Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

March 23, 2015


Balancing Security and Friction

Several weeks ago, my colleague, Dave Lott, wrote a post addressing the question "Does More Security Mean More Friction in Payments?" Having had several weeks to ponder this concept while attending multiple payments conferences and participating in similar discussions, I can say that I believe that securing payments does mean more friction. Friction may not be seen as good for commerce, but it can be good for security. An enormous challenge that those in the payments industry face is determining the right balance of friction and security. This challenge is heightened since consumers have a range of choices in payment types, yet do not often bear financial liability for fraudulent transactions.

It is absolutely critical to secure the enrollment or provisioning of the payment instrument on the front end. However, this introduces friction before a payment transaction is even attempted. And if consumers deem the process too onerous, they can reject that payment instrument or seek alternative providers. The recent media coverage of fraud occurring through Apple Pay highlights the challenge in the onboarding process. Consumers and pundits have raved about the ease of provisioning a card to their Apple Pay wallet through what they already have on file with iTunes. But fraudsters have taken advantage of this easy onboarding process. I should stress that this isn't just a mobile payments or Apple Pay problem—fraudsters are well-versed in opening bank accounts, credit cards, and other payment instruments using synthetic or stolen identities.

Let's assume that a person's payment credentials are in fact legitimate. Verifying that legitimacy introduces more friction into the payment process. A transaction that requires no verification obviously comes with the least friction, but it is the riskiest. Signatures and PINs bring a small amount of friction to the process, with very different results in terms of fraud losses. We don't know yet what kind of friction, if any, different biometric solutions create during both provisioning and the transaction. Issuers must enable the various forms of verification, and it is up to the merchants to implement solutions that will use various verification methods. Yet consumers, who bear less of the risk of financial loss from fraudulent transactions than the merchants, can choose which payment method, and sometimes which verification method, to use—and they often do so according to the amount of friction involved, with little to no regard for the security.

Issuers and merchants will offer the right balance of friction and security based on the risks they are willing to take and the investments they make in security processes and solutions. But it is the consumer who will ultimately decide just by accepting or rejecting the options. With limited or no financial liability, consumers are often willing to trade off security in favor of less friction—and the financial institutions and merchants have to bear the losses. So I'll ask our Take On Payments readers, how do you balance friction and security in this environment?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


March 23, 2015 in biometrics, consumer fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb080d3a99970d

Listed below are links to blogs that reference Balancing Security and Friction:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 20, 2015


Phone Scams: Still Calling Around

With 2014 filled with news about data breaches and faster payments and new technologies trying to jumpstart various payment applications, it was easy to forget about that old-fashioned device, the telephone, and the role it can play in fraud. (It's been almost a year since I wrote the post "Phone Fraud: Now It's Personal!" about fraud schemes involving telephones.)

Pindrop Security recently released some research on the most frequent consumer phone scams, reminding us of how criminals can use a low-tech device combined with high-tech research tools to scam millions of consumers out of tens of millions of dollars each year.

We can generally place the underlying tactics of the scams into one of four categories:

  • Scare tactics. Often, the caller poses as a governmental agency official such as an IRS agent or law enforcement officer and advises the victim they have an outstanding debt or arrest warrant. The caller tells the victim to send in a certain amount of money immediately to cover the debt or pay a fine—or be arrested, have a lien placed against the home, or face other serious actions. The criminal's goal is to obtain funds directly from the victim.
  • Attractive offers. In this type of scam, the caller generally wants the victim's payment card or bank account number—although, as we outlined in an earlier post on advance fee scams, the caller may also be after direct payments. The offer may be for anything from a free vacation to a government grant, or from a reduction in the victim's mortgage or credit card interest rate. In any case, the caller insists the victim pay a handling fee. Sometimes, the caller asks questions about the victim's banking accounts to make sure the victim "qualifies" for the special offer. With the information obtained, the fraudsters generate payment transactions or use that information for future identity theft efforts.
  • High-pressure techniques. Most scams involve high-pressure techniques; the criminals want to create a sense of urgency to get the victim to act quickly, without thinking. A common scenario is when the caller tells the victim that his or her bank account or payment card has been frozen because of suspicious activity and then urges the victim to provide sensitive account information to restore the account to normal status. The caller can then use the information the victim has provided to initiate fraudulent transactions or identity theft.
  • Information-gathering. A criminal may call to get "additional" information about a customer to go into an identity profile that the criminal can use later in committing an identity theft crime. Often the criminal has already gathered some information about the targeted victim through social media or public records to weave into a cover story about why they are requesting the information to make the story more believable.

Since any of us can be a target of such calls, we must educate ourselves—and the public and our colleagues—about these scams constantly so we can all be on the alert and safeguard our accounts and personal information.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


January 20, 2015 in consumer fraud, identity theft, phone fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c73af7e5970b

Listed below are links to blogs that reference Phone Scams: Still Calling Around:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 25, 2014


Forty Years and Still Scamming

I suspect that a lot of us have received a letter or an e-mail supposedly from another country's government official or banker informing us that there were some unexpected riches coming our way. We could become millionaires, these strangers tell us, by claiming a prize from a lottery that we don't remember entering. Or they say we just might become millionaires by helping them transfer money out of their country, since they can't because of some sort of bureaucracy or regulation. Before tossing these letters or e-mails into the trash, did you ever linger for just a moment wondering if these riches could actually be coming to you?

A large number of people, particularly in the United States, think the scam is legitimate and are willing to invest up to tens of thousands of dollars to claim their share of the pot of gold. Sadly, they find not only that there is no gold, but also that there isn't even a pot. This type of fraud is classified as an advance fee fraud because the scam involves the victim having to send money in advance, to cover fees or taxes, before they can receive their share of the bounty. The advance fee fraud is one type of 419 Nigerian fraud, so called because early versions originated in Nigeria, where criminal code 419 describes the fraud. 419 fraud began in the 1970s with letters—often with counterfeit postage marks—that targeted small business owners, requesting their help in handling new oil wealth.

Over the next three decades, the solicitations grew at such a tremendous pace that in 2002, the Department of Justice got a court order to allow postal employees to open every letter from Nigeria that was handled through the United States Postal Service's mail facility at John F. Kennedy Airport. They found that more than 70 percent of these letters contained some sort of fraudulent scheme solicitation.

As law enforcement's focus on Nigeria intensified, the 419 groups moved to other countries. These groups reportedly have major operations in at least 150 countries and the involvement of more than 800,000 people. Ultrascan Advanced Global Investigations (UAGI), an Amsterdam-based association focused on disrupting the operations of criminal networks, stated in a preliminary 2013 report that U.S. victims lost $2.3 billion in 2013—more than in any other country.

As with other types of criminal activity, the techniques that advance fee criminals use have become more sophisticated, evolving alongside technological advances. They've moved their method of solicitation from mail to faxes and then to e-mails. And now, instead of just sending mass mailings or e-mails, many of the criminals are tailoring e-mail messages, lacing them with personalized information obtained from social networks and professional and dating websites. For lottery-themed advance fee schemes, the UAGI estimates that 3 percent of the targets respond and make at least one advance payment.

Even more interesting, the report refutes some common misconceptions about the victims usually being lower income or with less education and desperate for some sort of financial windfall. In fact, a number of high-income professionals are taken in by some of the more sophisticated schemes involving high-dollar ventures including real estate development and medical equipment. The report also notes that, for victims losing more than $200,000, 85 percent of them had recently experienced some sort of life-changing family trauma such as a death, divorce, or major illness.

Education by financial institutions remains the most valuable tool to defend against these schemes. These institutions should use in-house media and other methods, such as public service announcements, to alert consumers to these scams, particularly those that appear in the FIs' service areas. I know of some institutions that train their frontline staff to watch for such unusual transactions, particularly by the elderly, as a supplement to their anti-money-laundering education. Financial institutions and consumers should report advance fee fraud attempts immediately to the local Secret Service or FBI office for investigation.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 25, 2014 in consumer fraud, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73e082622970d

Listed below are links to blogs that reference Forty Years and Still Scamming:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 04, 2014


Fishing for Your Private Data

fishing Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.

Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.

In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the email, and without opening any attachments.

In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.

Photo of Deborah Shaw

August 4, 2014 in banks and banking, consumer fraud, consumer protection, data security, fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73dfaf641970d

Listed below are links to blogs that reference Fishing for Your Private Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 23, 2014


Do Consumers REALLY Care about Payments Privacy and Security?

Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.

The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).

Consumers Post Breach Actions

In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed it monthly.

When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At "Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.

Photo of Deborah Shaw

June 23, 2014 in consumer fraud, consumer protection, data security, identity theft, privacy | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a3fd23a8ce970b

Listed below are links to blogs that reference Do Consumers REALLY Care about Payments Privacy and Security?:

Comments

Consumers have been hearing "the horror stories around the campfire" for so long, they have come to believe that if the "boogieman" is going to get you, there is nothing you can do about it. However, this is just not true. The FSO industry needs to promote consumer education efforts to update the public: we are each provided options every day that can serve to reduce our exposure to the fraud/ID theft boogieman - at FraudAvengers.org we call it "anti-fraud activism". Once aware, consumers will find themselves liberated to make choices based on their own risk tolerance about: how they make and receive payments; how they use their communication devices; the places in which they voluntarily place their personal information; ways and frequency of monitoring their financial, medical and other personal records; who and how they do business with people they have never met and/or do not know; etc. By ensuring we always include the "lessons learned" after we tell our horror stories, we serve to educate the public and inform them of protective actions they can take in their own defense. Crime collar criminals are always looking for victims: by reducing one's visibility to them and by proactively knowing what to watch-out for, consumers can greatly reduce the likelihood of becoming victims.

Posted by: Jodi Pratt | June 23, 2014 at 03:19 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 28, 2014


Is Personal Data Privacy Going, Going, Gone?

Since last December, it seems that not a week has gone by without a headline about another breach of consumers' payment or personal data. These articles—which are no longer limited to banking or IT industry publications—have created both weariness and concern among consumers. The market research firm GfK conducted a national survey of U.S. consumers in March 2014 to measure the impact of these breaches and better understand how consumers view and manage their personal data. They surveyed 1,000 individuals over the age of 18 and sorted the results by generation. Some of the findings I found most interesting were:

  • All generations are concerned about the protection of their personal data and, overall, 59 percent indicated that their concern has risen over the last 12 months.
    Question: Are you concerned about the protection of your personal data?
  • One-third of the survey participants indicated that they had been the victim of the misuse of their personal data at least once over the past year.
  • Over half (54 percent) of those surveyed don't believe the U.S. government is doing enough to protect their data, with two-thirds of the pre-boomers taking that position.
  • Overall, 80 percent of the respondents believe there should be additional regulations preventing organizations from reselling their personal data to third parties.
  • There is a strong demand from consumers for all consumer-facing industries to change their data privacy and personal data usage policies, but that demand is the highest for credit card companies and social networks.
  • Banks are in the top four trusted organizations regarding the protection of personal data but trailing health care organizations, online payment systems, and online retailers. Social networks, international businesses, and marketers and advertisers are the least trusted.
  • Although more than half of the participants do not agree with the tracking or recording of communication data without their permission, younger generations are not as concerned.
    Agreement with the statement: I accept that my communications data (e.g. phone, online) can be recorded without my approval to prevent crime.

So how are consumers behaving in light of this increased concern? Almost half (48 percent) indicated that they have changed their online practices and are avoiding the use of online auctions, online banking, and online social networks to reduce the likelihood that their personal data might be compromised or misused in some way. I have seen other research indicating that as much as 40 percent of a retailer's customers that have had their personal data compromised through a breach at that retailer will avoid that retailer, at least in the immediate term.

So what is the best approach to develop and maintain safeguards for consumer's personal information and transaction data? The private sector has always championed self-regulation through standards efforts such as PCI-DSS, but we all recognize that being compliant with a common minimum standard is not the same as being totally secure. There has been no shortage of recent congressional discussion on this issue, and future major breaches will likely add to the momentum such that it will be difficult to stop. Is that where you think we are headed—a regulatory fix coming from a legislative mandate? Let us hear from you.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 28, 2014 in consumer fraud, consumer protection, data security, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a3fcfb4cc5970b

Listed below are links to blogs that reference Is Personal Data Privacy Going, Going, Gone?:

Comments

The Target breach, in which 110 million Americans lost critical personal and financial data, is just the latest problem caused by extending legacy payment networks built in the 1960s to internet originated payments.

In the classic New Yorker cartoon, one dog says to the other, "On the Internet, nobody knows you're a dog." Until we solve this problem, the legacy payment networks cannot be made secure. They were not architected with security built into them to do what we are doing today by extending them to payments generated from the internet. The security of any network is only as good as its weakest node. By moving access to the legacy payment systems to the internet, we added tens of millions of nodes to each legacy payment system and most of those nodes are not securely authenticated or truly secure.

A next generation payment system is required that is architected with security and encryption of all data "end to end", with no data ever “in the clear” and in which all users are "strongly authenticated". It is less expensive by orders of magnitude to build a new next generation payment system that can do that, than to retrofit one of the existing legacy payment systems, as I was once told by the former global CIO of VISA International. The existing legacy payment systems are all designed to have required information "in the clear" at multiple points in the transaction cycle.

The rapid rise of Bitcoin, despite its significant flaws, highlights the hunger in the marketplace for a better and more secure internet based global payment system. It would be better if that next generation payment system was also bank-centric and properly regulated, none of which Bitcoin is.

FYI, the New Yorker cartoon was first published in 1994, so this problem has been building for over 20 years.

Posted by: Stephen Lange Ranzini | April 28, 2014 at 05:31 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 10, 2014


Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn’t it easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a51180c012970c

Listed below are links to blogs that reference Who Is Responsible for Consumer Security Education?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 24, 2014


Phone Fraud: Now It's Personal!

One recent Sunday evening, I received a call on my mobile phone from a number with a 374 area code. I did not recognize this number, and it wasn't in my stored contacts. I answered the call, and there was that brief pause that alerted me it was likely a mass marketing call. I was getting ready to launch into my standard "No, thank you, and this number is on the Do Not Call registry, so please don't call again," when a female voice with a strong foreign accent identified herself as a representative from the Microsoft Windows Security Center. "Microsoft" and "security" are two words that are likely to grab anyone's attention quickly, so I stopped myself. She then asked me to verify that I had a computer running Microsoft Windows. I mean, who doesn't but the most diehard Apple user? All kinds of warning bells were sounding in my head, but I played along to see where this routine was going.

In a recent post, I wrote about the growing problem of criminals targeting bank call centers. Well, criminals target consumers, too. Sometimes the callers claim to be representatives of the consumer's financial institution, and they try to get account or payment card information. I ended the post post with descriptions of some of the new technology being used to fight against this type of fraud. Unfortunately, most consumers don't have access to the technology the banks do to help identify the fraudsters.

But back to my call. The caller informed me that the Microsoft Windows Security Center had received a message that my computer was infected with a virus. She added that the Security Center had a download available to remove the virus and protect my computer, it would cost only $19.99, and she could take payment over the phone with a credit card. I asked which of my computers sent the message because I didn't want to pay to have the download put on noninfected computers. My response seemed to confuse her. But then she said that the download could be installed on up to three computers at no additional charge—what a bargain! I then told her a security scan the night before had found nothing wrong and I didn't believe she was from Microsoft, and I hung up. When I tried to trace the phone number, I learned there is no 374 area code in the United States, but 374 is Armenia's country code.

While the earlier post showed the need for financial institutions to use a cross-channel fraud mitigation strategy, we must always keep in mind that consumers are also under frequent attack. As we at Portals and Rails have stated many times, continuing education is a vital factor in helping customers protect their money, and this experience only reinforces that need. I was informed enough to sniff this call out for the scam that it was, but would my 84-year-old mother-in-law have been as savvy? Maybe I should give her a call to make sure!

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 24, 2014 in consumer fraud, phone fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5117488ad970c

Listed below are links to blogs that reference Phone Fraud: Now It's Personal!:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 13, 2014


Into the Breach: Protecting the Integrity of the Payment System

The breach of Target's point-of-sale system that compromised up to 40 million cardholders during the 2013 holiday shopping period has prompted us to step back and examine this attack—and wonder about its aftereffects. We've certainly seen the expected media attention for a crime of this magnitude, and the filing of class-action lawsuits wasn't far behind despite the lack of any verifiable fraud—as yet. We also have to wonder about its effect on consumers' confidence in the U.S. payment system.

For consumers to have confidence in the payment system, it is critical that they feel their financial information is protected during a payment transaction. And when that information has to be stored, they need to know that it is stored safely and securely. The research shows—and many consumers are well aware—that the creation of synthetic or stolen identities depends primarily on information obtained from data breaches.

All kinds of consumer advice followed the data breach. Many consumer advocates advised cardholders who had used their debit card at Target during the time their POS system was compromised to go to their financial institutions and request a card reissuance to prevent possible fraud. Others focused not on how consumers might recover from the Target breach but on how to prevent problems in the future—that is, they suggested that consumers use credit cards rather than debit cards because with credit cards, unauthorized transactions will not affect the payment of legitimate transactions. Some advocates suggested that people authenticate their debit cards at POS terminals with their signatures rather than their PINs, despite the fact that the level of PIN-based debit card fraud is almost one-third the level of signature-based debit card fraud.

Financial institutions also had varying responses. Some reissued cards when customers requested new cards, while others took a wait-and-see attitude. Still others lowered transaction limits on their customers' debit cards to minimize fraud exposure.

Of course, the Target incident has heated up the magnetic-stripe-versus-EMV conversation. As we've posted many times, the magnetic stripe was never intended to be a secure medium; the sophisticated and highly automated authorization systems were intended to carry the load of fraud detection capabilities. Some in the U.S. payment industry are calling for an acceleration of the migration to chip cards, currently scheduled for October 2015. They argue that EMV/chip cards will virtually eliminate the ability to create counterfeit cards. Some are even requesting that the government or the card networks mandate the technology, which many other countries did in their transitions to EMV. However, the reality is, we will have to keep our magnetic-stripe cards a minimum of five to 10 years, until the vast majority of merchant locations are equipped with EMV-capable terminals. And we should keep in mind that EMV is not a solution by itself—it cannot address card-not-present fraud.

As the authorities complete the forensics of the recent data breach, the industry will develop and implement additional security controls and measures. This added security will then prompt the criminals to look for other weak points. And look they will. So has this major incident shaken consumers' confidence? It is too early to know. What is clear is that the payments industry must come together to develop a cohesive strategy, and they should do so before consumer confidence in the payments system is further compromised.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 13, 2014 in consumer fraud, consumer protection, debit cards, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a510d2b25b970c

Listed below are links to blogs that reference Into the Breach: Protecting the Integrity of the Payment System:

Comments

As the number of consumers affected by the Target breach has risen to 110 million and news of the Neiman Marcus and Michaels breaches surface, much discussion about improving card security has been sparked—including the adoption of EMV technology. While EMV is not the perfect solution, it is only a matter of time before the costs of fraud in the U.S. begin to outweigh the cost of implementing EMV cards or another innovative technology that works within our existing infrastructure. The tipping point may be here for banks to take a step in a new direction to better address card security in the U.S.

Posted by: Karen Gordon | January 28, 2014 at 04:56 PM

Why is the U.S. so behind Europe and Asia in adopting EMV in place of magentic stripe?

Do you think accelerating the migration to chip cards will happen?

Posted by: Saba H | January 21, 2014 at 09:21 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 19, 2013


Curbing Identity Theft and Fraud

To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.

Identity Theft Victims and Fraud Amounts

A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.

Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.

New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.

The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.

Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.

Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.

As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.

We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2013 in account takeovers, authentication, banks and banking, consumer fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0192ac9f8e60970d

Listed below are links to blogs that reference Curbing Identity Theft and Fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


May 2015


Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Archives


Categories


Powered by TypePad