Retail Payments Risk Forum

Portals and Rails

August 18, 2014

Crooks Target Business Clients

Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.

Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:

  • Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
  • Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system

Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.

The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 18, 2014 in authentication, cybercrime, data security, identity theft

August 04, 2014

Fishing for Your Private Data

Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.

Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.

In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the e-mail, and without opening any attachments.

In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.

Photo of Deborah Shaw

August 4, 2014 in banks and banking, consumer fraud, consumer protection, data security, fraud, identity theft

June 30, 2014

A Call to Action on Data Breaches?

I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.

I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.

As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?

Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or do there need to be more major breaches before the momentum to create such a standard makes it happen?

Photo of Deborah Shaw

June 30, 2014 in consumer protection, cybercrime, data security, privacy

June 23, 2014

Do Consumers REALLY Care about Payments Privacy and Security?

Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.

The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).

Consumers Post Breach Actions

In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed it monthly.

When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.

Photo of Deborah Shaw

June 23, 2014 in consumer fraud, consumer protection, data security, identity theft, privacy

Comments

Consumers have been hearing "the horror stories around the campfire" for so long, they have come to believe that if the "boogieman" is going to get you, there is nothing you can do about it. However, this is just not true. The FSO industry needs to promote consumer education efforts to update the public: we are each provided options every day that can serve to reduce our exposure to the fraud/ID theft boogieman - at FraudAvengers.org we call it "anti-fraud activism". Once aware, consumers will find themselves liberated to make choices based on their own risk tolerance about: how they make and receive payments; how they use their communication devices; the places in which they voluntarily place their personal information; ways and frequency of monitoring their financial, medical and other personal records; who and how they do business with people they have never met and/or do not know; etc. By ensuring we always include the "lessons learned" after we tell our horror stories, we serve to educate the public and inform them of protective actions they can take in their own defense. Crime collar criminals are always looking for victims: by reducing one's visibility to them and by proactively knowing what to watch out for, consumers can greatly reduce the likelihood of becoming victims.

Posted by: Jodi Pratt | June 23, 2014 at 03:19 PM


May 05, 2014

There's No Such Thing as a Good Data Breach

While data breaches have been a persistent problem for many years (see the chart), until recently, their stories would quickly fade from the headlines due to their limited reach. In the three or four months that have passed since the huge data breach at some major retailers, there have been many congressional committee hearings, several new federal legislative bills on data security issues, and countless panels and speakers at industry conferences and workshops discussing this growing problem. Unfortunately, the interactions have occasionally included a little finger-pointing, which doesn’t always lead to effective solutions. Recent efforts to bring banks and merchants together to address the problem hold some promise.

It is important to understand the number of breaches from a trends perspective, but it is more important to understand the magnitude of the breaches in terms of the number of records obtained and the type of data in those records. Because state and territorial laws with differing requirements generally control data breach notifications, the notification reporting information is often incomplete. Additionally, many data security industry experts suspect that data breaches are underreported or even not reported at all. After all, what company wants to confess to having incurred a data breach when the result will be fines and reputational damage?

In the health care industry, the 2013 implementation of the HIPAA Breach Notification Rule (45 CFR §§164.400–414) addressed this reporting concern by involving a monetary cost to the breached company. The rule requires a HIPAA-covered business and its associates to notify its customers and the U.S. Department of Health and Human Services of any breach or it could face significant financial penalties. Because of the stronger notification requirement, it was not surprising to see that the health care industry reported a 63 percent increase in data breaches in 2013 over 2012, according to the Identity Theft Resource Center (ITRC). Health care accounted for the largest share of breaches on an industry segment basis, surpassing the general business segment for the first time since the ITRC began tracking this data in 2005.

But notification requirements are post-event, not preventive. While no data security architecture can provide 100 percent protection, there clearly is the need for improved security in the handling and storage of sensitive data to prevent such breaches from occurring. As with any risk management program, the level of security depends on the sensitive nature of the information that could be monetized in some way by the criminal. Because of the large losses from the production of counterfeit cards, the public has made much of—and justifiably so—the retailer payment data breaches involving more than 40 million accounts.

We must also remember that there was an even larger data breach at the same time as the retailer's payment card data breach, this one involving 70 million accounts. But the criminals obtained such sensitive information as customers' names, addresses, phone numbers, and e-mail addresses—no payment information. Because the data was not related to payment transactions, the incident has not received as much attention. Still, criminals can use such data to foster identity theft operations that generally result in much higher losses and greater customer impact.

These incidents serve as a reminder that not all data breaches are alike and will require different prevention and response methods.

Portals and Rails is interested in what you think is the best way to address the prevention and notification aspects of data breaches.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 5, 2014 in data security, identity theft, privacy

April 28, 2014

Is Personal Data Privacy Going, Going, Gone?

Since last December, it seems that not a week has gone by without a headline about another breach of consumers' payment or personal data. These articles—which are no longer limited to banking or IT industry publications—have created both weariness and concern among consumers. The market research firm GfK conducted a national survey of U.S. consumers in March 2014 to measure the impact of these breaches and better understand how consumers view and manage their personal data. They surveyed 1,000 individuals over the age of 18 and sorted the results by generation. Some of the findings I found most interesting were:

  • All generations are concerned about the protection of their personal data and, overall, 59 percent indicated that their concern has risen over the last 12 months.
    Question: Are you concerned about the protection of your personal data?
  • One-third of the survey participants indicated that they had been the victim of the misuse of their personal data at least once over the past year.
  • Over half (54 percent) of those surveyed don't believe the U.S. government is doing enough to protect their data, with two-thirds of the pre-boomers taking that position.
  • Overall, 80 percent of the respondents believe there should be additional regulations preventing organizations from reselling their personal data to third parties.
  • There is a strong demand from consumers for all consumer-facing industries to change their data privacy and personal data usage policies, but that demand is the highest for credit card companies and social networks.
  • Banks are in the top four trusted organizations regarding the protection of personal data but trailing health care organizations, online payment systems, and online retailers. Social networks, international businesses, and marketers and advertisers are the least trusted.
  • Although more than half of the participants do not agree with the tracking or recording of communication data without their permission, younger generations are not as concerned.
    Agreement with the statement: I accept that my communications data (e.g. phone, online) can be recorded without my approval to prevent crime.

So how are consumers behaving in light of this increased concern? Almost half (48 percent) indicated that they have changed their online practices and are avoiding the use of online auctions, online banking, and online social networks to reduce the likelihood that their personal data might be compromised or misused in some way. I have seen other research indicating that as much as 40 percent of a retailer's customers that have had their personal data compromised through a breach at that retailer will avoid that retailer, at least in the immediate term.

So what is the best approach to develop and maintain safeguards for consumers' personal information and transaction data? The private sector has always championed self-regulation through standards efforts such as PCI-DSS, but we all recognize that being compliant with a common minimum standard is not the same as being totally secure. There has been no shortage of recent congressional discussion on this issue, and future major breaches will likely add to the momentum such that it will be difficult to stop. Is that where you think we are headed—a regulatory fix coming from a legislative mandate? Let us hear from you.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 28, 2014 in consumer fraud, consumer protection, data security, regulations

Comments

The Target breach, in which 110 million Americans lost critical personal and financial data, is just the latest problem caused by extending legacy payment networks built in the 1960s to internet originated payments.

In the classic New Yorker cartoon, one dog says to the other, "On the Internet, nobody knows you're a dog." Until we solve this problem, the legacy payment networks cannot be made secure. They were not architected with security built into them to do what we are doing today by extending them to payments generated from the internet. The security of any network is only as good as its weakest node. By moving access to the legacy payment systems to the internet, we added tens of millions of nodes to each legacy payment system and most of those nodes are not securely authenticated or truly secure.

A next generation payment system is required that is architected with security and encryption of all data "end to end", with no data ever “in the clear” and in which all users are "strongly authenticated". It is less expensive by orders of magnitude to build a new next generation payment system that can do that, than to retrofit one of the existing legacy payment systems, as I was once told by the former global CIO of VISA International. The existing legacy payment systems are all designed to have required information "in the clear" at multiple points in the transaction cycle.

The rapid rise of Bitcoin, despite its significant flaws, highlights the hunger in the marketplace for a better and more secure internet based global payment system. It would be better if that next generation payment system was also bank-centric and properly regulated, none of which Bitcoin is.

FYI, the New Yorker cartoon was first published in 1994, so this problem has been building for over 20 years.

Posted by: Stephen Lange Ranzini | April 28, 2014 at 05:31 PM


March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn't it be easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments

February 10, 2014

Chip-and-PIN, or Chip-and-Choice?

If the comments that legislators and industry representatives made at the recent congressional hearings on data breaches were any indication, any card issuer advocating or adopting a chip-and-signature approach to EMV smartcard implementation would appear to be incautious. Unquestionably, chip-and-PIN is more secure than chip-and-signature because it represents two forms of authentication—something you have (the card) and something you know (the PIN). However, chip-and-signature could be a reasonable first step in that it would generate less friction for the consumer, merchant, and card issuer. Let me explain why.

Most consumers don't know their credit card PINs
Although most people know their debit card PINs—you need one to use an ATM—few U.S. consumers know their credit card PINs. Various studies place consumers' knowledge of their credit card PINs in the 5 to 10 percent range. It would therefore be an educational as well as logistical effort to get consumers to begin using their credit card PINs if the industry moved to a chip-and-PIN-only environment.

Merchants would incur a big expense for the equipment
Only about 25 percent of the 8 million POS terminals operating in the United States are equipped with a PIN pad, according to data provided to the Federal Reserve. Before Regulation II, merchants had a financial incentive to encourage PIN-based debit transactions because the interchange rate was lower than for credit card transactions. However, Reg II eliminated this differential. (This despite the fact that PIN debit transactions have less than one-third of the fraud loss rate of signature debit transactions, according to the 2013 Fed Payments Study Summary.) Although a representative of the National Retail Federation endorsed a chip-and-PIN-only strategy at a congressional hearing, it's difficult to know if merchants will want to make the additional investment required to equip, program, and maintain their POS systems to support PIN transactions. Most merchants have not yet taken this step, so what has changed?

Customer experience would change
A PIN-based transaction, with its single-message authorization and settlement process, creates problems for certain merchants—like car rental and lodging companies—that must run preauthorization transactions before the final amount of the transaction is determined. The separate authorization and settlement process provided by the dual-message format of a signature-based transaction is more conducive to the business needs of these merchant segments. Are fine dining restaurants going to install the even more expensive mobile payment terminals so customers can pay at the table as they currently do? Or will they require the customer to go to a checkout and pay there? These merchants especially will have to consider the impact on their customer experience.

Backup method needed
With debit cards now, a signature authentication can be a backup method of acceptance. But in a chip-and-PIN environment, how high will the rate of incomplete transactions be when cardholders can't remember their PINs and they have no other method of payment?

As with any change, there are a number of positives and negatives to be considered. To avoid unintended consequences, we at Portals and Rails believe that issuers, merchants, and consumer groups should carefully evaluate all the issues to determine the best way to migrate to EMV payment cards. What do you think—chip-and-PIN only or chip-and-choice?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 10, 2014 in chip-and-pin, data security, debit cards, EMV

Comments

All issuers should support a well communicated and simple PIN change process (IVR, ATM or in-branch for example) for EMV cards. If cards are activated through an IVR, PIN selection could be added to the process. Cards can also be issued with unassigned PINs (the PIN is not sent to the cardholder) where the cardholder is forced to select a PIN; this process may encourage cardholders to proactively select a PIN they can remember. Re-issued cards can support PIN continuity (same PIN as previous card).

Support for PIN as the only permitted CVM will be more successful if ALL the card associations follow this practice. If one or more of them allow for signature CVM then cardholders may select the signature card and not bother to learn/select a PIN for the PINned card. This in turn leads to an uneven playing field and all chip cards may eventually revert to signature cards which would certainly be a step backwards.

As long as fallback to magstripe is supported, any cardholder that forgets their PIN can usually have the terminal revert to mag stripe (at least in Canada) by inserting the card backwards (you may have to do this three times). The terminal will attempt to read the chip (but can't because there is plastic where a chip should be) then ask for a mag stripe read while ignoring the service code (chip on board) info.

Posted by: M Ryan | February 11, 2014 at 12:49 PM

Your points are all valid, but I'd like to comment.

You are correct that most consumers don't know their credit card PINs and this would be a learning experience. Some POS application developers are putting in "PIN Bypass" functionality for this reason, although I believe that defeats the purpose of allowing the issuer to prefer PIN.

Merchants will incur some expense for migrating to EMV, but most EMV Card Readers are built into PIN pads, so with or without PIN, the expense is the same.

PIN based Credit transactions will continue to be dual message. PIN Debit transactions are single message because they are "full financial" transactions that don't require a separate message.

EMV works perfectly fine with Hotels in the rest of the world, with incremental transactions after the original with PIN.

Yes, in Canada and Europe it is common for the customer to pay at the table with a wireless terminal. This supports the philosophy of "not handing your card to a stranger" that was promoted in those countries to support the implementation of EMV.

Yes, there will be a period of adjustment, perhaps painful - but not really much different than when PIN Debit at the POS was first introduced, just a larger scale.

Unfortunately, the more secure a process is, the less convenient it is. The U.S. has chosen convenience in the past, and we are seeing the repercussions of that approach.

Posted by: Allen Friedman | February 10, 2014 at 02:13 PM

November 12, 2013

Is Consumer Privacy Possible?

In January 1999, Scott McNealy, then chief executive officer of Sun Microsystems, told a group of analysts, "You have zero privacy anyway. Get over it." His comment caused quite a stir—at the time, most people had not yet heard the terms "big data," "data warehousing," or "data analytics."

I recently attended two conferences that had sessions on consumer privacy and data collection. All the panelists suggested that there is little data privacy for consumers anymore. And all agreed that "privacy is dead."

Four major forces have brought us to this point: technology advances, emergence of data aggregators, lack of transparency with consumers, and consumer complacency. The first force—advances in the technology of data storage—has created the environment for the other elements. The capacity of hardware to collect and store data has grown at exponential rates at the same time that the cost of that technology has plummeted. A cost analysis from Statistic Brain shows that the cost of storage per gigabyte of memory has dropped 50 percent every 14 months since 1980. Back then, a gigabyte of data storage was priced at about $438,000. Today, the price for storing a gigabyte is a mere nickel.

With the ability to store vast amounts of data so inexpensively, companies have built data warehouses to collect all types of data, ranging from government records to consumers' product purchases at merchant locations. Proponents of the data analytics business emphasize how their work can help identify fraudulent transactions through behavior anomalies and how it can help a company market more effectively. Privacy advocates express concern over how the information is used and the adequacy of safeguards to protect the data from unauthorized access.

Privacy advocates contend that most consumers have no real understanding of the information that is collected and how it is used. Indeed, disclosures are often hidden in fine print. Consumers often must accept the terms of a transaction to receive the product. How often do you click the accept box without reading the disclosure?

With support from the Federal Trade Commission, advocacy groups are working to get companies to make their consumer disclosures clearer so consumers will know exactly what information is being collected, how long it is retained, and who it is being shared with. They also want these data collectors to disclose how consumers can verify the accuracy of the information.

Are you interested in knowing what information the largest data aggregator company in the United States has on you? If so, go to Acxiom's website and scroll to the bottom of the page. You will need to register to look at your profile.

Although consumers themselves are the major source of the data being collected, many may not understand that the information they voluntarily provide on social media sites and through online browsing and purchasing activities is being tracked and collected. And consumers have consistently demonstrated a willingness to provide personal information to secure a coupon or discount.

In addition, with the increased deployment of smartphones, merchants are looking to use the mobile channel for one-to-one marketing. The success of this effort largely depends on knowing the interests of the phone owner. Such determination is made only through data collection and analytics—and these efforts are only going to intensify. This marketing element available through the mobile phone is seen as an advantage over other payment methods, and many are studying how to monetize it.

Even if the most transparent disclosures were available, do you think consumers would dramatically change their information-sharing behavior, especially when doing so would come at the expense of incentives? Or of not expressing their personal interests and posting events on social media sites? Personally, I do not think so. I believed McNealy back then and took his advice to get over it. What about you?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 12, 2013 in consumer protection, data security, privacy | Permalink

October 21, 2013

Is Knowledge-Based Authentication Still Effective?

"What is your mother's maiden name? Your oldest daughter's middle name?" Online help sessions or call centers often ask the user to provide answers to a "secret" question or set of questions, most often when the user has forgotten an account password and needs to retrieve it or select a new one. This authentication process is called knowledge-based authentication (KBA). The assumption is that if the person knows the correct answers, then that person is the authentic accountholder.

I recently attended a security conference where a panel of security authentication experts all stated that any extra protection KBAs provide is minimal. The high-profile data breaches that we've read about, along with the over-disclosure of personal information on social media sites, often make the answers to these questions easily available. These experts called for the abandonment of KBAs. In further support of this position was a recent article by Brian Krebs (Krebs on Security) that detailed how an identity theft service had hacked into some of the country's largest aggregators of consumer and business information. This service then tried to sell the data over the Internet, compromising the effectiveness of KBAs.

KBA questions can be either static or dynamic. Those that are static instruct the user to select from a list of preformulated questions—such as "What is your mother's maiden name?" Some sites allow users to create their own questions. In either case, the Q&A process is normally done when the user creates the account and selects the password. Dynamic KBAs are created by the website entity and generally request a response to a series of multiple-choice questions created from data not readily available in the public domain—for example, "Select a previous address from the list."

The formulation of KBA questions requires a careful balancing act between making answers easy enough for the authentic user to retain and making them difficult for an outsider to find by looking through public databases and social media sources.

The June 2011 Federal Financial Institutions Examination Council (FFIEC) supplemental guidance on authentication for Internet banking states about KBAs that "institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique." The guidelines support the more sophisticated dynamic KBAs, adding this caution: "Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program." But we have to ask: since this guidance was issued, have breaches of the data sources often used to create dynamic KBAs so weakened them as to negate their value?

To enhance dynamic KBA programs, institutions can time the answer input intervals, tally missed questions, and employ other factors to essentially score the KBA session, which could signal that a criminal is posing as the legitimate customer.
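
One way to score a dynamic KBA session on the two signals named above, missed questions and answer timing, shown here as an added example (not code from the Atlanta Fed or any KBA vendor). The thresholds, weights, and the names `Answer`, `score_session` and `decide` are assumptions chosen for illustration, and the sample sessions are constructed.

```python
from dataclasses import dataclass

# Assumed thresholds and weights for illustration; tune against real session data.
FAST_SECONDS = 2.0    # quicker than a person can read a multiple-choice question
SLOW_SECONDS = 45.0   # long enough to look an answer up in another source
REVIEW_SCORE, DENY_SCORE = 40, 70

@dataclass
class Answer:
    correct: bool
    seconds: float    # time from question display to answer submission

def score_session(answers):
    """Return (risk score 0-100, reasons) for one dynamic KBA session."""
    if not answers:
        return 100, ["no answers submitted"]
    score, reasons = 0, []
    missed = sum(1 for a in answers if not a.correct)
    if missed:
        score += min(60, 30 * missed)
        reasons.append(f"{missed} missed question(s)")
    slow = sum(1 for a in answers if a.seconds > SLOW_SECONDS)
    if slow:  # correct-but-slow matters: breached data makes answers findable
        score += min(40, 20 * slow)
        reasons.append(f"{slow} answer(s) took over {SLOW_SECONDS:.0f}s")
    if all(a.seconds < FAST_SECONDS for a in answers):
        score += 40
        reasons.append("every answer faster than a person can read")
    return min(score, 100), reasons

def decide(score):
    """Map a score to an action; 'step-up' means require another factor."""
    if score >= DENY_SCORE:
        return "deny"
    return "step-up" if score >= REVIEW_SCORE else "allow"

# Constructed sample sessions (not real customer data).
LEGIT = [Answer(True, 6), Answer(True, 9), Answer(True, 5), Answer(True, 12)]
LOOKUP = [Answer(True, 50), Answer(True, 70), Answer(True, 8), Answer(True, 65)]
GUESS = [Answer(False, 10), Answer(False, 60), Answer(True, 7), Answer(True, 8)]
SCRIPTED = [Answer(True, 0.4)] * 4

if __name__ == "__main__":
    for name, s in [("legit", LEGIT), ("lookup", LOOKUP),
                    ("guess", GUESS), ("scripted", SCRIPTED)]:
        score, why = score_session(s)
        print(f"{name:9} score={score:3} action={decide(score):8} {why}")
```

The `LOOKUP` session answers every question correctly yet is still routed to step-up, which is the case a pass/fail tally of answers alone would miss.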

No matter how many questions there are, KBAs are just one identification form factor—the "something you know" part of three-factor authentication. The FFIEC recommends that multiple form factors—including the "something you have" and "something you are" components—be used with higher-risk transactions. These should be used to support a stronger security process under a layered security approach.

Portals and Rails is interested in knowing how your institution currently uses KBAs, and if recent events will change their use.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 21, 2013 in authentication, data security, identity theft | Permalink

Comments

The FFIEC is right. Basic challenge questions will no longer cut it. Device identification is a newer technique that fraud analysts have begun to incorporate into their strategy, but even this innovation may not be enough. As consumers demand further online and mobile platforms for banking and payments, and as fraudsters continue multiplying and focusing their efforts on these very platforms, we need to start looking for more sophisticated strategies.

Posted by: Eric Lindeen | January 07, 2014 at 01:26 PM
