Please enable JavaScript to view the comments powered by Disqus.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

December 16, 2019

ATM Cash-Out Attacks Return

I first wrote about ATM cash-outs back in 2013 when these attacks were escalating. But the frequency of the attacks quickly declined when card issuers and their processors and networks hardened their defenses. So why am I writing about it again? There were some major attacks in mid-2018. A bank in India, for example, lost approximately US$13 million from more than 12,000 fraudulent transactions at ATMs located in Canada, India, and Hong Kong. The United States has seen isolated attacks in recent years, but law enforcement is concerned that these attacks will grow because perpetrators stand to obtain a large amount of money. It's critical that financial institutions and other transaction processors remain vigilant, so I'd like to bring some attention back to this especially costly crime.

These attacks require careful planning and a synchronized effort, but the payoff for the criminals can make it worth all the work. First, the criminal gains remote access to an issuer's card management system and transaction controls. Next, the criminal uses a money mule network to open new accounts with a chip card or distributes debit or prepaid cards with cloned magnetic stripes and compromised PINs to the money mules spread across the globe. In a carefully synchronized operation, the money mules begin making withdrawals at numerous ATMs. With access to the card management system, the criminal keeps resetting balances and transaction counters to get around amount and transaction limits, and withdrawals continue to be authorized. The mules continue to make withdrawals until the cash supply in the ATM is exhausted. This is how such attacks can result in a loss to issuers in the millions of dollars worldwide in just a couple of hours. Most networks have now implemented transaction monitoring capabilities that can detect abnormal transaction traffic both at the account and the financial institution levels. If the networks identify abnormalities, they contact the issuer or processor to examine the transactions more closely. Some networks, if they can't contact the financial institution or processor, are authorized to block the activity right away to prevent additional transactions until the situation can be evaluated. Some criminals have responded by increasing the number of targeted accounts so the activity is spread across more accounts and the detection thresholds are not crossed as quickly.

Here are some steps that issuers and processors can take to defend against cash-out attacks:

  • Follow standard cybersecurity protocols related to password strength and management of system access controls to prevent compromise of system access credentials.
  • Evaluate adding further layers of authentication/approval for remote changes to card management data fields such as account balances and transaction counters.
  • Discuss with processors and networks any additional monitoring capabilities they may have to mitigate such attacks.

As the ATM celebrates its golden anniversary, cash-out attacks remind us of the constant efforts by criminals to defraud financial institutions and other stakeholders in the payments industry. Cash-out attacks are not new, but they can still result in huge losses, so the industry needs to remain vigilant and continue to look for ways to defeat them.

December 9, 2019

Payments in Review: A Webinar

Whether you are out dipping your payment card at a store, waiting in line behind a check writer, trying to look like you're working while you shop online for last-minute gifts using your digital wallet, or just always looking for more information about payments, grab your headphones for the last Talk About Payments webinar of 2019. On December 19, the Retail Payments Risk Forum team continues its tradition of discussing what we consider to be the significant payments events and issues of the year. We invite financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to participate.

The webinar 2019: Payments in Review features a live roundtable discussion with payments risk experts Doug King, Dave Lott, and Jessica Washington. You will be able to see how your reflections on 2019 payment events compare to the Risk Forum's perspectives and reflections on the year. To liven up the party, polling questions and real-time questions and comments will let you engage with the speakers.

Last year ended with increasing momentum in technology research and development—distributed ledger technology, contactless, machine learning—which continued into 2019, mixed with the some of the largest fintech mergers and acquisitions the industry has seen. Faster payments started taking new forms with added interest from industry stakeholders. The fight against payments fraud also changed shape during 2019, with some new collaborations and methods worth mentioning. Fintech is surely to be discussed along with other topics such as the proliferation of digital payment methods versus the state of cash.

Find out what you might need to consider as you promote safer payments innovation in the coming year.

The webinar will happen on Thursday, December 19, from 1 to 2 p.m. (ET). Participation is free, but you must register in advanceOff-site link. Once you register, you will receive a confirmation email with the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks after the event.

We look forward to you joining us on December 19 and sharing your perspectives on the payment events that took place in 2019.

December 2, 2019

Making the Choice to Use Cash

FADE IN:

INTERIOR, VETERINARY HOSPITAL—LATE NIGHT (2019)

Male, 60ish baby boomer, in work clothes and yellow reflective vest approaches the desk.

"Picking up a prescription.'

"That's $15.17," says the receptionist.

