Portals and Rails

About


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.


May 29, 2012


Are social security numbers still secure enough for payments?

Identity authentication is becoming increasingly important today as consumers conduct more and more social interactions, commerce, and financial transactions online. Many emerging payment methods are conducted electronically today and will no longer involve the face-to-face interactions that have provided an additional layer of security for our traditional retail payments environment. Unfortunately, our primary means of personal identification is the social security number, and it is becoming more vulnerable to compromise. How do we mitigate the risks in innovative payments going forward with traditional identification methods?

A well-intended system
The social security number was created in 1936 as a way to track workers' benefits for the new pension program. At the time, no other use for the number was envisioned. In 1943, however, President Roosevelt signed an executive order allowing other government agencies to use social security numbers. Today, the numbers are the primary identifiers for many government functions, including filing taxes, receiving all manner of benefits, and enlisting in the military. Social security numbers are also widely used in the private sector, especially in the healthcare and financial industries. They have become the default identifier used by healthcare providers, insurers, credit bureaus, banks, and others when signing up new customers.

Social security numbers—not so secure
You probably believe that your social security number is private. You probably assume that it's kept private by those who use it to verify your identity. But how many different people have seen your number, or some part of it, in the past decade? It's out there every time you've gone to a new healthcare provider, signed up for a new insurance plan, or applied for a credit card, bank account, or cell phone plan. Researchers have even developed an algorithm for guessing a person's number using just their place and date of birth.

The problem with such widespread use of social security numbers is that they are easily exposed and vulnerable to use in identity theft and related crimes, including various types of payment fraud. It goes without saying that new identification and authentication methods will be needed in the future to ensure that the personal information accessible via social security numbers can be protected and kept secure.

Mitigating compromise and improving personal authentication
In 2008, the Federal Trade Commission (FTC) developed recommendations on preventing the misuse of social security numbers for identity theft. First, it recommends multifactor authentication, with additional authentication processes beyond the social security number itself. The FTC further recommends that, whenever possible, users restrict the public display and transmission of social security numbers on applications, identity cards, and other documents. As crimes in electronic networks grow more prevalent, it will be increasingly important that the industry adopt multifactor authentication practices to offset the weakness of outmoded personal identification methods.

By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

May 29, 2012 in identity theft, payments, privacy


Comments

FFIEC came up with guidelines for 2FA around seven years ago and followed it up with some more guidelines this year. Despite the passage of so much time and the fact that virtually all other large nations have adopted 2FA, banks and e-commerce merchants in the US are conspicuous by their failure to follow even the basics of strong authentication like VbV, etc. Is this because 2FA introduces additional friction and/or false positives that result in greater revenue losses than potential loss by fraud? Given where the US is, is there any evidence that fraud loss as a percentage of transaction value is higher in the USA than elsewhere in the world?

Posted by: Ketharaman Swaminathan | May 31, 2012 at 06:49 AM


May 21, 2012


Cramming and bill-to-mobile payments: Managing the risk

An interesting market segment in the evolving mobile payments industry is bill-to-mobile payments, which is a service that permits wireless carriers to add charges to consumers' mobile phone bills for generally small-value transactions involving digital and virtual goods purchased over the Internet. At the same time, the telecommunications industry is accommodating the addition of more third-party charges to consumers' mobile phone bills. Naturally, fraudsters are finding opportunities to apply unauthorized charges to these bills, a practice known as "cramming." As bill-to-mobile services grow more popular, how do we mitigate the potential risk of this fraudulent activity?

Telecoms and bill-to-mobile services
Telecoms have license to add charges to bills for a variety of call-based services. The advent of bill-to-mobile as a type of mobile payment began as intermediary platform providers—namely, Zong and Boku—entered the market to facilitate payments from consumers to online merchants through mobile carrier billing. Even Facebook allows the purchase of Facebook credits for games and apps to be billed to the customer's mobile phone bill in lieu of a credit or debit card payment. These services have become hugely popular as an electronic micropayment solution alternative to credit and debit cards. This makes a lot of sense when you consider the younger demographic market segment for online games and their social reliance on mobile for day-to-day interaction.

Regulation and law enforcement
As mobile phone usage grows, the incidence of criminal activity is growing in lockstep. In fact, since deregulation of the telecommunications industry, according to one state's Department of Justice report, complaints about erroneous charges on telephone bills have grown. Crammers bet on consumers not reading their phone bills carefully, and thereby failing to notice an extra dollar or two fraudulently charged each month.

The Federal Communications Commission's (FCC) Truth-in-Billing rule requires that telecom firms organize bills clearly by complying with specific requirements, such as providing "clear and conspicuous notification" of charges that would be apparent to a reasonable consumer and clearly identifying on the bill the name of the merchant associated with each charge. It also requires that the bill contain clear and conspicuous disclosure of inquiry contacts in the event of a billing dispute, so that the consumer knows whom to contact to dispute unauthorized charges.

While the FCC's rule might not have envisioned a mobile-payment-enabled environment and associated charges for financial services, the rule should provide adequate consumer protections for victims of phone bill cramming.

Managing the cramming risk for mobile payments
Currently, U.S. wireless carriers are limiting bill-to-mobile services to micropayments for virtual and digital goods. Purchases are typically limited to $100 a month because so far the carriers have not demonstrated an appetite for managing credit risk. Telecom firms generally resolve complaints quickly, as the cost associated with time spent by staff devoted to error disputes far exceeds the value of the charge in a complaint. As these services grow, however, this may not always be the case.

With appropriate consumer protection regulation in place, risk mitigation lies with the consumer, who should consider the following steps to protect against cramming:

  • Read your bill monthly, just as you would a credit card bill.
  • Be alert for changes in your bill, particularly those with language including words like "activation" and "service fee."
  • Address irregularities as soon as possible. The FCC's Truth-in-Billing rule requires phone bills to include a toll-free number to make it easy for a consumer to quickly report a dispute about a charge.
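The three steps above amount to a simple month-over-month check: compare this bill with the last one, and look hard at anything new or anything carrying the wording the post calls out. The script below is an added example, not code from the post or from the Atlanta Fed; the bill format it parses (one line item per row as vendor|description|amount) and both sample bills are constructed stand-ins, and the two keyword triggers are the ones named in the bullets.

```python
"""Flag possible cramming by comparing this month's phone bill with last month's.

Added example, not code from the Portals and Rails post. The line-item format
(vendor|description|amount) and the sample bills are constructed; the keyword
triggers ("activation", "service fee") are the ones the post singles out.
"""
from __future__ import annotations

from dataclasses import dataclass

# Wording the post flags as a warning sign on a bill.
SUSPECT_TERMS = ("activation", "service fee")

# Constructed sample bills: the carrier's own lines are unchanged, and two
# small third-party charges appear for the first time this month.
PREVIOUS_BILL = """
# last month (constructed)
Example Wireless | Monthly plan, 2 lines | 89.99
Example Wireless | Taxes and surcharges | 7.42
"""
CURRENT_BILL = """
# this month (constructed)
Example Wireless | Monthly plan, 2 lines | 89.99
Example Wireless | Taxes and surcharges | 7.42
Ringtone Club LLC | Premium content activation | 1.99
Horoscope Daily | Monthly service fee | 2.00
"""


@dataclass(frozen=True)
class LineItem:
    vendor: str
    description: str
    amount: float  # dollars


def parse_bill(text: str) -> list[LineItem]:
    """Parse the constructed 'vendor|description|amount' rows, skipping blanks and comments."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vendor, description, amount = (part.strip() for part in line.split("|", 2))
        items.append(LineItem(vendor, description, float(amount)))
    return items


def bill_total(items: list[LineItem]) -> float:
    """Total charged on a bill, rounded to cents."""
    return round(sum(item.amount for item in items), 2)


def _totals_by_vendor(items: list[LineItem]) -> dict[str, float]:
    totals: dict[str, float] = {}
    for item in items:
        totals[item.vendor] = totals.get(item.vendor, 0.0) + item.amount
    return totals


def flag_suspect_charges(
    previous: list[LineItem], current: list[LineItem]
) -> list[tuple[LineItem, list[str]]]:
    """Return current-month line items worth disputing, each with its reasons.

    A line is flagged when its vendor was absent from last month's bill, when a
    returning vendor's monthly total changed, or when the description carries
    one of SUSPECT_TERMS. Amount is deliberately not a criterion: crammers rely
    on charges small enough to be overlooked.
    """
    prev_totals = _totals_by_vendor(previous)
    cur_totals = _totals_by_vendor(current)
    flagged = []
    for item in current:
        reasons = []
        if item.vendor not in prev_totals:
            reasons.append("vendor not on last month's bill")
        elif abs(cur_totals[item.vendor] - prev_totals[item.vendor]) >= 0.01:
            reasons.append("vendor total changed from last month")
        hits = [term for term in SUSPECT_TERMS if term in item.description.lower()]
        if hits:
            reasons.append("wording: " + ", ".join(hits))
        if reasons:
            flagged.append((item, reasons))
    return flagged


if __name__ == "__main__":
    prev, cur = parse_bill(PREVIOUS_BILL), parse_bill(CURRENT_BILL)
    print(f"bill went from ${bill_total(prev):.2f} to ${bill_total(cur):.2f}")
    for item, reasons in flag_suspect_charges(prev, cur):
        print(f"CHECK {item.vendor!r} ${item.amount:.2f} ({item.description}): {'; '.join(reasons)}")
```

Anything the script prints with CHECK is a candidate for the toll-free dispute number the Truth-in-Billing rule requires the bill to carry; the vendor name it prints is the one the same rule requires to appear on the bill.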

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

May 21, 2012 in crime, mobile payments


May 14, 2012


Cooperating competitors? Yes, when it comes to payment standards

Standard sizes allow us to efficiently pick out clothing to try on at any store we go to, and even to shop online. Standard file formats enable the exchange of documents between computers with different operating systems and software programs. Similarly, standard payment formats ensure that our payment cards work at a wide range of merchants regardless of where we bank. Although we often take standards for granted, they are absolutely critical to the efficient functioning of the payment system.

Standard formats are a classic public good: they can be used by multiple people at no marginal cost per user and it is difficult to exclude people from using them. Typically, public goods have to be provided by the government, because no individual firm has sufficient incentive to provide them privately. However, in the payments industry, standard payment formats have frequently been adopted without government intervention. Instead, private firms generally cooperate to develop payment standards through membership organizations like NACHA, the Accredited Standards Committee X9, and EMVCo. These organizations are direct competitors who choose to cooperate in developing shared industry utilities. Atlanta Fed payments risk expert Doug King has written extensively on industry efforts to implement the EMV payment card standard in the United States.

The payments industry might be able to supply its own public goods due to the relatively low transaction costs of doing so. While a small number of companies manage the majority of card payments across the globe, the U.S. industry includes several well-established companies and numerous smaller competitors as well as start-ups. Most of the companies are already members of established industry organizations that facilitate collaboration. This is much simpler than the market providing a public good like low pollution in a river, for example. Somehow the many consumers and firms who access that river must assemble and agree on the pollution level, develop an enforcement mechanism, and implement the agreement—and many of these stakeholders will likely never have worked together before.

The effect of payment standards on competition is unclear. It’s possible that standards increase competition in the payments industry by leveling the playing field between established firms and start-ups. However, some payments standards are proprietary and may inherently favor the companies that most influenced their development. For example, to the extent that the largest card networks dictate the specifications for the EMV standard, this may disadvantage smaller networks. Those smaller networks are left in the unenviable position of having to comply with standards in which they had little voice in developing. Thus, although the payments industry seems to have been effective in developing standards cooperatively, it’s possible that this market activity has favored the dominant players. How will the move to the EMV payment card standard affect competition in the U.S. market?

By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

May 14, 2012 in collaboration, EMV


May 07, 2012


Regulating mobile: Distinguishing the payment from the channel

The handset is just a device, not a payment
Policymakers and regulators are just beginning to discuss the regulatory environment for mobile banking and payments in the United States. The added dialogue to existing industry conversations can lead to mixed messages about where regulatory and policy action may be needed. Recently we've heard from industry and regulatory agencies that the payments industry should carefully consider introducing new regulations and supervisory guidance.

The mobile handset is "just a device, not a payment," noted Mallory Duncan, senior vice president and general counsel at the National Retail Federation. Duncan, who spoke at the workshop "Paper, Plastic...or Mobile," hosted by the Federal Trade Commission, also said that regulation should be no more stringent than that of the underlying payment. In essence, the laws, regulations, and rule sets associated with a payment type—be it a credit card, debit card, or online payment—should follow that payment through the mobile channel for clearing and settlement. I offered similar conclusions in a previous Portals and Rails post on dispelling myths in mobile payments, adding that "while new networks...may emerge in the future, at present, the payment network systems remain the same."

Fragmented framework on an expanded landscape
One problem the payments industry faces as technology enables new intermediary payment methods (they all start off as something we already use: cash, checks, or cards) is that the legal and regulatory framework includes different consumer protections, disclosure requirements, and error resolution provisions depending on the payment type. While all these payments are used in an Internet environment—whether the Internet is accessed by phone or a traditional PC—the addition of the mobile channel and its telecom partners has seemingly created a tipping point for confusion and speculation. Many of the issues raised about consumer protection for prepaid cards, for example, exist now and have nothing to do with a consumer's ability to use a prepaid account with a mobile device.

Can existing regulatory infrastructure handle new mobile payment business models?
The United States has a more complicated banking system than most countries. National laws, for example, govern national banks, for which state law is preempted. State-chartered banks and nondepository money service businesses (like payday lenders and money transmitters), on the other hand, are responsible for complying with the laws of every state in which they do business. These laws differ from state to state, and sometimes even conflict.

Industry players in each of these separate chartering authorities are stepping into the mobile channel as a way to expand their footprint. While telecoms and technology firms are entering into partnerships with banks to establish new business models in the delivery of mobile payments, so far they're sticking to their knitting and leaving the clearing and settlement, and the extension of credit, to the financial services industry. As long as banks remain the payment issuers in these still nascent business models, caution in rethinking the regulatory infrastructure is probably a good idea as well.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

May 7, 2012 in innovation, mobile banking, mobile payments, regulators

