Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources; listen to our Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

September 28, 2020

Encouraging Password Hygiene

Many offices have closed their doors to protect employees from COVID-19 infections, causing a surge in people working remotely in 2020. This situation has brought data security concerns to the forefront for many businesses. This past blog is a great reminder about the importance of password hygiene to protect valuable data assets. Don't fall victim to credential theft or social attacks.


Practicing good password hygiene such as using strong passwords and never using them for any other application can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigation ReportOff-site link reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.

Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?

Interestingly, while I was pondering this issue, I came across a Wall Street Journal articleOff-site link. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.

So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.

The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.

I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.

Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!

September 21, 2020

Personal Responsibility for Irrevocable Payment Scams

Those who have experience with parenting know that with many joys come challenges. For me, one of those challenges is teaching my children the importance of personal responsibility. Picking up after themselves, making sure their chores are finished before running out the door to play, and owning up to mistakes are just some of the personal responsibilities that they struggle with daily. And while there is a light at the end of the tunnel for this struggle, I firmly believe it is their having to experience the consequences that is getting us there. In this parent's opinion, knowing there are consequences for their actions helps children become responsible.

You might be thinking, "What does this notion of teaching personal responsibility have to do with payments?" Earlier this year, my colleague Dave Lott started the dialogue among those of us at the Risk Forum, and perhaps within some of our readers' circles, when in a post he posed the question "What is the likelihood that similar protections will be extended to consumers here (United States)?" The post was related to the extension of consumer protections in the United Kingdom to combat its growing problem of authorized push payment (APP) fraudOff-site link.

In August, a UK-based consumer advocate organization called Which?Off-site link released a research reportOff-site link based on the experiences of 150 consumers related to the Contingent Reimbursement Model (CRM) Code adopted by many financial institutions in the United Kingdom in 2019. The CRM Code has two primary goals: to reduce the occurrence of APP fraud and, for the fraud that occurs, to reduce the impact. Many of these scam payments in the United Kingdom are occurring on their faster payments rail, which was designed to make payments immediate and irrevocable. The report concluded that consumers' experiences with reimbursement for APP scams were mixed. Some consumers were reimbursed by their financial institution after authorizing payments to scammers while others were unable to receive any reimbursements.

The primary payment instrument in the United States today for large-scale corporate APP scams is wire. For consumers, person-to-person (P2P) services such as CashApp, Venmo, and Zelle are being used to scam individuals out of money. All these payments, both business and consumer, are irrevocable. Once the payments leave their accounts, neither the financial institution nor service provider has liability. But should individuals in the United States, like those in the United Kingdom, be afforded protections for these wire and P2P payments if they're scammed? And should these protections also apply to newer real-time payment schemes here in the United States?

My personal belief is that financial institutions or P2P services should not be responsible for people who fall victim to APP scams. Their responsibility should be limited to educating their customers on the rules around these payments and their finality when executed. APP scams are often the result of social engineering campaigns, and I am of the thought that, just as I expect my children to accept personal responsibility for their mistakes, it's fair for consumers to accept their responsibility for making sure they do not become the next social engineering victim. Do you think this is a reasonable approach to these scams and payments? Or should the United States banking industry and regulators move toward a model like the United Kingdom has in place?

July 27, 2020

SNAP Gets Snappier and Offers Ecommerce and Fraud Prevention

In April 2019, the USDA launched the Supplemental Nutrition Assistance Program (SNAP) online purchasing pilot programOff-site link, which allows participants to purchase groceries online. What began as a two-year pilot program in one state with a gradual rollout to additional states is now available in 40 states (with five additional states granted approval and in the planning phase). The COVID-19 public health emergency, which has made access to online grocery shopping critical, expedited the program's deployment. The USDA also rolled out the Pandemic Electronic Benefits Transfer (P-EBT) program as a SNAP extension. With P-EBT, children in low-income households continued to receive the free or reduced-priced meals that they would normally have received in school during the 2019–20 school year.

This is certainly a positive move toward advancing ecommerce inclusion. However, more ecommerce transactions present more fraud risks and opportunities for criminals. (My colleague Doug King blogged a few years ago about fraud risks SNAP was already experiencing, including trafficking.) To mitigate some of these ecommerce risks, the Department of Agriculture's (USDA) Food and Nutrition Service (FNS), which administers SNAP, has increased security for online EBT card use. SNAP benefits and P-EBT benefits are both delivered on PIN-enabled EBT cards that function like prepaid debit cards. Retailers must use a USDA-approved, third-party processor that offers secure PIN-on-glass entryOff-site link for online purchases. When customers transact online using their EBT card, they must enter their EBT PIN to complete their purchase. In addition, retailers must successfully meet the FNS's stringent technology and testing requirementsOff-site link.

Unfortunately, these technology and testing requirements to integrate a secure online purchasing environment with the grocer's EBT benefits system are extensive and cannot be done overnight. As a workaround until retailers can fully integrate their systems, the USDA recommendsOff-site link that SNAP customers take advantage of existing services like "pay at pickup," where customers place grocery orders online and pay with their SNAP EBT card when they get their groceries—which allows them to follow both social distancing and ecommerce fraud-prevention guidelines.

The USDA's SNAP Fraud FrameworkOff-site link offers states resources to help them proactively identify potential fraud and suggests best practices on fraud prevention and mitigation. You can learn more about the USDA's efforts to manage fraud risk by visiting their websiteOff-site link

June 1, 2020

My Dog the Cybercriminal

As I write, my dog Coco gazes at me soulfully in a bid to wrangle a bite of my peanut butter sandwich or, even better, the whole sandwich. This cute yet parasitical behavior is typical. In fact, after some weeks of close association, I have come to realize that Coco exhibits not only the skills but also the personality traits of a cybercriminal:

Coco, my dog.
  • She tracks my every move and knows when she's most likely to get a treat, just as scammers prepare for phishing attacks by learning about a business's vendors, billing systems, and "even the CEO's style of communication Adobe PDF file formatOff-site link."
  • She leaps at opportunities—butter on a counter, an open dishwasher—just as scammers are leaping at the chance to steal Economic Impact Payments, as Take On Payments reported in early May.
  • She balances work and reward. Coco knows the difference between kibble and mozzarella cheese and differentiates her efforts accordingly. In trainer lingo, the mozzarella is a "high-value treat," analogous to the personal information a criminal might be able to obtain via health care and Medicare fraudOff-site link.
  • She repeats successful tactics, like counter surfing. Similarly, perpetrators of the "grandparent scamOff-site link" know that what worked with imaginary bachelor parties in 2019 will work with imaginary emergency hospitalizations in 2020.
  • She's persistent. Again and again, she noses my hand away from my keyboard. Eventually, a treat or walk will ensue. Again and again, scammers email fraudulent COVID-19 cures and investment opportunitiesOff-site link in the hope of eventual success.
  • She adapts. How can she get the treat? Sit? Lie down? Roll over? Sit again? Criminal enterprises continually experiment and adjust, for example, by changing the threat of shut-off in the "classic utility scamOff-site link" to an offering of discounts on utility bills.
  • She's adorable. Every dog is, but trust me, Coco is especially adorable, just like the photo in a phishing email posing as an appeal from a worthy charity Adobe PDF file formatOff-site link.
  • She is utterly unconcerned with the needs and preferences of others: the criminal mind at work.

No doggy day care. No walker. Me and Coco, 24/7. Did I mention that she's adorable?

It you sight any of these doggy behaviors, you can report coronavirus-related complaints to the Justice Department National Center for Disaster FraudOff-site link.