Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
May 11, 2020
Seeing the Future through a Morning with Fifth Graders
Early in March, I spent the morning with four fifth-grade classes at an elementary school as part of their college and career day. My son had asked me not to talk about writing blogs and papers but rather to talk about "cool" things in payments and fraud. So that's exactly what I did with each class for 15 minutes, leaving the remaining 10 minutes of the time for questions or discussion. Looking back, I wish I had allotted more time for the final portion because these fifth graders were as engaging an audience as I have ever had. I left the school with two thoughts that I think the payments industry could find valuable, so thought it would be worthy of sharing with our readers today.
First, I was surprised by the general level of awareness that the fifth graders exhibited around online safety. Many had stories to share of both successful and unsuccessful attempts of their relatives being scammed online or through the phone. Others shared stories of their parents' bank accounts or cards being compromised. Several students talked about how they search safely on the internet. I was probably naïve going into the day about their level of knowledge and awareness seeing that these kids have grown up with this technology a part of their daily lives, but call me impressed that many of them are well aware of dangers lurking and eager to learn how to better protect themselves.
Second, I was blown away by the kids' access to and use of smart-assistant speakers. I have heard a number of people project that speech recognition is the future of commerce and if the kids I met with are any indication of their generation, then I think I can get on board with those projections. In an unscientific survey, I would estimate that nearly 90 percent of the kids had access to at least one smart-assistant speaker, and amazingly 75 percent had one in their room. Without naming any names, one company dominated this space for the group. While the "phone" aspect of the mobile phone for many kids is foreign as it's primarily used as a camera or texting device, it seems that they actually are comfortable having a conversation with a speaker.
As I walked back to my car, my mind was filled with thoughts about the future. On the one hand, I was smiling because this young generation is going to be better prepared in understanding the risks of the cyberworld that will continue to play a more prominent role in our lives. People will always be vulnerable but I left with confidence that our young people are aware that there are bad people lurking behind computer screens. On the other hand, my mind was spinning because I predict that commerce through a smart-assistant speaker will be as common a practice for them as dipping a card is for me. How different that world will look from where we are today!
April 27, 2020
My Internet Journey of Self-Discovery
I don't know how many times my social security number has been compromised, much less any other personally identifiable information (PII). Knock on wood, so far I have avoided identity theft, synthetic or otherwise. I have taken all of the recommended steps to protect myself—I get fraud alerts on my credit reports, I've implemented identity monitoring, and so forth. However, given that hackers frequently sell stolen data online, I fear my social security number lingers on the dark web in perpetuity, waiting to be compromised at any time. My curiosity being what it is, I set off on the interwebs to see what I could find.
An internet search string asking "How many times has my personal data been breached?" returned some interesting results. According to the website Have I Been Pwned?, a searchable repository of data breaches, my personal email address has been breached at least a dozen times going back to 2008. Not all these instances were known to me—I do not recall having a MySpace page! I have also been notified of other breaches that were not listed here, including from financial services companies and medical providers, so the number is surely higher.
I was surprised to learn that my email address was discovered in multiple credential stuffing lists, including "Collection #1," a large collection of credential stuffing lists discovered in January 2019. According to Have I Been Pwned, 773 million unique email addresses and passwords were included. Credential stuffing is an automated cyberattack where criminals attempt to gain fraudulent access to user accounts through use of these types of collections of user names and passwords. On the bright side, if there is one, the website indicated that none of my information had been "pasted," meaning posted on public content-sharing websites frequented by hackers. For over a decade, I have used a password vault to generate and store all of my user profiles and account logins and currently have over 200 different records. I do not reuse passwords, especially for profiles that have payments instruments tied to them, and I believe this practice has provided some measure of protection from this type of activity.
The next stop on my journey was the credit bureau to see what else I could learn about the state of my PII. Experian offers consumers a free "Dark Web Internet Surveillance Report." Although five associated records were located, according to this source, my social security number is currently not on the dark web.
My identity protection monitoring service was the final stop to review my digital exposure report on information about me found on the internet. Relief! My exposure is consistent with the reports from the other sources.
I would rate myself as average in terms of my digital footprint and doubt my internet habits differ from most people's. I doubt my breach experience differs much, either, but from this journey, I've discovered that the safeguards I have in place to protect my personal information seem to be working. Have you taken an internet journey to discover where your personal information may reside? What steps have you taken to ensure your identity remains safe?
April 6, 2020
Will COVID-19 Exacerbate Ecommerce Fraud?
Ecommerce sales in the United States continue to gain a greater share of overall retail sales each year. The Department of Commerce reports that in 2019, total ecommerce sales increased almost 15 percent over 2018 and represented 11 percent of total retail sales. There is no question that with the current COVID-19 environment, our daily habits have undergone tremendous change. As part of that change, I expect that ecommerce sales will increase at a greater rate in 2020 than in 2019.
Following social isolation guidelines, consumers and businesses are turning more and more to conducting their commerce transactions online. Prepaid carry-out, drive-through, and delivery orders now dominate the dining industry as inside dining options have been largely shuttered. Large retailers have been promoting online ordering and ship-to-home delivery options as their stores are closed. TransUnion reports that in the week from March 11 to 17, when the World Health Organization classified COVID-19 as a global pandemic, ecommerce transaction volume increased 23 percent over the previous week.
This spike in ecommerce traffic will likely bring with it a parallel spike in criminal activity, possibly adding to the increasing fraud levels in ecommerce. This shouldn't come as any surprise. It will be important for the good guys not only to be expecting this but also to be prepared for it by making swift adjustments that match the challenge.
One of the key adjustments to consider and apply quickly is properly tuning algorithms for detecting ecommerce fraud. In normal times, anomalous-pattern detection schemes are relied on to expose fraudsters. Elements such as the type of stores commonly used, frequency of usage, average or range of transaction values, and more go into making up an overall usage pattern for a given customer. While these transaction risk models have become very sophisticated over the years, they are challenged by abrupt changes in usage patterns, especially at an individual account level. They need to be smartly and quickly adjusted. Issuers and merchants need to balance the decision of denying transactions—which brings with it the risk of disgruntled legitimate customers and lost revenues—against approving fraudulent transactions and taking financial losses. No easy task, but doable and necessary to undertake, with constant attention.
Working collaboratively with merchants, consumers can help to surprise the criminals as fraud fighting evolves. The good guys win if we exercise patience with one another and remain mindful of the balance between purchase friction and fraud avoidance as fraud-fighting tools and methods adjust. Both sides being considerate of the needs on both sides of the transaction—working together, again, with patience and willingness to engage, perhaps differently than we've been willing to in the past, could yield results that everyone (except the crooks) is happier with, in both the short run and long run.
We know fraud management teams will be busy managing their fraud-detection tools and processes and expect they will rise to the challenge. We also expect consumers are ready and willing to assist in ways that are helpful as well. The constant chess match with the criminal element will continue, and we look forward to seeing a chess piece on the good guys ' side of the board with some new moves to help aid in the fight against the bad guys.
February 10, 2020
Slowing Down the Mule Train
Slowing down the money mule train, that is. Money mules are those individuals who transfer money or goods received through fraudulent schemes on behalf of or at the direction of a criminal enterprise, often based outside the United States. It's a form of money laundering.
In December 2019, the FBI announced it was collaborating with other domestic and international law enforcement agencies to identify, stop, and prosecute major money mule networks. Two months later, it claimed that the operation had stopped the illegal actions of more than 600 domestic money mules—a 50 percent increase in their success rate over the entire previous year. (The U.S. efforts coincided with the European Money Mule Action, led by Europol, the European Union's agency that combats crime and terrorism.)
So who are these money mules and how are they recruited? The money mules fall into two main groups: innocent participants and those people who are as criminal as the leaders of the fraud schemes. It's the money mules who take the greatest risk; the leaders of the schemes use them to insulate themselves from arrest and prosecution.
The first group, the naïve participants, are generally recruited through online ads, résumés submitted to mainstream job search sites, or emails promising work-from-home employment as a "payment processing" or "money transfer" agent. Upon being "hired," these people must provide their bank account information so that deposits can be made to their accounts. If the victims say they want to open a new account to process these transactions, the contact dissuades them from doing so because new accounts face additional scrutiny and restrictions. When a deposit is made, a mule has to transfer those funds, minus the "commission," to another bank account. That account is usually outside the United States so the transfer occurs through an international money transfer service. The mule might also be asked to purchase gift cards, load funds onto them, and then provide the card numbers and PINs to the contact. Individual transactions are generally under $10,000 to avoid the filing of currency transaction reports or suspicious activity reports.
Sometimes truly innocent participants are caught in a "cuckoo smurfing" scheme. In this scenario, someone's bank account credentials are compromised without that person's knowledge. The criminal deposits or transfers money into the account and quickly moves it over to another account. The innocent participant isn't aware of this transaction until he or she checks the account.
However, the vast majority of money mules are people who clearly know they are acting illegally. They are often part of local, national, or international gangs, and use the proceeds of money mule activities to fund other criminal activities.
While there have been a number of enforcement successes, including the effort announced by the FBI, the constant attention being given to this problem indicates it persists. Hats off to all the various law enforcement agencies involved in this money mule crackdown. Hopefully, the increased publicity will prevent individuals from unknowingly becoming part of these networks as well as highlight the scams used to victimize others. What other actions do you think will help curb this type of crime?