Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
January 13, 2020
My Madeleine Moment: A 1965 Penny
It's not often that reading a book related to my professional activities reminds me of my grandmother. Born in 1900, she regularly stuffed me with tapioca pudding. Decades before the Instapot, she mastered the pressure cooker. Always ready with a hug, she turned up on page 46 of Bill Maurer's How Would You Like to Pay? How Technology Is Changing the Future of Money.
My grandmother always carried a penny, loose, in her "pocketbook" for good luck. If she gave me a handbag or coin purse, there would be a penny inside. It was essential. I couldn't walk out the door without a penny for luck.
My Proustian moment came when I read Maurer's comment: "People working on new technologies of money tend to assume that money is just money. But money is so much more, besides." And up popped the penny, a memory buried for decades.
You may have childhood memories around the idea of money-as-more-than-money. An uncle who surreptitiously handed over a crisp bill, perhaps. Or adult memories—for example, the dry cleaner who refused to exchange two of my singles for one of his lucky $2 bills.
Maurer, an anthropologist at the University of California, Irvine, posits that such extra-monetary characteristics of money are important for financial product design going forward. And, indeed, we've seen examples of form factors that add value. Doug King has reported that some consumers are enamored of metal credit cards. "They love how metal cards feel and they love the sound that they make when they drop them on a counter or table." My neighbor tells me that she feels cool tapping her watch to pay for groceries. Many consumers work hard to keep a pristine titanium card clean; some store it in a special pouch.
There's something more to this than a medium of exchange, a unit of account, a store of value, as Maurer notes when he describes the use of money in rituals around the world. He writes that people do "all sorts of things with money besides earn it, pay with it, and save it." Take, for example, my origami dog, pictured here.
How are financial institutions and fintechs incorporating ancient totems into product design so that the safest way to transact would also have this sort of intrinsic value-add? Let me know your thoughts.
January 6, 2020
Phone Payment Bingo
Let's play a game of mobile payments bingo. Say yes to all five and you win!
In the last three days, did you use your mobile phone to:
Do your answers to these questions give you the idea that you are using your phone more and more to pay? If so, you're in line with the latest results from the Diary of Consumer Payment Choice.
As you can see below, using a phone to pay—especially to pay bills and other people—has increased as a share of payments in recent years. More payments are being made with phones.
- In October 2016, 11 percent of bill payments were made via mobile phone; in 2018, 18 percent.
- In October 2016, 5 percent of payments to another person were made via mobile phone, in 2018, 17 percent.
The Diary of Consumer Payment Choice records the daily payments behavior of U.S. consumers 18 and older. Consumers report not only whether or not they used a mobile phone but also if they used a computer or tablet—either remotely or in person—or snail mail to pay. They record the dollar amount of the payment, the payment instrument used (for example, cash, debit card), and the purpose or payee (utilities, grocery store). These consumer behavior data can be analyzed in the context of household income and demographic attributes.
You can read the full report online and download the data for analysis.
By the way, I couldn't complete my bingo card. My answers:
- Yes, 34-pound bag of dog food (using the web browser on my phone).
- Yes, coffee from my local barista (using a QR code).
- Yes, see my answers #2 and #3.
How about you? Did you win?
December 23, 2019
New Data Posted for Federal Reserve Payments Study
If you're looking for payments reading during the holidays, take a look at a new report, the Federal Reserve Payments Study 2019, which was published last Thursday on the Federal Reserve's website.
The report finds that growth in card and ACH payments has accelerated.Here are some key findings:
- The number of ACH credit and debit transfers grew by 6 percent a year between 2015 and 2018, exceeding the 4.9 percent per year growth rate recorded for the period from 2012 to 2015.
- Debit and credit card payments grew at an accelerated rate of 8.9 percent a year between 2015 and 2018, up from the 6.8 percent yearly rate of increase from 2012 to 2015.
- For general-purpose cards overall, the value of remote payments in 2018 nearly equaled that of in-person payments.
- More than half of in-person general-purpose card payments were chip-authenticated, up from 2 percent in 2015.
- Payments made by check fell 7.2 percent a year from 2015 to 2018.
The 2019 Federal Reserve Payments Study covers card (credit, non-prepaid debit, and prepaid debit), ACH, and check payments and ATM withdrawals. In these days of fintech and new ways to pay with a phone or fingerprint, these core noncash payment types are used not only in traditional ways but also to make possible alternative payment methods and services.
We look forward to continuing the payments conversation with you on January 6, 2020, when I will be challenging you to a game of pay-with-your-phone bingo.
December 16, 2019
ATM Cash-Out Attacks Return
I first wrote about ATM cash-outs back in 2013 when these attacks were escalating. But the frequency of the attacks quickly declined when card issuers and their processors and networks hardened their defenses. So why am I writing about it again? There were some major attacks in mid-2018. A bank in India, for example, lost approximately US$13 million from more than 12,000 fraudulent transactions at ATMs located in Canada, India, and Hong Kong. The United States has seen isolated attacks in recent years, but law enforcement is concerned that these attacks will grow because perpetrators stand to obtain a large amount of money. It's critical that financial institutions and other transaction processors remain vigilant, so I'd like to bring some attention back to this especially costly crime.
These attacks require careful planning and a synchronized effort, but the payoff for the criminals can make it worth all the work. First, the criminal gains remote access to an issuer's card management system and transaction controls. Next, the criminal uses a money mule network to open new accounts with a chip card or distributes debit or prepaid cards with cloned magnetic stripes and compromised PINs to the money mules spread across the globe. In a carefully synchronized operation, the money mules begin making withdrawals at numerous ATMs. With access to the card management system, the criminal keeps resetting balances and transaction counters to get around amount and transaction limits, and withdrawals continue to be authorized. The mules continue to make withdrawals until the cash supply in the ATM is exhausted. This is how such attacks can result in a loss to issuers in the millions of dollars worldwide in just a couple of hours. Most networks have now implemented transaction monitoring capabilities that can detect abnormal transaction traffic both at the account and the financial institution levels. If the networks identify abnormalities, they contact the issuer or processor to examine the transactions more closely. Some networks, if they can't contact the financial institution or processor, are authorized to block the activity right away to prevent additional transactions until the situation can be evaluated. Some criminals have responded by increasing the number of targeted accounts so the activity is spread across more accounts and the detection thresholds are not crossed as quickly.
Here are some steps that issuers and processors can take to defend against cash-out attacks:
- Follow standard cybersecurity protocols related to password strength and management of system access controls to prevent compromise of system access credentials.
- Evaluate adding further layers of authentication/approval for remote changes to card management data fields such as account balances and transaction counters.
- Discuss with processors and networks any additional monitoring capabilities they may have to mitigate such attacks.
As the ATM celebrates its golden anniversary, cash-out attacks remind us of the constant efforts by criminals to defraud financial institutions and other stakeholders in the payments industry. Cash-out attacks are not new, but they can still result in huge losses, so the industry needs to remain vigilant and continue to look for ways to defeat them.