Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

June 30, 2014

A Call to Action on Data Breaches?

I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.

I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.

As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?

Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or do there need to be more major breaches before the momentum to create such a standard makes it happen?

By Deborah Shaw

June 30, 2014 in consumer protection, cybercrime, data security, privacy


June 23, 2014

Do Consumers REALLY Care about Payments Privacy and Security?

Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.

The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).

[Chart: Consumers' post-breach actions]

In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed them monthly.

When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.

By Deborah Shaw

June 23, 2014 in consumer fraud, consumer protection, data security, identity theft, privacy


Consumers have been hearing "the horror stories around the campfire" for so long, they have come to believe that if the "boogieman" is going to get you, there is nothing you can do about it. However, this is just not true. The FSO industry needs to promote consumer education efforts to update the public: we are each provided options every day that can serve to reduce our exposure to the fraud/ID theft boogieman - at FraudAvengers.org we call it "anti-fraud activism". Once aware, consumers will find themselves liberated to make choices based on their own risk tolerance about: how they make and receive payments; how they use their communication devices; the places in which they voluntarily place their personal information; ways and frequency of monitoring their financial, medical and other personal records; who and how they do business with people they have never met and/or do not know; etc. By ensuring we always include the "lessons learned" after we tell our horror stories, we serve to educate the public and inform them of protective actions they can take in their own defense. Crime collar criminals are always looking for victims: by reducing one's visibility to them and by proactively knowing what to watch out for, consumers can greatly reduce the likelihood of becoming victims.

Posted by: Jodi Pratt | June 23, 2014 at 03:19 PM


May 5, 2014

There's No Such Thing as a Good Data Breach

While data breaches have been a persistent problem for many years (see the chart), until recently, their stories would quickly fade from the headlines due to their limited reach. In the three or four months that have passed since the huge data breach at some major retailers, there have been many congressional committee hearings, several new federal legislative bills on data security issues, and countless panels and speakers at industry conferences and workshops discussing this growing problem. Unfortunately, the interactions have occasionally included a little finger-pointing, which doesn’t always lead to effective solutions. Recent efforts to bring banks and merchants together to address the problem hold some promise.

It is important to understand the number of breaches from a trends perspective, but it is more important to understand the magnitude of the breaches in terms of the number of records obtained and the type of data in those records. Because state and territorial laws with differing requirements generally control data breach notifications, the notification reporting information is often incomplete. Additionally, many data security industry experts suspect that data breaches are underreported or even not reported at all. After all, what company wants to confess to having incurred a data breach when the result will be fines and reputational damage?

In the health care industry, the 2013 implementation of the HIPAA Breach Notification Rule (45 CFR §§164.400–414) addressed this reporting concern by involving a monetary cost to the breached company. The rule requires a HIPAA-covered business and its associates to notify its customers and the U.S. Department of Health and Human Services of any breach or it could face significant financial penalties. Because of the stronger notification requirement, it was not surprising to see that the health care industry reported a 63 percent increase in data breaches in 2013 over 2012, according to the Identity Theft Resource Center (ITRC). Health care accounted for the largest share of breaches on an industry segment basis, surpassing the general business segment for the first time since the ITRC began tracking this data in 2005.

But notification requirements are post-event, not preventive. While no data security architecture can provide 100 percent protection, there clearly is the need for improved security in the handling and storage of sensitive data to prevent such breaches from occurring. As with any risk management program, the level of security depends on the sensitive nature of the information that could be monetized in some way by the criminal. Because of the large losses from the production of counterfeit cards, the public has made much of—and justifiably so—the retailer payment data breaches involving more than 40 million accounts.

We must also remember that there was an even larger data breach at the same time as the retailer's payment card data breach, this one involving 70 million accounts. But the criminals obtained such sensitive information as customers' names, addresses, phone numbers, and e-mail addresses—no payment information. Because the data was not related to payment transactions, the incident has not received as much attention. Still, criminals can use such data to foster identity theft operations that generally result in much higher losses and greater customer impact.

These incidents serve as a reminder that not all data breaches are alike and will require different prevention and response methods.

Portals and Rails is interested in what you think is the best way to address the prevention and notification aspects of data breaches.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 5, 2014 in data security, identity theft, privacy


November 12, 2013

Is Consumer Privacy Possible?

In January 1999, Scott McNealy, then chief executive officer of Sun Microsystems, told a group of analysts, "You have zero privacy anyway. Get over it." His comment caused quite a stir—at the time, most people had not yet heard the terms "big data," "data warehousing," or "data analytics."

I recently attended two conferences that had sessions on consumer privacy and data collection. All the panelists suggested that there is little data privacy for consumers anymore. And all agreed that "privacy is dead."

Four major forces have brought us to this point: technology advances, emergence of data aggregators, lack of transparency with consumers, and consumer complacency. The first force—advances in the technology of data storage—has created the environment for the other elements. The capacity of hardware to collect and store data has grown at exponential rates at the same time that the cost of that technology has plummeted. A cost analysis from Statistic Brain shows that the cost of storage per gigabyte of memory has dropped 50 percent every 14 months since 1980. Back then, a gigabyte of data storage was priced at about $438,000. Today, the price for storing a gigabyte is a mere nickel.

With the ability to store vast amounts of data so inexpensively, companies have built data warehouses to collect all types of data, ranging from government records to consumers' product purchases at merchant locations. Proponents of the data analytics business emphasize how their work can help identify fraudulent transactions through behavior anomalies and how it can help a company market more effectively. Privacy advocates express concern over how the information is used and the adequacy of safeguards to protect the data from unauthorized access.

Privacy advocates contend that most consumers have no real understanding of the information that is collected and how it is used. Indeed, disclosures are often hidden in fine print. Consumers often must accept the terms of a transaction to receive the product. How often do you click the accept box without reading the disclosure?

With support from the Federal Trade Commission, advocacy groups are working to get companies to make their consumer disclosures clearer so consumers will know exactly what information is being collected, how long it is retained, and who it is being shared with. They also want these data collectors to disclose how consumers can verify the accuracy of the information.

Are you interested in knowing what information the largest data aggregator company in the United States has on you? If so, go to Acxiom's website and scroll to the bottom of the page. You will need to register to look at your profile.

Although consumers themselves are the major source of the data being collected, many may not understand that the information they voluntarily provide on social media sites and through online browsing and purchasing activities is being tracked and collected. And consumers have consistently demonstrated a willingness to provide personal information to secure a coupon or discount.

In addition, with the increased deployment of smartphones, merchants are looking to use the mobile channel for one-to-one marketing. The success of this effort largely depends on knowing the interests of the phone owner. Such determination is made only through data collection and analytics—and these efforts are only going to intensify. This marketing element available through the mobile phone is seen as an advantage over other payment methods, and many are studying how to monetize it.

Even if the most transparent disclosures were available, do you think consumers would dramatically change their information-sharing behavior, especially when doing so would come at the expense of incentives? Or of not expressing their personal interests and posting events on social media sites? Personally, I do not think so. I believed McNealy back then and took his advice to get over it. What about you?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 12, 2013 in consumer protection, data security, privacy


June 17, 2013

Security versus Privacy: Finding the Right Balance

The national news headlines over the last two weeks have again heated up public discussion on the issue of when the collection of data about the activities of individuals considered necessary to identify criminal or terrorist threats crosses the line to become an invasion of privacy. This issue has become increasingly complicated as data collection, storage, and analytics have advanced and become less expensive, faster, and more sophisticated. At the same time, people are participating more in electronic communications, transactions, and activities, creating additional electronic footprints that can be tracked and analyzed.

Many consumers don't seem to mind providing personal information to retailers if they in turn receive some sort of "members only" benefits in the way of rewards programs, preview ads, discount coupons, or other special offers. Many people also appear to be willing to provide individual and family information on social media sites, where it can be gathered by criminals or law enforcement agencies and used with the information that they collect from devices we can’t seem to live without—our mobile phones, our laptops, and so on—to establish profiles of certain behaviors.

I believe that most people in the security and IT industries have a good understanding of the data collection efforts that are under way, both in the public and private sectors. For them, the recent revelations came as no surprise. But I wonder how many consumers, when they click on the "Accept" button to indicate they agree to a site's terms and conditions, really understand what data are being collected or how those data are being used and by whom. This is a question that those in the public sector have debated for some time, as evidenced by the Cyber Intelligence Sharing and Protection Act (CISPA) that passed the House but stalled in the Senate in 2012 after major protests from the online community, which viewed the bill as a threat to individuals’ privacy.

Should there be improved transparency by the various companies that collect the data? Perhaps they could disclose in simple terms what information they collect, how they use it, whom they share it with, and how long they retain it. The fine print of those agreement blurbs may already contain much of this information, but would clearer disclosures make consumers more or less likely to agree to share their personal information and activities? And what about the option for the consumer to select the various types of information they would be willing to share instead of the “all or nothing” option they generally face today? We welcome your thoughts on this subject.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 17, 2013 in privacy


February 4, 2013

The Promises and Pitfalls of Big Data

In reviewing one of my recent credit card statements, I noticed a marketing message offering $5 off for an online purchase using their credit card at one of the online retailers I frequently visit. At first I thought this was a bit strange as I had not used that particular credit card at that merchant. Then I realized this was likely "Big Data" in action. Evidently, this credit card issuer had gotten information from some database, perhaps from the retailer, that I was a frequent customer of that retailer. The card issuer then checked its records and found that its card wasn't the one I used for the purchases, so it tried to entice me with $5 savings to switch my card usage habits.

A recent Harris Interactive poll of 1,000 U.S. Internet users showed that the typical consumer has an extremely high level of concern about the amount of personally identifiable data (PID) that is collected about them from public databases, e-mails, web access, and private data aggregators and how that information is being used. Big Data has opened a new world of marketing opportunities for companies with the capability to analyze and use such a wide array of information. In addition to marketing opportunities, Big Data technology can also provide enhanced risk assessment capabilities.

Card issuers have used data analysis at both the macro and individual cardholder level for several decades for fraud management purposes. With sufficient transaction history, the issuer creates a cardholder's purchase profile and evaluates future transactions against that profile. In the early stages of such efforts, if a transaction fell outside the normal profile parameters, the issuer was likely to authorize the purchase and then attempt to contact the cardholder later to verify its legitimacy. Before the widespread use of cell phones or text alerts, contacting the customer was often delayed by days until he or she could be reached on a landline. With advances in software and processing technology, some issuers risk-rate transactions as they are received for authorization and may deny a transaction with a high risk score or one that exceeds parameters the customer has personally established. Of course, the downside to such a process is a false denial resulting in a less-than-satisfied cardholder.
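The profile-then-score flow the paragraph describes, as an added illustration that is not any issuer's code: the sample history, the scoring weights, the cardholder-set limits and the deny/review thresholds are all constructed assumptions, and the "legit_tv" case shows the false denial the paragraph warns about.

```python
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional


@dataclass(frozen=True)
class Txn:
    amount: float
    category: str   # merchant category, e.g. "grocery" (constructed labels)
    country: str    # two-letter country code
    hour: int       # local hour of day, 0-23


@dataclass
class CardholderLimits:
    """Parameters the cardholder sets personally (assumed shape, not a real API)."""
    max_amount: Optional[float] = None
    blocked_countries: frozenset = field(default_factory=frozenset)


class CardholderProfile:
    """Purchase profile built from the cardholder's own transaction history."""

    def __init__(self, history):
        if len(history) < 10:
            raise ValueError("need at least 10 transactions to build a profile")
        amounts = [t.amount for t in history]
        self.mean_amount = mean(amounts)
        self.std_amount = pstdev(amounts) or 1.0   # guard against a flat history
        self.categories = Counter(t.category for t in history)
        self.countries = Counter(t.country for t in history)


def risk_score(profile, txn):
    """0-100 risk score: each rule adds weight when the transaction leaves the profile."""
    score, reasons = 0, []
    z = (txn.amount - profile.mean_amount) / profile.std_amount
    if z > 3:
        score += 40
        reasons.append(f"amount {z:.1f} std devs above usual")
    elif z > 2:
        score += 20
        reasons.append(f"amount {z:.1f} std devs above usual")
    if txn.category not in profile.categories:
        score += 25
        reasons.append(f"new merchant category {txn.category!r}")
    if txn.country not in profile.countries:
        score += 30
        reasons.append(f"new country {txn.country}")
    if txn.hour < 5:
        score += 10
        reasons.append("unusual hour")
    return min(score, 100), reasons


def authorize(profile, limits, txn, deny_at=60, review_at=30):
    """Return (decision, score, reasons); cardholder-set limits are checked first."""
    if limits.max_amount is not None and txn.amount > limits.max_amount:
        return "DENY", 100, ["exceeds cardholder-set amount limit"]
    if txn.country in limits.blocked_countries:
        return "DENY", 100, ["country blocked by cardholder"]
    score, reasons = risk_score(profile, txn)
    if score >= deny_at:
        return "DENY", score, reasons
    if score >= review_at:
        # The older pattern: approve, then contact the cardholder to verify.
        return "REVIEW", score, reasons
    return "APPROVE", score, reasons


# Constructed history: a cardholder who buys groceries, fuel and meals in the US.
HISTORY = [Txn(a, c, "US", h) for a, c, h in [
    (40, "grocery", 18), (60, "fuel", 8), (80, "restaurant", 20),
    (40, "grocery", 17), (60, "fuel", 9), (80, "restaurant", 19),
    (40, "grocery", 18), (60, "fuel", 7), (80, "restaurant", 21),
    (40, "grocery", 16), (60, "fuel", 8), (80, "restaurant", 20),
]]


def demo():
    """Score a handful of constructed authorizations against the profile."""
    profile = CardholderProfile(HISTORY)
    limits = CardholderLimits(max_amount=1000.0)
    cases = {
        "routine": Txn(45, "grocery", "US", 12),          # normal: approve
        "foreign_night": Txn(950, "electronics", "XX", 3),  # every rule fires
        "legit_tv": Txn(700, "electronics", "US", 15),    # real purchase, false denial
        "over_limit": Txn(1200, "grocery", "US", 12),     # cardholder's own cap
        "new_shop": Txn(95, "hardware", "US", 14),        # borderline: review
    }
    return {name: authorize(profile, limits, t) for name, t in cases.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in demo().items():
        print(f"{name:14s} {decision:8s} {score:3d}  {'; '.join(reasons)}")
```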

While few may find fault with using data for financial risk management purposes, the line is blurry between privacy and data analysis for behavioral activity. Let's say you normally use a particular prescription medication for treatment of a chronic medical condition. Data analysis can tell how frequently you should be getting refills of that medication from your pharmacy. On the positive side, the pharmacy can use this information to send you reminders that it is time to order a refill. But what if the data shows that your refills are spaced further apart than the quantity and dosage level dictate? Is it ethical for the online pharmacy to notify your insurance provider that you appear to have significant lapses in taking your medicine when doing so could affect future coverage? At what point does "Big Data" become "Big Brother"?

In 2013, data security and privacy—the issues associated with Big Data—will be a major area of focus for the Retail Payments Risk Forum. In addition to looking at these issues in our Portals and Rails posts, we will be publishing white papers and convening forums with designated stakeholders to further discuss these issues. We welcome your input on what topics you would like to see us cover.

Oh, and as to that $5 offer, I think I'm going to hold out for a few months and see if they are willing to raise the ante. If this blog is being data scrubbed, I think $10 will do it!

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

On a different note, the Retail Payments Risk Forum would like your feedback on our blog. We would be grateful if you would take a moment to complete our survey. It really is very short.

February 4, 2013 in cards, consumer protection, privacy


May 29, 2012

Are social security numbers still secure enough for payments?

Identity authentication is becoming increasingly important today as consumers conduct more and more social interactions, commerce, and financial transactions online. Many emerging payment methods are conducted electronically today and will no longer involve the face-to-face interactions that have provided an additional layer of security for our traditional retail payments environment. Unfortunately, our primary means of personal identification is the social security number, and it is becoming more vulnerable to compromise. How do we mitigate the risks in innovative payments going forward with traditional identification methods?

A well-intended system
The social security number was created in 1936 as a way to track workers' benefits for the new pension program. At the time, no other use for the number was envisioned. In 1943, however, President Roosevelt signed an executive order allowing other government agencies to use social security numbers. Today, the numbers are the primary identifiers for many government functions, including filing taxes, receiving all manner of benefits, and enlisting in the military. Social security numbers are also widely used in the private sector, especially in the healthcare and financial industries. They have become the default identifier used by healthcare providers, insurers, credit bureaus, banks, and others when signing up new customers.

Social security numbers—not so secure
You probably believe that your social security number is private. You probably assume that it's kept private by those who use it to verify your identity. But how many different people have seen your number, or some part of it, in the past decade? It's out there every time you've gone to a new healthcare provider, signed up for a new insurance plan, or applied for a credit card, bank account, or cell phone plan. Researchers have even developed an algorithm for guessing a person's number using just their place and date of birth.

The problem with such widespread use of social security numbers is that they are easily exposed and vulnerable to use in identity theft and related crimes, including various types of payment fraud. It goes without saying that new identification and authentication methods will be needed in the future to ensure that the personal information accessible via social security numbers can be protected and kept secure.

Mitigating compromise and improving personal authentication
In 2008, the Federal Trade Commission (FTC) developed recommendations on preventing the misuse of social security numbers for identity theft. First, they recommend using multifactor authentication, including additional processes in addition to the social security number. The FTC recommends further that, whenever possible, users should restrict the public display and transmission of social security numbers from applications, identity cards, and other documents. As crimes in electronic networks grow more prevalent, it will be increasingly important that the industry use multifactor authentication practices to combat the threat of outmoded personal identification methods.

By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

May 29, 2012 in identity theft, payments, privacy


FFIEC came up with guidelines for 2FA around seven years ago and followed it up with some more guidelines this year. Despite the passage of so much time and the fact that virtually all other large nations have adopted 2FA, banks and e-commerce merchants in the US are conspicuous by their absence of following even the basics of strong authentication like VbV, etc. Is this because 2FA introduces additional friction and/or false positives that result in greater revenue losses than potential loss by fraud? Given where the US is, is there any evidence that fraud loss as a percentage of transaction value is higher in the USA than elsewhere in the world?

Posted by: Ketharaman Swaminathan | May 31, 2012 at 06:49 AM


March 5, 2012

Generations of payment innovations


Bob Kennedy is a director and payments expert in the Fed Atlanta's supervision and regulation department. As Bob prepares for retirement next month, we sat down to talk about his thoughts on the retail payments environment in the United States.

P&R: Bob, you've gained a reputation in industry circles as an expert in the payments field and a frequent speaker at industry events with a long and distinguished career in bank supervision. Can you tell us a little about your background and your retail payments experience?

Bob: I actually come from a banking family. My grandfather actually set up a bank in the 1890s in a small town in rural Alabama to provide simple financial services to businesses and over time it grew and expanded to more consumer-based financial services. My father took over the business and employed me as early as age 12 on the teller line one day a month after school, authenticating customers who came in to cash their social security checks.

Payment services were pretty simple back then. At our little bank, customers had traditional demand deposit accounts but we did not issue checkbooks. So when they wanted to make a purchase at a merchant they would use counter checks and fill in their account information. The merchant would call my father at the bank to verify the customer's identity and funds availability.

By the 1960s, things were getting more complicated. Our customers were starting to shop more in nearby cities, so they asked us for preprinted checkbooks. My father lost an important control when we started to issue these, but we recognized the need to change with our customers so we could keep their business. Then in the 1970s, our customers demanded credit cards. The point of this history summation is that the family bank had to change to adapt to consumer demand. The same holds true today as we continue to see disruptive forces that are changing the payments business.

P&R: How would you characterize the general landscape today for bank adoption of emerging retail payments?

Bob: I would characterize the landscape as exciting because nothing is static—there is a lot going on, and we're seeing community banks beginning to adopt new types of payments. Banks are adapting to consumer demand, as before, but at the same time they need to be able to find a reward for providing the product or service, and that's in the form of revenue or customer retention. They have to have a use case for offering new services.

One of the biggest drivers of change in retail payments these days is the demand for payments data, which has become a virtual treasure trove in the sense that it provides tangible evidence about consumer decisions about products and services. A consumer who buys something has made a clear decision about the product, the retailer, and the date and time when he or she makes the purchase. This is why data mining is becoming so important to merchants in developing marketing strategies.

For example, a large retailer with a decoupled debit card may obtain information about individual consumer spending habits that it uses to help understand future potential consumer choices about products and services. According to a recent article by Charles Duhigg in the New York Times, this retailer has collected tons of data on every regular customer they have. With a "Guest ID" that the store assigns to these regulars, they track everything they buy. I believe this is why a lot of big nonbank firms like Google and PayPal are trying to establish a foothold in retail payments through the introduction of new payment channels. They recognize the monetary value of payments data at the point of sale.

P&R: What are the primary risk concerns for banks in retail payments today?

Bob: There are multiple risks for banks to consider, including operational and liquidity risks. Clearly, for U.S. banks, strategic risk is critical today with nonbank firms introducing disruptive innovations and evolving as a competitive force for banks that must remain relevant and profitable at the same time. They are forced to continually assess their business models as a result. On the positive side, we are seeing new partnerships. I read about the new alliance with Regions Bank and Western Union, leveraging each firm's agent or branch networks to provide remittance and banking services on a complementary, cross-selling versus competitive basis.

That brings us to vendor management. With banks outsourcing and partnering with nonbank, third-party firms, increased oversight for those relationships is required, along with more expertise at the bank level. For many community banks, hiring that level of expertise is challenging, and they need to rely on the risk management services from their core processors.

In addition, liquidity risk for banks in this new payments landscape has been heightened by the more rapid clearing and settlement of payment files.

Finally, security and privacy are big issues for U.S. financial institutions today, not only from a regulatory perspective but also—more importantly—from the need to protect the bank's reputation among its customers as a trusted payments partner.

P&R: What trends should industry stakeholders watch going forward?

Bob: Technological advancements are making our retail payment systems more effective, efficient, and easy. U.S. banks are doing a good job and approaching these new services and partnerships with sound due diligence. Retail payments will continue to change going forward, with disruptive services and nonbank firms appearing in ways we cannot predict. I think it will continue to be an exciting area to watch for a long time.

March 5, 2012 in banks and banking, cards, privacy | Permalink



November 1, 2010

Beware of cybercrashers to your social network party

According to the Nielsen Company, the overall global traffic to social network sites grew nearly 30 percent in one year, from 244.2 million users in February 2009 to 314.5 million users in February 2010. In the United States alone, the average active social network audience grew 22.8 percent, from 115 million to 149 million during that same time period. If social networks are expanding this rapidly, can the growth of associated risks—specifically, data privacy—be far behind?

Percentage of Americans who own gadgets

Establishing privacy parameters
Privacy is perhaps the most significant concern surrounding the use of online social networking sites. Recently, BBC Mobile reported that consumer confidence in social networking sites has been shaken as issues over privacy concerns have come to light. Results of an RSA 2010 Global Online Consumer Security Survey show that, even as thousands of individuals join social networking websites each day, nearly 65 percent of survey respondents indicated that they are less likely to interact or share information due to growing security concerns. Although most online social networking sites have privacy protections in place that allow users to establish their own level of security settings, online social networks are inherently public, which makes it difficult to secure nonpublic information. But if users are shielding their personal information through security settings, how, then, are hackers able to extract this information and steal their identities? Could the simple act of sharing, friending, or posting make it easier for hackers to attack a social network site and impersonate its users?

Facing incoming threats to social network sites
Corporations that use social networks as communication tools (or corporations whose employees use them without IT's authorization) are faced with significant security and compliance risks. In a survey that FaceTime conducted of IT groups, 14 percent of respondents reported that they've seen data leak through social networks. According to this study, Web 2.0 applications like instant messaging, Skype, and the chat functions within social networks can travel undetected through an organization's network, thus posing the risk that confidential information such as credit card details will leave the organization's control without authorization. Hackers use various means to attack social network sites, including phishing, spam, and malware. Their success is in part due to the trust users place in their networks. The study also notes that users are far more likely to click on a link from a friend on a social network site than in an e-mail.

Using small bits of information to gain entry
Gateway data, a term coined by Herbert Thompson, a professor at Columbia University, refers to the confidential information harvested by cybercriminals from social networking sites. According to Thompson and researchers at Carnegie Mellon University, hackers can use a piece of confidential information such as someone's mother's maiden name, discovered on a social network site, to answer a challenge question and gain access to the person's account or personal financial data. Those who hold gateway data can also use such single pieces of information to trick the user into revealing even more sensitive information.

In a 2009 study, researchers from Carnegie Mellon University were able to deduce the Social Security numbers of millions of individuals just by sifting through fragments of data typically shared on social networks and other publicly available sources. Another study, this one by Consumer Reports, found that 52 percent of social network users disclose information that could leave them vulnerable to cybercriminals. Pieces of information such as a mother's maiden name, home address, or home or mobile phone number can enable perpetrators to steal users' identities.

Deterring cybercrime with a healthy dose of skepticism
The global reach and public nature of social networking websites have made them a favored target for online criminals. While consumers enjoy the ease of communication and information sharing on these social networks, these online forums have introduced new and unanticipated risks. Users must take some crucial steps to deter theft of their identities, including becoming educated about the types of online crime while avoiding such common pitfalls as weak security settings and compulsive information sharing.

A healthy dose of skepticism on what, how much, or with whom to share can go a long way in reducing the exposure of personal, confidential information, because what is shared on the Internet stays on the Internet.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

November 1, 2010 in cybercrime, identity theft, privacy, social networks | Permalink



September 20, 2010

Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 2 of 2)


Last week, in Part 1, we took a conceptual look at the issue of balancing financial privacy interests with catching criminals. This week we look closer at the subject, with an eye on the legal landscape of financial privacy laws and law enforcement's ability to access financial records under the existing laws.

The legal battle between law enforcement and personal privacy in the United States is as old as privacy law itself, and maintaining a balance between the two has for years required continuous maintenance of financial privacy laws. One of the most recent changes occurred in 2001, with the introduction of the Patriot Act. While the Patriot Act gives law enforcement agencies easier access to financial information so they can intercept terrorist financing and prevent money laundering, the Patriot Act has also been used routinely to combat nonterrorist criminals.

But have we struck the right balance yet? Or are stronger financial privacy parameters needed to tip the scales in favor of either the consumer or law enforcement?

The financial privacy law landscape prior to the Patriot Act
Historically, customers have expected their bank records to be held in confidence, relying largely on their right to financial privacy based on their contractual agreement with the bank. But in 1970, the Bank Secrecy Act (BSA) became law and turned that expectation upside down. The BSA began requiring financial institutions to maintain certain records on their customers and authorized the Secretary of the Treasury to require financial institutions to report certain financial transactions. That same year, the Fair Credit Reporting Act (FCRA) was passed, with the goal of safeguarding consumer financial information by limiting the availability of consumer credit reports to specific "permissible purposes."

In 1978, the Right to Financial Privacy Act was passed, which generally precluded the disclosure of a consumer's individual financial records to a government authority without the customer's consent, absent a subpoena or other judicial order. In 1999, Title V of the Gramm-Leach-Bliley Act addressed several additional issues relating to the protection of nonpublic personal information maintained by financial institutions. Since their enactment, each of these statutes has undergone several amendments, mostly in response to the competing interests between a consumer's right to financial privacy and law enforcement's legitimate need to access consumers' financial records.

The Patriot Act: enhanced law enforcement access to customers' financial records
The Patriot Act allows law enforcement to develop a strategy for catching the bad guys by virtue of significant changes in the regulatory scheme of financial privacy, including new "Know Your Customer" rules and provisions allowing the sharing of information between law enforcement and financial institutions. Specifically, section 314(a) of the Patriot Act allows law enforcement agencies to gather financial data about a person being investigated.

Under section 314(a), a federal law enforcement agency investigating either terrorist activity or money laundering may request that FinCEN (the U.S. Department of the Treasury's Financial Crimes Enforcement Network) provide certain financial information from a financial institution or group of financial institutions. FinCEN then turns to the financial institutions and asks them to search their records to determine whether they maintain or have maintained accounts for, or conducted transactions with, the individual or entity specified by the law enforcement agency.

If a financial institution has a record of dealing with the subject of the inquiry, it must report back to FinCEN, which in turn shares the collected financial information with the law enforcement agency. Financial institutions may not disclose that FinCEN or the requesting agency made such an information request. No search warrant or subpoena is required.

Section 314(a): Beyond terrorist financing and money laundering
According to FinCEN, investigations incorporating section 314(a) requests have included a Hawala operation, cigarette smuggling, arms trafficking, investment fraud, and an international criminal network. Anonymity stifles the ability of law enforcement to combat criminal activity. Consequently, one of the biggest challenges confronting law enforcement officials is connecting the dots when trying to catch the bad guys. However, given the delicate and often strained balance between the privacy laws and law enforcement’s need to access financial records, can a sacrifice in financial privacy result in a balancing benefit in more effective law enforcement, or does law enforcement have adequate tools today to intercept criminal activity?

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 20, 2010 in data security, privacy | Permalink


