August 30, 2010
Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They’re on the rise, but under control
Play podcast (MP3 15:07)
Transcript
NACHA—The Electronic Payments Association (formerly the National Automated Clearinghouse Association) describes ACH fraud risk as "the risk that ACH data will be compromised through the introduction of false transactions, the alteration of valid transactions or the alteration of static data that controls the routing or settlement of valid ACH transactions." Fraud in the ACH network can occur in a number of ways, including through corporate account takeovers, direct-access relationships, and possibly person-to-person payments.
In our latest podcast interview, Jane Larimer, executive vice president of ACH network administration, general counsel for NACHA, and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, explores these risks and some of the steps financial institutions can take to mitigate them.
Corporate account takeovers
The incidence of corporate account takeovers—when cybercriminals use malicious software to steal user credentials to originate wire transfers and ACH batches—has been a significant fraud issue in the past year. Criminals have stolen the banking credentials of several small businesses, municipalities, and even school districts, which they have then used to make unauthorized ACH transactions and wire transfers.
Larimer says that the best way to safeguard against this type of ACH fraud is to be aware of your surroundings and follow safe best practices like using multifactor and multichannel authentication as well as multilayer controls. Financial institutions can also employ red-flag controls and out-of-band verification for transactions. Most importantly, businesses should monitor their activities by conducting daily account reconcilements. This is important advice, she says, even if it may seem old school. Also critical is ensuring that anti-spyware, anti-malware, and security software for computer workstations and laptops used for online banking and payments are up to date. Larimer also recommends using a dedicated computer for online banking functions and not using it for other activities such as browsing at a Wi-Fi hotspot or coffee shop.
ACH risk measures show a downward trend
A common measure of risk in the ACH network is the number of unauthorized debits returned to institutions originating transactions. NACHA reported that this measure has declined for the past several years, including last year, which saw a 9.6 percent decline. The reason? Larimer attributes the success story to effective risk management, targeted rulemaking, and rule enforcement. Thanks to new network enforcement and company name rules, NACHA has seen a continued decline in return rates and unauthorized debits, especially in the first quarter of 2010, when the volume of unauthorized debits declined 16 percent over the first quarter of 2009.
Direct-access relationships
In March 2010, NACHA released an ACH Operations Bulletin that requires financial institutions to register or report their direct-access relationships with originators or third parties. Larimer explains that the new registration requirement helps NACHA track and promote due diligence in accordance with originating depository financial institutions' (ODFI) risk-management policies. An ODFI that permits its originator or third parties direct access to the ACH network potentially exposes itself to a host of risks. Larimer says that it is essential for an ODFI participating in these relationships to effectively mitigate the risks by appropriately underwriting, managing, and monitoring its customer relationships.
Partnerships in the fight against ACH network fraud and risk
ACH fraud and risk impact financial institutions and businesses, and while their goals may vary according to their unique roles, they all share a common responsibility to safeguard the network against fraud through sound controls and processes. Larimer believes that risk mitigation and prevention are the responsibility of every party in the ACH network, and that establishing partnerships between financial institutions and business is a move towards reducing fraud and risk in the ACH network.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 30, 2010 in account takeovers, ACH, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0134868ebe44970c
Listed below are links to blogs that reference Latest Payments Spotlight podcast focuses on fraud and risk in the ACH network: They’re on the rise, but under control:
Comments
Posted by:
Marcie J. Haitema |
August 31, 2010 at 06:00 AM
August 16, 2010
States tackle information security with a focus on payments fraud
In response to increased data breaches like the Heartland Payment System incident, some states have passed laws requiring businesses to comply with the Payment Card Industry Data Security Standard (PCI DSS), while others have passed laws with enhanced privacy and encryption requirements for organizations that handle consumers' credit and debit card numbers. But can state laws be changed quickly enough to keep pace with the creative approaches of individuals who commit fraud?
According to Javelin Strategy & Research's 2010 Data Breach Prevention and Response study, approximately 26 percent of U.S. consumers received data breach notifications in 2009. The study also found that one in four consumers had their credit or debit card replaced in 2009 due to security concerns. Additionally, data collected by the Identity Theft Resource Center shows that though the number of breaches may rise and fall, overall, the number data breaches has doubled since 2007.
Source: http://idtheftcenter.org
*Adjusted Heartland number from 30 million to 130 million as per alleged breaches in Justice Department documentation.
Enhanced state encryption and payment card laws
States such as Massachusetts, Arizona, and Nevada have enacted encryption laws, while other states such as Washington and Minnesota have enacted payment card laws. However, to date, only Nevada and Washington have enacted a combination of both encryption and payment card laws.
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain personal financial data about its residents. Massachusetts' new encryption law is said to add teeth to a key requirement that many security breach notification laws lack by specifically delineating the security requirements that organizations must adopt to ensure their security measures are "reasonable" and "adequate." Some of those specifications include securing user authentication protocols, encrypting all personal information that travels across public networks and wirelessly, monitoring systems for unauthorized use or access, and updating security systems.
States that have adopted both enhanced encryption and payment card laws go a step further, requiring not only compliance with PCI DSS but also that the organization have an annual security assessment validating its compliance. The assessment must be performed annually to ensure compliance with PCI DSS.
What about out-of-state business?
Businesses that transact with consumers from one of the states that have enacted these laws may be required to comply with the new state laws. For instance, the Nevada encryption law applies to businesses in the state of Nevada but may extend its reach to businesses outside the state if they have a strong enough presence in Nevada.
Laws assign liability to payments participants
Some state laws address liability among payments participants to ensure that the participant in the best position to prevent loss carries its share, if not all, of the costs associated with the loss and subsequent loss prevention efforts. Determining which participant is responsible has undergone changes in the states that have adopted enhanced payment card laws. The states of Washington, Nevada and Minnesota, for example, make merchants who are not compliant with PCI DSS liable to financial institutions for associated costs in instances of security breaches. Washington state holds a business or processor liable to a financial institution for costs related to a data breach even if the financial institution has suffered no loss. Under Washington state's new payment card law, a vendor may also be held liable to a financial institution for damages that occurred as a direct result of the vendor's negligence.
Conclusion
Since the loss of data can be an indicator that fraud is being perpetrated, these latest state laws look to ensure that businesses who hold such data do so in a manner that appropriately safeguards consumers' privacy. Data breach and loss containment are ongoing challenges for organizations that handle consumers' nonpublic personal information, including credit and debit card numbers. The new encryption and payment card laws may require organizations handling consumer payments information to fundamentally reexamine their corporate security compliance obligations and evaluate the technical resources required to comply with specific state standards.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
August 16, 2010 in consumer fraud, consumer protection, fraud, law enforcement | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0134863da345970c
Listed below are links to blogs that reference States tackle information security with a focus on payments fraud:
Comments
August 09, 2010
Shopping at the Fraud Mall: Fictional fantasy or harsh reality?
One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.
Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.
In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit that travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000 with the top of the line offering belonging to a high balance account holder with several electronic withdrawals and a home banking service with a bank who has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.
|
|
Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.
I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conflicker were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions are premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.
Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.
Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.
The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."
Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud and protecting our assets, our people, and our reputations is going to take more time an effort than ever before.
By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum
August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348607ca64970c
Listed below are links to blogs that reference Shopping at the Fraud Mall: Fictional fantasy or harsh reality?:
Comments
August 02, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
|
|
| ENLARGE |
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
|
|
| ENLARGE |
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
|
|
| ENLARGE |
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
|
|
| ENLARGE |
Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485f0df70970c
Listed below are links to blogs that reference Fight against payments fraud: The target is moving, but not everybody takes aim:
Comments
July 26, 2010
Can chip-and-pin technology address payment card fraud in the United States?
Last week's blog discussed how the United States has been slow to adopt the chip-and-pin payments card technology that many other countries are already using. We suggested that the continued reliance of the United States on the magnetic-stripe standard leaves consumers here more vulnerable to fraud. In fact, the Federal Reserve Bank of Kansas City recently published a paper that looked at global security standards within the payment card industry and found that "the difference between U.S. fraud rates and those in other countries is sufficiently large."
This week's blog looks a little closer at some of the numbers behind magnetic-stripe and chip-and-pin payment cards, including the cost of payment card fraud in the United States and what it would take to move to the EMV chip-and-pin technology. (Recall that EMV is an abbreviation for the originators of the standard: Europay, MasterCard, and VISA. EMV is now also owned by other card companies: the Japanese company JCB and American Express.)
Fraud losses on credit, debit, and prepaid cards in the United States totaled $6.89 billion in 2009, up 7 percent from 2008—a figure said to be on pace to reach $10 billion by 2015. According to PULSE 2010 Debit Issuer Study debit card fraud for signature-based debit card fraud increased 43 percent last year and personal identification number (PIN) debit card fraud loss rose by 24 percent.
|
|
| ENLARGE |
Exploiting the weakest link
The magnetic stripe stores data on a band of magnetic material on the back of a credit card. The stored data on a magnetic stripe can be read by swiping the card through a reader. The chip-and-pin card, on the other hand, most commonly exists as a smart card embedded with a microchip. The microchip can store a unique PIN, which ultimately replaces the cardholder's signature and can be used in contact or contactless mode. Chip-and-pin cards can therefore protect against card swipe fraud, cloning, and stolen data from lost or stolen cards—the most common kinds of fraud experienced by magnetic stripe cards.
Protecting payment cards: Security versus cost concerns
The implementation of chip technology will require a merchant to use new hardware and the consumer to use a new smart card with a microchip. Javelin Strategy & Research estimates the basic cost for the implementation of the EMV chip standard stands at $8.6 billion. Is this a figure the payments industry is ready and willing to dispense in this current economic climate? Today, we know of at least one U.S. financial institutions that have migrated to EMV. Will this cause others to migrate, or is it too early to tell?
Defining the next logical approach
Some experts predict that the globalization of the EMV standard will drive the initial issuance of chip-and-pin cards in the United States. Other experts do not foresee the United States' immediate migration to chip-and-pin cards. Yet the growth of U.S. chip payment cards may prove migration to EMV sooner than most believe.
Continuously guarding against debit and credit card fraud loss solidifies consumers' confidence in card payments and the financial system. EMV chip-and-pin and its methods for combating payments card fraud seems like a natural choice to replace the magnetic stripe card in the United States. With Europe, and other parts of the world, documented success rate in combating payments card fraud since their move to EMV chip and pin, it may turn out that EMV chip and pin's global interoperability may become the next security vehicle that can rein in magnetic stripe card fraud.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
July 26, 2010 in chip-and-pin, EMV, fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485a00088970c
Listed below are links to blogs that reference Can chip-and-pin technology address payment card fraud in the United States?:
Comments
As an argument against adopting EMV, critics have pointed to EMV fraud weaknesses, such as susceptibility to man-in-the-middle-attacks. On the other hand, other countries that have adopted EMV and Chip-and-PIN have witnessed a reduction in counterfeit and skimming fraud. While EMV may not be foolproof, it is important to keep in mind that any single fraud deterrent solution needs to be part of an larger, overarching fraud strategy. Financial institutions still need build in layered security into their products and implement vigorous application screening controls when issuing cards to new clients. Also, financial institutions should integrate enterprise fraud management systems and real-time analytics to more accurately predict fraudulent transactions as they happen.
Also, to address the debate as to whether or not the U.S. should adopt EMV, the good news is that we are ready for it. The smart card technology infrastructure that supports EMV or Chip and PIN is already available today and will even be able to evolve with next-generation chip-based card innovations.
Thanks, Jim!
Posted by:
Jim Schlegel |
August 04, 2010 at 01:44 PM
EMV in the U.S. business case:
U.S. EMV Migration Cost = $8.6 billion (once off);
U.S. Card Fraud = $6.89 billion (per annum);
ROI = 1.25 years!
Cost savings over next 5 years = $34 billion!
Even assuming a 100% error in the migration estimates, its still an ROI less than the average 3 years a card is valid.
I'm not an Economist, but this looks like a pretty good investment to me. I say go, go, go! :)
Posted by:
Wynand Vermeulen |
August 04, 2010 at 06:24 AM
July 12, 2010
The confluence of payments, social networks, and malware: Elements of a perfect storm?
Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?
More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.
|
|
| ENLARGE |
Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.
|
|
| ENLARGE |
Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.
Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.
Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485620cfb970c
Listed below are links to blogs that reference The confluence of payments, social networks, and malware: Elements of a perfect storm?:
Comments
July 06, 2010
Identity thieves still using low-tech tactics to get into your wallet
If you make it easy for people to steal from you, they will.
-Frank W. Abagnale
Identity theft continues to be a major problem in the United States and, in most instances, does not involve a complex operation. Although the risks with online financial transactions receive a lot of focus, recent surveys have shown that identity thieves perpetrate their crimes using more traditional methods of access like stealing wallets or purses. In addition, too many victims are unfortunately serving as unwitting accomplices by giving personal information to the criminals over the phone.
According to Javelin's 2009 Identity Fraud Survey Report, the number of U.S. identity fraud victims increased 22 percent in 2008 to 9.9 million adults. Among the reasons cited for this upsurge in incidents are the economic downturn, the secondary market for financial information, and the availability of fraud toolkits online.
Although how-to guides on defrauding consumers are readily available on the Internet, identity thieves are taking a decidedly low-tech approach. Javelin also reported that of the 35 percent of identity theft victims surveyed who knew how their information was accessed, only 11 percent had their information stolen by an online hacker. In fact, 43 percent of identity theft was perpetrated via a lost or stolen wallet, checkbook, or credit card.
Convicted fraudster able to steal identities from behind bars
A recent FBI case involving a massive, two-year identity theft and bribery scheme provides an example of how fairly unsophisticated tactics are used to perpetrate fraud. The already-convicted fraudster who orchestrated the crime received a 309-year prison sentence, which is reportedly the fourth-longest in the history of white collar crime in the United States.
According to the FBI press release, the crime started in a Louisiana prison, where the perpetrator was serving time for a previous fraud conviction. A joint FBI-Department of Justice (DOJ) investigation revealed that he used the personal and financial information (such as dates of birth, Social Security numbers, and bank account numbers) of 61 individuals, churches, financial institutions, and businesses to attempt to steal more than $20 million. How was a prisoner able to get this information? Good question. Apparently, as the saying goes, he did it with the help of his friends (or co-conspirators) and a few phone calls.
One typical ruse involved the perpetrator calling a bank and pretending to be an elderly stroke victim who had been hospitalized. He would claim that he did not have his checkbook and needed access to his account. Most banks did not fall for it, but some did. He also called individual victims directly sometimes, saying he was a state trooper who needed to verify personal details after an identity theft arrest.
The perpetrator had several accomplices in the operation, including a corrections officer that he bribed with $10,000 to use his cell phone when prison officials put him on lockdown. Through the collaborative efforts of federal, local, and state law enforcement agencies, the perpetrator and at least eight coconspirators were charged in the investigation.
Common sense precautions key to avoid becoming a victim
The FBI case is a compelling reminder for people to be "crime smart" by not sharing personal information over the phone unless they can verify the identity of the caller. However, phone sense is just one of many ways that businesses and individuals must be vigilant in protecting themselves against becoming victims of identity theft. The DOJ has used the acronym "SCAM" to encapsulate four steps to reduce or minimize this risk. First, be stingy about giving personal information to others unless there is a reason to trust them. Second, check financial information regularly to monitor for unauthorized transactions. Third, ask periodically for a copy of your credit report to determine whether someone has wrongfully opened accounts in your name. Fourth, maintain careful records of banking and financial accounts in case you need to dispute a transaction.
It is possible to follow these steps and still become an identity theft victim. However, an added benefit of taking these proactive measures is that victims are typically faster at detecting fraud against themselves than are entities such as law enforcement, lenders, and creditors. In fact, Javelin's 2009 identity theft report found that the detection time of fraud through police or law enforcement was 264 days compared to eight days when the victims were monitoring their accounts electronically (that is, via the Internet or ATM). Ultimately, customers who actively monitor their accounts not only reduce the risk of fraud but also minimize their losses if they are victimized.
By Jennifer Grier, senior payments risk analyst in the Atlanta Fed's Retail Payment Risk Forum
July 6, 2010 in fraud, identity theft | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348525445e970c
Listed below are links to blogs that reference Identity thieves still using low-tech tactics to get into your wallet:
Comments
June 29, 2010
Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks
ACH volumes have grown rapidly over the past decade, as the network has expanded beyond prearranged, recurring payments between known and trusted parties to include converted checks and one-time transactions originated over the Internet or by telephone. New ACH services have heightened concerns about risk because of the potential associated growth in ACH returns for reasons such as insufficient funds, presentment to closed accounts, and unauthorized transactions, to name just a few. To gauge the level of risk in a financial institution’s ACH origination business, it may seem reasonable to use the rate of these returned items as a possible benchmark. If an ACH originator's return rate is consistently below the industry average, we should be confident that its ACH risk management practices are generally sound, shouldn't we?
Not necessarily, according to a new Federal Reserve study. The researchers—Olivier Armantier, Michele Braun, and Dennis Kuo of the New York Fed and Ron Feldman, Mark Lueck, and Richard Todd of the Minneapolis Fed—recently conducted a study using FedACH data to look at ways to improve the benchmarks used to monitor ACH returns to shed some light on today's ACH risk environment. The study held some interesting and noteworthy findings.
Average return rates are not necessarily a good benchmark for measuring risk
The Federal Reserve study shows that about 75 percent of all consumer debit originators were below the FedACH average for consumer debit return rates during spring 2006. This large percentage stems from the fact that the average is elevated by a small number of very large originators who also have higher return rates. Consequently, some originators who fall below the average may still have rates significant enough to deserve attention. In short, while average return rates are almost the only benchmark currently available, they do not provide the most effective proxy for assessing ACH return risk management.
Better benchmarks could be constructed
The Fed study illustrates how more informative benchmarks could be computed by exploiting the ACH transactions data. The authors used FedACH data on all consumer debit forward and return items originated for a period in mid-2006. By developing a methodology that matched about 90 percent of return items to their original forward item, they could tabulate rich sets of statistics, covering the whole distribution of ACH return rates, not just the average. Their analysis tabulates return rate distributions for several individual standard entry class (SEC) codes, as well as the overall distribution of ACH transaction types, leading to the following additional results:
- Size doesn't matter much. ACH return rates for small and large originators are not very different for most SEC codes. In fact, overall and for most types of consumer debits, the median small originator has a slightly lower return rate than the median large originator, when size is measured by deposits. Return rates were also not strongly related to the originating depository financial institution's volume of originations. Thus, it would be a mistake to read deposit size or institution size as a proxy for sophistication in managing the quality of ACH originations.
- TEL and WEB are both risky, but in different ways. The average return rates for both telephone-initiated transactions (SEC code TEL) and web-initiated transactions (SEC code WEB) were high relative to most other types of consumer debits, but in different ways. TEL risks were higher across the board, so that well-below-median TEL return rates were still high compared to typical consumer debit return rates. By contrast, most WEB originators experienced lower returns on WEB than on consumer debits generally. However, a minority of WEB originators with significant volumes and very high return rates pulled the average return rate for WEB somewhat above the average return rate of all consumer debits.
- Returns come fast and are mostly the result of insufficient funds. In mid-2006, more than 98 percent of all returns occurred within five days of origination, with more than 70 percent returned due to insufficient funds. For the small minority of returns that take more than five days, authorization issues predominate.
Better benchmarks can help banks manage ACH risk
Using and customizing the type of analysis done in the Fed study has the potential to help originating banks better understand risks and therefore more efficiently deter fraud. For example, both originating banks and bank regulators could analyze the distribution of return rates and reason codes by bank peer group to gain a better sense of an individual institution's risk management practices. At the broadest level, linking returns to forward items can efficiently provide a rich array of benchmarks to help originators better monitor their ACH returns and enhance the quality of information they provide to their boards of directors. Similarly, by going beyond the average return rate concept, regulators could use the approaches adopted in the Fed study to better supervise ACH originators, or industry associations could use them to improve industry standards. In short, the sun could be setting on the days of taking false comfort from the Lake Woebegonish achievement of a below-average return rate.
By guest blogger Richard M. Todd, vice president, Community Affairs and Banking and Policy Studies at the Minneapolis Fed
June 29, 2010 in ACH, bank supervision, fraud, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133f1f0d951970b
Listed below are links to blogs that reference Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks:
Comments
April 12, 2010
Financial literacy for Gen Y: Beyond teaching the basics of how alerts can help combat fraud
April is National Financial Literacy Month. In recognition of the importance of financial literacy, throughout the month of April we will feature blogs discussing the benefits of financial training.
According to a recent study conducted by Cisco, the top priorities for Gen Y (generally those ages 18—29) include debt reduction and financial education. Gen Y's desire for financial education is hardly surprising. What is interesting is how technology is shaping some of that education.
Why the Gen Y interest in financial education?
Gen Y has often lagged behind preceding generations in financial literacy skills. Poor financial literacy skills create greater exposure to fraud and identity theft. And financial education—especially about fraud—is news that Gen Y can use. According to Javelin Strategy & Research, young consumers are particularly interested in knowing how to combat fraud. On this topic, experience has been the teacher for many in Gen Y. For example, a recent Javelin survey shows that Gen Y consumers had a higher incidence of debit card fraud than any other group.
|
|
| ENLARGE |
Non-traditional teaching methods
The financial industry is enlisting technical creativity in hopes of enhancing its education efforts to Gen Y, a demographic described as liking its words abbreviated and its communications instantaneous. As a result, the industry is using virtual mediums such as video games and interactive websites. Financial institutions and private companies have joined the virtual space frenzy by offering various forms of interactive financial education platforms geared toward teaching young adults about money management. One organization, Doorways to Dreams (D2D) uses video games to teach simple financial lessons about credit and debit card management, personal budgeting, and awareness of expensive pitfalls such as payday lending.
Deputizing Gen Y in the fight against fraud
Alerts are an important money management tool because they give Gen Y more control over their finances. Alerts also allow Gen Y to share the responsibility of monitoring for fraudulent activity with their financial institution. Alerts are generally triggered by unique parameters set by the account holder, for instance, to warn when deposits or withdrawals occur, or when an account balance is dangerously low and at risk of having insufficient funds. These tools may also provide notice against unauthorized transactions. But for alerts to work as intended, Gen Y should understand their financial thresholds.
Financial literacy programs, whether taught in a classroom setting or through video games, are important because they can give Gen Y the tools needed to make wise and sound financial choices. However, financial institutions and others have the opportunity to augment their financial education programs with financial management tools such as e-mail and mobile phone alerts, which can also serve as security tools to combat fraud. If financial literacy tools can engage young adults in understanding their financial thresholds, then they will ensure that the established alert parameters will function as intended.
Education is empowering. Effective financial literacy that goes beyond basics and teaches how financial alerts can serve as useful tools to combat fraud is more than empowering—it's a sound investment for all.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.
April 12, 2010 in fraud | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01347fd35f8f970c
Listed below are links to blogs that reference Financial literacy for Gen Y: Beyond teaching the basics of how alerts can help combat fraud:
Comments
March 29, 2010
Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models
The folks engaging in the early stages of the mobile payments industry have coined the term "mobile ecosystem" to describe the environment into which they are trying to merge the traditional roles of telecommunications with those of payments and banking. While some in this fledgling industry are already becoming disenchanted with the grandeur of the "ecosystem" terminology, the concept does suggest a useful model for thinking about the challenges faced in this new arena.
A few weeks ago I received a new issue of National Geographic that contained a fantastic article (and even more fantastic pictures) of the unique ecosystem of the African island nation of Madagascar. The ecosystem of this large island, located off the southeastern coast of Africa, has yielded an extraordinary collection of plants and animals that live in a tropical setting interrupted by some truly anguished geological formations. The local ecosystem is, of course, actually a collection of subsystems (plants, animals, climate, topography, etc.) that have adapted over time to work seamlessly together. For example, large families of lemurs leap fearlessly and safely among knife-sharp rock formations because their hands and feet have developed coarse, leather-like padding over thousands of years.
In the mobile ecosystem, we see a similar makeup of subsystems that must work together. The technology and operational components, while not trivial, are clearly achievable, and many are in place today. The challenges that lie ahead, however, are in the sub-ecosystems of law, regulation, data security, data privacy, customer care, and profitability. Depending on the nature of some of the mobile payment solution alternatives, the banking and the telecommunications industries find themselves wondering if they can coexist on the same island. Is there enough value to the customer to generate the revenue necessary to fund a mobile payments initiative? Who gets or shares the revenue? Who is responsible for data security and authentication, and how does that credential or certainty get passed along the mobile payment supply chain? Who resolves the customer's problem if a mistake is made? What consumer protection rights exist in case of error or fraud, and do those rights change depending on whether a traditional payments system is used to settle the transaction? Are proven models in other countries transportable, or are the characteristics of the economics and user base too different?
With respect to customer care and protection, I recently asked an audience of representatives from the full span of the mobile payment value chain, "Who owns the customer in a mobile transaction?" Gratifyingly, they agreed they all did. However, the true ownership response may ultimately depend on the nature of the transaction and agreement on who is liable if anything goes wrong. Take the case of a person-to-person payment initiated by Consumer A (Barbara Buyer) to Consumer B (Gloria Girl Scout's Mom) for payment of six boxes of Girl Scout cookies (three Thin Mints and three Trefoils). In a telephone-based clearing model, Barbara would enter the requisite $21 in the payment instruction and designate the phone number of Gloria's mom in the recipient field, and both their phone bills would be adjusted accordingly. Now suppose that Barbara was distracted by her daughter's chiding that she really wanted Samoas and carelessly entered $210. Since the payment never went through the payment system, Barbara Buyer cannot rely on traditional banking regulatory protections or problem resolution processes. She must resolve the problem with her phone provider, who has already credited Gloria's mom. Alternately, given PayPal's March 16 announcement of an iPhone app to send money to another person, PayPal's resolution procedures could be in play.
If, however, Barbara's phone company clears the transaction through a mobile service ACH backend, or Barbara pays Gloria's mom through a P2P service offered by her bank, the error resolution process is likely through normal banking customer service channels, and the adjustment process may be managed differently, assuming an adjustment process is contractually spelled out in either case. In reality, Barbara would probably get Gloria's mom to write her a check for $189 to straighten things out. While this may seem like a trivial example, it does dramatize some of the issues that must be worked out in the new ecosystem of mobile payments to make such services work effectively for the customer's benefit.
Given these difficult challenges, it seems likely that various models will initially emerge within alliance groups (one phone company, one or more application providers, a few partner banks, etc.) before they begin to converge into one or more universal market models. Along the way, one hopes that the key participants can collaborate to anticipate the types of risk issues that could arrive in the real world so that the consumer's experience turns out to be one that encourages growth. In the age of e-mailing, twittering, and facebooking, it is increasingly clear to me that mobile banking and mobile payments are in our future and that they will be a very attractive service to some key sectors of our population. However, they will be extremely slow to develop if critical mass issues such as those mentioned above are not resolved up front. In fact, this would be a good place for banks to try new, customer-friendly approaches to consumer education and disclosure that match the payment channel being used and the customer demographic.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
March 29, 2010 in authentication, data security, fraud, mobile banking, mobile payments, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133ec4d8601970b
Listed below are links to blogs that reference Synthesizing the mobile ecosystem: Resolving customer problems in mobile payments clearing and settlement models:
To underscore the blog post, please see the folowing post from my blog: thepaymentsblog.com
Everything You Read Is Not Always Accurate
Last week I Tweeted about an article published by Digital Transactions on August 19, 2010 whose headline "A Survey Reveals a Rising Volume of Disputed ACH Debits" could have led readers to believe that all hell was breaking loose within the ACH industry. The article cited a survey conducted by eGistics in which financial institutions and payment processors indicated a 63% rise in disputed or unauthorized ACH transactions in 2009 when compared to 2008.
Well that article troubled me because I know through firsthand experience in running ACH businesses and as a NACHA Board member, how much real progress has been made to effectively manage ACH risk, especially the risks posed by unauthorized ACH transactions. So much work has been done by NACHA, the Risk Management Group and subsequent rules changes to reduce return item risk and volumes. Therefore, I did some investigation to better understand how eGistics came up with their numbers and cross-referenced them to the return numbers tracked and published by NACHA - the organization responsible for establishing and enforcing adherence to ACH rules within the network and NACHA’s numbers depict a far different picture than eGistics.
eGistics conducted a webinar last week to discuss their survey results. In that webinar, eGistics was asked to better describe the processors and financial institutions participating in the survey. eGitics indicated that many of their respondents experienced ACH growth far beyond the industry rate of 2%. These respondents had actually seen their ACH volume grow 20% or more - which then explains how return rates for these specific FI's and processors were higher due their individual origination growth rates; not a true indication that return rates, as an industry, were once gain climbing; nor a true reflection of the experience of all ACH originators. But it did explain to me the Digital Transaction headline – that is and was not representative of all ACH participants. The simple truth is that return rates of all kinds will increase as one’s origination volumes grow. However, the experience of a few does not a trend make and returns ARE going down, not up.
So I hope this provides a more complete picture; dispels any unwarranted fear and set the record straight - return item volume has been declining ever since NACHA’s network rules and enforcement efforts became more robust.
So don’t believe everything you read (and I say that to me too) and ask questions to see what is really behind the headlines.