Retail Payments Risk Forum

Portals and Rails

April 29, 2013

It's Time for Better Online Authentication Solutions

I recently read a news story in my daily news feed about litigation between a bank and corporate customer related to an account takeover, and the liability of the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.

Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.

Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?

Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 29, 2013 in account takeovers, cybercrime, fraud

January 28, 2013

Do GPR Prepaid Cards Pose Significant Money Laundering Threats?

When it comes to laundering proceeds from illicit activities, criminals have historically had a number of financial instruments and methodologies at their disposal. These choices have ranged from payment products tied to demand deposit accounts such as checks, wires, and debit/ATM card transactions to money transfers via money transmitters. The birth of general purpose reloadable (GPR) prepaid cards in the early 1990s created yet another payment instrument that could potentially be used to clean dirty money.

Although no payment instrument—GPR prepaid cards included—is completely immune to money laundering, the payments industry can adopt risk measures to mitigate the attractiveness of these cards to criminals. But what makes a payment choice attractive to money launderers? Criminals generally seek the fastest method to move their ill-gotten proceeds the furthest away from their illegal activities. Ultimately, they want to distance themselves and their financial gain from the crime in the quickest way possible. Anonymity, accessibility, immediate liquidity, and transportability of funds are all payment characteristics that a money launderer finds attractive.

The Retail Payments Risk Forum dove into the regulatory environment and risk management practice of the GPR prepaid card industry, and wrote up findings in a paper available on the Atlanta Fed's website. Among the paper's findings is that, as GPR prepaid cards have grown in popularity and come under increased scrutiny by regulators, significant regulatory measures and industry-wide adopted practices have greatly reduced, but not eliminated, their money laundering risks. And while U.S. regulators and the card industry have made great strides with anti-money laundering measures, GPR prepaid cards issued internationally do not necessarily face the same stringent risk environment, so they pose significant money laundering risks.


For more details on the money laundering risk environment for GPR prepaid cards, read the paper.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 28, 2013 in fraud, money laundering, prepaid

Comments

Interesting paper. The DoJ paper and rebuttal go into greater depth on the actual risks of GPRs in money laundering.

GPRs are not really like any other financial tool. Most are tied to a bank DDA with explicit account opening procedures.

What would be interesting is an analysis of recent GPR innovations which allow individuals a "deposit-only" capability. Basically these are simple pieces of plastic that allow ground level drug dealers to deposit cash sales into a master account anywhere in the country.

Of course, it could be a parent funding a child.

Posted by: CMS | January 28, 2013 at 09:31 AM


November 19, 2012

The Art of Capturing Customers with Mobile Remote Deposit Capture

Last November, Portals and Rails took a look at remote deposit capture (RDC) and wondered if deposit fraud would rise as more financial institutions roll out the service to more customers. We've seen no evidence in the past year to support an uptick in fraud. However, we have ample evidence demonstrating that the product is becoming mainstream through the mobile channel. With four large financial institutions incorporating RDC with their mobile applications over the summer, eight out of the ten largest depository institutions currently offer the product.

As with any new offering, financial institutions need to understand the risks behind new products and develop strategies to mitigate these risks. At a recent conference, I sat in on a wonderful discussion led by Terri Ferrise and Hunter Wolfe with Cachet Financial Solutions that highlighted the growing demand for mobile RDC and best practices for risk management of the product. Given banks' rapid adoption of the product, Portals and Rails would like to pass along some of the best practices for mobile RDC shared by Terri and Hunter as well as other financial institutions that were engaged in the discussion.

Customer management
"Know your customer" (KYC) is essential with mobile RDC. Financial institutions should prioritize their customers and offer mobile RDC only to their best customers, closely aligning the product offering with customer characteristics. When considering which customers to offer the product to, they should take into consideration these issues:

  • The length of the customer's relationship. Some financial institutions require that an account be open for at least 90 or 180 days before offering the service to their customers.
  • The depth of the customer's relationship. The more products the customer has with a financial institution, the better the financial institution should know that customer.
  • The experience with the customer. For example, has the customer previously used check deposit at the ATM? Has the customer previously attempted to deposit bad checks?

Deposit and velocity limits
Even with strong customer controls in place, financial institutions must also consider and employ deposit and velocity limits, which would include taking these steps:

  • Set realistic deposit limits (daily, weekly, and monthly) and availability rules based on the customer profile.
  • Consider velocity limits and other tools to analyze individual transactions and customer trends. Have a system in place to flag certain deposited items that are out of the ordinary for closer (or even manual) examination.
  • Continually monitor these limits and adjust them depending on the customer's behavior.

Front and back end processes
Financial institutions must also have adequate risk management at both the front end and the back end of the deposit process, which would include some of these strategies:

  • Procedures for dealing with RDC items post deposit. Destruction and franking protect against double presentment.
  • Strong user and hardware authentication routines.
  • Strong image validation and quality guidelines.
  • Customer education to ensure that images are not being stored on their mobile devices.

Just like any other successful product launch, mobile RDC creates new risk considerations. To date, it appears that those financial institutions offering the product are successfully controlling their risks. As this product begins to become commoditized, perhaps the biggest risk to financial institutions may be losing customers if they don't offer the product. For additional information on risk management of RDC, I encourage everyone to read the Federal Financial Institutions Examination Council's guidance on the topic.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 19, 2012 in fraud, mobile banking

November 05, 2012

While Stalemate Continues, Another Retailer Data Breach Announced

We haven't heard about significant data breaches at any retailer's brick-and-mortar stores lately. In fact, the prevalence of cybercrime and malware-related incidents has momentarily redirected our attention to payments made through online and wireless channels, along with related payment crimes such as social engineering and malware-enabled account takeovers and card data theft. However, according to Verizon's 2012 Data Breach Investigations Report, while most attacks are not related to physical tampering, "there was no shortage of payment card skimming in 2011, and there were notable arrests." In fact, a recent press release from a major book retailer is cause to sharpen our focus on in-store card payments and the use of mag-stripe technology at payment terminals.

Tampering with PIN pad devices in stores
On October 24, 2012, the retailer announced that it had "detected tampering with PIN pad devices used in 63 of its stores" and that it had notified federal law enforcement to support an investigation into the criminal activity. Furthermore, it is working with the banks and payment card network brands to identify potential compromised accounts. Much to the retailer's credit, the press release also outlines precautionary steps consumers should take if they have shopped in any of the impacted stores—namely, changing PINs, reviewing account activity for unauthorized transactions, and notifying banks about unusual or unauthorized activity.

PCI compliance is not enough
How can retailers protect themselves from PIN pad tampering fraud? We explored the growing prevalence of card data breach incidents in a May 2011 post describing how a crafts retailer had experienced card terminal tampering that may have led to customer card data compromise. The post noted that while the Payment Card Industry (PCI) Data Security Council guidelines attempt to address advanced security measures, the vulnerabilities inherent in mag-stripe card technology present serious management challenges. The threats to terminals can come in the form of crime rings, company insiders, or the terminal manufacturers themselves.

Will merchants follow the EMV migration roadmap?
Card network brands separately issued announcements in 2011 and 2012 with their own EMV deployment milestones, which can be viewed as a collective roadmap. A summary of these milestones, grouped by payment network, is included in the October 2012 edition of Smart Card Talk and reproduced below. This publication explains the incentives in the form of audit relief from PCI compliance as well as liability shifts for counterfeit card losses for noncompliant banks and merchants.

However, many industry experts surmise that merchants are willing to take their chances on the potential card fraud losses for such a liability shift, judging them to be lower than the costs involved in terminal replacement for chip card acceptance.

Technology adoption stalemate
Industry participants continue to argue about the inequities in the economics for moving forward to a new security environment enabled with more secure chip-based technology. It is highly likely that there will never be a collective path forward considered fair to all, with the large number of industry players and dichotomies in revenue and cost-sharing expectations. So as the U.S. payments industry keeps moving along the same path, with participants arguing the merits and inadequacies of various deployment options for chip-based payments, we can expect to see more crimes at retailer terminals. These crimes will cause merchants to experience technology costs and even customer loss in unexpected and unpredictable ways. And bank issuers will continue to pay for cleanup in the aftermath, by issuing new cards. Perhaps an analysis of the economics of moving to chip-and-PIN should reflect a higher emphasis on the cost of data breach events and their cleanup efforts in the aftermath.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 5, 2012 in chip-and-pin, fraud, identity theft

October 15, 2012

When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore

This post features a discussion with Terri Sands, senior vice president of electronic banking and fraud management at State Bank & Trust Company in Atlanta, on the landscape for risk management for community banks.

P&R: Terri, we talk a lot about how payments are migrating from paper to electronic methods. How does this affect community banks in payment services today?

Terri Sands: It wasn't long ago that community banks viewed fraud as an issue reserved for their larger brethren. Smaller institutions were able to deal with one-off issues such as the occasional stolen checkbook or bank card or other fraudulent transactions on a case-by-case basis. And while those events may have added some expense for the community bank's bottom line, it was rarely viewed as a material event affecting the institution and its brand.

But over the past several years, fraud's impact on community banking significantly changed. Fraud has become a constant threat to financial institutions and other industries regardless of the size and complexity of the organization. In the midst of increased attacks on financial institutions and their customers' accounts, the industry has become increasingly concerned over how to effectively protect against fraud. Basically, you can't read the newspaper or read e-mails without some form of fraudulent attack that has hit the financial sector—some are minor, others are major. However, when fraud hits close to home, it is always significant, regardless of the dollar amount.

P&R: We've been hearing a lot about corporate account takeovers in recent years. Is this affecting community banks, and what can they do about it?

Sands: For community banks, corporate account takeover attacks initiated by computer viruses have become a particularly sinister problem. In those circumstances, a corporate customer has inadvertently installed a virus on a computer by clicking on a link embedded in an e-mail that then provides a fraudster with critical online banking credentials. The fraudster uses the online banking credentials—that is, the user ID and password—to reroute credit transactions to an account and then immediately withdraws funds or pays a "money mule" to withdraw the funds and wire the money to a designated account.

Corporate customers may not even realize their money has been stolen until they check or the bank checks the account. Regardless of how this virus occurred, the customer may feel uncertainty about security and about the bank's ability to protect their money in the future. So for many community banks, this type of fraud has truly been the turning point as it is hitting their customers and therefore hits closer to home—it has become reality.

Community banks have the same fraud risk management responsibilities as the larger banks. They should network with the industry and law enforcement to share information on attacks in an effort to collaborate on mitigation strategies and share intelligence about other types of attacks affecting their customers. This is a great way to further enhance any bank's risk and fraud management program. Community banks should also include customer education as part of an effective fraud management strategy, to help them to be more proactive in their own defensive practices to ward against fraud. Of course, as the industry is well aware, the interagency regulatory guidance published in June 2011 on authentication in an online banking environment also provides community banks with a roadmap for assessing a bank's risk profile and ensuring adequate protection against risk vulnerabilities.

P&R: Is fraud mainly an online problem today?

Sands: Fraud can happen online or offline. The risk may result from a simple form of social engineering such as a phone call or e-mail attempting to gain customer information or from an internal gap in the payment process that can be exploited. Either way, fraud management is not a one-time fix but an ongoing process. Community banks must remain ever-vigilant in efforts to protect consumers from risk of fraud and possible financial loss.

October 15, 2012 in banks and banking, fraud, online banking fraud

August 27, 2012

Mind the Gap: PIN versus Signature Authentication

In a January post, Portals and Rails considered the difference in fraud rates for payments using signature versus those using PIN authentication. Based on the data at hand, we concluded that "financial institutions have significantly more exposure to fraud losses from card payments with signature authentication than those from PIN authentication." The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions has widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions.

Debit Card Issuer Loss Rates

Fraud is a concern for issuers
According to the study, which was conducted by the consulting firm Oliver Wyman on 57 banks and credit unions, 74 percent of large financial institutions (asset size greater than $10 billion) and 90 percent of small institutions (asset size under $10 billion) view fraud as a major challenge for 2012. Looking deeper into 2012 fraud concerns, 54 percent of issuers, regardless of their size, expect signature debit fraud to increase, while only 37 percent of issuers expect an increase in PIN debit fraud levels.

With fraud being of such high concern to issuers, I expected EMV card issuance to be high on their priority list, but that is not the case. In fact, 71 percent of the financial institutions have no immediate plans to issue EMV cards. In the past, we've highlighted some of the many possible ways to do an EMV implementation—according to the study, these unknowns of a U.S. EMV implementation have many financial institutions taking a "wait-and-see" approach.

Of particular note, issuers are interested in knowing if PIN authentication will become mandatory or if it will continue to coexist with signature authentication. Hopefully, this issue and others surrounding EMV implementation will soon be addressed by the industry through the recently announced collaborative EMV Migration Forum created by the Smart Card Alliance. The sooner these issues get sorted out, obviously, the better, as signature debit card fraud is showing no signs of slowing down.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 27, 2012 in chip-and-pin, crime, EMV, fraud

July 16, 2012

Oh, SNAP! Benefit trafficking costs millions

As I watched the local evening news several weeks ago, one particular story caught my attention. A local convenience store owner had been arrested for the repeated abuse of the Supplemental Nutrition Assistance Program (SNAP), formerly known as the food stamp program. The store owner allowed SNAP recipients to exchange their electronic benefit transfer (EBT) cards for such items as cigarettes and alcoholic beverages, charging a premium of anywhere from 25 to 50 percent of the items' values. This type of SNAP fraud is known as "trafficking." Another form of trafficking fraud occurs when the program recipients sell their cards on the black market in exchange for cash. These cards are then reported as lost or stolen, so recipients receive a replacement card.

Upon performing an Internet search on this topic the next day, I was surprised to discover that SNAP trafficking is actually a $300 million-a-year problem. According to a 2011 report of the USDA Food and Nutrition Service, trafficking diverted an estimated $330 million annually from SNAP benefits, or about one cent for each SNAP dollar redeemed. Interestingly, this figure is down significantly from earlier reports published by the USDA. In 1993, trafficking resulted in more than $800 million of fraud, or nearly four cents per SNAP dollar redeemed. Since the first report, the trafficking rate has fallen, leveling off at its current rate of 1 percent. Still, fraud levels for this EBT program are significantly higher than for general purpose credit and debit cards.

The main reason for this decline has been the electronification of the old food stamp program. During the mid to late 1990s, some states began replacing food stamps with EBT cards. And since June 2004, all states have used EBT cards to distribute SNAP funds.

Though taking this program from paper payments to plastic payments has dramatically reduced trafficking fraud, fraud is still an issue at 1 cent per dollar redeemed—so much so that the USDA recently proposed a new rule that would allow state agencies to deny replacement cards to recipients who make four replacement requests over a 12-month period.

The USDA's proposed rule is currently open for comment through July 30. I encourage anyone with thoughts or ideas on this particular rule and on trafficking fraud in general to make their voice heard and provide feedback to the USDA. The SNAP EBT fraud rate, which is substantially higher than credit and debit card fraud rates, is the burden of all taxpayers. What else can or should we do to further tackle this particular payments fraud?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 16, 2012 in crime, fraud, regulators

March 26, 2012

Is the Internet the world's largest crime scene?

"If the Internet is a place, it's probably the world's largest crime scene," said Peter Liske, vice president of product management at Threatmetrix. Listening to Peter talk recently at the 1st annual CARTES in North America conference, I immediately visualized my computer screen filled with chalked outlines of bodies representing victims of online crimes. While crime on the Internet can take on many forms, I am focusing today's blog on online shopping fraud. According to CyberSource's 2012 Online Fraud Report, merchants lost an estimated $3.4 billion in 2011 due to fraud taking place in "the world's largest crime scene."

Although $3.4 billion in losses is nothing to smile about, the report offers some good news in the merchants' ongoing battle against cybercriminals. Most notably, merchants are proving that when technology and other fraud detection tools are implemented effectively, fraud can be reduced. In 2011, merchants reported that 0.6 percent of orders were lost to fraud, a 33 percent decrease from 2010. A key reason for this decline of orders lost to fraud appears to be increased investment or usage of tools by the merchants to identify, track, and prevent fraud. In 2011, merchants used more technology and other tools to automatically detect fraud. They also engaged in more manual reviews of orders. In fact, during 2011, the largest merchants (annual online revenue of over $25 million) used more automated fraud detection tools than did smaller merchants, resulting in substantially lower fraud rates for the largest merchants.

Unfortunately, these fraud detection tools come with a cost, and the manual review of transactions is both an expensive and laborious task. According to the CyberSource report, 75 percent of the merchants surveyed do not plan to increase staffing levels related to fraud management in 2012. Further, 78 percent of the merchants expect to make no increase to their fraud management budgets in 2012.

As sales volume on the Internet continues to grow, merchants will have the difficult task of fighting fraud with their limited resources. To keep battling in "the world's largest crime scene," it will be imperative for them to optimize their automated fraud detection tools in today's constrained environment. As merchants engage in this tight-wire act between fraud losses and prevention costs, will they continue to be able to lower the incidence of fraud?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 26, 2012 in cybercrime, fraud

March 14, 2012

How do new faces affect risks in money transfer business?

According to a February 21 American Banker article, Facebook has officially entered into the money transfer business. Facebook reported in its S-1 filing last month that it generated about $555 million in 2010 (or 15 percent of its revenue that year) from payments, and that it holds money transmitter licenses in 15 states. Facebook credits are a digital currency that companies use on the site's online applications and games such as Farmville.

Facebook is not the only nonbank business entering the money transmittal business, though it certainly may be one of the more prominent. But as money transmitters are playing an increasingly larger role in our nation's payments system, now may be the time to take stock of the risk environment and continue our discussion on an appropriate strategy for risk governance.

FinCEN SAR filings on the rise for money transfer services
According to FinCEN's May 2011 report The SAR Activity Review: By the Numbers, depository institutions have a greater potential of exposure to money laundering crimes than do nondepository institutions. Nondepository institutions include money service businesses (MSBs), securities and insurance firms, and even casinos. You can see from the following table that over the last five years, the number of depository institution SARs decreased as of December 2010, while nondepository institution SARs have increased.

The report's findings for MSBs in particular are startling. It says, for example, that “in 2010, suspicious activity filings by the MSB industry hit an all time high with 596,494 SARs filed in 2010, up 12% from the prior year and over 18,000 more forms submitted than the previous high in 2007.” In fact, money transfer SAR filings in 2010 comprised 70 percent of all financial services filings by MSBs. SARs by MSBs listing money transfers increased 23 percent from 2009, while money order SARs fell 3 percent for the same period.

2010 SAR filings by financial services

Under the radar: When MSBs fail to file
When MSBs were subject to enforcement actions in 2011, their primary infraction often involved failure to register with FinCEN. In addition, according to FinCEN's 2011 Annual Report, filing failures were often accompanied by other legal violations, such as failing to file currency transaction reports and currency structuring.

To help industry partners, regulators, and law enforcement monitor MSBs, FinCEN recently announced the launch of a new MSB registration website. FinCEN updates the database weekly.

As nonbank companies, including social media firms like Facebook, enter the payments business, it will be critical to keep an eye on small innovative and possibly unlicensed start-up money transmitters.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

March 14, 2012 in fraud, money services business (MSB), payments risk | Permalink


February 27, 2012

QR codes versus NFC: Cheaper, but worth the risk?

In recent years, we've seen discussions on the value and viability of near-field communications (NFC) apps morph from the hypothetical to some actual real-life deployments. Google has rolled out an NFC mobile wallet, and others are on their way for trial rollouts, as we discussed in last week's post. As this burgeoning industry takes shape and the costs and barriers become more apparent, some interim and quite disruptive technological alternatives are gaining attention—namely QR (short for "quick response") codes. In fact, many merchants today are touting QR codes as the near-term alternative to a more costly deployment of contact and contactless chip-based payments using NFC and EMV interoperability and security technology standards. They are touting these QR codes despite the superior security that chip technology affords. These discussions raise the question: are short-term economic gains realized from less costly QR code technology adoption at the expense of payment security?

How do QR codes work?
QR codes are a two-dimensional form of barcode whose contents can be decoded electronically at high speed. QR code use exploded in 2011, and mobile phone technology has expanded to support their application for storing all kinds of data, including URLs. As a result, consumers are increasingly using QR codes to access magazines and newspapers on the Internet and to find online product reviews by scanning price tags. The camera in a smartphone captures the picture of the QR code, and then decoding software helps the phone connect to a website or a file download.

QR codes and malware
Unfortunately, there is no way to visually discern whether the data contained in the QR code will direct the user to a malicious website or application. Problems with malicious QR codes are just beginning to emerge because most people simply don't know the best way to protect their mobile device. According to Marian Merritt, a Norton online safety advocate, "fewer than 5 percent of people have got some form of security on their mobile devices." 2011 in particular witnessed an upsurge in hackers using QR codes as a means of transmitting mobile viruses in Russia. According to a recent report by AVG Technologies, scanning a QR code and executing its hidden applications on a mobile device is akin to "running an unknown executable on your computer." Mobile-related hacking events are expected to rise in 2012 with the advent of more advanced QR code-enabled mobile applications.
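Because the user cannot see what a QR code contains, the decoding software is the only place where a check can happen before the phone acts on the payload. The following is an added example, not code from the original post or from any scanner vendor, of a conservative policy applied to an already-decoded QR payload: plain text is displayed, https links to ordinary hosts are opened, and links that would dial, message, install, or download an executable are blocked or held for confirmation. The scheme lists, file suffixes, and the "confirm" rules for IP-literal and punycode hosts are illustrative assumptions.

```python
"""Added example (not from the original post): a policy check for decoded QR
payloads, run before the handset navigates, dials, or downloads anything.
The lists below are illustrative assumptions, not a published standard."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Schemes that open a website; the URL is still inspected before navigation.
WEB_SCHEMES = {"http", "https"}
# Schemes that trigger an action (dial, message, install, run script) rather
# than show a page; these should never fire straight from a scan.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "market",
                  "intent", "javascript", "data", "file"}
# Path suffixes that mean "download something executable", not "view a page".
EXECUTABLE_SUFFIXES = (".apk", ".exe", ".jar", ".ipa", ".msi", ".scr")


@dataclass
class Verdict:
    action: str   # "open", "confirm", or "block"
    reason: str


def classify_qr_payload(payload: str) -> Verdict:
    """Decide what a scanner app may do with the decoded text of a QR code."""
    text = payload.strip()
    if not text:
        return Verdict("block", "empty payload")
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    # No scheme at all: treat as plain text and display it, never execute it.
    if not scheme:
        return Verdict("open", "plain text, display only")
    if scheme in ACTION_SCHEMES:
        return Verdict("block", f"action scheme '{scheme}' needs explicit user intent")
    if scheme not in WEB_SCHEMES:
        return Verdict("block", f"unknown scheme '{scheme}'")
    host = parts.hostname or ""
    if not host:
        return Verdict("block", "URL without a host")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        return Verdict("block", "link points at an executable download")
    # Raw IP literals and punycode (xn--) hosts are common in lookalike links;
    # show the full URL and ask before opening.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or "xn--" in host:
        return Verdict("confirm", f"host '{host}' needs review before opening")
    if scheme == "http":
        return Verdict("confirm", "unencrypted link; show full URL before opening")
    return Verdict("open", f"https link to {host}")
```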

Should economy trump security?
QR codes fulfill a wide range of functionalities, but should they be used for payments? Starbucks has realized considerable success with its QR code-based mobile payment app with millions of transactions since it launched one year ago, and merchants are receptive to a more affordable point-of-sale payment acceptance system generally.

The risk of fraud in micropayments and closed-loop payment systems—such as the QR code prepaid business model that Starbucks uses for a cup of coffee—may not be as significant as for larger, open-loop transactions. Ultimately, QR codes may play a viable role in some smaller, and less risky, payment applications. Payments industry participants should carefully consider the ramifications of a strategy that expands their use more generally in lieu of NFC-enabled payments.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

February 27, 2012 in contactless, fraud, mobile payments, risk | Permalink
