Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.
June 13, 2011
Avoiding security missteps in the brave new world of pervasive data collection
The emergence and meteoric rise of Internet-based firms and social networks is one of the biggest stories of the last decade. The movie version of Facebook's genesis even won several Oscars this year. The social network and its peers are noteworthy not only for their tremendous growth, but also for instituting a new business model. Facebook, Google, and similar companies generate the bulk of their revenues by collecting massive amounts of customer data to sell for targeted advertising.
Advertising based on such extensive data doesn't just result in higher sales—it also offers unprecedented value to consumers by matching them with the products they might want. However, consumers are also concerned about privacy. An ongoing Wall Street Journal investigation reveals the extent to which consumers' online behavior is being tracked by a multitude of players and the vast amounts of data now available to the highest bidder. And we've all been hearing about how the GPS location functionality of today's smartphones may be making it possible to collect additional consumer information. These trends are disconcerting to consumer advocates, who recognize that risks exist alongside the promise of valuable contextual and location-based offers. In addition to privacy implications, the broad collection of data raises questions about the security of that data. What are the risks to consumers if criminals gain access to these databases?
Any data that is collected and stored is at risk of being breached. This has been particularly troubling for the payments industry. Merchants and payments processors for years collected payment card data in their systems, regarding the threat of a breach as a low-probability and low-loss event. Eventually, enterprising criminals found ways to exploit this data, and PCI-DSS was born as a remedy. Merchants and processors were forced to play an expensive game of catch-up as they scrambled to become compliant.
Some consumers may not worry about breaches of online behavioral data. Who cares if someone finds out their favorite movies, that they have a weakness for Italian handbags, or that they stopped at Kroger after work on Thursday? These pieces of information seem banal and inconsequential. Further thought, however, reveals more worrisome possibilities. Imagine a data breach that exposed all of your movements for the last year, a complete profile of your preferences and demographic characteristics, or all of your online search behavior for the past quarter. In the wrong hands, such data could be used for illicit activities like identity theft and payments fraud.
Extensive behavioral information could facilitate financial fraud, allowing criminals to fly under the radar of existing fraud detection systems. In the United States, the use of transaction monitoring systems that rely on behavioral analysis to detect anomalous purchases has proven successful in mitigating card fraud to a certain extent. But if fraudsters have access to a consumer's payment behavior in addition to the stolen card, they could mimic legitimate transactions and decrease the chances of getting caught. Sophisticated international crime rings are likely to harness such advantages whenever they're available.
Behavioral and location data could also be exploited by local criminals. Thieves might take advantage of knowing homeowners' locations to rob their homes while they're out. Stalkers sometimes track their target using the location awareness of the target's mobile phone. Blackmail is also a possibility if a person's online browsing or shopping behavior reveals something this person would wish to keep private.
Online and mobile data collection firms can learn from the experience of the card industry to self-regulate and proactively avoid data breaches. The industry has already shown considerable self-regulation in response to privacy concerns, and could expand these efforts to include broader data security initiatives. Data security best practices are known, but they require up-front technology investments. For example, data can be anonymized and delinked from individuals, limiting the risk of criminal misuse. The only question is whether online firms will proactively use available data security tools or whether they will be stuck cleaning up after data breaches down the road.
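As an added illustration of the "delinked" storage the post recommends (example code, not from the blog or the Atlanta Fed): the sample records, the 200-number identifier space and all function names below are constructed assumptions. It contrasts an unkeyed hash, which a breach of the analytics store can re-link simply by enumerating plausible identifiers, with a keyed pseudonym whose key is held outside that store.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the kind of behavioral/location records the post
# describes (identifier, store visited, timestamp). Not real data.
RAW_RECORDS = [
    {"user_id": "555-0101", "store": "Kroger", "ts": "2011-06-09T18:05"},
    {"user_id": "555-0102", "store": "Bookstore", "ts": "2011-06-09T18:40"},
    {"user_id": "555-0101", "store": "Gas station", "ts": "2011-06-10T07:55"},
]

# Constructed, deliberately small identifier space to show the enumeration risk.
CANDIDATE_IDS = [f"555-{n:04d}" for n in range(200)]


def naive_pseudonym(user_id: str) -> str:
    """Unkeyed hash: looks anonymous, but anyone can recompute it for a guessed id."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def keyed_pseudonym(user_id: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key kept separate from the analytics store."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()


def delink(records, key: bytes):
    """Replace identifiers with keyed pseudonyms; per-person analytics still works."""
    return [{"pid": keyed_pseudonym(r["user_id"], key), "store": r["store"], "ts": r["ts"]}
            for r in records]


def relink_by_enumeration(pseudonym: str, candidates, fn):
    """Model of a breach: try every plausible identifier against the stored value."""
    for candidate in candidates:
        if fn(candidate) == pseudonym:
            return candidate
    return None


def demo():
    key = secrets.token_bytes(32)  # would live in an HSM or separate key store
    naive = naive_pseudonym("555-0101")
    keyed = keyed_pseudonym("555-0101", key)
    return {
        # unkeyed hash is recovered from the id space alone
        "naive_relinked": relink_by_enumeration(naive, CANDIDATE_IDS, naive_pseudonym),
        # without the key, enumeration cannot reproduce the keyed pseudonym
        "keyed_relinked_without_key": relink_by_enumeration(keyed, CANDIDATE_IDS, naive_pseudonym),
        "delinked": delink(RAW_RECORDS, key),
    }
```

Note that the keyed approach only delinks as long as the key is never stored or backed up alongside the pseudonymized records.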
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed