February 04, 2013
The Promises and Pitfalls of Big Data
In reviewing one of my recent credit card statements, I noticed a marketing message offering $5 off for an online purchase using their credit card at one of the online retailers I frequently visit. At first I thought this was a bit strange as I had not used that particular credit card at that merchant. Then I realized this was likely "Big Data" in action. Evidently, this credit card issuer had gotten information from some database, perhaps from the retailer, that I was a frequent customer of that retailer. The card issuer then checked its records and found that its card wasn't the one I used for the purchases, so it tried to entice me with $5 savings to switch my card usage habits.
A recent Harris Interactive poll of 1,000 U.S. Internet users showed that the typical consumer has an extremely high level of concern about the amount of personally identifiable data (PID) that is collected about them from public databases, e-mails, web access, and private data aggregators and how that information is being used. Big Data has opened a new world of marketing opportunities for companies with the capability to analyze and use such a wide array of information. In addition to marketing opportunities, Big Data technology can also provide enhanced risk assessment capabilities.
Card issuers have used data analysis at both the macro and individual cardholder level for several decades for fraud management purposes. With sufficient transaction history, the issuer creates a cardholder's purchase profile and evaluates future transactions against that profile. In the early stages of such efforts, if a transaction fell outside the normal profile parameters, the issuer was likely to authorize the purchase and then attempt to contact the cardholder later to verify its legitimacy. Before the wide usage of cell phones or text alerts, contacting the customer was often delayed by days until he or she could be reached on a landline. With advances in software and processing technology, some issuers risk-rate transactions as they are received for authorization and may deny a transaction with a high risk score or one that exceeds parameters the customer has personally established. Of course, the downside to such a process is a false denial resulting in a less-than-satisfied cardholder.
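The profile-then-score authorization flow described above, as an added example that is not the page's or any issuer's code: a profile is built from a constructed eight-transaction history, each new transaction is scored against it, and customer-set parameters are checked first as hard denials. The scoring weights, the deny threshold and the transaction fields are assumptions; the last case shows the false-denial downside for a legitimate but unusual purchase.

```python
"""Profile-based card transaction risk scoring (constructed example)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Transaction:
    amount: float    # purchase amount in the card's currency
    category: str    # merchant category, e.g. "grocery"
    hour: int        # local hour of day, 0-23
    country: str     # merchant country code


@dataclass(frozen=True)
class Profile:
    """Cardholder purchase profile derived from transaction history."""
    mean_amount: float
    std_amount: float
    categories: FrozenSet[str]
    countries: FrozenSet[str]
    hours: FrozenSet[int]


@dataclass(frozen=True)
class CustomerLimits:
    """Parameters the cardholder set personally; any breach is a hard denial."""
    max_amount: Optional[float] = None
    allowed_countries: Optional[FrozenSet[str]] = None


def build_profile(history):
    amounts = [t.amount for t in history]
    return Profile(
        mean_amount=mean(amounts),
        std_amount=pstdev(amounts) or 1.0,  # avoid divide-by-zero on a flat history
        categories=frozenset(t.category for t in history),
        countries=frozenset(t.country for t in history),
        hours=frozenset(t.hour for t in history),
    )


def risk_score(profile, txn):
    """0-100 score measuring how far the transaction sits outside the profile.
    Weights are assumptions chosen for illustration."""
    z = (txn.amount - profile.mean_amount) / profile.std_amount
    score = min(45, int(max(0.0, z) * 15))      # 15 points per std dev above the mean
    if txn.category not in profile.categories:
        score += 20
    if txn.country not in profile.countries:
        score += 25
    if txn.hour not in profile.hours:
        score += 10
    return min(100, score)


def authorize(profile, limits, txn, deny_threshold=60):
    """Return (decision, reason, score). Customer-set limits are checked first."""
    if limits.max_amount is not None and txn.amount > limits.max_amount:
        return "deny", "exceeds customer amount limit", None
    if limits.allowed_countries is not None and txn.country not in limits.allowed_countries:
        return "deny", "country not allowed by customer", None
    score = risk_score(profile, txn)
    if score >= deny_threshold:
        return "deny", "risk score above threshold", score
    return "approve", "within profile", score


# Constructed history: routine domestic daytime spending, all in "US".
HISTORY = [
    Transaction(42.10, "grocery", 12, "US"),
    Transaction(65.00, "fuel", 8, "US"),
    Transaction(18.50, "restaurant", 13, "US"),
    Transaction(55.30, "grocery", 18, "US"),
    Transaction(30.00, "restaurant", 20, "US"),
    Transaction(71.20, "grocery", 17, "US"),
    Transaction(24.80, "fuel", 9, "US"),
    Transaction(48.60, "restaurant", 19, "US"),
]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    no_limits = CustomerLimits()
    capped = CustomerLimits(max_amount=250.0)
    print(authorize(PROFILE, no_limits, Transaction(45.00, "grocery", 12, "US")))
    print(authorize(PROFILE, no_limits, Transaction(900.00, "electronics", 3, "XX")))
    print(authorize(PROFILE, capped, Transaction(300.00, "grocery", 12, "US")))
    # A cardholder travelling abroad: legitimate, but scored as a false denial.
    print(authorize(PROFILE, no_limits, Transaction(120.00, "hotel", 23, "FR")))
```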
While few may find fault with using data for financial risk management purposes, the line is blurry between privacy and data analysis for behavioral activity. Let's say you normally use a particular prescription medication for treatment of a chronic medical condition. Data analysis can tell how frequently you should be getting refills of that medication from your pharmacy. On the positive side, the pharmacy can use this information to send you reminders that it is time to order a refill. But what if the data shows that your refills are spaced further apart than the quantity and dosage level dictate? Is it ethical for the online pharmacy to notify your insurance provider that you appear to have significant lapses in taking your medicine when doing so could affect future coverage? At what point does "Big Data" become "Big Brother"?
In 2013, data security and privacy—the issues associated with Big Data—will be a major area of focus for the Retail Payments Risk Forum. In addition to looking at these issues in our Portals and Rails posts, we will be publishing white papers and convening forums with designated stakeholders to further discuss these issues. We welcome your input on what topics you would like to see us cover.
Oh, and as to that $5 offer, I think I'm going to hold out for a few months and see if they are willing to raise the ante. If this blog is being data scrubbed, I think $10 will do it!
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
On a different note, the Retail Payments Risk Forum would like your feedback on our blog. We would be grateful if you would take a moment to complete our survey. It really is very short.
May 29, 2012
Are social security numbers still secure enough for payments?
Identity authentication is becoming increasingly important today as consumers conduct more and more social interactions, commerce, and financial transactions online. Many emerging payment methods are conducted electronically today and will no longer involve the face-to-face interactions that have provided an additional layer of security for our traditional retail payments environment. Unfortunately, our primary means of personal identification is the social security number, and it is becoming more vulnerable to compromise. How do we mitigate the risks in innovative payments going forward with traditional identification methods?
A well-intended system
The social security number was created in 1936 as a way to track workers' benefits for the new pension program. At the time, no other use for the number was envisioned. In 1943, however, President Roosevelt signed an executive order allowing other government agencies to use social security numbers. Today, the numbers are the primary identifiers for many government functions, including filing taxes, receiving all manner of benefits, and enlisting in the military. Social security numbers are also widely used in the private sector, especially in the healthcare and financial industries. They have become the default identifier used by healthcare providers, insurers, credit bureaus, banks, and others when signing up new customers.
Social security numbers—not so secure
You probably believe that your social security number is private. You probably assume that it's kept private by those who use it to verify your identity. But how many different people have seen your number, or some part of it, in the past decade? It's out there every time you've gone to a new healthcare provider, signed up for a new insurance plan, or applied for a credit card, bank account, or cell phone plan. Researchers have even developed an algorithm for guessing a person's number using just their place and date of birth.
The problem with such widespread use of social security numbers is that they are easily exposed and vulnerable to use in identity theft and related crimes, including various types of payment fraud. It goes without saying that new identification and authentication methods will be needed in the future to ensure that the personal information accessible via social security numbers can be protected and kept secure.
Mitigating compromise and improving personal authentication
In 2008, the Federal Trade Commission (FTC) developed recommendations on preventing the misuse of social security numbers for identity theft. First, they recommend using multifactor authentication, including additional processes in addition to the social security number. The FTC recommends further that, whenever possible, users should restrict the public display and transmission of social security numbers from applications, identity cards, and other documents. As crimes in electronic networks grow more prevalent, it will be increasingly important that the industry use multifactor authentication practices to combat the threat of outmoded personal identification methods.
By Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
March 05, 2012
Generations of payment innovations
Bob Kennedy is a director and payments expert in the Fed Atlanta's supervision and regulation department. As Bob prepares for retirement next month, we sat down to talk about his thoughts on the retail payments environment in the United States.
P&R: Bob, you've gained a reputation in industry circles as an expert in the payments field and a frequent speaker at industry events with a long and distinguished career in bank supervision. Can you tell us a little about your background and your retail payments experience?
Bob: I actually come from a banking family. My grandfather actually set up a bank in the 1890s in a small town in rural Alabama to provide simple financial services to businesses and over time it grew and expanded to more consumer-based financial services. My father took over the business and employed me as early as age 12 on the teller line one day a month after school, authenticating customers who came in to cash their social security checks.
Payment services were pretty simple back then. At our little bank, customers had traditional demand deposit accounts but we did not issue checkbooks. So when they wanted to make a purchase at a merchant they would use counter checks and fill in their account information. The merchant would call my father at the bank to verify the customer's identity and funds availability.
By the 1960s, things were getting more complicated. Our customers were starting to shop more in nearby cities, so they asked us for preprinted checkbooks. My father lost an important control when we started to issue these, but we recognized the need to change with our customers so we could keep their business. Then in the 1970s, our customers demanded credit cards. The point of this history summation is that the family bank had to change to adapt to consumer demand. The same holds true today as we continue to see disruptive forces that are changing the payments business.
P&R: How would you characterize the general landscape today for bank adoption of emerging retail payments?
Bob: I would characterize the landscape as exciting because nothing is static—there is a lot going on, and we're seeing community banks beginning to adopt new types of payments. Banks are adapting to consumer demand, as before, but at the same time they need to be able to find a reward for providing the product or service, and that's in the form of revenue or customer retention. They have to have a use case for offering new services.
One of the biggest drivers of change in retail payments these days is the demand for payments data, which has become a virtual treasure trove in the sense that it provides tangible evidence about consumer decisions about products and services. A consumer who buys something has made a clear decision about the product, the retailer, and the date and time when he or she makes the purchase. This is why data mining is becoming so important to merchants in developing marketing strategies.
For example, a large retailer with a decoupled debit card may obtain information about individual consumer spending habits that it uses to help understand future potential consumer choices about products and services. According to a recent article by Charles Duhigg in the New York Times, this retailer has collected tons of data on every regular customer they have. With a "Guest ID" that the store assigns to these regulars, they track everything they buy. I believe this is why a lot of big nonbank firms like Google and PayPal are trying to establish a foothold in retail payments through the introduction of new payment channels. They recognize the monetary value of payments data at the point of sale.
P&R: What are the primary risk concerns for banks in retail payments today?
Bob: There are multiple risks for banks to consider, including operational and liquidity risks. Clearly, for U.S. banks, strategic risk is critical today with nonbank firms introducing disruptive innovations and evolving as a competitive force for banks that must remain relevant and profitable at the same time. They are forced to continually assess their business models as a result. On the positive side, we are seeing new partnerships. I read about the new alliance with Regions Bank and Western Union, leveraging each firm's agent or branch networks to provide remittance and banking services on a complementary, cross-selling versus competitive basis.
That brings us to vendor management. With banks outsourcing and partnering with nonbank, third-party firms, increased oversight for those relationships is required, along with more expertise at the bank level. For many community banks, hiring that level of expertise is challenging, and they need to rely on the risk management services from their core processors.
In addition, liquidity risk for banks in this new payments landscape has been heightened by the more rapid clearing and settlement of payment files.
Finally, security and privacy are big issues for U.S. financial institutions today, not only from a regulatory perspective but also—more importantly—from the need to protect the bank's reputation among its customers as a trusted payments partner.
P&R: What trends should industry stakeholders watch going forward?
Bob: Technological advancements are making our retail payment systems more effective, efficient, and easy. U.S. banks are doing a good job and approaching these new services and partnerships with sound due diligence. Retail payments will continue to change going forward, with disruptive services and nonbank firms appearing in ways we cannot predict. I think it will continue to be an exciting area to watch for a long time.
November 01, 2010
Beware of cybercrashers to your social network party
According to the Nielsen Company, the overall global traffic to social network sites grew nearly 30 percent in one year, from 244.2 million users in February 2009 to 314.5 million users in February 2010. In the United States alone, the average active social network audience grew 22.8 percent, from 115 million to 149 million during that same time period. If social networks are expanding this rapidly, can the growth of associated risks—specifically, data privacy—be far behind?
Establishing privacy parameters
Privacy is perhaps the most significant concern surrounding the use of online social networking sites. Recently, BBC Mobile reported that consumer confidence in social networking sites has been shaken as issues over privacy concerns have come to light. Results of an RSA 2010 Global Online Consumer Security Survey show that, even as thousands of individuals join social networking websites each day, nearly 65 percent of survey respondents indicated that they are less likely to interact or share information due to growing security concerns. Although most online social networking sites have privacy protections in place that allow users to establish their own level of security settings, online social networks are inherently public, which makes it difficult to secure nonpublic information. But if users are shielding their personal information through security settings, how, then, are hackers able to extract this information and steal their identities? Could the simple act of sharing, friending, or posting make it easier for hackers to attack a social network site and impersonate its users?
Facing incoming threats to social network sites
Corporations that use social networks as communication tools (or corporations whose employees use them without IT's authorization) are faced with significant security and compliance risks. In a survey that FaceTime conducted of IT groups, 14 percent of respondents reported that they've seen data leak through social networks. According to this study, Web 2.0 applications like instant messaging, Skype, and the chat functions within social networks can travel undetected through an organization's network, thus posing the risk that confidential information such as credit card details will leave the organization's control without authorization. Hackers use various means to attack social network sites, including phishing, spam, and malware. Their success is in part due to the trust users place in their networks. The study also notes that users are far more likely to click on a link from a friend on a social network site than in an e-mail.
Using small bits of information to gain entry
Gateway data, a term coined by Herbert Thompson, a professor at Columbia University, refers to the confidential information harvested by cybercriminals from social networking sites. According to Thompson and researchers at Carnegie Mellon University, hackers can use such confidential information as someone's mother's maiden name—discovered from a social network site—to answer a challenge question and gain access to the person's account or personal financial data. Users of gateway data can also use these single pieces of information to trick the user into revealing even more sensitive information.
In a 2009 study, researchers from Carnegie Mellon University were able to deduce the Social Security numbers of millions of individuals just by sifting through fragments of data typically shared on social networks and other publicly available sources. Another study, this one by Consumer Reports, found that 52 percent of social network users disclose information that could leave them vulnerable to cybercriminals. Pieces of information such as a mother's maiden name, home address, or home or mobile phone number can lead perpetrators to steal users' identities.
Deterring cybercrime with a healthy dose of skepticism
The global reach and public nature of social networking websites have made them a favored target for online criminals. While consumers enjoy the ease of communication and information sharing on these social networks, these online forums have introduced new and unanticipated risks. Users must take some crucial steps to deter thefts of their identities, including becoming educated in the types of online crime while avoiding such common pitfalls as weak security settings and compulsive information sharing.
A healthy dose of skepticism on what, how much, or with whom to share can go a long way in reducing the exposure of personal, confidential information, because what is shared on the Internet stays on the Internet.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 20, 2010
Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 2 of 2)
Last week, in Part 1, we took a conceptual look at the issue of balancing financial privacy interests with catching criminals. This week we look closer at the subject, with an eye on the legal landscape of financial privacy laws and law enforcement's ability to access financial records under the existing laws.
The legal battle between law enforcement and personal privacy in the United States is as old as privacy law itself, and maintaining a balance between the two has for years required continuous maintenance of financial privacy laws. One of the most recent changes occurred in 2001, with the introduction of the Patriot Act. While the Patriot Act gives law enforcement agencies easier access to financial information so they can intercept terrorist financing and prevent money laundering, the Patriot Act has also been used routinely to combat nonterrorist criminals.
But have we struck the right balance yet? Or are stronger financial privacy parameters needed to tip the scales in favor of either the consumer or law enforcement?
The financial privacy law landscape prior to the Patriot Act
Historically, customers have expected their bank records to be held in confidence, relying largely on their right to financial privacy based on their contractual agreement with the bank. But in 1970, the Bank Secrecy Act (BSA) became law, and turned that expectation upside down. The BSA began requiring financial institutions to maintain certain records on their customers and authorized the Secretary of the Treasury to require financial institutions to report certain financial transactions. That same year, the Fair Credit Reporting Act (FCRA) was passed, whose goal was to safeguard consumer financial information by limiting the availability of consumer credit reports only for specific "permissible purposes."
In 1978, the Right to Financial Privacy Act was passed, which generally precluded the disclosure of a consumer's individual financial records to a government authority without the customer's consent, absent a subpoena or other judicial order. In 1999, Title V of the Gramm-Leach Bliley Act addressed several additional issues relating to the protection of nonpublic personal information maintained by financial institutions. Since their enactment, each of these statutes has undergone several amendments, mostly in response to the competing interests between a consumer's right to financial privacy and law enforcement's legitimate need to access consumers' financial records.
The Patriot Act: enhanced law enforcement access to customers' financial records
The Patriot Act allows law enforcement to develop a strategy for catching the bad guys by virtue of significant changes in the regulatory scheme of financial privacy, including new "Know Your Customer" rules, and allowing the sharing of information between law enforcement and financial institutions. Specifically, section 314(a) of the Patriot Act allows law enforcement agencies to gather financial data about a person being investigated.
Under section 314(a), a federal law enforcement agency investigating either terrorist activity or money laundering may request that FinCEN (the U.S. Department of the Treasury's Financial Crimes Enforcement Network) provide certain financial information from a financial institution or group of financial institutions. FinCEN then turns to the financial institutions and asks them to search their records to determine whether they maintain or have maintained accounts for, or conducted transactions with, the individual or entity specified by the law enforcement agency.
If a financial institution has a record of dealing with the subject of the inquiry, it must report back to FinCEN, which in turn shares the collected financial information with the law enforcement agency. Financial institutions may not disclose that FinCEN or the requesting agency made such an information request. No search warrant or subpoena is required.
Section 314(a): Beyond terrorist financing and money laundering
According to FinCEN, investigations incorporating section 314(a) requests have included a Hawala operation, cigarette smuggling, arms trafficking, investment fraud, and an international criminal network. Anonymity stifles the ability of law enforcement to combat criminal activity. Consequently, one of the biggest challenges confronting law enforcement officials is connecting the dots when trying to catch the bad guys. However, given the delicate and often strained balance between the privacy laws and law enforcement’s need to access financial records, can a sacrifice in financial privacy result in a balancing benefit in more effective law enforcement, or does law enforcement have adequate tools today to intercept criminal activity?
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
September 13, 2010
Playgrounds and privacy: Finding the balance in protecting consumers and catching criminals (Part 1 of 2)
Many, many years ago, when I was an elementary school student, I experienced the excitement of that now-defunct practice called "recess." This outdoor break in the school day allowed students to blow off steam, get some exercise, and learn social playground skills. It also allowed weary teachers to have a break from us. One of my favorite things on the playground was the "teeter-totter," the simple, two-person balancing board affixed to a fulcrum. The boredom of just going up and down was interrupted by doing so with force and speed or by surprising one's partner by jumping off, thereby causing the other party to descend rapidly, sometimes causing his/her bottom to hit the ground before the feet. More challenging, however, was the concept of the two riders trying to position themselves so that the teeter-totter would actually balance itself in a way that both parties would be suspended off the ground. Great fun!
Balancing data privacy rights
Strangely, this activity bears a strong resemblance to what we find ourselves doing in the payments system today as we try to balance a consumer's right to data privacy with a service provider's responsibility to protect a customer from financial loss. Achieving this balance has become a time-consuming and expensive activity for the payments industry and for law enforcement agencies charged with catching bad guys after they breach protected files.
The responsibilities inherent in providing data privacy protection are complicated because data privacy laws today are set largely at the state level. Consequently, some variance exists in due diligence. Companies whose customers span multiple states struggle to deal with different requirements and remedial actions should a data breach occur. Frequently, a company adopts procedures that comply with the most rigid of the laws, in essence satisfying the "greatest common denominator," the effect of which is to gravitate toward a de facto national standard in federal laws on data privacy.
Responsibilities in managing data breaches
No fewer than 24 federal laws exist today that attempt to protect the privacy of some aspect of our personal and business lives. However, there is no overarching federal legislation in place that specifically addresses financial data privacy. Such bills have been drafted, but they are logjammed in Congress behind more pressing matters. At the state level, virtually all states have some form of financial data privacy legislation on the books. For the most part, the banking industry has looked at the construct and verbiage of the 2002 California law as the standard of care for all. In essence, the law requires a company to report any breach in which a customer's name is compromised in combination with a Social Security number, a driver's license number, or any bank account information, including debit and credit card numbers. More recently, in March, Massachusetts adopted a seemingly more stringent law that speaks less to the need for post-breach remedial action and more to the prevention of breaches in the first place. In this way, data privacy legislation seems to be converging with the "commercially reasonable" data security requirements of Article 4A of the Uniform Commercial Code.
Ultimately, trouble arises when organizations are forced to guess what standards are commercially reasonable. Trouble also arises when companies attempt to minimize exposure by extending the definition of protected data to include non-personal information, such as company names and other identifiers resident in payment transaction records. While courts will have to sort out the first issue, the practice of businesses adopting self-imposed, expanded data protection standards is another matter.
The problem here is twofold. First, excess caution will inevitably lead to higher costs that have to be recovered elsewhere in a bank's profitability formula. Frequently, this occurs through the institution of some form of account. Second, over-interpretation of laws creates barriers to effective industry controls and processes for detecting and mitigating fraud, as well as making the regulatory and law enforcement aspects of fraud mitigation more cumbersome and expensive. Where, then, is the balance point on this teeter-totter of financial privacy?
Where do we go from here?
Unfortunately, the answer may ultimately lie in creating some umbrella national legislation that tries to strike the right balance. Such legislation must allow for a cadre of "trusted parties" who bear the responsibility for protecting data as a price for collecting it so as to reduce financial crimes. As a consumer, I certainly don't want anyone misusing my personal information, but I also want those who do so to get caught and pay the price. It is only then that the cycle of improvement can take place—more forcible enforcement, more prison terms, fewer bad guys in the market, less privacy invasion, fewer sleepless nights. Inevitably, the balance point on a teeter-totter only occurs when one party pushes off first—and that may be the regulators and law enforcement.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum