Please enable JavaScript to view the comments powered by Disqus.


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

June 10, 2019

The ABCs of Elder Financial Exploitation

In 2011, the World Health Organization designated June 15 as World Elder Abuse Awareness Day. So each year, a number of organizations supporting the elderly run educational campaigns throughout the month of June aimed at increasing awareness of elder abuse. This crime has a number of different forms: physical, emotional, or sexual abuse, neglect and abandonment, and financial exploitation.

We covered the growing impact of elder financial abuse in terms of numbers in a post last August. That growth is being driven by a double whammy: the surge in the senior population and the proliferation of available exploitation attack channels, thanks to the internet. Because none of this is likely to slow down for some time, education is critical. As the Retail Payments Risk Forum has stressed before, education is an important element in curbing fraud, and this area is no exception.

Here are some of the more common financial scams targeting the elderly:

  • Charity: The victim receives a request, usually over the telephone or in a public place, for donations for natural disaster relief or other good causes, but the funds are not used for such purposes.
  • Sweepstakes/lottery: The victim receives a letter, email, or telephone call with the news that they have won a lottery or cash sweepstakes—but they have to pay a tax or administrative fee in advance.
  • Home repairs: Someone tells the victim that some aspect of their property needs repair—for example, the driveway, roof shingles, or gutters—and it can be done inexpensively since there is a "crew already in the area." The victim must pay by cash or check in advance, but the crew never appears to do the work.
  • Romance: The fraudster, often posing under a false identity, makes romantic overtures and eventually asks the victim to send money so he or she can travel to meet them.
  • Tax: The victim receives a phone call from the fraudster claiming to be an IRS agent pursuing back taxes and unless the victim sends funds immediately, they will be subject to arrest. A variant of this scam involves the perpetrator posing as a police officer pursuing unpaid traffic tickets or other infractions.
  • Virus: A "technical support" company calls the victim, claiming that a virus has infected the victim’s computer. For the payment of a "modest fee," the company can download software that can kill the virus and protect the computer against future attacks. Often, the software downloaded actually contains some form of malware that may allow the criminal to compromise the banking credentials of the victim.
  • Other advance fee fraud: The fraudster requests money to help a relative in jail or stranded on the roadside. The situations are completely false but might contain some element of truth as the scammer may have found information on social media providing a name or that the named individual is out of town.
  • Identity theft: The criminal communicates with the victim through social media, telephone, or email to obtain bank account or other information allowing them to attempt a wide variety of fraudulent activities including credit applications, unauthorized account transactions, and more.
  • Investments: The victim is convinced to purchase an annuity or some other investment with a supposed lucrative payback.

Sadly, most elder financial abuse is committed by family or other people who are trusted with care of the elderly, which makes the crime more difficult to detect. Such abuses range from the transfer of property or securities to the theft of liquid assets through check writing or ATM withdrawals.

While researching this issue, I was heartened to learn that various organizations are developing or improving software products to help spot potential financial exploitation or to provide training materials. The American Association of Retired Persons recently launched a pilot program for financial institutions called BankSafe. It is a free online training program with educational material presented in different formats, including video games, distributed by the Independent Community Bankers of America and the Credit Union National Association, and, directly, by some financial institutions. In addition, a recent Dow Jones Institutional News article highlighted some fintech products designed to alert trustees of unusual or suspicious activity.

If you know of any valuable programs or organizational efforts to increase awareness of elder financial abuse, please let us know.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 26, 2018

Explosive News Regarding ATMs

You've probably seen at least one video of a criminal attaching a chain from a truck an ATM to try to pull the ATM out of its mounts. Or maybe you've seen one of someone using a sledgehammer to try to smash an ATM open. Although these types of attacks are destructive, they do not rise to the level of the explosive attacks that have been taking place in Europe, Australia, and South America—and, just recently, in the United States. First reported about 10 years ago in Europe, their frequency has increased dramatically over the last several years.

I learned a bit about these and other ATM dangers at a conference I recently attended in Las Vegas on emerging functionality for ATMs and cash dispensers. One of the most interesting sessions was a presentation on ATM crimes that a U.S. Secret Service agent gave. The agent talked about the two major categories of ATM terminal crimes: logical and physical attacks. Criminals carry out logical attacks using software, skimming devices, or cameras. With software, they aim to gain access to the ATM software or operating system so they can intercept data transmissions or issue commands to dispense currency. With skimming or shimming devices and cameras, they can capture card and PIN data. A recent logical attack "jackpotted" an ATM—that was the first time in the United States that a criminal forced an ATM to dispense all its currency.

Criminals trying to blow up ATMs in Europe have predominately used gas. They pump a combustible gas like oxyacetylene, used in welding, into the ATM enclosure through a drilled hole, currency slot, or other entry point, and then detonate it. This 2015 Bloomberg Businessweek article describes explosive attacks in England in great detail.

Unfortunately, reports indicate that solid explosives such as dynamite, explosive gel, and C4 are becoming more common in Europe and South America. In Brazil, dynamite is the predominant explosive, in part because a large supply of dynamite was stolen from a mining operation. As expected, these attacks are highly destructive, not only to the ATM but also to the surrounding building, which you can see in the photo below (this ATM attack recently took place in Atlanta). Normally these attacks are carried out at ATMs in isolated locations at off-hours. Fortunately, I have not heard of any loss of life or injuries to innocent people from these attacks.

From tweet
Source: WSB-TV

Because the frequency of these attacks is growing, ATM manufacturers and other third parties have developed countermeasures either to detect and thwart the attacks or to reduce the monetary value of a successful attack. For gas attacks, detection sensors installed in the ATM may do several things: trigger an audible—and monitored—alarm, release a gas-suppression system to prevent detonation, open a cover to prevent the gas pressure from building to a level that will detonate, or trigger a currency-staining mechanism that would put an ink stain on the currency in the machine, neutralizing its ability to be used. Additionally, penetration mats may be installed inside the ATM fascia that could detect drilling. Regrettably, attacks with solid explosives are more difficult to mitigate, but the industry has responded with harder enclosures and currency-inking neutralization systems.

We can hope that such attacks will not grow in frequency the United States, but security folks will probably tell us that we are being a bit Pollyannaish. Best be prepared.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 28, 2017

Are Consumers Out of Touch?

According to the Identity Theft Resource Center (ITRC), 791 data breaches occurred in the first half of 2017, an increase of 29 percent over the first half of 2016. This rising incidence of data breaches is a continuation of a trend, as the 1,093 data breaches tracked by the ITRC in 2016 represented a 40 percent increase over breaches in 2015. As data breaches continue to proliferate, I would expect consumers to be very concerned that their payment credentials (credit, debit, and bank account numbers) are at risk of being compromised. Apparently, my expectations are a bit off, which is both puzzling and alarming.

In a just-released report on a survey conducted in May, Transaction Network Services found that only 46 percent of U.S. adults believe that a data breach may have exposed their credit or debit card information. In 2015, 60 percent of the respondents had that fear. So evidence exists that data breaches are on the rise, yet consumers have less fear today than they did in the past.

In its review of the 2017 data breaches, the ITRC found that only 13 percent resulted in the exposure of card data. However, this figure is up from 10 percent in 2016. Social Security numbers appear to be the prime target, with 60 percent of breaches exposing them. Small wonder, as this information is critical for committing identity theft. Why steal a card number when you can steal a Social Security number and apply for any number of credit cards?

I would like to think that, because the industry is making great strides in improving both transaction security, with initiatives such as EMV, and data security, with encryption and tokenization, consumers are feeling that their card data is more secure than it used to be. But the pessimist in me believes that consumers may be a bit naïve about the risks associated with data breaches, and may have also been inured by the proliferating occurrences. Or maybe because of limited liability protections, consumers just don’t care about their card data falling into the wrong hands from breaches. But now is not the time for consumers to drop their guard as data breaches—more specifically, breaches of card data—are on the rise. They must continue to take steps to protect themselves from falling victim to card breaches, such as keeping debit card PINs private and examining credit card and bank statements regularly for fraudulent transactions.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 28, 2011

Gains made in reducing identity theft, but significant fraud losses still loom

Was it a mere coincidence that the day following the release of Javelin Strategy & Research's 2011 Identity Fraud Survey Report, CNBC aired American Greed: Operation Get Rich or Die Tryin'? This show examines Albert Gonzalez's hacking into computer networks of retailers (most notorious, TJX Companies) and a payment processor (Heartland Payment Systems) and the subsequent extensive fraud using compromised credit and debit card information.

While the CNBC story was intriguing, Javelin's 2011 report just might be even more intriguing given the surprising results that identity thefts and the related losses in 2010 were at their lowest levels since 2003, when the survey began. In 2010, the incidence rate for existing card account fraud stood at a lowly 2.3 percent and only 7 percent of consumers were notified of a data breach, compared to 11 percent in 2008. While many factors are responsible for these low levels, it seems that preventive and detection measures by financial institutions, merchants, and consumers are playing a positive role. However, the fact remains that in the current magnetic-stripe environment, all parties could still experience significant losses from counterfeit cards if a large data breach were to occur.

Merchants and PCI implementation: Success in reducing data breaches
At year-end 2010, Visa reported that 96 percent of its Level 1 and 2 merchants (merchants with more than 1 million transactions a year) were compliant with the Payment Card Industry Data Security Standard (PCI DSS), and 100 percent had been validated as not storing prohibited data. For smaller merchants (Level 3 and 4), Visa reports moderate PCI DSS compliance but does not offer any figures. Watching the CNBC special, it was a bit harrowing to fully understand the amount of card and personally identifiable data that merchants and processors store, sometimes without even encrypting the data. The PCI DSS was put into place to not only require the encryption of data, but also prohibit the storage of certain sensitive cardholder authentication data such as full magnetic-stripe data, CVV2 codes, and PINs. In the event that a PCI DSS-compliant merchant is hacked, it would be much more difficult to perpetrate a fraud as extensive as Albert Gonzalez and his accomplices pulled off. It’s possible that these strict data standards have been effective in thwarting fraudsters and hackers.

Financial institutions and consumers working together to reduce detection times
Not only are the incidence of existing card account fraud and related losses stemming from identity theft at all time lows, the detection time—and subsequent losses—for this type of fraud is significantly shorter than for existing noncard fraud and new account fraud. According to Javelin, 31 percent of all existing card fraud is detected within a day or so, and nearly another 30 percent within a week. The top three fraud detection methods as reported by Javelin are notification to a consumer by a financial institution, consumer's monitoring of accounts through paper statements, and consumer's monitoring of accounts through electronic means or ATM. With increased availability, and consumer usage, of online and mobile banking, consumers can more easily monitor their accounts and more quickly identify fraudulent transactions than with the traditional method of a monthly paper statement. Many financial institutions are also being proactive in their battle against fraud by using the mobile channel to push notification alerts of potential fraudulent transactions to the consumer. According to Javelin's 2010 Banking Identity Safety Scorecard, 85 percent of the top 30 banks or credit unions offer mobile phone alerts.

Still vulnerable from the mag stripe, but where to go from here?
Even though we've taken great strides to reduce identity theft and related fraud losses, we can't make the same claim for card technology in the United States. As history shows us, fraudsters are often a step ahead of the industry. And unfortunately, implementation of new standards and technology is often reactive to the latest fraud rather than proactive to fraud that could happen. As long as the United States remains a magnetic-stripe country, we'll continue to have the risk for widespread fraud losses from the counterfeiting of magnetic-stripe cards.

Visa recently recognized the importance of chip-and-pin along with PCI DSS compliance when it announced its Technology Innovation Program (TIP). With TIP, merchants will no longer have to go through costly annual PCI DSS validation if 75 percent of their Visa transactions are completed at chip-and-pin-enabled terminals—but TIP is not available to merchants in the United States. Though much has been written about the lack of a business case for contact or contactless chip form factors in the United States, will continued mag-stripe fraud and the potential for even larger losses—all while the rest of the world migrates to chip-and-pin—finally build that case?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed