Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
June 27, 2022
The Ransomware Threat Continues to Grow
For more than five years, this blog; federal, state, and local law enforcement agencies; and multiple industry associations have continued to warn businesses about the threat of ransomware attacks. Nevertheless, the FBI's Internet Crime Complaint Center's (IC3) 2021 crime report shows that in 2021, IC3 received 3,729 ransomware complaints, representing losses of $49.2 million. These numbers reflect a 51 percent increase in the number of victims and a 69 percent increase in losses. The report notes that these figures are likely higher as the crimes are underreported, and that these financial losses don't “include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim.” According to the report, the industries most frequently targeted were health care, financial services, information technology, critical manufacturing, and government but water systems, energy, and transportation networks were also attacked.
In the beginning, criminals carried out ransomware attacks by gaining network access to a company's computer system, which they would accomplish by getting an employee to unknowingly load malware or load it themselves by exploiting an operating software vulnerability or using a remote access channel. The malware would then encrypt the targeted files so the company could not access them, and the criminal would demand a ransom and promise a decryption key once it was paid.
Last year saw an evolution of the attacks, when criminals began to seek higher payouts. In addition to making the regular ransomware demands, criminals threatened to release sensitive information they'd gathered before encrypting the files unless the victims paid an additional ransom. Regardless of any promises they make and money they get, criminals often sell this information on the Dark Web for even more money.
The defenses against a ransomware attack remain the same:
- Conduct employee training and phishing tests to educate and increase awareness. • Implement a process for employees to report suspected phishing emails and investigate them immediately.
- Make frequent offline data backups and regularly test the backup process.
- Install security patches and software updates as soon as possible.
- Monitor remote desktop protocols, if they're used, and carefully review access controls.
What defensive measures has your company implemented to defend against a ransomware attack? Let us know I've missed any.
June 13, 2022
Quishing: Another "Fish" in the Fraud Ocean
We should all be knowledgeable about phishing attacks by now, given the number of warnings consumers and businesses get about this type of email fraud. We've even warned about it, in this Take On Payments post last year, and in others. We've also warned about smishing, a variation that uses SMS text messaging rather than email. Vishing is another form of social engineering that we've also mentioned in the blog. It's like phishing but comes through a telephone, often from a spoofed number—one that looks like a legitimate number of a company or agency. All of these varieties of fraudulent attacks have the same goal: to "fish" for your login or account information.
And now there's quishing. Again.
Quishing is not new but has experienced a revival within the criminal element as a result of the increased use of QR codes for digital payments. We first wrote about the risks and benefits of QR codes back in 2012, when they were used predominantly on printed media such as billing statements. The account holder could scan the QR code to go to the biller's payment website to pay their bill. We wrote about them again in late 2020, when merchants used them in the pandemic as an alternative contactless payment technology to near field communication. Since then, the use of QR codes has exploded—not just for payment applications, but also for other contactless usages born from health concerns: to let people access digital restaurant menus, for example, or to get detailed product information. QR codes are easy to implement, but that also makes them easy to alter without detection. The criminal sends an email with a QR code that, when captured by the victim's camera, opens a counterfeit website that may look like a merchant's legitimate website but is intended to steal account credentials. The email may contain a coupon to give the victim further incentive to capture the QR code. Unfortunately, detecting quishing attacks is difficult for email malware applications since the QR code is embedded in the email message.
QR code manipulation can also take place on printed material. Cases have been reported where stickers with altered QR codes have been placed on event posters at a venue or in other public places. When the person accesses the fraudulent QR code to purchase event tickets, the criminal captures the payment card information then uses that information to make fraudulent purchases. Meanwhile, the victim shows up at the event and is told their ticket confirmation is invalid.
The same defensive measures used to spot phishing, smishing, and vishing attacks should be used to guard against quishing attacks. Be wary of messages from unknown sources, especially if they offer an incentive or convey a sense of urgency. Always be suspicious of any request for you to "confirm" your account credentials. Keeping a solid defensive position will help keep you safe from these attacks.
May 2, 2022
Taking the Long View: A Visit with Retail Payments Risk Forum Founder Rich Oliver
Rich Oliver, the founder of our Retail Payments Risk Forum (RPRF), paid a visit to our team recently and shared his vision when creating the forum, the challenges facing the payments industry, and the future direction our team could consider as the payments landscape continues to evolve.
In addition to founding our RPRF, Rich's payments expertise goes back to the 1970s when he led the effort to utilize the fledgling US Automated Clearing House (ACH) system to electronically deliver the first government payrolls and social security payments.
Drawing on his expertise, Rich wrote a book with George Warfel Jr. about the payments industry, The Story of Payments: How The Industrialization of Trust Created the Modern Payments System, that "tells the story of how payments—between people, merchants, employers, and governments—emerged from the ancient system of barter and grew, through various technological implementations ranging from coins and paper money to checks, wire transfers, and credit cards, to today's entirely electronic local and international payment systems."
In a wide-ranging conversation about the history of payments and Rich's role in many areas with the Fed, each of us in the RPRF took away some highlights to share with you.
Scarlett Heinbuch: Rich reminded us of the need to be bold in our thinking about the future of payments. We discussed advances in biometrics and how these initiatives could address identity and security concerns and make payments easier for all while also presenting other risks and challenges.
Nancy Donahue: One comment that made me go "hmm" was: "Do we have too many retail payments products that are trying to solve the same problem? Do they all make money? Do they all need to?"
Catherine Thaliath: What resonated with me was when Rich talked about potential risks of Buy Now Pay Later (BNPL). While viewed as a credit offering, it is nevertheless using a payment instrument in ways not previously done.
Claire Greene: "When it comes to product design, you can't assume you know what someone wants without doing the work." This was a humble statement from an innovator that applied in the 1970s and remains relevant today.
Dave Lott: Rich discussed the evolution of the current consumer banking product market where many of the explicit services (on-us ATMs, online banking, mobile banking, pay wallets, etc.) are provided free of charge.
Sally Martin: It resounded with me how much collaboration went on with the payments players in the industry. Also, the amount of time spent brainstorming on what the needs were and how to fill them, and in moving toward new offerings rather than replays of existing products. Rich's talk focused on moving into new territory—he was "agile" before it was cool.
Jessica Washington: We still need to collaborate on fraud mitigation at the strategic level. In the United States, we implemented chip credit cards but not so much chip-and-pin, plus we still have the magstripe, which is a major source of weakness, and we still have much work to do on card-not-present transactions.
As the RPRF founder, Rich challenged each of us to remember its mission: to be a source for non-biased thought leadership, to do original research, challenge norms, and push the envelope to move the payment system forward. Sometimes looking back at history can bring the future into sharper focus, which is what our chat with Rich did for us. As you look to the future of payments and payments risk, what stands out to you?
By the Retail Payments Risk Forum Team: Jessica Washington, Dave Lott, Scarlett Heinbuch, Claire Greene, Nancy Donahue, Catherine Thaliath, and Sally Martin.
November 8, 2021
An Update on UK Consumer Payment Protection
In 2020, approximately 150,000 fraudulent advanced push payments (APP) cases in the United Kingdom resulted in the equivalent of US$660 million in losses, according to a report from the UK's financial services regulator, the Financial Conduct Authority (FCA). The report also notes that 81 percent of these losses were on personal accounts. APPs are the equivalent of peer-to-peer payments and, for the most part, are irrevocable.
We ran a post in June last year about steps the FCA had taken to address the growing incidence of consumers falling victim to scams and sending funds to the scammers through APPs. As I discussed in that post, one step the FCA took was to initiate the Contingent Reimbursable Model (CRM) Code, which specifies the extent to which a consumer might be liable for financial losses from an APP scam. Under the provisions of the code, according to a press release from UK Finance, "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Although the CRM Code is considered voluntary, the major UK banks, representing 85 percent of all APPs, have adopted it. The CRM Code applies to push payments between UK-domiciled accounts handled by the PSPs.
The code requires that the originating and receiving PSPs provide educational programs to consumers to alert them to such scams and to investigate claims by consumers alleging they were victims of a scam that was beyond their control. Importantly, it also gives the financial institution the authority to delay or stop transactions that it believes are fraudulent to allow for additional investigation. Pay.UK, the industry’s retail payment operator, has also implemented a program that requires the originator to check that the transaction’s payee name matches the name on the account receiving the funds.
So how has the CRM Code worked so far in addressing the APP scam fraud problem? While the 150,000 cases in 2020 represented a 22 percent increase over the previous year, the value of APP losses in 2020 increased only 5 percent. This small increase is attributed to PSPs' efforts to implement more effective monitoring software to detect money mule accounts and other suspicious transactions.
Consumer groups criticize the CRM Code for the uneven reimbursement rates (which the PSPs report anonymously). While the overall reimbursement rate in 2020 was 47 percent, the individual reimbursement rates among the PSPs ranged from 10 percent to 99 percent. The critics maintain that the criteria for determining if a customer is fully or partially at fault and ineligible for full reimbursement are highly subjective. As an example, the CRM Code says, "The customer’s capacity to protect themselves includes their knowledge, skills and capability in engaging with financial services and systems...." But how do the PSPs objectively determine the level of the customer's knowledge, skills, and capability?
In February of this year, the UK’s Payment System Regulator, commonly known as the PSR, issued a request for comment regarding three proposed changes to the CRM Code:
- Mandate that PSPs publish their APP fraud and reimbursement data publicly.
- Require that PSPs develop a standard approach to sharing information about APP scams with the intent to stop them from occurring or spreading.
- Extend the liability protection to all UK-domiciled consumer accounts operating in the United Kingdom to at least a minimal level.
The comment period for these proposals closed in April. We will continue to follow this activity and report the final outcome of this issue when it becomes available.