August 18, 2014
Crooks Target Business Clients
Fraudsters are always looking for ways to take advantage of trusted relationships, such as between a business and their established vendors. The fraudster's goal is to trick the business into thinking they are paying their vendor when the dollars are actually being diverted to the crook. A common scheme is for a business to receive instructions on a spoofed but legitimate-seeming e-mailed invoice to send a wire transfer to the vendor or business partner immediately. The business may pay, not realizing until it's too late that the funds are actually going to a fraudster or money mule. The Internet Crime Complaint Center (IC3) recently issued a scam alert on this scheme noting reported losses averaging $55,000, with some losses exceeding $800,000.
Criminals can perpetrate this type of fraud in many ways. Devon Marsh, an operational risk manager at Wells Fargo and chairman of the Risk Management Advisory Group for NACHA–the Electronic Payments Association, addressed some of the ways at a Payments 2014 conference session "Supply Chain Fraud Necessitates Authentication for Everyone," including these:
- Calling or e-mailing the business, pretending to be the vendor, to change payment instructions
- Sending counterfeit invoices that appear genuine because they are patterned after actual invoices obtained through a breach of the business's e-mail system or a vendor's accounts receivable system
Marsh also discussed important ways to reduce the risk of falling victim to these schemes. As with any e-mail that seems questionable, the business should verify the legitimacy of the vendor's request by reaching out to the vendor with a phone call—and not using the number on the questionable e-mail or invoice. The business should also educate its accounts payable department to review any vendor's payment requests carefully, verifying that the goods or services were received or performed and questioning and checking on anything at all that does not look right, such as an incorrect or different vendor name or e-mail address.
The Federal Financial Institutions Examination Council's 2011 supplement to its guidance stresses the need in an internet environment for financial institutions to authenticate their customers. The concepts this guidance addresses are also sound practices for businesses to use in authenticating their vendors.
By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 11, 2014
Improving Mobile Security with Biometrics
During the last year, the release of two smartphones with fingerprint readers by two different manufacturers was met with a lot of excitement. People in the payments industry were keen on the ability of the new phones to better authenticate mobile payments. Fingerprints are one of several biometric methods used today to supplement passwords.
Biometrics refers to techniques that use measurable physical characteristics that lend themselves to automated checking techniques. In addition to fingerprints and vein recognition, biometrics can include voice, facial, and iris recognition, and even DNA matching, among others.
As the Federal Reserve's report Consumers and Mobile Financial Services 2014 noted, consumers' security concerns are a big barrier to the adoption of mobile banking. Mobile proponents believe this barrier can be reduced with the additional security features that mobile phones can provide, along with consumer education. There is no question that the mobile phone offers a number of ways to authenticate the user more positively, using both overt and covert methods. One well-known covert option is the smartphone's geolocation function, which allows verification that the phone is in the location it's supposed to be. Another covert method is "device fingerprinting," whereby a number of digital characteristics about the consumer's phone can be captured and used to verify that the phone being used is the one originally registered.
The most common overt biometric methods being tested today are fingerprint and facial recognition. While only a small number of mobile phones in use today in the United States have fingerprint readers, the vast majority have a camera that could support a facial recognition application. Both of these biometric methods are minimally invasive.
The key difference between biometric verification and user ID and password verification creates the greatest challenge for implementing biometrics authentication: with passwords, unless there is a 100 percent match between the data on file and the data the user enters in trying to gain access, the request is automatically rejected. It may be the legitimate user trying to gain access but maybe he or she forgot the password. Nevertheless, the system rules block access until the user's identity can be authenticated through some other means. On the other hand, the nature of biometrics is such that a 100 percent match between the stored template value and the live template value is rare—possibly because of differences in lighting conditions or angles when biometric measurements are made, or differences between readers, or some other reason. To deal with this gap, the manager of each application has to determine an acceptable accuracy level for both false-positives (whereby a party incorrectly matched is authorized) and false-negatives (whereby the authentic party is denied access). Naturally, false-positives pose the greater threat. False-negatives generally just involve some level of inconvenience until the individual can be authenticated and provided access.
No matter what biometric authentication methodology a system uses, the most important step is validating each customer's biometrics upon enrollment in the program. We will discuss this issue and other challenges for biometric programs in future issues of Portals and Rails.
By Dave Lott, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 04, 2014
Fishing for Your Private Data
Recently, I received a text from my daughter about an e-mail that appeared to be from her financial institution. The e-mail stated that online access to her bank account would be terminated because she had tried to access her account from several computers. However, she could retain access by clicking on a link. While my daughter's natural reaction was concern that she would lose online access to her bank account, I told her that this was probably a phishing incident.
Unlike the hobby of fishing, phishing is the work of fraudsters. With phishing, fraudsters attempt to dupe a consumer or employee into believing that they must immediately provide personal or private data in response to an e-mail that appears to be (but is not actually) from a legitimate entity. Much like fishing, phishing relies on numerous casts, with the phisher hoping that many of those who receive the e-mail will be fooled and swallow the bait. If they get hooked, malware may be loaded on their computer to monitor their keystrokes and pull out financial service website log-on credentials. Or, in my daughter's case, if she had clicked on the link, it would have most likely taken her to a legitimate-looking web page of the bank and requested her online banking credentials. The volume and velocity by which anyone can send e-mails has created a wide window of opportunity for fraudsters.
In their e-mail, the fraudsters create a sense of urgency by indicating some sort of drastic action will be taken unless the customer acts immediately. Although organizations have repeatedly posted statements that they would never send an e-mail asking for private data, this threatened action often causes the recipient to act without considering the consequences or taking the time to call the company or organization to verify the e-mail's authenticity. If it is not authentic, the individual should immediately delete the e-mail without replying, without clicking on any links embedded in the email, and without opening any attachments.
In addition to the need for consumers and employees to be wary of e-mails that are not legitimate, financial institutions must continually stay abreast of the latest technologies to help combat these schemes and educate customers. In a past post, we discussed steps financial institutions should take to help customers protect themselves from fraudsters. These schemes remain in the news even though banks, businesses, and government entities continue to post educational information and best practices for consumers and employees. As my daughter's example demonstrates, consumers opening bank accounts for the first time are not likely to know these schemes. This example suggests that—in addition to educating both business and consumer customers generally—it would be beneficial for financial institutions to place more emphasis on education concerning these schemes at the time customers open their accounts.
July 28, 2014
Where's the Mobile Payment?
I was a big fan of the '80s Wendy's commercials that featured an older woman uttering the phrase, "Where's the beef?" I recently found myself muttering something similar to myself: "Where's the mobile payment?" In early July, I came across the American Banker website headline "Six Fintech Startups That Wowed Bankers." The article highlighted six tech startups that recently pitched their financial products and services to executives from 15 of the largest banks at a one-day event. I was expecting to read about several mobile payment or mobile wallet startups, but surprisingly, none were mentioned.
According to the article's author, for a fintech startup to capture a banking executive's attention, it must address a need in the marketplace that few others are meeting. Could it be that the executives don't view mobile proximity payments as a customer need? I recently blogged about mobile payments fatigue and received some mixed feedback—but I heard little from our banking community readers. From a mobile payments perspective, they are extremely active in both person-to-person and bill payment initiatives. But outside of a few limited pilot programs, financial institutions have made little noise regarding mobile proximity payments or mobile wallets.
Given the prominent role financial institutions are playing in mobile payments through person-to-person and bill payments, why aren't they actively participating in proximity payments at retailers? Are they failing to meet the needs of their customers? According to the J.D. Power 2014 Retail Banking Study, customer satisfaction with banks is at an all-time high. And though the study found that some banks are falling short of meeting their customers' needs, the large banks covered in the survey experienced a significant rise in customer satisfaction scores, leading me to believe these banks are doing as good of a job as ever in listening to their customers and fulfilling their needs.
Is it possible that there isn't currently a driving consumer need for banks to deliver a mobile proximity payment or mobile wallet solution? My colleague Dave Lott suggested earlier this year that for mobile adoption to take place, the experience needs to follow Andy Grove's 10x rule and be 10 times better than what consumers are used to. What do you think it will take to catch the eyes of banking executives in the mobile proximity payments space?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 21, 2014
How Much Will Chip-Card Technology Affect ATM Owners?
Last week, my colleague Doug King wrote a post about the impact of the migration to chip-card technology on financial institutions that issue cards, with a focus on the smaller issuers. What happens with ATMs is an aspect of the chip-card migration that hasn't received much media attention. This may be because the liability shift timetable for ATMs—for MasterCard, it's October 2016; for Visa, October 2017—comes after the merchants' October 2015 deadline.
Of the roughly 430,000 ATMs in the country, nonfinancial institutions own just over half. The size of these independent ATM deployers (called IADs) range from two large companies with installed ATM bases of 60,000+ machines to thousands of small independent owners with a handful of ATMs. The conversion to support chip cards can cost these businesses up to $500–800 per machine. This impending ATM upgrade has echoes of the Triple DES (or Triple Data Encryption Standard) upgrade that Visa and MasterCard mandated in 2003, with a 2007 deadline. That upgrade involved strengthening ATM transaction security to better protect cardholder's personal identification numbers. Like today's chip-card upgrade, some of the older ATMs did not have the computing power necessary to support the upgrade, which meant the owners had the additional expense of replacing or decommissioning these machines. The independent-ATM installed base declined by more than 12 percent from 2007 to 2009 because many of the owners could not afford the Triple DES upgrade.
The costs of the current upgrade come at a time when the operators are seeing a constriction of their revenues. ATM usage has not kept up with the increased number of machines, which has resulted in lower average volumes per ATM and lower transaction revenues. The increased use of debit cards at retailers along with the cash-back option that many retailers offer are primary reasons for the lower usage.
The ATM owner has two main sources of revenue: interchange fees and surcharge fees. The card issuer pays the interchange fee; the cardholder pays the surcharge, which the ATM owner adds to the transaction amount. (The cardholder may also incur a "foreign transaction" fee from their financial institution for using an ATM outside their financial institution's network, but the ATM owner receives no portion of that fee.)
For 10 years, net interchange revenue to the IADs been steadily decreased. An industry survey showed that average interchange revenue per cash withdrawal dropped from $0.555 in 2006 to $0.3625 in 2012. ATM owners have some ability to raise their surcharge amount, but they have to remain competitive. (The average ATM surcharge amount for ATMs is about $2.50, according to Bankrate.com’s 2012 Checking Survey.) To offset these profitability constrictions, ATM owners are continuing to look for additional revenue sources, such as video advertising or branding their ATM with the name of a financial institution.
As the chip-card deadline for ATMs gets closer, Portals and Rails will continue to monitor and report on its impact.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed.
July 14, 2014
EMV Train is Gathering Steam: Procrastinators Take Warning
With each passing day it becomes more apparent that the United States’ EMV train—the one carrying the chip-embedded credit and debit cards—has left the station and is gaining steam for the ride towards the October 2015 POS liability shift timetable. In a June 12 press release, the EMV Migration Forum estimates that 100 million EMV cards (approximately 9 percent of the card base) will be issued by the end of 2014 plus an estimated 4.5 million chip-capable terminals (approximately 40 percent of terminals) will be installed by year’s end. Demonstrating different perspectives on the speed of the EMV train, two research groups, Aite Group and Javelin Strategy & Research, released their card conversion estimates:
Javelin also projects that 53 percent of POS terminals will be chip-enabled by the end of 2015.
The newly released PULSE 2014 Debit Issuer Study perhaps best captures EMV’s gathering speed. Of the issuers surveyed for this study, 86 percent plan to issue EMV cards in the next two years, compared to only 50 percent in the previous year’s study. However, the study reveals there is a bit of discrepancy between the EMV plans of large and small financial institutions. About 22 percent of community banks and 17 percent of credit unions have no EMV issuance plans compared to only 4 percent of large banks.
We know from experience that fraud generally migrates to the weakest link. So the EMV issuance findings are a bit troublesome, especially when we consider that the study found credit unions and community banks had already experienced significant increases to their signature debit fraud rates in 2013 from 2012 compared to large banks. Further, in 2013, credit unions and community banks had fraud rates approximately 25 percent and 15 percent, respectively, greater than that of large banks.
Despite the EMV naysayers, the U.S. payments industry is moving ahead with this initiative. For those smaller financial institutions waiting to see how EMV will unfold, the future has become clearer. By not acting, those financial institutions could become the "weakest link" and an easier target for the fraudsters compared to peers and competitors that do migrate. The train is rumbling down the EMV tracks, but there still is time to get an issuance plan in place.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 07, 2014
Fighting the High-Tech Criminals
The days of small gangs or the lone criminal committing "grab-and-go" robberies or counterfeiting checks and currency are certainly not over. However, crime stories involving millions of dollars and criminal networks that span the globe tend to grab the headlines these days. Just about everyone has heard about the recent data breaches at major retailers and ATM cash-outs that have netted criminals millions of dollars. A presentation at a recent payments security conference addressed the role of high-tech criminal groups in such crimes and the major threat they present to the security and reputation of our payment system. The speaker described how law enforcement agencies are working vigilantly to shut down these large global criminal enterprises and their cybercriminal activities.
The speaker detailed the composition of a criminal network, which closely resembles the organizational structure of a multinational corporation with numerous subsidiaries. This image shows the major components of the criminal enterprise.
- Executives—These people serve as the originating group and ultimate beneficiaries of the spoils of their successful attacks. They identify the types of criminal cyberactivity to pursue, including identifying the target companies or computer systems.
- Financiers—If the executives don't have the financial resources to carry out their scheme, they often link to a funding source. The financiers may receive a share of the executives' profits as compensation, or they may simply treat the transaction as a loan, charging interest until the loan proceeds are repaid.
- Exploiters—The hackers and software personnel identify vulnerabilities in software or systems and write malware code to compromise a target's account credentials. They normally receive compensation based on the type of attack and the level of sophistication.
- Botnet operators—A botnet is a network of compromised computers. The botnet operators, sometimes called "bot herders," control these systems. They run automated programs in the background, so they are often undetected by the legitimate computer owners, to send massive amounts of spam, conduct spear phishing attacks, or in some other way launch attacks against their targets. Botnet operators receive payment based on the number of compromised computers they use and the time required for the attack.
- Money mules—These players are in the most vulnerable group; they are the people on the street, retrieving the stolen funds and sending them, minus their cut, to the executives. Some law enforcement authorities have said that mules' share of the ill-gotten proceeds can be as high as 60 percent, depending on an operation's level of risk.
While these players are closely linked, they are generally separate criminal groups that have developed niche roles. The separation provides some safety to the executive group in that if members of one of the linked groups are arrested, executives can find another group to take their place so they can continue their illegal activities.
The major global criminal networks have proven to be formidable because of their resilience, but they are not invulnerable. Law enforcement agencies in the United States and other countries are working together to attack these networks through a variety of strategies. Unfortunately, in many cases, the core criminal leaders are physically located in safe havens, so called because local policies may prevent extradition or because governmental officials may be complicit or corrupt so they ignore the criminal activity as long as the targets of the crime are outside their borders.
Portals and Rails salutes the law enforcement personnel for their tireless efforts in this constant battle.
June 30, 2014
A Call to Action on Data Breaches?
I recently moved, so I had to go online to change my address with retailers, banks, and everyone else with whom I do business. It also seemed like an ideal opportunity to follow up on the recommendations that came out after the Heartbleed bug and diligently change all my passwords. Like many people, I had a habit of using similar passwords that I could recall relatively easily. Now, I am creating complex and different passwords for each site that would be more difficult for a fraudster to crack (and at the same time more difficult for me to remember) in an attack against my devices.
I have found myself worrying about a breach of my personal information more frequently since news of the Heartbleed bug. Before, if I heard about a breach of a certain retailer, I felt secure if I did not frequent that store or have their card. Occasionally, I would receive notification that my data "may" have been breached, and the threat seemed amorphous. But the frequency and breadth of data breaches are increasing, further evidenced by the recent breach of a major online retailer's customer records. This breach affects about 145 million people.
As a consumer, I find the balance between protecting my own data and my personal bandwidth daunting to maintain. I need to monitor any place that has my personal data, change passwords and security questions, and be constantly aware of the latest threat. Because I work in payments risk, this awareness comes more naturally for me than for most people. But what about consumers who have little time to focus on cybersecurity and need to rely on being notified and told specifically what to do when there's been a breach of their data? And are the action steps usually being suggested comprehensive enough to provide the maximum protection to the affected consumers?
Almost all states have data breach notification laws, and with recent breaches, a number of them are considering strengthening those laws. Congress has held hearings, federal bills have been proposed, and there has been much debate about whether there should be a consistent national data breach notification standard, but no direct action to create such a standard has taken place. Is it time now to do so, or does there need to be more major breaches before the momentum to create such a standard makes it happen?
June 23, 2014
Do Consumers REALLY Care about Payments Privacy and Security?
Consumer research studies have consistently shown that a top obstacle to adopting new payment technologies such as mobile payments is consumers' concern over the privacy and security protections of the technology. Could it be that consumers are indeed concerned but believe that the responsibility for ensuring their privacy and security falls to others? A May 2014 research study by idRADAR revealed the conundrum that risk managers often face: they know that consumers are concerned with security, but they also know they are not active in protecting themselves by adopting strong practices to safeguard their online privacy and security.
The survey asked respondents if they had taken any actions after hearing of the Target breach to protect their privacy or to prevent credit/debit card fraudulent activity. A surprising 79 percent admitted they had done nothing. Despite the scope of the Target data breach, only 4 percent of the respondents indicated that they had signed up for the credit and identity monitoring service that retailers who had been affected offered at no charge (see the chart).
In response to another question, this one asking about the frequency at which they changed their passwords, more than half (58 percent) admitted that they changed their personal e-mail or online passwords only when forced or prompted to do so. Fewer than 10 percent changed it monthly.
When we compare the results of this study with other consumer attitudinal studies, it becomes clear that the ability to get consumers to actually adopt strong security practices remains a major challenge. At "Portals and Rails, we will continue to stress the importance of efforts to educate consumers, and we ask that you join us in this effort.
June 16, 2014
Banking on the Financial Institutions as Gatekeepers
With all the changes and new participants in the payment industry, financial institutions remain the participants in the best position to know their customers. They still play a central role in transactions, so laws, regulations, and rules view them as gatekeepers, best able to protect consumers from unauthorized payments and fraudulent business practices. This gatekeeper role has never been simple, but the increase in the number and type of businesses conducting transactions over the internet and mobile devices has added to its complexity and difficulty. Complicating the gatekeeper role further is the increasing number of intermediaries involved in the payments stream.
Over the years, regulators have issued guidance to institutions highlighting issues related to high-risk businesses and service providers. In the fourth quarter of 2013, both the Office of the Comptroller of the Currency and the Federal Reserve Board issued guidance on third-party risk management for financial institutions. The new guidance highlights the growing importance of managing relationships with payment participants and makes it clear that institutions have to focus on managing customer relationships, which starts at onboarding.
Regulatory pressure is one approach to keeping the payments system safe, and so is the pressure that law enforcement agencies put on financial institutions. A recent example includes the crackdown of the New York Department of Financial Services on unlawful payday lending practices.
Payments system rules are also effective in keeping financial institutions focused on indicators of the fraudulent use of a payment type. For instance, NACHA Operating Rules include a provision that says an institution is out of compliance if its businesses have a return rate for unauthorized transactions over 1 percent. (A previous post addressed proposed enhancements to the NACHA Operating Rules to address additional indicators of fraud.)
An even stronger type of pressure exerted on financial institutions is when an agency bans a payment type entirely or restricts its usage. For instance, the Federal Trade Commission issued a proposal last year to ban the use of remotely created checks by telemarketers. If a payment type is banned, the financial institution's role is to enforce the ban with its business clients.
The emphasis on the financial institution's gatekeeper role underscores the continued importance of protecting consumers from fraudulent payment practices. It also highlights the fact that this role is not an easy one and brings with it certain risks and costs.