Waiting puppy owner—off-the-clock Payments Risk Expert—slouched in plastic chair, swings around to face desk. She stares rapt at boomer in work clothes.

A moment's pause.

Boomer rummages deep in his right pants pocket, then the left. Crumpled bills appear in his fist. A dime, a nickel, and 2 pennies fall to the counter.

Payments Risk Expert leans back, satisfied, and smiles.

FADE OUT.

That was Yours Truly at the vet last month. Research based on data from the Diary of Consumer Payment Choice predicts that anonymous pet owner would be likely to choose cash and, in the moment, he did.

Oz Shy, senior policy adviser and economist at the Atlanta Fed, applied machine learning algorithms to examine some 17,000 in-person payments from the 2017 and 2018 Diary of Consumer Payment Choice. The decision tree that resulted (below) predicted the likely behavior of my boomer.

graphic 01 of 01: Who am I and how much am I paying?

Reading from left to right, you can see that the first fork occurs for payments above and below $10. For payments less than $10, U.S. consumers are most likely to choose cash (choices to use cash are represented by the green boxes).

The second fork, for payments of $10 or more, is determined by household income. For payments of $10 or more, people with household income greater than $110,000 are most likely to use a credit card (orange boxes show the choice to use a credit card).

The next fork again occurs for transaction value. For payments equal to $20, it's probable that consumers will choose cash. (In his paper Adobe PDF file format, Oz relates this choice to the denomination typically available from ATM withdrawals.)

Now age comes into play: For payments less than $20 (remember, $15.17), consumers 54 and older (boomers) choose cash.

Voila! The pet-owning baby boomer plays to type.

Oz's research illustrates the importance of transaction value for payment instrument choice. For in-person payments of less than $10, consumers—whatever their household income or demographics—are most probably going to use cash. And for larger transaction values, the decision tree also shows that income and age matter for the choice to use (or not use) cash and other payment instruments.

You can read the paper, "How Currency Denomination and the ATM Affect the Way We Pay," here Adobe PDF file format.

November 25, 2019

We Are Thankful For...

Several years ago, I began the practice of making a list around Thanksgiving of things I am thankful for. I was pondering what I might include on my list this year while I was stuck in traffic behind an awful wreck I was thankful I wasn’t involved in. And then the idea hit me that maybe we at the Risk Forum should create our own list focused on what we are thankful for in payments.

To keep the list at proper blog length, I asked each Risk Forum member to name just one item. Without further ado, the Risk Forum presents to you our 2019 Thanksgiving week "What we are thankful for in payments" list.

  • Nancy Donahue, project manager: I’m thankful that my debit card has only been breached once this year and although the criminal lived it up at several fast food restaurants and c-stores, it was less than $100 total and I got my money back!
  • Claire Greene, payments risk expert: I am thankful that direct deposit lets me put my finances on autopilot. I’ve split my paycheck into different accounts: one for retirement, one for the mortgage, one for saving, and one for everyday expenses.
  • Douglas King, payments risk expert: I am thankful for the ability to pay via self-checkout at my local grocery store and receive cash back when using my debit card.

The Retail Payments Risk Forum folks: Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene

Pictured from left: Jessica Washington, Douglas King, Nancy Donahue, Dave Lott, Catherine Thaliath, Julius Weyman; Not pictured: Claire Greene

  • Dave Lott, payments risk expert: I am thankful for law enforcement and other security professionals who work diligently to protect the integrity of our payments system.
  • Catherine Thaliath, project management expert: I am thankful for credit card rewards programs. It is nice to get rewarded with cash back or even a free plane ticket just by using your credit card for everyday purchases!
  • Jessica Washington. payments risk expert: I am thankful for payments industry collaboration. This year I have seen improvements in fraud information sharing across stakeholders; partnerships between fintechs, financial institutions, and payment networks to promote financial inclusion; and working groups embracing emerging payment innovations.
  • Julius Weyman, vice president and forum director: I am thankful that I can write a check where it makes sense; pay online where it makes sense; get paid via ACH (no choice in that, but wouldn’t choose otherwise); pull bills from a real wallet (not the fake kind) and pay that way, where it makes sense; and use a card (and get rewards), which almost always makes sense and is the one I use the most.

And we are thankful for YOU: our readers of Take On Payments and supporters of the Risk Forum. We sincerely appreciate your comments, kudos, and criticism, and hope that you all find value in the information we provide and share. As we enter into these crazy last weeks of 2019, we wish you and yours a wonderful holiday season.