Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
September 20, 2021
Changing Fraud Strategies: Fraud Fighters
Editor's note: This is the second post in a three-part series.
I recently read about a payment company that responded to emerging fraud schemes by doubling its staff associated with fraud mitigation. The talent the company sought for these roles is in high demand, so I took to the job boards to see what hiring strategies emerged in relation to the trending fraud schemes.
Back in March, I posted the first of a three-part series on changing fraud strategies. That post looked at shifting trends in payments fraud. In this post, I share what I found on the job boards to illustrate how the approach to fighting fraud might be shifting in response to the new types of fraud. (I'll continue that theme in the third post.)
Account takeover fraud
Many of the listings I saw made it clear that organizations want candidates with account takeover expertise. I read statements like "Candidate must be capable and driven to identify, mitigate, and resolve account takeovers" and "Job duties include monitoring accounts, queues, and transactions for possible account takeover and to prevent processing of unauthorized transactions."
Companies are also catching on that account takeover fraud can't be mitigated by a single department of fraud fighters such as information security—it takes collaboration across many lines of defense. In fact, a recent report on account takeover fraud noted the critical need for organizations to ensure that all internal departments understand the organization's liabilities in accessing company networks, databases, employee information, and financial data. Job postings with a focus on account takeover had statements like "will work cross functionally across the enterprise" and "partnering across the enterprise to unify and strengthen strategies to address account takeovers."
New account opening fraud
Sometimes grouped with application fraud, these schemes are hard to detect, leaving many businesses vulnerable. Let's face it, businesses naturally want new accounts. If creating new accounts becomes an area of friction, that can affect a company's bottom line.
That's why mitigating this type of fraud involves balancing the confluence of forces at play, including privacy, customer service, sales, and compliance. Based on some of the job listings I reviewed, organizations are showing signs of adjusting to the rise of risk here. For example, one bank was hiring a salesperson who "must adhere to new account opening procedures to prevent fraud." There were many openings that listed such compliance responsibilities.
One position specifically wanted a subject matter expert in detection, investigation, and prevention of synthetic, identity, and new account application fraud. The job also required extensive collaboration across the enterprise and with law enforcement.
You immediately get a sense of how widespread and varied online fraud is when you look at the listings for companies that are "urgently" hiring fraud analysts or researchers. Some of these companies are in mortgage, health care reporting, home improvement retail, telecommunications, or, of course, e-commerce.
Interestingly, I saw more than just entry-level or intermediate positions for online fraud workers. One e-commerce company was seeking a "head of eCommerce fraud operations." The company said the candidate should "have a passion for managing people" while also wanting to build an organization. A multinational technology company was looking for a "manager of payments trust and safety," who would be tasked with tackling the biggest problems that challenge the safety and integrity of their products.
It takes more than talent
Organizations have a high demand for workers who can help the whole enterprise focus on fighting fraud and who also have analytical and decision-making skills and can make changes to strategies and systems. Of course, talent is only one part of the fraud fight. In the final post in this series, we will explore how technology is being used to tackle the fraud trends.
August 30, 2021
Is Quantum Computing This Generation's Y2K?
I have a clear memory of December 31, 1999, when the world held its collective breath as the clock ticked down to the new millennium. Were we prepared, or would the doomsday predictions of chaos following a worldwide breakdown of computer infrastructures come to pass? As we now know, midnight came and went and as the sun rose in the east, all was well. Twenty-plus years on from the millennium bug, could developments in quantum computing be this generation's Y2K event? At least with Y2K, we knew when it would happen.
The computer hardware and software we use today operate on a binary number system: combinations of ones and zeroes that encode program code and mathematical operations ranging from the simple to the complex. These binary digits, known as bits, form the basis of digital data. To protect digital data from being read or manipulated in unauthorized ways, encryption is applied to data in storage and in transmission, and RSA with a 2048-bit key is one of the most common public-key schemes. (RSA stands for Rivest, Shamir, Adleman, the names of its creators.) In RSA, anyone can encrypt with the receiver's public key, but only the matching private key, held by the receiver, can decrypt. The private key can be derived from the public one only by factoring the public modulus, a 2048-bit number, into the two secret primes it was built from, and the difficulty of that factoring problem is what makes RSA secure.
"Man in the middle" attacks occur when cybercriminals position themselves between two communicating parties and intercept or alter the traffic between them, for example by eavesdropping on Wi-Fi; encryption is the primary defense against this kind of interception. Phishing and malware are a different route to the same data: they steal credentials or the private key itself rather than break the encryption. While not unbreakable in principle, 2048-bit RSA is considered nearly impenetrable by traditional computers because factoring a number of that size exceeds their processing capabilities. Estimates for the time a computer using today's most robust processing capabilities would need to factor a 2048-bit modulus run from several hundred million to several hundred billion years.
However, a sufficiently large, error-corrected quantum computer running Shor's factoring algorithm has the theoretical ability to perform this same calculation in a matter of hours. No machine of that scale exists today, but for this reason quantum computing has the potential to create significant disruption in data security across all public and private industries.
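To make concrete why factoring the modulus is the whole game, here is a small added example in Python; it is not part of the original post. It builds a toy RSA key pair from two constructed 30-bit primes, encrypts a message, and then plays the attacker: given only the public key, it factors the modulus with Pollard's rho (an ordinary classical algorithm), rebuilds the private exponent, and decrypts. The primes, the message, and the function names are assumptions chosen for illustration. Against a real 2048-bit modulus, the factoring step is exactly what takes classical hardware astronomically long and what Shor's algorithm would make fast; nothing else in the attack changes.

```python
# Added example (not from the original post): recovering a toy RSA private key
# by factoring the public modulus. Parameters below are constructed for illustration.
import math


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), d


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(n: int, d: int, c: int) -> int:
    return pow(c, d, n)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle detection).

    Runtime grows roughly with the square root of the smallest prime factor, which is
    why it finishes instantly on a 60-bit modulus and never on a 2048-bit one.
    """
    if n % 2 == 0:
        return 2
    for c in range(1, 1000):  # retry with a new polynomial if the walk degenerates
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")


def recover_private_key(pub) -> int:
    """Attacker's view: from (n, e) alone, factor n and rebuild d."""
    n, e = pub
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


# Constructed toy parameters. Real RSA-2048 uses two ~1024-bit primes.
P, Q = 1_000_000_007, 1_000_000_009
MESSAGE = 123456789


def demo():
    pub, d = rsa_keygen(P, Q)
    ciphertext = rsa_encrypt(pub, MESSAGE)
    d_recovered = recover_private_key(pub)  # uses only the public key
    return {
        "modulus_bits": pub[0].bit_length(),
        "key_recovered": d_recovered == d,
        "plaintext": rsa_decrypt(pub[0], d_recovered, ciphertext),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the 60-bit modulus falls in milliseconds; the point of the exercise is that the recovered exponent is bit-for-bit the legitimate private key, because the key was never anything more than the factorization of the public number. Post-quantum schemes are designed so that no analogous "factor this" shortcut exists for either classical or quantum attackers.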
Unlike traditional computing's binary system, quantum computing uses quantum bits, or qubits, as the basic unit of quantum data. Often compared to the Schrödinger's cat thought experiment, in which the cat is simultaneously alive and dead, a qubit can be in more than one state at the same time, a condition called superposition. In traditional computing, a bit is either a one or a zero; a qubit can be both a one and a zero at once, and a register of qubits can hold every combination of values simultaneously. Superposition, together with entanglement between qubits and the interference of their states, is the foundation of quantum computing and the source of its processing power. That power is not general-purpose: it applies to specific problems for which quantum algorithms are known, and factoring is the prominent one.
Within the next 20 years, quantum computing capabilities may well reach the point that 2048-bit RSA encryption is no longer secure, leaving public and private industries exposed. The exposure starts earlier than that date: encrypted traffic captured and stored today can be decrypted once such a machine exists, so data that must remain confidential for decades is already at risk. In 2016, the Computer Security Resource Center of the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce, initiated work to develop post-quantum cryptography standards. The goal of this work is to standardize public-key encryption and digital signature algorithms that protect systems against attacks from both traditional and quantum computers. Interoperability with existing communications protocols and networks is an additional goal of the Computer Security Resource Center's work.
The potential risks of quantum computing touch all industries, businesses, and consumers, underscoring the need to be informed and risk-aware. Is quantum computing on your organization's information security radar? Are steps being taken to determine your organization's quantum computing risks? Or are we all just holding our collective breath?
August 2, 2021
Ransomware: To Pay or Not to Pay?
Ransomware attacks against high-profile corporate, educational, and governmental entities continue to make the news. What the media often overlook, however, are the continuing attacks against consumers' home networks and devices. Imagine your panic when you turn on your personal computer and you get a message demanding $500 in cryptocurrency or gift cards for your tax, banking, investment management, family photo, and other important files that a criminal has encrypted. Do you pay or not?
Law enforcement and cybersecurity professionals almost all say "no." A March 2021 report from a cybersecurity firm described a study of 15,000 consumer ransomware attacks in 2020 worldwide. In more than half of these attacks (56 percent), the victims paid the ransom, but only 17 percent of those making payment regained full access to their files. Adults 55 and older were the age group least likely to pay a ransom (11 percent), while the 35–44 age group, at 65 percent, was the most likely to pay.
Arguments against payment are threefold:
- It encourages further attacks because the victim has already shown willingness to pay.
- It rewards criminal behavior and provides funds for additional attacks.
- It may not result in 100 percent recovery of files.
Those consumers making a ransomware payment do it because they hope the payment will restore their files faster and they'll soon resume normal use of their computer.
As this type of cybersecurity attack against consumers and businesses continues to increase, education about how it works and the defenses that should be undertaken is critical. What is the best way to provide that? Let us know what you think.
June 14, 2021
Four years ago, in a May 2017 Take On Payments post, my colleague Doug King echoed the concern of cybersecurity experts, warning that 2017 and 2018 were going to be the "Year(s) of Ransomware." This warning came as ransomware attacks were increasing in frequency and being carried out against higher-profile targets. In 2018, the City of Atlanta was attacked. Following the recommendations of law enforcement officials, the city refused to pay the $51,000 ransom. Many city services involving utility billing and traffic court were disrupted for as long as a year, and officials estimated the price tag of investigation and remediation at $17 million.
In its latest report, cybersecurity firm Group-IB described the results of its analysis of more than 500 ransomware attacks: not only did the number of attacks in 2020 increase by more than 150 percent over the previous year, but the sophistication of the attacks themselves had also substantially increased.
Over the last month, high-profile attacks against an oil pipeline operation, meat processor, and digital services provider have been reported. While attacks against corporate targets often have limited impact on the general public, the Colonial Pipeline attack led to a shutdown of a major supply pipeline servicing the eastern United States, triggering panic buying and complete outages at more than 11,000 gas stations in addition to a spike in retail gasoline prices, according to a Newsweek article.
Ransomware attack strategies have a number of variables, including the type of criminal organization behind the attack, the target industry, and the size and method of infiltration, whether that's phishing, exploitation of a network or software security vulnerability, or something else. One of the largest concerns of law enforcement is the emergence over the last few years of criminal organizations that provide ransomware as a service (RaaS), as was the case in the Colonial Pipeline cyberattack. Under this scheme, the criminal organization sells or leases its ransomware code to affiliates, who use it to attack their targets. The Group-IB report indicated that RaaS was used in approximately two-thirds of the ransomware attacks in 2020.
The Ransomware Task Force, an international group of cybersecurity experts from industry, government, law enforcement, and civil society, was formed in late 2020 to address this threat. In April 2021, it delivered to the U.S. government a report with recommendations for combating ransomware attacks. The following list includes some of the 48 recommendations:
- Make proactive diplomatic and law enforcement efforts to reduce and eliminate nation-states from providing protection to ransomware criminals.
- The United States should take a lead role in implementing a comprehensive anti-ransomware campaign including creating a task force composed of government agencies and private industry.
- Organizations should be mandated to report ransomware payments and to consider alternatives before making such payments.
- Since cryptocurrency is predominantly used for ransomware payments, the cryptocurrency operators should be more closely regulated.
On April 21, the U.S. Department of Justice (DOJ) announced the formation of the Ransomware and Digital Extortion Task Force to "bring the full authorities and resources of the Department to bear to confront the many dimensions and root causes of this threat." An early success of the Task Force was detailed on June 7, when the DOJ announced that it had recovered approximately $2.3 million of the $4.4 million ransom paid by Colonial Pipeline.
We will continue to follow the ransomware threat, recognizing that no type of industry or size of business is safe from such an attack.