Retail Payments Risk Forum

Portals and Rails

March 24, 2014

The Fraudsters Are Omni-Channel--and Omnipresent

"Omni-channel banking" is an in-vogue term for what bankers have known for quite some time: customers can access multiple channels to conduct their banking, have a preference for one over the others, and that preference to a large degree reflects their ages. Despite their primary preference, these consumers are likely to use multiple delivery channels, and when they do, they want a seamless experience when moving from one to another. The banking industry has struggled to successfully implement such an experience. Achieving this seamlessness is difficult because the industry has historically had a vertical organizational structure, in which each distribution channel has its own strategic plan and sometimes even an independent technology, which leads to differences among the channels. For example, if a customer were to check his or her account balance from an ATM or automated call center, the balance can be different from the balance they would get from a teller inside a branch.

Unfortunately, criminals have also adopted omni-channel usage, and at an even faster pace—they are not concerned with having a transparent or seamless experience. In fact, they seem to be more successful when there are disparate systems because that makes the detection of fraudulent activity more difficult. For example, we have seen criminal attacks move from in-branch armed robberies to ATM cash-out cyberheists. Why risk a physical confrontation and mandatory jail sentence when you can work anonymously and actually get a greater haul? We are also aware of cross-channel fraud activity within the electronic channels. In one case, e-mail phishing attacks led to a customer unwittingly disclosing online banking credentials (user ID and password) and then fraudulent payments or wires being initiated through the online channel. In a recent post, we talked about how criminals often target call centers. They use social engineering techniques to gain sufficient account information to fraudulently access accounts through a variety of channels.

A lesson from these incidents is that financial institutions must take a holistic view of fraudulent activity and not just a channel-specific view. For major losses, they have to perform forensics to determine the channel where the fraudulent effort began, not just the channel where the actual fraudulent transaction occurred. Only after such investigative work can the financial institution identify the weak points in its systems and processes and take the necessary steps to fortify them to provide a higher level of protection against future attacks.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 24, 2014 in banks and banking, crime, cybercrime, financial services

March 17, 2014

The Challenge to Create an Awesome Mobile Payments Experience

Almost every year for the last decade, those who have followed the mobile payments industry have heard the expectant statement, "This is the year for mobile payments." This year is no exception. We see the stories about mass adoption of mobile payments in other parts of the world, so we wonder, why not here in the United States? A U.S.-centric mobile payments conference I attended recently had as a recurring theme the notion that mobile payments in the United States had not yet caught on because providers had not yet developed an overall package of elements that would create a compelling mobile experience for the user.

In 1998, former Intel chief executive officer Andy Grove coined the term "strategic inflection point" to describe a fundamental change in any business, technological or not. He said that for a change to achieve mass adoption by consumers, it had to be at least 10 times better than consumers' current experience—something Grove referred to as the "10X" factor. Achieving the 10X factor for mobile payments will likely involve lower costs, increased comfort with security and privacy, new functionality, enhanced user friendliness, increased convenience, or a "cool" factor, such as new technology often offers.

Conference panelists in general shared the view that the payment transaction itself is one small—but critical—element of the overall mobile experience. One point they made is that, because of their experience with other payment methods, consumers expect the mobile payment to be secure, fast, and accurate. These panelists echoed the work of the Mobile Payments Industry Workgroup (MPIW), a joint endeavor between the Federal Reserve Banks of Boston and Atlanta and the major stakeholders in the U.S. mobile ecosystem. The MPIW was created four years ago to facilitate the development of a vision for a mobile payments environment that will be effective, secure, and ubiquitous. This group has met frequently to address the issues of technology, standards, security, privacy, functionality, regulation, and adoption barriers. You can read results of these efforts on the Boston Fed's website.

Smartphone penetration levels continue to rise and are expected to approach saturation level within the next five years. Nevertheless, consumer research studies consistently show that not only are consumers very concerned about security and privacy when it comes to using their smartphones for mobile banking and payments, but they also are highly satisfied with their current payment method. The industry can address the security and privacy issues through a strong consumer education and awareness campaign. However, moving consumers from their current habits will require the achievement of a strategic inflection point—something that many payments industry stakeholders have tried to achieve over the years but have failed to do.

Portals and Rails would like to know: what do you think are the other elements of the overall mobile experience needed to achieve the 10X factor?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 17, 2014 in innovation, mobile payments

March 10, 2014

Who Is Responsible for Consumer Security Education?

A theme that consistently appears in our Portals and Rails blogs is the continual need for consumer education when it comes to protecting account access credentials. Financial institutions have generally taken this responsibility seriously, running frequent verbal and print campaigns reminding customers to safeguard their payment cards, monitor account activity frequently, and adopt strong password and PIN access practices.

But as payment channels and access devices expand outside the bank-controlled environment, who then becomes responsible for customer education? The representatives of mobile phone carriers and handset manufacturers, for example, are often in sales mode. The last thing they want to do is scare off a potential sale by identifying the potential for fraud with their product or service.

When I recently went to purchase a new mobile phone that was equipped with a number of strong security safeguard options, the sales representative was more interested in selling me high-margin accessories than telling me how to safeguard the phone and its contents. While I understand the motivation of the sales representative, especially if he works under a sales incentive compensation plan, wouldn't it be easy for the carrier or phone manufacturer to provide a brochure promoting safe practices?

Unfortunately for the financial institutions, the stakes are high. For them, the financial impact of fraudulent activity on a customer's account is often a one-two punch. First, various regulations and rules are in place to protect consumers from liability, so the financial institutions generally write off the fraud loss. Second, and perhaps more painful, victims of fraud often move their accounts even though their financial institution is not at fault. The challenge of consumer education by the bankers is becoming more and more difficult as the opportunity for direct contact with the customer lessens with every new payment transaction product or service.

As we've seen before, in the aftermath of recent card transaction and customer data breaches, the negative reputational and financial impact from fraud is felt not just by financial institutions but also by the retailer or company that was breached. Will such events cause these other stakeholders to take a more proactive role and join financial institutions in educating their customers?

Portals and Rails is interested in hearing from you as to how the payments industry might best address customer awareness and education regarding security.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 10, 2014 in banks and banking, consumer fraud, consumer protection, data security, mobile payments

March 03, 2014

An Efficient Mobile P2P Payment: The Paper Check

Having had the chance to spend some time reviewing the 2013 Federal Reserve Payments Study, I was struck by the lasting power of the check in the consumer-to-consumer (or P2P) space. Although overall check usage has declined (checks written by businesses and by consumers to businesses have all declined significantly), check usage in the P2P space increased between 2006 and 2009 and was stable from 2009 to 2012. And this has occurred even as a number of bank and nonbank mobile P2P payment solutions have entered the marketplace or matured during the past few years.

As a parent of two young children, I have acquired ample experience in the P2P payments space—that is, in paying babysitters. As a self-proclaimed payments geek, I am always interested in learning how the babysitter prefers to be paid. Cash remains king with most, at least the high school-aged ones. We have one college-aged sitter who likes being paid through a nonbank P2P payment provider. And most recently, another college-aged sitter wanted to be paid by check, which really caught me off guard. She informed me that she uses her mobile banking app to process her checks through mobile remote deposit capture (RDC) and that she prefers having access to the funds through her debit card over cash. The amazing thing that has struck me from these weekly transactions is the efficiency of this P2P payment transaction.

If the babysitter makes the mobile deposit before 9 p.m. (ET), she has access to the funds the following day. If after 9 p.m., the funds are available to her in two days. On my end, the transaction appears in my banking activity the morning following the deposit. Talk about efficient—fast and inexpensive (no fees paid by either of us)!

Obviously, the efficiency of this transaction would have been diminished were this not a face-to-face transaction. And maybe that is where the true value of online or mobile P2P payments comes into play. However, the resilient check and mobile RDC banking application worked really well in this face-to-face setting. According to a recent report, mobile RDC was offered by approximately 20 percent of U.S. banks in 2013, up from 7 percent at the end of 2012. As more financial institutions roll out the offering in the upcoming year, maybe it will be the case that the old paper check is here to stay and will flourish in the P2P payments space. And based on my experience, that might not be a bad thing!

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 3, 2014 in checks, mobile banking, mobile payments, payments study

February 24, 2014

Phone Fraud: Now It's Personal!

One recent Sunday evening, I received a call on my mobile phone from a number with a 374 area code. I did not recognize this number, and it wasn't in my stored contacts. I answered the call, and there was that brief pause that alerted me it was likely a mass marketing call. I was getting ready to launch into my standard "No, thank you, and this number is on the Do Not Call registry, so please don't call again," when a female voice with a strong foreign accent identified herself as a representative from the Microsoft Windows Security Center. "Microsoft" and "security" are two words that are likely to grab anyone's attention quickly, so I stopped myself. She then asked me to verify that I had a computer running Microsoft Windows. I mean, who doesn't but the most diehard Apple user? All kinds of warning bells were sounding in my head, but I played along to see where this routine was going.

In a recent post, I wrote about the growing problem of criminals targeting bank call centers. Well, criminals target consumers, too. Sometimes the callers claim to be representatives of the consumer's financial institution, and they try to get account or payment card information. I ended the post with descriptions of some of the new technology being used to fight against this type of fraud. Unfortunately, most consumers don't have access to the technology the banks do to help identify the fraudsters.

But back to my call. The caller informed me that the Microsoft Windows Security Center had received a message that my computer was infected with a virus. She added that the Security Center had a download available to remove the virus and protect my computer, it would cost only $19.99, and she could take payment over the phone with a credit card. I asked which of my computers sent the message because I didn't want to pay to have the download put on noninfected computers. My response seemed to confuse her. But then she said that the download could be installed on up to three computers at no additional charge—what a bargain! I then told her a security scan the night before had found nothing wrong and I didn't believe she was from Microsoft, and I hung up. When I tried to trace the phone number, I learned there is no 374 area code in the United States, but 374 is Armenia's country code.

While the earlier post showed the need for financial institutions to use a cross-channel fraud mitigation strategy, we must always keep in mind that consumers are also under frequent attack. As we at Portals and Rails have stated many times, continuing education is a vital factor in helping customers protect their money, and this experience only reinforces that need. I was informed enough to sniff this call out for the scam that it was, but would my 84-year-old mother-in-law have been as savvy? Maybe I should give her a call to make sure!

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 24, 2014 in consumer fraud, phone fraud

February 18, 2014

The Mythical End State of Security

As a proponent of secure payments, I am happy to see the EMV (chip card technology) discussion take center stage with national media outlets and on the Hill after the recent revelation of data breaches involving payment card data at merchants. Having written and spoken extensively on the benefits (as well as the shortcomings) of migrating to the EMV standard here in the United States, I am a strong believer in EMV's ability to reduce counterfeit card-present fraud. But I do feel that a bigger story is getting lost in these EMV discussions—that of payment card data security.

Security approaches are not static, but must be constantly improving and evolving, thanks in large part to a rapidly changing technology environment and evolving tactics of criminals. A solution that is implemented today will more than likely become obsolete or in need of additional investment to remain viable in the future. There is no "end state" when it comes to security. A wait-and-see approach for this hypothetical end state is flawed.

Consider my home security system, to which I recently added video monitoring capabilities. This addition to my system made my upgrade to glass-breaking sensors several years ago seem like a bad investment. But had I waited for the camera technology, perhaps I would have suffered the same fate as several of my neighbors, who ended up with bad guys breaking windows to gain entrance into an empty house. And though I feel better protected now than I was several years ago, I realize that it is inevitable that another upgrade with additional costs will be necessary in due time to best protect my property and family.

EMV is a solution ready to have a positive and immediate impact on reducing the value of stolen card data. And because of that, I am an advocate for its adoption in the United States according to the adoption plans set by the card networks. However, EMV alone does not provide complete protection of card data, and stolen card data retains value to fraudsters even in an EMV world. Magnetic stripes will not disappear overnight with a migration to EMV. (The UK began their migration in earnest seven years ago and mag stripes are still commonly found on their cards.) And stolen card data can easily be used in the card-not-present environment.

The payment industry must strive to secure payments data so that data stolen from breaches cannot be exploited for monetary value by criminals. Until the industry does that, it is reasonable to believe that data breaches and the subsequent effort to monetize the information will continue. EMV is a step in the right direction, but it is not the final and only step. EMV will be costly to implement. It will not and cannot be the final investment spent on securing card payments.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 18, 2014 in chip-and-pin, EMV, innovation

February 10, 2014

Chip-and-PIN, or Chip-and-Choice?

If the comments that legislators and industry representatives made at the recent congressional hearings on data breaches were any indication, any card issuer advocating or adopting a chip-and-signature approach to EMV smartcard implementation would appear to be incautious. Unquestionably, chip-and-PIN is more secure than chip-and-signature because it represents two forms of authentication—something you have (the card) and something you know (the PIN). However, chip-and-signature could be a reasonable first step in that it would generate less friction for the consumer, merchant, and card issuer. Let me explain why.

Most consumers don't know their credit card PINs
Although most people know their debit card PINs—you need one to use an ATM—few U.S. consumers know their credit card PINs. Various studies place consumers' knowledge of their credit card PINs in the 5 to 10 percent range. It would therefore be an educational as well as logistical effort to get consumers to begin using their credit card PINs if the industry moved to a chip-and-PIN-only environment.

Merchants would incur a big expense for the equipment
Only about 25 percent of the 8 million POS terminals operating in the United States are equipped with a PIN pad, according to data provided to the Federal Reserve. Before Regulation II, merchants had a financial incentive to encourage PIN-based debit transactions because the interchange rate was lower than for credit card transactions. However, Reg II eliminated this differential. (This despite the fact that PIN debit transactions have less than one-third of the fraud loss rate of signature debit transactions, according to the 2013 Fed Payments Study Summary.) Although a representative of the National Retail Federation endorsed a chip-and-PIN-only strategy at a congressional hearing, it's difficult to know if merchants will want to make the additional investment required to equip, program, and maintain their POS systems to support PIN transactions. Most merchants have not yet taken this step, so what has changed?

Customer experience would change
A PIN-based transaction, with its single-message authorization and settlement process, creates problems for certain merchants—like car rental and lodging companies—that must run preauthorization transactions before the final amount of the transaction is determined. The separate authorization and settlement process provided by the dual-message format of a signature-based transaction is more conducive to the business needs of these merchant segments. Are fine dining restaurants going to install the even more expensive mobile payment terminals so customers can pay at the table as they currently do? Or will they require the customer to go to a checkout and pay there? These merchants especially will have to consider the impact on their customer experience.

Backup method needed
With debit cards now, a signature authentication can be a backup method of acceptance. But in a chip-and-PIN environment, how high will the rate of incomplete transactions be when cardholders can't remember their PINs and they have no other method of payment?

As with any change, there are a number of positives and negatives to be considered. To avoid unintended consequences, we at Portals and Rails believe that issuers, merchants, and consumer groups should carefully evaluate all the issues to determine the best way to migrate to EMV payment cards. What do you think—chip-and-PIN only or chip-and-choice?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 10, 2014 in chip-and-pin, data security, debit cards, EMV

February 03, 2014

Call Center Phone Fraud: Are You Really Who You Say You Are?

"Have I reached the party to whom I am speaking?" Lily Tomlin would use this line whenever she would play her character Ernestine the telephone operator on the classic TV comedy show "Laugh-In." But to the thousands of financial institutions that operate call centers, the question of whether their customer service representatives are talking to an actual customer is no laughing matter.

In a recent report on call center phone fraud, Pindrop Security cites a number of alarming statistics based on their clients' actual experiences: one in every 2,500 calls to a call center is fraudulent; the average fraud loss per call received is $0.57; and the average potential loss to an account from phone fraud is more than $42,000. It seems that the call center has become an increasingly attractive target for fraudsters.

A call from someone not authorized to access the bank account in question may not directly result in a financial loss on that call. In fact, Pindrop's research indicates that it takes an average of five calls before the fraudster gathers enough information to strike. They use those preliminary calls to gain account or customer information that will help them subsequently to generate a fraudulent transaction, whether it's through the call center or another channel. Some of the calls are from criminals who are simply trying to get account information, such as credit and debit card information, that they can sell to others. Some of the calls are attempts to change account settings such as the statement mailing address or call-back phone numbers. With a simple address change, the criminal can gain more information about the accountholder and also keep the victim from being alerted to fraud on their account. Often, a call that results in a direct loss occurs when the fraudster obtains sufficient account credentials to generate a fraudulent wire transfer or ACH transfer from the targeted account.

While these criminals might be looked at as "low-tech hackers" compared to the sophisticated hackers who probe computer systems or worse, the evidence from law enforcement shows that these groups are just as well-organized and sophisticated. They are often based outside the United States, which makes investigations and prosecutions difficult. Sometimes they use technology to change their voice or to show a fake phone number on the bank's caller ID system. The fake phone number helps the fake caller avoid suspicion when the call is coming from outside the customer's area of residence.

To address this growing attack vector, financial institutions are adopting new technology to help them detect potentially fraudulent calls. Voice biometric technology can detect altered voices or even compare the caller's voice to a database to verify the caller's legitimacy. In addition, phone call and device "fingerprinting" gathers enough information from the caller's device to allow the call to be scored, just like a card transaction, on how likely it is to be fraudulent.

It is clear that criminals are attacking all physical and virtual channels of banks, sometimes using information obtained through one channel to carry out fraud in another channel. Portals and Rails believes it is important that you approach your fraud mitigation strategy from a cross-channel perspective. Please let us hear about your challenges and successes with such efforts.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 3, 2014 in authentication, banks and banking, consumer protection

January 27, 2014

The Importance of Partnerships between the Private Sector and Law Enforcement

Helen Keller once said, "Alone we can do so little; together we can do so much." As the "forum" part of our name implies, we tend to agree with Helen Keller's comment on collaboration. The mission of the Retail Payments Risk Forum (RPRF) is to identify, detect, educate, and encourage mitigation of risk in retail payment systems. We firmly believe that one of the ways to achieve our mission is to collaborate with industry participants, regulators, and law enforcement. And while we convene our own forums to encourage collaboration, ample opportunities for collaboration between law enforcement and the private sector exist beyond the boundaries of the RPRF.

Below are descriptions of organizations that are built on such collaborations.

  • Financial Services Information Sharing and Analysis Center (FS-ISAC): An organization dedicated to gathering and disseminating reliable and timely information from financial services providers, security firms, local, state, and federal law enforcement agencies, and other trusted resources related to physical and cyber threats against the financial services community.
  • National Cyber-Forensics & Training Alliance (NCFTA): A nonprofit corporation with formal partnerships/agreements with more than 40 U.S. private-sector organizations and more than 15 U.S. and international law enforcement or regulatory agencies. The NCFTA enlists subject matter experts from stakeholder organizations to share real-time intelligence regarding cyber threats and supports the development of joint proactive strategies to better identify, mitigate, and ultimately neutralize threats.
  • Electronic Crimes Task Forces: Led by the United States Secret Service, these groups bring together federal, state, and local law enforcement with prosecutors, private industry, and academia for the purpose of preventing, detecting, investigating, and mitigating attacks on the nation’s financial infrastructures. Groups are structured through local field offices and organized in most major metropolitan areas.
  • InfraGard: Led by the Federal Bureau of Investigation, this association with representatives from the private sector, academia, and state, local, and federal law enforcement agencies is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Like the Electronic Crimes Task Force, InfraGard is comprised of groups organized by FBI field offices in major metropolitan areas.
  • Anti-Phishing Working Group (APWG): An organization that seeks to unify the global response to cybercrime across industry, government, and law enforcement through data sharing, education, and standards development.

Each of these groups is different, but the common thread is information sharing between the private sector and law enforcement. This collaboration increases knowledge and awareness of threats and is often required to effectively capture and prosecute the masterminds behind attacks on financial institutions and their customers. I encourage our readers to learn more about and take advantage of these opportunities and others for collaboration between law enforcement and the private sector.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 27, 2014 in collaboration, cybercrime, law enforcement

January 21, 2014

Online Payday Lenders: An Illustration of the Importance of Bank Due Diligence

Because of a series of incidents involving illegal payday loans, online payday lenders have been featured in news articles of late. They've also been the focus of increasing enforcement actions to ensure that adequate consumer protection is in place. States are stepping up their enforcement actions against online payday lenders that violate state laws, and federal regulators are stepping up enforcement of federal and state laws. Meanwhile, online lenders and their third-party payment processors are defending their roles in providing this borrowing option to consumers.

The recent uptick in attention on online payday lenders is an impetus for us to stress the importance of banks conducting their due diligence process for any payment processor or business for which they provide payment services. It's useful to look at this due diligence as a three-legged stool, with regulatory compliance, know your customer (KYC), and know your customer's customer (KYCC) all working together to keep the stool upright.

In an August 2013 post, we examined the risks incurred by banks that originate payments for online payday lenders. Much debate has focused on whether online payday lenders—and those who provide services to them—are unfairly targeted by regulators and enforcement agencies. The reality is that businesses that comply with state and federal law are not the reason for increased guidance and enforcement.

When it comes to online payday lending, the law—one leg of the stool—is quite complex. At the state level, laws can significantly differ from state to state. Some states, including Georgia, do not even allow online payday lending. But many online payday lenders operate virtually, and are therefore more likely to operate nationally, which can add to the confusion about complying with all relevant state and federal laws. When conducting their due diligence processes, banks should always consider their customers' ability to operate within the law.

KYC and KYCC are also two very important components of a bank's due diligence process with any customer for which they originate transactions. The better the bank understands the business lines of its originator from the very beginning, and the better they understand it over time by way of continuous monitoring, the greater their chance to quickly identify and address any problems.

Like any business, online payday lenders can use the services of a third-party payment processor. As we explained in a September 2013 post, payment processors are a bank's direct customer in providing payment services to businesses. This adds another layer to the bank's due diligence processes. With this kind of relationship, banks now need to know their customer's customer—in this case, the online payday lender.

Banks should use the recent attention to online payday lenders as a reminder to review and improve their due diligence practices for all their customers. They should make sure that all three legs—KYC, KYCC, and compliance with the law—are in place so that the stool doesn't topple.

What lessons has your bank learned from the recent attention to payday lenders?

By Deborah Shaw, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 21, 2014 in banks and banking, consumer protection