Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
January 26, 2015
Tackling Fraud with Data
As the dust settles on the 2014 retail holiday season, it isn't surprising to learn that e-commerce was once again the winner. ComScore reported that online holiday spending through December 21 was $48.3 billion, a 15 percent increase over 2013. And there is nothing to suggest that this growth trajectory will flatten. While these trends are encouraging for online retailers' sales departments, they must be challenging for their fraud and loss prevention teams. According to the 2013 Federal Reserve Payments Study, card-not-present fraud rates were approximately three times higher than card-present fraud rates in 2012.
Just before the holiday shopping season, CyberSource released its 15th Annual Online Fraud Management Benchmark Study. This 2014 study reveals that merchants improved order conversion through lower rejection rates while keeping their fraud losses stable. Naturally, I was curious about the tools that yielded these results and wondered to what extent they might have changed. Using CyberSource's 2012 study to compare, I found some surprises.
In 2012, validation tools were used the most—79 percent of merchants used a card verification number and 77 percent used address verification. Of the merchants who did not use these tools, 81 percent indicated they planned to implement a card verification number and 61 percent planned to use address verification. While merchants can implement these tools with little cost, their effectiveness, according to the surveyed merchants, is limited.
Given the 2014 report's positive findings, coupled with the expected very high use of card verification numbers and address verification reported in 2012, I was expecting merchants to rate the effectiveness of these tools higher. Interestingly, even though these validation tools remained the most prominent, their usage did not increase as expected, despite the number of merchants who planned to implement them following the 2012 study. And there was not a significant increase in their reported effectiveness.
Here's what did change: the use of proprietary data tools such as customer order history, in-house positive and negative lists, and company-specific fraud scoring models. Purchase device tracking tools, such as fingerprinting, also saw an increase in usage, though not as large an increase as the proprietary data tools. And it is these tools that, generally speaking, are rated as the most effective fraud management tools by the merchants surveyed.
The 2014 study highlighted improved fraud management. I have several of my own highlights. Merchants appear to be more apt and capable of leveraging their own data today than in the preceding several years. And they are finding that using this data is more effective in combating fraud than traditional validation services. I think it's important to note that only two tools (device fingerprinting and a fraud scoring model) were selected by more than 50 percent of merchants as most effective. Even though traditional validation services are still highly used and useful, no single tool is a panacea for fraud management. A layered approach using multiple tools and data elements is critical for success. I suspect this trend of merchants using their own customer data to manage CNP fraud will continue. I also expect that data-centric tools will become more effective as merchants become more sophisticated with data analysis.
What is your view on the future role of proprietary data in CNP fraud management?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 20, 2015
Phone Scams: Still Calling Around
With 2014 filled with news about data breaches and faster payments and new technologies trying to jumpstart various payment applications, it was easy to forget about that old-fashioned device, the telephone, and the role it can play in fraud. (It's been almost a year since I wrote the post "Phone Fraud: Now It's Personal!" about fraud schemes involving telephones.)
Pindrop Security recently released some research on the most frequent consumer phone scams, reminding us of how criminals can use a low-tech device combined with high-tech research tools to scam millions of consumers out of tens of millions of dollars each year.
We can generally place the underlying tactics of the scams into one of four categories:
- Scare tactics. Often, the caller poses as a governmental agency official such as an IRS agent or law enforcement officer and advises the victim they have an outstanding debt or arrest warrant. The caller tells the victim to send in a certain amount of money immediately to cover the debt or pay a fine—or be arrested, have a lien placed against the home, or face other serious actions. The criminal's goal is to obtain funds directly from the victim.
- Attractive offers. In this type of scam, the caller generally wants the victim's payment card or bank account number—although, as we outlined in an earlier post on advance fee scams, the caller may also be after direct payments. The offer may be for anything from a free vacation to a government grant, or from a reduction in the victim's mortgage or credit card interest rate. In any case, the caller insists the victim pay a handling fee. Sometimes, the caller asks questions about the victim's banking accounts to make sure the victim "qualifies" for the special offer. With the information obtained, the fraudsters generate payment transactions or use that information for future identity theft efforts.
- High-pressure techniques. Most scams involve high-pressure techniques; the criminals want to create a sense of urgency to get the victim to act quickly, without thinking. A common scenario is when the caller tells the victim that his or her bank account or payment card has been frozen because of suspicious activity and then urges the victim to provide sensitive account information to restore the account to normal status. The caller can then use the information the victim has provided to initiate fraudulent transactions or identity theft.
- Information-gathering. A criminal may call to get "additional" information about a customer to go into an identity profile that the criminal can use later in committing an identity theft crime. Often the criminal has already gathered some information about the targeted victim through social media or public records to weave into a cover story about why they are requesting the information to make the story more believable.
Since any of us can be a target of such calls, we must educate ourselves—and the public and our colleagues—about these scams constantly so we can all be on the alert and safeguard our accounts and personal information.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
January 12, 2015
Forming a More Perfect Union (for Faster Payments)
Thus far, conversations about the basic idea of moving ahead with near-real-time payments in the United States have been positive. However, the thorny business of "walking the talk" hasn't begun. When the time comes to do so, I expect less comity.
The degree of fragmentation in the United States—within both the public and the private sector—is significant. Consider the public side first. To avoid listing each entity that has a stake in payments services, let me sum it up by saying that if we had a box of Alpha-Bits, we'd run out of letters long before we put together the acronyms of all the agencies and organizations. On the private side, fragmentation starts with merchants and banks but includes mobile and third-party providers as well. These groups are vital to the success of any effort to improve payments, but they don't move in lockstep. In the end, for a faster scheme to work, the public and private sides have to work through their respective issues—and then come together.
Whether we're considering the public or the private side of things, some of the trickiest questions look like this:
- What will faster payments cost and who will pay?
- Will certain interests lose from the success of faster payments in the United States while others win?
- Can we build a faster system quickly and flexibly enough before the next wave of technological advancement makes the current vision obsolete?
- What are the rules, and who will administer and manage them?
While you ponder those questions, consider this excerpt from the United Kingdom's Payment Systems Regulator consultation paper (November 2014):
The Payment Systems Regulator (PSR)…will become fully operational in April 2015. The PSR is a subsidiary of the Financial Conduct Authority (FCA), but it is an independent economic regulator, with its own objectives and governance.
In setting up the Payment Systems Regulator, the Government highlighted four aims for UK payment systems:
- UK payment networks that operate for the benefit of all users including consumers
- a UK payments industry that promotes and develops new and existing payment networks
- UK payment networks that facilitate competition by permitting open access to participants or potential participants on reasonable commercial terms and
- UK payment systems that are stable, reliable and efficient.
The Government's assessment was that there were problems in each of the first three of these areas, and that the best way to tackle these was to create a payment system regulator. The Government noted particular areas of concern, including ownership, innovation and access to payment systems…. [W]e believe that our regulatory package will address the underlying issues and concerns that led the Government to setting us up. However, should our proposals fail to do this, we will…consider further use of our competition and regulatory powers to take action as appropriate.
That's one way governance issues could be resolved here. Another way is revealed through a study of the evolution of the ATM networks. Consider that landscape circa 1980s and then contrast it to today. I can't do justice to that history in a single post but suffice it to say that the issues faster payments currently face look similar to those the ATM industry faced. Back then, the market figured things out. Such a course may be slower than a mandate, and there will be failures and angst. Will the United States need a PSR to direct us to faster payments, or will the market figure it out?
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
January 05, 2015
Can Insecurity Keep Us from Faster Payments?
Helen Keller once said, “Security is mostly a superstition. It does not exist in nature.… Avoiding danger is no safer in the long run than outright exposure.” It is unlikely that Ms. Keller was considering real-time payments when she offered this perspective, but this post will.
As part of its broad effort to chart a future for payments, the Federal Reserve conducted a Payment Security Landscape Study. It was no surprise that the study highlights “persistent and ever-changing threats” as a given within payment systems. The study suggested several improvement or focus areas:
- Improve industry coordination to increase the timely adoption and implementation of technology, standards and protocols.
- Improve the protection of sensitive data that can be used to perpetrate fraud, including devaluing or eliminating such data from the payments process.
- Strengthen authorization and authentication of parties and devices across all payment methods and channels and adapt approaches as the payment system evolves.
- Improve the collection and reporting of aggregate data on fraud losses and avoidance.
- Broaden access to actionable security and fraud threat information to payments system participants, including less technologically sophisticated participants and end users.
Applying Ms. Keller’s risk perspective to payments systems would suggest that work to prevent security breaches, fraud, or theft is futile. Fortunately, using the foregoing list as evidence, it’s clear that those considering the future of payments haven’t adopted this perspective. The most critical elements for optimizing the security of payments are all there, though some could surmise that detection or prevention measures have a disproportionate emphasis, with response measures perhaps rating as secondary. It is important to make sure that risk management is optimized across all three broad areas—prevention and detection, yes, but also response. In particular, in the context of response, the enforcement landscape will need to be ordered such that consequences for perpetrators are both timely and proportionate to the harm a given incident may cause. User protections will need to evolve as well.
If one agrees that advancing faster payments offers rewards and that holding back doesn’t promise freedom from harm, it’s encouraging to observe industry direction. Indeed, it seems reasonable to conclude that faster payments scheme architects will heed the notion that real-time payments will require real-time security. Particularly encouraging is that the discussion on payment security is at the center of industry dialogue and likely to remain so as the work to advance faster payments continues.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed