Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 15, 2019
The Future of Fraud in a Post-EMV Chip Environment
"Doug: Your conclusion has me worried about credit-push in an environment where payments are irrevocable." I received this brief email a few days after my latest paper was published on the Atlanta Fed website. In this paper, I explore fraud trends in countries with a fully mature, or close to it, EMV chip card environment—trends we are likely to see in the United States as our EMV chip card implementation matures.
When the topic of EMV chip card fraud comes up, the conversation nearly always makes its way to the documented shift from counterfeit card fraud to card-not-present (CNP) fraud. While that is a fair and valid conversation, times are changing, and we just may need to refocus the fraud conversation, as this email indicates—my emailer was referring to credit-push payments and the fraud that can happen, and is happening, in this environment.
Data clearly show that when countries such as the United Kingdom, France, and Australia migrated to EMV chip cards, CNP fraud rose—in some instances, dramatically. And where the data are available, we can see that the fraud rate for CNP transactions also initially rose. But over the last several years something interesting has happened. Both absolute CNP fraud and CNP fraud rates are declining in some of the countries. While these countries did not have many CNP fraud prevention techniques and tools at their disposal when they first migrated to EMV chip cards, the technology is catching up and they have more tools now. If there was any benefit for the United States from being an EMV laggard, perhaps this is it: we are better equipped to deal with CNP fraud.
But back to push payments. Authorized push payment (APP) fraud, which is a form of credit-push fraud, is a growing problem. In the United Kingdom, the real-time payment system is being used extensively to carry out this type of fraud. Just as other countries didn't have many tools to fight CNP fraud in early EMV chip adoptions, we don't have all the tools yet to mitigate APP fraud.
At the heart of APP fraud is business email compromise, which we've covered in this blog and which was the featured topic in the Atlanta Fed's most recent Economy Matters podcast episode. To read more about this particular fraud trend and other trends the U.S. payments industry should be wary of as our EMV chip card environment matures, be sure to read the paper.
Back to the email I received—it was short, but my reply was even shorter: "You should be worried."
January 7, 2019
A New You: Synthetic Identity Fraud
With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.
This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.
As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.
The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)
So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:
- Shred documents containing personal information.
- Do not provide your social security number to businesses unless you absolutely have to.
- Use tools that monitor credit and identity usage.
- Freeze your credit account as well as that of any of your minor children.
- Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.
Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."
By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed
October 29, 2018
Remote Card Fraud: A Growing Concern
Where's the money in card payments? Despite all we hear about e-commerce and other kinds of remote payments, in-person payments remain strong. The total dollar value of in-person card payments exceeded the total dollar value of remote payments in both 2015 and 2016. In-person payments were 56 percent of all card payments by value in 2016, and 58 percent in 2015. By number, the race is not even close: 78 percent of card payments were in person in 2016.
Looking at change from 2015 to 2016, however, another story could be emerging. When we consider the growth in the value of card payments, remote payments grew by 11 percent from 2015 to 2016, compared to about 3 percent growth by value for in-person card payments. By number, in-person card payments increased 5 percent and remote by 17 percent.
It wasn't only remote payments that grew from 2015 to 2016—so did remote fraud. In fact, it grew faster than remote payments did overall. Remote fraud by value grew more than three times faster than the value of remote payments—35 percent compared to 11 percent. By number, remote fraud grew about twice as fast—32 percent compared to 17 percent.
In contrast to the mix of remote and in-person card payments overall, where in-person payments still are the majority, fraudulent remote card payments were more than half of all fraudulent card payments by both value and number in 2016.
These data suggest that remote card payments fraud is likely to be of increasing concern for the U.S. payments system going forward. Additional data are included in the report at www.federalreserve.gov/paymentsystems/fr-payments-study.htm.
To learn more about payments fraud, you can sign up for the Talk About Payments webinar on November 1 at 11 a.m. (ET). This webinar is open to the public but you must register in advance to participate.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 6, 2018
The FBI Is on the Case
I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).
All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.
Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.
It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.
One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.
The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:
- Personal data breach
The top three crime types with the highest reported losses were:
- Business email compromise
- Confidence/Romance fraud
The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.
By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 6, 2018
Attack of the Smart Refrigerator
We've all heard about refrigerators that automatically order groceries when they sense the current supply is running low or out. These smart refrigerators are what people usually point to when giving an example of an "internet-of-things" (IoT) device. Briefly, an IoT device is a physical device, usually connected to the internet wirelessly, that collects and transmits data, often without direct human interaction. I suspect most of you have at least one of these devices already operating in your home or office, whether it's a wireless router, a baby monitor, a voice-activated assistant, or "smart" lights, thermostats, security systems, or TVs.
Experts are forecasting that IoT device manufacturing will be one of the fastest growing industries over the next decade. Gartner estimates there were more than 8 billion connected IoT devices globally in 2017, with about $2 trillion spent on IoT endpoints and services, and projects that the number of devices will exceed 20 billion by 2020. But what security are manufacturers building into these devices to prevent monitoring or outside manipulation? What prevents someone from hacking into your security system to learn the patterns of your house or office, or turning on your interior security cameras and invading your privacy? For those devices that can generate financial transactions, what authentication processes will ensure that transactions are legitimate? It's one kind of mistake to order an unneeded gallon of milk, but another one entirely for an attacker to use that same connection to reach a home computer, monitor online banking activity, and capture log-on credentials.
As one would probably suspect, there is no simple or consistent answer to these security questions, but the overall track record of device security has not been a great one. Major distributed denial-of-service (DDoS) attacks have been launched against websites using botnets built from hundreds of thousands of compromised IoT devices, typically recruited by logging in with the default credentials the devices shipped with. Ransomware against consumers' home security systems and thermostats has also been demonstrated, locking the device until the owner pays the extortionist to get it working again.
Some high-end devices, such as driverless cars and medical devices, have been designed with security controls at the forefront, but most other manufacturers have given little thought to a criminal's ability to use one device as a foothold to access and control other devices on the same network. Adding to the problem, many of these devices never receive software updates, including security patches, so a vulnerability found after purchase stays exploitable for the life of the device.
With cybersecurity issues grabbing so many headlines, people are paying more and more attention to the role and impact of IoT devices. The National Institute of Standards and Technology (NIST) has begun work on standards for lightweight cryptography that can run on the constrained processors and memory of IoT devices. However, NIST estimates it will take two to four years to get the standard out.
In the meantime, the Department of Justice has some recommendations for securing IoT devices, including:
- Research your device to determine security features. Does it have a changeable password? Does the manufacturer deliver security updates?
- After you purchase a device and before you install it, download security updates and reset any default passwords.
- If automatic updates are not provided to registered users, check at least monthly to determine if there are updates and download only from reputable sites.
- Protect your routers and home Wi-Fi networks with firewalls, strong passwords, and security keys.
I see IoT device security as an issue that will continue to grow in importance. In a future post, I will discuss the privacy issues that IoT devices could create.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 14, 2018
Is My Identity Still Mine?
I'm sure you've seen the famous cartoon by Peter Steiner published in the New Yorker in 1993. That cartoon alluded to the anonymity of internet users. Twenty-five years later, do you think it's still true? Or is the cartoon by Kaamran Hafeez that appeared in the February 23, 2015, issue of the New Yorker more realistic? Is online anonymity a thing of the past?
Having just returned from three days at the Connect: ID conference in Washington, DC, my personal perspective is that numerous key elements of my identity are already shared with thousands of others—businesses, governmental agencies, friends, business colleagues, and, unfortunately, criminals—and the numbers are growing. Some of this information I have voluntarily provided through my posts on various social media sites, but hopefully is available only to "friends." Other bits of my personal life have been captured by various governmental agencies—my property tax and voter registration records, for example. The websites I visit on the internet are tracked by various companies to customize advertisements sent to me. Despite the adamant disavowals of the manufacturers of voice assistant devices, rumors persist that some of the devices used in homes do more than just listen for a mention of their "wake up" name. And, of course, there is the 800-pound gorilla to consider: the numerous data breaches that retailers, financial institutions, health care providers, credit reporting agencies, and governmental agencies have experienced over the last five years.
The conference exhibit hall was filled with almost a hundred vendors who concentrated on this identity security issue. There were hardware manufacturers selling biometric capture devices of fingers, palms, hands, eyes, and faces. Others focused on customer authentication by marrying validation of a government-issued document such as a driver's license to live facial recognition. Remote identification and authentication of end users is becoming more and more common with our virtual storefronts and businesses, but is also becoming more challenging as the fraudsters look for ways to defeat the technology or overall process in some way.
I have yet to have my identity stolen or compromised, but notice I said "yet," and I have probably just jinxed myself. Unfortunately, I believe my identity is no longer just mine and is out there for the taking despite my personal efforts to minimize the availability of personal information. Do you agree?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 22, 2018
Business Email Compromise Is a Growing Threat
In April 2016, I wrote about the work of the FBI’s Internet Crime Complaint Center (IC3) and the rise of reported cases of business email compromise (BEC) attempts. BEC involves what looks like a legitimate email from another employee or customer requesting a transfer of funds. Since I wrote that post, BEC attempts—both successful and prevented—have continued to increase dramatically. The latest figures from the IC3 website show that from January 2016 through June 2017, BEC attempts totaled $223 million, with losses at $148 million. BEC scams are also attracting a wider variety of criminals, including individuals, small gangs, and professional groups.
At first, the fraudsters primarily targeted financial institutions and businesses dealing in frequent and large-value transfers, such as law firms handling real estate or trust account transactions. But as fraudsters have proliferated, they've begun targeting companies of all sizes. Last May, the FBI issued another BEC alert, which includes useful descriptions of BEC scenarios based on actual cases.
The BEC attempt is usually not the start of the criminal activity but rather the culmination of an extended effort that began with the criminal gaining access to a business's email accounts or financial records. The intrusion may have occurred when an employee opened an email with a bogus attachment or link that loaded malware on the computer, or when the criminal purchased a user's credentials on the dark web. Once the fraudster has accomplished the intrusion, a period of information gathering begins. The fraudster obtains current accounts payable records, wire transfer transactions, and transfer procedures, and may also comb social media for useful details, such as whether a targeted company official will be out of town attending a conference, or on vacation and difficult to contact.
BEC attempts generally have the following common elements:
- It is a funds transfer request.
- The request is based on a routine event or legitimate transaction.
- The bank account where the transfer is to be sent is new or has been modified in some way from previous transactions, or the requested method of payment is different.
- The request often carries a sense of urgency—late fees or breach of a contract are threatened—to encourage bypassing of controls.
To avoid falling into this trap, it is imperative that businesses have strong funds transfer controls and monitor them to ensure compliance. Businesses should also run a continuing program of internal education (and perhaps testing) for all employees involved in funds transfer requests. The FBI suggests that the best control is to verify every request to send funds or change payee details through a second, independent channel, such as a phone call to a number already on file rather than one supplied in the email, similar in spirit to two-factor authentication.
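One way to turn the four common elements above and the FBI's independent-channel check into a screening step, as an added example for this post rather than anything the FBI or the Atlanta Fed publishes: the vendor master file, the urgency phrase list, the sample request, and every field name below are constructed for illustration. A request whose payee account, payment method, or sending domain does not match the record on file is held until someone calls the vendor back on the phone number already on file, never on one taken from the email.

```python
"""Screen an inbound funds-transfer request against a vendor master file.

Added illustration for this post, not the FBI's or the Atlanta Fed's tooling.
The vendor record, the urgency phrases, the request and all field names are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vendor master file: what the business already knows about each payee.
VENDOR_MASTER = {
    "acme supply": {
        "domain": "acme-supply.example",
        "account": "123456789",
        "routing": "021000021",
        "method": "ach",
        "callback_phone": "+1-555-0100",  # number on file, never one taken from an email
    },
}

# Pressure language that the post lists as a common element of BEC requests.
URGENCY_PHRASES = ("late fee", "breach of contract", "immediately", "today",
                   "urgent", "before close of business")


@dataclass
class TransferRequest:
    vendor: str
    sender_domain: str
    account: str
    routing: str
    method: str
    body: str


@dataclass
class ScreeningResult:
    flags: List[str] = field(default_factory=list)
    hold: bool = False                    # True: do not pay until verified out of band
    callback_phone: Optional[str] = None  # where the verification call must go


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_request(req: TransferRequest) -> ScreeningResult:
    res = ScreeningResult()
    known = VENDOR_MASTER.get(req.vendor.lower())
    if known is None:
        res.flags.append("unknown vendor: no record in master file")
        res.hold = True
        return res
    res.callback_phone = known["callback_phone"]

    # Element 3: bank account new or modified, or a different method of payment.
    if (req.account, req.routing) != (known["account"], known["routing"]):
        res.flags.append("bank account differs from vendor master file")
    if req.method.lower() != known["method"]:
        res.flags.append(f"payment method changed: {known['method']} -> {req.method.lower()}")

    # Element 4: urgency used to push staff into bypassing controls.
    text = req.body.lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        res.flags.append("urgency language: " + ", ".join(hits))

    # The email only looks legitimate: compare the sending domain with the one on file.
    sender = req.sender_domain.lower()
    if sender != known["domain"]:
        kind = "a lookalike of" if edit_distance(sender, known["domain"]) <= 2 else "unrelated to"
        res.flags.append(f"sender domain {sender} is {kind} {known['domain']}")

    # Any change to payee details, method or origin holds the payment until a person
    # confirms it by calling the number already on file (the FBI's independent channel).
    res.hold = any(f.startswith(("bank account", "payment method", "sender domain"))
                   for f in res.flags)
    return res


# Constructed sample: a classic BEC request, with a capital I standing in for the l.
SAMPLE_REQUEST = TransferRequest(
    vendor="Acme Supply",
    sender_domain="acme-suppIy.example",
    account="987654321",
    routing="021000021",
    method="wire",
    body="Our bank details changed. Please wire today to avoid a late fee and breach of contract.",
)

if __name__ == "__main__":
    result = screen_request(SAMPLE_REQUEST)
    for flag in result.flags:
        print("FLAG:", flag)
    print("hold for callback:", result.hold, "->", result.callback_phone)
```

Run as written, the sample request raises all four flags and is held with the callback number on file. The point of keeping the callback number in the master file, not in the request, is that a fraudster who has already read the company's mail will happily supply a "new" number that rings through to an accomplice.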
There are several actions a business can take if it becomes a victim of BEC:
- Immediately contact the receiving financial institution to see if the funds can be frozen.
- Notify all relevant employees of the attack—multiple employees are often targeted.
- Contact the FBI or the Secret Service.
- Conduct an internal investigation to determine the point of compromise, and then take the necessary corrective action.
Finally, financial institutions with customer education programs should consider providing business customers with materials regarding this threat.
We are interested in hearing from you about your experiences with BEC and preventive practices. Criminals are constantly changing their attack methods and sharing information is a valuable way to help develop best practices.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 16, 2018
Not Just a Card-Not-Present Problem
In 2012, I published a paper that looked at trends in card fraud in several countries that had adopted or were in the later stages of adopting EMV chip cards. The United States is now in the process of adopting EMV, so I am refreshing that paper with an eye towards fraud trends in what are now mature EMV markets. Payments experts know that card-not-present (CNP) fraud will continue to pose challenges that EMV chip cards do not solve, but are there other challenges lurking in these markets that the U.S. payments industry should note?
Although I'm still gathering data, one particular data point from the United Kingdom—lost and stolen fraud—already has me intrigued. In 2016, losses from this type of fraud stood at more than £96 million (about $130 million), up from more than £44 million (about $60 million) in 2010, a 117 percent increase. In 2010, lost and stolen fraud accounted for 12 percent of overall card fraud in that country. By the end of 2016, it had become 16 percent of card fraud. It is now the second leading type of fraud in the United Kingdom, though it still falls far behind CNP fraud, which accounts for 70 percent.
Remember that in the United Kingdom, PIN usage was adopted to mitigate lost and stolen card fraud at the same time that EMV chip cards were implemented. Yet lost and stolen card fraud is up significantly. According to Financial Fraud Action UK, fraudsters are getting their hands on the PINs—a static data element—through distraction tactics and scams. Other factors, such as the proliferation of contactless transactions and those that have no cardholder verification method, could also be drivers of this fraud, as could an increase of reports of lost or stolen fraud that is actually first-party, or "friendly," fraud. EMV has proven to be an effective tool to authenticate cards, but authenticating an individual using a card, even in a card-present environment, remains a challenge.
The lost and stolen fraud figures out of the United Kingdom lead me to believe that cardholder authentication isn't just a CNP problem. Furthermore, the decades-old PIN solution for the card-present environment is now showing signs of weakness. At the same time, to reduce customer friction, many card networks are eliminating signature verification and relying on data analytics to authenticate transactions. Is this a perfect storm for lost and stolen card fraud? Is it the foreshadowing of the emergence of biometrics, or some lesser known technology? Or will I find that this problem is isolated and should not worry us in the United States?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 19, 2017
Calculating Fraud: Part 2
Part 1 of this two-part series outlined an approach for whittling down credit card transactions to the value or number of authorized and settled payments as the denominator for calculating a fraud rate. This post reviews the elements needed to quantify the numerator.
To summarize from the previous post, when analyzing credit card fraud rates, you should consider what is being measured and compared. To calculate a fraud rate based on value or number, you need a fraud tally in the numerator and a comparison payment tally in the denominator. The formula works out as follows:
Fraud Rate = Numerator / Denominator
where, for any given period of time,
Numerator = value, or number, of fraudulent payments across the payments under consideration, and
Denominator = value, or number, of payments under consideration.
Before calculating the numerator value, you must first decide what types of fraud to include in the measurement. One stratification method divides fraud into the following two categories:
- First-party payments fraud results when a dishonest but seemingly legitimate consumer exploits a merchant or financial institution (FI). That is, the legitimate cardholder authorizes a credit card transaction as part of a scam. One manifestation of this is "friendly fraud," whereby a consumer purchases items online and then falsely claims not to receive the merchandise.
- Third-party payments fraud occurs when a legitimate cardholder does not authorize goods or services purchased with his or her credit card. Besides the victimized cardholder, the other two parties to the transaction are the fraudster and the unsuspecting merchant or FI.
Sometimes no clear delineation between first-party and third-party fraud exists. For example, a valid cardholder may authorize a payment in collusion with a merchant to commit fraud.
The 2016 Federal Reserve Payments Study used only third-party unauthorized transactions that were cleared and settled in tabulating fraud. The study measured and counted fraud as having occurred regardless of whether a subsequent recovery or chargeback occurred. Survey results had to be adjusted because some card networks report gross fraud while others report net fraud, after recoveries and chargebacks. Furthermore, the study made no effort to determine which party, if any, in the payment chain may ultimately bear the loss. Finally, the study did not measure attempted fraud.
Excluding first-party payments fraud
The study excluded first-party fraud due to the greater ambiguity around identifying and measuring it along with the idea that it is difficult to eliminate, given that controls are relatively limited. One control option would be to place repeat offenders on a negative list that, unfortunately, might not be shared with other parties. As a result of excluding first-party fraud, the study focused on fraud specific to the characteristics of the payment instrument being used.
Paraphrasing from page 30 of the 2013 Federal Reserve Payments Study, first-party fraud, while important, is an account-relationship type of fraud and typically would not be included as unauthorized third-party payments fraud because the card or account holder is by definition authorized to make payments. Consequently, first-party fraud can occur no matter how secure the payment method.
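To make the inclusion and exclusion rules above concrete, here is a small calculator, an added example for this post rather than the Payments Study's own code. The transactions, the dollar amounts, and the field names are constructed. It keeps only settled third-party fraud in the numerator, counted gross of recoveries, drops first-party fraud and declined (attempted) fraud, and shows how a network's net figure is put back on a gross basis before networks are combined.

```python
"""Card fraud rate with the numerator rules the 2016 Federal Reserve Payments Study used.

Added illustration for this post, not the study's own code. The transactions,
the field names and the dollar amounts are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Txn:
    amount: float
    settled: bool           # cleared and settled; a declined attempt is False
    fraud_type: str         # "none", "third_party" or "first_party"
    recovered: float = 0.0  # later chargeback or recovery; ignored when counting gross


# Constructed sample, amounts in dollars.
SAMPLE = [
    Txn(120.00, True, "none"),
    Txn(45.50, True, "none"),
    Txn(300.00, True, "third_party", recovered=300.00),  # counterfeit card, fully charged back
    Txn(80.00, True, "third_party"),                     # account takeover, nothing recovered
    Txn(60.00, True, "first_party"),                     # "friendly fraud": authorized by the cardholder
    Txn(500.00, False, "third_party"),                   # declined: attempted fraud only
    Txn(15.00, True, "none"),
]


def fraud_rate(txns: Iterable[Txn], basis: str = "value") -> Tuple[float, float, float]:
    """Return (numerator, denominator, rate) by "value" or by "number".

    Denominator: authorized and settled payments (Part 1's definition); settled
    fraudulent payments stay in it because they were authorized and settled.
    Numerator: third-party unauthorized payments that settled, counted gross,
    so a later chargeback does not remove them. First-party fraud is excluded
    because the cardholder was, by definition, authorized to pay; declined
    attempts are excluded because the study did not measure attempted fraud.
    """
    settled = [t for t in txns if t.settled]
    fraud = [t for t in settled if t.fraud_type == "third_party"]
    if basis == "value":
        num = sum(t.amount for t in fraud)
        den = sum(t.amount for t in settled)
    elif basis == "number":
        num, den = float(len(fraud)), float(len(settled))
    else:
        raise ValueError("basis must be 'value' or 'number'")
    return num, den, (num / den if den else 0.0)


def gross_from_network_report(reported: float, reports_net: bool, recoveries: float) -> float:
    """Put a network's fraud figure on a gross basis.

    Networks that report net fraud have already subtracted recoveries and
    chargebacks; adding them back makes their figure comparable with networks
    that report gross.
    """
    return reported + recoveries if reports_net else reported


def basis_points(rate: float) -> float:
    """Fraud rates are usually quoted in basis points (1 bp = 0.01 percent)."""
    return rate * 10_000


if __name__ == "__main__":
    for basis in ("value", "number"):
        num, den, rate = fraud_rate(SAMPLE, basis)
        print(f"by {basis}: {num:g} / {den:g} = {basis_points(rate):.1f} bp")
    # Two networks each lost 400 gross; the first reported net of 150 recovered.
    print(gross_from_network_report(250.0, True, 150.0), gross_from_network_report(400.0, False, 150.0))
```

The toy sample is deliberately tiny, so its rate is far above anything a real portfolio would show; what matters is which rows enter each tally. Note that the $300 counterfeit transaction stays in the numerator even though it was fully recovered, while the $60 friendly-fraud row and the $500 declined attempt never enter it.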
As with tallying payments, you could follow a similar process for tallying fraudulent payments for other types of card payments, with additional questionnaire definitions and wording changes needed for other instruments such as ACH and checks.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
June 12, 2017
Watching Your Behavior
Customer authentication has been at the core of the Retail Payments Risk Forum's payments risk education efforts from the beginning. We've stressed not only that there are legal and regulatory requirements for certain parties to "know your customer," but also that it is in the best interest of merchants and issuers to be sure that the party on the other end of a given transaction is who he or she claims to be and is authorized to perform that transaction. After all, if you allow a fraudster in, you have to expect that you or someone else will be defrauded. That said, we also know that performing this authentication, especially remotely, has several challenges.
The recently released 2017 Identity Fraud Study from Javelin Strategy & Research estimated that account takeover (ATO) fraud losses in 2016 amounted to $2.3 billion—a 61 percent increase over 2015's losses. (ATO fraud occurs when an unauthorized individual performs fraudulent transactions through a victim's account.) Additionally, new-account fraud on deposit and credit accounts has increased significantly and generated several public warnings from the FBI.
In payments, the balancing act between imposing additional customer authentication requirements and maintaining a positive, low-friction customer experience has always been a challenge. Retailers, especially online merchants, have been reluctant to add authentication modalities in their checkout process for fear that customers will abandon their shopping carts and move their purchase to another merchant with lower security requirements. Some merchants have recently introduced physical biometrics modalities such as fingerprint or facial recognition for online orders through mobile phones. Although these modalities have gained a high acceptance rate, they still require the consumer to actively participate in the authentication process.
Enter behavioral biometrics for online transactions. Behavioral biometrics develops a pattern of a user's unique, identifiable attributes from when the user is online at a merchant's website or using the merchant's proprietary mobile app. Attributes measured include such elements as typing speed, pressure on the keyboard, use of keyboard shortcuts, mouse movement, phone orientation, and screen navigation. Coupled with device fingerprinting for the customer's desktop, laptop, tablet, or mobile phone, behavioral biometrics gives the merchant and issuer a higher level of confidence in the customer's authenticity. Another benefit is that behavioral biometrics is passive—it is performed without the user's involvement, which eliminates additional friction in the overall customer experience. Proponents claim that while it takes several sessions to develop a strong user profile, they can often spot fraudsters' attempts because fraudsters often exhibit certain recognizable traits.
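A stripped-down version of the typing-cadence signal described above, as an added example for this post rather than any vendor's product: a per-user profile of flight times between consecutive key presses is built from a few enrollment sessions, a later session is scored by how many standard deviations it sits from that profile, and the score is combined with a device-fingerprint match to decide whether to allow, review, or step up authentication. The key timings, the device attributes, and the thresholds are all constructed; real products use many more attributes and far more sessions.

```python
"""Passive typing-cadence check, a stripped-down behavioral-biometric signal.

Added illustration for this post, not any vendor's product. The key timings,
the device attributes and the thresholds are constructed.
"""
import hashlib
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence, Tuple

Event = Tuple[str, int]   # (key, press time in ms since session start)


def digraph_latencies(events: Sequence[Event]) -> Dict[str, List[int]]:
    """Flight time between each pair of consecutive key presses, keyed by digraph."""
    out: Dict[str, List[int]] = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out[k1 + k2].append(t2 - t1)
    return out


def build_profile(sessions: Sequence[Sequence[Event]], min_sd: float = 5.0) -> Dict[str, Tuple[float, float]]:
    """Per-digraph (mean, std) of flight time over all enrollment sessions.

    The std is floored at min_sd ms so a digraph typed identically twice does
    not make every later deviation look enormous.
    """
    pooled: Dict[str, List[int]] = defaultdict(list)
    for s in sessions:
        for dg, lat in digraph_latencies(s).items():
            pooled[dg].extend(lat)
    return {dg: (mean(v), max(pstdev(v), min_sd)) for dg, v in pooled.items() if len(v) >= 2}


def cadence_score(profile: Dict[str, Tuple[float, float]], session: Sequence[Event]) -> Optional[float]:
    """Mean absolute z-score of a session against the profile.

    Returns None with fewer than three known digraphs: too little evidence to
    say anything, which the caller must treat differently from a bad score.
    """
    zs = []
    for dg, lats in digraph_latencies(session).items():
        if dg in profile:
            mu, sd = profile[dg]
            zs.extend(abs(x - mu) / sd for x in lats)
    return mean(zs) if len(zs) >= 3 else None


def device_fingerprint(user_agent: str, timezone: str, screen: str, fonts_hash: str) -> str:
    """Stable hash of a few device attributes; the real signal uses many more."""
    return hashlib.sha256("|".join((user_agent, timezone, screen, fonts_hash)).encode()).hexdigest()


def assess(profile, known_device: str, session: Sequence[Event], device: str, z_threshold: float = 2.5) -> str:
    """Combine the two passive signals into allow / review / step_up."""
    score = cadence_score(profile, session)
    device_match = device == known_device
    if score is None:
        return "insufficient_data" if device_match else "step_up"
    if score > z_threshold and not device_match:
        return "step_up"   # both passive signals disagree with the enrolled user
    if score > z_threshold or not device_match:
        return "review"
    return "allow"


def session_from_flights(keys: str, flights: Sequence[int]) -> List[Event]:
    """Build press events from a key sequence and the gaps between presses."""
    t, events = 0, [(keys[0], 0)]
    for k, f in zip(keys[1:], flights):
        t += f
        events.append((k, t))
    return events


# Constructed data: the enrolled user typing "payment" three times, then a genuine
# session and an impostor session on the same word.
KEYS = "payment"
ENROLL = [session_from_flights(KEYS, f) for f in (
    [120, 150, 110, 130, 140, 125],
    [118, 155, 112, 128, 145, 122],
    [125, 148, 108, 133, 138, 127],
)]
GENUINE = session_from_flights(KEYS, [121, 152, 111, 131, 139, 126])
IMPOSTOR = session_from_flights(KEYS, [300, 90, 400, 80, 350, 60])
KNOWN_DEVICE = device_fingerprint("Mozilla/5.0 (Windows NT 10.0)", "America/New_York", "1920x1080", "f0nt5")
NEW_DEVICE = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "Europe/Berlin", "1366x768", "0ther")

if __name__ == "__main__":
    profile = build_profile(ENROLL)
    for name, sess, dev in (("genuine", GENUINE, KNOWN_DEVICE), ("impostor", IMPOSTOR, NEW_DEVICE)):
        print(name, round(cadence_score(profile, sess), 2), assess(profile, KNOWN_DEVICE, sess, dev))
```

Two design points carry over to the real thing. A session with too few known digraphs returns no score rather than a low one, so "we learned nothing" is never mistaken for "this looks fine"; and the decision is layered, with a cadence miss on a known device sent to review rather than blocked outright, which is what keeps the passive signal from adding the friction the post is trying to avoid.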
Behavioral biometrics is still fairly new to the market but over the last couple of years, some major online retailers have adopted it as an additional authentication tool. Like any of the physical biometric modalities, no single behavioral authentication methodology is a silver bullet, and multi-factor authentication is still recommended for moderate- and higher-risk transactions.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed