Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
August 24, 2020
Facial Recognition Biometrics: Bruised but Still Standing
So far, 2020 has been a rocky year for facial recognition biometrics. In June, Amazon, Microsoft and IBM delivered a body blow, announcing they would not sell their facial recognition software to law enforcement agencies. They cited a lack of accuracy, a potential for misuse or abuse, and the lack of federal privacy legislation to safeguard individual rights. Widespread use of facial masks due to the COVID pandemic dealt another punch. Masks have generally rendered facial recognition inoperable for any number of applications on mobile phones. The masks have also hobbled the Transportation Security Administration's plans to further automate passenger authentication and check-in processes. Will the technology be able to recover and go another round?
Unfortunately, there is a great deal of misinformation and misinterpretation of studies about the technology behind facial recognition and its use, particularly with regard to claims of racial and gender bias. Critics often point to a 2018 study by MIT and Microsoft researchers in which three facial classification algorithms misclassified the gender of light-skinned males at a rate of less than 1 percent but darker-skinned females as high as 34 percent. Critics of facial biometrics technology have pointed to the research as evidence of bias against various minority groups.
It is important to note that "gender classification" is very different from "facial recognition," although they are often lumped together in the media. In a gender classification process, a digital facial image of an individual is captured and processed through an algorithm that determines whether the image is that of a male or female. Numerous studies have shown that the accuracy of such classification systems depends largely on the database of images used to "train" the algorithm—that is, to teach it to properly classify an image. The smaller the database, the less accurate the classification.
In a facial recognition process, the digital image captured by the camera is compared using a recognition algorithm to see if it matches the individual's image in a database or on their identification document. While the top performing algorithms are highly accurate, studies have found that results can vary based on lighting, camera definition, viewing angle, and other factors. While most people think facial recognition is new technology, the casino industry has used it to identify banned players since the 1990s.
In a future post, I will discuss the findings of the National Institute of Standards and Technology in its 2020 evaluation of more than 200 facial recognition algorithms. The promising news is that the top performing algorithms showed no discernible bias.
While there are certainly privacy and other issues connected to facial recognition and other biometric technologies, I believe objective education and discussions can address these issues. So I think the technology is not on the ropes but is ready to go another couple of rounds.
November 18, 2019
Will Payments Be Getting REAL?
When someone tells you to "get real," they mean you'd better understand the true facts of a situation. Well, you'd better get REAL if you want to enter a federal building or fly on a commercial aircraft after October 1, 2020. Unusual for such major federal legislation, the REAL in the REAL ID Act of 2005 isn't an acronym but an all-caps word intended to emphasize that states must adopt minimum federal standards for the documents required to obtain a driver's license or state-issued ID card. The act also prohibits federal agencies from accepting noncompliant IDs for any type of official business.
The good news is that, for a number of years, most states have been issuing driver's licenses and ID cards that comply with the REAL ID Act, so more than likely your ID is already compliant. How can you tell? Look for a gold or black star in the upper right corner of your card. In my state, the Georgia Department of Motor Vehicles has been issuing compliant licenses and cards since July 1, 2012, and estimates that more than 96 percent of registered Georgia drivers have a compliant license. However, three states—New Jersey, Oklahoma, and Oregon—only came into compliance in early October after being granted a number of extensions.
So much time—15 years—has passed between passage of the act and the final compliance deadline because 25 states mounted legal challenges to the act's constitutionality, often claiming that it was essentially establishing a national ID card or abridging states' rights. These challenges were all defeated, but the Department of Homeland Security was required to announce a number of compliance extensions to give the states time to change their processes.
In reality, you do not have to have REAL ID-compliant identification to access federal services or commercial flights. A passport will suffice, although I think a state-issued license or ID card is more convenient. The REAL ID, however, does not substitute for a passport for international travel.
This website has a great deal of background and interesting information about the REAL ID program and the states' implementation. You can also find REAL ID information on the websites of most state motor vehicle departments.
You might ask: so what? What does this change have to do with payments and risk? While the REAL ID Act technically affects only a citizen's interactions with federal agencies, it's quite possible that financial institutions will begin requiring a compliant driver's license or ID card as an acceptable form of documentation in compliance with their Customer Identification Program.
Are you ready? Get REAL!
November 4, 2019
Encouraging Password Hygiene
Practicing good password hygiene, such as using strong passwords and never reusing them for any other application, can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigations Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.
Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?
Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.
So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.
The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.
I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.
Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!
August 19, 2019
Why Should You Care about PSD2?
The revised Payment Services Directive (PSD2) is major payments legislation in the European Union (EU) that is intended to provide consumers increased competition, innovation, and security in banking and payment services. PSD2 specifications were released by the European Banking Authority in November 2017 and require all companies in the EU to be in compliance by September 14, 2019. Earlier this year, the European Banking Authority refused a request by numerous stakeholders in the payments industry for a blanket delay of the regulation, citing a lack of legal authority to do so, although it announced it would permit local regulatory authorities to extend compliance deadlines a "limited additional time." In the United Kingdom, however, the Financial Conduct Authority (FCA) announced on August 7 that it was deferring general enforcement of the PSD2 authentication provisions until March 2021, and allowing the industry an additional six months beyond that to develop more advanced forms of authentication. The Central Bank of Ireland has also granted an extension that is expected to be similar to the FCA's, but one has not been announced as of this writing.
The PSD2 has two major requirements: open banking and strong customer authentication (SCA). With open banking, consumers can authorize financial services providers to access and use their financial data that another financial institution is holding. (Application programming interfaces, or APIs, allow that access.) The FCA had mandated that open banking for U.K. banks be in place by early 2018, while the rest of the EU kept the open banking compliance deadline the same as that for SCA compliance. While open banking represents a major change in the EU's financial services landscape, the rest of this post focuses on the PSD2's strong customer authentication requirements.
Generally, PSD2 requires financial service providers to implement multi-factor authentication for in-person and remote financial transactions performed through any payment channel. As we have discussed before in this blog, there are three main authentication factor categories:
- Something you know (for example, PIN or password)
- Something you have (for example, chip card, mobile phone, or hardware token)
- Something you are (for example, biometric modality such as fingerprints or facial or voice recognition)
PSD2 compliance requires the user to be authenticated using elements from at least two of these categories. For payments that are transacted remotely, authentication tokens linking the specific transaction amount and the payee's account number are an additional requirement.
The regulation provides for a number of exemptions to the SCA requirement. Key exemptions include:
- Low-value transactions (under €30, approximately $33)
- Transactions with businesses that the consumer identifies as trusted
- Recurring transactions for consistent amounts after SCA is used for the first transaction. If the amount changes, SCA is required.
- "Low-risk" transactions based on the acquirer's overall fraud rate calculated on a 90-day basis. Transaction values can be as high as €500 (about $555).
- Mail-order and telephone-order payments, since they are not considered electronic payments covered by the regulation
- Business-to-business (B2B) payments
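To make the two SCA mechanics above concrete, here is an added example (not code from the post, the regulation, or any provider) covering both the "authentication token linking the transaction amount and the payee's account number" requirement for remote payments and a simplified version of the exemption list. The linking token is modeled as a server-side HMAC over the challenge, payer, payee account and amount, which is one common way to implement such binding; the key, the `Transaction` fields, the `needs_sca` rule set and all sample values are assumptions constructed for the example. Only the €30 low-value, trusted-business and same-amount-recurring exemptions are modeled; the €500 "low-risk" exemption depends on acquirer fraud-rate data and is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional

# Hypothetical server-side key (constructed for this example). A real
# deployment would keep this in an HSM or key-management service.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# "Under €30" threshold from the post's exemption list.
LOW_VALUE_LIMIT_EUR = Decimal("30")


@dataclass(frozen=True)
class Transaction:
    """Assumed minimal view of a remote payment for SCA decisions."""
    amount_eur: Decimal
    payee_account: str
    payer_id: str
    trusted_payee: bool = False            # consumer marked this business as trusted
    recurring_series_id: Optional[str] = None  # set for subscription-style payments


def needs_sca(tx: Transaction, prior_sca_amounts: Dict[str, Decimal]) -> bool:
    """Simplified exemption model built only from the post's list.

    prior_sca_amounts maps a recurring series id to the amount that was
    authenticated with SCA on the first transaction of that series.
    """
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False                       # low-value exemption
    if tx.trusted_payee:
        return False                       # trusted-business exemption
    if tx.recurring_series_id is not None:
        first_amount = prior_sca_amounts.get(tx.recurring_series_id)
        if first_amount is not None and first_amount == tx.amount_eur:
            return False                   # recurring, same amount as when SCA was done
        # amount changed (or no prior SCA on record): SCA is required again
    return True


def _linked_message(tx: Transaction, challenge_id: str) -> bytes:
    # Normalize the amount so Decimal("45") and Decimal("45.00") bind identically.
    amount = tx.amount_eur.quantize(Decimal("0.01"))
    return f"{challenge_id}|{tx.payer_id}|{tx.payee_account}|{amount}".encode()


def issue_linked_token(tx: Transaction, challenge_id: str) -> str:
    """Authentication token bound to this amount and payee (dynamic linking)."""
    return hmac.new(SERVER_KEY, _linked_message(tx, challenge_id), hashlib.sha256).hexdigest()


def verify_linked_token(tx: Transaction, challenge_id: str, token: str) -> bool:
    """Accept the token only if amount, payee and payer all still match."""
    expected = issue_linked_token(tx, challenge_id)
    return hmac.compare_digest(expected, token)


def demo() -> Dict[str, bool]:
    """Run the two checks over constructed sample transactions."""
    payee = "EXAMPLE-PAYEE-ACCT-001"       # constructed account identifier
    small = Transaction(Decimal("12.50"), payee, "payer-42")
    large = Transaction(Decimal("250.00"), payee, "payer-42")
    sub_same = Transaction(Decimal("45.00"), payee, "payer-42", recurring_series_id="sub-1")
    sub_changed = Transaction(Decimal("50.00"), payee, "payer-42", recurring_series_id="sub-1")
    prior = {"sub-1": Decimal("45.00")}    # SCA was performed on the first €45 charge

    token = issue_linked_token(large, "challenge-abc")
    # A later submission claiming a different amount must fail verification.
    tampered = Transaction(Decimal("2500.00"), payee, "payer-42")

    return {
        "small_needs_sca": needs_sca(small, prior),
        "large_needs_sca": needs_sca(large, prior),
        "recurring_same_needs_sca": needs_sca(sub_same, prior),
        "recurring_changed_needs_sca": needs_sca(sub_changed, prior),
        "token_valid": verify_linked_token(large, "challenge-abc", token),
        "tampered_token_valid": verify_linked_token(tampered, "challenge-abc", token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the linking token is computed over the amount and payee the customer actually approved, so a merchant or intermediary that later presents the same token with a changed amount or account is rejected by `verify_linked_token`; `hmac.compare_digest` keeps the comparison constant-time.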
Since PSD2 does not apply to payments where the acquirer or the issuer is not based in the EU, why would understanding this regulation be important to non-EU consumers and payment system stakeholders? From 2015 through 2018, the Federal Reserve established and provided leadership for the Secure Payments Task Force as it identified ways to enhance payments security, especially for remote payments. One critical need the task force identified is stronger identity authentication. So far, the United States has avoided any legislation concerning authentication, but will actions like the PSD2 create pressures to mandate such protections here? Or will the industry continue to work together through efforts like the FedPayments Improvement Community to develop improved authentication approaches? Please let us know what you think.