March 04, 2013
Who Am I? Authentication Challenges
It's tax time again. I dread this time of year. It's not just because I don't like paying taxes—who does? It's because I am always a little nervous as a result of an experience my husband once had. Some years ago, my husband was the victim of identity theft and, every so often, we are forced to confront another attempted assault on our finances. We became aware of another assault two years ago when we attempted to file our federal tax return electronically and it was rejected. The IRS already had a record of a processed return under my husband's Social Security number (SSN). For now, we file our returns the old-fashioned way, printing and mailing them.
Juxtapose that low-tech solution against the high-tech approach that fraudsters use. Using ill-gotten SSNs, names, and birth dates, these identity thieves electronically file fraudulent returns as early as possible. They then nab the refunds quickly, either through receipt of a prepaid debit card from the IRS or through direct deposit into a bank account specifically used for obtaining the fraudulent refund, which they immediately cash out.
Filing of fraudulent tax returns has reached epidemic proportions. In 2012, a Treasury Inspector General for tax administration testified before Congress that the IRS detected and stopped almost one million fake returns for 2010, totaling $6.5 billion.
In recent years, the government, through legislation, has encouraged use of other identification methods and greater care in the storing and sharing of SSNs and other personally identifiable information. However, the SSN remains the preferred identification method. Knowing that criminals and taxes will never disappear, the issue then is with the authentication—that is, checking identity at the door.
The IRS is being proactive by requiring taxpayers to supply additional information. Perhaps the agency could use the same technology to combat the criminals that the criminals are using to initiate the crime. A recent Portals and Rails post looked at "Big Data" and discussed how financial institutions can profile consumer behavior to detect fraud. Could the IRS use Big Data techniques to help detect tax returns that seemingly have fraudulent characteristics? For example, the IRS could flag early filings, understanding that historically a particular filer's W-2 information is not available until as late as the end of March. However, the post also discussed the question of when data collection and behavior profiling crosses the line from marketing opportunities to privacy invasion, an issue the IRS would have to consider.
The integrity of mobile payments, online banking, card payments, and any other form of electronic payment rely on the authentication of the payer. Many authentication methods in the payments world are by necessity pretty sophisticated. But criminals are finding ways to compromise these methods, too. As we move headlong into the world of digital payments, proving genuine identity, or authentication, is vital.
By Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Who Am I? Authentication Challenges:
January 23, 2012
PIN authentication versus signature authentication
In the United States, surveys from several organizations help us determine approximate total fraud losses by different payment instruments. For example, the American Bankers Association's 2011 Deposit Account Fraud Survey Report estimates that 2010 industry fraud losses totaled $893 million for checks and $955 million for debit cards. The Nilson Report puts 2010 payment card fraud losses at $3.56 billion. And a 2011 PaymentsSource report estimates that bank card issuers experienced fraud losses of $1.16 billion in 2010.
Some of these industry surveys actually fail to illustrate the complete risk landscape—we must also consider trends in the underlying usage of various payment mechanisms. To better assess risks to financial institutions from various payment types, it is useful to compare fraud losses on a per-unit basis. By doing this for credit card, signature debit, and PIN debit transactions, the effectiveness of PIN authentication in preventing payment card fraud becomes clear (see the chart).
Credit card loss rates are the largest among payment cards and growing
According to PaymentsSource's bank card profitability studies, financial institutions' credit card-related fraud losses grew each year between 2006 and 2008, rising from $1 billion to $1.11 billion. After an aberration in 2009, when credit card fraud losses fell by 14 percent, fraud losses grew again in 2010, by 22 percent. The Nilson Report data showed a similar trend in both the number and dollar value of credit card transactions during this time period.
The Nilson Report data provide the basis for determining per-unit credit card loss estimates for financial institutions. On a per-transaction basis, annual credit card-related fraud losses reached their highest level in 2010, at 7.5 cents per transaction. This figure represents an almost 9 percent increase from the 2006 figure, which was 6.9 cents. Credit card fraud losses on a dollar-volume basis increased by nearly 27 percent during this same time period, from 6.7 basis points (or 0.067 percent) in 2006 to 8.5 basis points in 2010.
Debit card fraud loss rates vary by authentication method
Likewise, financial institutions have seen debit card fraud losses rise steadily since 2004. According to this PULSE Debit Issuer Study, fraud losses from purchase transactions (excluding losses from ATM fraud) were about $201 million in 2004. Looking at PULSE study data in conjunction with data from The Nilson Report shows that debit card fraud losses from point-of-sale transactions peaked at $880 million in 2010.
However, a large disparity exists between debit card fraud based on the authentication method employed. For example, signature debit transactions accounted for an estimated $804 million—91 percent—of the total debit card fraud in 2010.
The increase in fraud losses should come as no surprise given the rapid growth in debit card transactions over the past six years. According to The Nilson Report, debit transactions grew by more than 122 percent, or 14.3 percent on an annualized basis, between 2004 and 2010. Data from PULSE studies show that in 2010, financial institutions experienced a 2.7-cent fraud loss for every signature debit transaction, and a 0.5-cent loss for every PIN debit transaction. This translates to 7.5 basis points for signature transactions and 1.3 basis points for PIN transactions on a per-dollar volume basis. These figures are up from the 2006 numbers of 1.9 cents (or 4.8 basis points) and 0.3 cents (or 0.8 basis points), respectively.
Comparing signature and PIN transactions
Based on per-unit fraud losses of credit and debit cards, financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than from those with PIN authentication. Yet PIN authentication is not accepted for credit transactions, and it accounted for only 32 percent of debit card purchase transactions in 2010. Although the fraud rates for both signature and PIN transactions have increased over time, signature transactions still exhibit significantly higher loss rates, especially when comparing the transactions on a per-dollar volume basis. The large disparity in per-transaction fraud losses between credit card and signature debit transactions stems from credit card transactions having an average ticket size of nearly 2.5 times that of signature debit transactions. Ultimately, PIN debit offers an additional and superior layer of authentication not offered on credit and signature debit transactions.
Admittedly, the limited number of merchants in the face-to-face environment who have the capability to accept PIN-based transactions, combined with the lack of PIN-based acceptance in the card-not-present environment, limits the use of PIN transactions. But given the ongoing displacement of cash and checks by payment cards and other forms of electronic payments, the continued adoption of PIN debit transactions and the potential introduction of PIN authentication for credit card transactions could go a long way toward reducing growing payment card fraud. However, given recent EMV-related statements that Visa and the Merchant Advisory Group have issued, it remains unclear whether or not PIN authentication will become the standard in the United States.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference PIN authentication versus signature authentication:
May 16, 2011
Practical tips for enhanced mobile security
We recently sat down to talk with Soren Bested to discuss mobile security. Soren, who has more than ten years of experience in high-tech industries, currently serves as managing director of Monitise Americas, a leading provider of mobile banking and payments in both the U.K. and U.S. markets. Mobile security is a hot topic at Portals and Rails. Recent posts have covered common myths about mobile banking and payments and laid out foundational principles for a successful mobile payments ecosystem in the United States. Continuing in this vein, Soren offers some practical tips on using mobile devices to secure financial transactions today.
Mobile security is top-of-mind for consumers, and their concerns about the safety of the mobile channel have limited mobile banking and payments adoption. Soren suggests, however, that mobile has the potential to be "super-secure," and even to enhance the security of existing financial service channels. Financial institutions and technology providers might consider the following recommendations in approaching mobile to take advantage of this potential security.
Match service channel to function
The mobile channel incorporates several different technologies, or service channels: SMS (text messages), mobile applications, and mobile browsers. Each of these service channels has a unique security profile,and as such is best suited for different tasks. SMS, for example, transmits information over the air in an unencrypted format, and is therefore inappropriate for carrying payment or personal identification details. However, SMS is perfect for sending notifications because it is immediate, inexpensive, and convenient. Banks might insist that customers use a password-protected mobile application when they conduct more sensitive business, like initiating a peer-to-peer transaction or transferring a balance between accounts. These examples illustrate that the mobile channel cannot be approached with a single security protocol, but rather that security practices should be tailored to each channel and its unique risk profile.
Use existing industry security guidelines
Soren advises that financial institutions not reinvent the wheel when they design mobile security. The industry can instead apply established security guidelines. These are the PCI DSS (Payment Card Industry Data Security Standards) guidelines for card transactions, the SAS70 operational standards, and the FFIEC standards for multi-factor authentication. Conforming to these existing standards decreases the burden on banks by allowing them to take advantage of existing industry expertise in developing a secure product. Banks can then outsource some security development and auditing functions, in the same way that merchants rely on vendors to ensure compliance with existing PCI DSS requirements. Not only does this improve the customer's security, it also lowers the upfront cost and shortens the timeframe to launch a mobile product.
Implement true two-factor authentication
Strong authentication requires multiple unique factors. Possible factors for authentication include "something you know," like a password or your mother's maiden name, "something you have," like an RSA token or an ATM card, and "something you are," which could be a biometric identifier like a fingerprint or voice pattern. Currently, most online banking security consists of username and password, and sometimes challenge questions—all things that the user knows. This approach is not two-factor authentication, but is essentially single-factor authentication twice, and as such offers only limited security. Mobile financial services can also incorporate passwords but can also add the "something-you-have" factor with the mobile device itself. A mobile phone is a personal device unique to the user in a way that computers often are not. While families may share a computer, usually each person has his or her own mobile phone. In addition, technology allows for the unique identification of any mobile device, tying the device to the individual user. Some companies have even experimented with adding a third factor to mobile banking by enabling biometric voice authentication of mobile transactions.
Mobile phones can also increase existing online banking security by acting as a second factor for customer authentication. The user's phone will often be only a few feet away when they log into online banking on the computer, and the user could take a call or SMS to authenticate the session. Mobile technology may be the key that allows banks to fully implement multi-factor authentication, a gold standard of security.
These are just a few of the ways that mobile technology might lead us to greater security in financial services. But we know many of our readers are also mobile experts, and have even more ideas about enhancing security with mobile. Leave a comment or send us an e-mail with your tips on improving mobile security.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Practical tips for enhanced mobile security:
March 29, 2010
Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models
The folks engaging in the early stages of the mobile payments industry have coined the term "mobile ecosystem" to describe the environment into which they are trying to merge the traditional roles of telecommunications with those of payments and banking. While some in this fledgling industry are already becoming disenchanted with the grandeur of the "ecosystem" terminology, the concept does suggest a useful model for thinking about the challenges faced in this new arena.
A few weeks ago I received a new issue of National Geographic that contained a fantastic article (and even more fantastic pictures) of the unique ecosystem of the African island nation of Madagascar. The ecosystem of this large island, located off the southeastern coast of Africa, has yielded an extraordinary collection of plants and animals that live in a tropical setting interrupted by some truly anguished geological formations. The local ecosystem is, of course, actually a collection of subsystems (plants, animals, climate, topography, etc.) that have adapted over time to work seamlessly together. For example, large families of lemurs leap fearlessly and safely among knife-sharp rock formations because their hands and feet have developed coarse, leather-like padding over thousands of years.
In the mobile ecosystem, we see a similar makeup of subsystems that must work together. The technology and operational components, while not trivial, are clearly achievable, and many are in place today. The challenges that lie ahead, however, are in the sub-ecosystems of law, regulation, data security, data privacy, customer care, and profitability. Depending on the nature of some of the mobile payment solution alternatives, the banking and the telecommunications industries find themselves wondering if they can coexist on the same island. Is there enough value to the customer to generate the revenue necessary to fund a mobile payments initiative? Who gets or shares the revenue? Who is responsible for data security and authentication, and how does that credential or certainty get passed along the mobile payment supply chain? Who resolves the customer's problem if a mistake is made? What consumer protection rights exist in case of error or fraud, and do those rights change depending on whether a traditional payments system is used to settle the transaction? Are proven models in other countries transportable, or are the characteristics of the economics and user base too different?
With respect to customer care and protection, I recently asked an audience of representatives from the full span of the mobile payment value chain, "Who owns the customer in a mobile transaction?" Gratifyingly, they agreed they all did. However, the true ownership response may ultimately depend on the nature of the transaction and agreement on who is liable if anything goes wrong. Take the case of a person-to-person payment initiated by Consumer A (Barbara Buyer) to Consumer B (Gloria Girl Scout's Mom) for payment of six boxes of Girl Scout cookies (three Thin Mints and three Trefoils). In a telephone-based clearing model, Barbara would enter the requisite $21 in the payment instruction and designate the phone number of Gloria's mom in the recipient field, and both their phone bills would be adjusted accordingly. Now suppose that Barbara was distracted by her daughter's chiding that she really wanted Samoas and carelessly entered $210. Since the payment never went through the payment system, Barbara Buyer cannot rely on traditional banking regulatory protections or problem resolution processes. She must resolve the problem with her phone provider, who has already credited Gloria's mom. Alternately, given PayPal's March 16 announcement of an iPhone app to send money to another person, PayPal's resolution procedures could be in play.
If, however, Barbara's phone company clears the transaction through a mobile service ACH backend, or Barbara pays Gloria's mom through a P2P service offered by her bank, the error resolution process is likely through normal banking customer service channels, and the adjustment process may be managed differently, assuming an adjustment process is contractually spelled out in either case. In reality, Barbara would probably get Gloria's mom to write her a check for $189 to straighten things out. While this may seem like a trivial example, it does dramatize some of the issues that must be worked out in the new ecosystem of mobile payments to make such services work effectively for the customer's benefit.
Given these difficult challenges, it seems likely that various models will initially emerge within alliance groups (one phone company, one or more application providers, a few partner banks, etc.) before they begin to converge into one or more universal market models. Along the way, one hopes that the key participants can collaborate to anticipate the types of risk issues that could arrive in the real world so that the consumer's experience turns out to be one that encourages growth. In the age of e-mailing, twittering, and facebooking, it is increasingly clear to me that mobile banking and mobile payments are in our future and that they will be a very attractive service to some key sectors of our population. However, they will be extremely slow to develop if critical mass issues such as those mentioned above are not resolved up front. In fact, this would be a good place for banks to try new, customer-friendly approaches to consumer education and disclosure that match the payment channel being used and the customer demographic.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models: