Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources; listen to our Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

September 20, 2021

Changing Fraud Strategies: Fraud Fighters

Editor's note: This is the second post in a three-part series.

I recently read about a payment company that responded to emerging fraud schemes by doubling its staff associated with fraud mitigation. The talent the company sought for these roles are in high demand, so I took to the job boards to see what hiring strategies emerged in relation to the trending fraud schemes.

Back in March, I posted the first of a three-part series on changing fraud strategies. That post looked at shifting trends in payments fraud. In this post, I share what I found on the job boards to illustrate how the approach to fighting fraud might be shifting in response to the new types of fraud. (I'll continue that theme in the third post.)

Account takeover fraud
Many of the listings I saw made it clear that organizations want candidates with account takeover expertise. I read statements like "Candidate must be capable and driven to identify, mitigate, and resolve account takeovers" and "Job duties include monitoring accounts, queues, and transactions for possible account takeover and to prevent processing of unauthorized transactions."

Companies are also catching on that account takeover fraud can't be mitigated by a single department of fraud fighters such as information security—it takes collaboration across many lines of defense. In fact, a recent report Adobe PDF file formatOff-site link on account takeover fraud noted the critical need for organizations to ensure that all internal departments understand the organization's liabilities in accessing company networks, databases, employee information, and financial data. Job postings with a focus on account takeover had statements like "will work cross functionally across the enterprise" and "partnering across the enterprise to unify and strengthen strategies to address account takeovers."

New account opening fraud
Sometimes grouped with application fraud, these schemes are hard to detect, leaving many businesses vulnerable. Let's face it, businesses naturally want new accounts. If creating new accounts becomes an area of friction, that can affect a company's bottom line.

That's why mitigating this type of fraud involves balancing the confluence of forces at play, including privacy, customer service, sales, and compliance. Based on some of the job listings I reviewed, organizations are showing signs of adjusting to the rise of risk here. For example, one bank was hiring a salesperson who "must adhere to new account opening procedures to prevent fraud." There were many openings that listed such compliance responsibilities.

One position specifically wanted a subject matter expert in detection, investigation, and prevention of synthetic, identity, and new account application fraud. The job also required extensive collaboration across the enterprise and with law enforcement.

Online fraud
You immediately get a sense of how widespread and varied online fraud is when you look at the listings for companies that are "urgently" hiring fraud analysts or researchers. Some of these companies are in mortgage, health care reporting, home improvement retail, telecommunications, or, of course, e-commerce.

Interestingly, I saw more than just entry-level or intermediate positions for online fraud workers. One e-commerce company was seeking a "head of eCommerce fraud operations." The company said the candidate should "have a passion for managing people" while also wanting to build an organization. A multinational technology company was looking for a "manager of payments trust and safety," who would be tasked with tackling the biggest problems that challenge the safety and integrity of their products.

It takes more than talent
Organizations have a high demand for workers who can help the whole enterprise focus on fighting fraud and who also have analytical and decision-making skills and can make changes to strategies and systems. Of course, talent is only one part of the fraud fight. In the final post in this series, we will explore how technology is being used to tackle the fraud trends.

September 7, 2021

Happy 50th Birthday, ATM

I am an old ATM (automated teller machine) guy, having managed a small network early in my banking career in the 1970s. That was when ATMs first began making their appearance on the walls of banking offices as a way to extend banking convenience to customers. During my years as a management consultant, I was fortunate to have been involved in the formation of several statewide ATM networks that evolved into regional, national, and international debit (ATM and debit POS) networks. Now that the ATM in the United States has passed its 50th birthday, what has it become and what does the future hold for it?

While the ATM has always been primarily a cash dispenser, there were efforts over the early years to introduce new functionality to generate additional revenue. Several banks unsuccessfully attempted to use it to sell postage stamps or transit fare cards. They realized that these types of alternative products required frequent resupply visits, which drove up servicing costs. Another marketing effort included selling advertisements on the back of transaction receipts, but since most receipts ended up in the ATM’s trash can, this, too was short-lived.

The introduction of a Windows operating system with its graphical capability opened a new range of functionality, with on-screen advertising now being played during previous "Please Wait" static instruction screens. Some ATM operators experimented with selling concert and other local event tickets. Such efforts were quickly abandoned when customers wanting quick access to their cash were forced to wait for minutes behind someone deciding on the best seat selection.

A major change in the ATM landscape took place in 1996, when Congress expressly excluded ATMs from being considered branches and eliminated geographical restrictions. Not only did this change create a major expansion of bank-owned, off-premise ATMs, but it also created the opportunity for independent ATM deployers to place ATMs in retail locations. Today, ATMs/cash dispensers owned and operated by nonfinancial institutions represent more than 60 percent of the machines in the United States.

ATMs have played a vital role during the COVID-19 pandemic in maintaining banking services for consumers while banking offices were closed or operating with reduced hours or staffing levels. Many ATMs use imaging for check and cash deposits. Reported usage has increased significantly. With all the successes and failures throughout the ATM’s history, one thing has been consistent for 50 years: the cash dispensers. They are and have always been an excellent tool to handle that functionality 50 years after their introduction. Talk about standing up to the test of time!

So, what is next for the ATM? The Consortium for Next Gen ATMsOff-site link, representing more than 400 companies in 55 countries, has been working for the last five years to develop a globally interoperative software platform for APIs (for application programming interface) for the ATM to support additional functionality such as interactive teller sessions and cardless and contactless transaction support. Our readers have seen previous posts documenting the reduced usage of cash, especially by millennials. The ATM industry is looking to explore new avenues of service and revenue to offset reduced transaction volume.

Are there any additional functions you would like to see at your ATM? We would enjoy hearing your perspective on the ATM’s future.

  

September 7, 2021

Happy 50th Birthday, ATM

I am an old ATM (automated teller machine) guy, having managed a small network early in my banking career in the 1970s. That was when ATMs first began making their appearance on the walls of banking offices as a way to extend banking convenience to customers. During my years as a management consultant, I was fortunate to have been involved in the formation of several statewide ATM networks that evolved into regional, national, and international debit (ATM and debit POS) networks. Now that the ATM in the United States has passed its 50th birthday, what has it become and what does the future hold for it?

While the ATM has always been primarily a cash dispenser, there were efforts over the early years to introduce new functionality to generate additional revenue. Several banks unsuccessfully attempted to use it to sell postage stamps or transit fare cards. They realized that these types of alternative products required frequent resupply visits, which drove up servicing costs. Another marketing effort included selling advertisements on the back of transaction receipts, but since most receipts ended up in the ATM’s trash can, this, too was short-lived.

The introduction of a Windows operating system with its graphical capability opened a new range of functionality, with on-screen advertising now being played during previous "Please Wait" static instruction screens. Some ATM operators experimented with selling concert and other local event tickets. Such efforts were quickly abandoned when customers wanting quick access to their cash were forced to wait for minutes behind someone deciding on the best seat selection.

A major change in the ATM landscape took place in 1996, when Congress expressly excluded ATMs from being considered branches and eliminated geographical restrictions. Not only did this change create a major expansion of bank-owned, off-premise ATMs, but it also created the opportunity for independent ATM deployers to place ATMs in retail locations. Today, ATMs/cash dispensers owned and operated by nonfinancial institutions represent more than 60 percent of the machines in the United States.

ATMs have played a vital role during the COVID-19 pandemic in maintaining banking services for consumers while banking offices were closed or operating with reduced hours or staffing levels. Many ATMs use imaging for check and cash deposits. Reported usage has increased significantly. With all the successes and failures throughout the ATM’s history, one thing has been consistent for 50 years: the cash dispensers. They are and have always been an excellent tool to handle that functionality 50 years after their introduction. Talk about standing up to the test of time!

So, what is next for the ATM? The Consortium for Next Gen ATMsOff-site link, representing more than 400 companies in 55 countries, has been working for the last five years to develop a globally interoperative software platform for APIs (for application programming interface) for the ATM to support additional functionality such as interactive teller sessions and cardless and contactless transaction support. Our readers have seen previous posts documenting the reduced usage of cash, especially by millennials. The ATM industry is looking to explore new avenues of service and revenue to offset reduced transaction volume.

Are there any additional functions you would like to see at your ATM? We would enjoy hearing your perspective on the ATM’s future.

  

August 30, 2021

Is Quantum Computing This Generation's Y2K?

I have a clear memory of December 31, 1999, when the world held its collective breath as the clock ticked down to the new millennium. Were we prepared, or would the doomsday predictions of chaos following a worldwide breakdown of computer infrastructures come to pass? As we now know, midnight came and went and as the sun rose in the east, all was well. Twenty-plus years on from the millennium bug, could developments in quantum computing be this generation's Y2K event? At least with Y2K, we knew when it would happen.

The computer hardware and software we use today operate on a binary number system, combinations of ones and zeroes used in programing code and mathematical formulas ranging from the simple to complex. These binary digits, known as bits, form the basis of digital data. To protect digital data from being manipulated in unauthorized ways, various levels of encryption are employed for data storage and transmission, with 2048-bit RSA cryptography being one of the most common formats. RSA cryptography uses a combination of a public encryption key to transmit data and a private decryption key held by the receiver. (RSA stands for Rivest, Shamir, Adleman—the names of the creators.)

"Man in the middle" attacks occur when cybercriminals intercept secure data transmissions and private decryption keys, often through phishing, malware, and Wi-Fi eavesdropping. While not unbreakable, 2048-bit RSA encryption is considered nearly impenetrable because traditional computers have limitations in their processing capabilities. Estimates for the time it would take for a computer using today's most robust processing capabilities to decrypt a 2048-bit algorithm run from several hundred million to several hundred billion years.

However, quantum computing has the theoretical ability to perform this same calculation in a matter of seconds, minutes, or hours. For this reason, quantum computing has the potential to create significant disruption in data security across all public and private industries.

Unlike traditional computing's use of a binary system, quantum computing video fileOff-site link uses quantum bits, or qubits, as the basic unit of quantum data. Often compared to the physics theory of Schrödinger's cat, where the cat can be simultaneously alive and dead, qubits can have more than one value at the same time, referred to as superposition, where the qubit travels all possible paths at once. In traditional computing, a bit is either a one or a zero. In quantum computing, a qubit can be both a one and a zero at the same time. Qubits and superposition form the foundation of quantum computing and are the source of its never-before-seen processing power.

In the next 20 years, quantum computing capabilities may likely reach the point that 2048-bit RSA encryption is no longer secure, leaving public and private industries exposed. In 2016, the Computer Security Resource Center of the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, initiated work to develop post-quantum cryptography standards. The goal of this work is to develop encryption algorithms that protect systems against attacks from both traditional and quantum computers. Interoperability with existing communications protocols and networks is an additional goal of the Computer Security Resource Center's work.

The potential risks of quantum computing touch all industries, businesses, and consumers, underscoring the need to be informed and risk-aware. Is quantum computing on your organization's information security radar? Are steps being taken to determine your organization's quantum computing risks? Or are we all just holding our collective breath?