Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn’t it easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a51180c012970c

Listed below are links to blogs that reference Who Is Responsible for Consumer Security Education?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 03, 2014

Call Center Phone Fraud: Are You Really Who You Say You Are?

"Have I reached the party to whom I am speaking?" Lily Tomlin would use this line whenever she would play her character Ernestine the telephone operator on the classic TV comedy show "Laugh-In." But to the thousands of financial institutions that operate call centers, the question of whether their customer service representatives are talking to an actual customer is no laughing matter.

In a recent report on call center phone fraud, Pindrop Security cites a number of alarming statistics based on their clients' actual experiences: one in every 2,500 calls to a call center is fraudulent; the average fraud loss per call received is $0.57; and the average potential loss to an account from phone fraud is more than $42,000. It seems that the call center has become an increasingly attractive target for fraudsters.

A call from someone not authorized to access the bank account in question may not directly result in a financial loss on that call. In fact, Pindrop's research indicates that it takes an average of five calls before the fraudster gathers enough information to strike. They use those preliminary calls to gain account or customer information that will help them subsequently to generate a fraudulent transaction, whether it's through the call center or another channel. Some of the calls are from criminals who are simply trying to get account information such as credit and debit card information that they can sell to others. Some of the calls attempts to change account settings such as statement mailing address or call-back phone numbers. With a simple address change, the criminal can gain more information about the accountholder and also keep the victim from being alerted to fraud on their account. Often, a call that results in a direct loss occurs when the fraudster obtains sufficient account credentials to generate a fraudulent wire transfer or ACH transfer from the targeted account.

While these criminals might be looked at as "low-tech hackers" compared to the sophisticated hackers who probe computer systems or worse, the evidence from law enforcement shows that these groups are just as well-organized and sophisticated. They are often based outside the United States, which makes investigations and prosecutions difficult. Sometimes they use technology to change their voice or to show a fake phone number on the bank's caller ID system. The fake phone number helps the fake caller avoid suspicion when the call is coming from outside the customer's area of residence.

To address this growing attack vector, financial institutions are adopting new technology to help them detect potentially fraudulent calls. Voice biometric technology can detect altered voices or even compare the caller's voice to a database to verify the caller's legitimacy. In addition, phone call and device "fingerprinting" gathers enough information from the caller's device to allows the call to be scored, just like a card transaction, on how likely it is to be fraudulent.

It is clear that criminals are attacking all physical and virtual channels of banks, sometimes using information obtained through one channel to carry out fraud in another channel. Portals and Rails believes it is important that you approach your fraud mitigation strategy from a cross-channel perspective. Please let us hear about your challenges and successes with such efforts.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 3, 2014 in authentication, banks and banking, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d6e311b970d

Listed below are links to blogs that reference Call Center Phone Fraud: Are You Really Who You Say You Are?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 21, 2014

Online Payday Lenders: An Illustration of the Importance of Bank Due Diligence

3-legged stool Because of a series of incidents involving illegal payday loans, online payday lenders have been featured in news articles of late. They've also been the focus of increasing enforcement actions to ensure that adequate consumer protection is in place. States are stepping up their enforcement actions against online payday lenders that violate state laws, and federal regulators are stepping up enforcement of federal and state laws. Meanwhile, online lenders and their third-party payment processors are defending their roles in providing this borrowing option to consumers.

The recent uptick in attention on online payday lenders is an impetus for us to stress the importance of banks conducting their due diligence process for any payment processor or business for which they provide payment services. It's useful to look at this due diligence as a three-legged stool, with regulatory compliance, know your customer (KYC), and know your customer's customer (KYCC) all working together to keep the stool upright.

In an August 2013 post, we examined the risks incurred by banks that originate payments for online payday lenders. Much debate has focused on whether online payday lenders—and those who provide services to them—are unfairly targeted by regulators and enforcement agencies. The reality is that businesses that comply with state and federal law are not the reason for increased guidance and enforcement.

When it comes to online payday lending, the law—one leg of the stool—is quite complex. At the state level, laws can significantly differ from state to state. Some states, including Georgia, do not even allow online payday lending. But many online payday lenders operate virtually, and are therefore more likely to operate nationally, which can add to the confusion about complying with all relevant state and federal laws. When conducting their due diligence processes, banks should always consider their customers' ability to operate within the law.

KYC and KYCC are also two very important components of a bank's due diligence process with any customer for which they originate transactions. The better the bank understands the business lines of its originator from the very beginning, and the better they understand it over time by way of continuous monitoring, the greater their chance to quickly identify and address any problems.

Like any business, online payday lenders can use the services of a third-party payment processor. As we explained in a September 2013 post, payment processors are a bank's direct customer in providing payment services to businesses . This adds another layer to the bank's due diligence processes. With this kind of relationship, banks now need to know their customer's customer—in this case, the online payday lender.

Banks should use the recent attention to online payday lenders as a reminder to review and improve their due diligence practices for all their customers. They should make sure that all three legs—KYC, KYCC, and compliance with the law—are in place so that the stool doesn't topple.

What lessons has your bank learned from the recent attention to payday lenders?

Photo of Deborah ShawBy Deborah Shaw, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 21, 2014 in banks and banking, consumer protection | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b0515c579970d

Listed below are links to blogs that reference Online Payday Lenders: An Illustration of the Importance of Bank Due Diligence :

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 13, 2014

Into the Breach: Protecting the Integrity of the Payment System

The breach of Target's point-of-sale system that compromised up to 40 million cardholders during the 2013 holiday shopping period has prompted us to step back and examine this attack—and wonder about its aftereffects. We've certainly seen the expected media attention for a crime of this magnitude, and the filing of class-action lawsuits wasn't far behind despite the lack of any verifiable fraud—as yet. We also have to wonder about its effect on consumers' confidence in the U.S. payment system.

For consumers to have confidence in the payment system, it is critical that they feel their financial information is protected during a payment transaction. And when that information has to be stored, they need to know that it is stored safely and securely. The research shows—and many consumers are well aware—that the creation of synthetic or stolen identities depends primarily on information obtained from data breaches.

All kinds of consumer advice followed the data breach. Many consumer advocates advised cardholders who had used their debit card at Target during the time their POS system was compromised to go to their financial institutions and request a card reissuance to prevent possible fraud. Others focused not on how consumers might recover from the Target breach but on how to prevent problems in the future—that is, they suggested that consumers use credit cards rather than debit cards because with credit cards, unauthorized transactions will not affect the payment of legitimate transactions. Some advocates suggested that people authenticate their debit cards at POS terminals with their signatures rather than their PINs, despite the fact that the level of PIN-based debit card fraud is almost one-third the level of signature-based debit card fraud.

Financial institutions also had varying responses. Some reissued cards when customers requested new cards, while others took a wait-and-see attitude. Still others lowered transaction limits on their customers' debit cards to minimize fraud exposure.

Of course, the Target incident has heated up the magnetic-stripe-versus-EMV conversation. As we've posted many times, the magnetic stripe was never intended to be a secure medium; the sophisticated and highly automated authorization systems were intended to carry the load of fraud detection capabilities. Some in the U.S. payment industry are calling for an acceleration of the migration to chip cards, currently scheduled for October 2015. They argue that EMV/chip cards will virtually eliminate the ability to create counterfeit cards. Some are even requesting that the government or the card networks mandate the technology, which many other countries did in their transitions to EMV. However, the reality is, we will have to keep our magnetic-stripe cards a minimum of five to 10 years, until the vast majority of merchant locations are equipped with EMV-capable terminals. And we should keep in mind that EMV is not a solution by itself—it cannot address card-not-present fraud.

As the authorities complete the forensics of the recent data breach, the industry will develop and implement additional security controls and measures. This added security will then prompt the criminals to look for other weak points. And look they will. So has this major incident shaken consumers' confidence? It is too early to know. What is clear is that the payments industry must come together to develop a cohesive strategy, and they should do so before consumer confidence in the payments system is further compromised.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 13, 2014 in consumer fraud, consumer protection, debit cards, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a510d2b25b970c

Listed below are links to blogs that reference Into the Breach: Protecting the Integrity of the Payment System:

Comments

As the number of consumers affected by the Target breach has risen to 110 million and news of the Neiman Marcus and Michaels breaches surface, much discussion about improving card security has been sparked—including the adoption of EMV technology. While EMV is not the perfect solution, it is only a matter of time before the costs of fraud in the U.S. begin to outweigh the cost of implementing EMV cards or another innovative technology that works within our existing infrastructure. The tipping point may be here for banks to take a step in a new direction to better address card security in the U.S.

Posted by: Karen Gordon | January 28, 2014 at 04:56 PM

Why is the U.S. so behind Europe and Asia in adopting EMV in place of magentic stripe?

Do you think accelerating the migration to chip cards will happen?

Posted by: Saba H | January 21, 2014 at 09:21 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

November 12, 2013

Is Consumer Privacy Possible?

In January 1999, Scott McNealy, then chief executive officer of Sun Microsystems, told a group of analysts, "You have zero privacy anyway. Get over it." His comment caused quite a stir—at the time, most people had not yet heard the terms "big data," "data warehousing," or "data analytics."

I recently attended two conferences that had sessions on consumer privacy and data collection. All the panelists suggested that there is little data privacy for consumers anymore. And all agreed that "privacy is dead."

Four major forces have brought us to this point: technology advances, emergence of data aggregators, lack of transparency with consumers, and consumer complacency. The first force—advances in the technology of data storage—has created the environment for the other elements. The capacity of hardware to collect and store data has grown at exponential rates at the same time that the cost of that technology has plummeted. A cost analysis from Statistic Brain shows that the cost of storage per gigabyte of memory has dropped 50 percent every 14 months since 1980. Back then, a gigabyte of data storage was priced at about $438,000. Today, the price for storing a gigabyte is a mere nickel.

With the ability to store vast amounts of data so inexpensively, companies have built data warehouses to collect all types of data, ranging from government records to of consumers' product purchases at merchant locations Proponents of the data analytics business emphasize how their work can help identify fraudulent transactions through behavior anomalies and how it can help a company market more effectively. Privacy advocates express concern over how the information is used and the adequacy of safeguards to protect the data from unauthorized access.

Privacy advocates contend that most consumers have no real understanding of the information that is collected and how it is used. Indeed, disclosures are often hidden in fine print. Consumers often must accept the terms of a transaction to receive the product. How often do you click the accept box without reading the disclosure?

With support from the Federal Trade Commission, advocacy groups are working to get companies to make their consumer disclosures clearer so consumers will know exactly what information is being collected, how long it is retained, and who it is being shared with. They also want these data collectors to disclose how consumers can verify the accuracy of the information.

Are you interested in knowing what information the largest data aggregator company in the United States has on you? If so, go to Acxiom's website and scroll to the bottom of the page. You will need to register to look at your profile.

Although consumers themselves are the major source of the data being collected, many may not understand that the information they voluntarily provide on social media sites and through online browsing and purchasing activities is being tracked and collected. And consumers have consistently demonstrated a willingness to provide personal information to secure a coupon or discount.

In addition, with the increased deployment of smartphones, merchants are looking to use the mobile channel for one-to-one marketing. The success of this effort largely depends on knowing the interests of the phone owner. Such determination is made only through data collection and analytics—and these efforts are only going to intensify. This marketing element available through the mobile phone is seen as an advantage over other payment methods, and many are studying how to monetize it.

Even if the most transparent disclosures were available, do you think consumers would dramatically change their information-sharing behavior, especially when doing so would come at the expense of incentives? Or of not expressing their personal interests and posting events on social media sites? Personally, I do not think so. I believed McNealy back then and took his advice to get over it. What about you?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 12, 2013 in consumer protection, data security, privacy | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b00fb33fb970b

Listed below are links to blogs that reference Is Consumer Privacy Possible?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 28, 2013

New Portals: Established Rails

Rails Do consumers understand that the consumer protection rules that apply to a mobile payment depend on the payment source—such as a debit or credit card—and not the portal—the mobile device? Purchasing goods and services using a mobile device appears to be a brand new way to make payments. But the mobile device is merely a new portal that leads to the same underlying rails: traditional retail payment sources.

Mobile wallet applications, whereby the consumer can access payment options through a mobile device, are typically sourced to the consumer's debit or credit card. The mobile carrier's billing option allows the consumer to charge an inexpensive product directly to the mobile phone bill. The consumer then pays that bill using a traditional method, such as a check. A Federal Trade Commission study of payment funding sources for 19 mobile providers in 2012 reports payment by credit or debit cards as the most common payment type, with 15. Next are bank account debit (7), multiple funding sources (7), then billing to a mobile carrier account (4).

It is important for financial institutions to educate their consumer customers about the rules and regulations related to traditional retail payment sources that support mobile purchases. Consumers should know about the mobile wallet, for example. Consumers can "carry" many payment sources in their mobile wallets, but they should be aware that each source has different consumer protection provisions. For example, the time periods for reporting disputes and liability limits are different. Education by banks can reduce confusion about the process consumers must follow if they experience a problem with any purchases. Additionally, education can make consumers more aware that the rules that apply to card payments, for instance, apply whether they make the payment in person, on the phone, online, or with their mobile devices.

Banks are in a critical position to be able to share their expertise on traditional retail payment sources as consumers increase their usage of the mobile device to initiate payments. How is your institution educating consumers about mobile payments?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 28, 2013 in consumer protection, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b0066e1cf970d

Listed below are links to blogs that reference New Portals: Established Rails:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 30, 2013

Securing All the Links in the Chain: Third-Party Payment Processors

Consumers may not know when a payment transaction involves more than the merchant who they buy from and the bank that has the debited account. They have no reason to know that there are often other "links" in the payment processing "chain." One such link is the third-party payment processor (processor).

The processor works between the business and the bank, providing payments services to the business while serving as a connection point to the banking system. The processor facilitates automated clearing house, or ACH, payments; credit, debit, and prepaid card payments; and remotely created check payments.

Banks that have processors as their customers must be careful to minimize the risk associated with adding another link to the payments process. Central to this risk mitigation is for the bank to conduct due diligence, including "know your customer" (KYC)—in this case, the processor—and also "know your customer's customer" (KYCC)—in this case, the businesses on whose behalf the processor is transmitting payments. Regulators, including the Federal Deposit Insurance Corporation and the Office of Comptroller of the Currency, have published and updated guidance emphasizing the essential importance of banks' risk-based management of their processor relationships.

Bank risk mitigation includes taking steps at the time of onboarding new processors as well as on an ongoing basis to monitor for any problems related to changes in those relationships. Recommended practices during onboarding include verifying the legitimacy of the business by visiting the processor's office and reviewing marketing materials and websites. It is essential that the bank understand the business lines that the processor's customers support and be aware of any payments-related concerns. For example, processors should provide the bank information on any law enforcement actions and consumer complaints related to its customers.

A bank's ongoing monitoring should include knowing about changes with either the processor or its business customers. Requiring the processor to inform the bank of new customers or business lines is one way to identify developments that require further study. Banks should also require processors to report any changes in the nature of consumer complaints, particularly if they include claims of unfair and deceptive practices that a business customer may have used. Monitoring for warning signs of potential fraud can be aided by receiving reports from the processor on its return rates and those of its business clients. High return rates for certain reasons, such as unauthorized or insufficient funds, should be investigated for the underlying cause and then addressed with the processor.

Furthermore, banks are advised to keep their board members aware of processor relationships by providing periodic reporting on transaction volumes, return rates, and types of businesses served.

Banks that focus on securing the processor link in payments transactions will mitigate their risk, support the payment efficiencies that processors bring to their merchant clients, and protect the payments system for the benefit of consumers.

We would like to hear what processes your institution has in place to monitor processors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 30, 2013 in banks and banking, consumer protection, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affb14827970d

Listed below are links to blogs that reference Securing All the Links in the Chain: Third-Party Payment Processors:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 26, 2013

Caution, Online Payday Lender Ahead

Payday lenders offer consumers short-term unsecured loans with high fees and interest rates. Payday loans—also referred to as deposit advance loans or payday advances—are a form of credit that some consumers may find appealing for a number of reasons, including an inability to qualify for other credit sources. The borrower usually pays the loan back on the next payday—hence the term "payday loan"—which means the underwriting process typically includes a history of payroll and related employment records.

A growing number of payday lenders operate their businesses virtually. Consumers can obtain loans and authorize repayment of the loans and fees during the same online session. In a typical online payday loan scenario, a borrower obtains a loan and provides authorization for the lender to send Automated Clearing House (ACH) debits to the consumer's account at a later date for repayment. The payday lender's bank can originate the debits through the ACH network. Wire transfer and remotely created checks may be other payment options.

Both state and federal regulators are currently focusing on the payday lending industry to protect consumers from illegal payday loans. Payday lending practices are usually regulated on the state level. Some states prohibit payday lending, while others require lenders to be licensed and to comply with maximum fees, loan amounts, and interest rate caps, among other restrictions. On the federal level, the Dodd-Frank Act has given the Consumer Financial Protection Bureau the authority to address deceptive and abusive practices by payday lenders.

Payday lenders' banks should consider all the risks involved with working with online payday lenders. And they should make sure to incorporate due diligence techniques and to become familiar with the available tools.

Reputation, reputation, reputation
First, there is reputational risk. A payday lender's bank should be aware that a business relationship—including ACH origination activity—with a company making illegal payday loans can damage the bank's image. Reputation can suffer even if the bank is not complicit in the illegal activities of its payday lender customer. But once a financial institution determines that facilitating payments on behalf of online payday lenders falls within its risk management model, it should ensure compliance with applicable laws and regulations. Providing periodic reports on ACH customers to the bank's board of directors is one way to facilitate review of whether these customers' activities remain within the bank's risk management model. It is critical that the bank protect its reputation, as that affects every part of its business.

The importance of know-your-customer practices
The payday lender's bank should also develop and follow adequate due diligence procedures. ACH rules require—and regulatory guidance advises—that banks perform "know your customer" (KYC) due diligence. KYC includes a variety of activities such as assessing the nature of the online payday lender's activities, setting appropriate restrictions on the types of entries and exposure limits for the lender, and monitoring origination and return activity.

Due diligence steps can include: 1) identifying the business's principal owners, 2) reviewing ratings for the business from the Better Business Bureau, consumer complaint sites, and credit service companies, and 3) determining if there have been recent legal actions against the business. A thoughtful review of the lender's website, including the terms of the consumer's authorization agreement as well as promotional materials, is advised. These due diligence practices during onboarding and on an ongoing basis for all merchants—including online payday lenders—help the bank with setting and enforcing appropriate restrictions for the customer and therefore mitigate the risk of the bank discovering a problem when it is too late.

Mitigating problems by being proactive
Banks can develop tools that flag potential problems in-house or obtain them from vendors, ACH operators, or NACHA. In addition, incorporating a process to monitor transactions and returns to identify anomalies can be very useful. An anomaly could, for example, be a sudden uptick in returns or an unusual increase in origination volume or average dollar amount. Detecting anomalies can be a trigger to conduct further research with a customer.

Other tools can be NACHA's originator watch list and vendor-terminated originator databases, which can help banks identify customers that may warrant additional scrutiny. Periodic audits can also be a useful tool to identify rules compliance issues.

For a bank, protecting its reputation is paramount when it is considering offering payment services to high-risk originators like online payday lenders. It should exercise caution, performing risk-based due diligence on new customers and then diligently monitoring current customers so it can identify problems early and address them proactively.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 26, 2013 in ACH, consumer protection, online banking fraud, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01901f04d739970b

Listed below are links to blogs that reference Caution, Online Payday Lender Ahead:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 22, 2013

Are You the Weakest Link?

Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?

You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.

So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."

Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:

  • Not using antivirus software or not keeping it updated
  • Not using a firewall or disabling the firewall that might have been included in a device's operating system
  • Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
  • Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
  • Visiting unknown websites, often through links on social network website pages, that contain hidden viruses

Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?

Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 22, 2013 in consumer fraud, consumer protection, malware, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d430443c3970c

Listed below are links to blogs that reference Are You the Weakest Link?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 04, 2013

The Promises and Pitfalls of Big Data

In reviewing one of my recent credit card statements, I noticed a marketing message offering $5 off for an online purchase using their credit card at one of the online retailers I frequently visit. At first I thought this was a bit strange as I had not used that particular credit card at that merchant. Then I realized this was likely "Big Data" in action. Evidently, this credit card issuer had gotten information from some database, perhaps from the retailer, that I was a frequent customer of that retailer. The card issuer then checked its records and found that its card wasn't the one I used for the purchases, so it tried to entice me with $5 savings to switch my card usage habits.

A recent Harris Interactive poll of 1,000 U.S. Internet users showed that the typical consumer has an extremely high level of concern about the amount of personally identifiable data (PID) that is collected about them from public databases, e-mails, web access, and private data aggregators and how that information is being used. Big Data has opened a new world of marketing opportunities for companies with the capability to analyze and use such a wide array of information. In addition to marketing opportunities, Big Data technology can also provide enhanced risk assessment capabilities.

Card issuers have used data analysis at both the macro and individual cardholder level for several decades for fraud management purposes. With sufficient transaction history, the issuer creates a cardholder's purchase profile and evaluates future transactions against that profile. In the early stages of such efforts, if a transaction fell outside the normal profile parameters, the issuer was likely to authorize the purchase and then attempt to contact the cardholder later to verify its legitimacy. Before the wide usage of cell phones or text alerts, contacting the customer was often delayed by days until he or she could be reached on a landline. With advances in software and processing technology, some issuers risk rate transactions as they are received for authorization and may deny a transaction with a high risk score or one that exceeds parameters the customer has personally established. Of course, the downside to such a process is a false denial resulting in a less-than-satisfied cardholder.

While few may find fault with using data for financial risk management purposes, the line is blurry between privacy and data analysis for behavioral activity. Let's say you normally use a particular prescription medication for treatment of a chronic medical condition. Data analysis can tell how frequently you should be getting refills of that medication from your pharmacy. On the positive side, the pharmacy can use this information to send you reminders that it is time to order a refill. But what if the data shows that your refills are spaced further apart than the quantity and dosage level dictate? Is it ethical for the online pharmacy to notify your insurance provider that you appear to have significant lapses in taking your medicine when doing so could affect future coverage? At what point does "Big Data" become "Big Brother"?

In 2013, data security and privacy—the issues associated with Big Data—will be a major area of focus for the Retail Payments Risk Forum. In addition to looking at these issues in our Portals and Rails posts, we will be publishing white papers and convening forums with designated stakeholders to further discuss these issues. We welcome your input on what topics you would like to see us cover.

Oh, and as to that $5 offer, I think I'm going to hold out for a few months and see if they are willing to raise the ante. If this blog is being data scrubbed, I think $10 will do it!

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


On a different note, the Retail Payments Risk Forum would like your feedback on our blog. We would be grateful if you would take a moment to complete our survey. It really is very short.

February 4, 2013 in cards, consumer protection, privacy | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee8360ee4970d

Listed below are links to blogs that reference The Promises and Pitfalls of Big Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in