Retail Payments Risk Forum

Portals and Rails

December 23, 2013

Here We Go: Number 10!

As the year draws to a close, the Portals and Rails team would like to share its own Top 10 list of major payment-related events that took place in the United States this year.

  1. The Consumer Financial Protection Bureau finalized Dodd-Frank 1073 money transfer rules.
  2. The payments industry experienced increased regulatory scrutiny of third-party processors and high-risk business customers.
  3. Major global ATM cash-out fraud attacks—including many U.S. ATMs—totaled $45 million.
  4. FTC issued a proposal to ban telemarketers from using remotely created checks and payment orders.
  5. Debit networks sought a compromise on an EMV interface—while there is little movement on the issuance of EMV cards.
  6. The newly designed $100 bill with additional security features was released.
  7. Several major data breaches occurred, and identity theft occurrences skyrocketed.
  8. Cyber Monday online sales were up 17 percent, with phones and tablets representing almost a third of the total.
  9. Virtual currencies received increased public, legislative, and regulatory awareness after the U.S. Department of Justice took action to close down virtual currency operators Liberty Reserve and Silk Road.
  10. U.S. District Court Judge Richard Leon threw out Regulation II debit card interchange fees and routing rules.

And as we head into 2014, here are a few payments-related topics we will be following closely:

  • As regulators continue to monitor developments in the virtual currency market, will the usage of virtual currency as a legitimate medium of exchange expand among the merchant community?
  • Will 2014 finally be the “Year of the Mobile Payment” as stakeholders have yearned for over the last several years? What progress will be made in addressing the awareness, security, and education aspects of mobile payments?
  • With online and mobile commerce showing no signs of slowing down, what authentication solutions will be most widely adopted to prevent a rising tide of card-not-present fraud?
  • How will merchants and card issuers deal with EMV implementation?
  • What effects will the regulatory attention on third parties and high-risk businesses have on the due diligence practices of financial institutions?

Wishing you all happy holidays and a fraud-free 2014!

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 23, 2013 in ATM fraud, crime, EMV, identity theft, regulators


October 21, 2013

Is Knowledge-Based Authentication Still Effective?

"What is your mother's maiden name? Your oldest daughter's middle name?" Online help sessions and call centers ask the user to answer a "secret" question, or a set of them, most often when the user has forgotten an account password and needs to retrieve it or select a new one. This authentication process is called knowledge-based authentication (KBA). The assumption is that if the person knows the correct answers, then that person is the authentic accountholder.

I recently attended a security conference where a panel of security authentication experts all stated that any extra protection KBAs provide is minimal. The high-profile data breaches that we've read about, along with the over-disclosure of personal information on social media sites, often make the answers to these questions easily available. These experts called for the abandonment of KBAs. In further support of this position was a recent article by Brian Krebs (Krebs on Security) that detailed how an identity theft service had hacked into some of the country's largest aggregators of consumer and business information. This service then tried to sell the data over the Internet, compromising the effectiveness of KBAs.

KBA questions can be either static or dynamic. Those that are static instruct the user to select from a list of preformulated questions—such as "What is your mother's maiden name?" Some sites allow users to create their own questions. In either case, the Q&A process is normally done when the user creates the account and selects the password. Dynamic KBAs are created by the website entity and generally request a response to a series of multiple-choice questions created from data not readily available in the public domain—for example, "Select a previous address from the list."

The formulation of KBA questions requires a careful balancing act between making answers easy enough for the authentic user to retain and making them difficult for an outsider to find the answer by looking through public databases and social media sources.

The June 2011 Federal Financial Institutions Examination Council (FFIEC) supplemental guidance on authentication for Internet banking states about KBAs that "institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique." The guidelines support the more sophisticated dynamic KBAs, adding this caution: "Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program." But we have to ask: the data sources often used to create dynamic KBAs have been breached since this guidance was issued, so have those breaches weakened dynamic KBAs enough to negate their value?

To enhance dynamic KBA programs, institutions can time the answer input intervals, tally missed questions, and employ other factors to essentially score the KBA session, which could signal that a criminal is posing as the legitimate customer.
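The static-versus-dynamic distinction above and the idea of scoring a KBA session (timing answers, tallying misses) can be made concrete in code. The following is an added example written for this page; it is not the Atlanta Fed's code nor any institution's production logic, and the penalty values, time thresholds, and the "step up to another factor" decision are assumptions constructed for illustration, not figures from the FFIEC guidance.

```python
from dataclasses import dataclass, field


@dataclass
class Answer:
    question_type: str  # "static" (user-chosen at enrollment) or "dynamic" (generated from non-public data)
    correct: bool
    seconds: float      # time from prompt display to answer submission


@dataclass
class KbaVerdict:
    score: int
    outcome: str                 # "pass", "step_up" (require another factor), or "fail"
    reasons: list = field(default_factory=list)


# Assumed policy values, constructed for this example only.
MISS_PENALTY = {"static": 30, "dynamic": 40}
TOO_FAST_SECONDS = 1.5    # faster than a person can read the question: likely scripted
TOO_SLOW_SECONDS = 45.0   # a long pause is consistent with looking the answer up elsewhere
STEP_UP_AT = 30           # at or above this, require "something you have" or "something you are"
FAIL_AT = 70              # at or above this, deny and route to a manual review queue


def score_session(answers):
    """Score one KBA session; higher means more likely an impostor."""
    score = 0
    reasons = []

    # Static questions alone are weak as a primary control, so a session that
    # never asked a dynamic question starts with a penalty.
    if not any(a.question_type == "dynamic" for a in answers):
        score += 20
        reasons.append("only static questions used; weak as a primary control")

    for i, a in enumerate(answers, start=1):
        if not a.correct:
            score += MISS_PENALTY[a.question_type]
            reasons.append(f"q{i}: wrong answer ({a.question_type})")
        if a.seconds < TOO_FAST_SECONDS:
            score += 15
            reasons.append(f"q{i}: answered in {a.seconds}s, likely scripted")
        elif a.seconds > TOO_SLOW_SECONDS:
            score += 10
            reasons.append(f"q{i}: {a.seconds}s pause, possible lookup")

    if score >= FAIL_AT:
        outcome = "fail"
    elif score >= STEP_UP_AT:
        outcome = "step_up"
    else:
        outcome = "pass"
    return KbaVerdict(score, outcome, reasons)


if __name__ == "__main__":
    # Constructed session: one miss plus one suspiciously fast answer.
    session = [Answer("dynamic", False, 8.0), Answer("dynamic", True, 0.8), Answer("dynamic", True, 7.0)]
    verdict = score_session(session)
    print(verdict.outcome, verdict.score)
    for r in verdict.reasons:
        print(" -", r)
```

The point of the design is that a single wrong answer does not by itself decide the session; it contributes to a score alongside timing and question quality, and the intermediate band sends the user to a second factor rather than simply passing or failing them on "something you know" alone.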

No matter how many questions there are, KBAs are just one identification form factor—the "something you know" part of three-factor authentication. The FFIEC recommends that multiple form factors—including the "something you have" and "something you are" components—be used with higher-risk transactions. These should be used to support a stronger security process under a layered security approach.

Portals and Rails is interested in knowing how your institution currently uses KBAs, and if recent events will change their use.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 21, 2013 in authentication, data security, identity theft


Comments

The FFIEC is right. Basic challenge questions will no longer cut it. Device identification is a newer technique that fraud analysts have begun to incorporate into their strategy, but even this innovation may not be enough. As consumers demand further online and mobile platforms for banking and payments, and as fraudsters continue multiplying and focusing their efforts on these very platforms, we need to start looking for more sophisticated strategies.

Posted by: Eric Lindeen | January 07, 2014 at 01:26 PM


October 07, 2013

Fraud Happens. So What Do You Do?

As both a data junkie and someone interested in payments fraud, I must admit that I am envious of my colleagues across the pond in the United Kingdom. The Financial Fraud Action UK recently released Fraud the Facts 2013, its annual report providing insight and data on payments fraud in the U.K. financial services industry. Unfortunately, no such report exists in the United States.

This year's report drives home two key points that were discussed at our July 31 Improving Customer Authentication forum. First, the enrollment process is a critical initial step in securing transactions. Enrolling a fraudster can only result in fraudulent transactions. Second, consumer education remains an important aspect of mitigating fraud—a topic we at the Risk Forum have written and spoken on extensively. Despite the fact that the United Kingdom uses the EMV standard—which is based on chip card technology—overall payment card fraud increased by 14 percent from 2011 to 2012. Among its many insights, the report reinforces the idea that EMV adoption alone will not keep fraud from occurring.

Aside from the usual suspects of card-not-present (CNP) fraud and cross-border fraud in non-EMV countries, the report mentions two other contributors to payment card fraud growth that captured my attention. One, card ID theft fraud, which includes application fraud (using stolen or fake documents to open an account) and account takeover fraud (using another person’s credit or debit card account by posing as the genuine cardholder), increased by 42 percent from 2011 to 2012. Two, criminals have resorted to using "low-tech deception crimes" to convince consumers to part with their cards, PINs, and passwords.

The important takeaway I got from this report is that no matter the technology or standard used on payment cards, it remains critical to keep personally identifiable information protected and to continue to educate consumers about sound payment practices. The industry could use the most sophisticated and secure solutions to authorize and authenticate transactions, but those sophisticated, secure solutions can do very little to prevent the use of accounts established fraudulently.

Criminals are exploiting weaknesses in both the enrollment process and consumer behavior. These weaknesses are not something a chip-embedded card can solve.

So what tools can and should the industry use to prevent a criminal from using a stolen or synthetic identity to open an account? Do you think information available through social media could play a role in this process? We would value your thoughts.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 7, 2013 in authentication, cards, chip-and-pin, EMV, identity theft


Comments

While everyone is focused on the water main, there are millions of slow, steady fraud drips that aren't getting any attention: call center transactions.

Just started a subscription yesterday and read my CC# to some faceless agent in some unknown call center. Did she write it down? The call was recorded. Are the quality monitoring people writing it down and selling it?

There are solutions readily available. They are simple. They are cheap. They work. But there is no hue and cry to use them...from consumers, from banks, from regulators, or from businesses.

Until known solutions to known and supposedly big problems are implemented, the hand wringing about fraud is beginning to look like a Potemkin Village...a veneer of concern with nothing behind it.

Posted by: Dennis Adsit | October 21, 2013 at 12:12 PM


August 19, 2013

Curbing Identity Theft and Fraud

To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.

[Chart: Identity Theft Victims and Fraud Amounts]

A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.

Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.

New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.

The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.

Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application, or a report showing a rash of new credit inquiries, should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include an applicant who has to read identifying information from the identification documents rather than reciting it from memory, an incorrect Social Security number, or newly issued identification documents.
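The warning signs listed in the two paragraphs above can be expressed as a screening rule set that runs over an application and the abbreviated credit report. The following is an added example written for this page, not code from the Atlanta Fed or from any institution's account-opening system; the field names, the 90-day "newly issued ID" window, and the inquiry threshold are assumptions chosen for illustration. The structural SSN check uses the Social Security Administration's published never-assigned patterns (area 000, 666, or 900-999; group 00; serial 0000), and is a plausibility test only, not proof that the number belongs to the applicant.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class Application:
    applicant_address: str
    ssn: str                    # as written on the application, "AAA-GG-SSSS"
    id_issue_date: date         # issue date printed on the government-issued ID
    read_from_documents: bool   # representative noted the applicant read details rather than reciting them


@dataclass
class CreditReport:
    address: str
    inquiries_last_90_days: int


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_structurally_valid(ssn):
    """Reject numbers in ranges the SSA has never assigned. A pass means 'possible', not 'genuine'."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def normalize_address(addr):
    """Crude normalization so 'Elm St.' and 'elm st' compare equal; a real system would use a CASS-style normalizer."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())


def screen_application(app, report, today, recent_id_days=90, inquiry_limit=3):
    """Return the list of red flags; an empty list means no additional verification was triggered."""
    flags = []
    if normalize_address(app.applicant_address) != normalize_address(report.address):
        flags.append("address on application differs from credit report")
    if report.inquiries_last_90_days > inquiry_limit:
        flags.append(f"{report.inquiries_last_90_days} credit inquiries in last 90 days")
    if not ssn_structurally_valid(app.ssn):
        flags.append("SSN fails structural check")
    if (today - app.id_issue_date).days < recent_id_days:
        flags.append("identification document issued recently")
    if app.read_from_documents:
        flags.append("applicant read identifying details from documents")
    return flags


def decision(flags):
    return "additional verification required" if flags else "proceed"


if __name__ == "__main__":
    # Constructed applicant and report; not real people or data.
    app = Application("12 Elm St, Atlanta, GA 30303", "123-45-6789", date(2013, 8, 1), True)
    report = CreditReport("900 Oak Ave, Macon, GA 31201", 5)
    flags = screen_application(app, report, today=date(2013, 8, 19))
    print(decision(flags))
    for f in flags:
        print(" -", f)
```

Each rule is independent and explainable, which matters at the branch or in the call center: the representative sees why the application was held, and the flags themselves become the record that a Customer Identification Program review can point to.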

Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.

As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.

We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 19, 2013 in account takeovers, authentication, banks and banking, consumer fraud, identity theft


July 15, 2013

In Memory of a Beloved Colleague: Protecting Your Bank Account

This repost of a blog post, originally published on April 8, 2013, is in memory of our beloved colleague and friend, Michelle Castell. Michelle died earlier this month after a long and courageous battle against cancer. The blog summarizes a white paper Michelle wrote earlier this year concerning online account takeovers, a topic that is still timely. Michelle was new to the world of payments when she joined the Retail Payments Risk Forum in mid-2012. In her enthusiasm to learn about payments, she experimented with different payment types and channels to gain a personal understanding of how they work and the risks they pose. Michelle was immediately intrigued and concerned by the account takeover risks posed to consumers and businesses from the alarming growth of malware on mobile phones. It was through her personal and enthusiastic approach to her work that Michelle became an advocate for improved consumer education when it comes to payments security—which is the conclusion of this post and her account takeover white paper. You can find a link to the white paper at the end of the post.

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Has the availability of smartphones, and their increased use for conducting social, financial, and personal business, sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

[Chart: Less than 50% of Mobile Consumers Find Many Dangerous Behaviors to be Risky]

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud, or "smishing," a term formed from SMS, the abbreviation for short message service, is now becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer. Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufacturers were to follow suit.

What can you do? Well, there are a few things, including:

  • Install a certified virus application on all family devices and set them to run weekly (many good options are free).
  • Don't change the default security restrictions by jailbreaking your device. Only download applications from a reputable vendor application marketplace (Google Play store or iTunes, for example).
  • Review and make sure you understand any pop-ups, e-mails, or texts before you click.

For more information related to account takeovers, check out the Risk Forum's recent survey paper, "Mitigating Online Account Takeovers: The Case for Education."

By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 15, 2013 in cybercrime, identity theft, mobile banking


July 08, 2013

Money Mules: Unwitting Accomplices?

Recent news articles about the two major ATM cash-out frauds that yielded $45 million for the perpetrators have noted a critical element of the global crime—the extensive network of criminals that performed thousands of cash withdrawals over a few hours at ATMs in approximately 24 countries. Known as "money mules," these individuals help transport or launder stolen money and merchandise in exchange for a small share of the ill-gotten gains.

The mules in the ATM cash-out scheme were willing participants, but in many cases, individuals serving the role of a money mule may not be aware of their criminal involvement and may even themselves become victims of fraud. The most common tactics for enlisting the help of unknowing money mules are posting work-at-home advertisements on major legitimate employment websites, purchasing pop-up ads, or sending e-mails.

Earlier recruiting efforts were easy to spot because they often used poor grammar or spelling, were not specific in describing the job, and usually based the hiring company outside the United States. More recently, recruitment efforts have used well-written ads with high-quality graphics. These ads often stress the convenience of the position for the worker and the significant earnings potential. When hired, the individual is sometimes engaged as a mystery shopper or in some similar function to make the transfer of money or goods seem normal to the business operation. Some schemes initially engage the person in conducting legitimate transactions with the goal of developing a level of comfort for the individual with the process and the promise of bigger, more lucrative transactions to come in the future.

As with many crimes involving multi-level organizations, it is not the masterminds but the money mules who are most often apprehended. They are the ones whom law enforcement officers can locate relatively easily because they are the ones who provide their financial account information or shipping address as part of the transaction. Unknowing money mules risk criminal prosecution, financial loss, and smearing of their reputations. It’s also possible that they will themselves experience identity theft or fraud against their financial accounts because they may have provided sensitive personal information during the recruitment process.

As cybercrimes continue to spread, mule recruitment efforts will expand and probably become more sophisticated. Individuals must exercise safer computer security practices, and financial institutions, consumer protection agencies, and law enforcement must continue to provide education about this type of scheme to help increase everyone's ability to detect such fraud. Early detection will not only help prevent individuals from becoming unwilling victims but will also aid law enforcement in investigating these criminal efforts.

Brian Krebs (KrebsonSecurity) has a good article, which includes a money-mule training video, providing more information about this type of crime to help individuals avoid getting caught up in one of these schemes. We welcome your suggestions on how the educational effort can be strengthened.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 8, 2013 in ATM fraud, identity theft, money laundering


May 06, 2013

Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using, or employees servicing, an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals often also install a pinhole camera positioned to capture customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.
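From the issuer's side, the incident described above has two detectable signatures: a burst of approved withdrawals on one card across several countries in a short window, and more approvals in a day than the issuer's own daily limit should ever permit (which is what a reset usage counter produces). The following detection logic is an added example written for this page, not the Atlanta Fed's or any processor's monitoring code; the withdrawal records are constructed and the window, velocity, and daily-limit thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of approved ATM withdrawals: (card account, UTC time, country, amount).
# Invented for this example; it is not data from the incident described in the post.
APPROVED_WITHDRAWALS = [
    ("PP-1001", "2013-02-19T22:00:00", "US", 2000),
    ("PP-1001", "2013-02-19T22:04:00", "US", 2000),
    ("PP-1001", "2013-02-19T22:09:00", "JP", 1800),
    ("PP-1001", "2013-02-19T22:13:00", "JP", 1800),
    ("PP-1001", "2013-02-19T22:20:00", "DE", 1500),
    ("PP-1001", "2013-02-19T22:25:00", "DE", 1500),
    ("PP-1001", "2013-02-19T22:31:00", "US", 2000),
    ("PP-1001", "2013-02-19T22:35:00", "US", 2000),
    ("PP-2002", "2013-02-19T09:00:00", "US", 200),
    ("PP-2002", "2013-02-19T17:30:00", "US", 100),
]


def detect_cashout(records, window=timedelta(hours=1), max_per_window=5,
                   max_countries=1, daily_limit=4):
    """Return {account: alert} for accounts whose approved withdrawals look like a coordinated cash-out."""
    by_acct = defaultdict(list)
    for acct, ts, country, amount in records:
        by_acct[acct].append((datetime.fromisoformat(ts), country, amount))

    alerts = {}
    for acct, events in by_acct.items():
        events.sort()
        reasons = []

        # Velocity check: slide a window forward from each withdrawal and look for
        # too many approvals, or approvals in more than one country, inside it.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            countries = {c for _, c, _ in in_window}
            if len(in_window) > max_per_window:
                reasons.append(f"{len(in_window)} withdrawals within {window}")
            if len(countries) > max_countries:
                reasons.append(f"withdrawals in {sorted(countries)} within {window}")
            if reasons:
                break

        # Reconciliation check, independent of the authorization host's own counter:
        # more approvals in a calendar day than policy allows means the counter was
        # bypassed or reset, which is what the attack described in the post relies on.
        per_day = defaultdict(int)
        for t, _, _ in events:
            per_day[t.date()] += 1
        for day, n in per_day.items():
            if n > daily_limit:
                reasons.append(f"{n} approvals on {day} exceeds daily limit {daily_limit}")

        if reasons:
            alerts[acct] = {
                "count": len(events),
                "amount": sum(a for _, _, a in events),
                "reasons": reasons,
            }
    return alerts


if __name__ == "__main__":
    for acct, alert in detect_cashout(APPROVED_WITHDRAWALS).items():
        print(acct, alert["count"], "withdrawals totalling", alert["amount"])
        for r in alert["reasons"]:
            print(" -", r)
```

The second check is the important one for this class of attack: it recomputes the daily count from the approval log rather than trusting the counter the criminals were resetting, so it still fires after the authorization system itself has been tampered with. In practice it would run on a short batch cycle with the ability to block the card, since the withdrawals in such schemes are completed within hours.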

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management


April 08, 2013

Can These Three Steps Protect Your Bank Account?

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Has the availability of smartphones, and their increased use for conducting social, financial, and personal business, sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

[Chart: Less than 50% of Mobile Consumers Find Many Dangerous Behaviors to be Risky]

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud, or "smishing," a term formed from SMS, the abbreviation for short message service, is now becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer. Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufacturers were to follow suit.

What can you do? Well, there are a few things, including:

  • Install a certified virus application on all family devices and set them to run weekly (many good options are free).
  • Don't change the default security restrictions by jailbreaking your device. Only download applications from a reputable vendor application marketplace (Google Play store or iTunes, for example).
  • Review and make sure you understand any pop-ups, e-mails, or texts before you click.

For more information related to account takeovers, check out the Risk Forum's recent survey paper, "Mitigating Online Account Takeovers: The Case for Education."

By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

April 8, 2013 in cybercrime, identity theft, mobile banking


March 04, 2013

Who Am I? Authentication Challenges

It's tax time again. I dread this time of year. It's not just because I don't like paying taxes—who does? It's because I am always a little nervous as a result of an experience my husband once had. Some years ago, my husband was the victim of identity theft and, every so often, we are forced to confront another attempted assault on our finances. We became aware of another assault two years ago when we attempted to file our federal tax return electronically and it was rejected. The IRS already had a record of a processed return under my husband's Social Security number (SSN). For now, we file our returns the old-fashioned way, printing and mailing them.

Juxtapose that low-tech solution against the high-tech approach that fraudsters use. Using ill-gotten SSNs, names, and birth dates, these identity thieves electronically file fraudulent returns as early as possible. They then nab the refunds quickly, either through receipt of a prepaid debit card from the IRS or through direct deposit into a bank account specifically used for obtaining the fraudulent refund, which they immediately cash out.

Filing of fraudulent tax returns has reached epidemic proportions. In 2012, the Treasury Inspector General for Tax Administration testified before Congress that the IRS detected and stopped almost one million fake returns for 2010, totaling $6.5 billion.

In recent years, the government, through legislation, has encouraged use of other identification methods and greater care in the storing and sharing of SSNs and other personally identifiable information. However, the SSN remains the preferred identification method. Since neither criminals nor taxes will ever disappear, the issue then is authentication—that is, checking identity at the door.

The IRS is being proactive by requiring taxpayers to supply additional information. Perhaps the agency could turn the same technology the criminals use to initiate the crime against them. A recent Portals and Rails post looked at "Big Data" and discussed how financial institutions can profile consumer behavior to detect fraud. Could the IRS use Big Data techniques to help detect tax returns that have seemingly fraudulent characteristics? For example, the IRS could flag early filings, understanding that historically a particular filer's W-2 information is not available until as late as the end of March. However, the post also discussed the question of when data collection and behavior profiling cross the line from marketing opportunities to privacy invasion, an issue the IRS would have to consider.
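As an added illustration of the early-filing heuristic described above (example code written for this page, not the IRS's method or anything from the post), the screen below compares a return's filing date against a constructed per-filer history and also notes a refund destination the filer has never used before. The filer keys, dates, account labels and the 30-day threshold are all constructed assumptions.

```python
# Hypothetical early-filing / refund-destination screen written for this page.
# Identifiers, dates and thresholds are constructed, not IRS rules or data.
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass
class Return:
    filer: str        # opaque per-filer key (e.g. a keyed hash), never the raw SSN
    filed: date
    refund_dest: str  # "dd:<account>" for direct deposit, "prepaid" for a card


# Constructed history: dates on which each filer submitted in prior years.
HISTORY = {
    "filer-A": [date(2010, 3, 28), date(2011, 3, 30), date(2012, 4, 2)],  # late filer
    "filer-B": [date(2010, 2, 1), date(2011, 1, 30), date(2012, 2, 3)],   # early filer
}
# Constructed record of the refund destination each filer used before.
KNOWN_DEST = {"filer-A": "dd:bank-1234", "filer-B": "dd:bank-9876"}


def days_earlier_than_usual(filer, filed):
    """Median prior filing day-of-year minus this year's; None if fewer than
    two prior filings (a one-year baseline would flag normal habit changes)."""
    hist = [d.timetuple().tm_yday for d in HISTORY.get(filer, [])]
    if len(hist) < 2:
        return None
    return median(hist) - filed.timetuple().tm_yday


def risk_flags(ret, early_threshold=30):
    """Review flags for one return (empty = nothing unusual). A flag is a
    reason for a person to look, not a rejection."""
    flags = []
    early = days_earlier_than_usual(ret.filer, ret.filed)
    if early is not None and early >= early_threshold:
        flags.append("early_filing")
    if ret.refund_dest != KNOWN_DEST.get(ret.filer):
        flags.append("new_refund_destination")
    return flags


if __name__ == "__main__":
    # filer-A usually files in late March; 1 Feb to a prepaid card stands out.
    print(risk_flags(Return("filer-A", date(2013, 2, 1), "prepaid")))
    # filer-B always files early; same week, usual account, nothing to flag.
    print(risk_flags(Return("filer-B", date(2013, 2, 2), "dd:bank-9876")))
```

The point of the per-filer baseline is that the same calendar date is routine for one filer and anomalous for another, which is what distinguishes behavior profiling from a blanket early-season rule.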

The integrity of mobile payments, online banking, card payments, and any other form of electronic payment relies on the authentication of the payer. Many authentication methods in the payments world are by necessity pretty sophisticated. But criminals are finding ways to compromise these methods, too. As we move headlong into the world of digital payments, proving genuine identity, or authentication, is vital.

By Mary Kepler, vice president and director of the Retail Payments Risk Forum at the Atlanta Fed

March 4, 2013 in authentication, identity theft


November 05, 2012

While Stalemate Continues, Another Retailer Data Breach Announced

We haven't heard about significant data breaches at any retailer's brick-and-mortar stores lately. In fact, the prevalence of cybercrimes and malware-related incidents has momentarily redirected our attention to payments made through online and wireless channels, along with related payment crimes such as social engineering and malware-enabled account takeovers and card data theft. However, according to Verizon's 2012 Data Breach Investigations Report, while most attacks are not related to physical tampering, "there was no shortage of payment card skimming in 2011, and there were notable arrests." In fact, a recent press release from a major book retailer is cause to sharpen our focus on in-store card payments and the use of mag-stripe technology at payment terminals.

Tampering with PIN pad devices in stores
On October 24, 2012, the retailer announced that it had "detected tampering with PIN pad devices used in 63 of its stores" and that it had notified federal law enforcement to support an investigation into the criminal activity. Furthermore, it is working with the banks and payment card network brands to identify potential compromised accounts. Much to the retailer's credit, the press release also outlines precautionary steps consumers should take if they have shopped in any of the impacted stores—namely, changing PINs, reviewing account activity for unauthorized transactions, and notifying banks about unusual or unauthorized activity.

PCI compliance is not enough
How can retailers protect themselves from PIN pad tampering fraud? We explored the growing prevalence of card data breach incidents in a May 2011 post describing how a crafts retailer had experienced card terminal tampering that may have led to customer card data compromise. The post noted that while the Payment Card Industry (PCI) Data Security Council guidelines attempt to address advanced security measures, the vulnerabilities inherent in mag-stripe card technology present serious management challenges. The threats to terminals can come in the form of crime rings, company insiders, or the terminal manufacturers themselves.

Will merchants follow the EMV migration roadmap?
Card network brands separately issued announcements in 2011 and 2012 with their own EMV deployment milestones, which can be viewed as a collective roadmap. A summary of these milestones, grouped by payment network, is included in the October 2012 edition of Smart Card Talk and reproduced below. This publication explains the incentives in the form of audit relief from PCI compliance as well as liability shifts for counterfeit card losses for noncompliant banks and merchants.

However, many industry experts surmise that merchants are willing to take their chances on the potential card fraud losses for such a liability shift, judging them to be lower than the costs involved in terminal replacement for chip card acceptance.

Technology adoption stalemate
Industry participants continue to argue about the inequities in the economics for moving forward to a new security environment enabled with more secure chip-based technology. It is highly likely that there will never be a collective path forward considered fair to all, with the large number of industry players and dichotomies in revenue and cost-sharing expectations. So as the U.S. payments industry keeps moving along the same path, with participants arguing the merits and inadequacies of various deployment options for chip-based payments, we can expect to see more crimes at retailer terminals. These crimes will cause merchants to experience technology costs and even customer loss in unexpected and unpredictable ways. And bank issuers will continue to pay for cleanup in the aftermath, by issuing new cards. Perhaps an analysis of the economics of moving to chip-and-PIN should reflect a higher emphasis on the cost of data breach events and their cleanup efforts in the aftermath.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

November 5, 2012 in chip-and-pin, fraud, identity theft
