")
  • Companies must design information technology systems to include privacy protection features. In addition, they must have a robust notification system in place for when breaches occur. After a breach, the data processor must notify the data controller "without undue delay." When the breach threatens "risk for the rights and freedoms of individuals," the data controller must notify the supervisory authority within 72 hours of discovery of the breach. Data controllers must also notify "without undue delay" the individuals whose information has been affected.
  • Individuals can request to be informed if the companies are obtaining their personal data and, if so, how they will use that data. Individual also have the right to obtain without charge electronic copies of collected data, and they may send that data to another company if they choose.

In addition, the GDPR requires large processing companies, as well as public authorities and other specified businesses, to designate a data protection officer to oversee the companies' compliance with the GDPR.

There have been numerous efforts in the United States to pass uniform privacy legislation, with little or no change. My colleague Doug King authored a post back in May 2015 about three cybersecurity bills under consideration that included privacy rights. Three years later, for each bill, either action has been suspended or it's still in committee. It will be interesting to see, as the influence of the GDPR spreads globally, whether there will be any additional efforts to pass similar legislation in the United States. What do you think?

And by the way, fraudsters are always looking for opportunities to install malware on your phones and other devices. We've heard reports of the criminal element using "update notice" emails. The messages, which appear to be legitimate, want the unsuspecting recipient to click on a link or open an attachment containing malware or a virus. So be careful!

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 4, 2018 in consumer protection, cybersecurity, data security, privacy, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad