June 27, 2011
What are you signing away with a signature instead of a PIN on card transactions?
Recent years have witnessed the commercial banking industry making some surprising risk management decisions. For instance, many financial institutions encourage their customers to choose the credit/signature option of their debit cards rather than the debit option. But the credit option is more vulnerable to fraud, so ultimately is more costly to the industry. In addition, signature debit transactions are processed through the credit card networks, which means the banks earn the higher interchange fee that comes from credit transactions as opposed to debit transactions.
The point of this discussion is not to look at the anticipated effect of the Durbin amendment on interchange practices, but instead to focus on the moral hazard presented by these practices in the context of our nation’s retail payment systems. The reason that signature debit carries a higher interchange fee is that it is less secure than PIN debit transactions. In a recent study by the Federal Reserve Bank of Minneapolis, financial institutions reported that signature debit fraud attempts eclipse fraud with other payment types. The report also says that debit cards along with checks are the payment types most often attacked by fraud schemes, and as a result sustain the highest losses.
Source: 2010 Payments Fraud Survey: Summary of Results, The Federal Reserve Bank of Minneapolis
However, the study also reported that most financial institutions and other organizations report that actual fraud losses as a percent of their annual revenues are relatively small, at less than 1 percent. This information sheds light on the risk-versus-return decision-making rationale.
As the incidence of payment card fraud in general is on the rise, it is time to take a proactive view of the risk management practices for debit card programs. While persuading customers to process debit card payments on card networks may be more profitable in the short run, the industry may realize an increase in fraud and risk in the retail payments system as a result.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
June 27, 2011 in consumer protection, fraud, interchange, risk
May 23, 2011
The dilemma of measuring fraud in the U.S. payments system
Growing up, I was fascinated with books about animals, particularly those focusing on totally unique and strange Australian animals. Kangaroos, wallabies, duck-billed platypuses, and spiny echidnas caught my fancy because they were unique, existing nowhere else on the planet. Perhaps one reason I am so fascinated with the U.S. payments system is that it is totally unique and replicated nowhere else in the world.
Limited government engagement in payments system policies
While part of its uniqueness stems from its size and scope, the true novelty of the U.S. payments system lies in its exceedingly free market roots. That is, relative to most other developed countries, our system is very lightly regulated. Certainly, there are a reasonable number of regulations that afford consumer protection, but in the nearly 30 years from 1980 to 2009, Congress only occasionally addressed payments system issues, most notably with the Expedited Funds Availability Act of 1988 and the Check Truncation Act of 2003. One would normally expect infrequent legislative engagement in situations where a strong government regulator was in place, making legislative activity unnecessary, but there is no government agency specifically charged with regulating the overall U.S. payments system.
This arrangement has created an environment where innovation flourishes, but it also has allowed for a bit of a void when the evolution of the payment system creates public policy issues, either internally or with respect to global compatibility. Recent history bears witness to this point as Congress has suddenly become more engaged in passing the CARD Act of 2009, the overdraft legislation of 2009, and the debit card interchange legislation housed in the Durbin Amendment to the Dodd-Frank financial reform legislation of 2010. While each of these efforts was directed at increasing transparency and promoting choice for consumer and business users of the payments system, there has been little effort to address another important public policy issue—the increasing concern over risk and fraud in the payments system.
Through the creation of the National Strategy for Trusted Identities in Cyberspace, the current administration has proactively addressed growing concerns over ID theft in an increasingly electronic and globally accessible payments system. But many other tangential and separate fraud issues loom on the horizon. In tough economic times, however, organizations make difficult choices about the business case behind any fraud mitigation investments. Individual organizations generally have the data necessary to conduct such assessments, but from a broader national viewpoint, precious little data exist on which to base needed public policy analysis. For example, when the Federal Reserve Board, via the aforementioned Durbin Amendment, was handed the responsibility to oversee debit card interchange and fraud management issues, they had no choice but to begin their work by developing and distributing extensive surveys so they could get a handle on experiences in the marketplace.
Lack of a public fraud measurement system
Much of what exists publicly today in terms of payments system measurements and metrics for fraud comes from independent survey work initiated by trade associations or consultants, such as the American Bankers Association, the Independent Community Bankers Association, and the Association for Financial Professionals. While the data flowing from these efforts is extremely helpful, each survey has its own focus, methodologies differ, and voluntary participation levels vary the statistical accuracy of results.
In other countries, the government, central bank, or bank-centered payments authorities systematically and accurately gather and report fraud data, and then publish such data for all to use as they go about managing their payments portfolios and making investment decisions in technology. Recently, I have engaged in discussions with many payments leaders about the dilemma of not having good data on which to base fraud-mitigation decisions related to growing concerns about the use of chip-and-pin card technology being implemented across the globe versus the magnetic-stripe technology used in the United States.
As a result, U.S. decision makers have to examine instances of card fraud mitigation in the United Kingdom, or the Netherlands, or Brazil, or Canada, and opine on whether these foreign experiences are pertinent to this country. Moreover, while we have seen some results of surveys looking at fraud losses, there is almost no public data with respect to the perhaps more critical factor of the costs of managing fraud.
Is it time to address the issue?
I have heard increasing industry concern about this lack of data, to the point where it may be time to ask how such a limitation can be addressed. My sense is that any voluntary private sector effort will continue to be snubbed by respondents who have neither the time nor the inclination to share data that they fear may be made public at the individual respondent level. Additionally, entities that could conduct such work are not positioned to address fraud across all channels, but are likely to focus on a single channel, such as check or credit card.
Perhaps it is time for the government or collective industry groups to address this shortcoming and organize an effort to design and support an approach to collecting statistically accurate, cross-channel payments fraud data to be publicly shared. Metrics stemming from a data-gathering initiative could go a long way toward helping a troubled industry wrestle with the business case behind more aggressive fraud-management efforts.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
May 23, 2011 in fraud, payments systems
May 09, 2011
United front needed to prevent EMV card fraud from picking low-hanging fruit
I was pleased to see in the news recently that Chase and Wells Fargo announced the issuance of EMV chip-enabled cards for several of their credit card portfolios. Though these EMV chip-enabled cards will still have mag stripes and are primarily intended for customers who travel internationally, these announcements represent a positive move toward a more secure payment card environment in the United States.
Based on available data from countries around the globe with EMV experience, EMV chip-enabled cards have been highly successful at reducing counterfeit and lost or stolen card fraud within market. However, these cards have had less impact on overall fraud levels. Fraud has simply shifted to different products (from credit to debit), other channels (from card-present to card-not-present, or CNP), or other geographies (fraud perpetrated abroad).
If the U.S. payments industry does decide to move forward with EMV, the experiences in markets that have already undergone or are undergoing the migration to EMV teach us that issuers, networks, and merchants across all payment channels must make a coordinated effort in order to achieve a positive impact on overall payment card fraud levels. Without coordination, the United States would likely see fraud shifting to other products and channels but not geographies—by then, all developed countries will have converted to EMV, including our neighbors, Canada and Mexico.
EMV migration experience: Card-present fraud shifts to card-not-present fraud
The success of EMV in reducing card-present fraud in countries that have made the move is impressive. Based on the latest figures from the UK Cards Association, face-to-face card fraud at United Kingdom retailers fell by nearly 70 percent after the widespread introduction of EMV in 2004. Yet, during that same time, CNP fraud rose by 50 percent and now represents 62 percent of all payment card fraud in the country. Likewise, according to figures from the Observatory for Payment Cards Security, fraud rates in France on face-to-face transactions with French-issued cards fell from 0.029 percent in 2004 to 0.014 percent in 2009—but then CNP fraud rates for transactions within France rose from 0.177 percent to 0.263 percent. And in Australia, a similar pattern is emerging. According to the Australian Payments Clearing Association's latest release of fraud data for the 12 months ending June 30, 2010, skimming fraud is down significantly, yet overall payment card fraud continues to rise, in part due to a 25 percent increase in CNP fraud.
EMV migration experience: Fraud shifts between products
In Canada, the migration to the EMV standard has been led by the credit networks, namely Visa and MasterCard, who are all but done with the migration. (Liability shift—the movement of liability from the issuer to the merchant—took place March 31.) With a migration completion mandate set for January 2015, Interac, Canada's national debit payment network, has been much slower to migrate to the EMV standard. Criminal Intelligence Service Canada reported a slight decrease in payment card fraud from $512.2 million in 2008 to $500.7 million in 2009. However, as credit cards were the first to migrate, fraud shifted to debit cards. Interac reported a 36 percent increase in fraud in 2009—from $104.5 million in 2008 to $142.3 million. Interac, which is deploying chip-and-pin in earnest now, recently reported a 2010 fraud loss figure of $119 million, down 16 percent from 2009.
Australia is seeing a similar development. Scheme debit, credit, and charge cards are in the process of migrating to the EMV standard, while proprietary debit cards continue to use mag-stripe technology. Skimming fraud is down on scheme cards, but proprietary debit cards experienced a 94 percent increase in skimming fraud.
Coordination prevents fraudsters from identifying weakest link
The bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging. First, we have a large number of credit and debit networks, payment card issuers, and payment cards in circulation (including closed-loop prepaid and private label), as well as acceptance locations (including ATMs) in the marketplace. Second, the number of card purchases in a CNP environment through the Internet or mobile device is continuing to proliferate.
But the good news for the United States is that not only can we learn from the experiences of the earlier-adopting countries but we can also take advantage of new technologies coming to market. For example, First Data's EMV Go-Cap and SecureKey's One Tap both work in the CNP environment. Also, as my colleague Cindy Merritt recently blogged on, mobile has great potential to address the increasing fraud in the CNP environment.
If all participants in the payments industry coordinate their efforts while also adopting new technologies, we could keep fraudsters scratching their heads as they search for the lowest-hanging fruit during a U.S. migration to EMV.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 9, 2011 in EMV, fraud
March 21, 2011
FinCEN proposed new rule addresses money-laundering risks in prepaid products
While prepaid payment products still represent a small percentage of today's electronic payments, their use is rapidly growing. According to the 2010 Federal Reserve Payments Study, the number of prepaid card transactions increased 21.5 percent each year from 2006 to 2009. Most prepaid payments are enabled by plastic cards, but today's technology can enable the same payment functionality in other form factors, including mobile phones.
As the market for these prepaid products continues to develop and grow, the Financial Crimes Enforcement Network (FinCEN) has been watchful of their potential money-laundering risk exposure and issued a proposed rule addressing various kinds of prepaid access devices. In its proposed rulemaking notice, FinCEN announced that the rule would cover not only cards but also such access devices as mobile phones, key fobs, and any other device that can serve as a portal to funds paid for in advance and allow a consumer to retrieve or transfer these funds.
Prepaid access devices and money laundering risks
Many of the same factors that make prepaid access devices attractive to consumers can make them vulnerable to criminal activity. For instance, the ease with which these devices can be obtained along with the potential for anonymity—which is the case with nonreloadable open-loop cards, for example—as well as the ease with which money can be loaded onto them can make them potential money-laundering vehicles.
To help identify potential risks related to prepaid access devices, FinCEN formed a subcommittee within their Bank Secrecy Act Advisory Group (BSAAG). The subcommittee has identified numerous risks, such as funding with cash from stolen credit cards and virtual money cards that allow individuals without a bank account to access illicit cash via ATMs globally. Some high-profile criminal activities have also surfaced, exposing some of these potential risks.
Because some products are perceived to be less likely than others to be used for money laundering, FinCEN has excluded certain prepaid access devices from its rulemaking, including payroll cards, government benefit cards, health care access cards, closed-loop cards, and products that allow access amounts less than $1,000.
Disrupting, detecting, and deterring the illicit flow of funds
Disrupting the flow of funds can create a less-than-ideal environment for criminals attempting to conceal the sources of their illicit funds. FinCEN's proposed rule is one way to accomplish this disruption. By implementing additional systemic safeguards and filling gaps in the prepaid environment with stronger regulatory controls, the agency hopes to make it more difficult for criminals to use prepaid payments products for illicit purposes.
Ultimately, the goal of the proposed rule is to enhance the regulatory framework for prepaid access devices while finding ways to promote development and growth in the prepaid industry and discourage wrongdoers from misusing prepaid products. For now, FinCEN's final rule is pending release, but if it is adopted as proposed, it would expand Bank Secrecy Act compliance obligations to prepaid access devices beyond plastic prepaid cards to include emerging prepaid products.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
March 21, 2011 in crime, fraud, money laundering, payments risk, prepaid
March 07, 2011
Moving to chip-and-pin: The cost of foresight versus the price of hindsight
As I watched the dramatic events in the Middle East unfold over the past few weeks, I realized that revolution may be the only form of change in the world today that takes less than five years. This seems particularly true in the payments industry, where managing new technology is at the heart of the change process.
It has taken six years to implement Check 21 in the United States. Meanwhile, Canada has established a five-year plan to move to chip-and-pin technology for payment cards. The United Kingdom has announced a plan to eliminate checks in seven years, with a five-year checkpoint. In Europe, the goal of achieving seamless cross-border payments services as codified in the Payment Services Directive is in its fourth year of implementation, and talk has turned to setting another set of deadlines for mandating implementation of actual payment traffic, as opposed to technical readiness.
The common thread in each of these as-yet-uncompleted initiatives is that they are all actually under way. They have a start date and an anticipated finish date, a known goal toward which all participants are driving. At such time that each effort was initiated, there was someone, or perhaps many "someones", who determined that there was a compelling societal, if not individual participant, business case for moving forward toward a somewhat distant vision.
Today in the United States, however, in the wake of the economic crisis that has created a backlog of payments and IT initiatives, new investments seem stalled under the jaundiced eyes of senior financial planners. In essence, key projects whose deliverables we know we will need in five years are in danger of never getting started. Why? Because a present business case based in today’s experience is hard to construct, and funding for projects with better short-term results may be given precedence over far more strategic long-term projects with better net-present-value results.
A case in point may be the effort to move from magnetic stripe card technology to the more fraud-resistant chip-and-pin technology now being deployed throughout the rest of the world's developed nations. My colleagues and I have written about this issue previously, and some very smart friends of mine in the industry have assured me that current card losses, and I assume current all-in costs of card fraud management and mitigation, are just not bad enough to create a positive business case for change, particularly for large issuing banks who are potential market movers.
My problem, however, lies in the fact that the business case should not be based on current costs, but rather on the anticipated costs five years from now when implementation is likely to occur and depreciated investment costs actually come on line. Of course, the $64,000 question is, "What costs of fraud should we forecast for 2016?"
Frankly, no one actually knows that number, but we do know that it is very likely to be much higher than today if the United States is the last developed country on the planet to move away from mag-stripe cards. The problem is further complicated by the fact that best estimates for fraud cost growth should be augmented by less quantifiable "soft" costs that also loom in the distance. For example, if other nations decide to no longer dual-provision their cards with mag stripes in order to prevent the immigration of fraud from the United States, what costs will U.S. banks incur to continue to provide services to their globetrotting customers? Will we be the ones now having to dual-provision our cards with chip-and-pin? Several U.S. financial institutions have already announced plans to do that very thing. Additionally, with no planned changes in sight, U.S. banks will be tempted to invest in bridge technology to mitigate the growing cost of mag-stripe fraud, thereby inflating the multiyear cost picture with interim investments.
What then should we do? Perhaps we should follow the lead of the U.K. Payments Council's efforts to signal the end of checks as a payment instrument. That is, establish a long-term roadmap for desired change by picking a reasonable future date for a move to chip-and-pin, set some known interim checkpoints for further reflection, and begin an orchestrated process of educating merchants and other key players on optional ways to make the change. With such a target in place, all parties—merchants, issuers, acquirers, processors, card brands, suppliers—could then make better interim investment choices aimed at minimizing long-run costs while maximizing short-term benefits to their customers.
One of my favorite movies is Field of Dreams, in which the owner of an Iowa cornfield devotes some of his acreage to the fanciful construction of a baseball field on which the spirits of great players from the past gather each night to play. The movie's famous line, "Build it and they will come," may be the answer for some of our complicated payment investment decisions. Who then should make the call? Absent a probably not-so-welcomed mandate from Congress or a government agency, the job falls to enlightened market forces anxious to control their own destiny. Many groups like the Smart Card Alliance, the Merchants Advisory Group, and others have begun to lay out multiyear roadmaps. My hope is that huddling around these and other ideas in the very near future might be the best way to proceed. Without such efforts at collaboration, I have a gut feeling that five years from now we may, as an industry, be reflecting on the fact that, regardless of the end date, we should have started sooner.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
March 7, 2011 in chip-and-pin, fraud, payments
February 28, 2011
Gains made in reducing identity theft, but significant fraud losses still loom
Was it a mere coincidence that the day following the release of Javelin Strategy & Research's 2011 Identity Fraud Survey Report, CNBC aired American Greed: Operation Get Rich or Die Tryin'? This show examines Albert Gonzalez's hacking into computer networks of retailers (most notorious, TJX Companies) and a payment processor (Heartland Payment Systems) and the subsequent extensive fraud using compromised credit and debit card information.
While the CNBC story was intriguing, Javelin's 2011 report just might be even more intriguing given the surprising results that identity thefts and the related losses in 2010 were at their lowest levels since 2003, when the survey began. In 2010, the incidence rate for existing card account fraud stood at a lowly 2.3 percent and only 7 percent of consumers were notified of a data breach, compared to 11 percent in 2008. While many factors are responsible for these low levels, it seems that preventive and detection measures by financial institutions, merchants, and consumers are playing a positive role. However, the fact remains that in the current magnetic-stripe environment, all parties could still experience significant losses from counterfeit cards if a large data breach were to occur.
Merchants and PCI implementation: Success in reducing data breaches
At year-end 2010, Visa reported that 96 percent of its Level 1 and 2 merchants (merchants with more than 1 million transactions a year) were compliant with the Payment Card Industry Data Security Standard (PCI DSS), and 100 percent had been validated as not storing prohibited data. For smaller merchants (Level 3 and 4), Visa reports moderate PCI DSS compliance but does not offer any figures. Watching the CNBC special, it was a bit harrowing to fully understand the amount of card and personally identifiable data that merchants and processors store, sometimes without even encrypting the data. The PCI DSS was put into place to not only require the encryption of data, but also prohibit the storage of certain sensitive cardholder authentication data such as full magnetic-stripe data, CVV2 codes, and PINs. In the event that a PCI DSS-compliant merchant is hacked, it would be much more difficult to perpetrate a fraud as extensive as Albert Gonzalez and his accomplices pulled off. It’s possible that these strict data standards have been effective in thwarting fraudsters and hackers.
Financial institutions and consumers working together to reduce detection times
Not only are the incidence of existing card account fraud and related losses stemming from identity theft at all-time lows, the detection time—and subsequent losses—for this type of fraud is significantly shorter than for existing noncard fraud and new account fraud. According to Javelin, 31 percent of all existing card fraud is detected within a day or so, and nearly another 30 percent within a week. The top three fraud detection methods as reported by Javelin are notification to a consumer by a financial institution, consumer's monitoring of accounts through paper statements, and consumer's monitoring of accounts through electronic means or ATM. With increased availability, and consumer usage, of online and mobile banking, consumers can more easily monitor their accounts and more quickly identify fraudulent transactions than with the traditional method of a monthly paper statement. Many financial institutions are also being proactive in their battle against fraud by using the mobile channel to push notification alerts of potential fraudulent transactions to the consumer. According to Javelin's 2010 Banking Identity Safety Scorecard, 85 percent of the top 30 banks or credit unions offer mobile phone alerts.
Still vulnerable from the mag stripe, but where to go from here?
Even though we've taken great strides to reduce identity theft and related fraud losses, we can't make the same claim for card technology in the United States. As history shows us, fraudsters are often a step ahead of the industry. And unfortunately, implementation of new standards and technology is often reactive to the latest fraud rather than proactive to fraud that could happen. As long as the United States remains a magnetic-stripe country, we'll continue to have the risk for widespread fraud losses from the counterfeiting of magnetic-stripe cards.
Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States. Though much has been written about the lack of a business case for contact or contactless chip form factors in the United States, will continued mag-stripe fraud and the potential for even larger losses—all while the rest of the world migrates to chip-and-pin—finally build that case?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 28, 2011 in chip-and-pin, fraud, theft
February 14, 2011
Can mobile address the rising tide of fraud in card-not-present transactions?
Combating fraud in credit and debit card payments is a challenge for all payment system participants, from the banks that issue the cards to the merchants that accept those cards as payments for goods and services. One particularly troubling channel, with a rising incidence of card fraud, is on the Internet. Retailers are increasing their efforts to attract customers online with discounts, online-only specials, and free shipping and returns. While the use of cards for website payments, also known as card-not-present (CNP) transactions, is inherently riskier than face-to-face transactions at a merchant's point-of-sale, the dramatic rise in e-commerce suggests it is a trend that is here to stay. As the mobile channel develops for card payments, can the security capabilities of mobile handsets protect consumers against CNP fraud?
CNP fraud: The U.K. experience
While data regarding fraud loss and mitigation costs are hard to come by in the United States, the U.K. Card Association gathers information that we can use as a good proxy for gauging experiences in other markets. This organization found that as the Internet has become an increasingly hospitable environment for commerce, CNP fraud has risen dramatically, from just 16 percent in 1999 to 60 percent of total card fraud losses in 2009.
As we noted in an earlier 2010 post, CNP fraud escalated when the U.K. migrated from magnetic stripe technology to credit cards with microcomputer chips. Consequently, the more secure technology at the point of sale drove fraudsters to the more vulnerable online channel.
However, the U.K. took quick action against CNP fraud, implementing better screening and detection tools and, in 2009, U.K. CNP fraud actually declined 19 percent.
Though not directly measurable, CNP fraud, industry experts agree, has made its way to the United States, where the magnetic stripe card technology remains prevalent. In fact, according to the U.K. Card Association's 2010 report, the majority of online payment fraud involves the use of card data obtained through illicit means such as card skimming, a crime that is actually mitigated with chip technology.
Growing Internet sales and CNP: A perfect storm?
According to a report by Javelin Strategy & Research, which forecasts online retail payments, the United States has fostered a robust online transaction market in recent years despite the economic downturn. This trend is expected to continue as consumers and merchants alike become increasingly comfortable conducting e-commerce for everyday goods and services.
The proliferation of smartphone applications for retailer websites and a broader use of social media to distribute coupons and loyalty rewards are working together to drive consumers to shop online, where card payments are widely accepted.
As merchants embrace a rise in retail sales, how do we mitigate the growing threat of CNP fraud in the United States?
Mobile security advantages
One benefit of a contactless mobile payments system is the potential to reduce fraud by eliminating magnetic stripe technology in favor of more intelligent chip technology, which has better security features for combating CNP fraud. The future mobile payments system introduces the ability to layer security tools unique to both the hardware and software resident in the mobile handset. Furthermore, the chip that enables the payment can contain account credentials and additional authentication factors, including location awareness applications, which can enhance the security of the payments transaction.
It is time that merchants, issuers, and payment regulators seriously consider the growing threat of CNP fraud in the debate on how and when to move to more secure payment methods.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
February 14, 2011 in chip-and-pin, contactless, fraud, payments systems
January 31, 2011
Payments Spotlight podcast: The evolving threat of corporate account takeovers as seen through a bank's lens
Last July, we spoke with Jane Larimer, executive vice president of ACH network administration and general counsel for NACHA, about fraud in the ACH network via corporate account takeovers. In the latest interview in our Payments Spotlight podcast series, we revisit the issue of corporate account takeovers—this time, from a bank's point of view. Tina Giorgio, senior vice president of operations for Sandy Spring Bank in Columbia, Md., and a member of the Atlanta Fed's Retail Payments Risk Forum's Advisory Group, offered some helpful tips for financial institutions on how to best deter corporate account takeover attacks. The podcast is one that financial institutions would benefit from hearing and one worth sharing with their corporate customers.
Addressing corporate account takeover threats
NACHA's Risk Management Advisory Group (RMAG) published a newsletter in April 2010 detailing how criminals target institutions and what institutions can do to prevent an attack. Tina told us that the RMAG has been actively engaged in addressing corporate account takeovers since they emerged in 2007.
Additionally, Tina said that NACHA's board of directors released a policy statement in October 2010 stressing the importance of implementing sound business practices to mitigate the risk of corporate account takeovers in the ACH network. The RMAG, Tina tells us, is currently working on developing resources to assist businesses and banks alike in assessing, establishing, and strengthening sound business practices.
Taking the first step in the fight against corporate account takeovers
The banking system has been combating large-scale phishing attacks for some time now. In recent years, we've seen more frequent reports of global cybercriminals' successfully stealing the credentials of bank customers through numerous low-value transactions or one-time, large-scale attacks against corporate bank accounts.
Tina said that from a bank's perspective, the first step in detecting and protecting against corporate account takeovers requires diligent risk management from the institution and its corporate customer. Educating business customers about sound and safe business practices is critical; essential educational components include the importance of daily account reconciliation and deployment of up-to-date security patches.
Using the bank's existing tool kit
Cybercriminals use sophisticated commercial online banking malware to attack computers that store sensitive banking credentials. Some of these malicious software programs are reportedly undetectable and capable of defeating multi-factor authentication systems. Tina said she believes that some of the best tools at a bank's disposal for combating this malware include employing out-of-band authentication and alerts, as well as maintaining the payment file initiation under dual control. She also said that banks may already have in place some low-tech tools to help prevent these takeovers: exposure limits, origination calendars, and prenotifications all provide added security layers.
Ultimately, Tina said, banks and their corporate customers must remain vigilant in protecting against corporate account takeovers. Otherwise, their risk for these takeovers increases exponentially, and it is the responsibility of each to act safely and defend against these types of cyberattacks. Fraudsters' attacks will continue to become more sophisticated, but adopting these tips and measures can best prepare banks and their corporate customers to defend against cyberattacks.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 31, 2011 in account takeovers, ACH, banks and banking, cybercrime, data security, fraud
January 03, 2011
Demand deposit accounts: Balancing convenience and risk
Today's demand deposit accounts (DDA) have multiple access points–online, mobile, and ATM–affording consumers a great deal of convenience. At the same time, though, they provide that many more ways for criminals to carry out fraud schemes, as hacking tools (PIN phishing and skimming) become more sophisticated and fraudsters more bold with their attempts to fleece DDAs. According to a white paper by Fiserv, banks are becoming increasingly concerned about DDA fraud. The paper mentions a survey by McKinsey & Co., which revealed that an estimated $5 billion to $7 billion in annual losses can be attributed to DDA fraud, a figure expected to grow at an annual rate of 7 percent.
DDA fraud can take many forms. When it occurs with debit cards, a fraudster can steal or skim the physical card, or use a phishing scheme to steal a PIN, then use that information to deplete the account. When fraud occurs with checks, a perpetrator can empty the DDA by forging check endorsements or drawer signatures, counterfeiting or altering checks, or carrying out check kiting schemes. According to the Fiserv paper, there is also cross-channel fraud, which occurs with accounts that have more than one access point. This type of DDA fraud is increasing most likely because of the introduction of new channels like mobile and account-to-account transfers.
Declining check use but rising check fraud
Interestingly, even as check use declines, losses from check fraud and attempts at such fraud rise. The decline in check usage was recently captured by the Federal Reserve's 2010 Payments Study, which showed that "in 2009 more than 75 percent of all U.S. noncash payments were made electronically, a 9.3 percent annual increase since the Federal Reserve’s last study in 2007."
According to a recent speech by an official from the Financial Crimes Enforcement Network (FinCEN), reports of scams involving checks increased 19 percent in the first six months of 2009, and 27 percent of all Suspicious Activity Reports (SAR) filed in 2009 were for fraud-related activities. Check fraud was one of only two categories—the other was money laundering—that had an increase in SARs between 1996 and 2009.
Another study that touched on the prevalence of check fraud is the 2009 Deposit Account Fraud Survey Report of the American Bankers Association, which estimated that check-related losses amounted to $1.024 billion in 2008, up from $969 million in 2006. Of the banks surveyed, 80 percent indicated that they had reported check fraud losses in 2008, the same percentage as in 2006.
Rising debit card use, rising fraud
Debit card fraud is usually carried out through point-of-sale signature, PIN, and ATM transactions. As debit card usage escalates, so does debit card fraud.
According to the Fed's 2010 Payments Study, debit card usage exceeds all other forms of noncash payments. In fact, the annual use of debit cards increased by over 12.8 billion payments, the largest increase by any payment type during the survey period, reaching 37.9 billion payments in 2009.
According to the ABA survey, commercial losses from debit card fraud reached an estimated $788 million in 2008. Approximately 92 percent of survey participants reported experiencing debit card fraud, not surprising given the prevalence of debit cards.
Addressing DDA fraud
With consumers more and more often using debit cards and other noncash payments at the point of sale, and with the continued growth of more sophisticated hacking schemes, early detection and mitigation are more critical than ever to resolving payments fraud. The management of DDA fraud risk will have to change in response to the creation of new access points to demand deposit accounts.
Notwithstanding the technological advances in software that help financial institutions prevent and detect DDA fraud, the self-vigilance of consumers can add significant value. As we move further away from paper and more towards all-electronic forms of payment, detecting and deterring demand deposit account fraud will continue to be a combined effort between consumers and their financial institutions.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 3, 2011 in financial services, fraud, risk management
December 13, 2010
Numbers don't back up fears about WEB and TEL
Recently, I got word that many banks, particularly small banks, may be bypassing the opportunity to market certain ACH origination services to their corporate customers because they are concerned about the underlying potential for fraud. In particular, banks may be holding back on offering debit origination services to companies selling services or accepting bill payments over the web or telephone. These are recognized as WEB or TEL entries in the parlance of ACH.
Certainly, conscientious, well-controlled financial institutions should be concerned about ensuring that they are not party to fraudulent transactions through the ACH. However, there is nothing inherently risky about WEB and TEL entries compared to any other types of transactions. In fact, in recent presentations, NACHA-The Electronic Payments Association has revealed encouraging long-term trends with regard to a key statistic in sensing fraud: the level of unauthorized ACH returns.
WEB and TEL return data are favorable
Data collected from the Federal Reserve and the Clearing House Payments Company—the two ACH operators—and aggregated by NACHA show that the overall return rate for WEB transactions stands at 0.03 percent, or three transactions in every 10,000, as of the second quarter of 2010. Interestingly, this rate is actually slightly lower than the rate for all preauthorized debits—such as insurance premiums, car payments, and health club fees—which stands at 0.04 percent over the same period.
For TEL transactions, the rate is somewhat higher at 0.11 percent, or 11 returns for every 10,000 transactions. This higher rate may stem from the fact that a good percentage of TEL transactions flow from telemarketing activities that are sometimes fraudulent or sometimes characterized by "buyer's remorse." In contrast, Federal Reserve data show that return rates for check collection—a business generally thought to be safe by most banks—average something less than 1.0 percent. The point here is that data shows that ACH WEB and TEL transactions do not appear to be risky by common transaction processing measures.
Knowing the customer is still critical
As with all account relationships held by financial institutions, a small dose of due diligence can go a long way to help ensure that an institution does not engage with a fraudulent firm. This "know your customer" process, if applied regularly, can diminish any significant chance of experiencing ACH fraud for TEL transactions. For that matter, the same due diligence is necessary for remote deposit capture, remotely created check relationships, and credit card services. In addition, both the Federal Reserve and the Clearing House offer originating depository financial institutions ACH risk management and monitoring services that allow a bank to quickly detect any dangerous trends in unauthorized return experience. In fact, the Federal Reserve service allows originating financial institutions to reduce their risk exposure by establishing debit and credit origination limits on any of their corporate originators as part of their overall risk management program.
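The kind of monitoring described above can be sketched as follows. This is an added example, not code from the Federal Reserve, the Clearing House, or NACHA: it compares each originator's unauthorized return rate with the network-wide WEB and TEL rates quoted in this post and checks daily debit origination limits. The originator names, sample records, alert multiple, minimum volume, and the set of return reason codes treated as "unauthorized" are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Network-wide unauthorized return rates quoted in the post (Q2 2010).
NETWORK_RATE = {"WEB": Decimal("0.0003"), "TEL": Decimal("0.0011")}
# Assumption: return reason codes this bank counts as "unauthorized".
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}
# Assumptions: alert at 5x the network rate, and only once volume is meaningful.
ALERT_MULTIPLE = 5
MIN_ENTRIES = 1000

def unauthorized_rates(originated, returns):
    """originated: {(originator, sec_code): entries}; returns: (originator, sec_code, reason)."""
    unauth = defaultdict(int)
    for originator, sec, reason in returns:
        if reason in UNAUTHORIZED_CODES:
            unauth[(originator, sec)] += 1
    return {k: Decimal(unauth[k]) / n for k, n in originated.items() if n}

def flag_originators(originated, returns):
    """Return (originator, sec_code, rate) for rates well above the network baseline."""
    alerts = []
    for (originator, sec), rate in sorted(unauthorized_rates(originated, returns).items()):
        baseline = NETWORK_RATE.get(sec)
        if baseline is None or originated[(originator, sec)] < MIN_ENTRIES:
            continue  # no baseline for this SEC code, or too few entries to judge
        if rate > baseline * ALERT_MULTIPLE:
            alerts.append((originator, sec, rate))
    return alerts

def over_debit_limit(batches, limits):
    """batches: (originator, debit_total) for one day; limits: {originator: daily cap}.
    An originator with no configured limit is treated as over limit (fail closed)."""
    totals = defaultdict(Decimal)
    for originator, amount in batches:
        totals[originator] += amount
    return sorted(o for o, t in totals.items() if t > limits.get(o, Decimal(0)))

# Constructed sample data (not real originators or real return files).
ORIGINATED = {("ACME-UTIL", "WEB"): 20000, ("QUICKSELL", "TEL"): 5000, ("TINYCO", "TEL"): 200}
RETURNS = (
    [("ACME-UTIL", "WEB", "R10")] * 4 + [("ACME-UTIL", "WEB", "R01")] * 10
    + [("QUICKSELL", "TEL", "R10")] * 30 + [("QUICKSELL", "TEL", "R07")] * 10
    + [("TINYCO", "TEL", "R10")] * 3
)
BATCHES = [("ACME-UTIL", Decimal("40000")), ("QUICKSELL", Decimal("30000")),
           ("QUICKSELL", Decimal("25000")), ("NEWCO", Decimal("100"))]
LIMITS = {"ACME-UTIL": Decimal("50000"), "QUICKSELL": Decimal("50000")}

if __name__ == "__main__":
    for originator, sec, rate in flag_originators(ORIGINATED, RETURNS):
        print(f"ALERT {originator} {sec}: unauthorized return rate {rate:.2%}")
    print("Over debit limit:", over_debit_limit(BATCHES, LIMITS))
```

In the sample, the R01 returns do not count toward the unauthorized rate, and TINYCO's high rate is not flagged because three returns on 200 entries is too small a base to judge.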
The only thing we have to fear...
It's possible that some of the concerns that small banks have regarding these transactions stem from recent news reports. Some corporations that have fallen victim to so-called account takeovers have accused their banks of not doing enough to help them detect fraudulent activity in their ACH-originated payroll files. As most professionals know by now, Internet-based criminals use the account takeover scheme to insert malware into a company's system through e-mail, spam, or some other vehicle. Banks are still wrestling with ways to help their clients monitor such files, and ACH operators do not have any specific services in place yet to help the banks do this. However, WEB and TEL transactions involve the origination of debit transactions, not credit transactions, as is generally the case with account takeovers.
Small banks may also not be originating WEB and TEL transactions simply because many smaller companies, utilities, manufacturers, and retailers are not yet offering web-based payment services. In essence, the market for selling such services is limited, but it's clear that over time more and more small companies will be able to offer these payment services and will be asking their banks to support ACH WEB and TEL originations. And really, given the data and controls noted above, "The only thing we have to fear is fear itself," to quote a famous president.
Marie Curie said it a little differently: "Nothing in life is to be feared. It is only to be understood." It is important to be risk-conscious, but it is also important to understand the available data and controls for informing decisions about ACH services that could represent opportunities to service a customer's changing needs better.
By Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum
December 13, 2010 in ACH, fraud, payments


Ana,
My research suggests that these proposed rule changes will have a significant negative impact on the prepaid market and yet I am unable to find anyone in the prepaid industry that believes these proposed rules will prevent most of the crimes you identified. In particular the "high-profile criminal activity" you identified is explicitly not prevented by these proposed rules since payroll cards are excluded.
If FinCEN were to document how these proposed rules would prevent specific criminal activities, I think it is likely the prepaid industry could prove FinCEN wrong. More importantly, if FinCEN were to work directly with the industry, I am positive more effective solutions could be identified that would cause far less disruption to the prepaid market.
Preventing disruption is important because these prepaid products are the best hope for providing low cost access to financial services for the unbanked and underserved. Even as the FDIC decries the lack of affordable financial services for Low & Moderate Income families, FinCEN proposes new rules that I believe will greatly increase the cost associated with delivering financial services to that same audience -- but likely with no benefit to law enforcement.