Please enable JavaScript to view the comments powered by Disqus.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

June 10, 2019

The ABCs of Elder Financial Exploitation

In 2011, the World Health Organization designated June 15 as World Elder Abuse Awareness Day. So each year, a number of organizations supporting the elderly run educational campaigns throughout the month of June aimed at increasing awareness of elder abuse. This crime has a number of different forms: physical, emotional, or sexual abuse, neglect and abandonment, and financial exploitation.

We covered the growing impact of elder financial abuse in terms of numbers in a post last August. That growth is being driven by a double whammy: the surge in the senior population and the proliferation of available exploitation attack channels, thanks to the internet. Because none of this is likely to slow down for some time, education is critical. As the Retail Payments Risk Forum has stressed before, education is an important element in curbing fraud, and this area is no exception.

Here are some of the more common financial scams targeting the elderly:

  • Charity: The victim receives a request, usually over the telephone or in a public place, for donations for natural disaster relief or other good causes, but the funds are not used for such purposes.
  • Sweepstakes/lottery: The victim receives a letter, email, or telephone call with the news that they have won a lottery or cash sweepstakes—but they have to pay a tax or administrative fee in advance.
  • Home repairs: Someone tells the victim that some aspect of their property needs repair—for example, the driveway, roof shingles, or gutters—and it can be done inexpensively since there is a "crew already in the area." The victim must pay by cash or check in advance, but the crew never appears to do the work.
  • Romance: The fraudster, often posing under a false identity, makes romantic overtures and eventually asks the victim to send money so he or she can travel to meet them.
  • Tax: The victim receives a phone call from the fraudster claiming to be an IRS agent pursuing back taxes and unless the victim sends funds immediately, they will be subject to arrest. A variant of this scam involves the perpetrator posing as a police officer pursuing unpaid traffic tickets or other infractions.
  • Virus: A "technical support" company calls the victim, claiming that a virus has infected the victim’s computer. For the payment of a "modest fee," the company can download software that can kill the virus and protect the computer against future attacks. Often, the software downloaded actually contains some form of malware that may allow the criminal to compromise the banking credentials of the victim.
  • Other advance fee fraud: The fraudster requests money to help a relative in jail or stranded on the roadside. The situations are completely false but might contain some element of truth as the scammer may have found information on social media providing a name or that the named individual is out of town.
  • Identity theft: The criminal communicates with the victim through social media, telephone, or email to obtain bank account or other information allowing them to attempt a wide variety of fraudulent activities including credit applications, unauthorized account transactions, and more.
  • Investments: The victim is convinced to purchase an annuity or some other investment with a supposed lucrative payback.

Sadly, most elder financial abuse is committed by family or other people who are trusted with care of the elderly, which makes the crime more difficult to detect. Such abuses range from the transfer of property or securities to the theft of liquid assets through check writing or ATM withdrawals.

While researching this issue, I was heartened to learn that various organizations are developing or improving software products to help spot potential financial exploitation or to provide training materials. The American Association of Retired Persons recently launched a pilot program for financial institutions called BankSafe. It is a free online training program with educational material presented in different formats, including video games, distributed by the Independent Community Bankers of America and the Credit Union National Association, and, directly, by some financial institutions. In addition, a recent Dow Jones Institutional News article highlighted some fintech products designed to alert trustees of unusual or suspicious activity.

If you know of any valuable programs or organizational efforts to increase awareness of elder financial abuse, please let us know.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 14, 2019

Hiding in Plain Sight

Over the holidays when our family is all together, we always try to watch A Christmas Story. There are so many memorable moments in the movie, from the triple-dog-dare-you, tongue-frozen-to-the-flagpole scene to the leg lamp breakage. When the story revolves around Ralphie and the Little Orphan Annie secret decoder ring, it triggers my childhood memories of having a similar decoder ring that came with a pair of P.F. Flyers sneakers (think pre-Nike and Adidas). This year, our movie-watching led to a storytelling session of techniques worthy of any spy movie for passing secret notes. Many of the examples were like the decoder ring—they used some sort of secret alphanumeric table as a key to solve the cryptic message. In other words, we were talking about a rudimentary form of encryption, which, in today's technology, renders data useless to those without a key, whether they're bad guys or good guys.

But our conversation didn't stop there. I told a childhood story of dipping a toothpick in lemon juice and writing a message on paper. After the juice dried, the message became invisible, and I would then write an innocuous—and visible—message on the paper with pen or pencil. The recipient would carefully hold the paper over a flame to slowly reveal the hidden message. (Kids, try this only under adult supervision!) Little did I know I was using a technique called steganography—hiding a message within another message—that people also use today to protect information online.

Various forms of the technique date back to Greek civilization when untrusted messengers had to convey sensitive or classified information, or a message was at risk of being intercepted. (There is an entertaining and educational video on steganography by Richard Buckland, a professor at the University of New South Wales in Australia.) Today, technology has created a new technique in the form of digital steganography, which is the practice of hiding an image, audio, or data file within another image, audio, or data file.

A recent article in infoRisk Today highlighted the darker side of steganography, with its use by the criminal element. That article prompted me to conduct more research on the technique as a payments risk. From a cybersecurity standpoint, the greatest risk to consumers appears to be when the criminal hides a malware file within an image, audio, or other data file that, when opened, will load malware onto the device for future eavesdropping or control. Such an event could lead to the compromise of PII (or personally identifiable information), online credentials, or other sensitive information on the device without the owner's knowledge. In an August 2017 release, Kaspersky Lab warned about the difficulty for existing data protection processes to detect embedded malicious code.

Account takeover fraud is a major criminal activity that generally begins with the compromise of an individual's legitimate banking log-in credentials. A criminal who obtains this information can execute payment transaction fraud and, ultimately, synthetic identity fraud (see last week's post). While there are valid uses for steganography as an alternative to encryption, the criminal element will continue to develop uses of digital steganography to further their criminal operations and, as the infoRisk article notes, this usage is becoming more sophisticated and harder to detect.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 10, 2018

A Look in the Rearview Mirror of Payments for 2018

I'm sure just about everyone else in the payments industry would agree with me that 2018 was yet another exciting year for payments. The year was filled with a host of newsworthy events, but fintech most certainly took center stage in the financial services industry, including payments. Whether the news highlighted an announcement of a new product to increase financial access or discussed the regulatory challenges and associated concerns within the fintech space, it seemed that fintech made its way into the news on a daily basis. Still, for payments, 2018 will be remembered for more than just fintech.

The Retail Payments Risk Forum's last Talk About Payments webinar of 2018 will feature Doug King, Dave Lott, and Jessica Washington sharing their perspectives and memories on the year-in-payments in a round table discussion. Among the topics they will discuss are consumer payment preferences, the changing retail environment, and the state of fraud—and fintech, of course. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.

The webinar will be held on Thursday, December 20, from 1 to 2 p.m. (ET). Participation in the webinar is free, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.

We look forward to you joining us on December 20 and sharing your perspectives on the major payment themes of 2018.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 26, 2018

Explosive News Regarding ATMs

You've probably seen at least one video of a criminal attaching a chain from a truck an ATM to try to pull the ATM out of its mounts. Or maybe you've seen one of someone using a sledgehammer to try to smash an ATM open. Although these types of attacks are destructive, they do not rise to the level of the explosive attacks that have been taking place in Europe, Australia, and South America—and, just recently, in the United States. First reported about 10 years ago in Europe, their frequency has increased dramatically over the last several years.

I learned a bit about these and other ATM dangers at a conference I recently attended in Las Vegas on emerging functionality for ATMs and cash dispensers. One of the most interesting sessions was a presentation on ATM crimes that a U.S. Secret Service agent gave. The agent talked about the two major categories of ATM terminal crimes: logical and physical attacks. Criminals carry out logical attacks using software, skimming devices, or cameras. With software, they aim to gain access to the ATM software or operating system so they can intercept data transmissions or issue commands to dispense currency. With skimming or shimming devices and cameras, they can capture card and PIN data. A recent logical attack "jackpotted" an ATM—that was the first time in the United States that a criminal forced an ATM to dispense all its currency.

Criminals trying to blow up ATMs in Europe have predominately used gas. They pump a combustible gas like oxyacetylene, used in welding, into the ATM enclosure through a drilled hole, currency slot, or other entry point, and then detonate it. This 2015 Bloomberg Businessweek article describes explosive attacks in England in great detail.

Unfortunately, reports indicate that solid explosives such as dynamite, explosive gel, and C4 are becoming more common in Europe and South America. In Brazil, dynamite is the predominant explosive, in part because a large supply of dynamite was stolen from a mining operation. As expected, these attacks are highly destructive, not only to the ATM but also to the surrounding building, which you can see in the photo below (this ATM attack recently took place in Atlanta). Normally these attacks are carried out at ATMs in isolated locations at off-hours. Fortunately, I have not heard of any loss of life or injuries to innocent people from these attacks.

From tweet
Source: WSB-TV

Because the frequency of these attacks is growing, ATM manufacturers and other third parties have developed countermeasures either to detect and thwart the attacks or to reduce the monetary value of a successful attack. For gas attacks, detection sensors installed in the ATM may do several things: trigger an audible—and monitored—alarm, release a gas-suppression system to prevent detonation, open a cover to prevent the gas pressure from building to a level that will detonate, or trigger a currency-staining mechanism that would put an ink stain on the currency in the machine, neutralizing its ability to be used. Additionally, penetration mats may be installed inside the ATM fascia that could detect drilling. Regrettably, attacks with solid explosives are more difficult to mitigate, but the industry has responded with harder enclosures and currency-inking neutralization systems.

We can hope that such attacks will not grow in frequency the United States, but security folks will probably tell us that we are being a bit Pollyannaish. Best be prepared.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed