Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
June 1, 2020
My Dog the Cybercriminal
As I write, my dog Coco gazes at me soulfully in a bid to wrangle a bite of my peanut butter sandwich or, even better, the whole sandwich. This cute yet parasitical behavior is typical. In fact, after some weeks of close association, I have come to realize that Coco exhibits not only the skills but also the personality traits of a cybercriminal:
- She tracks my every move and knows when she's most likely to get a treat, just as scammers prepare for phishing attacks by learning about a business's vendors, billing systems, and "even the CEO's style of communication ."
- She leaps at opportunities—butter on a counter, an open dishwasher—just as scammers are leaping at the chance to steal Economic Impact Payments, as Take On Payments reported in early May.
- She balances work and reward. Coco knows the difference between kibble and mozzarella cheese and differentiates her efforts accordingly. In trainer lingo, the mozzarella is a "high-value treat," analogous to the personal information a criminal might be able to obtain via health care and Medicare fraud.
- She repeats successful tactics, like counter surfing. Similarly, perpetrators of the "grandparent scam" know that what worked with imaginary bachelor parties in 2019 will work with imaginary emergency hospitalizations in 2020.
- She's persistent. Again and again, she noses my hand away from my keyboard. Eventually, a treat or walk will ensue. Again and again, scammers email fraudulent COVID-19 cures and investment opportunities in the hope of eventual success.
- She adapts. How can she get the treat? Sit? Lie down? Roll over? Sit again? Criminal enterprises continually experiment and adjust, for example, by changing the threat of shut-off in the "classic utility scam" to an offering of discounts on utility bills.
- She's adorable. Every dog is, but trust me, Coco is especially adorable, just like the photo in a phishing email posing as an appeal from a worthy charity .
- She is utterly unconcerned with the needs and preferences of others: the criminal mind at work.
No doggy day care. No walker. Me and Coco, 24/7. Did I mention that she's adorable?
It you sight any of these doggy behaviors, you can report coronavirus-related complaints to the Justice Department National Center for Disaster Fraud.
May 11, 2020
Seeing the Future through a Morning with Fifth Graders
Early in March, I spent the morning with four fifth-grade classes at an elementary school as part of their college and career day. My son had asked me not to talk about writing blogs and papers but rather to talk about "cool" things in payments and fraud. So that's exactly what I did with each class for 15 minutes, leaving the remaining 10 minutes of the time for questions or discussion. Looking back, I wish I had allotted more time for the final portion because these fifth graders were as engaging an audience as I have ever had. I left the school with two thoughts that I think the payments industry could find valuable, so thought it would be worthy of sharing with our readers today.
First, I was surprised by the general level of awareness that the fifth graders exhibited around online safety. Many had stories to share of both successful and unsuccessful attempts of their relatives being scammed online or through the phone. Others shared stories of their parents' bank accounts or cards being compromised. Several students talked about how they search safely on the internet. I was probably naïve going into the day about their level of knowledge and awareness seeing that these kids have grown up with this technology a part of their daily lives, but call me impressed that many of them are well aware of dangers lurking and eager to learn how to better protect themselves.
Second, I was blown away by the kids' access to and use of smart-assistant speakers. I have heard a number of people project that speech recognition is the future of commerce and if the kids I met with are any indication of their generation, then I think I can get on board with those projections. In an unscientific survey, I would estimate that nearly 90 percent of the kids had access to at least one smart-assistant speaker, and amazingly 75 percent had one in their room. Without naming any names, one company dominated this space for the group. While the "phone" aspect of the mobile phone for many kids is foreign as it's primarily used as a camera or texting device, it seems that they actually are comfortable having a conversation with a speaker.
As I walked back to my car, my mind was filled with thoughts about the future. On the one hand, I was smiling because this young generation is going to be better prepared in understanding the risks of the cyberworld that will continue to play a more prominent role in our lives. People will always be vulnerable but I left with confidence that our young people are aware that there are bad people lurking behind computer screens. On the other hand, my mind was spinning because I predict that commerce through a smart-assistant speaker will be as common a practice for them as dipping a card is for me. How different that world will look from where we are today!
April 27, 2020
My Internet Journey of Self-Discovery
I don't know how many times my social security number has been compromised, much less any other personally identifiable information (PII). Knock on wood, so far I have avoided identity theft, synthetic or otherwise. I have taken all of the recommended steps to protect myself—I get fraud alerts on my credit reports, I've implemented identity monitoring, and so forth. However, given that hackers frequently sell stolen data online, I fear my social security number lingers on the dark web in perpetuity, waiting to be compromised at any time. My curiosity being what it is, I set off on the interwebs to see what I could find.
An internet search string asking "How many times has my personal data been breached?" returned some interesting results. According to the website Have I Been Pwned?, a searchable repository of data breaches, my personal email address has been breached at least a dozen times going back to 2008. Not all these instances were known to me—I do not recall having a MySpace page! I have also been notified of other breaches that were not listed here, including from financial services companies and medical providers, so the number is surely higher.
I was surprised to learn that my email address was discovered in multiple credential stuffing lists, including "Collection #1," a large collection of credential stuffing lists discovered in January 2019. According to Have I Been Pwned, 773 million unique email addresses and passwords were included. Credential stuffing is an automated cyberattack where criminals attempt to gain fraudulent access to user accounts through use of these types of collections of user names and passwords. On the bright side, if there is one, the website indicated that none of my information had been "pasted," meaning posted on public content-sharing websites frequented by hackers. For over a decade, I have used a password vault to generate and store all of my user profiles and account logins and currently have over 200 different records. I do not reuse passwords, especially for profiles that have payments instruments tied to them, and I believe this practice has provided some measure of protection from this type of activity.
The next stop on my journey was the credit bureau to see what else I could learn about the state of my PII. Experian offers consumers a free "Dark Web Internet Surveillance Report." Although five associated records were located, according to this source, my social security number is currently not on the dark web.
My identity protection monitoring service was the final stop to review my digital exposure report on information about me found on the internet. Relief! My exposure is consistent with the reports from the other sources.
I would rate myself as average in terms of my digital footprint and doubt my internet habits differ from most people's. I doubt my breach experience differs much, either, but from this journey, I've discovered that the safeguards I have in place to protect my personal information seem to be working. Have you taken an internet journey to discover where your personal information may reside? What steps have you taken to ensure your identity remains safe?
April 6, 2020
Will COVID-19 Exacerbate Ecommerce Fraud?
Ecommerce sales in the United States continue to gain a greater share of overall retail sales each year. The Department of Commerce reports that in 2019, total ecommerce sales increased almost 15 percent over 2018 and represented 11 percent of total retail sales. There is no question that with the current COVID-19 environment, our daily habits have undergone tremendous change. As part of that change, I expect that ecommerce sales will increase at a greater rate in 2020 than in 2019.
Following social isolation guidelines, consumers and businesses are turning more and more to conducting their commerce transactions online. Prepaid carry-out, drive-through, and delivery orders now dominate the dining industry as inside dining options have been largely shuttered. Large retailers have been promoting online ordering and ship-to-home delivery options as their stores are closed. TransUnion reports that in the week from March 11 to 17, when the World Health Organization classified COVID-19 as a global pandemic, ecommerce transaction volume increased 23 percent over the previous week.
This spike in ecommerce traffic will likely bring with it a parallel spike in criminal activity, possibly adding to the increasing fraud levels in ecommerce. This shouldn't come as any surprise. It will be important for the good guys not only to be expecting this but also to be prepared for it by making swift adjustments that match the challenge.
One of the key adjustments to consider and apply quickly is properly tuning algorithms for detecting ecommerce fraud. In normal times, anomalous-pattern detection schemes are relied on to expose fraudsters. Elements such as the type of stores commonly used, frequency of usage, average or range of transaction values, and more go into making up an overall usage pattern for a given customer. While these transaction risk models have become very sophisticated over the years, they are challenged by abrupt changes in usage patterns, especially at an individual account level. They need to be smartly and quickly adjusted. Issuers and merchants need to balance the decision of denying transactions—which brings with it the risk of disgruntled legitimate customers and lost revenues—against approving fraudulent transactions and taking financial losses. No easy task, but doable and necessary to undertake, with constant attention.
Working collaboratively with merchants, consumers can help to surprise the criminals as fraud fighting evolves. The good guys win if we exercise patience with one another and remain mindful of the balance between purchase friction and fraud avoidance as fraud-fighting tools and methods adjust. Both sides being considerate of the needs on both sides of the transaction—working together, again, with patience and willingness to engage, perhaps differently than we've been willing to in the past, could yield results that everyone (except the crooks) is happier with, in both the short run and long run.
We know fraud management teams will be busy managing their fraud-detection tools and processes and expect they will rise to the challenge. We also expect consumers are ready and willing to assist in ways that are helpful as well. The constant chess match with the criminal element will continue, and we look forward to seeing a chess piece on the good guys ' side of the board with some new moves to help aid in the fight against the bad guys.
Take On Payments Search
- account takeovers
- bank supervision
- banking regulations
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments studies/research
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- supervision and regulation
- thirdparty service provider
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud