Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
October 1, 2018
Safeguarding Things When They’re All Connected
In a July 6 post, I discussed the explosive growth of internet-of-things (IoT) devices in the consumer market. I expressed my concerns about how poor security practices with those devices could allow criminals to use them as gateways for fraudulent activity. At a recent technology event for Atlanta Fed employees, Ian Perry-Okpara of the Atlanta Fed’s Information Security Department led an information session on better ways to safeguard IoT devices against unauthorized access and usage. Ian and I have collaborated to provide some suggestions for you to secure your IoT device.
- Visit the manufacturer's website and get specific product information regarding security and privacy features. Is encryption being used and, if so, what level? What data is being collected, where and how long is it being stored, and is it shared with any other party? Does the product have firmware that you can update? Does it have a changeable password? (You should avoid devices that cannot receive updates or have their passwords changed.) What IoT standards have been adopted?
- Check with reliable product review sites to see what others have to say about the product’s security features.
- If your home network router supports a secondary "guest" network, create one for your IoT devices to separate them from your more secure devices such as desktop and laptop computers and printers.
- Especially if your device is used or refurbished or was a display model, immediately perform a factory reset if it’s equipped that way in case someone has modified the settings.
- Download the most recent firmware available for the device. Often, a newer firmware will become available during the period the merchant held the device.
- Use strong password techniques and change the user ID and password from the factory settings. Use different passwords for each one of your IoT devices.
- Register your device with the manufacturer to be notified of security updates or recalls.
- Add the device to your separate network if available.
If you adopt these suggestions, you will have a secure IoT network that will minimize your risk of attack. Criminals will be much less able to take over your IoT devices for bot attacks or for going through them to gain entry into other devices on your home network. You do not want the criminals to get at personal information like your credentials to your financial services applications.
We hope this information will be helpful. If you have other suggestions to better secure your IoT devices, we certainly would like to hear from you.
By Ian Perry-Okpara, an information security architect in the Information Security Department at the Atlanta Fed
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 19, 2018
Mobile Banking and Payments' Weakest Link: Me
What's the biggest hole in mobile banking security? As my colleague Dave Lott reported in January, bankers say it's consumers' lack of protective behavior when using mobile devices. That means you and me.
In response, financial institutions (FI) have implemented controls including inactivity timeouts and multifactor authentication, as noted in Mobile Banking and Payment Practices of U.S. Financial Institutions, which reported the findings of a 2016 Federal Reserve survey.
Baking these controls into mobile apps makes sense because research on consumer behavior suggests that expecting consumers to independently take steps to protect their accounts and data is not realistic. Take as one example: I co-wrote a paper with Joanna Stavins for the Boston Fed reporting the results of our investigation into consumers' responses to the massive Target data breach. We found that while consumers do react to reports of fraud, their reactions can be short-lived. In addition, consumers' opinions may change, but their behavior may not. In other words, considerations aside from security could take priority. (See also a report on the 2012 South Carolina Department of Revenue breach.)
Debit and credit card data for 40 million cards used in Target stores were stolen in late 2013. The breach was widely reported in the news media and caused many financial institutions to reissue cards. Because it was primarily a debit card breach, one might reasonably expect consumers to take a jaundiced view of debit cards after the breach.
And, indeed, that was the case. The Survey of Consumer Payment Choice was in the field at the time of the Target breach. Some consumers answered questions about the security of debit cards before the breach became public. Others answered after.
Consumers who rated card security after the breach rated debit cards more poorly relative to the average rating of the other payment instruments—cash, paper checks, ACH methods, prepaid cards, and credit cards. So in that sense, they reacted to the news.
One year later, consumers in 2014 rated the security of debit cards more poorly both relative to their ratings of other payment instruments and absolutely (that is, a greater percentage of consumers rated debit cards as risky or very risky). In contrast, compared to 2013, the absolute security ratings of cash improved. There was no change in the security ratings of credit cards.
The more important question: Did consumers change their behavior in response to this massive and widely reported data breach? The answer: not according to this survey data. There was no statistically significant change in consumers' method of payment mix in 2014. Debit cards remained the most popular payment instrument among consumers in 2014, accounting for almost one-third of their payments per month.
What does this mean for financial institutions? Realism about my willingness to take action is well placed. You can't count on me.
By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 19, 2013
Curbing Identity Theft and Fraud
To no one's surprise, identity theft and associated fraud losses rose again in 2012. The number of victims climbed to more than 12 million last year, an 11 percent increase over 2011, according to the recently released Javelin 2013 Identity Fraud Report. Losses amounted to almost $21 billion.
A quick distinction between identity theft and identity fraud: identity theft is when an unauthorized person obtains personal information about an individual, and identity fraud occurs when someone uses that personal information, without the individual's consent, to conduct financial transactions.
Two types of identity theft drove the overall increase: new-account identity and account takeover fraud.
New-account identity fraud takes a number of different forms. The most common form occurs with credit card applications. Someone creates an account using another person's information and makes purchases to the maximum limit, then allows the account to go into default. The next most common type happens with new checking accounts. The fraudster opens up a checking account using false identification credentials, then deposits bad or bogus checks and quickly cashes out.
The prevention of new-account identity fraud rests primarily on the shoulders of the financial institution (FI). What are the steps that FIs can take to help reduce the levels of these types of fraud? They are already required to authenticate the identities of new account applicants to the extent reasonable and practical under the Bank Secrecy Act's Customer Identification Program. The fraudster's goal when opening a fraudulent account is to minimize the verification process and quickly establish the new account. Experienced criminals can falsify government-issued IDs without too much difficulty. The FI representatives authenticating new accounts must rely on their experience and on a number of other factors to detect fraudulent attempts—but it can be difficult to balance the need to authenticate applicants with the wish, and the institutional push, to be polite and welcoming.
Many FIs order abbreviated credit reports as part of the new account process so they can better market credit products to qualified applicants. An address on the credit report that differs from the one on the application or the report showing a rash of new credit inquiries should sound warning bells, and such discrepancies would justify additional verification. Other warning signs include applicants having to read the information from their identification documents rather than reciting it from memory, or incorrect social security numbers, or newly issued identification documents.
Most fraudulent new accounts are opened online or through call centers. In these cases, the subsequent new-customer authentication process is critical. Although individuals can use their own, legitimate credentials to commit new account fraud, industry reports suggest it is much more common for fraudulent accounts to be opened with fraudulent credentials.
As to account takeover fraud, as we have stressed on many occasions, the most critical action that FIs can engage in is frequent customer education through electronic and print media and community and customer seminars. In a recent post on phishing, we outlined a number of steps that FIs should remind individuals to follow to minimize the possibility of having their accounts and identity credentials compromised.
We would like to hear from you as to ways your institution is combating new-account identity and account takeover fraud.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 29, 2013
It's Time for Better Online Authentication Solutions
I recently read a news story in my daily news feed about litigation between a bank and corporate customer related to an account takeover, and the liability of the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.
Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.
Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?
Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed