Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

September 08, 2014

Seeking a Successful Biometric Solution

As an earlier post noted, advances in technology have spurred the implementation of various biometric authentication methodologies in the consumer market. But as people are discovering, not all methodologies are equally suited for all applications. Those who are implementing such applications have to consider risk level, cost, operating environment, and targeted population. They also have to evaluate a number of other factors to determine if a particular biometric is better suited than another for an intended application. These factors include but are not limited to:

  • Uniqueness. While the biometric doesn't always have to be unique to every individual on the planet, the probability that two people share a particular characteristic should be unlikely enough to prevent an unacceptable number of false acceptances (when one person is wrongly authenticated as another). For example, fingerprints are considered to be unique to every individual, but current smartphone fingerprint readers have such low-resolution scanners that the possibility of a false acceptance is one in 44,000. This rate is most likely sufficient for many applications, but a high-dollar transaction may require supplemental authentication.
  • Universality. The targeted characteristic must be present in the overall population, with only a few exceptions. Only a couple of biometric elements, such as DNA and facial recognition, can provide complete population coverage. Hand geometry and vein recognition, for example, won't work on people who are missing fingers or other body parts.
  • Permanence. The characteristic should not change over time. Even though people can alter almost any physical characteristic through medical procedures, the possibility of such alteration to the characteristic being considered for biometric authentication should be infrequent among the population—and the alteration procedure should be relatively expensive.
  • Collection ease. The more invasive the collection of the biometric sample, the more resistance people will have to it. People tend to view facial and voice recognition and fingerprinting as noninvasive but retinal scans as highly invasive—a light beam scans the back of the person's eye, which can be very uncomfortable.
  • Performance. The biometric element must support the creation of a template that is accurate and quickly obtained while also providing minimal database storage requirements. A system that takes a long time to authenticate someone during peak usage periods will encounter user dissatisfaction and possibly decreased productivity.
  • Accuracy. Individuals should not be able to fool the system. Fingerprint readers should verify that the right fingerprints belong to the right person, that a spoken phrase is live and not recorded, and so on.
  • User-embraced. Even when people have to use certain biometric authentication systems as a condition of their employment, the technology should be one that has a high level of acceptance, with minimal cultural, religious, collective bargaining, or regulatory implications.
  • Cost-effectiveness. As with all risk management practices, the cost of implementing and operating the system must be commensurate with the risk exposure for using a less secure authentication system.

As you consider the possibility of implementing a biometric authentication methodology for your customers, I hope you will find these evaluation elements helpful.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2014 in authentication, biometrics, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73e104104970d

Listed below are links to blogs that reference Seeking a Successful Biometric Solution:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 18, 2014

Crooks Target Business Clients

Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.

Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:

  • Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
  • Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system

Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.

The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 18, 2014 in authentication, cybercrime, data security, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73e029c67970d

Listed below are links to blogs that reference Crooks Target Business Clients:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 11, 2014

Improving Mobile Security with Biometrics

During the last year, the release of two smartphones with fingerprint readers by two different manufacturers was met with a lot of excitement. People in the payments industry were keen on the ability of the new phones to better authenticate mobile payments. Fingerprints are one of several biometric methods used today to supplement passwords.

Fingerprint

Biometrics refers to techniques that use measurable physical characteristics that lend themselves to automated checking techniques. In addition to fingerprints and vein recognition, biometrics can include voice, facial, and iris recognition, and even DNA matching, among others.

As the Federal Reserve's report Consumers and Mobile Financial Services 2014 noted, consumers' security concerns are a big barrier to the adoption of mobile banking. Mobile proponents believe this barrier can be reduced with the additional security features that mobile phones can provide, along with consumer education. There is no question that the mobile phone offers a number of ways to authenticate the user more positively, using both overt and covert methods. One well-known covert option is the smartphone's geolocation function, which allows verification that the phone is in the location it's supposed to be. Another covert method is "device fingerprinting," whereby a number of digital characteristics about the consumer's phone can be captured and used to verify that the phone being used is the one originally registered.

The most common overt biometric methods being tested today are fingerprint and facial recognition. While only a small number of mobile phones in use today in the United States have fingerprint readers, the vast majority have a camera that could support a facial recognition application. Both of these biometric methods are minimally invasive.

The key difference between biometric verification and user ID and password verification creates the greatest challenge for implementing biometrics authentication: with passwords, unless there is a 100 percent match between the data on file and the data the user enters in trying to gain access, the request is automatically rejected. It may be the legitimate user trying to gain access but maybe he or she forgot the password. Nevertheless, the system rules block access until the user's identity can be authenticated through some other means. On the other hand, the nature of biometrics is such that a 100 percent match between the stored template value and the live template value is rare—possibly because of differences in lighting conditions or angles when biometric measurements are made, or differences between readers, or some other reason. To deal with this gap, the manager of each application has to determine an acceptable accuracy level for both false-positives (whereby a party incorrectly matched is authorized) and false-negatives (whereby the authentic party is denied access). Naturally, false-positives pose the greater threat. False-negatives generally just involve some level of inconvenience until the individual can be authenticated and provided access.

No matter what biometric authentication methodology a system uses, the most important step is validating each customer's biometrics upon enrollment in the program. We will discuss this issue and other challenges for biometric programs in future issues of Portals and Rails.

 

Photo of Douglas A. KingBy Dave Lott, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 11, 2014 in authentication, biometrics, innovation, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a511f452e8970c

Listed below are links to blogs that reference Improving Mobile Security with Biometrics:

Comments

Dave,
PKI based digital certificates can also be used to secure mobile devices and provide a far more reliable means of device ID than geolocation or device fingerprinting

Posted by: Doug Parr | August 19, 2014 at 08:48 AM

When considering usability of biometric authentication on a mobile phone, there is no more "minimally invasive" method than voice biometrics. These devices are first and foremost voice-enabled.

Posted by: Brian Moore | August 12, 2014 at 01:00 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 03, 2014

Call Center Phone Fraud: Are You Really Who You Say You Are?

"Have I reached the party to whom I am speaking?" Lily Tomlin would use this line whenever she would play her character Ernestine the telephone operator on the classic TV comedy show "Laugh-In." But to the thousands of financial institutions that operate call centers, the question of whether their customer service representatives are talking to an actual customer is no laughing matter.

In a recent report on call center phone fraud, Pindrop Security cites a number of alarming statistics based on their clients' actual experiences: one in every 2,500 calls to a call center is fraudulent; the average fraud loss per call received is $0.57; and the average potential loss to an account from phone fraud is more than $42,000. It seems that the call center has become an increasingly attractive target for fraudsters.

A call from someone not authorized to access the bank account in question may not directly result in a financial loss on that call. In fact, Pindrop's research indicates that it takes an average of five calls before the fraudster gathers enough information to strike. They use those preliminary calls to gain account or customer information that will help them subsequently to generate a fraudulent transaction, whether it's through the call center or another channel. Some of the calls are from criminals who are simply trying to get account information such as credit and debit card information that they can sell to others. Some of the calls attempts to change account settings such as statement mailing address or call-back phone numbers. With a simple address change, the criminal can gain more information about the accountholder and also keep the victim from being alerted to fraud on their account. Often, a call that results in a direct loss occurs when the fraudster obtains sufficient account credentials to generate a fraudulent wire transfer or ACH transfer from the targeted account.

While these criminals might be looked at as "low-tech hackers" compared to the sophisticated hackers who probe computer systems or worse, the evidence from law enforcement shows that these groups are just as well-organized and sophisticated. They are often based outside the United States, which makes investigations and prosecutions difficult. Sometimes they use technology to change their voice or to show a fake phone number on the bank's caller ID system. The fake phone number helps the fake caller avoid suspicion when the call is coming from outside the customer's area of residence.

To address this growing attack vector, financial institutions are adopting new technology to help them detect potentially fraudulent calls. Voice biometric technology can detect altered voices or even compare the caller's voice to a database to verify the caller's legitimacy. In addition, phone call and device "fingerprinting" gathers enough information from the caller's device to allows the call to be scored, just like a card transaction, on how likely it is to be fraudulent.

It is clear that criminals are attacking all physical and virtual channels of banks, sometimes using information obtained through one channel to carry out fraud in another channel. Portals and Rails believes it is important that you approach your fraud mitigation strategy from a cross-channel perspective. Please let us hear about your challenges and successes with such efforts.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 3, 2014 in authentication, banks and banking, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d6e311b970d

Listed below are links to blogs that reference Call Center Phone Fraud: Are You Really Who You Say You Are?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 25, 2013

Maintaining a Strong Defense with Layered Security

A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.

This multilayered security is highly effective in today's computer age. Financial institutions that haven't done so already should institute such a strong online authentication process. This process would require an individual who needs to access an account to go through multiple layers of authentication according to the risk level associated with the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a wire transfer request for $50,000, more layers of authentication tools are appropriate and in keeping with the 2005 Federal Financial Institutions Examination Council's supplemental guidance for internet banking to implement more robust controls as the risk level of the transaction increases.

Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payment Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individuals tools based on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave pretty low scores to each individual tool, they pointed that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of these combinations would be higher.

As the table shows, only one of the tools had an average score above 5.

Output effects from alternative tax reforms

We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.

Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 25, 2013 in authentication, banks and banking, cybercrime | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b01a2f45e970b

Listed below are links to blogs that reference Maintaining a Strong Defense with Layered Security:

Comments

Interesting that Tokens scored that high. With malware bypassing them and the overhead of physical management of the hardware.

But, agree 100%...layered security is only direction to go in.

Posted by: Matthew | November 25, 2013 at 09:24 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 21, 2013

Is Knowledge-Based Authentication Still Effective?

"What is your mother's maiden name? Your oldest daughter's middle name?" Online help sessions or call centers often ask the user to provide answers to a "secret" question or set of questions most often when the user has forgotten an account password and needs to retrieve it or select a new one. This authentication process is called knowledge-based authentication (KBA). The assumption is that if the person knows the correct answers, then that person is the authentic accountholder.

I recently attended a security conference where a panel of security authentication experts all stated that any extra protection KBAs provide is minimal. The high-profile data breaches that we've read about, along with the over-disclosure of personal information on social media sites, often make the answers to these questions easily available. These experts called for the abandonment of KBAs. In further support of this position was a recent article by Brian Krebs (Krebs on Security) that detailed how an identity theft service had hacked into some of the country's largest aggregators of consumer and business information. This service then tried to sell the data over the Internet, compromising the effectiveness of KBAs.

KBA questions can be either static or dynamic. Those that are static instruct the user to select from a list of preformulated questions—such as "What is your mother's maiden name?" Some sites allow users to create their own questions. In either case, the Q&A process is normally done when the user creates the account and selects the password. Dynamic KBAs are created by the website entity and generally request a response to a series of multiple-choice questions created from data not readily available in the public domain—for example, "Select a previous address from the list."

The formulation of KBA questions requires a careful balancing act between making answers easy enough for the authentic user to retain and making them difficult for an outsider to find the answer by looking through public databases and social media sources.

The June 2011 Federal Financial Institutions Examination (FFIEC) supplemental guidance on authentication for Internet banking states about KBAs that "institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique." The guidelines support the more sophisticated dynamic KBAs, adding this caution: "Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program." But we have to ask, have the breaches of the data sources often used to create the dynamic KBAs that have taken place since the issuance of this guidance so weakened them as to negate their value?

To enhance dynamic KBA programs, institutions can time the answer input intervals, tally missed questions, and employ other factors to essentially score the KBA session, which could signal that a criminal is posing as the legitimate customer.

No matter how many questions there are, KBAs are just one identification form factor—the "something you know" part of three-factor authentication. The FFIEC recommends that multiple form factors—including the "something you have" and "something you are" components—be used with higher-risk transactions. These should be used to support a stronger security process under a layered security approach.

Portals and Rails is interested in knowing how your institution currently uses KBAs, and if recent events will change their use.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 21, 2013 in authentication, data security, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b00310712970d

Listed below are links to blogs that reference Is Knowledge-Based Authentication Still Effective?:

Comments

The FFIEC is right. Basic challenge questions will no longer cut it. Device identification is a newer technique that fraud analysts have begun to incorporate into their strategy, but even this innovation may not be enough. As consumers demand further online and mobile platforms for banking and payments, and as fraudsters continue multiplying and focusing their efforts on these very platforms, we need to start looking for more sophisticated strategies.

Posted by: Eric Lindeen | January 07, 2014 at 01:26 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 07, 2013

Fraud Happens. So What Do You Do?

As both a data junkie and someone interested in payments fraud, I must admit that I am envious of my colleagues across the pond in the United Kingdom. The Financial Fraud Action UK recently released Fraud the Facts 2013, its annual report providing insight and data on payments fraud in the U.K. financial services industry. Unfortunately, no such report exists in the United States.

This year's report drives home two key points that were discussed at our July 31 Improving Customer Authentication forum. First, the enrollment process is a critical initial step in securing transactions. Enrolling a fraudster can only result in fraudulent transactions. Second, consumer education remains an important aspect of mitigating fraud—a topic we at the Risk Forum have written and spoken on extensively. Despite the fact that the United Kingdom uses the EMV standard—which is based on chip card technology—overall payment card fraud increased by 14 percent from 2011 to 2012. Among its many insights, the report reinforces the idea that EMV adoption alone will not keep fraud from occurring.

Aside from the usual suspects of card-not-present (CNP) fraud and cross-border fraud in non-EMV countries, the report mentions two other contributors to payment card fraud growth that captured my attention. One, card ID theft fraud, which includes application fraud (using stolen or fake documents to open an account) and account takeover fraud (using another person’s credit or debit card account by posing as the genuine cardholder), increased by 42 percent from 2011 to 2012. Two, criminals have resorted to using "low-tech deception crimes" to convince consumers to part with their cards, PINs, and passwords.

The important takeaway I got from this report is that no matter the technology or standard used on payment cards, it remains critical to keep personally identifiable information protected and to continue to educate consumers about sound payment practices. The industry could use the most sophisticated and secure solutions to authorize and authenticate transactions, but those sophisticated, secure solutions can do very little to prevent the use of accounts established fraudulently.

Criminals are exploiting weaknesses in both the enrollment process and consumer behavior. These weaknesses are not something a chip-embedded card can solve.

So what tools can and should the industry use to prevent a criminal from using a stolen or synthetic identity to open an account? Do you think information available through social media could play a role in this process? We would value your thoughts.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 7, 2013 in authentication, cards, chip-and-pin, EMV, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affd3f992970b

Listed below are links to blogs that reference Fraud Happens. So What Do You Do?:

Comments

While everyone is focused on the water main, there are millions of slow, steady fraud drips that aren't getting any attention: call center transactions.

Just started a subscription yesterday and read my CC# to some faceless agent in some unknown call center. Did she write it down? The call was recorded. Are the quality monitoring people writing it down and selling it?

There are solutions readily available. They are simple. They are cheap. They work. But there is no hue and cry to use them...from consumers, from banks, from regulators, or from businesses.

Until known solutions to known and supposedly big problems are implemented, the hand wringing about fraud is beginning to look like a Potemkin Village...a veneer of concern with nothing behind it.

Posted by: Dennis Adsit | October 21, 2013 at 12:12 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 09, 2013

Improving Customer Authentication

The Retail Payments Risk Forum recently hosted payment industry participants at the Improving Customer Authentication forum. On July 31, banks, nonbank payment service providers, industry associations, law enforcement officials, and regulators listened as keynote speakers and panelists explored methods and technologies for improving customer authentication so that financial institutions and other payments stakeholders can better mitigate payments fraud. Forum goals were to help participants understand the challenges of current methods of authentication and the legal implications, as well as to explore emerging solutions, along with pros and cons, that can improve authentication in both the face-to-face and remote channels.

Some of the key learnings from the forum include:

  • Customer authentication is critical to proving identity, authority, and consent throughout the entire payment process.
  • Customer authentication can be achieved by any combination of factors within three categories. For best practice, different categories should be used:
    • Something you know (user ID, password)
    • Something you have (card, phone)
    • Something you are (biometrics, activity pattern)
  • Currently, no single, simple, legally approved method for authorizing a payment or ensuring that a particular payment is authorized exists.
  • New payment types are stretching the boundaries of the current payments infrastructure and have created weak points that are being probed and exploited by cybercriminals.
  • While overall payment card fraud levels, as expressed as a percentage of sales, are at an all-time low, certain categories of card fraud such as card-not-present (CNP) are significantly increasing.
  • Financial institutions are encouraged to build relationships with local and federal law enforcement officials and to report fraud—it is possible that a crime at your institution is part of a larger network of criminal activity.

For a more complete summary of the forum and to see video interviews with two of the forum speakers, go to the conference website.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 9, 2013 in authentication, biometrics, emerging payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019aff4777b1970c

Listed below are links to blogs that reference Improving Customer Authentication:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 19, 2013

Curbing Identity Theft and Fraud

To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.

Identity Theft Victims and Fraud Amounts

A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.

Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.

New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.

The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.

Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.

Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.

As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.

We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2013 in account takeovers, authentication, banks and banking, consumer fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0192ac9f8e60970d

Listed below are links to blogs that reference Curbing Identity Theft and Fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 04, 2013

Who Am I? Authentication Challenges

It's tax time again. I dread this time of year. It's not just because I don't like paying taxes—who does? It's because I am always a little nervous as a result of an experience my husband once had. Some years ago, my husband was the victim of identity theft and, every so often, we are forced to confront another attempted assault on our finances. We became aware of another assault two years ago when we attempted to file our federal tax return electronically and it was rejected. The IRS already had a record of a processed return under my husband's Social Security number (SSN). For now, we file our returns the old-fashioned way, printing and mailing them.

Juxtapose that low-tech solution against the high-tech approach that fraudsters use. Using ill-gotten SSNs, names, and birth dates, these identity thieves electronically file fraudulent returns as early as possible. They then nab the refunds quickly, either through receipt of a prepaid debit card from the IRS or through direct deposit into a bank account specifically used for obtaining the fraudulent refund, which they immediately cash out.

Filing of fraudulent tax returns has reached epidemic proportions. In 2012, a Treasury Inspector General for tax administration testified before Congress that the IRS detected and stopped almost one million fake returns for 2010, totaling $6.5 billion.

In recent years, the government, through legislation, has encouraged use of other identification methods and greater care in the storing and sharing of SSNs and other personally identifiable information. However, the SSN remains the preferred identification method. Knowing that criminals and taxes will never disappear, the issue then is with the authentication—that is, checking identity at the door.

The IRS is being proactive by requiring taxpayers to supply additional information. Perhaps the agency could use the same technology to combat the criminals that the criminals are using to initiate the crime. A recent Portals and Rails post looked at "Big Data" and discussed how financial institutions can profile consumer behavior to detect fraud. Could the IRS use Big Data techniques to help detect tax returns that seemingly have fraudulent characteristics? For example, the IRS could flag early filings, understanding that historically a particular filer's W-2 information is not available until as late as the end of March. However, the post also discussed the question of when data collection and behavior profiling crosses the line from marketing opportunities to privacy invasion, an issue the IRS would have to consider.

The integrity of mobile payments, online banking, card payments, and any other form of electronic payment rely on the authentication of the payer. Many authentication methods in the payments world are by necessity pretty sophisticated. But criminals are finding ways to compromise these methods, too. As we move headlong into the world of digital payments, proving genuine identity, or authentication, is vital.

Mary KeplerBy Mary Kepler, vice president and director of the Retail Payments Risk Form at the Atlanta Fed

March 4, 2013 in authentication, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c374c01b0970b

Listed below are links to blogs that reference Who Am I? Authentication Challenges:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in