Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
January 7, 2019
A New You: Synthetic Identity Fraud
With the start of the new year, you may have resolved to make a change in your life. Maybe you've even gone so far as to pledge to become a "new you." But someone may have already claimed that "new you," stealing your credentials and using them to create a new identity. Identity theft is a growing problem, resulting in millions of dollars in damage around the world. And now there is a modern twist to this old and costly problem: synthetic identity fraud. Panelists at a forum convened by the Government Accountability Office (GAO) define this problem as a "crime in which perpetrators combine real and/or fictitious information, such as Social Security numbers and names, to create identities with which they may defraud financial institutions, government agencies, or individuals." (Read forum highlights on the GAO website.) According to the U.S. Federal Trade Commission, synthetic identity fraud is the "fastest growing and hardest to detect" form of identity theft.
This graphic from the GAO illustrates how this type of identity fraud differs from what we have traditionally defined as identity theft.
As this image shows, in traditional identity fraud, the criminal pretends to be another (real) person and uses his or her accounts. In synthetic identity fraud, the criminal establishes a new identity using a person's real details (such as social security number), combining this information with fictitious information to create a new credit record.
The challenge for the payments industry is determining whether an identity is planted or legitimate. For example, parents with excellent credit histories sometimes add their children to their existing credit accounts to give their children the benefit of their positive financial behavior. This action allows the children to kick-start their own credit records. Similarly, a criminal could plant a synthetic identity in an existing credit account and from there build a credit history for this identity. (In many cases, the criminal works for years on building a strong credit history for that false identity before "cashing out" and inflicting financial damages on a large scale.)
So what can consumers do to protect themselves? Here are some simple ways to make it harder for a thief to steal your personal information:
- Shred documents containing personal information.
- Do not provide your social security number to businesses unless you absolutely have to.
- Use tools that monitor credit and identity usage.
- Freeze your credit account as well as that of any of your minor children.
- Check your accounts regularly to ensure that all transactions are legitimate and report any suspicious activity immediately.
Staying informed about synthetic identity fraud tactics and taking these steps to protect yourself can help you get one step closer to (preventing) "a new you."
By Catherine Thaliath, project management expert in the Retail Payments Risk Forum at the Atlanta Fed
October 15, 2018
An Ounce of Prevention
Benjamin Franklin coined the phrase "An ounce of prevention is worth a pound of cure," and after attending late September's FinovateFall 2018 Conference in New York City, I find this aphorism as relevant today as it was in 1735. The conference showcased 80 demonstrations of leading-edge financial technology over two days with presenters representing five continents. Demos touched on a wide range of technologies and solutions, including game-based marketing and financial education; "lifestyle" mobile banking applications that integrate social media, news, e-commerce, and financial management to deliver personalized recommendations; lending and home buying; and integration with intelligent personal assistants. What stood out to me most were the many possible technologies offered to authenticate users, cards, and mobile transactions, each with the potential to prevent payments fraud.
As card payments continue to dominate consumer transactions in the United States, usage is increasing in other countries, and remote purchases gather steam, the demand for fast, reliable identity and payment authentication has also grown. So has the even greater demand from consumers for frictionless payments. But how does technology reward the good guys, keep out the bad ones, and prevent cart abandonment or consumer frustration? Here are just a few examples of how some of the fintech companies at the conference propose to satisfy these competing priorities.
SMS—While one company proclaimed that SMS was designed for teenagers and never intended for use as a secure messaging means, another proposed a three-factor authentication method that combined the use of a PIN, Bluetooth communication, and facial recognition via SMS sent to account holders to identify a possible fraud event in real time. Enhancing this technology was artificial intelligence that analyzes facial characteristics such as smiling or frowning.
Biometrics—Developers demonstrated numerous biometrics options, including those using unique, multifactor, non-gesture-based biometric characteristics such as the speed and pressure we use to swipe our mobile devices. Also demonstrated was the process of linking facial recognition to cards for both in-person and e-commerce purchases, as well as "liveness" tests that access the mobile phone's gyroscope to detect slight physical movements not present when a bot is involved. Another liveness test demonstrated was one in which people use their mobile devices to shoot videos of themselves reciting a number or performing randomized movements. Video content is then checked against identity verification documents, such as driver's license photos, that account holders used at setup. The developers noted that using video for liveness testing helps prevent fraudsters from using stolen photos or IDs in the authentication process.
Passwords—Some developers declared that behavioral biometrics would bring about the death of the password, and others offered services that search the corners of the dark web for compromised credentials. Companies presented solutions including a single, unique identification across all platforms and single-use passwords generated automatically at each login. One of the most interesting password technologies displayed involved the use of colors, emojis, numbers, and logos. This password system, which could be as short as four characters, uses a behind-the-scenes "end code," where the definition of individual password characters is unique to each company employing the technology, rendering the password useless in the event of a data breach.
As I sat in the audience fascinated by so many of the demos, I wished I could go to my app store to download and use some of these technologies right away; the perceived security and convenience, combined with ease of use, tugged at the early adopter in me. Alas, most are white-labeled solutions to be deployed by financial institutions, card networks, and merchant acquirers rather than offered for direct consumer use. But I am buoyed by the fact that so many solutions are abiding by the words of Ben Franklin and seek to apply an ounce of prevention.
By Nancy Donahue, project manager in the Retail Payments Risk Forum at the Atlanta Fed
May 21, 2018
Heading toward A New Era of POS Portability?
At recent conferences I've attended, exhibitors in the point-of-sale (POS) terminal and acquiring business were all showing off their portable devices. With one of these, a restaurant server could take a payment at the table or a retail employee could conduct a transaction in a store aisle. The exhibitors said that these devices allow for a more high-touch, personalized customer experience than traditional counter-top POS devices. In fact, while walking the exhibit floor, I noted that countertop POS devices were extremely hard to find.
The theme of POS portability was also evident in the session rooms. Multiple panel discussions and keynote speeches focused on the Payment Card Industry's (PCI) PIN-on-glass security standard, which would give already-in-the-marketplace devices for using mobile phones and tablets as card readers the ability to use PIN-based authentication. In essence, the standard allows customers to enter their PINs on merchants' commercial off-the-shelf (COTS) devices—such as bring-your-own-device tablets or phones—rather than on PCI-certified devices that a merchant owns or leases through its acquiring relationship. PIN on glass has been widely implemented in Australia and, based on what I've heard at these conferences, it is probably one to three years from making any headway here in the United States.
I first wrote about portable POS devices in the restaurant industry nearly six years ago. Since then, I can count on my hands the number of times I've swiped or dipped my card at a portable POS terminal (and several of these interactions occurred in Mexico). Most experiences were positive. On numerous occasions, I've used my card with a COTS device, also with mostly positive experiences. I have honestly never envisioned using or yearned to use a PIN for these transactions.
Little has changed in the way of mobile POS adoption since I wrote that post. So, do I believe we are moving towards a new era of POS mobility? Yes, but very slowly. With the proliferation of independent software providers and their mobile-based solutions for payment processing, I think the industry is now better positioned than it was six years ago for a change. However, I learned from speaking with others in the industry that the conversion process remains time consuming and costly. As far as PIN on glass goes, will the consumer be an obstacle to adoption? I'm not convinced that consumers will be comfortable entering their PIN on someone else's mobile device.
What is your take on the future of POS portability?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 12, 2018
If the Password Is Dying, Is the PIN Far Behind?
Back in January, I wrote a post that highlighted the rising incidence of lost-and-stolen card fraud in the United Kingdom. I concluded that the decades-old PIN solution for the card-present environment is now showing signs of weakness. Results of a recent Minneapolis Fed survey of 283 financial institutions offer some validity to my conclusion: the survey found that losses on PIN-based debit increased by 50 percent from 2015 to 2016. In fact, 81 percent of the respondents reported fraud losses from PIN-based debit, compared to only 77 percent for credit cards.
The news wasn't all bad for PIN-based debit. Signature-based debit and credit cards still had more fraud attempts than any other payment instrument. At 63 percent, signature debit fraud actually had a higher increase in fraud losses from 2015 to 2016 than did PIN debit. The PIN is a far superior verification method for card payments, but I'm willing to bet that the PIN, much like the password, has become less effective.
Is this coming at a time when the PIN is about to become more prominent? In late January, the PCI Security Standards Council announced a new security standard for software-based PIN entry, also known as "PIN on glass." This standard specifies the security requirements for accepting a PIN on a mobile point-of-sale device such as a Square card reader.
As an aside, I am a bit surprised by this announcement. Apparently, mobile phones are safe enough for entering PINs, but when someone uses a pay wallet such as Apple Pay or Samsung Pay, the card's PAN, or primary account number, is tokenized for security purposes. I'll save a discussion of this inconsistency for another post.
People have been talking for years now about how the password has passed its prime as a standalone authentication solution. Yet it continues to live, and it's as difficult as ever to mitigate its vulnerabilities. In my opinion, attempts to do so have increased customer friction and had minimal impact. I think the PIN is following a similar path. It creates customer friction (especially for me as I now have different PINs for multiple cards that I struggle to keep straight) and is losing its effectiveness, according to the data I mentioned in the first paragraph. But it appears that, with the PCI's recent announcement, the PIN could become even more prevalent for cardholders. Is it time, in the name of security and customer friction, for us to replace PINs and passwords with more modern authentication technologies such as biometrics?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed