Portals & Rails
October 22, 2012
Ignorance Is No Excuse--Or Is It?
Last time I got a speeding ticket (just for the record, it's been a very long time), the officer didn't care that I didn't realize the speed limit was only 35 mph. As he told me, ignorance of the law is no excuse for breaking the law. Contrast that with consumer payments protections. Consumers can practice unsafe computing and expose their account information, yet regulations still protect them if an unauthorized payment is made using the information the consumer revealed. Although an unauthorized payment is transacted by someone else, the consumer, through his or her own behavior, may be aiding and abetting the lawbreaker.
As we study different payment types and channels here at the Retail Payments Risk Forum, a consistent theme has emerged: consumer behavior plays a significant role in payments issues, and consumer education is the antidote. Although the consumer may be protected from financial consequences even when they engage in unsafe online behavior, it is in everyone's best interest, including the consumer's, if the consumer is armed with enough information to behave safely and responsibly.
Take card payments and the conversion under way to EMV standards. As the cards are converted to a chip and reissued to consumers, the consumer will need to understand where and how the card can be used. Education will be critical if the chip implementation also includes the use of PINs. A recent analysis by DataGenetics shows that nearly 27 percent of PINs can easily be guessed by attempting 20 simple combinations such as "1234" or "0000." PINs can be an effective authentication method, if only the consumer is thoughtful in choosing a hard-to-guess PIN.
Consider ACH payments and the dreaded account takeover. The information used to perpetrate an account takeover is sometimes gained through malware that enables key logging. The malware is installed on the consumer's computer most likely because of the consumer's unsafe computing practices, such as clicking on unfamiliar links and opening attachments sent by suspicious or unknown sources.
The same is true for the emerging mobile channel, essentially a handheld computer with security considerations similar to the online channel. The September 2012 GAO report on Mobile Device Security concludes, "Mobile devices face an array of threats that take advantage of numerous vulnerabilities commonly found in such devices. These vulnerabilities can be the result of inadequate technical controls, but they can also result from the poor security practices of consumers." The report recognizes that many education and awareness efforts, both public and private, have occurred or are underway, but it remains unclear whether those efforts have raised consumer security awareness or had any beneficial effect on the security of the mobile device.
Diagnosing is the easy part...
While it's easy to recognize that consumer behavior is a problem in electronic payments, the solution of providing consumer education is elusive. As it turns out, financial institutions are in a good position to provide education. For one thing, consumers tend to trust their financial institutions, with their financial information and with their privacy. From a practical standpoint, financial institutions are commonly the connection point between the consumer and these payment types. However, the traditional connection point of the branch is evolving to the online and mobile channels.
So what can financial institutions do to better educate consumers in the new digital and mobile environment? They already devote significant resources to providing education, but the effectiveness of these efforts can be questioned as the incidences of fraud appear to be rising. Are there best practices for consumer education in the non-face-to-face environment that financial institutions should employ to positively impact fraud?
By Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Ignorance Is No Excuse--Or Is It?: