Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
Federal Reserve Web Sites
Other Bank Regulatory Sites
November 4, 2019
Encouraging Password Hygiene
Practicing good password hygiene such as using strong passwords and never using them for any other application can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigation Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.
Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?
Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.
So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.
The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.
I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.
Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!
October 28, 2019
Should We Throw in the Towel When It Comes to Data Breach Prevention?
We've all heard it said—we've probably, cynically, said it ourselves: "It's not a matter of if but when your company will be hit by a data breach." Reports about cyberattacks and network breaches fill my daily newsfeed with headlines on ransomware attacks, attacks on multifactor authentication, and 5G network vulnerabilities. For each new, better, stronger, faster solution the industry comes up with, criminals find a way to circumvent it in seemingly short order. Is there anyone whose personal information hasn't been stolen once, twice, five times? I've lost count of how many times I've received six months of free credit monitoring.
In today's world, is there any way for an organization to fully protect itself against the broad spectrum of ever-evolving threats and still have time, resources, and capital left over to conduct its everyday business? Or should we assume that breaches are a foregone conclusion, throw in the towel when it comes to prevention, and turn our focus instead to incident response?
According to Verizon's 2019 Data Breach Investigations Report , small businesses were frequent targets of breaches. (The report looked at incidents occurring from November 1, 2017, to October 31, 2018.) Other findings it reported: outside actors perpetrated 69 percent of breaches, 52 percent were the result of hacking, and it took months or longer to discover 56 percent of the incidents.
Last year, I wrote about committing to muscle memory your organization's plan for the right of boom. A Google search on "data breach response" returns pages of results with guides, resources, and services, but the midst of a cyber-event is probably not the best time to come up with a plan. Turns out, there's an app for that! At a recent fintech conference, I saw a demo of a dynamic breach response solution that turns response into a routine business process. The company likens its app to "an airbag for network breaches" and claims the tool helps organizations prepare for, detect, and respond to data breaches. Another company demonstrated a white-labeled application for financial institutions that aims to reduce post-breach fraud and identity theft of consumers through algorithmic risk assessments that produce recommendations for actions to take to mitigate these risks.
October is National Cybersecurity Awareness Month. It's a good time to review your own right of boom plan or take steps to implement one. One resource: the Department of Homeland Security's Cybersecurity Resources Road Map for small and midsize businesses.
While it is not hyperbole to assert that criminals will breach your organization's network, you should not throw in the towel or lower your defenses against such threats. Rather, you should avail yourself of technological innovations to support breach prevention and response preparedness so your organization can restore normal business operations as quickly as possible. What approach has your organization taken to adopting threat prevention and response preparedness?
July 22, 2019
Ransomware Attacks Continue
Ransomware attacks have only continued since I addressed the problem in a recent post, and they've continued to target municipal and state agencies. Riviera Beach (May) and Lake City (June), both in Florida, were successfully attacked. Lake City paid a bitcoin ransom of approximately $470,000 while Riviera Beach paid about $600,000, also in bitcoin. These attacks took place soon after the one in Jackson County, Georgia, whose government paid $400,000 for decryption keys. While law enforcement officials recommend that victims not pay ransom for fear that doing so encourages the criminals to continue their attacks, the affected agencies often view paying the ransom as a cost-effective way to restore operations as soon as possible. Moreover, Lake City and Riviera Beach were both insured against such attacks, with a $10,000 and a $25,000 deductible, respectively. It appears that in all three of these instances, when they got their ransom, the criminals supplied the necessary data that allowed officials to regain control of the systems.
So how can governments, schools, hospitals and doctors' offices, financial services, and consumers best protect their systems from these nefarious attacks? It's not easy—criminals are constantly developing new malware to get into systems. However, here are some critical guidelines from IT security professionals that can help us all avoid or minimize the impact of a ransomware attack.
- Perform data backups at least daily, and keep at least one backup copy offsite or on portable storage devices not connected to the network.
- Avoid using end-of-life operating systems and software that cannot be updated to address known vulnerabilities.
- Install software updates and security patches as soon as possible, and follow established change control guidelines.
- Evaluate segmenting your network into separate zones to minimize the spread of a ransomware infection.
- Train and test employees regularly about how criminals use phishing attacks to load malware onto computers that can then compromise system access credentials.
- Require employees to use strong passwords.
- The IT security community is divided about how frequently passwords should be changed, but do so at least every six months.
- Maintain comprehensive access controls so that only the employees that require access to individual system have such rights, especially regarding remote access.
- Use reliable security software and, as the second bulleted item recommends, keep it updated. Evaluate adding special trusted anti-ransomware tools, some of which are free.
- Evaluate your cybersecurity insurance policy in terms of its ransomware coverage.
In addition, every agency and organization should develop a ransomware response plan that can be implemented as soon as an attack has been detected. While the immediate focus should be on minimizing the impact of the attack, elements for business continuity, law enforcement notification, media communications must also be part of the plan.
We hope you won't be a victim, but simply keeping your fingers crossed isn't an effective plan.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
July 1, 2019
Ransomware: Hopefully Not Coming Soon to a Computer Near You
In March 2018, the city of Atlanta fell victim to a ransomware attack. Criminals gained access to the city's computer network and loaded SamSam Ransomware, a malicious software. The criminals demanded a payment of approximately $51,000 in virtual currency to provide the decryption keys necessary to regain access to the infected and locked systems. The attack laid siege to the city by rendering police, utility billing, traffic court, and other systems unusable. The city refused to pay the ransom, and has since spent at least $6 million in forensic and remediation work with as much as an additional $11 million earmarked for system upgrades and other resources to combat future attacks.
Ransomware attacks have been a growing threat. While studies such as the Symantec Internet Threat Security Report show that the overall incident rate has decreased slightly, they also indicate that the range of targets has shifted. From 2013 until last year, consumers were the most frequent targets, with ransom requests in the hundreds of dollars. In the early years of these attacks, individuals would get a message that their computers had been infected and they had to pay a fee to download a fix. In many cases, the infection claim was false. Beginning in 2018, businesses—including municipalities, hospitals, and health care networks—have become primary targets, with ransom demands in the tens or hundreds of thousands of dollars. Typically, the criminals demand that the ransom be paid in cryptocurrency (nearly always bitcoin). As in the Atlanta case, these attacks often prevent customers from making payments, whether for traffic violations, business permits, or even marriage licenses.
Should ransomware targets pay the ransom? Law enforcement communities officially say "no." In some cases, when victims pay the ransom, they never receive the decryption keys to regain access to their data, or the keys don't work. There is concern that payments only encourage the criminals to commit further attacks, sometimes against the same business and demanding additional money. It is not illegal for a business to make ransomware payments, and many, including Newark, New Jersey ($30,000), have done so.
Is your computer or network prepared to defend against such an attack? Ransomware attacks typically exploit weak passwords or known security vulnerabilities in applications and operating systems. But a common entry point is through phishing of an employee to compromise legitimate system access credentials. As in business email compromise, the criminal conducts surveillance to learn about the different systems in operation and plans the initial attack to have the greatest possible impact. As we have stressed so often, prevention starts with employee education and the adoption of security best practices. In a future post, I will write about more prevention and mitigation best practices.
As for the Atlanta ransomware attack, last December, a federal grand jury returned indictments against two foreign nationals for the attack. The grand jury indicated these two people were also behind the April 2017 attack on Newark, New Jersey. There was hope in the law enforcement and cybersecurity communities that the arrest of these individuals would dampen enthusiasm for this threat vector, but attacks this year against Akron, Ohio (January), Albany, New York (March), and Baltimore, Maryland (May) suggest otherwise. None of these cities made any ransom payments.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
Take On Payments Search
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- crossborder wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator MNO
- mobile payments
- money laundering
- money services business MSB
- online banking fraud
- online retail
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- Payment Services Directive
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- thirdparty service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices UDAP
- wire transfer fraud
- workforce development
- workplace fraud