Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

April 13, 2020

Scams Proliferate in an Environment of Uncertainty and Fear

Last week, my colleague Dave Lott wrote a post highlighting a challenge that COVID-19 is bringing to the ecommerce landscape. Another unwelcome aspect of this virus has been the proliferation of email and telephone scams, as criminals take advantage of the current environment of uncertainty and fear. According to a March 31 Wall Street Journal article, the Federal Trade Commission had already received this year 7,283 complaints of coronavirus-related scams, with losses totaling $4.6 million. We in the Risk Forum have spoken and written extensively about social engineering, so it's our duty to point our readers to some resources that provide information about these scams. We hope these resources bring awareness to the situation and protect you from becoming the next victim.

Incidentally, the resources I list below and many more appear on a new Atlanta Fed page, COVID-19 Resources and Information. This page also offers links to information that can help readers navigate the many other financial challenges the virus has brought about.

As our name implies, we are a forum and work to bring people in the payments industry together to engage in discussions. As such, we encourage our readers to respond to this blog using the comments feature to provide us all with additional resources you find valuable in mitigating losses from COVID-19 scams. Let's all fight together to protect each other. As Helen Keller so eloquently stated, "Alone we can do so little; together we can do so much."

October 29, 2018

Remote Card Fraud: A Growing Concern

Where's the money in card payments? Despite all we hear about e-commerce and other kinds of remote payments, in-person payments remain strong. The total dollar value of in-person card payments exceeded the total dollar value of remote payments in both 2015 and 2016. In-person payments were 56 percent of all card payments by value in 2016, and 58 percent in 2015. By number, the race is not even close: 78 percent of card payments were in person in 2016.

Graph-one

Looking at change from 2015 to 2016, however, another story could be emerging. When we consider the growth in the value of card payments, remote payments grew by 11 percent from 2015 to 2016, compared to about 3 percent growth by value for in-person card payments. By number, in-person card payments increased 5 percent and remote by 17 percent.

It wasn't only remote payments that grew from 2015 to 2016—so did remote fraud. In fact, it grew faster than remote payments did overall. Remote fraud by value grew more than three times faster than the value of remote payments—35 percent compared to 11 percent. By number, remote fraud grew about twice as fast—32 percent compared to 17 percent.

In contrast to the mix of remote and in-person card payments overall, where in-person payments still are the majority, fraudulent remote card payments were more than half of all fraudulent card payments by both value and number in 2016.

Graph-two

These data suggest that remote card payments fraud is likely to be of increasing concern for the U.S. payments system going forward. Additional data are included in the report at www.federalreserve.gov/paymentsystems/fr-payments-study.htm.

To learn more about payments fraud, you can sign up for the Talk About Payments webinar on November 1 at 11 a.m. (ET). This webinar is open to the public, but you must register in advance to participate.

By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


August 6, 2018

The FBI Is on the Case

I recently took advantage of a job shadow program in our Information Security Department (ISD). I joked with our chief information security officer that I was ready to "ride along" with his detectives for our own version of the television drama series Crime Scene Investigations (better known as CSI).

All jokes aside, I enjoyed working with ISD as part of the team rather than as an auditor, a role I have played in the past. We spent a good part of the day walking through layered security programs, vulnerability management, and data loss prevention. Underneath these efforts is an important principle for threat management: you can't defend against what you don't know.

Threat investigations absolutely must uncover, enumerate, and prioritize threats in a timely manner. Digging into each vulnerability hinges on information sharing through adaptable reporting mechanisms that allow ISD to react quickly. ISD also greatly depends on knowledge of high-level threat trends and what could be at stake.

It turns out that many payments professionals and law enforcement agencies also spend a large part of their time investigating threats in the payments system. After my job shadowing, I realized even more how important it is for our payments detectives to have access to efficient, modern information-sharing and threat-reporting tools to understand specific threat trends and loss potential.

One such tool is the Internet Crime Complaint Center (IC3). The FBI, which is the lead federal agency for investigating cyberattacks, established the center in May 2000 to receive complaints of internet crime. The mission of the IC3 is two-fold: to provide the public with a reliable and convenient reporting mechanism that captures suspected internet-facilitated criminal activity and to develop effective alliances with industry partners. The agency analyzes and disseminates the information, which contributes to law enforcement work and helps keep the public informed.

The annual IC3 report aggregates and highlights data provided by the general public. The IC3 staff analyze the data to identify trends in internet-facilitated crimes and what those trends may represent. This past year, the most prevalent crime types reported by victims were:

  • Nonpayment/Nondelivery
  • Personal data breach
  • Phishing

The top three crime types with the highest reported losses were:

  • Business email compromise
  • Confidence/Romance fraud
  • Nonpayment/Nondelivery

The report includes threat definitions, how these threats relate to payments businesses, what states are at the highest risk for breaches, and what dollar amounts correspond to each crime type. This is one tool available to uncover, enumerate, and prioritize threats to the payment ecosystem. Do you have other system layers in place to help you start your investigations? If you don't know, it might be time for you to take a "ride along" with your detectives.

By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 6, 2018

Attack of the Smart Refrigerator

We've all heard about refrigerators that automatically order groceries when they sense the current supply is running low or out. These smart refrigerators are what people usually point to when giving an example of an "internet-of-things" (IoT) device. Briefly, an IoT device is a physical device connected to the internet wirelessly that transmits data, sometimes without direct human interaction. I suspect most of you have at least one of these devices already operating in your home or office, whether it's a wireless router, baby monitor, voice-activated assistant, or "smart" lights, thermostats, security systems, or TVs.

Experts are forecasting that IoT device manufacturing will be one of the fastest growing industries over the next decade. Gartner estimates there were more than 8 billion connected IoT devices globally in 2017, with about $2 trillion going toward IoT endpoints and services. In 2020, the number of these devices will increase to more than 20 billion. But what security are manufacturers building into these devices to prevent monitoring or outside manipulation? What prevents someone from hacking into your security system and monitoring the patterns of your house or office or turning on your interior security cameras and invading your privacy? For those devices that can generate financial transactions, what authentication processes will ensure that transactions are legitimate? It's one kind of mistake to order an unneeded gallon of milk, but another one entirely to use that connection to access a home computer to monitor one's online banking transaction activity and capture log-on credentials.

As one would probably suspect, there is no simple or consistent answer to these security questions, but the overall track record of device security has not been a great one. There have been major DDoS attacks against websites using botnets composed of millions of IoT devices. Ransomware attacks have been made against consumers' home security systems and thermostats, forcing consumers to pay the extortionist to get their systems working again.

Some of the high-end devices such as the driverless cars and medical devices have been designed with security controls at the forefront, but most other manufacturers have given little thought to the criminal's ability to use a device to access and control other devices running on the same network. Adding to the problem is that many of these devices do not get software updates, including security patches.

With cybersecurity issues grabbing so many headlines, people are paying more and more attention to the role and impact of IoT devices. The National Institute of Standards and Technology (NIST) has begun efforts to develop security standards for cryptology that can operate within IoT devices. However, NIST estimates it will take two to four years to get the standard out.

In the meantime, the Department of Justice has some recommendations for securing IoT devices, including:

  • Research your device to determine security features. Does it have a changeable password? Does the manufacturer deliver security updates?
  • After you purchase a device and before you install it, download security updates and reset any default passwords.
  • If automatic updates are not provided to registered users, check at least monthly to determine if there are updates and download only from reputable sites.
  • Protect your routers and home Wi-Fi networks with firewalls, strong passwords, and security keys.

I see IoT device security as an issue that will continue to grow in importance. In a future post, I will discuss the privacy issues that IoT devices could create.

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
