Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
December 10, 2018
A Look in the Rearview Mirror of Payments for 2018
I'm sure just about everyone else in the payments industry would agree with me that 2018 was yet another exciting year for payments. The year was filled with a host of newsworthy events, but fintech most certainly took center stage in the financial services industry, including payments. Whether the news highlighted an announcement of a new product to increase financial access or discussed the regulatory challenges and associated concerns within the fintech space, it seemed that fintech made its way into the news on a daily basis. Still, for payments, 2018 will be remembered for more than just fintech.
The Retail Payments Risk Forum's last Talk About Payments webinar of 2018 will feature Doug King, Dave Lott, and Jessica Washington sharing their perspectives and memories on the year-in-payments in a round table discussion. Among the topics they will discuss are consumer payment preferences, the changing retail environment, and the state of fraud—and fintech, of course. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.
The webinar will be held on Thursday, December 20, from 1 to 2 p.m. (ET). Participation in the webinar is free, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.
We look forward to you joining us on December 20 and sharing your perspectives on the major payment themes of 2018.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
August 8, 2016
When Fraud Hits Home: Questioning Today’s Authentication Methods
My wife was the recent victim of a vehicle burglary. Unfortunately, the bad guys got away with a wallet that included a driver's license along with several debit and credit cards. Since my wife is a cash-averse individual, I thought little harm, if any, would ensue since she reported the cards stolen within minutes of the crime taking place. What I thought could have been a simple stolen card scenario quickly escalated to a major assault on a demand deposit account (DDA) thanks, in large part, to authentication failures by the financial institutions involved.
Two days after the theft and with only a driver's license and a canceled debit card to identify the bank, the burglar, or an associate, was able to withdraw money from my wife's DDA by using a generic withdrawal slip found at most bank and credit union branches. They also cashed a counterfeit check drawn on another financial institution (FI) that, along with the bad check fee, was charged against my wife's account when the payor bank returned the check. While I am not sure whether the employees at the bank followed proper authentication protocols, there clearly was a breakdown as the thief was able to use the stolen driver's license to first obtain my wife's DDA number and then fraudulently withdraw funds.
While the breakdown in authentication is concerning, the FI's solution for improving authentication with my wife's new account is archaic—a password. The FI suggested that she open a new account and password-protect the account. When making an in-person transaction, she will be required to state the password before a transaction can be completed or account information revealed in addition to other authentication measures that were already in place.
My wife, not comfortable with the new proposed account set-up or with the failure in authentication on the old account, decided to seek a new FI relationship. Clearly she believed that a more technology-driven solution would have been substantially better from both a security and user standpoint than the proposed password solution. And this got me wondering. With all the efforts and investments in authentication technologies, why are passwords still being used for banking and payment transactions in 2016? What will it actually take to "kill the password," which we have been talking about for years? We are in the midst of a technology revolution, yet authentication methods from 2,000 years ago are still being suggested for use today as the primary means to protect money and assets.
In Singapore, the government has mandated two-factor authentication while allowing consumers to retain some choice in the authentication factor. In the United States, the Federal Financial Institutions Examination Council, or FFIEC, issued guidance in 2011 regarding the use of multi-factor authentication for Internet transactions. Is guidance concerning authentication enough? Without favoring any particular solution or technology, is it time to adopt better authentication methods in the United States? I am not advocating mandate like in Singapore, but my wife can give you more than 2,500 good reasons why it should be considered.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
November 30, 2015
Half Full or Half Empty?
My colleagues and I in the Retail Payments Risk Forum participate as speakers or attendees in what sometimes seems to be a nonstop stream of banking and payments conferences that run from mid-September to mid-November. This effort is part of our mission to support the education of the stakeholders in the payments ecosystem with a focus on payments risk. We also use the opportunity to network with other attendees and vendors to stay on top of the latest developments and market solutions that are being deployed to combat payments fraud. These events also give us a chance to provide our perspective on trends and key issues involving payment risk.
At a recent fraud conference, I was on a panel discussing fraud trends and key threat vectors. The moderator of the panel revealed some results from Information Security Media Group's 2014 Faces of Fraud survey of financial institutions (FIs). There was a specific question about whether FIs had seen a change in the level of losses from account takeover fraud since the Federal Financial Institutions Examination Council issued its supplemental guidance on Internet banking authentication in 2011. That guidance directed financial institutions to evaluate "new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks." The survey results are shown in the chart below.
While the moderator and some of the other panelists seemed to focus on the 20 percent who said they had seen an increase in fraud, I had the perspective of the glass being half full by the 55 percent who indicated that the fraud had stayed about the same or decreased. Given the certainty that the number and magnitude of data breaches have increased and that the number of attempts by criminals to commit some sort of payment fraud through account takeovers was significantly up, I opined that since the fraud levels for the majority of the FIs had stayed at the same level or declined should be considered as a victory.
Certainly, I am not saying the tide has turned and the criminals are on their way to retirement, but I think the payments industry stakeholders should take some pride that its efforts to combat payment fraud are making some progress through the continuing development and deployment of anti-fraud tools. Am I being too Pollyannaish?
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 20, 2015
Unsafe at Any Speed?
If you're a Corvair enthusiast, you likely get the title's reference to Ralph Nader's book that polemically accused manufacturers of resistance to the advancement of automotive safety. Shift your thoughts from automobiles, axles, and bumpers to payments, cyberattacks and data breaches. Then consider this question—if we successfully speed up payments, is payment safety more likely to advance or retreat?
I hear the question often. Since I first blogged about this topic in January, I've attended several conferences set in the context of building a better, faster, more efficient payments system. If the conversation hasn't gone straight to "safety," the topic has surely been broached before closing. The answers that presenters offer, in terms of how we make payments more secure, remain unchanged from earlier this year. The updated summary follows.
- Innovate. Make full use of such things as biometrics and tokenization. Do not fear but rather make use of the best things coming from the cryptocurrency world.
- Collaborate and coordinate. Share everything, taking full advantage of groups of all types to facilitate deployment and spread of best practices, among other things.
- Prevent and plan. In a continuous and ever-improving activity, make use of such things as enhanced threat detection and continue to layer security measures. Also, educate fully, across the spectrum of both providers and users.
- Track and report. We must do more of this in a frank, transparent way and it must be timelier.
Emphasizing and pursuing all these goals is still right in my view, yet something seems missing. I believe what's missing is a more expansive, easily accessible law enforcement regime—something that more closely parallels what's available for conventional crime fighting.
There has been good news, of late, in that various law enforcement agencies have both apprehended and successfully prosecuted cybercriminals of all sorts. What's important about this is, as law enforcement has more success, there is hope that miscreants will have an increasing expectation of getting caught. Let's assume a drop in crime rates is highly correlated to the likelihood or certainty of being caught. Self-test the theory by thinking of it this way. How often do you exceed the speed limit (answer silently to yourself). Now consider—how often do you speed when a patrol car is in the lane right next to you? It's imperative that law enforcement continue to evolve and improve such that the criminals who contemplate cybercrime increasingly anticipate they'll be caught.
The cliché that faster payments will mean faster fraud if we don't have faster security is somewhat beside the point. The fact is cybercrime has been and remains a material and looming threat. The world is all but fully a digital one and that means our police have to be able to put more—and more effective—digital patrol cars on the digital highway. Until then, to varying extents, payments are likely to be unsafe—at any speed.
By Julius Weyman, vice president, Retail Payments Risk Forum at the Atlanta Fed
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud