Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
May 11, 2020
Seeing the Future through a Morning with Fifth Graders
Early in March, I spent the morning with four fifth-grade classes at an elementary school as part of their college and career day. My son had asked me not to talk about writing blogs and papers but rather to talk about "cool" things in payments and fraud. So that's exactly what I did with each class for 15 minutes, leaving the remaining 10 minutes of the time for questions or discussion. Looking back, I wish I had allotted more time for the final portion because these fifth graders were as engaging an audience as I have ever had. I left the school with two thoughts that I think the payments industry could find valuable, so I thought they would be worth sharing with our readers today.
First, I was surprised by the general level of awareness that the fifth graders exhibited around online safety. Many had stories to share of both successful and unsuccessful attempts of their relatives being scammed online or through the phone. Others shared stories of their parents' bank accounts or cards being compromised. Several students talked about how they search safely on the internet. I was probably naïve going into the day about their level of knowledge and awareness seeing that these kids have grown up with this technology as a part of their daily lives, but call me impressed that many of them are well aware of dangers lurking and eager to learn how to better protect themselves.
Second, I was blown away by the kids' access to and use of smart-assistant speakers. I have heard a number of people project that speech recognition is the future of commerce and if the kids I met with are any indication of their generation, then I think I can get on board with those projections. In an unscientific survey, I would estimate that nearly 90 percent of the kids had access to at least one smart-assistant speaker, and amazingly 75 percent had one in their room. Without naming any names, one company dominated this space for the group. While the "phone" aspect of the mobile phone for many kids is foreign as it's primarily used as a camera or texting device, it seems that they actually are comfortable having a conversation with a speaker.
As I walked back to my car, my mind was filled with thoughts about the future. On the one hand, I was smiling because this young generation is going to be better prepared in understanding the risks of the cyberworld that will continue to play a more prominent role in our lives. People will always be vulnerable but I left with confidence that our young people are aware that there are bad people lurking behind computer screens. On the other hand, my mind was spinning because I predict that commerce through a smart-assistant speaker will be as common a practice for them as dipping a card is for me. How different that world will look from where we are today!
May 4, 2020
Economic Impact Payments a Target for Fraud
Take Sutton's law, an old crook's advice—"Go where the money is"—and apply it to the fact that times of crisis are also times of prime hunting for fraudsters. And, in this time of crisis, the money is where the Economic Impact Payments (EIPs) are. This post breaks down some of the common fraud schemes the criminals are using to go after these payments.
The IRS has begun sending EIPs to eligible taxpayers. The EIPs are being disbursed either through direct deposit (via ACH) or by paper check. The first wave, an estimated 81 million payments, went to those who had provided their bank account information when filing their 2018 or 2019 taxes or through other federal programs. The IRS will continue sending payments over the coming months.
The first round of check EIPs was mailed with a pay date of April 24. It is estimated that five to seven million EIP checks will be mailed every week. Mailbox check theft and counterfeit checks are the two biggest concerns for EIP checks. Citizens, retailers, and financial institutions should know how to protect themselves from being victims of counterfeit U.S. Treasury Checks. To mitigate fraud risk, the U.S. Secret Service is partnering with the U.S. Treasury in a Know Your U.S. Treasury Check Campaign.
The direct deposit EIPs, which first posted April 15, are proving a little more difficult to combat. While fraudsters may not be able to misroute the EIP funds, they are using phishing emails or vishing calls to pose as EIP recipients' legitimate payments service providers and extracting personal information to facilitate future fraudulent transactions.
So expect a significant increase in account takeover attempts as fraudsters go after these funds. Cash-outs using person-to-person transfer services are often the first-choice channel, especially given the dollar values. Account takeover is often accomplished with social engineering or scams including pleas for help. Anticipate attempts of fraud by fake or spoofed websites, as well as social media messages requesting money or personal information. Some scammers are trying to collect "fees" from consumers to allow them to receive their EIPs. Others are impersonating the IRS in calls, emails, or texts, claiming they need to verify receipt of EIPs by getting financial, banking, or personal information. The IRS does not and will not communicate in this manner.
A further consideration around ACH EIPs is that financial institutions receiving these direct deposits are not required to match the name of the account with the name on the EIP, which means that a recipient's funds could be deposited into another person's account. Taxpayers should be aware that if they provided the account information of their tax preparers (or of the preparers' third-party vendor) on their tax returns, there will be delays in receiving their payments. Compounding this is the risk that those third parties may be unscrupulous and pocket the return money. This has happened with regular tax refunds, but the risk is heightened when so many are experiencing extreme economic hardship.
Stay up to date on trends and report fraud attempts using the following resources:
- FTC Coronavirus EIP Scams and FTC Complaints
- NACHA Current Fraud Threats
- Federal Bureau of Investigation Internet Crime Complaint Center (IC3)—accepts online internet crime complaints
- Internal Revenue Service information about phishing and other scams; forward suspicious emails to firstname.lastname@example.org
April 27, 2020
My Internet Journey of Self-Discovery
I don't know how many times my social security number has been compromised, much less any other personally identifiable information (PII). Knock on wood, so far I have avoided identity theft, synthetic or otherwise. I have taken all of the recommended steps to protect myself—I get fraud alerts on my credit reports, I've implemented identity monitoring, and so forth. However, given that hackers frequently sell stolen data online, I fear my social security number lingers on the dark web in perpetuity, waiting to be compromised at any time. My curiosity being what it is, I set off on the interwebs to see what I could find.
An internet search string asking "How many times has my personal data been breached?" returned some interesting results. According to the website Have I Been Pwned?, a searchable repository of data breaches, my personal email address has been breached at least a dozen times going back to 2008. Not all these instances were known to me—I do not recall having a MySpace page! I have also been notified of other breaches that were not listed here, including from financial services companies and medical providers, so the number is surely higher.
I was surprised to learn that my email address was discovered in multiple credential stuffing lists, including "Collection #1," a large collection of credential stuffing lists discovered in January 2019. According to Have I Been Pwned, 773 million unique email addresses and passwords were included. Credential stuffing is an automated cyberattack where criminals attempt to gain fraudulent access to user accounts through use of these types of collections of user names and passwords. On the bright side, if there is one, the website indicated that none of my information had been "pasted," meaning posted on public content-sharing websites frequented by hackers. For over a decade, I have used a password vault to generate and store all of my user profiles and account logins and currently have over 200 different records. I do not reuse passwords, especially for profiles that have payments instruments tied to them, and I believe this practice has provided some measure of protection from this type of activity.
The next stop on my journey was the credit bureau to see what else I could learn about the state of my PII. Experian offers consumers a free "Dark Web Internet Surveillance Report." Although five associated records were located, according to this source, my social security number is currently not on the dark web.
My identity protection monitoring service was the final stop to review my digital exposure report on information about me found on the internet. Relief! My exposure is consistent with the reports from the other sources.
I would rate myself as average in terms of my digital footprint and doubt my internet habits differ from most people's. I doubt my breach experience differs much, either, but from this journey, I've discovered that the safeguards I have in place to protect my personal information seem to be working. Have you taken an internet journey to discover where your personal information may reside? What steps have you taken to ensure your identity remains safe?
April 20, 2020
Privacy Versus Biometrics and Other Technology in Our Novel COVID-19 World
More than three years ago, a Take on Payments post discussed some of the social benefits biometrics technology offers. The post highlighted work by Michigan State University's Distinguished Professor and biometrics expert Anil Jain on a project in India showing how the capture of an infant's fingerprints over the age of six months can be used to identify that child on future visits to ensure that the child had received vaccinations and other care.
Since that time, biometric authentication has found its way into a growing number of financial and nonfinancial applications. We are all familiar with the use of fingerprint or facial recognition to unlock applications on our smartphones. At our hometown Atlanta airport and airports across the nation, the Transportation Security Administration (TSA) has improved the efficiency of the TSA PreCheck process by using technology that compares the photograph on your identification document (passport or driver's license) to an image of your face captured by a high-definition camera at the officer's station, eliminating the need for you to produce your boarding pass. Not only is the system making sure that the images match, but it also verifies that you have PreCheck clearance and are scheduled on a flight out of that airport on that day.
The COVID-19 pandemic has also led to the development of a number of applications using various combinations of such technologies as facial recognition, thermal imaging, and geolocation. A number of airports in the United States are using thermal imaging to detect passengers with a fever. Some countries have used a combination of these three technologies to detect that a person has a fever, identify that person, and track that person to determine who they might be infecting. (Of course, an individual can have a fever for other reasons.)
This particular use of the applications has led to concerns about privacy rights in those countries. While contact tracing can provide a social benefit in helping identify additional individuals that could become infected, what are the privacy rights of the ones being tracked? The greatest threat is when biometrics and other data are being collected without an individual's knowledge. Who has access to that information, how else is it being used, and how long will it be retained?
In the United States, a number of states (including Illinois) have biometrics information privacy laws, but rights and responsibilities are inconsistent from state to state. The Health Insurance Portability and Accountability Act, or HIPAA, provides additional safeguards for the privacy of a person's medical information. But how do you balance the privacy rights of the individual against the need for the overall safety of the general public?