Retail Payments Risk Forum

Portals and Rails

May 13, 2013

Which Is Riskier, Change or Avoiding It?

There is no denying that any level of change brings with it some level of risk. However, sometimes avoiding change can result in even greater risk. That is the quandary many retail banks find themselves in today as they grapple with the issues of mobile banking and payments and their role in the bank's overall delivery-channel strategy. Sustainability and regeneration are principles normally associated with the community development and environmental arenas, but they can be easily applied to the banking industry and its consumer delivery channels.

Numerous research studies document a large gap in banking attitudes and product or channel usage between the Gen Y or millennial customers and the older customer segments (those who are over 35, if you consider that old). (The Retail Payments Risk Forum discussed some of this research in a paper posted on our website in April.) Younger customers have less loyalty to bank brand, readily adopt new technology, are highly influenced by advertising and peers, expect free or low-cost banking products and services, and are driven by convenience. While they do have a higher overall trust level of banks compared to nonbanks, the gap is not anywhere near as large as that of the older customer segment. The younger segments have eagerly adopted online and mobile banking and are viewed as the early adopters of mobile payments. In fact, when they select a financial institution, the quality and expansiveness of the mobile banking offering is a major factor in their decision.

So what does this changing landscape hold for the future of the traditional brick-and-mortar-branch delivery channel? For some time, banks have tried to establish branches primarily as sales centers while moving basic service transactions to alternative automated, less-expensive delivery channels. This effort will continue, but banks must also regenerate their overall delivery-channel strategy to provide sales and service capabilities through virtual channels in order to attract and retain the growing Gen Y customer segment. This regeneration and sustainability effort involves the "right sizing" of each channel to provide existing and future customers with the appropriate level of services and features, as well as the capacity to meet service quality goals. Not only will this effort require continual risk assessments of each delivery channel, but it will also require a holistic risk assessment of each customer across all delivery channels.

Let us know what changes, if any, you are making in your overall delivery-channel strategy to address the changing demographics of existing and potential bank customers.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 13, 2013 in mobile banking, mobile payments

May 06, 2013

Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals generally also install a pinhole camera positioned to capture customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and, finally, in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management

April 29, 2013

It's Time for Better Online Authentication Solutions

I recently read a news story in my daily news feed about litigation between a bank and a corporate customer related to an account takeover and the liability for the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.

Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.

Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?

Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 29, 2013 in account takeovers, cybercrime, fraud

April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally. These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud