Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
August 24, 2020
Facial Recognition Biometrics: Bruised but Still Standing
So far, 2020 has been a rocky year for facial recognition biometrics. In June, Amazon, Microsoft and IBM delivered a body blow, announcing they would not sell their facial recognition software to law enforcement agencies. They cited a lack of accuracy, a potential for misuse or abuse, and the lack of federal privacy legislation to safeguard individual rights. Widespread use of facial masks due to the COVID pandemic dealt another punch. Masks have generally rendered facial recognition inoperable for any number of applications on mobile phones. The masks have also hobbled the Transportation Security Administration's plans to further automate passenger authentication and check-in processes. Will the technology be able to recover and go another round?
Unfortunately, there is a great deal of misinformation and misinterpretation of studies about the technology behind facial recognition and its use, particularly with regard to claims of racial and gender bias. Critics often point to a 2018 study by MIT and Microsoft researchers in which three facial classification algorithms misclassified the gender of light-skinned males at a rate of less than 1 percent but darker-skinned females as high as 34 percent. Critics of facial biometrics technology have pointed to the research as evidence of bias against various minority groups.
It is important to note that "gender classification" is very different from "facial recognition," although they are often lumped together in the media. In a gender classification process, a digital facial image of an individual is captured and processed through an algorithm that determines whether the image is that of a male or female. Numerous studies have shown that the accuracy of such classification systems is largely based on the database of images being used to "train" the algorithm—that is, to teach it to properly classify an image. The smaller the database, the less accurate the classification.
In a facial recognition process, the digital image captured by the camera is compared using a recognition algorithm to see if it matches the individual's image in a database or on their identification document. While the top performing algorithms are highly accurate, studies have found that results can vary based on lighting, camera definition, viewing angle, and other factors. While most people think facial recognition is new technology, the casino industry has used it to identify banned players since the 1990s.
In a future post, I will discuss the findings of the National Institute of Standards and Technology in its 2020 evaluation of more than 200 facial recognition algorithms. The promising news is that the top performing algorithms showed no discernible bias.
While there are certainly privacy and other issues connected to facial recognition and other biometric technologies, I believe objective education and discussions can address these issues. So I think the technology is not on the ropes but is ready to go another couple of rounds.
August 17, 2020
Executive Spoofing Hits Close to Home
Sitting around a table outdoors, physical distancing with my family, the conversation turns to executive spoofing scams at work.
- Millennial works at a factory automation start-up: "Yeah, right. The CEO is sending me an email [snicker]."
- Millennial working in government contracting: "I get them all the time, sometimes from the CFO."
- Boomer works in software industry: "We got a warning just the other day that one is floating around. Don't send money."
We are talking about three businesses with employees numbered in the low hundreds. All privately held. Small fry, really. Every one of my family considers executive spoofing via phishing to be an everyday, ho-hum event.
Everyday, yes. Ho-hum, not so much. The FBI reports that 114,702 victims of phishing and its cousins vishing, pharming, and smishing lost almost $60 billion in 2019. Phishing is executed via email; vishing, via phone call or voicemail; pharming, via bogus websites; and smishing, via text message. Perpetrators request personal information or money. In addition, business email compromise (BEC), the foundational criminal act for executive spoofing of the sort my family members describe, resulted in more than $1.7 billion in losses related to 24,000 incidents in 2019, reports the FBI. The Association for Financial Professionals (AFP), in a survey of Treasury and finance professionals, found that BEC was the source of six in 10 fraud attempts in 2020.
A number of vendors offer products that use machine learning to fight these forms of fraud. Machine learning holds promise for automatically detecting these attacks. Nevertheless, as with much automation, the human being is the important last line of defense. A few days after that family meal, I see a scam alert. The gist: never, never, never will the Atlanta Fed president text me with a request to purchase $500 in gift cards.
The late Intel CEO Andy Grove said it perfectly: "Success breeds complacency. Complacency breeds failure. Only the paranoid survive." So please don't be ho-hum or complacent about these attacks, and do warn your family members and others.
August 10, 2020
Contactless Pay: A True Life Story
A few weeks ago, my friend decided it was time to start using her phone to pay at the in-person point of sale. On her first foray into the land of contactless pay, she shopped at four stores that promoted their ability to accept contactless card and mobile payments. My friend's experiences show that while the technology may be ready, the human interactions could still use some work.
- Store #1, one of the largest retailers in the United States: Yes, we take mobile payments but not your mobile wallet. Download our app and then we can deal.
- Store #2, grocery chain with more than 1,000 stores: Yes, we take contactless mobile payments. But we want you to use our electronic pen to sign at the terminal.
- Store #3, top-5 grocery store: Yes, our reader can accept your phone signal. Now, touch a button to select debit or credit.
- Store #4, neighborhood retailer: Finally, a transaction where there was no physical interaction between the phone and the terminal or between my friend's hand and the terminal.
My friend's experiences—where only one of four transactions was fully contactless—illustrate that not only for consumers but also for merchants, contactless pay isn't as easy as flipping a switch. Any change in payments protocol is tricky because of the network of participants in the payments ecosystem:
- Card issuer. For contactless mobile payments, the card issuer has to offer consumers the ability to store their payment card information in a mobile wallet. For contactless card payments, the card issuer has to provide the contactless card (with four ripples on the front). Of the three credit cards and one debit card in my physical wallet, just one credit card is contactless on this summer day 2020. In June 2019, the Federal Reserve Mobile Financial Services Survey asked banks and credit unions about their plans to issue contactless-enabled cards. More than half (56 percent) of the total respondents reported they had no plans to issue contactless cards. For financial institutions with assets under $100 million, about two-thirds indicated they had no plans to issue a contactless card. The major card networks began promoting contactless card issuance and customer usage in mass media channels even before the COVID-19 pandemic and have continued to do so.
- Merchant. For contactless payments of either sort, the merchant has to enable terminals with the contactless technology. Then, as indicated by my friend's saga above, merchants need to set policies and train cashiers to support a customer's use of the technology. Several large merchants that previously had refused to accept contactless mobile transactions have recently announced plans to accept such transactions in the near future, but there are still some major holdouts.
- Card holder. Consumers adapted fairly quickly to the change from swiping their magnetic-striped card at the terminal to inserting their EMV chip card. And tapping or waving is faster than inserting a chip card, as long as what people expect to be a simple wave of the phone or card does not entail more work to complete the transaction (as in my friend's case). Faced with warnings about virus transmission through physical objects, consumers look ready to see benefit from contactless mobile or card pay.
The decisions of all these parties will be relevant for what happens next. Merchants are more likely to offer the contactless option as they see other merchants offering it. Consumers are more likely to use it as they see other consumers using it and as they gain confidence the transaction will work. Financial institutions, especially the smaller ones, may issue these cards as no-touch becomes more the norm and they feel the competitive pressure. Perhaps the stars are beginning to align with increased card issuance and merchant acceptance.
August 3, 2020
A Checkup on Checks: New Data on Business and Consumer Use
When did you last go to the dentist? OK, maybe too personal. How about this: when and why did you last write a check? For me, it was in December, for my annual purchase of Tag-a-Longs from my niece's Girl Scout troop. My check use is infrequent, but sometimes a check is still my go-to payment instrument. Even though the Federal Reserve Payments Study has found that the number of check payments in the United States declined from 41.9 billion in 2000 to 14.5 billion in 2018, U.S. businesses and consumers—like me—continue to use checks for all kinds of reasons, according to the 2018 Check Sample Survey (CSS) report, just published by the Atlanta Fed. The CSS reports check use by businesses and consumers based on a sample of checks cleared by the Federal Reserve in 2018.
Like previous iterations of the CSS, which has been conducted since 2001, the 2018 survey estimated percentage shares of checks paid both by purpose (bill, POS, income, casual, and indeterminate) and by payer and payee (business and consumer). In 2018, for the first time, the report includes data about checks returned, allowing for detailed analysis of returns by reason code, including possible fraud. Checks returned are items that the paying depository institution has chosen not to honor and which the Federal Reserve subsequently returns to the depositing institution.
Among the findings:
- Just over half of checks are written by consumers.
- Businesses are the recipients of two-thirds of checks.
- The median value of a check written by a consumer is $116; by a business, $357.
- Checks written by businesses made up three-fourths of total check value.
- Checks returned for insufficient funds, which also include uncollected funds holds (funds on deposit but not yet available for withdrawal), were two-thirds of return items by number and half of return items by value.
Want to know more? Join us on Thursday, August 27, from 2 to 3 p.m. (ET), when I and my Retail Payments Risk Forum colleagues delve into the CSS findings in greater detail on our Talk About Payments webinar. You must register in advance to participate. Once you've registered, we'll send you a confirmation email with the access information. (There is no fee for the webinar.)
And before that next dentist visit, why don't you "do-si-do" on over to the Atlanta Fed website and see the report for yourself. You can download the report and Excel data tables and explore, drill down, and be part of the August 27 webinar discussion. Hope to see you there!