Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
March 15, 2010
Global challenge: Catching crooks while protecting privacy
As I watched the Winter Olympics unfold in Vancouver, I marveled at the stories of athletes who had gained citizenship in other countries in order to pursue their dreams. A Canadian moguls skier moved to Australia (which I kind of get) and a Japanese pairs figure skater fled to Russia (which I don't get). In both cases, their renationalization was rewarded with Olympic medals, and in both cases, I was reminded of how completely we have merged into a one-world family and a one-world economy.
Amidst this clear and widely embraced trend to global industrialization and trade, we find that our payments systems lag miserably behind. Certainly this is not because of the lack of availability of technology to wire us together; in fact, both good guys and bad guys use the Internet to order and ship goods and services, as well as commit fraud, across the globe in minutes. And, certainly, this is not because of trade practices. As I found out from Linda Coven, a senior executive at the Silicon Valley Bank in California, a technology firm born in the Silicon Valley becomes a global firm the minute they put up their Web site. Even a modest-sized bank such as hers can develop the expertise and partnerships to help such companies cope with the financial aspects of worldwide markets.
The fly in the international payments ointment is the complex web of regulatory and law enforcement regimens that quite naturally do not as yet mesh. In fact, this can still be a problem domestically, no less globally. The global version of this dilemma gained center stage on February 2010 when the folks at the European Parliament voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programs (TFTP). These programs were established by the U.S. Treasury in the wake of the September 11, 2001, attacks. The TFTP allows the Treasury law enforcement agencies to issue administrative subpoenas for terrorist-related data, including the records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the world's largest network for banking transactions. Privacy laws and liabilities were cited as the major stumbling block in this reversal of form from previous agreements. Efforts by SWIFT to implement new technology to separate their databases into geographical segments may still allow some access to data involving a U.S. institution, but the EU ruling could ultimately impede law enforcement activities aimed at catching criminals that make today's global payments world a bit of the wild, wild West.
For those who feel that today's regulatory/law enforcement climate borders on paranoia, I would counter that in the face of global terrorism and money laundering there may be ample reason for paranoia. It is clear that cross-border payments applications deserve greater scrutiny to make sure they are not vehicles for financing dangerous and unsavory organizations. Strong compliance policies and screening practices are even more critical in this environment than they are domestically. Nevertheless, we see once again the incongruent goals of catching criminals and preserving privacy. In cases where cooperation and trust have been established there have been great successes. Internet corporate takeover rings have been stymied and Nigerian-based fraudulent check schemes have been terminated to the benefit of numerous domestic corporations and consumers.
Building a team
At the Retail Payments Risk Forum, we are working with various parties to find ways to synthesize the conflicting goals of privacy and enforcement to create a more directed and timely approach to catching the bad guys. As we progress, we will have to be ever-mindful of the fact that the next step will be to use our domestic examples as templates for solving the same problems internationally. Useful new work groups and task forces have been established here in the United States, such as the Interagency Payments Fraud Working Group under the current co-chairmanship of the Justice Department and the Federal Reserve Board, that are directed at better cooperation between law enforcement and the bank/non-bank regulatory community. Extending such collaboration into the international arena needs to become a priority for our industry if we are truly going to mitigate payments risk and catch offenders. It is no secret that this will be a difficult challenge, but fighting cyber crime is no longer a domestic issue here in the States or anywhere else. While we cast aside old norms in the payments and technology areas to do business across borders, we must also be open and innovative in regulatory and law enforcement circles if we are to have any chance of keeping up with criminals.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Global challenge: Catching crooks while protecting privacy:
December 21, 2009
"Money mules" carry load for global cybercriminals
In November, Portals and Rails explored the industry implications of hacking attacks that have resulted in fraudulent funds transfers using online banking interfaces. This week, Portals and Rails revisits this topic, focusing on the tactics these fraudsters use to dupe unsuspecting individuals and organizations.
The FDIC released a special alert on October 29, warning financial institutions of an uptick in schemes to recruit individuals to receive and transmit unauthorized electronic funds transfers (EFTs) from deposit accounts to individuals overseas. These funds transfer agents, also referred to as "money mules," are solicited online by criminals who have gained unauthorized access to the account of a business or consumer. Typically, the criminal will originate unauthorized EFTs from the victim's account to the money mule's deposit account. The money mule is then instructed to quickly withdraw the cash and wire it overseas minus a "commission" of from 8 to 10 percent.
Fraudsters perpetrate work-at-home scams using online job postings and social networking sites
A common hiring tactic for money mules are work-at-home jobs or other seemingly legitimate positions. Fraudsters will use online job search Web sites and social networking sites to persuade individuals to receive and forward stolen funds. According to the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), victims are often hired to "process payments," "transfer funds," or "reship products." Other victims sign up to be "mystery shoppers" where they receive fraudulent checks with instructions to cash the checks and wire the funds to "test" the performance of a money service business.
The job scams also provide the criminal an opportunity to commit identity theft against the money mule. The personal information provided on the "employment" application (e.g., Social Security number or bank account information) may be used to open credit cards, post online auctions, etc., in the money mule's name and possibly commit additional crimes.
Sophisticated fraudsters use malicious code and money mules to conduct unauthorized funds transfers
An FBI alert issued last month describes how fraudsters are increasingly using malicious code to conduct unauthorized ACH transfers with the help of money mules. Many of these cases involve exploiting the online banking credentials belonging to small and midsized businesses, municipal governments, and school districts.
A typical scenario involves a "spear phishing" e-mail being sent to someone within the company with either an infected attachment or directing the recipient to an infected website. Spear phishing is a phishing attack that targets a specific person and deceptively appears to come from an individual or organization that the potential victim would normally receive e-mails from. The email recipient would usually have authorization to make funds transfers on behalf of the company.
Once the recipient opened the attachment or visited the Web site, malware (malicious software code) containing a key logger would be installed on the recipient's computer. The key logger captures the keystrokes of the recipient's business or corporate bank account login information. Once this information is compromised, the perpetrator either creates another user account with the stolen login or directly initiates funds transfers through either ACH or wire transfer by assuming the legitimate user's identity. The transactions are typically in increments less than $10,000 to avoid currency transaction reporting. Money mules play an important role in these schemes by helping to facilitate the unauthorized transfer of funds.
Small and midsized businesses lose millions to online banking scams
Reportedly, small to midsized businesses in the United States have lost $40 million to online banking fraud since 2004. FBI analysis has found that the main threat from these schemes is not merely the malware but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider. In most cases, the victims' accounts were held at local community banks and credit unions, some of which used third-party service providers to process ACH transactions.
Many believe that the uptick in these types of fraudulent payment activities directly relate to the decline in the economy. Consequently, financial institutions, businesses, and consumers have to be vigilant in looking for signs of this activity. The Federal Financial Institutions Examinations Council (FFIEC) provides guidance to financial institutions and technology service providers on authentication in an Internet banking environment. Money mule activity in particular is addressed by the Bank Secrecy Act and Anti-Money Laundering regulations. There are also resources available to consumers and businesses on how to protect themselves from these types of online scams.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference "Money mules" carry load for global cybercriminals:
November 16, 2009
Threats to online banking security may alter payment choice
During the last several months, a variety of government agencies, industry organizations, and the media have alerted banks, their customers, and the public to hacking attacks resulting in fraudulent funds transfers using online banking interfaces. These attacks particularly affected commercial bank accounts. For example, the Federal Deposit Insurance Corporation (FDIC) issued an alert regarding this form of attack earlier this year. Both the FDIC and the FBI have recently issued alerts referring to how this hacker attack is being used in conjunction with "money mule" schemes to attempt to hide the fraudulent funds transfers.
In one variety of these attacks, hackers using phishing techniques direct people to spoofed Web sites where malware Trojans are then downloaded to the affected computer. This malware then allows the hacker to infiltrate online banking connections in a manner that can circumvent the customer authentication mechanisms put in place by banks. In simple terms, hackers have figured out how to "hitchhike" on a computer's secure online connection to a bank account and thereby initiate fraudulent funds transfers out of the account. We found a recorded webinar describing how this technique can work using the "Zeus" malware.
Multifactor authentication of the customer has been referenced but not required by bank regulatory guidance as a means banks should consider in protecting online banking systems generally. The guidance does not make technology-specific recommendations but leaves room for banks to make their own risk assessments regarding appropriate security means.
The recent events described above have now raised significant questions about the effectiveness and sufficiency of reliance on multifactor customer authentication as a means to keep fraudulent transactions out of payment networks accessible through online banking systems.
Some view this as another variant of the "whack-a-mole" problem, in which you might smack down one threat but another one just pops up quickly. In other words, we should not throw the baby out with the bath water by disregarding multifactor customer authentication as an effective method to mitigate fraud. Others have suggested the industry should rethink online banking security entirely by investing in systems that authenticate transactions instead of customers, as is common in card transaction security systems. Others suggest systems that provide out-of-band confirmations of transactions (by phone or by text) to avoid overreliance on the online banking channel alone for security.
While banks consider online banking security investments, their customers are increasingly faced with choices about their own use of these systems as they exist today. Some suggest standalone computers running open source operating systems as a security measure. Bank customers can make further use of "positive pay" arrangements with their banks and can better monitor their account activity daily. Each of these and other available security techniques brings new costs and "frictions" to online banking users. We considered the economic tradeoffs between privacy, data security, and fraud prevention in a prior Portals and Rails post.
At one extreme, some smaller commercial customers of banks may decide not to accept these added costs and instead opt out of online banking access to electronic funds transfer systems altogether if they feel unprotected in this environment. They might even choose to fall back to manual check payments. Is this choice an overreaction or a rational one?
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Threats to online banking security may alter payment choice:
August 10, 2009
Collaboration to address payments risks and fraud
In the world of payments, all players share an interest in seeing that risks are detected and mitigated quickly and effectively. However, when threats emerge, is it everyone for themselves? How does the variety of interests and goals among all the players converge? In a private marketplace mixed with government actors, how can we work better together?
Participants at a 2008 conference hosted by the Retail Payments Risk Forum discussed these issues and described the challenges and potential solutions. A year later, the findings of this forum are worth revisiting.
Real or perceived information-sharing limitations among financial institutions, regulators, law enforcement, and others can substantially impede addressing retail payments risks on a timely and effective basis. Examples include inconsistent or incomplete payments data, varying success levels of intra- and interagency collaborations, varied and overlapping jurisdictions, an incomplete network of memoranda of understanding (MOUs), privacy restrictions, perceived barriers beyond legal restrictions, competitive interests, costs, and trust. Suggestions for improvement in this area focused on:
- collection, consistency, and commonality of payments data, better understanding of its utility, and analysis tools. While data needs vary, a first step would be to focus on data elements of shared interest. A working group could facilitate ongoing payments data compilation and analysis efforts;
- formal and informal dialogue among various agencies and others, including simple measures such as shared contact lists;
- development of a “matrix” of various roles/responsibilities/information sources for shared use to facilitate more timely location of information and expertise available; and
- a more systematic, organized mechanism for information sharing, perhaps by establishing “brokers” for relevant information such as payments data.
Policing bad actors
Many noted that communication about bad actors is often ad hoc and that information is too widely dispersed to be useful and timely. Individual agency efforts, published enforcement actions, SAR filings, interbank collaborations, and industry self-regulatory efforts, while all worthwhile, have not fully promoted effective information gathering and sharing among all the parties who can have an impact. Suggestions for improvement in this area included:
- better understanding of risks across payment channels, both for front-end access point(s) and back-end processing, to mitigate fraudster arbitrage of vulnerabilities;
- publishing enforcement actions and related settlements more effectively as a deterrent;
- establishing a central “negative list” or “watch list” of bad actors;
- extending registration requirements for third parties participating in payments networks beyond existing targeted voluntary efforts;
- strengthening and clarifying regulatory guidance, such as that for counterfeit checks and consumer account statements;
- better educating consumers and banks regarding common issues;
- a more direct means of compensating victims;
- mining specific activity reports and other existing agency databases such as consumer complaints data; and
- potential new SEC codes within ACH to better track risks.
Participants identified collaborative efforts to help detect and/or mitigate retail payments risk issues and identified benefits and gaps. Examples included bank regulatory groups (intra- and interagency), national and regional law enforcement partnerships, interstate collaboration, federal-state working collaborations, joint investigative task forces, examination- or case-driven ad hoc efforts, and industry data-sharing efforts. Potential avenues for improved collaborative action included:
- a law enforcement/regulatory payments fraud working group;
- a virtual collaborative forum via Web sites, e-mail lists, or regular phone calls;
- greater attention paid to requests for comments on proposed NACHA rules;
- examiner and law enforcement training opportunities;
- participation in and/or support for industry database sharing efforts;
- engagement with industry groups to improve best practices;
- a Web-based resource for consumers supported by all (“fraud.gov”);
- implementation of further MOUs among agencies; and
- efforts to identify fraud patterns across agencies, such as the federal government’s Eliminating Improper Payments Initiative.
Substantive areas of concern
Participants were asked to describe substantive retail payments risk issues that keep them up at night. Some common themes emerged, including:
- strengthening the oversight of third-party payments processors and others not covered by the Bank Service Company Act;
- quantifying and better managing the misuse of remotely created checks;
- understanding and mitigating risks associated with “cross-channel” fraud;
- “Know Your Customers’ Customer” due diligence, compliance, and associated risks and potential liabilities for fraud detection/mitigation purposes;
- establishing a common means of redress for consumers regardless of the payment channel; and
- improving the clarity of consumer account statements by instituting standards and reducing jargon.
Progress has been made on a number of these ideas in the past year, including the formation of new working groups and other collaborations. The Retail Payments Risk Forum continues to explore opportunities and implement solutions to help foster collaborative action to address these and other industry concerns. Your input in the form of comments to Portals and Rails on these or other topics is welcomed!
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed.
TrackBack URL for this entry:
Listed below are links to blogs that reference Collaboration to address payments risks and fraud:
July 13, 2009
Consumer complaints may be “canary in a coal mine” for payments risk
For many years in the coal mining industry, a caged canary would be brought into the mines to detect whether toxic gases were present. The canary served as an early warning system of potential danger for the miners. Similarly, consumer complaints data could serve as a harbinger of potential risks in payments for law enforcement and other industry professionals.
Several regulatory agencies receive fraud-related complaints from consumers, including those involving financial institutions. Some of the consumer complaint databases are shared among agencies to help better facilitate fraud investigations and to track trends and developments in consumer fraud activity.
One example is the Federal Trade Commission’s (FTC) Consumer Sentinel Network (Sentinel), a secure online database of consumer complaints that is only available to law enforcement. In addition to storing FTC complaints, the Sentinel also includes complaints filed with more than 100 different U.S. and Canadian federal, state, and nongovernmental organizations. Among the leading partners and data contributors are the Internet Crime Complaint Center, Better Business Bureaus, Canada’s Phone Busters, the U.S. Postal Inspection Service, the Identity Theft Assistance Center, and the National Fraud Information Center.
Established in 1997 to collect fraud and identity theft complaints, the Sentinel database was expanded in 2008 to include complaints about credit reports, debt collection, mortgages, and lending, among other subjects. According to the 2008 Consumer Sentinel Network Data Book, the database has more than 7.2 million complaints.
FTC complaints provide insight into consumer fraud trends
The Sentinel received a total of 1.2 million complaints during calendar year 2008. Of the 30 complaint categories, identity theft ranked first with 26 percent of the overall complaints. Credit card fraud (20 percent) was the most common form of reported identity theft, the majority of which involved new accounts (12.3 percent). Another significant category of identity theft reported by consumers was bank fraud (11 percent). Although identity theft bank fraud, which includes fraud involving checking and savings accounts and electronic fund transfers, has declined since 2006, the most common type continues to be electronic fund transfers.
|January 1 - December 31, 2008
Top 10 Consumer Sentinel Network Complaint Categories
|2||Third Party and Creditor Debt Collection||104,642||9%|
|3||Shop-at-Home and Catalog Sales||52,615||4%|
|5||Foreign Money Offers and Counterfeit Check Scams||38,505||3%|
|6||Credit Bureaus, Information Furnishers, and Report Users||34,940||3%|
|7||Prizes, Sweepstakes, and Lotteries||33,340||3%|
|8||Television and Electronic Media||25,930||2%|
|9||Banks and Lenders||22,890||2%|
|10||Telecom Equipment and Mobile Services||22,387||2%|
|Source: Federal Trade Commission|
The data also give some indication of the preferred payment channel for consumer fraud. In 2008, for those fraud complaints where the consumer reported the method of payment, credit cards was the most common (35 percent) followed by wire transfer (24 percent), bank account debit (19 percent), and check (10 percent). The rankings have been consistent over the past two years, but credit cards have increased from 30 percent and 33 percent for 2006 and 2007, respectively.
Consumer complaint databases can be an important resource in detecting fraud issues
FTC Sentinel data only gives a snapshot of the consumer fraud and risk issues occurring in the payments system. A consumer who has a problem involving an account held at a financial institution may file a complaint with the appropriate bank regulator. The Retail Payments Risk Forum is currently analyzing consumer complaints filed with the Federal Reserve Consumer Help over a four-year period to track whether there are trends that may indicate underlying payments risks. At the very least, the consumer complaints data may provide leading indicators of areas where we may need to focus our attention with research and/or education.
By Jennifer Grier, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
June 29, 2009
Fraud Enforcement and Recovery Act of 2009
On May 20, President Obama signed into law the Fraud Enforcement and Recovery Act of 2009. Among other things, the law "authorizes" substantial funding in 2010 and 2011 for various federal agencies, including the Department of Justice, the Postal Inspection Service, the Securities and Exchange Commission, and the Inspector General of Housing and Urban Development, to investigate and prosecute financial frauds of all types. (Note that an authorization does not necessarily mean any appropriation of additional funding to these agencies above their existing funding will result.)
One of the law's chief sponsors, Sen. Patrick Leahy, included the following in his comments on the law:
"At its core, the Fraud Enforcement and Recovery Act authorizes the resources necessary for the Justice Department, the FBI, and other investigative agencies to respond to this crisis. In total, the bill authorizes $245 million a year over the next two years to hire more than 300 Federal agents, more than 200 prosecutors, and another 200 forensic analysts and support staff to rebuild our nation's 'white collar' fraud enforcement efforts. While the number of fraud cases is now skyrocketing, we need to remember that resources were shifted away from fraud investigations after 9/11. Today, the ranks of fraud investigators and prosecutors are drastically under stocked, and thousands of fraud allegations are going unexamined each month. We need to restore our capacity to fight fraud in these hard economic times, and this bill will do that."
Supporters of the law have promoted the idea that this funding of efforts to fight financial crimes will in effect result in a good return on the government's investment as it will result in higher recovery of funds lost to fraud. Some cite Justice Department estimates that each dollar spent to prosecute fraud results in more than $20 being ordered in restitution and fines for victims and the government.
This law (if funded) could result in a sea change in the focus of federal law enforcement to address a wide array of financial crimes in the future. It bears watching to see if this effort has a measurable impact in tamping down the growth and spread of financial-related fraud and whether it will in particular have any impact on payments fraud issues, such as the persistence of check fraud schemes or the development of new fraud schemes leveraging gaps in emerging payments modes.
By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Fraud Enforcement and Recovery Act of 2009:
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- What the Most Convenient Food Tells Us about Payments
- Is Friction in Payments Always Bad?
- Why Should You Care about PSD2?
- At the Intersection of FinTech and Financial Inclusion
- A Call to Action on Friendly Card Fraud and Loss?
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- January 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud