Retail Payments Risk Forum

Portals and Rails

April 07, 2014

Learning from Experience to Handle Suspicious Payment Transactions

In a post earlier this year, we addressed the difficulty of identifying and tracking remotely created checks (RCCs) in the payments stream. Electronic payment orders (EPOs), which are electronic images of "checks" that never exist in paper form, are another payment vehicle difficult to identify and track. EPOs can be created by the payee as an image of an RCC, or created and electronically signed by the payer.

Financial institutions have to address all suspicious payment transactions, whether they occur with traditional payments, like checks and ACH or these new variants, the RCCs and EPOs. Institutions rely on a variety of ways to become aware of suspicious payment transactions:

  • The institution's anomaly detection processes highlight transaction patterns that are atypical for a customer.
  • A bank customer contacts the bank after identifying an unauthorized transaction on the bank statement.
  • Consumer complaints about a business suddenly increase.
  • Another institution contacts the bank with concerns about a particular business.
  • The bank becomes aware of legal actions taken against a business.
  • Returns for a business's payment transactions increase.

Regardless of payment type, institutions can apply the simple approach in this diagram to handling suspicious payment transactions.

[Diagram: handling suspicious payment transactions]

When an institution becomes aware of suspicious transactions, its first step is to take care of the customer. This may include returning transactions, placing stop payments, monitoring account activity, addressing security protocols, or changing authentication tools.

The next step would be to reach out to other institutions, law enforcement, and regulators. Other institutions may not be aware of the issue and can assist with resolving the customer’s concern and addressing the underlying cause of the problem. Support for information sharing between financial institutions includes the safe harbor provisions within Section 314(b) of the U.S. Patriot Act. Submitting suspicious activity reports, or SARs, and contacting appropriate law enforcement such as the local police or FBI enables law enforcement to address fraudulent behavior, monitor the extent of the fraud, and address areas of concern that are affecting multiple institutions. Information-sharing groups, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and BITS, are other important avenues.

Critical to the approach is the importance of the affected institution consistently adjusting its identification processes based on its experiences with suspicious transactions. For example, if the anomaly detection system has default settings for origination volume or return rates, and the institution learns that those settings were ineffective in identifying a problem, then the institution should adjust the settings.
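As an added illustration (not code from the original post), the following Python sketches the kind of threshold check the paragraph describes, a per-business check on peak origination volume and return rate, and then tightens whichever threshold let a confirmed case slip through. The businesses, counts and threshold values are constructed for the example.

```python
"""Threshold-based screening of payment originators, with thresholds
adjusted after a case the default settings missed.

Added example; all businesses, counts and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Thresholds:
    max_daily_volume: int    # flag when a business's peak daily originations exceed this
    max_return_rate: float   # flag when returns / originations exceed this


# Constructed sample activity: (business, day, originated_count, returned_count)
SAMPLE_ACTIVITY = [
    ("AcmeSubscriptions", 1, 120, 2),
    ("AcmeSubscriptions", 2, 130, 3),
    ("AcmeSubscriptions", 3, 125, 2),
    ("QuickRebates", 1, 40, 1),
    ("QuickRebates", 2, 45, 4),
    ("QuickRebates", 3, 50, 7),      # returns climbing day over day
    ("BigBoxRetail", 1, 900, 3),
    ("BigBoxRetail", 2, 950, 2),
    ("BigBoxRetail", 3, 1000, 4),
]


def summarize(activity):
    """Aggregate originated/returned counts and peak daily volume per business."""
    totals = defaultdict(lambda: {"originated": 0, "returned": 0, "peak_day": 0})
    for business, _day, originated, returned in activity:
        t = totals[business]
        t["originated"] += originated
        t["returned"] += returned
        t["peak_day"] = max(t["peak_day"], originated)
    return dict(totals)


def return_rate(t):
    """Overall return rate for one business summary (0.0 when nothing originated)."""
    return t["returned"] / t["originated"] if t["originated"] else 0.0


def flag_suspicious(activity, thresholds):
    """Businesses whose peak daily volume or overall return rate exceeds the thresholds."""
    flagged = set()
    for business, t in summarize(activity).items():
        if (t["peak_day"] > thresholds.max_daily_volume
                or return_rate(t) > thresholds.max_return_rate):
            flagged.add(business)
    return flagged


def learn_from_case(thresholds, activity, confirmed_business):
    """Return tightened thresholds so that a business later confirmed as a problem,
    but not flagged by the current settings, would have been caught.

    The measure that came closest to tripping is tightened to 90% of the value
    the confirmed case actually showed. Thresholds are returned unchanged if the
    business was already being flagged."""
    if confirmed_business in flag_suspicious(activity, thresholds):
        return thresholds
    t = summarize(activity)[confirmed_business]
    rate_ratio = return_rate(t) / thresholds.max_return_rate
    volume_ratio = t["peak_day"] / thresholds.max_daily_volume
    if rate_ratio >= volume_ratio:
        return Thresholds(thresholds.max_daily_volume, round(return_rate(t) * 0.9, 4))
    return Thresholds(int(t["peak_day"] * 0.9), thresholds.max_return_rate)


if __name__ == "__main__":
    default = Thresholds(max_daily_volume=1500, max_return_rate=0.10)
    print("default settings flag:", flag_suspicious(SAMPLE_ACTIVITY, default))
    # Suppose QuickRebates is later confirmed as a problem through complaints or returns.
    tuned = learn_from_case(default, SAMPLE_ACTIVITY, "QuickRebates")
    print("tuned settings:", tuned)
    print("tuned settings flag:", flag_suspicious(SAMPLE_ACTIVITY, tuned))
```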

As the payments industry continues to evolve, with newer payment types such as RCCs and EPOs, criminals will find new ways to use them to their benefit. And as perpetrators of fraudulent payments adjust their approaches, a financial institution must also be a "learning" institution and adjust its approach to identifying the suspicious payments.

How often does your institution adjust its processes for handling suspicious transactions based on current fraud experiences?

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 7, 2014 in fraud, payments, remotely created checks


March 25, 2013

What's Next in Mobile Payments?

I recently participated in two banking conferences that displayed the full spectrum of strategic options and plans of banks regarding mobile payments. The first event was the annual operations/technology conference of a statewide bankers' association with all the attendees being small- to mid-sized community banks. All these banks currently offer an online banking application to their customers; about half of these have customized their online banking application for mobile device usage. Only one bank indicated they had a mobile payments application currently in operation. I was surprised to find that only a couple of other banks planned to offer a mobile payments application within the next 12–18 months.

Later in the day, a panel of four MBA graduate students from a prestigious business school of a private southeastern university gave their views on mobile payments. The objective of this panel was to help the bankers understand the key drivers of this demographic's banking relationships and needs. All four panel members indicated they frequently accessed their banks' online banking services with their mobile devices as well as their laptops and tablets. They also unanimously stated they would switch financial institutions if the banks didn't offer the service or if they began charging a fee for the service. Interestingly, only one panelist used the mobile payments application from his bank, and his usage was infrequent. The reasons the panel members gave for their disinterest in mobile payments included the difficulty of using a mobile phone rather than a laptop or tablet for bill payment, or little need for the service because they found their existing payment methods to be as convenient or more so.

At the Bank Administration Institute's (BAI) Payments Connect 2013 conference the following week, a featured track of the two-and-a-half-day event was the wide range of marketing, operational, risk, and technology issues related to mobile banking and payments. The prognosis for mobile payments couldn't have been more optimistic, with a number of panelists declaring that the tipping point for mobile payments had been realized earlier in the year. They credited the adoption rate for smartphones and other indicators they believed to be key drivers. Of course, we have to realize that many expressing such optimism worked for a company that has a vested interest in the success of mobile payments. However, that optimism was supported by a number of research studies delivered during the conference that concluded that the rate of smartphone penetration, the growing volume of mobile payment transactions, and overall consumer attitudes would translate to successful mobile payments programs.

One of the questions bankers frequently asked during the BAI conference was what a panelist would recommend the bank do regarding their mobile payments strategy. While there were some slight variations, panelists consistently responded that banks should get involved now and try a number of different, small-scale strategies. Several panelists used the gambling analogy of placing a distributed number of bets of small amounts rather than going "all in" with one particular mobile payments scheme. They acknowledged that the technology winner(s) of mobile payments was far from certain at this point, with near field communication, QR codes, and cloud options all in different states of adoption and each with their individual advantages and disadvantages.

The practice of "spreading your bets" is certainly a valid risk management strategy, but how practical is such a strategy for small financial institutions? The large banks have their research-and-development budgets, IT development staff, and other resources that allow them to participate in multiple pilot programs, but smaller institutions do not have such resources. Most would be able to offer only a mobile payments program supported by their core application processing provider.

As with many new payment products in the past, larger banks have led the initial efforts, and the smaller banks followed suit after customer demand for the service became more certain and with the realization that not offering the service would put them at a competitive disadvantage. Could this be the reason many banks, especially the smaller ones, have been sitting on the sidelines for now until the mobile payments picture becomes a bit clearer? Let us know what you think.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 25, 2013 in mobile banking, mobile payments, payments


January 07, 2013

Boston Fed on mobile phone technology: "Smarter than we thought"

When it comes to mobile payments security, will the most secure solution win out, or will convenience rule the day? Mobile payment services are coming to market, however slowly, and as they do, security in supporting technology platforms is a critical consideration for merchants and consumers. In fact, many consumer surveys, such as this one released by the Federal Reserve Board, have reported that U.S. consumers consider security to be an important factor when deciding if they will use a mobile device to access financial information or engage in a payment service. Because security is a major contributor to the success and ultimate broad adoption of mobile payments, Boston Fed researchers examined how the primary technologies supporting mobile payments at the merchant point-of-sale address payments security. These technologies include near-field communication (or NFC) and cloud solutions.

This post looks at some of the high points of a paper written by the Boston Fed researchers about their analysis. The paper, published November 2012 and titled "Mobile phone technology: 'Smarter than we thought,'" discusses the unique characteristics of each technology and why security practices will vary accordingly.

NFC mobile payment options vary in security and convenience
The three primary approaches to NFC mobile payments all involve storing payment credentials in an encrypted smart card chip within the mobile phone. This chip, also known as the "secure element," may reside in the subscriber identity module (SIM) card, it may reside in the micro secure digital (SD)—or memory—card, or it may be hardwired into the actual device. Each of these approaches has benefits and disadvantages with respect to convenience and security.

For example, the SIM card's storage capability provides an additional layer of security. The wireless carrier can manage the SIM card remotely to prevent unauthorized access if the phone is lost or stolen or if the SIM card is removed. In other words, the mobile network operator controls access to the SIM card, which, depending on your perspective, may also be a drawback.

The memory card is also portable and communicates with apps to enable mobile payments. This method can be speedy to deploy. As a result, several U.S. banks, card networks, and transit authorities have piloted solutions using memory cards. However, these cards typically support only a single application or payment account, so they may not be the best long-term solution. Furthermore, their portability presents security concerns because there is no lock or PIN to prevent removal of the card from the phone and then subsequent unauthorized access to the payment information stored within it.

The third approach has the chip soldered into the hardware, making it relatively tamper-proof. Although it is less costly than the other NFC options, it provides no portability feature. So despite the stronger security features, this lack of portability makes this approach inconvenient because consumers cannot easily transfer payment credentials and applications when they switch phones.

Mobile payments in the cloud: A new security paradigm
While industry stakeholders were discussing the security options of NFC technology deployments, new alternatives emerged that rely on cloud computing. In cloud-based payment business models, the consumer's payment credentials are stored remotely on a server—which a merchant or payment services provider manages—as opposed to on the phone's hardware. Cloud-based services are less costly to deploy than NFC-based services. In addition, because they are hardware-agnostic, they are essentially portable and convenient for the consumer. In some ways, cloud-based payments can be more secure than in-phone solutions, since the consumer's payment credentials are not stored in the mobile phone and are not potentially exposed during transactions. However, it is still necessary to take steps to secure the remote storage of payment credentials and other important data. And, as the paper notes:

There are still many unknowns to be addressed. Because payments data can be compromised in the cloud, it is essential that: 1) payments data is not transmitted via SMS [short message service, or instant messaging] or email because these platforms are not encrypted; and 2) payments to the cloud are transmitted between secure, encrypted endpoints handled either by mobile carrier data networks or merchant-provided secure Wi-Fi hotspots, and are not transmitted unencrypted over any network.

Data privacy remains a critical concern
Cloud providers have a responsibility to protect consumer data. They must comply with privacy laws and obtain explicit permission before sharing data or mining it for other monetization opportunities. Ultimately, cloud providers must make sure that the underlying payment services are secure and resilient.

When it comes to new mobile payment methods in the cloud, how will we make sure that cloud service providers are fulfilling these responsibilities? This new paradigm requires new processes for vendor management, especially for banks in mobile payments. Banks will need to be able to demonstrate to regulators that they have conducted a comprehensive risk assessment on service offerings and done third-party due diligence at the onset of an outsourced relationship. Regulators must provide ongoing oversight for financial stability and fulfillment of contractual responsibility.

Complex business models likely will use combinations of technology
As the paper notes, it is likely that we will see hybrid models that use both NFC and the cloud for managing different pieces of information associated with a payments transaction. As we noted in a previous post, there are benefits and challenges to both NFC and cloud technologies. Numerous complex variables are at play when it comes to their security environments. As these technologies are likely to coexist, it will be important to understand the underlying security features as new mobile payment solutions come to market in the future.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

January 7, 2013 in consumer protection, mobile banking, payments


August 13, 2012

Tourism Traffic Boosts Prepaid Cards

Prepaid cards, at least until 2010, were the fastest growing payment method in the United States, according to the Fed's latest payments study. Their use is also growing in other markets, including Latin America in general and Brazil in particular, especially for funding tourism activities. Brazilian tourists are increasingly choosing rechargeable prepaid travel cards loaded with U.S. currency over cash. Interestingly, U.S. banks are also realizing economic benefits from tourists' move from cash to prepaid cards.

Growing South Florida tourism drives Brazilians to spend more
Brazilians make up the second largest tourist group to Florida, next to Canadians (3.3 million of whom visited the United States in 2011). Last year, approximately 1.5 million Brazilians visited Florida. They spent more than a billion dollars total, with a per-visit amount typically exceeding $5,000. Altogether, the Atlanta Fed's Miami Branch paid out $1.7 billion in U.S. dollars to Brazil.

A number of factors are contributing to the rise in Brazilian tourists to Florida, including the high number of available flights, expedited processing for travel visas, significantly lower prices for many designer brands coupled with the absence of Brazilian import tax, and relatively cheaper real estate prices.

Brazilian tax rule, other factors influence credit card spending abroad
But why are these tourists increasingly choosing to use prepaid cards? In 2011, the Brazilian government imposed a new financial operations tax of 6.38 percent on foreign transactions made with Brazilian-issued credit cards. The tax, called the IOF—short for Imposto sobre Operações Financeiras—makes using credit cards abroad very unattractive for Brazilians.

Prepaid travel cards also offer more favorable exchange rates, and they insulate consumers against rate fluctuations by offering a fixed exchange rate on all purchases.

Banks in Brazil also benefit from prepaid cards used abroad. Transportation and custody expenses make it costly for Brazil's commercial banks to obtain and hold U.S. dollars. As a result, these banks are actively promoting prepaid cards. U.S. commercial banks quickly seized the opportunity to compete with their Brazilian counterparts by rolling out marketing campaigns in Brazil promoting the benefits of prepaid travel cards for U.S. travel.

All these conditions and incentives have combined to create a 50 percent rise in travel card applications by Brazilians shortly after the tax regulation was introduced.

Brazil offers an interesting case study of the growth in the use of prepaid payment cards. Just as U.S. consumers beyond the unbanked are recognizing the ease and convenience of this payment device, so are international consumers.

By Paul Graham, assistant vice president and branch operations officer, Miami Branch of the Federal Reserve Bank of Atlanta

August 13, 2012 in banks and banking, cards, payments, prepaid


June 18, 2012

MintChip: Sounds like ice cream, but it's actually money

A common topic of conversation in payments for many years has been the notion of a cashless society. Although it is hard to imagine a truly cashless society, it is easy to envision what Ron Shevlin, an analyst with the Aite Group, recently referred to as a "less-cash society." Established alternatives to cash, such as credit, debit, and prepaid cards, have been steadily replacing cash payments for years. However, there still remain individuals who prefer cash to other payment means for a variety of reasons, including the anonymity cash provides.

As an alternative to cash payments, new digital currencies have been conceived. While these digital currencies allow for anonymity like cash, they have traditionally not been backed by an asset or a central bank. At least up until now. In April, the Royal Canadian Mint (The Mint) announced the development of MintChip, a digital currency backed by the Canadian dollar. The Mint is currently accepting MintChip payment applications from software developers.

Prior to the MintChip announcement, The Mint made headlines as the Canadian government announced in March the elimination of the penny. The Mint produced its last penny on May 4 with the goal of removing the penny from circulation by the fall of this year. So within several months, the Canadian Mint quits producing the penny while developing a new digital currency.

I believe that The Mint is sensing a true opportunity with MintChip in light of a threat to its traditional business as the world moves to a less-cash society. Faced with the threat of a loss of production in coins, The Mint is attempting to capitalize on the demand for a digital currency to make micropayments for goods and services in both the online and physical world. And while MintChip might not provide as much anonymity as other digital currencies, such as Bitcoin and Liberty Reserve (which we looked at in an October 2011 post), its backing by the Canadian dollar might make it a more viable alternative to cash and coins.

It will be interesting to watch the developments of MintChip over the next several months as The Mint will select the best applications submitted by outside developers. Should MintChip gain traction in Canada, it is feasible that The Mint will port this concept to other countries where it currently manages the production of coins. (Over time, Canada has made coins for almost two dozen countries, including the Bahamas, Bermuda, Cayman Islands, Iran, and Venezuela.)

The global opportunity in the digital currency space is enormous: there were six billion mobile subscriptions across the globe at the end of 2011, according to the International Telecommunication Union. If MintChip proves to be successful, would the United States Mint attempt to follow suit? And what, if any, would be the regulatory challenges and implications of a digital currency produced by the United States Mint and backed by the U.S. dollar?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 18, 2012 in emerging payments, payments


June 04, 2012

The new consumer protection agency looks at prepaid cards

The prepaid card industry has grown faster than many expected it to in recent years. The industry has a wide range of customers today, including not only the underbanked market but also many other market segments. In fact, in a public hearing on May 23, 2012, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray noted that while many consumers "actually have a bank account, they often use nonbank products to meet their financial needs," including the relatively new prepaid card. As this product has grown in acceptance, consumer advocacy groups have voiced concerns about the potential lack of consumer protections and the need for regulatory clarity for prepaid product providers. In response to these concerns, the CFPB announced its plan to launch a rulemaking initiative to promote safety and transparency in the prepaid market.

Why legal protections differ
While payment law critics cite the fragmented legal landscape for retail payment methods, the differences lie in the underlying mechanics. In the simplest of terms, retail payments can be segmented into three basic genres: "paying now" through a deduction in your account balance at a financial institution through either a check or debit card; "paying later" by using a credit card, which involves a loan from the payment service provider to cover the cost of the purchase in the transaction; and "paying before," by prefunding an account by the consumer for use at a later time.

These inherent funding differences lend themselves to different laws, regulations, and rule sets, since the timing and liability for maintaining the safety of the funds in each case differs. Consumer lending protection laws, for example, have relevance only for credit payment products. The emergence of new prepaid products and nonbanks participating in new business models, along with the sometimes questionable pricing schemes and fees, points to the need for industry dialogue on what new regulatory governance is needed in prepaid services today.

Growth in prepaid
The Federal Reserve’s last triennial payment study revealed that prepaid cards, particularly the general-purpose reloadable (GPR) variety, were the fastest growing retail payment in recent years, even though they represent a relatively small piece of the overall pie of preferred retail payment types. GPR cards allow the consumer—or another party, like an employer—to add funds to the card. This reloadable feature makes the product functional and convenient, and allows consumers who traditionally relied on cash to participate in the electronic economy.

[Chart: Recent growth in prepaid cards]

Increased e-commerce is in turn leading to the use of prepaid in the mobile environment. Payment providers have been experimenting in recent years with bridge technologies such as prepaid card stickers using contactless technology. The sticker is put on the mobile handset, and is intended to influence consumer payment behavior by offering consumers the opportunity to tap their mobile phones at the merchant's point of sale. As a result, the advance notice of rulemaking notes that a prepaid "card" may also take the form of other access devices, such as key fobs, or even a cell phone application that accesses a prepaid financial account.

What the CFPB is offering consumers
When it comes to prepaid cards, the public hearing made it clear that the CFPB wants to make sure, first and foremost, that consumers’ funds are safe, especially because not all prepaid accounts are structured so that they are protected by deposit insurance. The agency also wants to make sure that consumers have access to clearly written disclosures on card terms and fees before they even open a prepaid account. In the hearing, the CFPB also discussed a proposal to extend Regulation E protections to include GPR cards specifically. Furthermore, the CFPB also launched "Ask CFPB: Prepaid Cards" on its website to provide consumers with information about prepaid cards in a question-and-answer format.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

June 4, 2012 in consumer protection, payments, prepaid


May 29, 2012

Are social security numbers still secure enough for payments?

Identity authentication is becoming increasingly important today as consumers conduct more and more social interactions, commerce, and financial transactions online. Many emerging payment methods are conducted electronically today and will no longer involve the face-to-face interactions that have provided an additional layer of security for our traditional retail payments environment. Unfortunately, our primary means of personal identification is the social security number, and it is becoming more vulnerable to compromise. How do we mitigate the risks in innovative payments going forward with traditional identification methods?

A well-intended system
The social security number was created in 1936 as a way to track workers' benefits for the new pension program. At the time, no other use for the number was envisioned. In 1943, however, President Roosevelt signed an executive order allowing other government agencies to use social security numbers. Today, the numbers are the primary identifiers for many government functions, including filing taxes, receiving all manner of benefits, and enlisting in the military. Social security numbers are also widely used in the private sector, especially in the healthcare and financial industries. They have become the default identifier used by healthcare providers, insurers, credit bureaus, banks, and others when signing up new customers.

Social security numbers—not so secure
You probably believe that your social security number is private. You probably assume that it's kept private by those who use it to verify your identity. But how many different people have seen your number, or some part of it, in the past decade? It's out there every time you've gone to a new healthcare provider, signed up for a new insurance plan, or applied for a credit card, bank account, or cell phone plan. Researchers have even developed an algorithm for guessing a person's number using just their place and date of birth.

The problem with such widespread use of social security numbers is that they are easily exposed and vulnerable to use in identity theft and related crimes, including various types of payment fraud. It goes without saying that new identification and authentication methods will be needed in the future to ensure that the personal information accessible via social security numbers can be protected and kept secure.

Mitigating compromise and improving personal authentication
In 2008, the Federal Trade Commission (FTC) developed recommendations on preventing the misuse of social security numbers for identity theft. First, it recommends multifactor authentication, that is, verifying identity with additional factors beyond the social security number. The FTC further recommends that, whenever possible, those who use the numbers restrict the public display and transmission of social security numbers on applications, identity cards, and other documents. As crimes in electronic networks grow more prevalent, it will be increasingly important that the industry adopt multifactor authentication practices to counter the weaknesses of outmoded personal identification methods.

By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

May 29, 2012 in identity theft, payments, privacy


Comments

FFIEC came up with guidelines for 2FA around seven years ago and followed it up with some more guidelines this year. Despite the passage of so much time and the fact that virtually all other large nations have adopted 2FA, banks and e-commerce merchants in the US are conspicuous by their absence of following even the basics of strong authentication like VbV, etc. Is this because 2FA introduces additional friction and/or false positives that result in greater revenue losses than potential loss by fraud? Given where the US is, is there any evidence that fraud loss as a percentage of transaction value is higher in the USA than elsewhere in the world?

Posted by: Ketharaman Swaminathan | May 31, 2012 at 06:49 AM


April 09, 2012

Mobile payments malware: Assault and low battery

According to Dr. Markus Jakobsson, principal scientist at PayPal, malware is moving to the mobile channel as mobile handsets replace PCs. Criminals are businessmen and subsequently go for market size in their exploits. Within a year, he says we will see more handsets than PCs, and we can also expect to see more mobile abuse trends as a result. An interview of Markus on YouTube provides some startling facts and general insights on mobile security challenges and trends.

I first wrote about the emerging threat of malware migrating from PCs to the mobile channel in a July 2010 post titled "The confluence of payments, social networks, and malware: Elements of a perfect storm?" As Portals and Rails readers well know, mobile banking and payments and accessing payments via social networking were just beginning to take off. The post noted that the rapid pace of mobile application innovation and deployment creates vulnerabilities in payment systems accessed via mobile devices. Markus's interview reveals why malware-related intrusions are expected to become more commonplace in the mobile channel and offers some thoughts on a new paradigm for thinking about mobile security.

The mobile handset is a social device as well as a computer
This is the big issue. While numerous consumer behavioral surveys report that consumers are concerned about privacy and security, they treat the handset as a social device to interact quickly with websites, businesses, and other people. In short, consumers trust their mobile devices and value the ability to access social media. As a result, they often fail to adopt available safeguards such as password locks. Jakobsson says that people tend to dislike passwords because they are slow to enter and it's easy to make a fat-finger error. As a result, they opt to operate without cumbersome passwords. Jakobsson asserts that we need a new paradigm to encourage safe authentication going forward.

The problem with virus protection for mobile phones
Consumers don't think of their handsets as computers, but they actually are computers, except that they don't have equivalent battery resources. This means that mobile handsets lack the capacity to run the most basic anti-malware software. Antivirus software works by constantly scanning for malware intrusion. Jakobsson says this is fine if you have only a few instances of malware, but frequent incidents require more frequent scanning, which drains the battery. This is going to be a problem for mobile devices, a problem that to date has not received much recognition.

The root cause: Spoofing and spam
Some problems are beginning to arise with fraudulent apps that divert the user to an unintended website. Spoofing, the practice of sending forged e-mails or directing users to malicious websites, is a critical risk that is hard to manage. According to Key Findings of the 2010 Email MAAWG Security Awareness and Usage Survey, consumers admit to risky behaviors online, with four out of ten admitting to opening an e-mail they suspected was spam. The Messaging Anti-Abuse Working Group (or MAAWG) also reported that younger users are more likely than older users to open suspicious e-mails and click on links.

Who is opening spam and why?

Mobile ecosystem will require different assumptions about security
As e-commerce increasingly moves to the mobile channel, handsets and networks will require new protections for the data used for identity and payments. As consumers share more information via their handsets in social media and broadcast their geolocations to merchants, the mobile channel will become more vulnerable to criminal activity. Malware exposure will occur cross-platform through gaming and social applications that are not suitably policed. While mobile malware circulation is not yet prevalent, the projected growth of mobile platforms versus traditional computers will make mobile an attractive target for organized crime. Industry stakeholders should consider the prospective risks of malware in discussions on mobile payments security.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

April 9, 2012 in malware, mobile banking, payments | Permalink


April 02, 2012

What defines an efficient market?

"There was an active debate on whether the Reserve Banks should be involved in card-based systems, but we concluded that card systems were not something that the Reserve Banks needed to become operationally involved in. [We concluded] that the private sector was developing these systems appropriately on their own, and that it didn't need public sector intervention." (From Louise Roseman's keynote address at the November 2011 Retail Payments Risk Forum conference, "The Role of Government in Payments Risk and Fraud.")

I recently re-watched video clips from Louise Roseman's keynote address at our November 2011 Retail Payments Risk Forum conference. In these clips, Roseman, who is the director of Reserve Bank operations and payment systems at the Board of Governors, explained that the Fed occasionally, but not always, provides payments services. She mentioned that when credit cards started to appear, the Fed debated whether or not they had a role in that market. However, the Fed determined that the market was functioning well enough on its own and that intervention was not justified.

Roseman discussed a contrasting example of when the Fed did intervene in a market: check clearing in the 1910s. In the 20th century, paper checks had to be physically presented at the bank they were drawn on in order to clear. While this process was easy for checks drawn on and deposited at banks located in the same major city, it was much more difficult for checks that had to travel inter-city or were drawn on country banks. To process these out-of-town checks, banks had to manage multiple correspondent relationships. Across banks and clearinghouses, this meant frequent handling and duplication of effort. And when a receiving bank did not have a correspondent relationship with the paying bank, these checks did not clear at par—that is, paying banks charged presentment fees for settling checks with noncorrespondents.

To minimize presentment fees, banks would sometimes send checks on a circuitous route. What follows is a real example of one check's meanderings. (This journey is documented in Clearing Houses and Credit Instruments, a 1911 publication of the National Monetary Commission.) Woodward Brothers of Sag Harbor, NY, wrote a check for $43.56 from its account at the Peconic Bank to Berry, Lohman, and Rasch of Hoboken, NJ. The check was deposited at the Second National Bank of Hoboken. The Second National Bank of Hoboken sent the check to Harvey Fisk and Sons, of New York, who sent the check to the Globe National Bank of Boston, who sent it to the First National Bank of Tonawanda (on the far western border of New York). From Tonawanda, the check made its way to the National Exchange Bank of Albany, was forwarded to the First National Bank of Port Jefferson, went on to the Far Rockaway Bank, and ended up going back to the Big Apple at Chase National Bank. From Chase, the check went to Queens County Bank of Brooklyn, and finally back to the Peconic Bank of Sag Harbor!

At the time, many bankers pushed for the Fed to provide check clearing to reduce these inefficiencies. The Fed obliged, which resulted in savings to the whole market and all checks clearing at par.

Check clearing is just one example of a payment system in which the Fed could improve the overall efficiency of clearing and settlement processes. Are there other markets for which we could replicate this success? What defines an efficiently functioning market?

By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

April 2, 2012 in checks, payments | Permalink


February 21, 2012

Security in the mobile wallet: Is it good enough yet?

For years we've heard about the future mobile wallet: using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 promises to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.

image of fat wallet

But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.

Different security deployments for mobile wallets may postpone widespread adoption
As noted in our 2011 mobile industry position paper, firms rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability. Free market dynamics, however, dictate that the players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers, namely the mobile operators and the financial institutions partnering in these new business models, are considering different security deployments.

A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:

"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."

It stands to reason that a lack of security standards can threaten consumer trust when something goes wrong, as we saw this week with Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may affect consumer adoption of other mobile wallet trials scheduled to roll out in 2012.

Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics' recent study found that financial services applications had the largest percentage of apps that passed their security tests.

table of Mobile Application Security by Type of Application

Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, with banks partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure it is working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are meeting the terms of third-party agreements with respect to application and device security.

Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.

By Cynthia Merritt, assistant director of the Retail Payments Risk Forum

February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems | Permalink
