Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
November 1, 2010
Beware of cybercrashers to your social network party
According to the Nielsen Company, the overall global traffic to social network sites grew nearly 30 percent in one year, from 244.2 million users in February 2009 to 314.5 million users in February 2010. In the United States alone, the average active social network audience grew 22.8 percent, from 115 million to 149 million during that same time period. If social networks are expanding this rapidly, can the growth of associated risks—specifically, data privacy—be far behind?
Establishing privacy parameters
Privacy is perhaps the most significant concern surrounding the use of online social networking sites. Recently, BBC Mobile reported that consumer confidence in social networking sites has been shaken as issues over privacy concerns have come to light. Results of an RSA 2010 Global Online Consumer Security Survey show that, even as thousands of individuals join social networking websites each day, nearly 65 percent of survey respondents indicated that they are less likely to interact or share information due to growing security concerns. Although most online social networking sites have privacy protections in place that allow users to establish their own level of security settings, online social networks are inherently public, which makes it difficult to secure nonpublic information. But if users are shielding their personal information through security settings, how, then, are hackers able to extract this information and steal their identities? Could the simple act of sharing, friending, or posting make it easier for hackers to attack a social network site and impersonate its users?
Facing incoming threats to social network sites
Corporations that use social networks as communication tools (or corporations whose employees use them without IT's authorization) are faced with significant security and compliance risks. In a survey that FaceTime conducted of IT groups, 14 percent of respondents reported that they've seen data leak through social networks. According to this study, Web 2.0 applications like instant messaging, Skype, and the chat functions within social networks can travel undetected through an organization's network, thus posing the risk that confidential information such as credit card details will leave the organization's control without authorization. Hackers use various means to attack social network sites, including phishing, spam, and malware. Their success is in part due to the trust users place in their networks. The study also notes that users are far more likely to click on a link from a friend on a social network site than in an e-mail.
Using small bits of information to gain entry
Gateway data, a term coined by Herbert Thompson, a professor at Columbia University, refers to the confidential information harvested by cybercriminals from social networking sites. According to Thompson and researchers at Carnegie Mellon University, hackers can use such confidential information as someone's mother's maiden name—discovered from a social network site—to answer a challenge question and gain access to the person's account or personal financial data. Criminals holding gateway data can also use these single pieces of information to trick the user into revealing even more sensitive information.
In a 2009 study, researchers from Carnegie Mellon University were able to deduce the Social Security numbers of millions of individuals just by sifting through fragments of data typically shared on social networks and other publicly available sources. Another study, this one by Consumer Reports, found that 52 percent of social network users disclose information that could leave them vulnerable to cybercriminals. Pieces of information such as a mother's maiden name, home address, or home or mobile phone number can lead perpetrators to steal users' identities.
Deterring cybercrime with a healthy dose of skepticism
The global reach and public nature of social networking websites have made them a favored target for online criminals. While consumers enjoy the ease of communication and information sharing on these social networks, these online forums have introduced new and unanticipated risks. Users must take some crucial steps to deter theft of their identities, including becoming educated in the types of online crime while avoiding such common pitfalls as weak security settings and compulsive information sharing.
A healthy dose of skepticism on what, how much, or with whom to share can go a long way in reducing the exposure of personal, confidential information, because what is shared on the Internet stays on the Internet.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 12, 2010
The confluence of payments, social networks, and malware: Elements of a perfect storm?
Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?
More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of users accessing social networks through the mobile channel more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.
Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. A chart in the report reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page that is blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and into following links to sites that host malware downloads.
Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user's personal data, facilitating identity theft and payment fraud.
Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
December 21, 2009
"Money mules" carry load for global cybercriminals
In November, Portals and Rails explored the industry implications of hacking attacks that have resulted in fraudulent funds transfers using online banking interfaces. This week, Portals and Rails revisits this topic, focusing on the tactics these fraudsters use to dupe unsuspecting individuals and organizations.
The FDIC released a special alert on October 29, warning financial institutions of an uptick in schemes to recruit individuals to receive and transmit unauthorized electronic funds transfers (EFTs) from deposit accounts to individuals overseas. These funds transfer agents, also referred to as "money mules," are solicited online by criminals who have gained unauthorized access to the account of a business or consumer. Typically, the criminal will originate unauthorized EFTs from the victim's account to the money mule's deposit account. The money mule is then instructed to quickly withdraw the cash and wire it overseas, minus a "commission" of 8 to 10 percent.
Fraudsters perpetrate work-at-home scams using online job postings and social networking sites
A common hiring tactic for money mules is the offer of work-at-home jobs or other seemingly legitimate positions. Fraudsters will use online job search Web sites and social networking sites to persuade individuals to receive and forward stolen funds. According to the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA), victims are often hired to "process payments," "transfer funds," or "reship products." Other victims sign up to be "mystery shoppers" who receive fraudulent checks with instructions to cash the checks and wire the funds to "test" the performance of a money service business.
The job scams also provide the criminal an opportunity to commit identity theft against the money mule. The personal information provided on the "employment" application (e.g., Social Security number or bank account information) may be used to open credit cards, post online auctions, etc., in the money mule's name and possibly commit additional crimes.
Sophisticated fraudsters use malicious code and money mules to conduct unauthorized funds transfers
An FBI alert issued last month describes how fraudsters are increasingly using malicious code to conduct unauthorized ACH transfers with the help of money mules. Many of these cases involve exploiting the online banking credentials belonging to small and midsized businesses, municipal governments, and school districts.
A typical scenario involves a "spear phishing" e-mail sent to someone within the company that either carries an infected attachment or directs the recipient to an infected website. Spear phishing is a phishing attack that targets a specific person and deceptively appears to come from an individual or organization that the potential victim would normally receive e-mails from. The e-mail recipient would usually have authorization to make funds transfers on behalf of the company.
Once the recipient opened the attachment or visited the Web site, malware (malicious software code) containing a key logger would be installed on the recipient's computer. The key logger captures the keystrokes as the recipient enters business or corporate bank account login information. Once this information is compromised, the perpetrator either creates another user account with the stolen login or directly initiates funds transfers through either ACH or wire transfer by assuming the legitimate user's identity. The transactions are typically in increments less than $10,000 to avoid currency transaction reporting. Money mules play an important role in these schemes by helping to facilitate the unauthorized transfer of funds.
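The pattern just described, several transfers each kept under $10,000 and sent within a short period to beneficiaries the business has never paid before, is something the originating bank's fraud-monitoring side can screen for. The Python example below is added here and is not code from the blog or from any institution it mentions; the sample ledger, account IDs, 10 percent band below the threshold, 24-hour window and three-transfer minimum are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger of outgoing transfers (not real data):
# (timestamp, originating account, beneficiary account, channel, amount in USD)
SAMPLE_TRANSFERS = [
    ("2009-11-03 09:12", "BIZ-1001", "PAYROLL-77", "ACH", 48250.00),  # routine payroll batch
    ("2009-11-03 09:40", "BIZ-1001", "IND-5531", "ACH", 9480.00),     # new individual payee
    ("2009-11-03 09:52", "BIZ-1001", "IND-6207", "ACH", 9910.00),     # new individual payee
    ("2009-11-03 10:05", "BIZ-1001", "IND-8843", "ACH", 9675.00),     # new individual payee
    ("2009-11-03 10:31", "BIZ-1001", "IND-9120", "WIRE", 9800.00),    # new individual payee
    ("2009-11-04 14:00", "BIZ-2002", "VENDOR-12", "ACH", 9700.00),    # known vendor, legitimate
    ("2009-11-02 11:00", "BIZ-3003", "IND-0101", "ACH", 9500.00),     # three new payees, but
    ("2009-11-06 11:00", "BIZ-3003", "IND-0202", "ACH", 9550.00),     #   spread over a week,
    ("2009-11-10 11:00", "BIZ-3003", "IND-0303", "ACH", 9600.00),     #   so outside the window
]

# Beneficiaries each originator has paid before (constructed; a real system
# would derive this from the account's payment history).
KNOWN_PAYEES = {
    "BIZ-1001": {"PAYROLL-77"},
    "BIZ-2002": {"VENDOR-12"},
    "BIZ-3003": set(),
}


def flag_mule_structuring(transfers, known_payees, threshold=10_000.0,
                          band=0.10, window=timedelta(hours=24), min_count=3):
    """Return one alert per burst of transfers matching the mule pattern:
    at least `min_count` payments from one originator, each just under
    `threshold` (within the top `band` fraction below it), to beneficiaries
    the originator has never paid before, all inside a single `window`."""
    suspicious = defaultdict(list)
    for ts, origin, bene, channel, amount in transfers:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        near_threshold = threshold * (1 - band) <= amount < threshold
        new_payee = bene not in known_payees.get(origin, set())
        if near_threshold and new_payee:
            suspicious[origin].append((when, bene, channel, amount))

    alerts = []
    for origin, events in suspicious.items():
        events.sort(key=lambda e: e[0])
        i = 0
        while i < len(events):
            # all qualifying events that fall within `window` of the i-th one
            cluster = [e for e in events[i:] if e[0] - events[i][0] <= window]
            if len(cluster) >= min_count:
                alerts.append({
                    "origin": origin,
                    "count": len(cluster),
                    "total": round(sum(e[3] for e in cluster), 2),
                    "payees": sorted({e[1] for e in cluster}),
                    "channels": sorted({e[2] for e in cluster}),
                    "first": cluster[0][0],
                    "last": cluster[-1][0],
                })
                i += len(cluster)  # do not raise a second alert for the same burst
            else:
                i += 1
    return alerts


def describe(alert):
    """One-line summary suitable for a fraud-operations review queue."""
    return (f"{alert['origin']}: {alert['count']} transfers totaling "
            f"${alert['total']:,.2f} to {len(alert['payees'])} new payees "
            f"between {alert['first']:%Y-%m-%d %H:%M} and {alert['last']:%H:%M}")


if __name__ == "__main__":
    for alert in flag_mule_structuring(SAMPLE_TRANSFERS, KNOWN_PAYEES):
        print(describe(alert))
```

Only BIZ-1001 is flagged: BIZ-2002's payment goes to a known vendor, and BIZ-3003's three just-under-threshold payments are too far apart in time to form a burst.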
Small and midsized businesses lose millions to online banking scams
Reportedly, small to midsized businesses in the United States have lost $40 million to online banking fraud since 2004. FBI analysis has found that the main threat from these schemes is not merely the malware but the vulnerabilities presented by the lack of controls at the financial institution or third-party provider. In most cases, the victims' accounts were held at local community banks and credit unions, some of which used third-party service providers to process ACH transactions.
Many believe that the uptick in these types of fraudulent payment activities relates directly to the decline in the economy. Consequently, financial institutions, businesses, and consumers have to be vigilant in looking for signs of this activity. The Federal Financial Institutions Examination Council (FFIEC) provides guidance to financial institutions and technology service providers on authentication in an Internet banking environment. Money mule activity in particular is addressed by the Bank Secrecy Act and Anti-Money Laundering regulations. There are also resources available to consumers and businesses on how to protect themselves from these types of online scams.
By Jennifer Grier, senior payments risk analyst at the Atlanta Fed
September 8, 2009
Will micropayments thrive in social networks? (Part 2 of 2)
This is the second of a two-part series on micropayments and social networks. Last week’s blog posting discussed how some social network sites are exploring the opportunities to offer payment services or are permitting outside payment providers to operate on their social network platforms. Twitpay and Twollars, two third-party platforms used on the Twitter platform, were discussed in Part 1. This week, we examine other players in this emerging market.
Facebook is likewise evolving as an ecosystem for emerging micropayment service providers. Users are increasingly spending real money on virtual goods in the applications that run on Facebook's platform and on Facebook credits. Facebook credits are funded using major credit cards and are available in U.S. dollars as well as foreign currency denominations. The social network has realized tremendous success since its inception. Recently the research firm Nielsen revealed in its June 2009 report that Americans spent more time on Facebook sites than on other top Internet sites.
Table 1: Top 10 Parent Companies/Divisions for June 2009 (U.S., Home, and Work)

| Rank | Parent | Unique Audience (000) | Time Per Person (hh:mm:ss) |
|---|---|---|---|
| 5 | News Corp. Online | 90,308 | 1:54:59 |

Source: Nielsen NetView
In addition to providing the platform for other payment application developers, Facebook recently launched its own virtual currency payment service for applications on its network called "Pay with Facebook." The new service is currently live with its application GroupCard, which allows users to purchase items from $3 to $25 and pay for them with a credit card or Facebook credits.
It will be interesting to see if the growth of the Facebook network drives adoption of the newly introduced payment service.
Spare Change is a payment application currently on social networks Facebook, MySpace, and Bebo that lets users make purchases from social network applications and games and then make payment via PayPal. Users can open a Spare Change account and fund it with a credit card, PayPal, bank account, or mobile phone. According to the Web site, consumers can use Spare Change balances to purchase hundreds of applications easily—an "iTunes-style business model for social networks." Spare Change markets itself as the largest micropayments system for social networks, claiming acceptance by more than 700 different games and applications.
Zong is a payment provider that allows consumers to purchase virtual currency, gifts, and other applications on social networks via the mobile phone in lieu of traditional payment methods. Zong uses the mobile carriers with whom it partners to bill customers for their transactions. Once the consumer has paid his or her mobile phone bill, Zong in turn pays the merchant. The distinguishing feature of Zong's business model for micropayments is its nine-year relationship with mobile carriers globally. At this time, however, Zong is available for digital goods and services only.
BOKU functions similarly to Zong in that it enables micropayments for games and applications and doesn’t require users to pay via a credit card or traditional bank account. Instead the transaction charges are itemized on the user's monthly cell phone bill. BOKU's partnership with social network hi5 affords it an international presence where users in 24 countries can purchase virtual currency with their mobile phones. BOKU recently expanded into the United States through agreements with mobile carriers AT&T and T-Mobile.
This certainly isn’t an exhaustive list (and is not an endorsement), but it is enough to give you a general idea of some emerging trends. And while the market audience for the goods and services available on social networks is focused on games and applications, it could change as social networks become increasingly ubiquitous. As social networks evolve, the risk environment for virtual and electronic micropayments will be on our radar.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed
August 31, 2009
Will micropayments thrive in social networks? (Part 1 of 2)
This is the first of a two-part series on micropayments and social networks.
One of the most recent, and indeed interesting, phenomena is the entrance of social networks into the micropayments arena. Micropayments, generally defined as small-dollar transactions of $25 or less, are inherently inefficient. Converting them into electronic payments from the traditional cash market is costly, since fees such as interchange can consume a large percentage, if not all, of the transaction.
However, things have been changing recently as the environment for small payments has grown more hospitable. Credit card companies have introduced contactless payment devices to address the costs associated with unattended purchases such as parking meters and vending machines. The emergence of online payment network contenders such as PayPal, Amazon, Google, and others has fueled the growth of online micropayment transactions, as has the growth in online media sales, such as the 99-cent songs on Apple’s iTunes.
Several social networks have gained popularity recently as trusted sites for the exchange of information, digital media, and communication. This popularity and trust can help foster the network effect necessary for establishing an effective payment system. However, developing a new payment system is a risky venture, and many micropayment provider start-ups are not successful.
While some social network sites are exploring the opportunities to offer payment services, they are also permitting outside payment providers to place their applications on the social network platforms. These payment providers are able to leverage the social network platforms to provide online payment solutions and monetize digital currency.
The demand for digital currency via social networks and the ability to monetize transactions in virtual economies are garnering attention from venture capitalists—and they’ve captured our attention, for the moment. The remainder of this blog as well as next week’s will examine a few examples of the emerging micropayment service providers that we found. Keep in mind, our list is by no means an endorsement or an exhaustive list.
First, consider Twitter, a social networking site that lets users give short updates to other users about what they are doing. Twitter has, in essence, created an ecosystem in which third-party service providers are leveraging it to enable micropayments. A recent person-to-person (P2P) start-up called Twitpay allows Twitter users to send payments to other Twitter users—that is, as long as they both have PayPal accounts. As a third-party application that merely uses the Twitter platform, Twitpay has no formal ties to Twitter, aside from the similar name.
The user fills in the payment instructions and presses the "tweet" link at https://twitpay.me. The application delivers the payment to the recipient's Twitpay account. The recipient pays the cost of the transaction, which currently consists of PayPal's commercial transaction fee of 2.9 percent plus 30 cents. A user also can replenish his Twitpay account using PayPal.
Another third-party application that recently started using the Twitter platform is Twollars, a vehicle for charitable giving in small-dollar denominations that allows Twitter account holders to donate to a charity or cause of their choice. Twollars was conceived in January 2009 as a way for people on Twitter to thank one another for sharing digital content and giving advice and information. The symbolic currency, "twollars," can be converted by charities into real currencies, such as dollars and euros, again via PayPal. The Twollars Web site contends that Twollars can only be converted into real currency through donations to good causes. Charities can start campaigns on Twitter to raise funds. Any Twitter user starts with 50 Twollars. The Twitter platform allows even the smallest charity to reach a large audience. The site even allows businesses to reward customers with Twollars to be used for a charitable cause of their choice.
Next week in Part 2, we look at Facebook as well as other players in this emerging market such as Spare Change, Zong, and BOKU.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed