Portals and Rails

About


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

October 20, 2014


Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?

Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.

The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.

But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.

And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.

Those naysayers are correct.

But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.

Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.

In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


October 20, 2014 in cards, data security, EMV | Permalink | Comments (0) | TrackBack (0)

October 14, 2014


Mobile Biometrics: Ready or Not, Here They Come

Apple's recent announcement about the release of its mobile wallet app—called Apple Pay—energized the mobile payments community. One reason for the spike of interest is Apple Pay's use of fingerprint biometrics as an additional layer of security in validating customers and their transactions. What may have gotten a little a little lost in the chatter that followed this announcement was another, related announcement. As reported in a September 19 FinExtra story, MasterCard (MC) announced it had completed a pilot project that used a combination of facial and voice recognition on a smartphone. MC said that the trial program—which involved MC employees around the globe conducting 14,000 transactions—had a successful validation rate of 98 percent.

The Apple and MC announcements together certainly show that the future of the additional security options on smartphones looks promising. As a recent post noted, consumer research has consistently found that consumers' largest concern about using mobile phones for financial transactions is security. But are biometric technologies ready for prime time? Will their application in the payments ecosystem really give payment providers more confidence that the person they are dealing with is not an imposter?

The latest generations of Apple and Android smartphones are equipped with fingerprint scanners, cameras, and microphones, which allow for the use of fingerprint, voice, and facial recognition. But limitations exist for each of the techniques. The Apple and Android fingerprint readers, for example, were compromised within days of their initial release. And facial and voice recognition applications work best in controlled conditions of lighting and with limited background noise—an unlikely environment for a smartphone user on the go.

But security experts agree that additional customer authentication methodologies—beyond the common user ID and password entry fields—increase the overall authenticity of transactions. Numerous companies are continuing to focus their research and development efforts on improving the reliability and use of their authentication products. So while there is no "one size fits all" authentication solution over the weak and easily compromised ID-and-password method, these biometric methods represent a step forward, and are likely to improve over time.

The Retail Payments Risk Forum is taking a close look at biometrics technology and its impact on the payments system. We are working on a paper assessing biometrics and authentication methodologies that will probably be released by the end of the year. We're planning a forum to be held this upcoming spring on mobile authentication technologies. And we're continuing to write posts on the topic in Portals and Rails.

Please feel free to contact us with your suggestions on biometric issues you would like to see us address in our continuing efforts.

Lott_david_01 By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

October 14, 2014 in authentication, biometrics, innovation, mobile banking | Permalink | Comments (0) | TrackBack (0)

October 06, 2014


Starting Off on the Right Note with Mobile Enrollment

In Rogers and Hammerstein’s Sound of Music, the classic song “Do-Re-Mi” begins “Let's start at the very beginning / A very good place to start...” Such a suggestion is essential in ensuring that the person enrolling in a payments system is, in fact, who he or she claims to be. The USA Patriot Act requires financial institutions (FIs) to develop a formal customer identification program that validates the customer when the account is opened. This program must specify the documentation that is used for authentication.

However, once the account is open, FIs have greater latitude in their procedures for identifying customers when the FIs handle account access requests, such as when a customer requests a change of address or enrolls in a third-party program that uses a card that the FI has issued to the customer. At that stage, it’s up to an FI’s own risk-management policies as to what documentation to require.

This situation can be risky. For example, let’s look at what happens when a customer wants to add a payment card to a mobile wallet that a third party operates. When the customer adds the card—enrolls with the third party—how can the FI that issued the card know that not only the payment card being added but also the mobile phone itself belongs to the right individual? How can the issuer efficiently and effectively ensure that the payment card information being loaded on a phone hasn’t been stolen? Adding any sort of verification process increases the friction of the experience and can result in the legitimate user abandoning the process.

Most mobile wallet operators use several techniques to validate that both the mobile phone with the wallet and the payment card belong to the rightful customer. (These operators send a request to the issuing FI as part of their enrollment process.) Some FIs require the operator to have customers submit their payment card information along with their cards’ security code and additional data, such as the last four digits of the social security number. Others may require just the payment card number, expiration date, and card security code, although such a minimal requirement offers little protection against a stolen card being added to a criminal’s phone. Still others require the customer to submit a photo of the payment card taken with their phone to verify possession of the card. If the issuer can obtain some of the phone’s device information, it can increase the level of confidence that the authorized cardholder is using their phone.

Regardless of what process is used, having strong identification controls during the initial enrollment step is essential to a sound risk management program.

Photo of Douglas A. King

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 6, 2014 in authentication, financial services, mobile banking, mobile payments, payments systems | Permalink | Comments (0) | TrackBack (0)

September 29, 2014


Let's Talk Token, Part II: Distinguishing Attributes

Several weeks ago, Portals and Rails embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. Since writing the first post, payment tokens has jumped front and center in the payments community when Apple introduced Apple Pay, which uses tokenization. Also, the Mobile Payments Industry Workgroup just released a detailed white paper recounting their recent meeting on the current tokenization landscape in the United States.

In today's installment, we look at some distinguishing attributes of the end-to-end token initiatives currently under way and consider their impact on mitigating risk in payments transactions.

  • Token format: Common ground exists in the payments industry in terms of the token format. The end-to-end token solution relies on the creation of a token, known as a device account number (DAN), to initiate a payment in place of the original primary account number (PAN). To mitigate operational risks and make use of existing messaging rules and applications associated with the payment transaction, it is imperative that the format of the DAN preserves the format structure of the PAN. This means that DAN generation should be as random as possible, even while preserving the original PAN format structures to maintain basic card or account validation rules associated with the PAN.

  • Token type: Payment tokens can be dynamic or static. Dynamic tokens are valid either for a single transaction or for a limited number of transactions occurring in a very short time. By the time a fraudster intercepts a dynamic token, it has likely already expired, so the fraudster can’t use it. However, there is a slight down side to dynamic tokens—they can work against loyalty programs as well as some back-end fraud detection systems. Because each transaction has a different DAN, merchants and processors cannot consolidate multiple transaction information for an individual cardholder.

    On the other hand, static tokens are multi-use, so they allow merchants to connect the token user with past transactions. But given their multi-use nature, they are not as secure as dynamic tokens. For additional security, each transaction with a static token can include an additional element: a uniquely generated cryptogram.

  • Device coverage: Tokens can be created and stored either on a secure element on a mobile phone or in a cloud. Much industry discussion focuses on which approach is more secure, but the approach also has an impact on device access to the token. Storing a token only on secure elements limits tokens to mobile phones, a situation that does not address the significant volume of card-not-present payments that consumers conduct on computers and other devices. Alternatively, storing a token in a cloud would allow any connected device (mobile, tablet, laptop, or computer) to access the token, so all e-commerce transactions would be covered.

  • Token service provider: A number of parties can play the critical provider role. The provider is ultimately responsible for generating and issuing the DAN, maintaining the DAN vault, and mapping the DAN to the PAN for presentment to the issuer that ultimately authorizes the transaction. A network, issuer, processor, or another third-party provider can perform this role. We can make a case for any of these parties to play the role, but the critical risk mitigation factor to note is that the merchant should never see the PAN, thereby preventing a breach of payment card data within their systems.

To date, a standards body controlled by the largest global card networks and a company representing the largest global banks has driven most of the payment tokenization standardization efforts. Although these organizations have advocated for public discussions and input in an open environment, some critics argue that the management of standards development should be left to an open-standards body such as X9 or ISO. Tokenization efforts and standards will continue to evolve as tokenization may play a critical role in mitigating payment risk in the future. Still, security challenges will remain even with its adoption. In the next installment of this tokenization series, we will examine risks that that a tokenized payments environment won't resolve, and risks that will be all new.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


September 29, 2014 in authentication, fraud, mobile payments | Permalink | Comments (0) | TrackBack (0)

September 22, 2014


New ACH Return Rate Threshold on the Horizon

In a December 2013 post, we asked the question, Is it the right time for lower ACH return rate thresholds? We can now say that the answer is "Yes." The voting membership of NACHA-The Electronic Payments Association recently approved a NACHA Operating Rule amendment that will reduce the unauthorized debit return rate threshold.

The process of returning payment transactions is a pain point for the receiving financial institutions that incur the costs of exception processing, which includes handling customer service inquiries and the returns. Unauthorized transactions are also a pain point for customers who have experienced such postings to their accounts. For the financial institution originating transactions on behalf of businesses and third-party customers, ongoing and proactive monitoring of return rates can help them quickly identify potential problems and determine if those problems have been addressed.

The NACHA Operating Rule amendment will reduce the threshold for returns of unauthorized debit entries from 1 percent to 0.5 percent, effective September 18, 2015. An originating depository financial institution will be subject to possible reporting and fines if they have an originator or third-party sender whose return rate for unauthorized debits exceeds the current threshold.

As NACHA states in its information on the new rule, this 0.5 percent threshold is more than 16 times higher than the average network return rate of 0.03 percent for unauthorized debit entries in 2013. This new threshold will continue to emphasize the importance of institutions focusing on high return rates and working with their customers to bring any excessive rates down. The amendment also establishes a review process for when returns for "administrative" or "overall return" reasons exceed certain levels. For administrative returns, this will be 3 percent, and for overall returns, it will be 15 percent. Administrative returns include debits returned for reasons such as closed account, invalid account number structure, or the account number not corresponding to an existing account. Overall returns for ACH debits include unauthorized and administrative reasons, as well as others such as insufficient funds and stop payments.

Unlike the unauthorized return threshold, breaching return rate levels for administrative and overall return reasons will not result in an automatic requirement to reduce the return rate or undergo a rules enforcement proceeding. Instead, exceeding these return rates will lead to a process to determine if the origination practices of a given originator or third-party sender need to be modified to achieve lower exception levels.

The timeframe for implementing this rule allows originating financial institutions to look carefully at their current return monitoring processes and determine whether customers are near these return rates and to put into place practices that would address problem areas. Will this new rule affect your due diligence processes? Does your current monitoring already show that your customers' return rates are lower than the new thresholds?

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 22, 2014 in ACH, debit cards, regulations | Permalink | Comments (0) | TrackBack (0)

September 15, 2014


Let’s Talk Token: Authenticating Payments

It's challenging to have a conversation about EMV cards—cards with chip technology—given their well-documented fraud-mitigating shortcomings, without diving into a conversation on tokenization. And these conversations just intensified with Apple announcing the use of tokenization with its soon-to-be launched mobile payment application. Tokenization of payment card data can provide an additional layer of security to EMV cards for in-person payments and mitigates fraud risks that these cards don't address in the non-face-to-face environment.

I recently spoke at a forum on EMV cards, where it became evident to me that there is a high degree of confusion in the payments industry, especially within the merchant community, about tokenization. Currently, multiple standards initiatives around a new tokenization framework are under way, so Portals and Rails is embarking on a series of posts on tokenization. In this first installment, we define tokenization and distinguish between tokens generated within the merchant's environment (an enterprise solution) and payment tokens generated as an end-to-end-solution. A future post will compare the various payment end-to-end tokenization initiatives that have been announced to date.

In the data security and payments environment, tokenization is the substitution of sensitive data with a surrogate value representing the original data but having no monetary value. For payment cards, tokenization refers to the substitution of part or all of a card’s PAN, or primary account number, with a totally randomized value, or token. A true token cannot be mathematically reversed to determine the original PAN, but a token service provider in a highly secure environment can subsequently link it to its associated PAN.

Tokenization of payment credentials has been around since the mid-2000s, driven primarily by the issuance in 2004 of the Payment Card Industry Data Security Standard (PCI-DSS), which defines merchant requirements for protecting cardholder data. Merchants historically stored PANs for a variety of reasons, including to use in settlement reconciliation, perform incremental authorizations, handle chargebacks, and identify cardholder transactions for loyalty programs. With tokenization, merchants can remove PANs from their data environment and replace them with tokens—and thereby reduce their PCI-DSS compliance requirements. However, this enterprise solution still requires that the PAN enter the merchant environment before the tokenization process taking place.

Under the tokenization initiatives currently under way from the Clearing House and EMVCo, a financial institution would issue a token replacing a cardholder's PAN to the person's mobile handset, tablet, or computer device before initiating a digital payment transaction. So the merchant, rather than receiving the cardholder's PAN for initiating a transaction, would receive a token value associated with that PAN, which would then be de-tokenized outside the merchant's environment to obtain the necessary authorization and complete the transaction. The merchant never has knowledge of the cardholder's PAN—and that is a significant difference between these tokenization initiatives and the enterprise solution related to handling payment credentials.

The Clearing House's and EMVCo's concepts for payment tokenization are similar in many ways, but they also have differences. A future post will delve into the end-to-end tokenization initiatives and consider the impact on mitigating risk in payment transactions.

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 15, 2014 in cards, chip-and-pin, EMV | Permalink | Comments (0) | TrackBack (0)

September 08, 2014


Seeking a Successful Biometric Solution

As an earlier post noted, advances in technology have spurred the implementation of various biometric authentication methodologies in the consumer market. But as people are discovering, not all methodologies are equally suited for all applications. Those who are implementing such applications have to consider risk level, cost, operating environment, and targeted population. They also have to evaluate a number of other factors to determine if a particular biometric is better suited than another for an intended application. These factors include but are not limited to:

  • Uniqueness. While the biometric doesn't always have to be unique to every individual on the planet, the probability that two people share a particular characteristic should be unlikely enough to prevent an unacceptable number of false acceptances (when one person is wrongly authenticated as another). For example, fingerprints are considered to be unique to every individual, but current smartphone fingerprint readers have such low-resolution scanners that the possibility of a false acceptance is one in 44,000. This rate is most likely sufficient for many applications, but a high-dollar transaction may require supplemental authentication.
  • Universality. The targeted characteristic must be present in the overall population, with only a few exceptions. Only a couple of biometric elements, such as DNA and facial recognition, can provide complete population coverage. Hand geometry and vein recognition, for example, won't work on people who are missing fingers or other body parts.
  • Permanence. The characteristic should not change over time. Even though people can alter almost any physical characteristic through medical procedures, the possibility of such alteration to the characteristic being considered for biometric authentication should be infrequent among the population—and the alteration procedure should be relatively expensive.
  • Collection ease. The more invasive the collection of the biometric sample, the more resistance people will have to it. People tend to view facial and voice recognition and fingerprinting as noninvasive but retinal scans as highly invasive—a light beam scans the back of the person's eye, which can be very uncomfortable.
  • Performance. The biometric element must support the creation of a template that is accurate and quickly obtained while also providing minimal database storage requirements. A system that takes a long time to authenticate someone during peak usage periods will encounter user dissatisfaction and possibly decreased productivity.
  • Accuracy. Individuals should not be able to fool the system. Fingerprint readers should verify that the right fingerprints belong to the right person, that a spoken phrase is live and not recorded, and so on.
  • User-embraced. Even when people have to use certain biometric authentication systems as a condition of their employment, the technology should be one that has a high level of acceptance, with minimal cultural, religious, collective bargaining, or regulatory implications.
  • Cost-effectiveness. As with all risk management practices, the cost of implementing and operating the system must be commensurate with the risk exposure for using a less secure authentication system.

As you consider the possibility of implementing a biometric authentication methodology for your customers, I hope you will find these evaluation elements helpful.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 8, 2014 in authentication, biometrics, innovation | Permalink | Comments (0) | TrackBack (0)

September 02, 2014


Not All Digital Currencies Are Virtual

Besides a few classic novels, my summer reading list has largely consisted of various papers and reports on virtual and digital currencies. Not all digital currencies are virtual currencies, though these two terms are often incorrectly used interchangeably. For example, the Consumer Financial Protection Bureau recently issued a warning about the risks associated with Bitcoin and other virtual currencies, yet some media outlets reported that the agency issued a warning about digital currencies. And while the media statements are technically correct since virtual currency is one form of digital currency, they fail to recognize that digital currencies are broader than just virtual currencies. In an effort to clear up confusion and create a better understanding of digital currencies, Portals and Rails offers the following simple framework and definitions.

Framework-image

Digital currency is a digital representation of value and consists of both electronic and virtual currency. Digital currency can be used to purchase physical, digital, and virtual goods. Some, but not all, digital currencies use cryptography as their primary method of security.

Electronic currency, also referred to as e-money, is pegged to a fiat currency. It is a digital representation of value that is government-issued legal tender. The link between electronic currency and fiat currency is preserved and has a legal foundation. The funds of an electronic currency are expressed in the same unit of account as the fiat currency. Examples of electronic currency transactions include payments via credit, debit, and prepaid cards; ACH; and PayPal.

Virtual currency is not pegged to a fiat currency. It is a digital representation of value that is not government-issued legal tender. The funds of a virtual currency are not expressed in a fiat currency. There are currently more than 300 tracked virtual currencies, and as we noted in a Portals and Rails post last year, these currencies can take on multiple characteristics. Examples of virtual currencies include Bitcoin, Ripple, Ven, and Dogecoin.

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 2, 2014 in currency | Permalink | Comments (0) | TrackBack (0)

August 25, 2014


Forty Years and Still Scamming

I suspect that a lot of us have received a letter or an e-mail supposedly from another country's government official or banker informing us that there were some unexpected riches coming our way. We could become millionaires, these strangers tell us, by claiming a prize from a lottery that we don't remember entering. Or they say we just might become millionaires by helping them transfer money out of their country, since they can't because of some sort of bureaucracy or regulation. Before tossing these letters or e-mails into the trash, did you ever linger for just a moment wondering if these riches could actually be coming to you?

A large number of people, particularly in the United States, think the scam is legitimate and are willing to invest up to tens of thousands of dollars to claim their share of the pot of gold. Sadly, they find not only that there is no gold, but also that there isn't even a pot. This type of fraud is classified as an advance fee fraud because the scam involves the victim having to send money in advance, to cover fees or taxes, before they can receive their share of the bounty. The advance fee fraud is one type of 419 Nigerian fraud, so called because early versions originated in Nigeria, where criminal code 419 describes the fraud. 419 fraud began in the 1970s with letters—often with counterfeit postage marks—that targeted small business owners, requesting their help in handling new oil wealth.

Over the next three decades, the solicitations grew at such a tremendous pace that in 2002, the Department of Justice got a court order to allow postal employees to open every letter from Nigeria that was handled through the United States Postal Service's mail facility at John F. Kennedy Airport. They found that more than 70 percent of these letters contained some sort of fraudulent scheme solicitation.

As law enforcement's focus on Nigeria intensified, the 419 groups moved to other countries. These groups reportedly have major operations in at least 150 countries and the involvement of more than 800,000 people. Ultrascan Advanced Global Investigations (UAGI), an Amsterdam-based association focused on disrupting the operations of criminal networks, stated in a preliminary 2013 report that U.S. victims lost $2.3 billion in 2013—more than in any other country.

As with other types of criminal activity, the techniques that advance fee criminals use have become more sophisticated, evolving alongside technological advances. They've moved their method of solicitation from mail to faxes and then to e-mails. And now, instead of just sending mass mailings or e-mails, many of the criminals are tailoring e-mail messages, lacing them with personalized information obtained from social networks and professional and dating websites. For lottery-themed advance fee schemes, the UAGI estimates that 3 percent of the targets respond and make at least one advance payment.

Even more interesting, the report refutes some common misconceptions about the victims usually being lower income or with less education and desperate for some sort of financial windfall. In fact, a number of high-income professionals are taken in by some of the more sophisticated schemes involving high-dollar ventures including real estate development and medical equipment. The report also notes that, for victims losing more than $200,000, 85 percent of them had recently experienced some sort of life-changing family trauma such as a death, divorce, or major illness.

Education by financial institutions remains the most valuable tool to defend against these schemes. These institutions should use in-house media and other methods, such as public service announcements, to alert consumers to these scams, particularly those that appear in the FIs' service areas. I know of some institutions that train their frontline staff to watch for such unusual transactions, particularly by the elderly, as a supplement to their anti-money-laundering education. Financial institutions and consumers should report advance fee fraud attempts immediately to the local Secret Service or FBI office for investigation.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 25, 2014 in consumer fraud, consumer protection | Permalink | Comments (0) | TrackBack (0)

August 18, 2014


Crooks Target Business Clients

Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.

Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:

  • Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
  • Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system

Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.

The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 18, 2014 in authentication, cybercrime, data security, identity theft | Permalink | Comments (0) | TrackBack (0)

Google Search



Recent Posts


November 2014


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Archives


Categories


Powered by TypePad