About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

April 1, 2019


Contactless Cards: The Future King of Payments?

Just over two years ago, my colleague Doug King penned a post lamenting the lack of dual interface, or "contactless," chip payment cards in the United States. In addition to having the familiar embedded chip, a dual interface card contains a hidden antenna that allows the holder to tap the card on or wave it near the POS terminal. This is the same technology—near field communications (NFC)—that various pay wallets inside mobile devices use.

Doug is now doing his daily fitness runs with a bigger smile on his face as the indicators appear more and more promising that 2019 will be the year of the contactless card. Large issuers have been announcing plans to distribute dual interface cards either in mass reissues or as a cardholder's current card expires. Earlier this year, some of the global brand networks launched advertising campaigns to make customers aware of the convenience that contactless cards offer.

So why have U.S. issuers not moved on this idea before now? I think there have been several reasons. First, for the last several years, financial institutions have focused a lot of their resources on chip card migration. Contactless cards will create an additional expense for issuers and many of them wanted to let the market mature as it has done in a number of other countries. They were also concerned about the failure of contactless card programs that some of the large FIs introduced in the early 2000s—most merchants lacked terminals capable of handling the technology.

The EMV chip migration solved much of the merchant terminal acceptance problem as the vast majority of POS terminals upgraded to support EMV chips can also support contactless cards. (While a terminal may have the ability to support the technology, the merchant has to enable that support.) Visa claims that as of mid-2018, half of POS transactions in the United States were occurring at terminals that were contactless-enabled. Another factor favoring contactless transactions is the plan by major U.S. mass transit agencies to begin accepting contactless payment cards. According to the American Public Transportation Association's 2017 Ridership Report, there were 41 transit agencies in the United States with annual passenger trip volumes of over 20 million trips.

Given that consumer payments is largely a total sum environment, these developments have led me to ask myself and others what effect contactless cards will have on consumers' use of other payment forms—in particular, mobile payments. As my colleagues and I have written numerous times in this blog, mobile payments continue to struggle to obtain consumer adoption, despite earlier predictions that they would catch on quickly. There are some who believe that the convenience of ubiquity and fast transaction speed will favor the dual purpose card. Others think that the increased merchant acceptance of contactless will help push the mobile phone into becoming the primary payment form.

My personal perspective is that contactless cards will hinder the growth of in-person mobile payments. There are those who claim to leave their wallet at home and never their phone, and they will continue to be strong users of mobile payments. But the reality is that mobile payments are not accepted at all merchant locations, whereas payment cards are practically ubiquitous. While I am a frequent user of mobile payments, simply waving or tapping a card appeals to me. It's much more convenient than having to open the pay application on my phone, sign on, and then authorize the transaction.

Do you believe the adoption of contactless cards by consumers and merchants will be as successful as it was for EMV chip cards? And do you think that contactless cards will help or hinder the growth of mobile payments? Let us hear from you.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

April 1, 2019 in card networks, cards, emerging payments, EMV, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 25, 2019


Safeguarding Privacy and Ethics in AI

In a recent post I referred to the privacy and ethical guidelines that the nonprofit advocacy group EPIC (Electronic Privacy Information Center) is promoting. According to this group, these guidelines are based on existing regulatory and legal guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. Given the continued attention to advancements in machine learning and other computing technology advancements falling under the marketing term of “artificial intelligence” (AI), I thought it would be beneficial for our readers if we were to review these guidelines so the reader can assess their validity and completeness. The heading and the italicized text in these guidelines are EPIC’s specific wording; additional text is my commentary. It is important to point out that neither the Federal Reserve System nor the Board of Governors has endorsed these guidelines.

  • Right to Transparency. All individuals have the right to know the basis of an AI decision that concerns them. This includes access to the factors, the logic, and techniques that produced the outcome. EPIC says the main elements of this principle can be found in the U.S. Privacy Act and a number of directives from the European Union. It is unlikely that the average person would be able to fully understand the complex computations generating a decision, but everyone still has the right to an explanation of and validation for the decision.
  • Right to Human Determination. All individuals have the right to a final determination made by a person. This ensures that a person, not a machine, is ultimately accountable for a final decision.
  • Identification Obligation. The institution responsible for an AI system must be made known to the public. There may be many different parties that contribute to an AI system, so it is important that anyone be able to determine which party has overall responsibility and accountability.
  • Fairness Obligation. Institutions must ensure that AI systems do not reflect unfair bias or make impermissible discriminatory decisions. I understand the intent of this principle—any program developed by a person will have some level of inherent bias—but how is it determined that the level of bias has reached an “unfair” level, and who makes such a determination?
  • Assessment and Accountability Obligation. An AI system should be deployed only after an adequate evaluation of its purpose and objectives, its benefits, as well as its risks. Institutions must be responsible for decisions made by an AI system. An AI system that presents significant risks, especially in the areas of public safety and cybersecurity, should be evaluated carefully before a deployment decision is made.
  • Accuracy, Reliability, and Validity Obligations. Institutions must ensure the accuracy, reliability, and validity of decisions. This basic principle will be monitored by the institution as well as independent organizations.
  • Data Quality Obligation. Institutions must establish data provenance, and assure quality and relevance for the data input into algorithms. As an extension of number 6, detailed documentation and secure retention of the data input help other parties replicate the decision-making process to validate the final decision.
  • Public Safety Obligation. Institutions must assess the public safety risks that arise from the deployment of AI systems that direct or control physical devices, and implement safety controls. As more Internet-of-Things applications are deployed, this principle will increase in importance.
  • Cybersecurity Obligation. Institutions must secure AI systems against cybersecurity threats. AI systems, especially those that could have a significant impact on public safety, are potential targets for criminals and terrorist groups and must be made secure.
  • Prohibition on Secret Profiling. No institution shall establish or maintain a secret profiling system. This principle ensures that the institution will not establish or maintain a separate, clandestine profiling system to assure the possibility of independent accountability.
  • Prohibition on Unitary Scoring. No national government shall establish or maintain a general-purpose score on its citizens or residents. The concern this principle addresses is that such a score could be used to establish predetermined outcomes across a number of activities. For example, in the private sector, a credit rating score can be a factor not only in credit decisions but also in other types of decisions, such as for vehicle, life, and medical insurance underwriting.
  • Termination Obligation. An institution that has established an AI system has an affirmative obligation to terminate the system if human control of the system is no longer possible. I refer to this final principal as the “HAL principle” from 2001: A Space Odyssey, where the crew tries to shut down HAL (a Heuristically programmed ALgorithmic computer) after it starts making faulty decisions. A crew member finally succeeds in shutting HAL down only after it has killed all the other crew members. HAL is an extreme example, but the principle ensures that an AI system’s actions do not override or contradict the actions and decision of the people responsible for the system.

On February 11, 2019, the president signed an executive order promoting the United States as a leader in the use of AI. In addition to addressing technical standards and workforce training, the order called for the protection of “civil liberties, privacy, and American values” in the application of AI systems. As the development of AI systems increases pace, it seems important that an ethical framework be put in place. Do you think these are reasonable and realistic guidelines that should be adopted? Do you think some of them will hinder the pace of AI application development? Are any principles missing?

Let us know what you think.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

March 25, 2019 in emerging payments, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 18, 2019


The Patriots of the Payments Landscape

Last February, the New England Patriots and their future first-ballot Hall of Fame quarterback, Tom Brady, won their sixth Super Bowl title since 2002. Over this 17-year period, they have played for the National Football League title nine times. In college football, a similar scenario has emerged, with two teams (the University of Alabama and Clemson University) winning seven out of the last 10 collegiate football national titles. It is proving to be very difficult to upend the dominant players in this sport, and many football fans and pundits believe that such domination makes the overall sport less interesting (especially if your favorite team isn’t Alabama, Clemson, or the Patriots). They think it’s bad for the sport and argue it would be better to see more variety in championship teams. As I think about that perspective, my mind drifts to a payments conversation that I am often a part of in both business and social settings: Where are payments going to be in the next three to five years?

While it would be much "more entertaining" in my social settings to be able to discuss some great shift in payments on the horizon, the fact is that right now payments is in a place similar to football’s. Card-based payments are sitting on top of the non-cash-based payments world and will be difficult to dethrone anytime soon. According to the Federal Reserve Payments Study 2016 (the last report that provided annual estimates for both automated clearinghouse (ACH) and check payments), card payments, by number of transactions, made up 72 percent of noncash payments. Now the latest figures from the payments study’s 2018 Annual Supplement report reveal that there were 123.5 billion card transactions in 2017, a figure representing robust growth of 10.1 percent from 2016. The report also highlights that, during this 2016–17 period, the number of network ACH payment transactions grew at an accelerated pace of 5.7 percent while large-institution check payments declined in number of transactions at an accelerated pace of 4.8 percent. The Federal Reserve is currently conducting its triennial payments study, which will provide updated national estimates on all noncash payments for 2018.

In the future, we might be dipping cards more often, tapping contactless cards, or even tapping our phones more, but it’s hard to envision a new payment channel making much headway in the next three to five years. Cards just have too big of a share and are experiencing accelerating growth. Consumers are not only accustomed to using them, but they also find that cards work very efficiently for them. And just like the football fans and pundits who talk or write about the need for different champions in the football world, payments professionals and pundits are enamored with writing about and discussing how blockchain, distributed ledger technology, faster payments, or some other brave, new technology are going to be the next frontier in payments. And you know, they might be right one day, but it’s not going to happen anytime soon, certainly not before Mr. Brady finds his way into the Hall of Fame.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

March 18, 2019 in credit cards, debit cards, emerging payments, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 11, 2019


AI and Privacy: Achieving Coexistence

In a post early last year, I raised the issue of privacy rights in the use of big data. After attending the AI (artificial intelligence) Summit in New York City in December, I believe it is necessary to expand that call to the wider spectrum of technology that is under the banner of AI, including machine learning. There is no question that increased computing power, reduced costs, and improved developer skills have made machine learning programs more affordable and powerful. As discussed at the conference, the various facets of AI technology have reached far past financial services and fraud detection into numerous aspects of our life, including product marketing, health care, and public safety.

In May 2018, the White House announced the creation of the Select Committee on Artificial Intelligence. The main mission of the committee is "to improve the coordination of Federal efforts related to AI to ensure continued U.S. leadership in this field." It will operate under the National Science and Technology Committee and will have senior research and development officials from key governmental agencies. The White House's Office of Science and Technology Policy will oversee the committee.

Soon after, Congress established the National Security Commission on Artificial Intelligence in Title II, Section 238 of the 2019 John McCain National Defense Authorization Act. While the commission is independent, it operates within the executive branch. Composed of 15 members appointed by Congress and the Secretaries of Defense and Commerce—including representatives from Silicon Valley, academia, and NASA—the commission's aim is to "review advances in artificial intelligence, related machine learning developments, and associated technologies." It is also charged with looking at technologies that keep the United States competitive and considering the legal and ethical risks.

While the United States wants to retain its leadership position in AI, it cannot overlook AI's privacy and ethical implications. A national privacy advocacy group, EPIC (or the Electronic Privacy Information Center), has been lobbying hard to ensure that both the Select Committee on Artificial Intelligence and the National Security Commission on Artificial Intelligence obtain public input. EPIC has asked these groups to adopt the 12 Universal Guidelines for Artificial Intelligence released in October 2018 at the International Data Protection and Privacy Commissioners Conference in Brussels.

These guidelines, which I will discuss in more detail in a future post, are based on existing regulatory guidelines in the United States and Europe regarding data protection, human rights doctrine, and general ethical principles. They call out that any AI system with the potential to impact an individual's rights should have accountability and transparency and that humans should retain control over such systems.

As the strict privacy and data protection elements of the European Union's General Data Privacy Regulation take hold in Europe and spread to other parts of the world, I believe that privacy and ethical elements will gain a brighter spotlight and AI will be a major topic of discussion in 2019. What do you think?

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2019 in consumer protection, emerging payments, fintech, innovation, privacy, regulations | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 28, 2019


A Cryptocurrency Primer

Every day, my newsfeed is full of stories about cryptocurrency, blockchain, and distributed ledger technology. I even see stories on how we can create our own digital currency, a notion that conjures up for me visions of my face on a coin, just like suffragette Susan B. Anthony. Could my own digital currency, known hereafter as the NEDNote, become a reality? My husband is a software engineer, so the technical piece is covered, but maybe offering a primer on the history of cryptocurrency and its confusing and rapidly changing nomenclature is the best place to start before I launch the NEDNote into the cryptographic biosphere.

The concept of virtual currency as a substitute for fiat currency dates back to the 1980s, with David Chaum being credited with introducing digital cash. (Fiat currency, often referred to in cryptocurrency discussions, is legal tender backed by a government or central bank.) Although early attempts at virtual currencies were made in the late ’90s, the anonymous white paper published in 2009 under the pseudonym Satoshi Nakamoto is credited for creating the first decentralized cryptocurrency, Bitcoin, and the blockchain database. And with that paper, a new lexicon began to emerge, some of which I define here.

  • Cryptocurrency, short for cryptographic currency, is a subset of digital currency.
  • Cryptography in the cryptocurrency world refers to the algorithms that encrypt data for transmission. In the analog world, think how the Navajo language was used to transmit secure messages during World War II.
  • Distributed ledger technology (DLT) refers to the infrastructure that allows a repeated digital copy of data to be available at multiple locations. With DLT, transactions take place over a peer-to-peer network, and do not require the use of a central administrator to govern or validate the transaction, but rather employ consensus algorithms to replicate the data across locations.
  • Blockchain is a type of DLT that organizes records in blocks, which are then linked with cryptographic hashes to create the chain. Each block consists of these hashes, data, and a unique timestamp. Because no trusted source or authority exists for the blockchain, it is necessary that data somehow be validated before anything can be added.
  • Validation protocols include “proof-of-work” and “proof-of-stake,” the two primary methods of validating transactions on a blockchain.
    • Proof-of-work involves mining and timestamping, which are key validation computations. Mining both validates transactions and obtains new cryptocurrency. The mathematical calculations performed in the mining process build the hash function that links the block to the chain. Miners are rewarded with new cryptocurrency for their contributions to the validation process. Timestamping tracks historical changes made to the data contained in the block.
    • Proof-of-stake employs a consensus method to determine ownership of the cryptocurrency. This method requires less computing power to complete than does proof-of-work validation but does not reward miners with new currency.
  • A crypto wallet provider is a cryptocurrency storage service that is online (hot wallet) or offline (cold storage). Hot wallets are connected to the internet and are frequently hosted by an online exchange platform. Cold storage, which is not connected to the internet, is viewed as more secure.

For many years, my husband allowed the SETI Institute to harness the excess processing power of our home computers in the search for extraterrestrial intelligence, when we could have been mining for cryptocurrency and making the NEDNote a reality. In my next post, I’ll talk about how cryptocurrencies are exchanged and some of the associated risks.

Photo of Nancy-Donahue  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

January 28, 2019 in currency, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 10, 2018


A Look in the Rearview Mirror of Payments for 2018

I'm sure just about everyone else in the payments industry would agree with me that 2018 was yet another exciting year for payments. The year was filled with a host of newsworthy events, but fintech most certainly took center stage in the financial services industry, including payments. Whether the news highlighted an announcement of a new product to increase financial access or discussed the regulatory challenges and associated concerns within the fintech space, it seemed that fintech made its way into the news on a daily basis. Still, for payments, 2018 will be remembered for more than just fintech.

The Retail Payments Risk Forum's last Talk About Payments webinar of 2018 will feature Doug King, Dave Lott, and Jessica Washington sharing their perspectives and memories on the year-in-payments in a round table discussion. Among the topics they will discuss are consumer payment preferences, the changing retail environment, and the state of fraud—and fintech, of course. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.

The webinar will be held on Thursday, December 20, from 1 to 2 p.m. (ET). Participation in the webinar is free, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.

We look forward to you joining us on December 20 and sharing your perspectives on the major payment themes of 2018.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


December 10, 2018 in banking regulations, banks and banking, crime, cybercrime, emerging payments, fintech, innovation, payments fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 3, 2018


Building Blocks for the Sandbox

I just returned from a leave of absence to welcome my third child to this world. As I catch up on payments news, one theme emerging is the large number of state and federal regulatory bodies launching their own fintech sandboxes. Typically, these testing grounds allow businesses to experiment with various "building blocks" while they innovate. Some businesses are even allowed regulatory relief as they work out the kinks. As I've researched, I've found myself daydreaming about how my new little human also needs to work with the right building blocks, or core principles, to ensure he develops properly and "plays nice" in the sandbox.

But—back to work. What guidance do fintechs have available to them to grow and prosper?.

On July 31 of this year, the U.S. Department of the Treasury released a report suggesting regulatory reform to promote financial technology and innovation among both traditional financial institutions and nonbanks. The report in its entirety is worth a review, but I'll highlight some of it here.

The blueprint for a unified regulatory sandbox is still up for discussion, but the Treasury suggests a hierarchical structure, either overseen by a single regulator or by an entirely new regulator. The Treasury suggests that Congress will likely have to assist by passing legislation with the necessary preemptions to grant authority to the newly created agency or a newly named authoritative agency.

The report outlines these core principles of a unified regulatory sandbox:

  • Promote the adoption and growth of innovation and technological transformation in financial services.
  • Provide equal access to companies in various stages of the business lifecycle (e.g., startups and incumbents). [The regulator should define when a business could or should participate.]
  • Delineate clear and public processes and procedures, including a process by which firms enter and exit.
  • Provide targeted relief across multiple regulatory frameworks.
  • Offer the ability to achieve international regulatory cooperation or appropriate deference where applicable.
  • Maintain financial integrity, consumer protections, and investor protections commensurate with the scope of the project, not be based on the organization type (whether it's a bank or nonbank).
  • Increase the timeliness of regulator feedback offered throughout the product or service development lifecycle. [Slow regulator feedback is typically a deterrent for start-up participation.]

Clearly, the overarching intent of these principles is to help align guidance, standards, and regulation to meet the needs of a diverse group of participants. Should entities offering the same financial services be regulated similarly? More importantly, is such a mission readily achievable?

People have long recognized the fragmentation of the U.S. financial regulatory system. The number of agencies at the federal and state levels with a hand in financial services oversight creates inconsistencies and overlaps of powers. Fintech innovations even sometimes invite attention from regulators outside of the financial umbrella, regulators like the Federal Communications Commission or the Federal Trade Commission.

In the domain of financial services are kingdoms of industry. Take the payments kingdom, for example. Payments are interstate, global, and multi-schemed (each scheme with its own rules framework). And let's be honest, in the big picture of financial services innovations and in the minds of fintechs, payments are an afterthought, and they aren't front and center in business plans. Consumers want products or services; payments connect the dots. (In fact, the concept of invisible payments is only growing stronger.)

What is more, a fintech, even though it may have a payments component in its technology, might not identify itself as a fintech. And a business that doesn't see itself as a fintech is not going to get in line for a unified financial services regulator sandbox (though it might want to play in a payments regulator sandbox).

When regulatory restructuring takes place, I hope it will build a dedicated infrastructure to nurture the payments piece of fintech, so that all can play nice in the payments sandbox. (Insert crying baby.)

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 3, 2018 in bank supervision, emerging payments, financial services, fintech, innovation, regulations, regulators | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 15, 2018


An Ounce of Prevention

Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.

As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.

SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.

Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.

Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.

As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.

Photo of Ian Perry-Okara  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

 

October 15, 2018 in biometrics, cards, cybersecurity, emerging payments, fintech, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 1, 2018


Safeguarding Things When They’re All Connected

In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.

Prepurchase

  • Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
  • Check with reliable product review sites to see what others have to say about the product’s security features.
  • If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.

Postpurchase

  • Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
  • Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
  • Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
  • Register your device with the manufacturer to be notified of security updates or recalls.
  • Add the device to your separate network if available.

If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.

We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.

Photo of Ian Perry-Okara  By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed

 

Photo of David Lott  By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 1, 2018 in account takeovers, cybercrime, cybersecurity, data security, identity theft, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 24, 2018


Racing Ahead in the Wireless Space

This past Sunday, Eliud Kipchoge smashed the marathon world record at the Berlin Marathon, with a time of 2:01:39, shaving 1 minute 22 seconds off the previous world record. Though some running experts claim a marathon under two hours will never happen, I think elite runners will continue to push the speed envelope and we will witness a sub-two-hour marathon one day.

The marathon isn’t the only area where the speed envelope is being pushed. Another area, and the focus of today’s blog, is in the wireless space.

It was in 2002 when the first commercial 3G network launched in the United States. 3G made it possible for our phones to run applications using a global positioning system (GPS) or using videoconferencing, among other things. The second half of 2010 marked the first commercial launch of 4G in the United States, with many of the mobile network operators launching this service. 4G expanded on the speed of 3G and made it possible for consumers to access the web with their mobile devices, stream high-definition video, and connect Internet of Things devices.

Now, as we approach the fourth quarter of 2018, we are on the cusp of 5G networks, which will be 10 times as fast as our 4G networks. According to a recent Wall Street Journal article on 5G that sparked my interest in the topic, the speed of 5G networks will allow the proliferation of applications such as self-driving cars, virtual reality, and remote surgery. And this got me thinking, what impact will 5G have on the future of commerce, payments, and security?

I haven’t spent any time researching that last question, but no doubt there will be significant benefits and risks that 5G networks will introduce into retail payments. I can draw inspiration from one of my favorite cartoons, the Jetsons, and think ahead to what a Jetson house might look like in 2025: one that is filled with connected devices that communicate with not only us but also each other. Close your eyes and imagine a house with a robotic vacuum that communicates with a virtual home assistant when it needs new bags—and zero human interaction is needed in the process. Or imagine a vehicle that drives itself to the nearest gas station when the low-fuel light appears. Undoubtedly, this new faster-speed wireless world will create security threats that we have yet to face.

So as we at the Risk Forum think about the possibilities and new risks of a 5G world and its impact on commerce, payments, and security, what should we be paying attention to?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 24, 2018 in data security, emerging payments, innovation | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad