Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
March 1, 2021
Changing Fraud Strategies: Hindsight Is 2020
Editor's note: This is the first of a three-part series.
It's been exciting to see such rapid innovation in payments recently. It's also been a little frightening, when we think of how quickly fraudsters and cybercriminals capitalize on fast-changing behaviors and how slowly others may adopt mitigation strategies.
To shed light on some of the new threats and offer tips on mitigating these new threats, Take On Payments is running a series of three posts, starting with this one. This first post presents some research and other information on the threat trends and contributing factors that escalated in 2020. The next two posts highlight innovative fraud mitigation strategies.
Account takeover fraud
- Research from one cybersecurity company found that one in every two fraudulent transactions in the finance industry in 2020 was an account takeover, and that the share of account takeover fraud jumped from 34 percent in 2019 to 54 percent in 2020. In addition, 12 percent of account takeovers are carried out with remote access technology: the fraudster tricks the victim into installing software that gives the scammer access to the victim's computer for "troubleshooting." The research also noted that social engineering has become more successful during the pandemic.
- A recent report explained that over the course of 2020, the share of account takeover fraud ranged between 70 percent and 90 percent of financial fraud attacks.
- A January 2021 article on lessons learned from 2020 reported that criminals have evolved from relying on "credential stuffing"—the use of stolen account credentials to gain access to user accounts—to using sophisticated "device emulators." These emulators can spoof the variables that fraud prevention tools look for, such as device type, browser version, language settings, screen resolution, and GPS coordinates.
- The latest Europol Internet Organized Crime Threat Assessment identified SIM-swapping fraud as a rising trend. The criminal basically deactivates a victim's SIM and ports the victim's number to another phone, allowing the criminal to thwart multi-factor authentication tools used for account logins.
New account opening fraud
- A January 2021 report noted the significant increase in fraudulent new account creation. Cybercriminals are unfortunately becoming rich with stolen credentials and synthetic identities gained from increasingly successful data breaches and phishing attacks.
- Another report said that a full 85 percent of financial institutions experience fraud in the account opening process.
- Finally, other researchers have found that traditional fraud models miss 86–95 percent of applicants that are identified as possibly synthetic. In addition, they've found that a full one in seven, or about 14 percent, of new accounts are fraudulent.
- The U.S. Secret Service recently emailed an alert to partners stating that it continues to detect a significant upsurge in e-skimming attacks. In these attacks, fraudsters load malicious code, which is increasingly difficult to detect, onto e-commerce sites to steal payment card information entered by shoppers. Cybercriminals consider e-skimming easy and highly profitable.
- Last month, the Financial Crimes Enforcement Network, or FinCEN, sent out a notice urging financial institutions to alert their customers about business email compromise, ransomware, and fraudulent payments that are attacking both vaccine delivery operations and the supply chains required to manufacture the vaccines. These crimes are drawing, in most cases, six-figure payouts.
Fraudsters see new payment behaviors and innovations as low-hanging fruit, a path of least resistance because sophisticated fraud mitigation tools have yet to be applied. Also, businesses and consumers who are new to digital or online commerce can be slow to adopt security best practices. So how should fraud mitigation strategies change to meet new threats? The next two posts will discuss how fraud strategies can build resistance with updates to organizational structure or expertise and innovative digital fraud prevention technology and security features.
February 22, 2021
New Year, New Fraud
Over the last few years, we've discussed friendly fraud in a number of Take On Payments posts. Friendly fraud occurs when an authorized payment cardholder, or someone they know, purchases goods or services and then disputes the transaction through the chargeback process to have the payment to the merchant canceled. From the merchants' perspective, there is nothing "friendly" about this, so they often refer to it as "chargeback" fraud. The actual losses from friendly fraud are difficult to measure, but it's estimated to cost merchants nearly 2 percent of their annual revenue.
With the surge in ecommerce transactions resulting from changing payment habits caused by the COVID-19 pandemic, we assume that friendly fraud—as well as other types of online payment fraud, including the emerging "refund fraud"—has significantly increased. Refund fraud is similar to friendly fraud in that a legitimate cardholder completes a transaction using legitimate credentials. However, in refund fraud, the cardholder makes the transaction fully intending to use the merchant's refund policies, rather than file a chargeback, to be reimbursed or to receive an additional product. This also differs from refund abuse, where the cardholder purchases and uses a product—often clothing or tools—and then returns it.
Refund fraud by individual cardholders has existed for decades, but more recently a network of professional refund fraudsters has emerged. Using the Dark Web and other nefarious communications forums, professional refund fraudsters seek accomplices and share tips with each other on how to manipulate a merchant's refund policies and customer service representatives. They recruit willing cardholder accomplices with the promise that in exchange for a fee, the cardholder can make large-dollar purchases, get refunded for these purchases, and still keep them. To earn the fee, the fraudster contacts the merchant's customer service personnel and, using their knowledge of the merchant's refund policies while impersonating the cardholder, demands a refund. The fraudster claims that the product never arrived or was damaged, or insists they returned the defective product. The cardholder often pays the fraudster's fee with cryptocurrency.
Like chargeback fraud, refund fraud is difficult to detect since a legitimate cardholder initiates it and the scheme generally targets a given merchant only once, avoiding a pattern of refund requests with that merchant. CardNotPresent.com recently produced an educational webinar on this type of fraud detailing the processes that fraudsters use and discussing how merchants can improve their defenses. The involvement of the organized criminal element is further evidence that merchants and card issuers must always be vigilant.
January 25, 2021
Resolve for Better Data Privacy
On the heels of a year that saw, among other things, ransomware attacks occurring about every 11 seconds and a significant supply chain breach affecting 18,000 public and private entities, better data privacy should top our collective list of New Year's resolutions. But if this wasn't among our resolutions, we still have National Privacy Day on January 28 to remind us of the need to be vigilant.
Frank Sinatra sang to us in "Love and Marriage" that you can't have one without the other. Likewise, you can't separate data privacy from data protection. Organizations that place a high value on data privacy implement strong data protection measures. Without doing so, privacy can't be assured.
The National Cyber Security Alliance, sponsor of National Data Privacy Day, has created calls to action employing a few basic privacy concepts that individuals and businesses can follow to keep data safe online.
For individuals: Own Your Privacy
- Personal info is like money: Value it. Protect it. Beyond personally identifiable information, this extends to e-commerce purchases, IP address, and location.
- Keep tabs on your apps. Don't just click "OK" on those pop-ups asking to access your location, contact lists, photos, and other personal data. Consider why it is needed and how it will be used and stored. Also, closely examine links and attachments in text messages and emails to keep malware and viruses off your mobile device.
- Manage your privacy settings. Revisit the data access permissions on your apps and web services.
For businesses: Respect Privacy
- If you collect it, protect it. Consider the data your business collects, the business purpose it serves, the way it is stored (such as data encryption), and the length of time it is stored.
- Adopt a privacy framework. Establish a privacy culture in your organization that manages risk and promotes transparency.
- Conduct an assessment of your data collection practices. Evaluate their adherence to applicable privacy regulations.
- Remember that transparency builds trust. Promote transparency with customers in the collection, use, and sharing of their personal data.
- Maintain oversight of partners and vendors. Ensure that third-party service providers share your priority for data privacy and protection.
As many of us will likely continue to work remotely well into 2021—and will likely continue our heavy use of the internet and e-commerce adopted last year—the new year provides a good opportunity to examine apps and behaviors that could put your data privacy at risk. For me, this includes reviewing locations where my payment information and other personal data are stored.
How will you resolve to better protect your data in 2021?
September 28, 2020
Encouraging Password Hygiene
Many offices have closed their doors to protect employees from COVID-19 infections, causing a surge in people working remotely in 2020. This situation has brought data security concerns to the forefront for many businesses. This past blog is a great reminder about the importance of password hygiene to protect valuable data assets. Don't fall victim to credential theft or social attacks.
Practicing good password hygiene, such as using strong passwords and never reusing them for any other application, can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigations Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.
Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?
Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.
So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.
The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.
I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.
Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!