About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

October 29, 2018


Remote Card Fraud: A Growing Concern

Where's the money in card payments? Despite all we hear about e-commerce and other kinds of remote payments, in-person payments remain strong. The total dollar value of in-person card payments exceeded the total dollar value of remote payments in both 2015 and 2016. In-person payments were 56 percent of all card payments by value in 2016, and 58 percent in 2015. By number, the race is not even close: 78 percent of card payments were in person in 2016.

Graph-one

Looking at change from 2015 to 2016, however, another story could be emerging. When we consider the growth in the value of card payments, remote payments grew by 11 percent from 2015 to 2016, compared to about 3 percent growth by value for in-person card payments. By number, in-person card payments increased 5 percent and remote by 17 percent.

It wasn't only remote payments that grew from 2015 to 2016—so did remote fraud. In fact, it grew faster than remote payments did overall. Remote fraud by value grew more than three times faster than the value of remote payments—35 percent compared to 11 percent. By number, remote fraud grew about twice as fast—32 percent compared to 17 percent.

In contrast to the mix of remote and in-person card payments overall, where in-person payments still are the majority, fraudulent remote card payments were more than half of all fraudulent card payments by both value and number in 2016.

Graph-two

These data suggest that remote card payments fraud is likely to be of increasing concern for the U.S. payments system going forward. Additional data are included in the report at www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about payments fraud, you can sign up for the Talk About Payments webinar on November 1 at 11 a.m. (ET). This webinar is open to the public but you must register in advance to participate.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

 

October 29, 2018 in cards, consumer fraud, debit cards, fraud, identity theft, mobile payments, online retail, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
  • Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
  • Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
  • Register your device with the manufacturer to be notified of security updates or recalls.
  • Add the device to your separate network if available.

If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

Photo of Ian Perry-Okara  By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed

 

Photo of David Lott  By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 1, 2018 in account takeovers, cybercrime, cybersecurity, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 6, 2018


The FBI Is on the Case

I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).

All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.

Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.

It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.

One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.

The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:

  • Nonpayment/Nondelivery
  • Personal data breach
  • Phishing

The top three crime types with the highest reported losses were:

  • Business email compromise
  • Confidence/Romance fraud
  • Nonpayment/Nondelivery

The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 6, 2018 in consumer fraud, consumer protection, cybercrime, cybersecurity, data security, fraud, identity theft, risk management | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 23, 2018


Learning about Card-Not-Present Fraud Mitigation

Over the last year, I have had the pleasure of working with Fed colleagues and other payments industry experts on one of the Accredited Standards Committee's X9A Financial Industry Standards workgroups in writing a technical report on U.S. card-not-present (CNP) fraud mitigation. You can download the final report (at no cost) from the ANSI (American National Standards Institute) web store.

As this blog and other industry publications have been forecasting for years, the migration to payment cards containing EMV chips may already be resulting in a reduction of counterfeit card fraud and an increase in CNP fraud and other fraudulent activity. This has been the trend in other countries that have gone through the chip card migration, and there was no reason to believe that it would be any different in the United States. The purpose of the technical report was to identify the major types of CNP fraud and present guidelines for mitigating these fraud attacks to the various payments industry stakeholders.

Graph-image-b

Source: Data from Card-Not-Present (CNP) Fraud Mitigation in the United States, the 2018 technical report prepared by the Accredited Standards Committee X9, Incorporated Financial Industry Standards

After an initial section identifying the primary stakeholders that CNP fraud affects, the technical report reviews five major CNP transaction scenarios, complete with transaction flow diagrams. The report continues with a detailed section of terms, definitions, and initialisms and acronyms.

The best defense against CNP fraud from an industry standpoint is the protection of data from being breached in the first place. Section 5 of the report reviews the role that data security takes in CNP fraud mitigation. It contains references to other documents providing detailed data protection recommendations.

Criminals will gather personal and payment data in various attacks against those who don't use strong data protection practices, so the next sections deal with the heart of CNP fraud mitigation.

  • Section 6 identifies the major types of CNP fraud attacks, both attacks that steal data and those that use that data to conduct fraudulent activities.
  • Section 7 reviews mitigation tools and approaches to take against such attacks. The section is subdivided into perspectives of various stakeholders, including merchants, merchant acquirers and gateways, issuers and issuer processors, and, finally, payment card networks.
  • Section 8 discusses how a stakeholder should identify key fraud performance metrics and then analyze, report, and track those metrics. While stakeholders will have different elements of metrics, they must each go to a sufficient level so the results will provide key insights and predictive indicators.

The report concludes with several annex sections (appendices) covering a variety of subjects related to CNP fraud. Suggestions for the improvement or revision of the technical report are welcome. Please send them to the X9 Committee Secretariat, Accredited Standards Committee X9 Inc., Financial Industry Standards, 275 West Street, Suite 107, Annapolis, MD 21401. I hope you will distribute this document among those in your institution involved with CNP fraud prevention, detection, and response to use as an educational or reference document. I think it will be quite useful.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

July 23, 2018 in card networks, cards, consumer fraud, consumer protection, cybercrime, cybersecurity, debit cards, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 6, 2018


Attack of the Smart Refrigerator

We've all heard about refrigerators that automatically order groceries when they sense the current supply is running low or out. These smart refrigerators are what people usually point to when giving an example of an "internet-of-things" (IoT) device. Briefly, an IoT device is a physical device connected to the internet wirelessly that transmits data, sometimes without direct human interaction. I suspect most of you have at least one of these devices already operating in your home or office, whether it's a wireless router, baby monitor, or voice-activated assistant or "smart" lights, thermostats, security systems, or TVs.

Experts are forecasting that IoT device manufacturing will be one of the fastest growing industries over the next decade. Gartner estimates there were more than 8 billion connected IoT devices globally in 2017, with about $2 trillion going toward IoT endpoints and services. In 2020, the number of these devices will increase to more than 20 billion. But what security are manufacturers building into these devices to prevent monitoring or outside manipulation? What prevents someone from hacking into your security system and monitoring the patterns of your house or office or turning on your interior security cameras and invading your privacy? For those devices that can generate financial transactions, what authentication processes will ensure that transactions are legitimate? It's one kind of mistake to order an unneeded gallon of milk, but another one entirely to use that connection to access a home computer to monitor one's online banking transaction activity and capture log-on credentials.

As one would probably suspect, there is no simple or consistent answer to these security questions, but the overall track record of device security has not been a great one. There have been major DDOS attacks against websites using botnets composed of millions of IoT devices. Ransomware attacks have been made against consumers' home security systems and thermostats, forcing consumers to pay the extortionist to get their systems working again.

Some of the high-end devices such as the driverless cars and medical devices have been designed with security controls at the forefront, but most other manufacturers have given little thought to the criminal's ability to use a device to access and control other devices running on the same network. Adding to the problem is that many of these devices do not get software updates, including security patches.

With cybersecurity issues grabbing so many headlines, people are paying more and more attention to the role and impact of IoT devices. The National Institute of Standards and Technology (NIST) has begun efforts to develop security standards for cryptology that can operate within IoT devices. However, NIST estimates it will take two to four years to get the standard out.

In the meantime, the Department of Justice has some recommendations for securing IoT devices, including:

  • Research your device to determine security features. Does it have a changeable password? Does the manufacturer deliver security updates?
  • After you purchase a device and before you install it, download security updates and reset any default passwords.
  • If automatic updates are not provided to registered users, check at least monthly to determine if there are updates and download only from reputable sites.
  • Protect your routers and home Wi-Fi networks with firewalls, strong passwords, and security keys.

I see IoT device security as an issue that will continue to grow in importance. In a future post, I will discuss the privacy issues that IoT devices could create.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2018 in consumer fraud, cybercrime, cybersecurity, fraud, identity theft, innovation, online banking fraud, privacy | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 14, 2018


Is My Identity Still Mine?

I'm sure you've seen the famous cartoon by Peter Steiner published in the New Yorker in 1993. That cartoon alluded to the anonymity of internet users. Twenty-five years later, do you think it's still true? Or is the cartoon by Kaamran Hafeez that appeared in the February 23, 2015, issue of the New Yorker more realistic? Is online anonymity a thing of the past?

Cartoon-image

Having just returned from three days at the Connect: ID conference in Washington, DC, my personal perspective is that numerous key elements of my identity are already shared with thousands of others—businesses, governmental agencies, friends, business colleagues, and, unfortunately, criminals—and the numbers are growing. Some of this information I have voluntarily provided through my posts on various social media sites, but hopefully is available only to "friends." Other bits of my personal life have been captured by various governmental agencies—my property tax and voter registration records, for example. The websites I visit on the internet are tracked by various companies to customize advertisements sent to me. Despite the adamant disavowals of the manufacturers of voice assistant devices, rumors persist that some of the devices used in homes do more than just listen for a mention of their "wake up" name. And, of course, there is the 800-pound gorilla to consider: the numerous data breaches that retailers, financial institutions, health care providers, credit reporting agencies, and governmental agencies have experienced over the last five years.

The conference exhibit hall was filled with almost a hundred vendors who concentrated on this identity security issue. There were hardware manufacturers selling biometric capture devices of fingers, palms, hands, eyes, and faces. Others focused on customer authentication by marrying validation of a government-issued document such as a driver's license to live facial recognition. Remote identification and authentication of end users is becoming more and more common with our virtual storefronts and businesses, but is also becoming more challenging as the fraudsters look for ways to defeat the technology or overall process in some way.

I have yet to have my identity stolen or compromised, but notice I said "yet," and I have probably just jinxed myself. Unfortunately, I believe my identity is no longer just mine and is out there for the taking despite my personal efforts to minimize the availability of personal information. Do you agree?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 14, 2018 in cybercrime, data security, fraud, identity theft, privacy | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 19, 2018


Mobile Banking and Payments' Weakest Link: Me

What's the biggest hole in mobile banking security? As my colleague Dave Lott reported in January, bankers say it's consumers' lack of protective behavior when using mobile devices. That means you and me.

In response, financial institutions (FI) have implemented controls including inactivity timeouts and multifactor authentication, as noted in Mobile Banking and Payment Practices of U.S. Financial Institutions, which reported the findings of a 2016 Federal Reserve survey.

Baking these controls into mobile apps makes sense because research on consumer behavior suggests that expecting consumers to independently take steps to protect their accounts and data is not realistic. Take as one example: I co-wrote a paper with Joanna Stavins for the Boston Fed reporting the results of our investigation into consumers' responses to the massive Target data breach. We found that while consumers do react to reports of fraud, their reactions can be short-lived. In addition, consumers' opinions may change, but their behavior may not. In other words, considerations aside from security could take priority. (See also a report on the 2012 South Carolina Department of Revenue breach.)

Debit and credit card data for 40 million cards used in Target stores were stolen in late 2013. The breach was widely reported in the news media and caused many financial institutions to reissue cards. Because it was primarily a debit card breach, one might reasonably expect consumers to take a jaundiced view of debit cards after the breach.

And, indeed, that was the case. The Survey of Consumer Payment Choice was in the field at the time of the Target breach. Some consumers answered questions about the security of debit cards before the breach became public. Others answered after.

Consumers who rated card security after the breach rated debit cards more poorly relative to the average rating of the other payment instruments—cash, paper checks, ACH methods, prepaid cards, and credit cards. So in that sense, they reacted to the news.

One year later, consumers in 2014 rated the security of debit cards more poorly both relative to their ratings of other payment instruments and absolutely (that is, a greater percentage of consumers rated debit cards as risky or very risky). In contrast, compared to 2013, the absolute security ratings of cash improved. There was no change in the security ratings of credit cards.

The more important question: Did consumers change their behavior in response to this massive and widely reported data breach? The answer: not according to this survey data. There was no statistically significant change in consumers' method of payment mix in 2014. Debit cards remained the most popular payment instrument among consumers in 2014, accounting for almost one-third of their payments per month.

What does this mean for financial institutions? Realism about my willingness to take action is well placed. You can't count on me.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 19, 2018 in account takeovers, banks and banking, cards, debit cards, identity theft, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 20, 2018


Best Practices for Data Privacy Policies

In my last couple of posts, I've discussed the issue of ethical policies related to data collection and analysis.  In the first one, I focused on why there is a need for such policies. The second post focused on ethical elements to include in policies directly involving the end user. Whether or not the customer is actively involved in accepting these policies, any company that collects data should have a strong privacy and protection policy. Unfortunately, based on the sheer number and magnitude of data breaches that have occurred, many companies clearly have not sufficiently implemented the protection element—resulting in the theft of personally identifiable information that can jeopardize an individual's financial well-being. In this post, the last of this series, I look at some best practices that appear in many data policies.

The average person cannot fathom the amount, scope, and velocity of personal data being collected. In fact, the power of big data has led to the origination of a new term. "Newborn data" describes new data created from analyses of multiple databases. While such aggregation can be beneficial in a number of cases—including for marketing, medical research, and fraud detection purposes—it has recently come to light that enemy forces could use data collected from wearable fitness devices worn by military personnel to determine the most likely paths and congregation points of military service personnel. As machine learning technology increases, newborn data will become more common, and it will be used in ways that no one considered when the original data was initially collected.

All this data collecting, sharing, and analyzing has resulted in a plethora of position papers on data policies containing all kinds of best practices, but the elements I see in most policies include the following:

  • Data must not be collected in violation of any regulation or statute, or in a deceptive manner.
  • The benefits and harms of data collection must be thoroughly evaluated, then how collected data will be used and by whom must be clearly defined.
  • Consent from the user should be obtained, when the information comes from direct user interaction, and the user should be given a full disclosure.
  • The quality of the data must be constantly and consistently evaluated.
  • A neutral party should periodically conduct a review to ensure adherence to the policy.
  • Protection of the data, especially data that is individualized, is paramount; there should be stringent protection controls in place to guard against both internal and external risks. An action plan should be developed in case there is a breach.
  • The position of data czar—one who has oversight of and accountability for an organization's data collection and usage—should be considered.
  • In the event of a compromise, the data breach action plan must be immediately implemented.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 20, 2018 in consumer protection, cybercrime, data security, identity theft, privacy | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 16, 2017


No Magic Bullet for Preventing Data Breaches

Much has been written about the Equifax data breach, including a Take On Payments piece several weeks ago. Since the announcement of the breach in early September, my LinkedIn timeline has been filled with articles and messages from sales and development professionals claiming that their technologies and solutions could have prevented the Equifax breach. Unfortunately, the weakest leak isn't a technology problem or issue. It is, and will continue to be, the human element.

Before I hear from the sales and development professionals I just referred to, let me say that I believe that technology does play an important role in mitigating data breaches. For example, statistics show that homes equipped with a security system—"hard targets"—are significantly less likely to be burglarized than homes without them—"soft targets." I suspect the same is true for companies and data breaches in that those who do a better job of securing their data with technology are harder targets than those who do not. However, technology is only one aspect of preventing data breaches—which brings us back to the human element.

We are the weakest link. We architect and program security systems with flaws. We fail to properly update software or install patches on a timely basis. We open suspicious attachments on emails. We sometimes visit dubious websites and click on suspicious ads or links. We divulge too much information over social media. We share sensitive information with people we think we know and who we think are friendly. And we are mistake- and accident-prone. Education does and will continue to help, but humans will continue to make mistakes and be accident-prone, thus data breaches will remain an ongoing problem.

The late, great musician Tom Petty said, "Music is probably the only real magic I have encountered in my life. There's not some trick involved with it. It's pure and it's real." While Petty's remark that music is probably the only real magic is debatable, there is no debating that data breach prevention has no magic bullet. Educating people remains critical, but, as is all too often the case, education also ends up falling short. As a risk expert, I really wish that I had the answer to preventing data breaches. Unfortunately, human actions trump any answers that I might have. Given the grim outlook for data breaches, it is imperative for companies and individuals to have a plan in place to minimize the damage when a data breach occurs.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 16, 2017 in consumer fraud, cybercrime, data security, identity theft, malware | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 2, 2017


A Record-Breaking Season of Hurricanes and Data Breaches

I lived in the panhandle of Florida in 2005, during a record-breaking hurricane season. Four hurricanes that started in the Atlantic—including Katrina—reached Category 5 status that season. That disastrous hurricane season seemed unsurpassable. Yet hurricane Harvey and Irma set new records (both made first landfall in the United States as Category 4 hurricanes).

As Hurricane Irma made its destructive way across the Caribbean, a different kind of disaster was also setting records. On September 7, Equifax announced a data breach potentially affecting most U.S. adults. Could this year also prove to be a record-breaking year for data breaches? According to the Identity Theft Resource Center (ITRC), there are already 976 on the books. Breaches reached a record high of 1,093 in 2016—a substantial hike of 40 percent over the near-record high of 780 reported in 2015.

Truth be told, we can't be sure these data breach "records" are even accurate. Data breach notification laws vary by state in terms of definitions and standard reporting elements. Even the ITRC questions whether there actually are more breaches or the numbers have risen because more states are requiring public release of information on them.

The ITRC Breach Report is a compilation of breaches confirmed by various media sources and notification lists from state governmental agencies. This list is updated daily and published each Tuesday. The ITRC has been tracking breaches since 2005, but only since 2010 has that tracking included the information that has been exposed. Even so, many notifications made available do not include what damages, or types of records, were at stake.

To that point, we don't understand the extent victims will suffer when, for example, card information is stolen along with Social Security numbers. We have yet to see standard data on how fraud trends morph when a certain type of data breach occurs. Lack of correlation could be a risk to consumers.

With data breaches, as with hurricanes, we can respond better if we know what is at stake. Is it time for states to adopt a uniform set of statutes regarding data breach notifications? What do you think?

Photo of Jessica Washington  By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 2, 2017 in cybercrime, data security, identity theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad