Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

February 27, 2012

QR codes versus NFC: Cheaper, but worth the risk?

In recent years, we've seen discussions on the value and viability of near-field communications (NFC) apps morph from the hypothetical to some actual real-life deployments. Google has rolled out an NFC mobile wallet, and others are on their way for trial rollouts, as we discussed in last week's post. As this burgeoning industry takes shape and the costs and barriers become more apparent, some interim and quite disruptive technological alternatives are gaining attention—namely QR (short for "quick response") codes. In fact, many merchants today are touting QR codes as the near-term alternative to a more costly deployment of contact and contactless chip-based payments using NFC and EMV interoperability and security technology standards. They are touting these QR codes despite the superior security that chip technology affords. These discussions beg the question: are short-term economic gains realized from less costly QR code technology adoption at the expense of payment security?

How do QR codes work?
example qr code QR codes are a two-dimensional form of barcode whose contents can be decoded electronically at high speed. QR code use exploded in 2011, and telephonic technology has expanded to support their application for storing all kinds of data, including URLs. As a result, consumers are increasingly using QR codes to access magazines and newspapers on the Internet and to find online product reviews by scanning price tags. The camera in a smartphone captures the picture of the QR code, and then decoding software helps the phone connect to a website or a file download.

QR codes and malware
Unfortunately, there is no way to visually discern whether the data contained in the QR code will direct the user to a malicious website or application. Infected QR code problems are just beginning to emerge because most people simply don't know the best way to protect their mobile device. According to Marian Merritt, a Norton online safety advocate, "fewer than 5 percent of people have got some form of security on their mobile devices." 2011 in particular witnessed an upsurge in hackers using QR codes as a means of transmitting mobile viruses in Russia. According to a recent report by AVG Technologies, scanning a QR code and executing its hidden applications on a mobile device is akin to "running an unknown executable on your computer." Mobile-related hacking events are expected to rise in 2012 with the advent of more advanced QR code-enabled mobile applications.

Should economy trump security?
QR codes fulfill a wide range of functionalities, but should they be used for payments? Starbucks has realized considerable success with its QR code-based mobile payment app with millions of transactions since it launched one year ago, and merchants are receptive to a more affordable point-of-sale payment acceptance system generally.

The risk of fraud in micropayments and closed-loop payment systems—such as the QR code prepaid business model that Starbucks uses for a cup of coffee—may not be as significant as for larger, open-loop transactions. Ultimately, QR codes may play a viable role in some smaller, and less risky, payment applications. Payments industry participants should carefully consider the ramifications of a strategy that expands their use more generally in lieu of NFC-enabled payments.

Cindy MerrittBy Cynthia Merritt, assistant director of the Retail Payments Risk Forum

February 27, 2012 in contactless, fraud, mobile payments, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168e812f994970c

Listed below are links to blogs that reference QR codes versus NFC: Cheaper, but worth the risk?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 22, 2011

Is recent EMV announcement the catalyst the U.S. needs to catch up?

During this past year, the team at Portals and Rails has published several articles exploring the growing risks in card-based payments and the need to move to a more sophisticated and secure enabling technology. But overhauling a payment system is no easy task, as there are many players that need to collaborate, from the card networks to the bank issuers and merchants. How does the industry organize itself to orchestrate a much-needed transition?

The merchant community in particular has rightfully expressed concerns over the infrastructure investment costs for card acceptance terminals. While they acknowledge the need to migrate to a more secure payment system that does not rely on outmoded magnetic stripe card technology, they understandably want a future-proof investment strategy.

Visa's recent announcement about its plans to accelerate chip migration and the adoption of mobile payments may just provide the clarity in direction and sufficient incentives to get merchants moving.

Reduced PCI compliance requirements and liability shifts: Carrots and sticks
Visa's plan will require merchants to invest in chip-acceptance terminals as well as bear responsibility for losses resulting from magnetic stripe card fraud if they continue to accept those cards beyond a specific transition period. Right now, the banks that issue the cards bear those costs. So Visa is essentially imposing a counterfeit fraud liability shift as the metaphorical stick to encourage merchants to comply with the plan. Since the United States is currently the last developed country to implement a plan to migrate to chip-based card payments and agree to such a liability shift, this is a significant move.

But Visa's plan also contains some compelling incentives for the merchant community. PCI data security compliance requirements are costly and increasingly ineffective in combating card fraud schemes like card skimming. The Visa plan will eliminate certain PCI compliance requirements for merchants for whom at least 75 percent of their Visa transactions originate from chip-enabled acceptance terminals. Merchants will still have responsibility for protecting customer authentication information such as security codes and PINs. The prospect for improved security coupled with the reduced PCI compliance costs should be a welcome benefit to merchants.

Building a future for mobile payments
By initiating a plan to migrate to both contact and contactless chip technology at the merchant point-of-sale, the Visa plan may actually speed up the adoption of mobile payments. Building out the acceptance infrastructure will be necessary to support contactless payments and other chip-based emerging technologies in the future.

Conclusion
The growing incidence of global card fraud schemes is drawing critical attention to the need to overhaul the U.S. card payment system. Not only are countries in the European Union moving to chip-and-PIN technology to support their card payments, but they've also discussed banning the acceptance of magnetic stripe cards as a possibility. What this means is U.S. travelers will not be able to use their payment cards abroad. As a matter of fact, if you've traveled to Europe lately, you've undoubtedly discovered that some merchants are not equipped to accept our U.S. payment cards now. The move to chip technology for card payments has been coming—but no one knew exactly when or how. Clearly for merchants, the Visa announcement represents a roadmap for the future.

Cindy MerrittBy Cindy Merritt, assistant director of the Retail Payments Risk Forum

August 22, 2011 in chip-and-pin, payments, payments risk, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015390e620d5970b

Listed below are links to blogs that reference Is recent EMV announcement the catalyst the U.S. needs to catch up?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 15, 2011

Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud

It is a fortunate thing that video games were not yet invented when I was a youngster because I was clearly a candidate for addiction. Even as an adult, I have been sucked into many hours of PacMan (remember?), Mario Brothers, Medal of Honor, Tiger Woods (remember?) Golf, and a wide range of Wii games. Many of these games involve negotiating difficult challenges to get to certain destinations or achieve certain goals necessary to advance to the next level of the game. Jumping, fighting, racing, searching, and other actions were pivotal to avoiding obstacles and a myriad of evildoers to achieve eventual victory.

Although pursuing visionary goals in the payments world is hardly a game, negotiating the landscape of today's payments systems has many of the same challenges and, perhaps, prerequisite skills to achieve success. Focusing the analogy a bit more tightly, the goal of evolving to a "fraud-efficient" or "risk-efficient" payments system is constantly obstructed by any number of challenges and bad actors. It's tempting to hope that we can discover the one secret key that allows us to advance to a new level, but it's increasingly obvious to me that several high-level strategic initiatives must be adopted to vanquish our demons. Let me illustrate.

Measuring the level of distress is critical
A key survival strategy in many video games that involve fighting or racing is to measure what resources you have left. A visible "meter" of strength or inventory of weapons is available, and certain actions can replenish resources. In the U.S. payments system, we are constantly engaged in addressing new attacks and making investments of resources, but for the most part, we do not have good measures of the level of fraud costs and fraud losses, nor do we have a very good appreciation of the magnitude of future risks. Some of this confusion is just environmental uncertainty, but some comes from the lack of any type of comprehensive and statistically credible fraud data that can then be used to assess future investment options. Progress in addressing the lack of central data, whether it comes from industry- or government-led initiatives, will be a pivotal element in driving future actions.

Realigning incentives and disincentives can rationalize change
A lot of electronic games provide incentives to players to take somewhat riskier courses of action in order to obtain bonus points, protective gear, or more powerful weapons that can lower future risks. Those who choose not to do so are generally exposed to greater vulnerabilities or liabilities than those who have invested. The same holds true in payments, where those who have invested more aggressively in fraud mitigation tend to have better results, while others suffer more heavily. However, many of the current approaches to absorbing risk do not seem to allocate the costs of fraud management to those who are in the best position to prevent it, thereby distorting business cases for change. Historically, markets in the aggregate react rationally and predictably to the proper use of incentives and disincentives directed at achieving specific strategic goals. Given increasing fraud trends and the changing economics of the payments industry, it is time for all parties to rebase their business cases around fraud and consider the use of meaningful incentives to drive behavior.

Removing silo walls to pursue overall industry goals
Rigid silos of operation and responsibility have hampered recent efforts to enhance the efficiency and integrity of the payment system within individual organizations and across payment options. Many organizations, particularly in the banking space, find themselves organized to promote the attainment of very specific goals within business silos, as opposed to maximizing the bottom line of the whole organization. Many video games teach us to find allies of like mind to strengthen our forces—or, in games like SimCity (or FarmVille!), to acquire various diverse resources and blend them into a greater whole. Creating an organizational structure with one executive responsible for all payments and related risk will ensure that everyone pursues the overall corporate strategies and financial goals rather than the goals of individual units. At the industry level, fostering better sharing of fraud information across industry payment silos is needed to attack bad actors that simply move to the channel of least resistance.

Self-regulation versus government help: The best defense is a good offense
Over the past three years, we have witnessed a greater enthusiasm in Washington to address emerging problems in our payments systems. This is largely because the outcry about unfair practices reached the halls of Congress, which then acted by passing the CARD Act, overdraft legislation, and the Durbin interchange amendment. Most video games I have played reward smart offensive action as opposed to defensive approaches. It is increasingly clear to me that there is room for the payments industry to develop guidelines, rules, and best practices that can mitigate the possibility that government might choose to "help," particularly in the area of protecting consumers and even as the Consumer Financial Protection Bureau gears up to implement their new rule. Taking the offensive with creative "self-regulation" has resulted in better outcomes in other countries.

Getting it done
The question then becomes, "Who should instigate these actions?" It is tempting to answer, "Anyone who cares." However, a better and more directed answer might be: key industry players or associations that represent widespread constituencies and can bring the power of aggregate thinking and decision making to the table.

Visa just announced that it would be moving to EMV-compliant chip technology for cards and mobile phones. This decision is a clear example of an effort to move the ball in the direction I just talked about. Don't get me wrong. Not everyone in the ecosystem will be happy about the way that Visa is going about it, but Visa is defining a roadmap for implementing more secure technologies—the company is clearly playing offense—and creating a system of incentives that will help the program move forward.

Photo of Rich OliverBy Rich Oliver, executive vice president of the Atlanta Fed and director of the Retail Payments Risk Forum

August 15, 2011 in consumer protection, fraud, payments systems, regulators, risk, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0154348a930e970c

Listed below are links to blogs that reference Lessons from the Mario Brothers: Finding the Keys to Fighting Fraud:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 27, 2011

What are you signing away with a signature instead of a PIN on card transactions?

Recent years have witnessed the commercial banking industry making some surprising risk management decisions. For instance, many financial institutions encourage their customers to choose the credit/signature option of their debit cards rather than the debit option. But the credit option is more vulnerable to fraud, so ultimately is more costly to the industry. In addition, signature debit transactions are processed through the credit card networks, which means the banks earn the higher interchange fee that comes from credit transactions as opposed to debit transactions.

The point of this discussion is not to look at the anticipated effect of the Durbin amendment on interchange practices, but instead to focus on the moral hazard presented by these practices in the context of our nation’s retail payment systems. The reason that signature debit carries a higher interchange fee is that it is less secure than PIN debit transactions. In a recent study by the Federal Reserve Bank of Minneapolis, financial institutions reported that signature debit fraud attempts eclipse fraud with other payment types. The report also says that debit cards along with checks are the payment types most often attacked by fraud schemes, and as a result sustain the highest losses.

Payment types with hihgest number of fraud attempts by % of respondents

Source: 2010 Payments Fraud Survey: Summary of Results,
The Federal Reserve Bank of Minneapolis

However, the study also reported that most financial institutions and other organizations report that actual fraud losses as a percent of their annual revenues are relatively small, at less than 1 percent. This information sheds light on the risk-versus-return decision-making rationale.

As the incidence of payment card fraud in general is on the rise, it is time to take a proactive view of the risk management practices for debit card programs. While persuading customers to process debit card payments on card networks may be more profitable in the short run, the industry may realize an increase in fraud and risk in the retail payments system as a result.

Cindy MerrittBy Cindy Merritt, assistant director of the Retail Payments Risk Forum

June 27, 2011 in consumer protection, fraud, interchange, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e896d2ec3970d

Listed below are links to blogs that reference What are you signing away with a signature instead of a PIN on card transactions?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 25, 2011

Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?

I paid little attention when news broke on the April 1 announcement by the marketing services firm Epsilon that a subset of their clients' data—e-mail addresses and names—was compromised. However, my interest in the story grew as I began receiving numerous e-mails from various financial institutions and merchants letting me know that my name and e-mail address, which I voluntarily supplied to them at some time, were part of the compromise. Unbeknownst to me, these companies had provided my data to Epsilon for marketing services.

Perhaps if I had taken the time to read the service agreements and privacy notices from these companies, I would have been more aware that my data might be shared with a third party. But in today's digital and mobile world that's all about speed and convenience, does anyone really take the time to read these privacy notices before submitting personal information? And I have to think that for most people, the e-mails and snail mail about changes to privacy policies that seem to come on a monthly basis from various companies quickly find their way unread into the trash. Do current bank-enabled P2P offerings present data compromise risks for customers and are banks offering other P2P alternatives that offer convenience without the potential risks?

The current bank-enabled P2P environment
The Epsilon data compromise comes on the heels of my recent experience with two different bank-enabled P2P products that caught me by surprise with the amount of personally identifiable information (PII) required for a transaction. In one experience, all I had to do was enter the recipient's e-mail address. But when the recipient received notice of the payment, she had to enter her name, address, telephone number, e-mail address, and bank routing and account numbers as well as agree to the terms of service and privacy policy of the institution in order to receive the funds.

In the other experience, I was required to enter the recipient's PII before actually initiating the payment. For this provider, depending on the type of transfer being conducted, I might also have had to include a passport/driver license number or a Social Security number. Because my recipient banked with a different institution than I do, she had to authenticate the account by entering her online banking username or Social Security number and password and finally agree to the terms of the service and privacy policy of the institution.

In light of the Epsilon data compromise, it seems only fair for consumers to be fearful about the amount of personal (and highly sensitive) information they hand over to financial institutions to complete a P2P transaction. These institutions could potentially share this data with third parties that provide P2P services for banks or with companies that provide marketing services—such as Epsilon. Once a consumer provides information to the bank, he or she does not necessarily know how much of the data is shared and with whom it is shared. This person is left in the dark about who actually has access to PII and the corresponding privacy and security policies of those companies.

Are today's bank-enabled P2P services solid replacements for cash and checks?
Based on my two recent experiences with these bank-enabled P2P solutions, their value—even ignoring the cost of the service—appears to be small for one-time, small-dollar payments between individuals. The idea of bank-enabled P2P payments may be cool and trendy. However, the amount of information the sender’s bank requires about the receiver to complete the transaction not only is time-consuming to enter but also presents risk issues that outweigh any perceived benefits, especially for the recipient. Perhaps banks are realizing the challenges behind P2P services for small value, one-time payments given the recent proliferation of banks offering an alternative to traditional check depositing, remote deposit image capture (RDIC), which is potentially simpler and less risky for the consumer than banks' current P2P offerings.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 25, 2011 in P2P, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c015431f1175c970c

Listed below are links to blogs that reference Bank-enabled P2P payments: Do potential data compromise risks outweigh the benefits?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 18, 2011

Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference

On November 15–16, 2010, law enforcement, regulators, and other selected payments experts gathered once again to exchange ideas, research, and business expertise at the "Emerging Risks in Emerging Payments" conference at the Atlanta Fed. The conference provided a platform for sharing retail payments knowledge and insights among payment industry participants, regulators, and law enforcement. The conference also expanded networking opportunities for industry stakeholders essential to the payments industry, all of whom have a common interest in improving the detection and mitigation of emerging risks and fraud in emerging retail payments systems.

Opening remarks were made by Patrick Barron, first vice president of the Atlanta Fed. He was followed by Richard Oliver, executive vice president and director of the Retail Payments Risk Forum. Five expert panels with representatives from law enforcement, corporations, service providers, and other stakeholders discussed a range of themes related to emerging risks in emerging payments. Each panel provided a high-level overview of the state of the retail payments environment.

The following brief summary captures some of the key themes discussed during the event. Additional presentation materials are available on the Atlanta Fed's website.

Emerging trends in retail payments
Recent technological advances have changed the way retail payments are conducted. For instance, innovations in the card space are providing better ways to combat card fraud. Countries that have adopted Europay, MasterCard, and VISA (EMV) have seen a marked reduction in skimming fraud compared with countries that use magstripe cards, including card-not-present transactions over the Internet.

The mobile payments panelists predict that consumers will eventually migrate to mobile wallets—the speed and convenience of payment both for the merchant and consumer enhance this likelihood. However, the panelists agreed that some of the challenges to mobile payment adoption in the United States include lack of standardization, merchant investment hurdles, perceived security requirements, and lack of a clear value proposition for consumers.

Emerging risks in retail payments
Innovation introduces new risk factors. Several panelists highlighted the ongoing importance of protecting consumer information as the sophistication of financial crimes continues to increase. For instance, one panelist explained that in the card space, virtual prepaid cards can be funded by a transfer from another card or by phone or Internet, often times anonymously. In some cases, illicit funds can become instantly available from ATMs in more than 200 countries, without sharing confidential or bank information, which makes it very difficult for law enforcement to trace and monitor these funds.

Another panelist discussed the risk profiles of the different person-to-person (P2P) business models. For example, while the mobile channel is emerging as a viable method for P2P payments, telecom customer data—and, to a lesser extent, e-mail addresses—have become reliable ways to identify individuals to receive messages. However, they are not 100 percent reliable public directories. Some of the key risk distribution issues in a P2P environment include unauthorized transactions, intermediary error (such as misdirected payments), and fraud.

Additionally, panelists discussed the emergence of payments in the social network realm. One panelist discussed how fraudsters use social network sites and the data they gather from those sites to commit cybercrimes such as identity theft and "clickjacking scams," which trick users into clicking on ads and other sites that divert them from safe and reputable sites. Another panelist discussed the rapidly growing new segment of social network "businesses" that leverage the payments platform but turn out to be shell or fraudulent businesses.

How to address emerging risks in new retail payments?
Fraud and risk detection and mitigation must keep pace with emerging payments trends. Advances in payments technology enable new ways to conduct retail payments but can also create new channels for criminals to exploit and commit payments crimes.

The panelists highlighted these issues and more while proffering ways for regulators, law enforcement, and others to work together towards mitigating and deterring risks and fraud in the emerging payments environment. All in attendance recognized that the challenges ahead are common to all parties involved, and information sharing along with collaborative action is imperative for achieving the goal of ensuring a safe and efficient payments system.

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

January 18, 2011 in emerging payments, mobile payments, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e1b52c4c970b

Listed below are links to blogs that reference Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 02, 2010

Fight against payments fraud: The target is moving, but not everybody takes aim

Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.

Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.


Changes in Types of Suspicious Activity, 2008-09
ENLARGE

This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.


FinCEN Suspicious activity report filings by depository institutions
ENLARGE

Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.


Prevalence of Payments Fraud in 2009
ENLARGE

Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.

Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.


Reasons for Not Using Positive Pay, Debit Blocks or UPIC
ENLARGE

Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485f0df70970c

Listed below are links to blogs that reference Fight against payments fraud: The target is moving, but not everybody takes aim:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 19, 2010

Soccer balls and payment cards: A push for global standards

I am generally not a soccer fan but over the past few weeks I found myself curiously engaged in that nationalistic spectacle called the World Cup. Despite my general disinterest in low-scoring games and Oscar-quality performances by slightly injured players, I got caught up in the intensity of play and extraordinary skill levels displayed by these world class athletes. Then one day a debate erupted regarding standards. Apparently, soccer balls are not standardized and the one being used seemed hard and "skitterish." How bizarre!

Of course, my thoughts immediately turned to a more consequential global-standards issue taking place in the payments card world—the debate about the United States' reliance on the magnetic-stripe card standard as opposed to the chip-and-pin standard being adopted throughout the world, including in neighboring Canada.

Chip-and-pin technology has been deployed in Europe over the last decade as a means of reducing fraud by using the enhanced capabilities of a computer chip embedded in the plastic card to store and manage customer authentication data. Its success has been widely documented in recent fraud studies. This standard has been implemented using a specification called EMV, an acronym of Eurocard, MasterCard, and VISA, the original founders of the standard. In fact, EMV is now a corporation whose ownership has been expanded to include JCB (a Japanese card company) and American Express. So, what's the big deal? We survived the soccer ball dispute, so can't we survive the fact that the United States is not on board with the emerging global payments card standard? The answer may be a resounding "No!"

Various reports from payments research firms such as AITE have suggested that as many as 10 million U.S. travelers experienced difficulties with incompatible card technologies when traveling abroad during the past year. I learned some time ago that the least expensive and most secure way to acquire cash overseas is from an ATM machine. I now foresee a time when I will have to ask a European hotel concierge for the location of an American ATM (one capable of reading mag stripes), only to find out the nearest one is two miles away.

So why doesn't the United States adopt the emerging global standard? While there are many technological and political issues in play, the bottom line is that the overall cost of deployment to the U.S. payments system as a whole, and to merchants specifically, is a staggering number made even more daunting by the current state of the economy and available investment dollars. The Smartcard Alliance estimates that as many as six million merchant terminal devices may need to be replaced or upgraded to embrace chip-and-pin technology, with the bulk of the cost falling on the shoulders of merchants. Consequently, we are left to assume that we are likely to have to travel a long and winding road to migrate to the emerging global standard.

This observation is not in itself calamitous since past roads to worldwide standards are littered with the relics of failure (remember the push to implement the metric system?), but the stakes here are considerably higher in two important ways. First, we may become the only substantial economic power dependent on a payments standard that is less secure than that of the rest of the world. That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States in growing numbers. The second issue is that chip-and-pin technology is a critical element in progressing toward an even more secure and visionary goal—the deployment of mobile phone-based payments capabilities using a chip embedded in the phone. Industry conference agendas are crowded with sessions describing the way a smartphone can be waved near or tapped against a merchant terminal device using radio wave-based near-field communications (NFC) technology to capture the customer's payment credentials. Chips embedded in the phone, coupled with applications loaded on the phone from card-issuing banks, will create the effect of a "mobile wallet" that promises to be more convenient and, yes, more secure than what we use today.

So what should we do about this mess of the United States being out of step with respect to payments card technology? I would suggest that this issue could eventually reach the public policy level. Perhaps it is time for policymakers to consider whether migrating to an increasingly adopted world standard is in our best national interest. After all, we just mandated a move to digital television. While this change facilitated my ability to watch the World Cup in high definition, it cannot possibly be of the same importance as this brewing card issue. If we want to mitigate the possibility of the United States being a center of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard.

By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum

July 19, 2010 in consumer fraud, mobile payments, risk, telecom | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348589ba65970c

Listed below are links to blogs that reference Soccer balls and payment cards: A push for global standards:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 12, 2010

The confluence of payments, social networks, and malware: Elements of a perfect storm?

Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?

More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.


Fastest-growing-content-categories-via-application-access-on-mobile-devices
ENLARGE

Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.


Impressions-for-each-type-of-phishing-site
ENLARGE

Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.

Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.

Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485620cfb970c

Listed below are links to blogs that reference The confluence of payments, social networks, and malware: Elements of a perfect storm?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 29, 2010

Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks

ACH volumes have grown rapidly over the past decade, as the network has expanded beyond prearranged, recurring payments between known and trusted parties to include converted checks and one-time transactions originated over the Internet or by telephone. New ACH services have heightened concerns about risk because of the potential associated growth in ACH returns for reasons such as insufficient funds, presentment to closed accounts, and unauthorized transactions, to name just a few. To gauge the level of risk in a financial institution’s ACH origination business, it may seem reasonable to use the rate of these returned items as a possible benchmark. If an ACH originator's return rate is consistently below the industry average, we should be confident that its ACH risk management practices are generally sound, shouldn't we?

Not necessarily, according to a new Federal Reserve study. The researchers—Olivier Armantier, Michele Braun, and Dennis Kuo of the New York Fed and Ron Feldman, Mark Lueck, and Richard Todd of the Minneapolis Fed—recently conducted a study using FedACH data to look at ways to improve the benchmarks used to monitor ACH returns to shed some light on today's ACH risk environment. The study held some interesting and noteworthy findings.

Average return rates are not necessarily a good benchmark for measuring risk
The Federal Reserve study shows that about 75 percent of all consumer debit originators were below the FedACH average for consumer debit return rates during spring 2006. This large percentage stems from the fact that the average is elevated by a small number of very large originators who also have higher return rates. Consequently, some originators who fall below the average may still have rates significant enough to deserve attention. In short, while average return rates are almost the only benchmark currently available, they do not provide the most effective proxy for assessing ACH return risk management.

Better benchmarks could be constructed
The Fed study illustrates how more informative benchmarks could be computed by exploiting the ACH transactions data. The authors used FedACH data on all consumer debit forward and return items originated for a period in mid-2006. By developing a methodology that matched about 90 percent of return items to their original forward item, they could tabulate rich sets of statistics, covering the whole distribution of ACH return rates, not just the average. Their analysis tabulates return rate distributions for several individual standard entry class (SEC) codes, as well as the overall distribution of ACH transaction types, leading to the following additional results:

  • Size doesn't matter much. ACH return rates for small and large originators are not very different for most SEC codes. In fact, overall and for most types of consumer debits, the median small originator has a slightly lower return rate than the median large originator, when size is measured by deposits. Return rates were also not strongly related to the originating depository financial institution's volume of originations. Thus, it would be a mistake to read deposit size or institution size as a proxy for sophistication in managing the quality of ACH originations.
  • TEL and WEB are both risky, but in different ways. The average return rates for both telephone-initiated transactions (SEC code TEL) and web-initiated transactions (SEC code WEB) were high relative to most other types of consumer debits, but in different ways. TEL risks were higher across the board, so that well-below-median TEL return rates were still high compared to typical consumer debit return rates. By contrast, most WEB originators experienced lower returns on WEB than on consumer debits generally. However, a minority of WEB originators with significant volumes and very high return rates pulled the average return rate for WEB somewhat above the average return rate of all consumer debits.
  • Returns come fast and are mostly the result of insufficient funds. In mid-2006, more than 98 percent of all returns occurred within five days of origination, with more than 70 percent returned due to insufficient funds. For the small minority of returns that take more than five days, authorization issues predominate.

Better benchmarks can help banks manage ACH risk
Using and customizing the type of analysis done in the Fed study has the potential to help originating banks better understand risks and therefore more efficiently deter fraud. For example, both originating banks and bank regulators could analyze the distribution of return rates and reason codes by bank peer group to gain a better sense of an individual institution's risk management practices. At the broadest level, linking returns to forward items can efficiently provide a rich array of benchmarks to help originators better monitor their ACH returns and enhance the quality of information they provide to their boards of directors. Similarly, by going beyond the average return rate concept, regulators could use the approaches adopted in the Fed study to better supervise ACH originators, or industry associations could use them to improve industry standards. In short, the sun could be setting on the days of taking false comfort from the Lake Woebegonish achievement of a below-average return rate.

By guest blogger Richard M. Todd, vice president, Community Affairs and Banking and Policy Studies at the Minneapolis Fed

June 29, 2010 in ACH, bank supervision, fraud, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133f1f0d951970b

Listed below are links to blogs that reference Managing risk in the ACH network: Minneapolis Fed study uses FedACH data to identify better benchmarks:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in