
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


March 20, 2023

The Ransomware Battleground in 2022

The Retail Payments Risk Forum team has been writing a lot about ransomware in Take on Payments since 2018, when criminals shifted their targets from consumers with small ransom payouts to large government entities, educational institutions, and healthcare industries with their deeper pockets. Some of the initial victims in the United States were the cities of Atlanta and Baltimore and Florida's Monroe County School District. As with consumer attacks, criminals gain a foothold in the larger targets primarily through phishing or smishing messages that harvest account credentials; they also exploit known, unpatched software vulnerabilities and mount brute-force attacks against credentials.

The number of ransomware attacks has ebbed and flowed over these last five years. The FBI's Internet Crime Complaint Center (IC3) receives voluntary reports on ransomware attacks and, according to the most recent data, in 2021 there were 3,729 reported attacks with net losses of approximately $50 million. This was an increase of 51 percent from the previous year. Our June 2022 post highlighted findings of IC3's annual report and some of the tactical shifts made by the criminal organizations to further their success rate.

While the IC3 report for 2022 has not been released, reports from some private cybersecurity firms give perspective on the current ransomware environment. The findings in these reports reveal a dynamic battleground:

  • The number of attacks in 2022 declined, but the focus on large companies and educational institutions continues. Some experts attribute the decline to the disruption of criminal organizations in Eastern Europe by the Russian invasion of Ukraine.
  • While initial ransomware attacks were limited to file encryption, criminals now also deploy data extraction. They threaten to sell or publish that data to coerce an increased ransom payment.
  • Ransom payments increased 144 percent in 2021 over 2020. The average reported ransomware payment in 2022 was $4.7 million. These attacks reflect a more diverse target base, including smaller businesses, health care providers, and municipal government agencies.
  • Ransomware-as-a-service offerings have increased, making it easier for less sophisticated criminals to perpetrate these attacks.

From my perspective, the ransomware battle between the criminals and their targets continues unabated. Despite increased security and education efforts, ransomware is still identified by the FBI as the major cyber threat against business. Law enforcement has had some victories with high profile arrests but still struggles to keep up with the pace of ransomware activity.

Defenders against ransomware crime must remain agile. What new tactics and weapons can businesses and law enforcement deploy? Let us know what you think.

March 6, 2023

Is Your Tax Refund at Risk of Theft?

With the start of a new year, I create a folder labeled "tax documents." This is where I place the W-2s, 1099s, receipts, and other tax-related documents in advance of prepping our tax return, which we begin in earnest on February 1. Fingers crossed that by planning ahead and keeping careful records we avoid mistakes in our filing (and that we underpaid just a little bit).

Now, when I talk about tax return fraud, I'm not talking about mistakes or intentional misstatements, income omissions, or incorrect deductions. I am referring to what is classified as stolen identity refund fraud (SIRF). In this type of fraud, the criminal obtains your name and Social Security number and then files a tax return as early as possible, claiming a refund. You, the victim, generally don't find out this has happened until, in the course of your own filing, you receive a message from the Internal Revenue Service (IRS) that a tax return has already been filed for your Social Security number. The criminal often arranges to have the refund sent via the ACH network to money-mule accounts or loaded onto prepaid debit cards. Sometimes the criminal requests that a check be mailed to an address where they can steal it out of the mail.

The operators of the ACH network have been active in combating tax return fraud, and the IRS and the Department of Justice have made the investigation and prosecution of SIRF a high priority. In 2017, the IRS spearheaded the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (the IDTTRF-ISAC, or just ISAC), a collaborative effort of the IRS, state agencies, and the private-sector tax industry. At the heart of the ISAC operation is a platform that collects SIRF data, performs aggregated analysis, and then distributes anonymized reports to the participants.

The IRS continues to support major education efforts to help filers reduce their exposure to the broader problem of identity theft. The IRS's Guide to Identity Theft is available in eight languages on the IRS website. An important tool for consumers is the IRS Identity Protection Personal Identification Number (IP PIN), a six-digit number the IRS issues to the taxpayer to include with an electronic return; an electronic return filed under that taxpayer's Social Security number without the correct IP PIN is rejected, which is what blocks the criminal's early filing. Originally available only to filers who had previously experienced tax return fraud, the IP PIN has been available to all taxpayers since January 2021. The IRS's website has instructions for obtaining one online or by application. If you don't already have an IP PIN, I strongly encourage you to get one as soon as possible.

Best wishes as you gather all your tax documentation and that you are able to avoid the tax refund criminals.

January 30, 2023

What Does Generative AI Mean for Payments?

When the latest news in natural language processing (NLP) hits the newspaper comics on a Sunday, you know you've got a phenomenon on your hands. Perhaps you, like me, are asking yourself some questions: What the heck is ChatGPT? What does it mean for payments? How can I think about the risks? And what new ideas will the capabilities of NLP inspire?

What is ChatGPT? Like a lot of people in the past few weeks, I asked ChatGPT to tell me. The answer: "ChatGPT is a large language model that has been trained to generate human-like text. It can be used for a variety of natural language processing tasks such as language translation, question answering, and text generation."

Let's unpack this answer. "Large" means that the model is trained on vast amounts of data, that is, text created by humans. A "language model" is a statistical model of text: given the words so far, it predicts which words are likely to come next. "Generate" means create content, which is a key capability to think about in the context of payments. Large language models like this one, using a massive amount of computing power and human training, are tuned to produce responses to written or spoken text that read as though a person wrote them.

How successful is this charade? A lot depends on the questions you ask and how you ask them. Your human input is still important. When you give the model a prompt, you are "programming" it to give you a list of Alfred Hitchcock's most famous movies or the ingredients for coq au vin. When you "program" a search engine by asking such a question, you see a list with links (that is, sources for the information). When you program a natural language model, you get sentences and no source for the information. The lack of sourcing is a critical distinction when it comes to assessing accuracy or bias.

Setting accuracy aside, the answers I got sounded human enough to me, maybe a bit stilted. Let's look at the opportunities and risks for payments.

Opportunity. Generative AI has the potential to make customers feel like they are chatting with a person when they are interacting with a bot. For customers like me, that could cut down on trudging through FAQs to get an answer—or even a hint to an answer—depending, of course, on how well trained the bot is. Chatbots could become more responsive to me personally.
Risk. Generative AI has the potential to enable fraud. New tech = new fraud, as we learned with new tech for making remote payments. The ability to create plausible content and mimic human conversation is chilling in the context of phishing, for example: ChatGPT can already pretend to be an ATM information screen.
Opportunity. Generative AI has the potential to prevent fraud. NLP tools can find patterns in data, perhaps leading them to detect fraud created with these very same tools. We've seen this pattern before in payments, with innovations in fraud followed by innovations in fraud prevention and detection, et cetera, et cetera, et cetera. As previously pointed out by the Federal Trade Commission, however, AI is no silver bullet in fighting fraud.

When I asked the model, "What practices are most important to prevent payments fraud?," I got an error message. Too complicated? Too dependent on common sense? Too speculative? Therefore, without AI assistance, here are this earthling's thoughts about ways to prevent payments fraud in the era of generative AI:

  • Keep your tech and tools up to date.
  • Share information across the payments industry.
  • Educate employees and end users.
  • Use dual controls when possible.
  • Practice password hygiene.
  • Always keep an eye out for The Next Big Thing.
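One of those bullets, dual controls, is concrete enough to show in code. The following is an added illustration, not code from this post or from the Atlanta Fed: a small payment-release workflow in which no single person can move money. The roles, the $10,000 two-approver threshold, the user names and the sample payments are all assumptions chosen for the example. It enforces the rules a practitioner actually cares about: the initiator can never approve their own payment, one approver cannot count twice, only users holding the approver role can approve, and a released or rejected payment cannot be approved again. Compared with the bullet, it shows the edge cases (self-approval, double approval) that an attacker with one compromised account would try.

```python
"""Dual-control (four-eyes) release of outgoing payments.

Added example for the "use dual controls" advice above; not the original
post's code. Policy threshold, roles and sample payments are assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy for this example: payments above this amount need two approvers.
DUAL_CONTROL_THRESHOLD = Decimal("10000")


class DualControlError(Exception):
    """Raised when an action would violate the dual-control policy."""


@dataclass
class Payment:
    payment_id: str
    amount: Decimal
    beneficiary: str
    initiator: str
    approvals: list[str] = field(default_factory=list)
    state: str = "pending"  # pending -> released | rejected


def required_approvals(amount: Decimal) -> int:
    """One approver for routine payments, two above the threshold."""
    return 2 if amount > DUAL_CONTROL_THRESHOLD else 1


def submit(payment_id: str, amount: str, beneficiary: str, initiator: str,
           roles: dict[str, set[str]]) -> Payment:
    """Create a pending payment; only users holding the initiator role may submit."""
    if "initiator" not in roles.get(initiator, set()):
        raise DualControlError(f"{initiator} lacks the initiator role")
    value = Decimal(amount)
    if value <= 0:
        raise DualControlError("amount must be positive")
    return Payment(payment_id, value, beneficiary, initiator)


def approve(payment: Payment, approver: str, roles: dict[str, set[str]]) -> str:
    """Record one approval and release the payment once the policy is satisfied.

    Returns the payment state after the call ("pending" or "released").
    """
    if payment.state != "pending":
        raise DualControlError(f"{payment.payment_id} is already {payment.state}")
    if "approver" not in roles.get(approver, set()):
        raise DualControlError(f"{approver} lacks the approver role")
    if approver == payment.initiator:
        # Separation of duties: holding both roles does not allow self-approval.
        raise DualControlError("initiator may not approve their own payment")
    if approver in payment.approvals:
        # Each person counts once, so one compromised account cannot supply both.
        raise DualControlError(f"{approver} already approved {payment.payment_id}")
    payment.approvals.append(approver)
    if len(payment.approvals) >= required_approvals(payment.amount):
        payment.state = "released"
    return payment.state


def reject(payment: Payment, approver: str, roles: dict[str, set[str]]) -> str:
    """Any approver can stop a pending payment; rejection is final."""
    if payment.state != "pending":
        raise DualControlError(f"{payment.payment_id} is already {payment.state}")
    if "approver" not in roles.get(approver, set()):
        raise DualControlError(f"{approver} lacks the approver role")
    payment.state = "rejected"
    return payment.state


def run_demo() -> list[str]:
    """Walk constructed sample payments through the policy; return what happened."""
    roles = {  # constructed sample users
        "alice": {"initiator"},
        "bob": {"approver"},
        "carol": {"approver"},
        "dave": {"initiator", "approver"},  # both roles, still cannot self-approve
    }
    log: list[str] = []
    small = submit("P-1", "2500.00", "Office supplies Ltd", "alice", roles)
    log.append(f"P-1 after bob: {approve(small, 'bob', roles)}")
    large = submit("P-2", "25000.00", "New vendor LLC", "alice", roles)
    log.append(f"P-2 after bob: {approve(large, 'bob', roles)}")
    try:
        approve(large, "bob", roles)
    except DualControlError as exc:
        log.append(f"P-2 second approval by bob refused: {exc}")
    log.append(f"P-2 after carol: {approve(large, 'carol', roles)}")
    self_dealing = submit("P-3", "50000.00", "Dave's side business", "dave", roles)
    try:
        approve(self_dealing, "dave", roles)
    except DualControlError as exc:
        log.append(f"P-3 self-approval refused: {exc}")
    return log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the block prints the outcome of each sample payment: the $2,500 payment is released on one approval, the $25,000 payment stays pending until a second, distinct approver signs off, and the self-approval attempt is refused even though that user holds both roles. In a real system the roles would come from the identity provider and each approval would be tied to an authenticated session, but the checks themselves are the same.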

To learn more, check out two podcasts I found informative:

October 17, 2022

Webinars Address ATM Crimes, Financial Exploitation

ATM attacks don't generally appear in the news, despite their growing threat. As we've written before, these attacks can be both cyber and physical, and the physical attacks can be against both machine and the personnel servicing the machine. Another disturbing crime that may not appear enough in the headlines is the financial exploitation of senior adults. Two upcoming events in our Talk About Payments webinar series will give you the opportunity to learn more about these issues from the experts. The first, on November 3, covers ATM attacks. The second webinar takes place the following week, on November 10, and addresses the exploitation of seniors and community-based approaches to help mitigate vulnerabilities. More details about these webinars, as well as registration links, are below. We hope you will join us for both events.

November 3: ATM Attacks and Defenses
Because many financial institutions have closed banking offices or reduced their operating hours since the start of the pandemic, customer cash withdrawals at ATMs have increased significantly. Unfortunately, criminals have shifted some resources to attacking ATMs and the personnel servicing them, including those who make currency deliveries. More than half of all ATM attacks in the United States involve theft of the ATM itself, according to ATM Security Association data. The growth in dispenser jackpotting is also troubling. Because the methods of ATM crime vary from city to city and month to month, it is critical that ATM operators stay informed about current trends.

A panel of ATM experts joins moderator David Tente, executive director of the ATM Industry Association, in discussing trends in cyber and physical attacks against ATM terminals and service personnel, along with measures that can mitigate the risks. The panelists are:

  • Brenda Born, supervisory special agent, Federal Bureau of Investigation
  • Brad Moody, executive vice president of operations, Lowers & Associates
  • John Toneatto, vice president of security and investigations, Loomis

The webinar takes place on November 3 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.

November 10: Financial Exploitation of Aging Adults
Did you know that more than 10,000 US adults turn 65 every day, and that many of them will be victims of financial fraud? Elder financial exploitation is a growing problem, according to the National Council on Aging, which estimates financial losses of at least $36.5 billion a year. With the rapidly aging population, we must identify and protect elderly citizens exposed to financial exploitation risks.

In the November 10 episode of our Talk About Payments webinar series, Drs. Thomas Blomberg and Julie Brancale, criminologists from Florida State University, describe the current research, theory, and policy responses associated with this growing social problem. They also address the patterns and variations of financial exploitation of older adults and discuss why some older adults may be more or less vulnerable than others. The presentation concludes with a discussion of areas in need of additional research and policy attention. Scarlett Heinbuch, a payments risk expert at the Atlanta Fed, moderates the discussion.

The webinar takes place on November 10 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.

We encourage financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to join us for these informative webinars. You will be able to submit questions during the webinar. Please let your colleagues know about these webinars!