
About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


October 28, 2019

Should We Throw in the Towel When It Comes to Data Breach Prevention?

We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.

In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?

According to Verizon's 2019 Data Breach Investigations Report, small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.

Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.

October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.

While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?

June 24, 2019

Moving towards Electronic Social Security Number Verification

Earlier this year, a colleague wrote a Take on Payments post about synthetic identity fraud. Throughout the year, we've found ourselves talking often with representatives from law enforcement and financial institutions about the growth of this particular type of fraud. There are different estimates that try to catalogue the damage, but one that strikes me is that synthetic identity fraud could account for as much as 5 percent of uncollected debt and be responsible for approximately 20 percent of credit losses.

A major challenge to mitigating this fraud is the difficulty financial institutions and other lenders have in confirming that a Social Security number (SSN) being presented actually belongs with the name of the person presenting it and that their date of birth actually matches the SSN. Prior to June 2011, the first three digits of the SSN provided geographical clues to the number holder's birth state, which allowed for some basic verification, but the Social Security Administration (SSA) now randomizes all numbers, which makes this minimal form of verification impossible for any SSN issued after that date. Currently, the SSN verification process requires that the requester complete a wet-signature consent form that is submitted in hard copy to the SSA. Hardly a speedy process in a day and age when financial institutions and lenders are striving to make many lending decisions in hours or minutes, not days! But change from the SSA is in the air.

On June 7, the SSA published a notice in the Federal Register announcing initial enrollment for a new electronic consent-based SSN verification service. The notice is full of details about this program, and its initial enrollment is open to all financial institutions (FIs) and FI service providers as defined by the SSA. Participation in the pilot program requires that enrollees pay an initial administrative fee followed by volume-based pricing according to the annual number of transactions. The initial enrollment period opens on July 17 and will run through July 31. Following this period, the SSA will select a limited number of enrollees across several different categories for participation in the program, which is set to begin June 2020. Even if an applicant company is not selected to participate in the initial program, it would be eligible to participate when the program expands. Otherwise, new applicants will have to wait until the next enrollment period, which could be as long as two years.

This new SSA program would be a positive step toward reducing synthetic identity fraud. However, there is a balancing act between the costs for combating fraud and the actual cost of fraud. It will be interesting to follow the enrollment figures and other metrics to determine how effective this measure turns out to be. How do you feel about these efforts by the SSA?

June 10, 2019

The ABCs of Elder Financial Exploitation

In 2011, the World Health Organization designated June 15 as World Elder Abuse Awareness Day. So each year, a number of organizations supporting the elderly run educational campaigns throughout the month of June aimed at increasing awareness of elder abuse. This crime has a number of different forms: physical, emotional, or sexual abuse, neglect and abandonment, and financial exploitation.

We covered the growing impact of elder financial abuse in terms of numbers in a post last August. That growth is being driven by a double whammy: the surge in the senior population and the proliferation of available exploitation attack channels, thanks to the internet. Because none of this is likely to slow down for some time, education is critical. As the Retail Payments Risk Forum has stressed before, education is an important element in curbing fraud, and this area is no exception.

Here are some of the more common financial scams targeting the elderly:

  • Charity: The victim receives a request, usually over the telephone or in a public place, for donations for natural disaster relief or other good causes, but the funds are not used for such purposes.
  • Sweepstakes/lottery: The victim receives a letter, email, or telephone call with the news that they have won a lottery or cash sweepstakes—but they have to pay a tax or administrative fee in advance.
  • Home repairs: Someone tells the victim that some aspect of their property needs repair—for example, the driveway, roof shingles, or gutters—and it can be done inexpensively since there is a "crew already in the area." The victim must pay by cash or check in advance, but the crew never appears to do the work.
  • Romance: The fraudster, often posing under a false identity, makes romantic overtures and eventually asks the victim to send money so he or she can travel to meet them.
  • Tax: The victim receives a phone call from the fraudster claiming to be an IRS agent pursuing back taxes and unless the victim sends funds immediately, they will be subject to arrest. A variant of this scam involves the perpetrator posing as a police officer pursuing unpaid traffic tickets or other infractions.
  • Virus: A "technical support" company calls the victim, claiming that a virus has infected the victim's computer. For the payment of a "modest fee," the company can download software that can kill the virus and protect the computer against future attacks. Often, the software downloaded actually contains some form of malware that may allow the criminal to compromise the banking credentials of the victim.
  • Other advance fee fraud: The fraudster requests money to help a relative in jail or stranded on the roadside. The situations are completely false but might contain some element of truth as the scammer may have found information on social media providing a name or that the named individual is out of town.
  • Identity theft: The criminal communicates with the victim through social media, telephone, or email to obtain bank account or other information allowing them to attempt a wide variety of fraudulent activities including credit applications, unauthorized account transactions, and more.
  • Investments: The victim is convinced to purchase an annuity or some other investment with a supposed lucrative payback.

Sadly, most elder financial abuse is committed by family or other people who are trusted with care of the elderly, which makes the crime more difficult to detect. Such abuses range from the transfer of property or securities to the theft of liquid assets through check writing or ATM withdrawals.

While researching this issue, I was heartened to learn that various organizations are developing or improving software products to help spot potential financial exploitation or to provide training materials. The American Association of Retired Persons recently launched a pilot program for financial institutions called BankSafe. It is a free online training program with educational material presented in different formats, including video games, distributed by the Independent Community Bankers of America and the Credit Union National Association, and, directly, by some financial institutions. In addition, a recent Dow Jones Institutional News article highlighted some fintech products designed to alert trustees of unusual or suspicious activity.

If you know of any valuable programs or organizational efforts to increase awareness of elder financial abuse, please let us know.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 29, 2019

Next-Gen Security

In early April in Boston, I happened by the annual conference and competition of the Massachusetts School Bank Association (MSBA). Two hundred eighty-four students from 30 high schools competed in three segments: product design, marketing, and a quiz show that covered financial literacy topics. The MSBA is an association of schools with financial literacy programs and financial institutions that operate educational branch offices in schools.

I learned that next-gen security is firmly within the sights of the next gen of Massachusetts bankers. The conference theme of “personal financial security” played out in each segment. It was clear that the organizers—high school teachers and executives at financial institutions—had the financial safety of the next gen firmly in view:

  • The trivia contest consisted of general banking and personal finance questions including questions related to identity theft awareness, financial fraud, and financial cybersecurity.
  • The marketing challenge tackled the need to educate customers about security and, according to the prompt, "the need to use good security practices and tools to protect [customers] from identity theft and/or fraudulent use of their accounts."
  • In product design, the winning team from Taunton High School designed an app to help students determine if they were more or less likely to be victims of identity theft.

I chatted with students from Chelsea High School about their app: "Are you smarter than a fraudster?" Teaching others is a good way to learn yourself, and these young people were on top of best practices for protecting their payments cards (don't give out info in email or on the phone), preventing identity theft (shred documents), and keeping email safe (don't click on links from unknown parties).

When they aren't designing apps, the Chelsea students work as interns at the Chelsea High School branch of Metro Credit Union.

What is your bank doing to educate the next gen of security ninjas?