Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn’t it easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a51180c012970c

Listed below are links to blogs that reference Who Is Responsible for Consumer Security Education?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 24, 2014

Phone Fraud: Now It's Personal!

One recent Sunday evening, I received a call on my mobile phone from a number with a 374 area code. I did not recognize this number, and it wasn't in my stored contacts. I answered the call, and there was that brief pause that alerted me it was likely a mass marketing call. I was getting ready to launch into my standard "No, thank you, and this number is on the Do Not Call registry, so please don't call again," when a female voice with a strong foreign accent identified herself as a representative from the Microsoft Windows Security Center. "Microsoft" and "security" are two words that are likely to grab anyone's attention quickly, so I stopped myself. She then asked me to verify that I had a computer running Microsoft Windows. I mean, who doesn't but the most diehard Apple user? All kinds of warning bells were sounding in my head, but I played along to see where this routine was going.

In a recent post, I wrote about the growing problem of criminals targeting bank call centers. Well, criminals target consumers, too. Sometimes the callers claim to be representatives of the consumer's financial institution, and they try to get account or payment card information. I ended the post post with descriptions of some of the new technology being used to fight against this type of fraud. Unfortunately, most consumers don't have access to the technology the banks do to help identify the fraudsters.

But back to my call. The caller informed me that the Microsoft Windows Security Center had received a message that my computer was infected with a virus. She added that the Security Center had a download available to remove the virus and protect my computer, it would cost only $19.99, and she could take payment over the phone with a credit card. I asked which of my computers sent the message because I didn't want to pay to have the download put on noninfected computers. My response seemed to confuse her. But then she said that the download could be installed on up to three computers at no additional charge—what a bargain! I then told her a security scan the night before had found nothing wrong and I didn't believe she was from Microsoft, and I hung up. When I tried to trace the phone number, I learned there is no 374 area code in the United States, but 374 is Armenia's country code.

While the earlier post showed the need for financial institutions to use a cross-channel fraud mitigation strategy, we must always keep in mind that consumers are also under frequent attack. As we at Portals and Rails have stated many times, continuing education is a vital factor in helping customers protect their money, and this experience only reinforces that need. I was informed enough to sniff this call out for the scam that it was, but would my 84-year-old mother-in-law have been as savvy? Maybe I should give her a call to make sure!

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 24, 2014 in consumer fraud, phone fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5117488ad970c

Listed below are links to blogs that reference Phone Fraud: Now It's Personal!:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 13, 2014

Into the Breach: Protecting the Integrity of the Payment System

The breach of Target's point-of-sale system that compromised up to 40 million cardholders during the 2013 holiday shopping period has prompted us to step back and examine this attack—and wonder about its aftereffects. We've certainly seen the expected media attention for a crime of this magnitude, and the filing of class-action lawsuits wasn't far behind despite the lack of any verifiable fraud—as yet. We also have to wonder about its effect on consumers' confidence in the U.S. payment system.

For consumers to have confidence in the payment system, it is critical that they feel their financial information is protected during a payment transaction. And when that information has to be stored, they need to know that it is stored safely and securely. The research shows—and many consumers are well aware—that the creation of synthetic or stolen identities depends primarily on information obtained from data breaches.

All kinds of consumer advice followed the data breach. Many consumer advocates advised cardholders who had used their debit card at Target during the time their POS system was compromised to go to their financial institutions and request a card reissuance to prevent possible fraud. Others focused not on how consumers might recover from the Target breach but on how to prevent problems in the future—that is, they suggested that consumers use credit cards rather than debit cards because with credit cards, unauthorized transactions will not affect the payment of legitimate transactions. Some advocates suggested that people authenticate their debit cards at POS terminals with their signatures rather than their PINs, despite the fact that the level of PIN-based debit card fraud is almost one-third the level of signature-based debit card fraud.

Financial institutions also had varying responses. Some reissued cards when customers requested new cards, while others took a wait-and-see attitude. Still others lowered transaction limits on their customers' debit cards to minimize fraud exposure.

Of course, the Target incident has heated up the magnetic-stripe-versus-EMV conversation. As we've posted many times, the magnetic stripe was never intended to be a secure medium; the sophisticated and highly automated authorization systems were intended to carry the load of fraud detection capabilities. Some in the U.S. payment industry are calling for an acceleration of the migration to chip cards, currently scheduled for October 2015. They argue that EMV/chip cards will virtually eliminate the ability to create counterfeit cards. Some are even requesting that the government or the card networks mandate the technology, which many other countries did in their transitions to EMV. However, the reality is, we will have to keep our magnetic-stripe cards a minimum of five to 10 years, until the vast majority of merchant locations are equipped with EMV-capable terminals. And we should keep in mind that EMV is not a solution by itself—it cannot address card-not-present fraud.

As the authorities complete the forensics of the recent data breach, the industry will develop and implement additional security controls and measures. This added security will then prompt the criminals to look for other weak points. And look they will. So has this major incident shaken consumers' confidence? It is too early to know. What is clear is that the payments industry must come together to develop a cohesive strategy, and they should do so before consumer confidence in the payments system is further compromised.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 13, 2014 in consumer fraud, consumer protection, debit cards, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a510d2b25b970c

Listed below are links to blogs that reference Into the Breach: Protecting the Integrity of the Payment System:

Comments

As the number of consumers affected by the Target breach has risen to 110 million and news of the Neiman Marcus and Michaels breaches surface, much discussion about improving card security has been sparked—including the adoption of EMV technology. While EMV is not the perfect solution, it is only a matter of time before the costs of fraud in the U.S. begin to outweigh the cost of implementing EMV cards or another innovative technology that works within our existing infrastructure. The tipping point may be here for banks to take a step in a new direction to better address card security in the U.S.

Posted by: Karen Gordon | January 28, 2014 at 04:56 PM

Why is the U.S. so behind Europe and Asia in adopting EMV in place of magentic stripe?

Do you think accelerating the migration to chip cards will happen?

Posted by: Saba H | January 21, 2014 at 09:21 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 19, 2013

Curbing Identity Theft and Fraud

To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.

Identity Theft Victims and Fraud Amounts

A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.

Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.

New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.

The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.

Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.

Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.

As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.

We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2013 in account takeovers, authentication, banks and banking, consumer fraud, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0192ac9f8e60970d

Listed below are links to blogs that reference Curbing Identity Theft and Fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d430443c3970c

Listed below are links to blogs that reference Are You the Weakest Link?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 01, 2012

Summer Is Gone, but ACH Fraud Remains

As the official summer came to an end this past Saturday, there was a noticeable change in the Atlanta weather that this runner was thrilled to greet. The heat and humidity of the past three months was replaced by cool and much drier air. Much like weather that changes with the seasons, the payments industry is continually evolving. Looking back through payments news over the summer, the industry experienced some shifts, most notably around mobile payments and digital wallets. However, at least one constant in payments grabbed the headlines yet again—a payments scam that could eventually lead to payments fraud.

In late June and early July, news broke of a scam that claimed President Obama or the federal government would help consumers pay their bills. In exchange for providing the scammers with personal data, such as social security number and bank routing and account numbers, consumers were given routing and account numbers to use to pay their bills. Interestingly, this scam went viral not because of scammers' actions, but through social media outlets as consumers caught up in the scam spread the word about “free money.” The routing numbers used in the scam actually turned out to be legitimate routing numbers of financial institutions—but the account numbers were invalid.

Ultimately, this scam negatively affected all involved: consumers, billers, originating depository financial institutions (ODFIs), and receiving depository financial institutions (RDFIs). Consumers' bills went unpaid, and some were saddled with late fees by their billers who had not received payments on time. ODFIs and RDFIs were left with thousands of returned items. Deborah Shaw, a managing director with NACHA, recently shared with us at the forum several procedures and policies for both ODFIs and RDFIs to consider in light of this scam:

  • ODFIs should review files for unusual patterns such as a high number of repeated routing and account number combinations.
  • ODFIs need to educate their business customers on the importance of communicating to consumers that ACH debit payments can be returned.
  • RDFIs should not delay the processing of returns, especially when there is a high volume of them. For most ACH debits, NACHA has a two-day deadline for returning the item back to the ODFI if the RDFI wants to use the ACH system for the return.
  • RDFIs must implement a methodology of monitoring returns so they can detect developing patterns.
  • RDFIs should develop a contingency plan for return volumes that significantly exceed their normal return volumes.

In addition to Deborah's suggestion, we believe that RDFIs should evaluate their systems to ensure that they can handle larger-than-normal return volumes. A large number of RDFIs still rely on manually keying returns; we suggest that these institutions consider developing an automated return process in light of these emerging risks. Further, RDFIs need to ensure that they are well-capitalized or able to access funds should they face a large debit from high return volumes and are unable to quickly return the items.

The seasons will continue to change and blow in new weather, the payments industry will continue to progress, and fraud will without a doubt continue to find its way into the ACH system. And while this fraud will evolve alongside the evolving payments industry, financial institutions can take steps to mitigate the business and financial impact of fraud by proactively instituting policies and procedures to quickly identify and return fraudulent transactions.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 1, 2012 in ACH, consumer fraud, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017c32410708970b

Listed below are links to blogs that reference Summer Is Gone, but ACH Fraud Remains:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 02, 2012

Are portable POS devices coming to a table near you?

Can you remember the last time you handed over your mobile phone to a friend, let alone a stranger? Writing from my own experience, I am guessing that it is not something people do very often. Back when our mobile phone's primary functionality was as a phone, we were generally open to letting someone borrow it to make a call. However, as phones become "smarter," we have become less inclined to give someone else access to a device that holds a wealth of information about us.

This behavior is in stark contrast to our behavior with our payment cards. While I can count on my hands the number of people whom I have let use my mobile phone, I have given my payment cards to hundreds of strangers at dine-in restaurants and allowed them to take my cards out of my sight. While an overwhelming majority of these card transactions are safe, this procedure does easily allow for bad characters to capture valuable card information that can lead to card fraud. One highly publicized skimming case that broke last November highlights the fraud risks inherent in a restaurant card transaction. This crime certainly would have been more difficult to perpetrate had the victims' cards been swiped tableside in front of them.

According to a recent Wall Street Journal article, the payment experience at restaurants might be changing. Several large restaurant chains are in the process of testing different portable tablet-type devices at the table. These devices allow restaurant patrons to perform traditional restaurant functions such as viewing menus, placing orders, and ultimately settling the bill. Some of these devices include advertising and, perhaps most intriguing, even allow patrons to play games, watch videos, and peruse news headlines.

While these portable devices have the "cool" factor, they also offer great benefits from a fraud-reduction perspective. Paying your restaurant tab without ever having your card leave your sight is a great first step in preventing the type of fraud described in the New York City incident highlighted above. Restaurants, in general, have shunned portable POS devices in the past due in large part to their expense in an industry that operates on thin margins. What's exciting with these new devices is that the new technology offers both top- and bottom-line benefits to restaurants that traditional portable POS devices don't. These devices can actually help drive an increase in existing revenues (higher average tickets) or even be a source of new revenue (advertising and fees from videogames) while also lowering a restaurant's fraud loss exposure.

I am hopeful that this new technology catches on and restaurants do adopt a safer payment card transaction. For the parent in me, the thought of the device entertaining my small children when our conversation fails to do so or the chips and salsa run out is promising. From my payments risk perspective, I am ready to keep full control of my cards and hopefully avoid that dreaded call, text, or e-mail from my bank that says my card has been compromised.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 2, 2012 in cards, consumer fraud, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0167681824a1970b

Listed below are links to blogs that reference Are portable POS devices coming to a table near you?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 11, 2012

A human firewall? Tips to keep information secure

As we've discussed on Portals and Rails in the past, PIN cardholder verification offered by ATM and debit cards has proven superior in preventing fraudulent transactions compared to signature cardholder verification. And while a PIN is a solid fraud deterrent, it is by no means 100 percent effective in reducing fraud. As we are in the midst of ATM and Debit Card Safety Awareness Month, it is important for consumers to understand their responsibility in the fight against cardholder fraud.

Financial institutions and the ATM and debit card networks have robust fraud detection and prevention systems and measures in place. However, cardholders need to view themselves as "human firewalls" of sensitive data, including ATM and debit card information and PINs. While fraudsters have become highly sophisticated at obtaining this data, weak PIN selection and security by cardholders makes it easier for fraudsters to commit their crimes.

In today's prolific social media world, weak PINs do not just include simple numbers such as "1111" and "1234." With more information than ever about us online, a birth date, address number, or even an anniversary date could prove to be an easily guessed PIN. According to a study by a Cambridge University Computer Laboratory team, one out of every 11 wallets could contain cards with easily discovered PINs. And ATM and debit card fraud can be more costly to cardholders than credit card fraud. Fraudulent ATM and debit card transactions verified by a PIN generally carry a higher consumer liability limit than do credit card or signature debit transactions. This is especially true if a consumer fails to report a card or PIN as lost or stolen or identify a fraudulent transaction in a timely manner.

In the spirit of ATM and debit card safety awareness, we encourage all cardholders to strengthen any weak PINs as well as follow these and other suggested tips from the PULSE ATM/debit network:

  • Monitor your financial account statements.
    Many experts recommend reviewing accounts online daily so that any suspicious activity is spotted quickly. Switch from postal delivery of statements to online access or ensure that mailed statements are sent to locked boxes and not left available to fraudsters.
  • Protect your wallet, purse and PIN.
    Carry only what you need and avoid carrying items with private information such as your Social Security number. Don't share your PIN with anyone. That means don't write it down and don't give it to a clerk or anyone else to enter for you.
  • Be extra alert at ATMs.
    Don't use an ATM if it is in an unlit or hidden area. Block the keypad while entering your PIN so you can't be observed. If an ATM looks phony or has a suspicious card reader that is loose or not part of the main body of the machine, do not use it.
  • Protect your online shopping.
    Update computer anti-virus software, anti-spyware, and firewalls. New attacks come frequently, and your software provider will frequently send updates to stop them. Use only secure sites and network connections when shopping online.
  • Protect personal information online.
    Limit social media access to friends only and don't "friend" people you don't know. Fraudsters use personal information such as birth dates, family and pet names, high schools, and birth cities to "verify" your identity.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 11, 2012 in cards, consumer fraud, identity theft, malware | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01630665afc9970d

Listed below are links to blogs that reference A human firewall? Tips to keep information secure:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 03, 2011

Fighting the rising tide of elder financial abuse

The successes and failures of law enforcement in fighting financial crime are big news here at the Retail Payments Risk Forum. Earlier this year, we highlighted the gains made in reducing identity theft in the United States. Unfortunately, one form of crime continues to grow despite law enforcement's best efforts: financial crimes targeting the elderly. Last month, MetLife released a report indicating that elder financial abuse is widespread and growing. The report estimated $2.9 billion in annual losses to victims. MetLife based these estimates on an analysis of news articles documenting crimes over two three-month periods in mid- and late 2010. Survey research conducted at Cornell confirms that this is a major problem in New York State, where an average 42 out of 1,000 elders were the victims of financial abuse. Furthermore, the report determined that victims reported fewer than 3 percent of incidents to authorities. While the rate of abuse remains subject to debate, fighting this grim crime is an ongoing battle for law enforcement and consumers.

Elder financial abuse encompasses a category of crimes including theft, confidence tricks, Medicare and Medicaid fraud, forgery, and coerced property transfers. AARP has broadly defined the crime as "the illegal or improper use of a vulnerable adult's funds or property for another person's profit or advantage." The abuse is often a betrayal of a trusted relationship, and the victims are left with emotional and psychological scars that leave them feeling even more vulnerable.

Older Americans at risk of telemarketing fraud
MetLife also conducted a literature review and victim interviews to determine why the elderly are particularly vulnerable to financial abuse. Factors include poor physical health and limited mobility, mental health weaknesses related to the onset of dementia or Alzheimer's, and social isolation. Those who are isolated may be particularly susceptible to manipulation by con artists, for example.

Older Americans disproportionately suffer from telemarketing fraud, a scam where the victim is tricked into agreeing to electronic payments for fraudulent transactions. The criminals on the other end of the line are completely shameless in their techniques to gain the victim's trust. Con artists have targeted victims by searching for surviving spouses in local obituary notices or by purchasing lists of contact information for those who have been previously victimized in similar attacks. Banks can also become entangled in this financial abuse if they are not vigilant. In 2008, Wachovia was forced to pay out $125 million to the victims of fraudulent telemarketing businesses.

Consumer education the best defense
Combating elder financial abuse requires educating potential victims about the risks. Part of Wachovia's settlement included funding for financial literacy programs aimed at seniors. However, it is clear from rising crime rates that education alone is not a cure-all. Regulators, law enforcement, and financial institutions must collaborate to create more effective preventative measures. As a starting point, MetLife has published some consumer tips for prevention, and I have consolidated the recommendations of several of the sources cited above:

  • Review financial statements and bills for unauthorized transactions.
  • Use direct deposit and online banking to prevent mail theft.
  • Sign your own checks.
  • Keep passwords and ATM/debit card PINs secret.
  • Review important documents like wills and insurance policies annually.
  • Do not send money to strangers contacting you over the phone or internet: if an offer sounds too good to be true, it probably is.
  • Be aware that abusers may be charismatic individuals or even someone you trust.
  • Do not be afraid or embarrassed to seek help if you've been the victim of financial abuse. The longer you wait, the worse the situation can become.


By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

August 3, 2011 in consumer fraud, consumer protection, crime | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01539065eb06970b

Listed below are links to blogs that reference Fighting the rising tide of elder financial abuse:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 14, 2011

Where will biometric ID technologies fit in fight against fraud?

Biometric systems are designed to recognize individuals based on their unique biological and behavioral traits. Traits such as hand geometry; fingerprints; voice and vein recognition; and retina, iris, and facial scans are all personal characteristics that can authenticate someone's identity. Using biometrics to combat fraud is not novel. In addition, a California-based company introduced in 2008 a risk management solution that identifies fraudsters through the use of voice printing, which allows the company to compare a caller's voice against a database of known criminals before the company authorizes a credit card payment.

In a previous post, we discussed the concept of using biometric technology to combat ATM fraud. Since then, we learned of ATMs abroad that are equipped with voice-based biometric technology that determine user honesty and help prevent consumer credit fraud. In this post, we revisit the issue of biometrics, touching briefly on new developments in the payments industry as well as on issues reported on by companies and researchers.

Biometrics gain trust
Summarizing a poll it took of credit card users, Unisys reported in 2010 that consumers are becoming comfortable with the use of biometrics. In fact, according to the report, about two-thirds of the respondents indicated a preference for fingerprint biometrics over the use of photo verification, PINs, and signatures. A 2009 Gallup survey revealed that 58 percent of survey respondents would use biometrics to verify their identities, and a staggering 93 percent preferred fingerprints as their biometric of choice.

Which of the following biometrics would you prefer to use to verify your identity?

Searching for a secure biometric storage process
The life of biometric data on portable devices such as cards can exist anywhere from six to 12 years. Technology such as Precise Biometrics' Match-on-Card allows cards to be activated with a fingerprint or iris scan instead of a PIN. All biometric information is stored on the card, so the matching of the biometric data takes place on the card.

This type of technology sends a biometric template to the card processor, which is matched to a reference biometric template stored on the card itself. The card protects personal identity information as it is transmitted across a contactless interface using radio frequency technology. Other companies have introduced similar products retaining all the biometric data on the portable device, which can lessen user anxiety since their biometric data is stored in a device the users control. However, user control over biometric data does not necessarily lessen the potential risk for lost, stolen, or damaged credentials.

Recommended considerations for biometric recognition technologies
According to a report by the National Research Council, "no single trait has been identified as stable and distinctive across all groups," so we cannot rely solely on voice printing, for example, or on fingerprints to guarantee security. The report also points out that biometric systems contain numerous "sources of uncertainty" that "need to be considered in system design and operation." For example, biometric characteristics often vary over an individual's lifetime due to a number of factors, including age or disease, and the systems may not capture or account for this variability. Other, more technical, issues may also create variability in these systems, including sensor calibration and data degradation. Even security breaches themselves add variability. As another "source of uncertainty," the report points to the fact that biometric systems may not be "designed and evaluated relative to their specific intended purposes," so they fail to account for factors such as the competence of the systems' users.

A final note
While there is no such thing as an impregnable security system, using multiple forms of credentials and identification components can strengthen most security systems. If biometrics is one of those layers, careful consideration should be given to measuring the merits and risks relative to other authentication technologies, such as PINs and signatures, as well as ensuring that the biometric that is selected functions as intended. Like any other authentication form factor, any biometric identification technology used should undergo a thorough threat assessment to determine its vulnerabilities and its potential for mitigating attacks. Biometrics may or may not become the panacea to authentication, but ensuring that users trust the entire biometric system is integral to its successful implementation and adoption in the fight against payments fraud.

Photo of Ana Cavazos-WrightBy Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 14, 2011 in biometrics, consumer fraud, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01538fe263d3970b

Listed below are links to blogs that reference Where will biometric ID technologies fit in fight against fraud?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in