Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
January 26, 2015
Tackling Fraud with Data
As the dust settles on the 2014 retail holiday season, it isn't surprising to learn that e-commerce was once again the winner. ComScore reported that online holiday spending through December 21 was $48.3 billion, a 15 percent increase over 2013. And there is nothing to suggest that this growth trajectory will flatten. While these trends are encouraging for online retailers' sales departments, they must be challenging for their fraud and loss prevention teams. According to the 2013 Federal Reserve Payments Study, card-not-present fraud rates were approximately three times higher than card-present fraud rates in 2012.
Just before the holiday shopping season, CyberSource released its 15th Annual Online Fraud Management Benchmark Study This 2014 study reveals that merchants improved order conversion through lower rejection rates while keeping their fraud losses stable. Naturally, I was curious about the tools that yielded these results and wondered to what extent they might have changed. Using CyberSource's 2012 study to compare, I found some surprises.
In 2012, validation tools were used the most—79 percent of merchants used a card verification number and 77 percent used address verification. Of the merchants who did not use these tools, 81 percent indicated they planned to implement a card verification number and 61 percent planned to use address verification. While merchants can implement these tools with little cost, their effectiveness, according to the surveyed merchants, is limited.
Given the 2014 report's positive findings, coupled with the expected very high use of card verification numbers and address verification reported in 2012, I was expecting merchants to rate the effectiveness of these tools higher. Interestingly, even though these validation tools remained the most prominent, their usage did not increase as expected, despite the number ofmerchants who planned to implement them following the 2012 study. And there was not a significant increase in their reported effectiveness.
Here's what did change: the use of proprietary data tools such as customer order history, in-house positive and negative lists, and company-specific fraud scoring models. Purchase device tracking tools, such as fingerprinting, also saw an increase in usage, though not as large of an increase as the proprietary data tools. And it is these tools that, generally speaking, are rated as the most effective fraud management tools by the merchants surveyed.
The 2014 study highlighted improved fraud management. I have several of my own highlights. Merchants appear to be more apt and capable of leveraging their own data today than the preceding several years. And they are finding that using this data is more effective in combating fraud than traditional validation services. I think it's important to note that only two tools (device fingerprinting and a fraud scoring model) were selected by more than 50 percent of merchants as most effective. Even though traditional validation services are still highly used and useful, no single tool is a panacea for fraud management. A layered approach using multiple tools and data elements is critical for success. I suspect this trend of merchants using their own customer data to manage CNP fraud will continue. I also expect that data-centric tools will become more effective as merchants become more sophisticated with data analysis.
What is your view on the future role of proprietary data in CNP fraud management?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Tackling Fraud with Data:
August 26, 2013
Caution, Online Payday Lender Ahead
Payday lenders offer consumers short-term unsecured loans with high fees and interest rates. Payday loans—also referred to as deposit advance loans or payday advances—are a form of credit that some consumers may find appealing for a number of reasons, including an inability to qualify for other credit sources. The borrower usually pays the loan back on the next payday—hence the term "payday loan"—which means the underwriting process typically includes a history of payroll and related employment records.
A growing number of payday lenders operate their businesses virtually. Consumers can obtain loans and authorize repayment of the loans and fees during the same online session. In a typical online payday loan scenario, a borrower obtains a loan and provides authorization for the lender to send Automated Clearing House (ACH) debits to the consumer's account at a later date for repayment. The payday lender's bank can originate the debits through the ACH network. Wire transfer and remotely created checks may be other payment options.
Both state and federal regulators are currently focusing on the payday lending industry to protect consumers from illegal payday loans. Payday lending practices are usually regulated on the state level. Some states prohibit payday lending, while others require lenders to be licensed and to comply with maximum fees, loan amounts, and interest rate caps, among other restrictions. On the federal level, the Dodd-Frank Act has given the Consumer Financial Protection Bureau the authority to address deceptive and abusive practices by payday lenders.
Payday lenders' banks should consider all the risks involved with working with online payday lenders. And they should make sure to incorporate due diligence techniques and to become familiar with the available tools.
Reputation, reputation, reputation
First, there is reputational risk. A payday lender's bank should be aware that a business relationship—including ACH origination activity—with a company making illegal payday loans can damage the bank's image. Reputation can suffer even if the bank is not complicit in the illegal activities of its payday lender customer. But once a financial institution determines that facilitating payments on behalf of online payday lenders falls within its risk management model, it should ensure compliance with applicable laws and regulations. Providing periodic reports on ACH customers to the bank's board of directors is one way to facilitate review of whether these customers' activities remain within the bank's risk management model. It is critical that the bank protect its reputation, as that affects every part of its business.
The importance of know-your-customer practices
The payday lender's bank should also develop and follow adequate due diligence procedures. ACH rules require—and regulatory guidance advises—that banks perform "know your customer" (KYC) due diligence. KYC includes a variety of activities such as assessing the nature of the online payday lender's activities, setting appropriate restrictions on the types of entries and exposure limits for the lender, and monitoring origination and return activity.
Due diligence steps can include: 1) identifying the business's principal owners, 2) reviewing ratings for the business from the Better Business Bureau, consumer complaint sites, and credit service companies, and 3) determining if there have been recent legal actions against the business. A thoughtful review of the lender's website, including the terms of the consumer's authorization agreement as well as promotional materials, is advised. These due diligence practices during onboarding and on an ongoing basis for all merchants—including online payday lenders—help the bank with setting and enforcing appropriate restrictions for the customer and therefore mitigate the risk of the bank discovering a problem when it is too late.
Mitigating problems by being proactive
Banks can develop tools that flag potential problems in-house or obtain them from vendors, ACH operators, or NACHA. In addition, incorporating a process to monitor transactions and returns to identify anomalies can be very useful. An anomaly could, for example, be a sudden uptick in returns or an unusual increase in origination volume or average dollar amount. Detecting anomalies can be a trigger to conduct further research with a customer.
Other tools can be NACHA's originator watch list and vendor-terminated originator databases, which can help banks identify customers that may warrant additional scrutiny. Periodic audits can also be a useful tool to identify rules compliance issues.
For a bank, protecting its reputation is paramount when it is considering offering payment services to high-risk originators like online payday lenders. It should exercise caution, performing risk-based due diligence on new customers and then diligently monitoring current customers so it can identify problems early and address them proactively.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Caution, Online Payday Lender Ahead:
April 22, 2013
Are You the Weakest Link?
Okay, maybe not you and maybe not me—unless we haven't heeded the three suggestions provided by my colleague in a recent post. Banks, processors, transaction networks, acquirers, and other stakeholders in the financial payments ecosystem are waging a daily battle against a wide range of antagonists who are constantly seeking ways to access computer systems illegally These criminals are trying to get confidential data, disrupt operations within the company and for its customers, achieve financial gain, or simply seek notoriety for their achievement. By not following a couple of easy steps, are we compromising the battle for the banks and other institutions?
You and I—the consumers and the end users—are important elements in the overall payments ecosystem. It is generally for our use, of course—so that we can access our accounts or perform our daily financial chores conveniently and efficiently—that the other stakeholders are running the various financial applications. If it weren't for us, I think their jobs in protecting their systems would be much easier.
So how are we the weakest link? A basic tenet of security that we often mention in Portals and Rails is that experienced criminals attack the weakest points in the system. Why worry about picking the lock on the highly visible front door when there is an unlocked window at the back? Unfortunately, despite all the research surveys that report consumers' greatest concern about performing mobile or internet electronic transactions is their privacy and the security of the transaction, the evidence clearly demonstrates that, while they may "talk the talk," they often don't "walk the walk."
Panda Lab's 2012 annual report estimates that one-third of the personal computers in the world are infected with some type of malicious software (malware). So how do these computers get infected? The users are not following proper security guidelines when they are using their computers or smartphones. Critical unsafe behaviors include:
- Not using antivirus software or not keeping it updated
- Not using a firewall or disabling the firewall that might have been included in a device's operating system
- Poor password security—using easy-to-guess passwords, using the same password on multiple applications and devices, allowing passwords to be stored in a device
- Not updating software—software vendors frequently post software updates when they become aware of security problems, especially such utility software as Flash and Java
- Visiting unknown websites, often through links on social network website pages, that contain hidden viruses
Here at the Federal Reserve, a combination of recurring education and required security tactics are used to minimize the risk of such poor practices by users such as me. I won't detail those techniques because that could compromise aspects of our network security, but when I place my personal computer, smartphone, and home network against those same criteria, I certainly see some ways in which I have been less than diligent and need to change my habits. What about you?
Be sure to read the Risk Forum's recent paper on account takeovers and how less-than-adequate Internet security practices of a few individuals and businesses can contribute to criminals' ability to obtain sufficient personal information and account credentials to conduct account takeovers and steal your money.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Are You the Weakest Link?:
February 25, 2013
Focus on Fraud: Targeting the Weakest Link
A recent story in the Wall Street Journal recapped how bank robberies had declined almost 50 percent over the last decade. In addition to citing the increased physical security measures at banks and tougher sentencing for bank robbers, especially if a firearm is involved, the alternative criminal target of the Internet was cited as being more lucrative and having a lower risk, and therefore more attractive. The article offers the logic of the proven security adage that the more sophisticated criminal is more likely to focus on the weakest link in the overall security ecosystem of the targeted victim.
Online fraud offers a number of advantages for the criminal over the old-fashioned "stick-'em-up" bank robbery. The criminal doesn't have to be physically present at the point of the crime. In fact, the further away, the better with regards to investigative difficulties and jurisdictional issues. Also, compared to a typical bank robbery, the potential take for card and online fraud is significantly higher. Based on FBI statistics for 2010, the average bank robbery netted about $7,500. The Javelin Research 2011 Identity Fraud Survey (2010 data) reports that the average debit card fraud amount was $2,529, and the average credit card fraud amount was $3,741. Noncard account fraud added an average of another $3,000. Obtaining just a handful of cards or account numbers through skimming or other illegal methods can quickly result in tens of thousands of dollars in ill-gotten proceeds at a relatively low risk to the criminal.
Fraud risk mitigation is a constant effort by the banking industry and merchant community to stay ahead of the criminal element in their criminal techniques and efforts for identity and account theft. As new payment methods emerge and gain adoption, they will increasingly gain attention from the criminal element looking to exploit a weak link. Javelin's 2012 Identity Fraud Industry Report reveals that consumers with smartphones have a higher incidence of fraud than nonsmartphone consumers by approximately one-third. Key behavior weaknesses cited included failure to update the phone operating software with security patches, saving account log-in information on the phone and not using the phone lock feature—allowing the information to be accessed by anyone finding the phone. In the meantime, consumer advocacy and educational groups, the banking industry, and mobile carriers are making efforts to educate consumers on the best way to safeguard their personal and banking information against such attacks.
The Mobile Payments Industry Workgroup (MPIW), facilitated by the Federal Reserve Banks of Atlanta and Boston, regular discusses risk associated with this emerging payments method with telephony and payments security experts. In the coming months, a subgroup of the MPIW will be working to evaluate the various security issues with mobile payments and making recommendations to the overall workgroup to ensure that the mobile payments ecosystem is sound and as safe as necessary. Portals and Rails will continue to report on the efforts of this and other groups to improve the security of our payments system. As always, we encourage your comments.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Focus on Fraud: Targeting the Weakest Link:
October 15, 2012
When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore
This post features a discussion with Terri Sands, senior vice president of electronic banking and fraud management at State Bank & Trust Company in Atlanta, on the landscape for risk management for community banks.
P&R: Terri, we talk a lot about how payments are migrating from paper to electronic methods. How does this affect community banks in payment services today?
Terri Sands: It wasn't long ago that community banks viewed fraud as an issue reserved for their larger brethren. Smaller institutions were able to deal with one-off issues such as the occasional stolen checkbook or bank card or other fraudulent transactions on a case-by-case basis. And while those events may have added some expense for the community bank's bottom line, it was rarely viewed as a material event affecting the institution and its brand.
But over the past several years, fraud's impact on community banking significantly changed. Fraud has become a constant threat to financial institutions and other industries regardless of the size and complexity of the organization. In the midst of increased attacks on financial institutions and their customers' accounts, the industry has become increasingly concerned over how to effectively protect against fraud. Basically, you can't read the newspaper or read e-mails without some form of fraudulent attack that has hit the financial sector—some are minor, others are major. However, when fraud hits close to home, it is always significant, regardless of the dollar amount.
P&R: We've been hearing a lot about corporate account takeovers in recent years. Is this affecting community banks, and what can they do about it?
Sands: For community banks, corporate account takeover attacks initiated by computer viruses have become a particularly sinister problem. In those circumstances, a corporate customer has inadvertently installed a virus on a computer by clicking on a link embedded in an e-mail that then provides a fraudster with critical online banking credentials. The fraudster uses the online banking credentials—that is, the user ID and password—to reroute credit transactions to an account and then immediately withdraws funds or pays a "money mule" to withdraw the funds and wire the money to a designated account.
Corporate customers may not even realize their money has been stolen until they check or the bank checks the account. Regardless of how this virus occurred, the customer may feel uncertainty about security and about the bank's ability to protect their money in the future. So for many community banks, this type of fraud has truly been the turning point as it is hitting their customers and therefore hits closer to home—it has become reality.
Community banks have the same fraud risk management responsibilities as the larger banks. They should network with the industry and law enforcement to share information on attacks in an effort to collaborate on mitigation strategies and share intelligence about other types of attacks affecting their customers. This is a great way to further enhance any bank's risk and fraud management program. Community banks should also include customer education as part of an effective fraud management strategy, to help them to be more proactive in their own defensive practices to ward against fraud. Of course, as the industry is well aware, the interagency regulatory guidance published in June 2011 on authentication in an online banking environment also provides community banks with a roadmap for assessing a bank's risk profile and ensuring adequate protection against risk vulnerabilities.
P&R: Is fraud mainly an online problem today?
Sands: Fraud can happen online or offline. The risk may result from a simple form of social engineering such as a phone call or e-mail attempting to gain customer information or from an internal gap in the payment process that can be exploited. Either way, fraud management is not a one-time fix but an ongoing process. Community banks must remain ever-vigilant in efforts to protect consumers from risk of fraud and possible financial loss.
TrackBack URL for this entry:
Listed below are links to blogs that reference When Fraud Hits Close to Home: Not a Big-Bank Problem Anymore:
August 02, 2010
Fight against payments fraud: The target is moving, but not everybody takes aim
Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.
Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.
This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.
Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.
Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.
Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
TrackBack URL for this entry:
Listed below are links to blogs that reference Fight against payments fraud: The target is moving, but not everybody takes aim:
April 26, 2010
Sophisticated hacking software: Making detection and prevention of online banking fraud more difficult
The story is all too common. Malicious software infiltrates an unsuspecting victim's computer. The malware steals the victim's password and user name and gains access to his or her online bank accounts. Often times, the perpetrator steals the victim's funds through fraudulent wire transfers and ACH transactions, and the money ends up in accounts overseas, where the likelihood of recovery quickly diminishes. This year, banks and businesses alike experienced an increased level of cyber-attacks aimed at hijacking online banking accounts.
Although the crime itself is not new, the reason for concern is simple: hacking software is more sophisticated than ever, making detection and prevention more difficult. Because the legal boundaries for the liability of banking institutions are still evolving, this increasing sophistication poses a significant challenge.
Malicious software bypasses bank security
Some of today's most advanced malware can compromise security tokens and authentication techniques, demonstrating that even two-factor and multi-factor security techniques are vulnerable. Real-time Trojan horses—such as Clampi and Zeus—can allow the fraudster to use two- or multi-factor authentication security to steal banking credentials, thereby causing a weak link in the financial security chain. Other infections rewrite the bank's login screen that displays on the victim's computer and intercept the victim's credentials before they reach the bank's Web site.
A significant part of the growing threat to online banking are Zeus variants like the Mariposa botnet, which injects contents directly into Internet pages and intercepts credentials, preventing the user from sending them to legitimate sites. Luckily, online security firms and other officials shut down the Mariposa botnet in March, but not before its impact was felt worldwide.
Identifying the weakest link
Some banks are looking beyond their own security systems and focusing on what they perceive is their weakest security link: the user. A number of types of software are available to banks to help in their efforts to combat unauthorized intrusions. For instance, one type allows banks to remotely analyze the computers of hacked customers. The customer, upon suspecting a breach, downloads the software onto his or her computer, at which point the bank performs a quick search for any digital tracks, software, or other evidence the online hackers may have left behind. The information the software gathers can better inform banks of where attacks originate from, patterns, and trends—and, hopefully, lead to the eventual recovery of lost funds. Other types of software are designed for business banking systems that evaluate risk based on individual online actions and rate overall session activity by identifying inconsistent behaviors for each user.
So, the account has been hacked, now what?
The Electronic Funds Transfer Act and Regulation E protect consumers' online banking transactions from fraudulent electronic money transfers. Businesses accounts, on the other hand, must look elsewhere for similar protections. The Uniform Commercial Code Article 4A governs the allocation of fraud losses arising from funds transfers for business accounts. Under Article 4A, the bank will be held accountable for fraud losses only if it failed to follow a series of procedures, including adopting commercially reasonable security measures.
But what exactly does "commercially reasonable security measures" mean? Generally, banks have followed the practice that as long as the security the bank establishes and follows have been in line with commonly accepted commercial practices within the industry, then these security measures passed muster. Lately, however, this practice has not been as clear as it once was. In fact, this very question—that of what exactly constitutes commercially reasonable is at the center of several ongoing lawsuits, particularly one currently being heard in a Texas court.
Will this case, and the others that will follow, reshape the approach to secure online banking by establishing new standards that outline what counts as commercially reasonable security? And will those new standards require banks to upgrade to software designed to spy on the bad guys, monitor consumers' activities, or both? In reality, fraudulently penetrating banking security systems will occur no matter how sophisticated or reasonable the security measure. But as more consumers and businesses move to online banking, commercially reasonable expectations for securing online transactions should be calibrated against the technological sophistication of hackers and their software to improve detection and protection against online banking fraud.
By Ana Cavazos-Wright, payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed.
TrackBack URL for this entry:
Listed below are links to blogs that reference Sophisticated hacking software: Making detection and prevention of online banking fraud more difficult:
- Friendly Fraud: Nothing to Smile About (Part 1)
- Unsafe at Any Speed?
- Biometrics and Privacy, or Locking Down the Super-Secret Control Room
- Growing, Growing, Gone!
- The More Things Change, the More They Stay the Same
- The Current Tokenization Landscape in the United States
- “Customer, You Have the Conn”
- Is the Conventional Wisdom about EMV Migration Right?
- Follow the Money
- A Presumption of Innocence
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud