Retail Payments Risk Forum

Portals and Rails

February 07, 2011

Cash acceptance: A risky proposition for merchants

This blog frequently deals with the risks of electronic transactions—debit and credit card payments, mobile payments, international money transfers, etc. These modern instruments often replace cash, a payment method with its own, sometimes overlooked, risks. While new threats against electronic payments continue to emerge, the transition away from cash may drive down other important risks. Robbery, employee theft, and counterfeit currency are key threats facing merchants and others who accept cash for payment.

More robberies (lower tips)
Businesses dealing primarily in cash run increased risks of robbery. The Occupational Safety and Health Administration (OSHA) lists handling cash as a major risk factor in workplace violence, primarily due to the danger of violent robbery. The Centers for Disease Control and Prevention (CDC) recommends moving to cashless transactions when possible to decrease workplace violence, further supporting OSHA's assessment. Taxi driver, retail and convenience store worker, and restaurant delivery worker are all occupations vulnerable to violence because they exchange cash directly with the public. According to the Department of Justice, taxi drivers suffer the highest rate of robbery of any profession, along with a high rate of robbery-motivated assault and homicide. OSHA recommends that cab drivers shift to credit card payments to mitigate these risks. The Center for Problem-Oriented Policing also suggests that convenience stores limit cash in the till and taxis eliminate cash payments to deter robbery.

However, merchants have largely failed to implement these recommendations. The Police Chief Magazine found that while cash control is the most effective strategy in reducing robberies, it is also the least frequently implemented. Regulation seems to be the most effective way to discourage the acceptance of cash payments. In New York City and Philadelphia, for example, local authorities require taxis to accept credit and debit card payments. These cities met with stiff resistance from drivers at first, but the realization of other benefits, including higher tips, has led to broader acceptance of the mandate. Anecdotal evidence suggests that crime may already be decreasing as a result of the shift away from cash to credit and debit card payments in recent decades.

Robbery prevention strategies

More employee theft
The 2009 National Retail Security Survey finds that employees were responsible for 43 percent of inventory shrinkage (inventory lost to theft, fraud, and error), resulting in an annual cost to retailers of $14.4 billion. Although this survey focuses on inventory losses, it also indicates that employees are the single greatest source of losses for retailers. Cash is more vulnerable to employee theft than electronic payment methods because, unlike a card payment, cash leaves no electronic audit trail. Card payments are also deposited automatically to the merchant's account, while cash must first pass through employees' hands, where it can be pilfered.

More counterfeiting
Merchants that accept cash occasionally suffer losses from accepting a counterfeit note. The Federal Reserve Bank of Chicago found a low incidence of counterfeits in U.S. currency: fewer than one in 10,000 notes, by both volume and value, is counterfeit. Actual losses are lower still, because many low-quality notes can be detected with basic anti-counterfeit procedures. However, according to the Secret Service's Annual Report, the agency removed more than $182 million of counterfeit currency from circulation in 2009, more than double the amount recovered in 2008. Although these losses may be small relative to the entire economy, an individual business can still suffer a nontrivial loss, like the bar in New York that received $700 in counterfeit bills in one night last year.

Cash acceptance entails risks distinct from those related to electronic payments. While it is unlikely that any merchant can eliminate all cash transactions, key questions have yet to be answered. Are merchants underestimating the risks posed by cash acceptance? How can the industry and regulators move to mitigate those risks? While there are many possible responses, the most effective answer may lie in the adoption of technology emphasizing the use of debit, credit, and prepaid cards.

By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

February 7, 2011 in crime, payments, payments risk, workplace fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e2631320970b

October 12, 2010

New study examines the effectiveness of U.S. payments security

As everyday citizens, we are all responsible for understanding the threat of identity theft and its potential to facilitate payments fraud. The proliferation of identity theft is not solely a by-product of the high-tech world in which we live; it has been around from time immemorial. In the pre-Internet era, identity theft and payments fraud were more commonly committed by a "familiar"—a family member or someone with access to the victim's home, office, or mailbox. This type of white-collar crime still exists today, of course, and its success rate, measured in terms of the number of fraud attempts that result in a monetary loss, remains high. But today's identity theft schemes are more complex and involve larger-scale data breaches, so they pose a more significant threat to the retail payments industry and demand stronger security management techniques.

This evolution has created the need for more sophisticated compliance initiatives to keep identity and payment information secure. Retailers are on the first line of defense, in many respects, since they are the receivers and keepers of payment card data used to facilitate purchases at the point of sale.

So, along those lines, how is the retail industry faring? A new study from Verizon—released Oct. 4—reports on how well the U.S. retail sector keeps payment card data secure.

PCI security compliance: A first line of defense
There is an industry-organized set of security requirements created to guard against large-scale thefts of payment card data: the Payment Card Industry Data Security Standard, or PCI-DSS for short. The Verizon report notes a high correlation between an organization's PCI compliance and its resistance to data breaches.

Most large retail enterprises in the United States claim compliance with PCI-DSS, and they have their operational systems periodically assessed to ensure continued compliance. Although many of the largest retailers are compliant, and some participants in the card chain, like the processor Heartland, are now working to go above and beyond the minimum requirements, the Verizon study reveals just how far U.S. retailers are from full PCI-DSS compliance.

The following table summarizes the findings of the Verizon report for PCI compliance rates.


Percent of organizations meeting PCI compliance requirements

Meeting the challenge—and going above and beyond
The study concludes that complying with PCI is a complex challenge for many retailers, but the outlook is good—the retail sector is heading in the right direction. On average, it reports, organizations meet 81 percent of the procedures required by PCI, and 75 percent of organizations meet at least 70 percent of the testing procedures required.

Some industry experts even contend that PCI-DSS compliance in and of itself is not enough, which is why Heartland Payment Systems—one of the largest U.S. card processors, and one that suffered a serious data breach disclosed in 2009—is raising the bar and requiring its merchants to use additional security measures for data encryption. All data messages must be encrypted when in transit and when at rest in temporary storage along the way. For now, organizations responsible for storing and transmitting this data will continue to be challenged with the responsibility for safeguarding it from breaches that facilitate identity theft and payment fraud.
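The "nothing readable at rest in temporary storage" rule in the paragraph above is easier to reason about with a concrete check. The following is an added example written for this page, not code from Heartland, Verizon, or any PCI tool: it turns an authorization message into the only form that may be written to temporary storage (a keyed token plus a masked PAN), and it scans text such as logs or temp files for card numbers that slipped through. The log lines, the field names, and the TOKEN_KEY are all constructed for the example; in production the key would live in an HSM or key-management service.

```python
import hashlib
import hmac
import re

# Hypothetical tokenization key, constructed for this example only.
TOKEN_KEY = bytes.fromhex("0f" * 32)

# 13-19 digit runs, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log lines standing in for a processor's temporary storage: one line
# leaks a full card number, one carries only a token, and one holds a 13-digit
# order id that is not a card number (it fails the Luhn check).
SAMPLE_LOG = """\
2010-10-04 12:00:01 auth ok pan=4111111111111111 amt=42.10 mid=M-0001
2010-10-04 12:00:02 auth ok token=1a2b3c4d amt=9.99 mid=M-0001
2010-10-04 12:00:03 order_id=1234567890123 shipped
"""


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token: records can be matched without storing the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def to_storable_record(auth_msg: dict) -> dict:
    """Build the only form of an authorization allowed into temporary storage."""
    pan = auth_msg["pan"]
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return {
        "token": tokenize_pan(pan),
        "masked_pan": mask_pan(pan),
        "amount": auth_msg["amount"],
        "merchant_id": auth_msg["merchant_id"],
    }


def find_plaintext_pans(text: str) -> list:
    """Scan text (logs, temp files, dumps) for Luhn-valid card numbers; return them masked."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    print("plaintext PANs in log:", find_plaintext_pans(SAMPLE_LOG))
    record = to_storable_record({"pan": "4111111111111111", "amount": "42.10", "merchant_id": "M-0001"})
    print("storable record:", record)
```

The Luhn filter matters in practice: without it, every 13-digit order id, tracking number, or phone number in a log becomes a false positive, and the scan gets ignored. The scanner is the check to run against anything that calls itself "temporary storage" before believing a claim that card data never rests there in the clear.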

By guest blogger Dan Littman, Economist, Federal Reserve Bank of Cleveland

October 12, 2010 in data security, fraud, payments, payments risk | Permalink

September 07, 2010

Is KYC DOA? The tribulations of trying to know your customer

Based on recent nightly news coverage, it appears that armed robbery has entered a new era of "brazenness," as robbers seem to commit their crimes without the cover of a disguise, despite the growing omnipresence of security cameras. I seem to recall that in the good old days of TV westerns, the robbers always wore disguises—at least they covered their faces with bandanas. Unfortunately, in the world of cybercrime, the disguises are still a basic part of the uniform as bad actors go about the business of laundering money, financing terrorists, and committing general computer crimes.

In the wake of the Sept. 11 attacks, the responsibility for detecting criminal financial activity has increasingly fallen to banks, subject to the provisions of Section 326 of the Patriot Act. In essence, the Patriot Act extended the earlier requirements of the Bank Secrecy Act to place financial institutions at the center of a process to know more and more about their account holders. Generally described as the "Know Your Customer" (or KYC) provisions of the act, Section 326 requires financial institutions (now broadly defined to include everything from traditional banks to gambling casinos) to gather, record, and report a great deal of specific information about their business and consumer customers.

Customers have reacted to this heightened information-gathering process with some frustration, yet it is simply the consequence of the global village in which we now live. The standards for such information gathering are cataloged in the Customer Identification Program (CIP) requirements of the Patriot Act, but many institutions, in an effort to protect their bank's financial welfare and avoid criticism from regulators about adhering to the letter of the law only, have extended their programs into the area of customer due diligence (CDD). CDD embraces broader information gathering that may frequently seem intrusive to the customer. For example, CDD may ask customers to describe the nature of transactions flowing through their accounts so that the bank can establish a risk rating for the accounts. However, in today's reality of global cybercrime, have we come to the point where even extended CDD may not be sufficient?

The emergence of third parties in the payments arena
This question is accentuated by the increasing roles of third parties in the payments system. Many third parties are legitimately engaged in providing services and technology support to businesses and banks alike in order to facilitate a more efficient use of the payments system. For example, some companies offer ACH or electronic check origination services to smaller businesses that cannot easily afford the acquisition of in-house systems to accomplish certain payment functions. While it is reasonable to assume that a bank can perform due diligence reviews on such third parties, history has been a harsh teacher in revealing that the third party (the bank's customer) can be well intentioned while some of the companies it provides services to (the customer's customer) may be less honorable. Consequently, the trade now speaks of banks needing to know their customer's customer (KYCC).

It turns out that this is not an easy thing to do. Nor is it easy to tell their customer's customer how to do it. For instance, many of the customer's customers may be startup companies, entrepreneurs pursuing the dream, or relatively small niche businesses. Some such firms start legitimately and intentionally act innocently until such time that they are positioned to commit significant fraud. In other words, the robbery suspects in cyber space do wear bandanas and they do disguise themselves so that no one can make an easy determination in advance as to their trustworthiness. In fact, they do it so well that we must ask, "Is KYC dead on arrival?" in this modern world of payments.

It is increasingly apparent that the answer is, "No, KYC isn't dead, but neither is it enough." A good KYC plan is better than no plan and is needed to comply with the Patriot Act, but we cannot possibly expect such a plan to be foolproof. Instead, we need to anticipate the possibility of a rogue player and complement KYC with other controls. Ultimately, this means that noncard transaction processing systems need to begin to adopt many of the practices used in card systems, including data forensics to detect and address potentially fraudulent behavior before it happens or as soon after it happens as possible.

In addition, it may be time for the industry, working with regulators, to examine the growing importance and risk profiles of nonbank entities engaged in the payments space. Most of today's fraudsters fall outside of the regulatory purview of bank supervisors and examiners, leaving the field to agencies such as the Federal Trade Commission. In 1850, the Pinkerton Agency was formed to assist the government in finding and arresting bank robbers. Perhaps we need a modern-day cyber version of the Pinkertons, armed with powerful networked computers to reach out and oversee the operations of a bank's customer's customer on behalf of regulators and law enforcement bodies everywhere. At any rate, a fresh look at this topic couldn't hurt.

By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

September 7, 2010 in fraud, KYC, law enforcement, payments, payments risk, regulators | Permalink

August 09, 2010

Shopping at the Fraud Mall: Fictional fantasy or harsh reality?

One of the most fascinating scenes in the cavalcade of Harry Potter movies is the requisite trip to Diagon Alley, the quaint London backstreet where the Hogwarts students go shopping in various specialty stores for their school supplies, such as books, potions, strange pets, magic wands, capes, and, of course, flying brooms. Over the past several weeks, battered by the never-ending news of one new payments fraud scheme after another, I lapsed into a daydream in my office about a mythical, but similar, Fraud Village, where fraudsters go to shop for their wares. My vivid recollections follow.

Wandering down Fraudster Alley
As I entered Fraudster Alley, I saw John Doe's ID Shoppe on the right, apparently a business selling payment credentials. On the various shelves, I saw arrays of credit and debit card numbers arranged by issuer, as well as actual bank account numbers sorted by geographical locations in order to minimize the confusion associated with those silly routing number assignments. The data is priced from $1 to $100, the cost depending on the relative credit lines and payment histories of the actual cardholders.

In the premium product aisle I saw a card with a glittering $95 tag for a person with a $30,000 limit that travels frequently and pays off monthly. At the back of the store I located the bank account number case priced from $2 to $1,000 with the top of the line offering belonging to a high balance account holder with several electronic withdrawals and a home banking service with a bank who has notoriously weak access controls. Keeping a couple of good sale items in mind, I slipped outside and gazed up at a remarkable billboard advertising a school for hackers.


Computer hacker billboard


Easing past a street vendor selling memory sticks, I did some window shopping at Willie's Web Emporium, a small shop hawking a variety of e-mail credentials that listed businesses with poorly protected financial software. A gaudy red $12 tag is affixed to a URL touted as hosting a poorly protected payroll system. I chatted with the clerk to see why these credentials were on sale, and he said that the market has been flooded in recent months by an oversupply that has driven the price down.

I got his business card and eased next door into a software/hardware store called Mystic Malware. I was overpowered by flashing displays of various fraud solutions, including a vast array of nearly 500 variations of Zeus malware packages designed to take over small business systems. Like my local Kroger cereal section, the options were bewildering—key-logging variations, with or without icons to be loaded onto desktops, call detection modules, and payment duplication engines. I noticed that some of the older products, like Win32/Conficker, were marked way down in light of the implementation of successful security blockers, while Renos and Vundo versions were premium priced, reflecting their recent success and popularity. In another area, I found a treasure trove of hardware devices, such as ATM skimmers, in bins labeled for the various makes and models of cash dispensers.

Across the street was Mikhail's Money Mule shop, where I browsed through employment applications for folks interested in being "financial managers" for Internet firms. They are arranged by cities, which made it particularly convenient for me to target accounts at choice banks trying to grow their retail base. I briefly scanned a number of "personals" arranged on a bulletin board, each highlighted by a special skill, such as the ability to break Triple DES encryption on a particular server. Next door was the Fraudsters Training Academy, an attractive storefront with a small auditorium running periodic films and live interviews with well-known fraudsters with names like Dark Vader and Card Warrior. Travel posters for Nigeria, the Ukraine, and Romania added a bit of gaiety to the walls.

Fiction turns to fact
I was startled awake from my daydream by a colleague calling for a coffee break. Sipping an overpriced Starbucks, I came to the disturbing realization that much of what I dreamed is simply the harsh reality of today's world of payments. While there is no such physical fraud village, the Internet has in fact become a virtual shopping mall for crooks intent on striking innocent, poorly educated, and singularly unaware business owners and consumers. The possible prices for illegal wares noted above are taken from a recently published study by First Data Corporation that refers to other studies by Symantec and Microsoft.

The billboard shown above actually stands on Interstate 75 near downtown Atlanta. In just the past week, I have read these headlines: "FBI, Slovenian and Spanish Police Arrest Botnet Creator, Operator", "Two Arrested in Massive Scheme: Investigators Recover Skimmers, Fake Cards, 1,000 Pages of ID's," and "Atlanta Security Company Startled At Check Stealing Software."

Alarmingly, it is time for all of us in the payments world to realize that yesterday's fiction is today's reality in the harsh world of payments fraud, and protecting our assets, our people, and our reputations is going to take more time and effort than ever before.

By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

August 9, 2010 in consumer fraud, cybercrime, fraud, identity theft, malware, payments risk | Permalink

March 15, 2010

Global challenge: Catching crooks while protecting privacy

As I watched the Winter Olympics unfold in Vancouver, I marveled at the stories of athletes who had gained citizenship in other countries in order to pursue their dreams. A Canadian moguls skier moved to Australia (which I kind of get) and a Japanese pairs figure skater fled to Russia (which I don't get). In both cases, their renationalization was rewarded with Olympic medals, and in both cases, I was reminded of how completely we have merged into a one-world family and a one-world economy.

Amidst this clear and widely embraced trend to global industrialization and trade, we find that our payments systems lag miserably behind. Certainly this is not because of the lack of availability of technology to wire us together; in fact, both good guys and bad guys use the Internet to order and ship goods and services, as well as commit fraud, across the globe in minutes. And, certainly, this is not because of trade practices. As I found out from Linda Coven, a senior executive at the Silicon Valley Bank in California, a technology firm born in the Silicon Valley becomes a global firm the minute they put up their Web site. Even a modest-sized bank such as hers can develop the expertise and partnerships to help such companies cope with the financial aspects of worldwide markets.

Tangled web
The fly in the international payments ointment is the complex web of regulatory and law enforcement regimes that quite naturally do not as yet mesh. In fact, this can still be a problem domestically, let alone globally. The global version of this dilemma took center stage in February 2010 when the European Parliament voted to reject the interim EU-US agreement on the processing and transfer of financial messaging data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program (TFTP). The program was established by the U.S. Treasury in the wake of the September 11, 2001, attacks. The TFTP allows the Treasury to issue administrative subpoenas for terrorist-related data, including the records of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the world's largest network for interbank financial messaging. Privacy laws and liabilities were cited as the major stumbling block in this reversal of previous agreements. SWIFT's effort to separate its databases into geographical segments may still allow some access to data involving a U.S. institution, but the EU ruling could ultimately impede law enforcement activities aimed at catching the criminals who make today's global payments world a bit of the wild, wild West.

For those who feel that today's regulatory/law enforcement climate borders on paranoia, I would counter that in the face of global terrorism and money laundering there may be ample reason for paranoia. It is clear that cross-border payments applications deserve greater scrutiny to make sure they are not vehicles for financing dangerous and unsavory organizations. Strong compliance policies and screening practices are even more critical in this environment than they are domestically. Nevertheless, we see once again the incongruent goals of catching criminals and preserving privacy. In cases where cooperation and trust have been established, there have been great successes. Internet-based corporate account takeover rings have been stymied and Nigerian-based fraudulent check schemes have been terminated, to the benefit of numerous domestic corporations and consumers.

Building a team
At the Retail Payments Risk Forum, we are working with various parties to find ways to synthesize the conflicting goals of privacy and enforcement to create a more directed and timely approach to catching the bad guys. As we progress, we will have to be ever-mindful of the fact that the next step will be to use our domestic examples as templates for solving the same problems internationally. Useful new work groups and task forces have been established here in the United States, such as the Interagency Payments Fraud Working Group under the current co-chairmanship of the Justice Department and the Federal Reserve Board, that are directed at better cooperation between law enforcement and the bank/non-bank regulatory community. Extending such collaboration into the international arena needs to become a priority for our industry if we are truly going to mitigate payments risk and catch offenders. It is no secret that this will be a difficult challenge, but fighting cyber crime is no longer a domestic issue here in the States or anywhere else. While we cast aside old norms in the payments and technology areas to do business across borders, we must also be open and innovative in regulatory and law enforcement circles if we are to have any chance of keeping up with criminals.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

March 15, 2010 in cybercrime, fraud, law enforcement, payments risk | Permalink

January 25, 2010

Connecting the dots needed to reduce payment risks

Some say baseball is not only America's Game, but also a metaphor for life in America. As a lifelong fan I have noticed that each year a couple of rookie players explode onto the scene in April, putting up terrific numbers and establishing themselves as the sport's next great icons. Usually by mid-May they have disappeared from the league leader boards as their numbers fall precipitously. Why? Because the league knows very little about the players' strengths and weaknesses in April, but as time wears on, pitchers make adjustments to exploit the rookies' weaknesses. Don Sutton, an announcer for the Atlanta Braves, says that baseball is a game of continuous adjustments. The rookie wunderkinds will only be successful over the long run if they are able to make the adjustments necessary to counter the pitchers' new approach.

In today's payments world, rookie fraudsters are having significant success penetrating corporate payroll and accounting systems, using Trojan horse and key-logging software to insert bogus payments into a company's disbursement stream without the company realizing it until much too late. So-called "money mules," hired by the kingpin fraudster, receive the stolen funds in newly opened accounts and immediately wire them to faraway places after taking their promised cut. Such schemes have been much discussed in the payments industry press over the past few months.

My wife's sister is the bookkeeper for a small firm, and in that role she is responsible for most of the company's disbursements, including payroll. Over a glass of eggnog or some acceptable substitute, I told her about these schemes and she listened, wide-eyed. We discussed the controls that were in place in the company that could detect and prevent them from becoming a victim, and I began to realize the problem we face as an industry in addressing such new threats. Like the rookie baseball player, we must begin to adopt a mentality of constantly adjusting to the ploys of the fraudsters to ensure our future success. For example, a company could add a new step to their disbursement process that would check payroll totals for reasonableness in terms of numbers and dollars, scan preliminary logs of payees, names or accounts, etc., before pressing the transmit button. The challenge is to figure out how to share threat information broadly enough to reach the point of common sense protection. There can be no remedy if there is no awareness.
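The pre-transmit step sketched above (check the batch's count and dollars for reasonableness, then look over the payees and accounts before pressing transmit) is the kind of card-style data forensics the KYC post earlier on this page asks noncard systems to adopt. What follows is an added example written for this page, not the Forum's code or any bank's, showing one way a small firm's bookkeeping system could implement that step: it compares the outgoing payroll batch against prior runs and flags the patterns that a takeover with mule accounts produces. The employee ids, account strings, and amounts are constructed; the 10 percent total-drift and two-payee count-drift thresholds are assumptions a company would tune to its own history.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayrollLine:
    employee_id: str
    account: str        # destination account; placeholder strings constructed for this example
    amount: Decimal


def review_batch(batch, prior_batches, max_total_drift=Decimal("0.10"), max_count_drift=2):
    """Return findings to clear before transmitting; an empty list means nothing unusual."""
    findings = []
    if not prior_batches:
        return ["no prior runs to compare against; review every line manually"]

    # 1. Reasonableness of count and dollars against the average of prior runs.
    runs = len(prior_batches)
    avg_count = Decimal(sum(len(b) for b in prior_batches)) / runs
    avg_total = sum((line.amount for b in prior_batches for line in b), Decimal(0)) / runs
    count = len(batch)
    total = sum((line.amount for line in batch), Decimal(0))
    if abs(count - avg_count) > max_count_drift:
        findings.append(f"payee count {count} differs from typical {avg_count:.0f}")
    if avg_total == 0 or abs(total - avg_total) / avg_total > max_total_drift:
        findings.append(f"batch total {total:.2f} differs from typical {avg_total:.2f}")

    # 2. Payee-level checks: payees never paid before, and accounts that changed.
    known = {}
    for b in prior_batches:
        for line in b:
            known.setdefault(line.employee_id, set()).add(line.account)
    for line in batch:
        if line.employee_id not in known:
            findings.append(f"new payee {line.employee_id} -> {line.account}")
        elif line.account not in known[line.employee_id]:
            findings.append(f"account changed for {line.employee_id} -> {line.account}")

    # 3. One account collecting several payees in a run is the classic mule signature.
    for account, n in Counter(line.account for line in batch).items():
        if n > 1:
            findings.append(f"account {account} receives {n} payments in one batch")
    return findings


def ok_to_transmit(batch, prior_batches) -> bool:
    """The gate in front of the transmit button."""
    return not review_batch(batch, prior_batches)


# Constructed history: two identical prior payroll runs for a three-person firm.
PRIOR_RUNS = [
    [PayrollLine("E-001", "home-bank:1001", Decimal("2100.00")),
     PayrollLine("E-002", "home-bank:1002", Decimal("1850.50")),
     PayrollLine("E-003", "home-bank:1003", Decimal("2400.00"))],
    [PayrollLine("E-001", "home-bank:1001", Decimal("2100.00")),
     PayrollLine("E-002", "home-bank:1002", Decimal("1850.50")),
     PayrollLine("E-003", "home-bank:1003", Decimal("2400.00"))],
]

# Constructed tampered run: E-002 redirected to a mule account, plus a bogus payee to the same account.
TAMPERED_RUN = [
    PayrollLine("E-001", "home-bank:1001", Decimal("2100.00")),
    PayrollLine("E-002", "mule-bank:7777", Decimal("1850.50")),
    PayrollLine("E-003", "home-bank:1003", Decimal("2400.00")),
    PayrollLine("E-999", "mule-bank:7777", Decimal("4900.00")),
]

if __name__ == "__main__":
    for finding in review_batch(TAMPERED_RUN, PRIOR_RUNS):
        print("HOLD:", finding)
    print("transmit?", ok_to_transmit(TAMPERED_RUN, PRIOR_RUNS))
```

Note what the check does and does not rely on: it never asks whether the workstation is infected, only whether this batch looks like the company's own history. That is the point of putting the control at the originator, and it is also why the thresholds have to be the firm's own numbers; a seasonal business with bonus months would tune the drift limit or compare against the same month last year rather than a flat average.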

A number of organizations are working on education and communications efforts within their industries, but the best protection is always a first-line defense at the point of greatest vulnerability—the corporate originator of payments. While we in banking view the depth and breadth of our industry as daunting, it is trivial compared to the universe of American business, from large mega-corporations who can invest millions in protection to small entrepreneurs engaged in realizing their lifelong dreams, totally oblivious to the dangers of the brave new world. What, then, can we do to address this seemingly impossible challenge?

The answer would seem to lie in harnessing the amazing technology present in the world today, the same technology being used by the bad guys. Just as nuclear technology can be used to pursue both good and bad objectives, so can e-mail systems, social networking, twittering, and other yet-to-be-discovered advents of the new century. My sense is that the problem lies in discerning how to connect the dots. In other words, how can we as a society create a massive web of "community of interest" associations that allows information to reach the eyes and ears of all (or most) of those who need to hear it?

From my background as a math major, I know that the shortest distance between two points is a straight line (actually, I think you can get this from high school geometry). Noting that every company needs a bank, my sense is that the straight line for this effort runs directly from the central industry sources of fraud knowledge, to the banking community, to a bank's business customer base. Simultaneously, another connection at the top of the chain runs from industry sources to other parties in the regulatory and law enforcement businesses.

Over the past few months, we at the Retail Payments Risk Forum have become aware of and frequently engaged with several organizations who are interested in and trying to enhance the current communications and education process. For example, a new interagency fraud working group, co-chaired by the Department of Justice and the Federal Reserve Board, has been created to share information between bank and nonbank regulators and the law enforcement community. An effort to construct an educational toolkit for banks to use to report fraudulent activity is being developed under the auspices of BITS. In an ideal world, we would all work together to harvest the unique capabilities of each of the many efforts under way and try to coordinate them in such a way as to minimize duplication, maximize knowledge, ensure accuracy, and expedite wide distribution of information. In the months ahead, the Forum will be trying to work across many interested parties to see if there is a model for accomplishing this goal that could be deployed to the benefit of all possible victims in the "fraud value chain."

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

January 25, 2010 in fraud, payments risk | Permalink
