Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

May 04, 2015


Keeping Up with the Criminals: Improving Customer Authentication

The interesting thing about authenticating customers for checks and PIN-based debit transactions is that the customer's authentication credentials are within the transaction media themselves—a signature, a PIN. But for the rest of the transaction types, authentication is more difficult. The payments industry has responded to this challenge in a few different ways, and may be turning increasingly to the use of biometrics—that is, the use of physical and behavioral characteristics to validate a person's identity.

Improving customer authentication in the payments industry has been a focal point for the Retail Payments Risk Forum since its formation. After all, authenticating the parties in a payment transaction efficiently and with a high level of confidence is critical to the ongoing safety and soundness of the U.S. payments system. We have intensified our focus over the last two years, including holding a forum on the topic in mid-2013. The Forum has also just released a working paper that explores the challenges and potential solutions of customer authentication.

The working paper examines the evolution of customer authentication methods from the early days of identifying someone visually to the present environment of using biometrics. The paper reviews each method regarding its process, advantages and disadvantages, and applicability to the payments environment.

Much of the paper looks at biometrics, an authentication method that has received increased attention over the last year—partly because smartphones keep getting smarter as folks keep adding new applications, and as manufacturers keep improving microphones, cameras, accelerometers, touch sensors, and more.

The table lays out six key characteristics that we can use to evaluate a biometric system for a particular application.

New_characteristics_table

The use of biometrics will be the subject of an upcoming forum hosted by the Retail Payments Research Forum later this fall, so stay tuned as we finalize the date and agenda. In the meantime, if you have any comments or questions about the working paper, please let us know.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 4, 2015 in authentication, biometrics, emerging payments, innovation, mobile banking, mobile payments, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d10cb742970c

Listed below are links to blogs that reference Keeping Up with the Criminals: Improving Customer Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 09, 2015


Who's to Stand in for Mom?

You have likely heard about the fraud that's clouding one of the newest mobile payment solutions. Credit where it is due, the security underpinning the mobile payments themselves represents an amalgamation of strong advances including such things as tokenization, biometric authentication (at the time of the transaction), encryption, and on-device secure storage. The problem that's generating the latest buzz pivots around a gap in authentication—specifically, verification of the legitimacy of those registering the cards that will be used to effect subsequent transactions. Truth is, this isn't a misstep by a singular entity. We've seen this trouble pop up in any number of payment channels.

Some institutions have put a lot of thought into enrollment authentication while others may have felt a need to rush to market at the expense of developing a fully effective authentication process. In November 2014, First Annapolis Consulting/M & A Advisory Services documented various approaches in use by issuers and followed up this past February with emerging best practices and recommendations.

To tack in the way I want for this topic, I will quote a thought provided in one of our recent forums that was given by Peter Tapling, president and CEO of Authentify Inc.: authentication is proving "you are who your mother says you are." This could be key to the best practice of all. But if moms everywhere prove disinclined to authenticate all of us rascals at the provisioning stage (and let's be frank, they're a little busy) can another stand for Mom in this place?

Since we're talking about payments, banks seem a logical option. Consider these highlights of their responsibilities related to "customer due diligence" (CDD) as detailed by the Federal Financial Institutions Examination Council:

  • The concept of CDD begins with verifying the customer's identity….
  • The cornerstone of a strong… compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all (emphasis added) customers…
  • CDD policies, procedures, and processes are critical to the bank because they can aid in:
    • Avoiding criminal exposure from persons who use or attempt to use the bank's products and services for illicit purposes.
    • Adher(ing) to safe and sound banking practices….
    • Provid(ing) guidance for resolving issues when insufficient or inaccurate information is obtained.

The context of the excerpt above is BSA/AML—or Bank Secrecy Act/anti-money laundering—compliance and is generally applied to customers in the business space. However, it seems reasonable to think the skill set might be brought to bear wherever there is need. Banks are clearly best positioned to determine who is setting up a payment and whether or not that person should be. Yet the responsibility is a broad one. Those party to any payment solution, including innovators, provisioning banks, and consumers, should demand that new and extant solutions include enrollment authentication that is well considered and properly coordinated using the best techniques for thwarting fraud. To get the best authentication, it's about who you know—and also, who knows you, besides your mother.

Photo of Julius Weyman By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed


March 9, 2015 in authentication, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb0801aa6c970d

Listed below are links to blogs that reference Who's to Stand in for Mom?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 14, 2014


Mobile Biometrics: Ready or Not, Here They Come

Apple's recent announcement about the release of its mobile wallet app—called Apple Pay—energized the mobile payments community. One reason for the spike of interest is Apple Pay's use of fingerprint biometrics as an additional layer of security in validating customers and their transactions. What may have gotten a little a little lost in the chatter that followed this announcement was another, related announcement. As reported in a September 19 FinExtra story, MasterCard (MC) announced it had completed a pilot project that used a combination of facial and voice recognition on a smartphone. MC said that the trial program—which involved MC employees around the globe conducting 14,000 transactions—had a successful validation rate of 98 percent.

The Apple and MC announcements together certainly show that the future of the additional security options on smartphones looks promising. As a recent post noted, consumer research has consistently found that consumers' largest concern about using mobile phones for financial transactions is security. But are biometric technologies ready for prime time? Will their application in the payments ecosystem really give payment providers more confidence that the person they are dealing with is not an imposter?

The latest generations of Apple and Android smartphones are equipped with fingerprint scanners, cameras, and microphones, which allow for the use of fingerprint, voice, and facial recognition. But limitations exist for each of the techniques. The Apple and Android fingerprint readers, for example, were compromised within days of their initial release. And facial and voice recognition applications work best in controlled conditions of lighting and with limited background noise—an unlikely environment for a smartphone user on the go.

But security experts agree that additional customer authentication methodologies—beyond the common user ID and password entry fields—increase the overall authenticity of transactions. Numerous companies are continuing to focus their research and development efforts on improving the reliability and use of their authentication products. So while there is no "one size fits all" authentication solution over the weak and easily compromised ID-and-password method, these biometric methods represent a step forward, and are likely to improve over time.

The Retail Payments Risk Forum is taking a close look at biometrics technology and its impact on the payments system. We are working on a paper assessing biometrics and authentication methodologies that will probably be released by the end of the year. We're planning a forum to be held this upcoming spring on mobile authentication technologies. And we're continuing to write posts on the topic in Portals and Rails.

Please feel free to contact us with your suggestions on biometric issues you would like to see us address in our continuing efforts.

Lott_david_01 By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 14, 2014 in authentication, biometrics, innovation, mobile banking | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07987236970d

Listed below are links to blogs that reference Mobile Biometrics: Ready or Not, Here They Come:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 06, 2014


Starting Off on the Right Note with Mobile Enrollment

In Rogers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

Photo of Douglas A. King

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 6, 2014 in authentication, financial services, mobile banking, mobile payments, payments systems | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d078369c970c

Listed below are links to blogs that reference Starting Off on the Right Note with Mobile Enrollment:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 29, 2014


Let's Talk Token, Part II: Distinguishing Attributes

Several weeks ago, Portals and Rails embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. Since writing the first post, payment tokens has jumped front and center in the payments community when Apple introduced Apple Pay, which uses tokenization. Also, the Mobile Payments Industry Workgroup just released a detailed white paper recounting their recent meeting on the current tokenization landscape in the United States.

In today's installment, we look at some distinguishing attributes of the end-to-end token initiatives currently under way and consider their impact on mitigating risk in payments transactions.

  • Token format: Common ground exists in the payments industry in terms of the token format. The end-to-end token solution relies on the creation of a token, known as a device account number (DAN), to initiate a payment in place of the original primary account number (PAN). To mitigate operational risks and make use of existing messaging rules and applications associated with the payment transaction, it is imperative that the format of the DAN preserves the format structure of the PAN. This means that DAN generation should be as random as possible, even while preserving the original PAN format structures to maintain basic card or account validation rules associated with the PAN.

  • Token type: Payment tokens can be dynamic or static. Dynamic tokens are valid either for a single transaction or for a limited number of transactions occurring in a very short time. By the time a fraudster intercepts a dynamic token, it has likely already expired, so the fraudster can’t use it. However, there is a slight down side to dynamic tokens—they can work against loyalty programs as well as some back-end fraud detection systems. Because each transaction has a different DAN, merchants and processors cannot consolidate multiple transaction information for an individual cardholder.

    On the other hand, static tokens are multi-use, so they allow merchants to connect the token user with past transactions. But given their multi-use nature, they are not as secure as dynamic tokens. For additional security, each transaction with a static token can include an additional element: a uniquely generated cryptogram.

  • Device coverage: Tokens can be created and stored either on a secure element on a mobile phone or in a cloud. Much industry discussion focuses on which approach is more secure, but the approach also has an impact on device access to the token. Storing a token only on secure elements limits tokens to mobile phones, a situation that does not address the significant volume of card-not-present payments that consumers conduct on computers and other devices. Alternatively, storing a token in a cloud would allow any connected device (mobile, tablet, laptop, or computer) to access the token, so all e-commerce transactions would be covered.

  • Token service provider: A number of parties can play the critical provider role. The provider is ultimately responsible for generating and issuing the DAN, maintaining the DAN vault, and mapping the DAN to the PAN for presentment to the issuer that ultimately authorizes the transaction. A network, issuer, processor, or another third-party provider can perform this role. We can make a case for any of these parties to play the role, but the critical risk mitigation factor to note is that the merchant should never see the PAN, thereby preventing a breach of payment card data within their systems.

To date, a standards body controlled by the largest global card networks and a company representing the largest global banks has driven most of the payment tokenization standardization efforts. Although these organizations have advocated for public discussions and input in an open environment, some critics argue that the management of standards development should be left to an open-standards body such as X9 or ISO. Tokenization efforts and standards will continue to evolve as tokenization may play a critical role in mitigating payment risk in the future. Still, security challenges will remain even with its adoption. In the next installment of this tokenization series, we will examine risks that that a tokenized payments environment won't resolve, and risks that will be all new.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


September 29, 2014 in authentication, fraud, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c6e9606d970b

Listed below are links to blogs that reference Let's Talk Token, Part II: Distinguishing Attributes:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 08, 2014


Seeking a Successful Biometric Solution

As an earlier post noted, advances in technology have spurred the implementation of various biometric authentication methodologies in the consumer market. But as people are discovering, not all methodologies are equally suited for all applications. Those who are implementing such applications have to consider risk level, cost, operating environment, and targeted population. They also have to evaluate a number of other factors to determine if a particular biometric is better suited than another for an intended application. These factors include but are not limited to:

  • Uniqueness. While the biometric doesn't always have to be unique to every individual on the planet, the probability that two people share a particular characteristic should be unlikely enough to prevent an unacceptable number of false acceptances (when one person is wrongly authenticated as another). For example, fingerprints are considered to be unique to every individual, but current smartphone fingerprint readers have such low-resolution scanners that the possibility of a false acceptance is one in 44,000. This rate is most likely sufficient for many applications, but a high-dollar transaction may require supplemental authentication.
  • Universality. The targeted characteristic must be present in the overall population, with only a few exceptions. Only a couple of biometric elements, such as DNA and facial recognition, can provide complete population coverage. Hand geometry and vein recognition, for example, won't work on people who are missing fingers or other body parts.
  • Permanence. The characteristic should not change over time. Even though people can alter almost any physical characteristic through medical procedures, the possibility of such alteration to the characteristic being considered for biometric authentication should be infrequent among the population—and the alteration procedure should be relatively expensive.
  • Collection ease. The more invasive the collection of the biometric sample, the more resistance people will have to it. People tend to view facial and voice recognition and fingerprinting as noninvasive but retinal scans as highly invasive—a light beam scans the back of the person's eye, which can be very uncomfortable.
  • Performance. The biometric element must support the creation of a template that is accurate and quickly obtained while also providing minimal database storage requirements. A system that takes a long time to authenticate someone during peak usage periods will encounter user dissatisfaction and possibly decreased productivity.
  • Accuracy. Individuals should not be able to fool the system. Fingerprint readers should verify that the right fingerprints belong to the right person, that a spoken phrase is live and not recorded, and so on.
  • User-embraced. Even when people have to use certain biometric authentication systems as a condition of their employment, the technology should be one that has a high level of acceptance, with minimal cultural, religious, collective bargaining, or regulatory implications.
  • Cost-effectiveness. As with all risk management practices, the cost of implementing and operating the system must be commensurate with the risk exposure for using a less secure authentication system.

As you consider the possibility of implementing a biometric authentication methodology for your customers, I hope you will find these evaluation elements helpful.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2014 in authentication, biometrics, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73e104104970d

Listed below are links to blogs that reference Seeking a Successful Biometric Solution:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 18, 2014


Crooks Target Business Clients

Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.

Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:

  • Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
  • Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system

Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.

The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 18, 2014 in authentication, cybercrime, data security, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73e029c67970d

Listed below are links to blogs that reference Crooks Target Business Clients:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 11, 2014


Improving Mobile Security with Biometrics

During the last year, the release of two smartphones with fingerprint readers by two different manufacturers was met with a lot of excitement. People in the payments industry were keen on the ability of the new phones to better authenticate mobile payments. Fingerprints are one of several biometric methods used today to supplement passwords.

Fingerprint

Biometrics refers to techniques that use measurable physical characteristics that lend themselves to automated checking techniques. In addition to fingerprints and vein recognition, biometrics can include voice, facial, and iris recognition, and even DNA matching, among others.

As the Federal Reserve's report Consumers and Mobile Financial Services 2014 noted, consumers' security concerns are a big barrier to the adoption of mobile banking. Mobile proponents believe this barrier can be reduced with the additional security features that mobile phones can provide, along with consumer education. There is no question that the mobile phone offers a number of ways to authenticate the user more positively, using both overt and covert methods. One well-known covert option is the smartphone's geolocation function, which allows verification that the phone is in the location it's supposed to be. Another covert method is "device fingerprinting," whereby a number of digital characteristics about the consumer's phone can be captured and used to verify that the phone being used is the one originally registered.

The most common overt biometric methods being tested today are fingerprint and facial recognition. While only a small number of mobile phones in use today in the United States have fingerprint readers, the vast majority have a camera that could support a facial recognition application. Both of these biometric methods are minimally invasive.

The key difference between biometric verification and user ID and password verification creates the greatest challenge for implementing biometrics authentication: with passwords, unless there is a 100 percent match between the data on file and the data the user enters in trying to gain access, the request is automatically rejected. It may be the legitimate user trying to gain access but maybe he or she forgot the password. Nevertheless, the system rules block access until the user's identity can be authenticated through some other means. On the other hand, the nature of biometrics is such that a 100 percent match between the stored template value and the live template value is rare—possibly because of differences in lighting conditions or angles when biometric measurements are made, or differences between readers, or some other reason. To deal with this gap, the manager of each application has to determine an acceptable accuracy level for both false-positives (whereby a party incorrectly matched is authorized) and false-negatives (whereby the authentic party is denied access). Naturally, false-positives pose the greater threat. False-negatives generally just involve some level of inconvenience until the individual can be authenticated and provided access.

No matter what biometric authentication methodology a system uses, the most important step is validating each customer's biometrics upon enrollment in the program. We will discuss this issue and other challenges for biometric programs in future issues of Portals and Rails.

 

Photo of Douglas A. KingBy Dave Lott, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 11, 2014 in authentication, biometrics, innovation, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a511f452e8970c

Listed below are links to blogs that reference Improving Mobile Security with Biometrics:

Comments

Dave,
PKI based digital certificates can also be used to secure mobile devices and provide a far more reliable means of device ID than geolocation or device fingerprinting

Posted by: Doug Parr | August 19, 2014 at 08:48 AM

When considering usability of biometric authentication on a mobile phone, there is no more "minimally invasive" method than voice biometrics. These devices are first and foremost voice-enabled.

Posted by: Brian Moore | August 12, 2014 at 01:00 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 03, 2014


Call Center Phone Fraud: Are You Really Who You Say You Are?

"Have I reached the party to whom I am speaking?" Lily Tomlin would use this line whenever she would play her character Ernestine the telephone operator on the classic TV comedy show "Laugh-In." But to the thousands of financial institutions that operate call centers, the question of whether their customer service representatives are talking to an actual customer is no laughing matter.

In a recent report on call center phone fraud, Pindrop Security cites a number of alarming statistics based on their clients' actual experiences: one in every 2,500 calls to a call center is fraudulent; the average fraud loss per call received is $0.57; and the average potential loss to an account from phone fraud is more than $42,000. It seems that the call center has become an increasingly attractive target for fraudsters.

A call from someone not authorized to access the bank account in question may not directly result in a financial loss on that call. In fact, Pindrop's research indicates that it takes an average of five calls before the fraudster gathers enough information to strike. They use those preliminary calls to gain account or customer information that will help them subsequently to generate a fraudulent transaction, whether it's through the call center or another channel. Some of the calls are from criminals who are simply trying to get account information such as credit and debit card information that they can sell to others. Some of the calls attempts to change account settings such as statement mailing address or call-back phone numbers. With a simple address change, the criminal can gain more information about the accountholder and also keep the victim from being alerted to fraud on their account. Often, a call that results in a direct loss occurs when the fraudster obtains sufficient account credentials to generate a fraudulent wire transfer or ACH transfer from the targeted account.

While these criminals might be looked at as "low-tech hackers" compared to the sophisticated hackers who probe computer systems or worse, the evidence from law enforcement shows that these groups are just as well-organized and sophisticated. They are often based outside the United States, which makes investigations and prosecutions difficult. Sometimes they use technology to change their voice or to show a fake phone number on the bank's caller ID system. The fake phone number helps the fake caller avoid suspicion when the call is coming from outside the customer's area of residence.

To address this growing attack vector, financial institutions are adopting new technology to help them detect potentially fraudulent calls. Voice biometric technology can detect altered voices or even compare the caller's voice to a database to verify the caller's legitimacy. In addition, phone call and device "fingerprinting" gathers enough information from the caller's device to allows the call to be scored, just like a card transaction, on how likely it is to be fraudulent.

It is clear that criminals are attacking all physical and virtual channels of banks, sometimes using information obtained through one channel to carry out fraud in another channel. Portals and Rails believes it is important that you approach your fraud mitigation strategy from a cross-channel perspective. Please let us hear about your challenges and successes with such efforts.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 3, 2014 in authentication, banks and banking, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d6e311b970d

Listed below are links to blogs that reference Call Center Phone Fraud: Are You Really Who You Say You Are?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 25, 2013


Maintaining a Strong Defense with Layered Security

A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.

This multilayered security is highly effective in today's computer age. Financial institutions that haven't done so already should institute such a strong online authentication process. This process would require an individual who needs to access an account to go through multiple layers of authentication according to the risk level associated with the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a wire transfer request for $50,000, more layers of authentication tools are appropriate and in keeping with the 2005 Federal Financial Institutions Examination Council's supplemental guidance for internet banking to implement more robust controls as the risk level of the transaction increases.

Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payment Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individuals tools based on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave pretty low scores to each individual tool, they pointed that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of these combinations would be higher.

As the table shows, only one of the tools had an average score above 5.

Output effects from alternative tax reforms

We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.

Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 25, 2013 in authentication, banks and banking, cybercrime | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b01a2f45e970b

Listed below are links to blogs that reference Maintaining a Strong Defense with Layered Security:

Comments

Interesting that Tokens scored that high. With malware bypassing them and the overhead of physical management of the hardware.

But, agree 100%...layered security is only direction to go in.

Posted by: Matthew | November 25, 2013 at 09:24 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


July 2015


Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  

Archives


Categories


Powered by TypePad