Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
September 28, 2020
Encouraging Password Hygiene
Many offices have closed their doors to protect employees from COVID-19 infections, causing a surge in people working remotely in 2020. This situation has brought data security concerns to the forefront for many businesses. This past blog is a great reminder about the importance of password hygiene to protect valuable data assets. Don't fall victim to credential theft or social attacks.
Practicing good password hygiene, such as using strong passwords and never reusing them across applications, can be a huge nuisance. Many people, including yours truly, would love to see passwords fade into oblivion and be replaced by stronger authentication technologies, such as biometrics. But the fact remains that passwords will continue to be used extensively for the foreseeable future, and for as long as they remain with us, it's imperative that we adhere to good password protocol. Verizon's 2019 Data Breach Investigations Report reveals that more than 60 percent of successful data breach hacks were due to compromised or stolen log-in credentials.
Information that describes good password practices is abundant, but people continue to be careless. So how can we successfully encourage people to actually follow these practices?
Interestingly, while I was pondering this issue, I came across a Wall Street Journal article. Written by a cybersecurity professor, the article describes research that the author and her colleagues did on this very topic—how to get people to create strong passwords—and I thought it would be useful to share their findings.
So what's the secret to getting us to use strong passwords, according to these researchers? It's the simple incentive of time—and by this I mean the length of time we're allowed to keep our passwords. The researchers found that people were willing to use stronger passwords if they could keep them for longer than they had in the past.
The conventional wisdom used to be that we should change passwords at least once a year. Now many financial service providers and others require users to change passwords every 30 days. However, some organizations continue to allow longer time periods, or perhaps don't enforce change at all, but offset the longer duration with stricter rules, requiring longer passwords with a minimum number of special characters. I imagine most of us are accustomed to the strength bar or bubble graphic that shows us the strength of a password as we're creating it. These might be useful in educating us about what strong passwords look like, but the researchers found them to be ineffective in driving people to create strong passwords.
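As an added illustration of the trade-off described above (a longer rotation interval offset by stricter length and composition rules), here is a small Python policy evaluator. It is not code from this post or from the Fed; the tier boundaries and day counts are assumed numbers chosen for illustration only.

```python
"""Tiered password-lifetime policy (constructed example).

A stronger password earns a longer interval before it must be changed,
which is the incentive the researchers cited in the post found effective.
The tiers below are assumptions for illustration, not any organisation's
actual policy.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyResult:
    accepted: bool
    lifetime_days: int  # 0 when the password is rejected
    reason: str


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def evaluate(password: str) -> PolicyResult:
    """Map a candidate password to the rotation interval it earns (assumed tiers)."""
    length = len(password)
    classes = character_classes(password)
    if length < 8:
        return PolicyResult(False, 0, "shorter than 8 characters")
    if length < 12:
        if classes < 3:
            return PolicyResult(False, 0, "8-11 characters need at least 3 character classes")
        return PolicyResult(True, 30, "short password: 30-day rotation")
    if length < 16:
        if classes < 3:
            return PolicyResult(True, 90, "12-15 characters, under 3 classes: 90-day rotation")
        return PolicyResult(True, 180, "12-15 characters, 3+ classes: 180-day rotation")
    # 16 or more characters (including multi-word passphrases) earn the longest interval
    return PolicyResult(True, 365, "16+ characters: annual rotation")
```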
I'll admit I don't always practice the best password hygiene. One of several reasons for this is that it seems my passwords expire so frequently. But I could get fully on board with building stronger, unique passwords if that meant I would have more time before I had to change them.
Have you seen or experienced other tactics or solutions that have pushed you to use better password hygiene? If so, we would love to hear from you!
September 21, 2020
Personal Responsibility for Irrevocable Payment Scams
Those who have experience with parenting know that with many joys come challenges. For me, one of those challenges is teaching my children the importance of personal responsibility. Picking up after themselves, making sure their chores are finished before running out the door to play, and owning up to mistakes are just some of the personal responsibilities that they struggle with daily. And while there is a light at the end of the tunnel for this struggle, I firmly believe it is their having to experience the consequences that is getting us there. In this parent's opinion, knowing there are consequences for their actions helps children become responsible.
You might be thinking, "What does this notion of teaching personal responsibility have to do with payments?" Earlier this year, my colleague Dave Lott started the dialogue among those of us at the Risk Forum, and perhaps within some of our readers' circles, when in a post he posed the question "What is the likelihood that similar protections will be extended to consumers here (United States)?" The post was related to the extension of consumer protections in the United Kingdom to combat its growing problem of authorized push payment (APP) fraud.
In August, a UK-based consumer advocate organization called Which? released a research report based on the experiences of 150 consumers related to the Contingent Reimbursement Model (CRM) Code adopted by many financial institutions in the United Kingdom in 2019. The CRM Code has two primary goals: to reduce the occurrence of APP fraud and, for the fraud that does occur, to reduce its impact. Many of these scam payments in the United Kingdom are occurring on the country's faster payments rail, which was designed to make payments immediate and irrevocable. The report concluded that consumers' experiences with reimbursement for APP scams were mixed. Some consumers were reimbursed by their financial institution after authorizing payments to scammers, while others were unable to receive any reimbursement.
The primary payment instrument in the United States today for large-scale corporate APP scams is wire. For consumers, person-to-person (P2P) services such as CashApp, Venmo, and Zelle are being used to scam individuals out of money. All these payments, both business and consumer, are irrevocable. Once the payments leave their accounts, neither the financial institution nor the service provider has liability. But should individuals in the United States, like those in the United Kingdom, be afforded protections for these wire and P2P payments if they're scammed? And should these protections also apply to newer real-time payment schemes here in the United States?
My personal belief is that financial institutions or P2P services should not be responsible for people who fall victim to APP scams. Their responsibility should be limited to educating their customers on the rules around these payments and their finality when executed. APP scams are often the result of social engineering campaigns, and I am of the thought that, just as I expect my children to accept personal responsibility for their mistakes, it's fair for consumers to accept their responsibility for making sure they do not become the next social engineering victim. Do you think this is a reasonable approach to these scams and payments? Or should the United States banking industry and regulators move toward a model like the United Kingdom has in place?
September 14, 2020
You've Discovered a Money Mule: Who You Gonna Call?
The movie Ghostbusters is not a favorite of mine, but many people view it as a classic. While we can debate its status as a classic, there is no debate that it has one of the most well-known lines of any theme song in all of Hollywood: "Who you gonna call?"
The lyrics from this song were the recent topic of discussion among my colleagues as I shared with them that a banker had reached out to me about a fraud scheme that affected his customers. As he researched this scheme, he identified the involvement of a money mule using multiple accounts at two different banks to deposit funds from fake or counterfeit checks. His research also led him to a website that appears to be dedicated to hiring money mules to launder money. In this particular case, the banker rightfully contacted the two institutions where the fraudulent funds were deposited to inform them of the scheme and their potential money mule customer.
The banker asked, "What should I do now?" and "Who do I need to call?" After discussing with my Risk Forum colleagues, I made several recommendations to the banker about what to do and whom to contact:
- Contact law enforcement, both the local law enforcement office and the local Federal Bureau of Investigation office.
- File a Suspicious Activity Report with the Financial Crimes Enforcement Network.
- If your financial institution is part of the Financial Services Information Sharing and Analysis Center (FS-ISAC), report the money mule to the fraud intel or payments risk group.
- In addition to reaching out directly to the FBI, file a complaint through its Internet Crime Complaint Center.
- If your financial institution is part of a regional payments association, report the mule to the association as many of these associations send out money mule and fraud alerts to their members.
- Finally, report the suspected money mule recruitment website to the Federal Trade Commission by filing a complaint either through its online system or by calling 877-FTC-HELP (877-382-4357).
Earlier this year, my colleague Dave Lott blogged about efforts by law enforcement officials to crack down on money mules. As the example I'm describing here shows, the effort to bring down mules must be collaborative. As part of this collaborative effort, banks and other financial institutions have a critical role to play in identifying mule accounts and sharing this information with law enforcement as well as with each other. To those like the banker who reached out to me and other financial institutions that identify money mules, don't remain silent. In the immortal words of Ray Parker Jr., "If there's something weird, and it don't look good, who you gonna call?" Make the call to law enforcement and others to bring these mules and hopefully the larger criminal organizations behind them down.
September 8, 2020
New Payments Chassis Could Undergird Consumer-Friendly Vehicles
Introducing the FedNow Service in a mid-August speech, Fed governor Lael Brainard said the Fed is "engaging directly with the fintech and software companies who provide customer-facing services that will help banks build innovative instant payment products to serve their communities."
This engagement is important because, like a car chassis that can support multiple models of cars (hatchback or sedan?), instant payments services like the Clearing House's RTP (from "real-time payments") and the planned FedNow Service are platforms that make it possible to develop a huge variety of new products and services.
The shape of these new payments offerings will be vital for efforts to provide access to all consumers and businesses. In a February speech, "The Digitalization of Payments and Currency: Some Issues for Consideration," Governor Brainard remarked about the potential for improving access: "The entrance of BigTech and FinTech into payments…has the potential to enhance financial inclusion by expanding the number and diversity of ways people gain access to financial services and by creating more consumer-friendly offerings."
One way to create such offerings is to investigate what consumers do now and then envision how that might change for the better. With Fed economists Fumiko Hayashi and Joanna Stavins, I recently shared some data about the experiences of consumers who could benefit from offerings built on a faster payments chassis. In the Federal Reserve series Consumer & Community Context, we reported data from several sources: the Federal Reserve Survey of Household Economics and Decisionmaking, the Federal Reserve Bank of Atlanta's 2019 Survey of Consumer Payment Choice and 2019 Diary of Consumer Payment Choice, and the Federal Deposit Insurance Corporation (FDIC) National Survey of Unbanked and Underbanked Households. All the data relate to the capacity to send and receive payments almost instantly.
- Among consumers who overdrew their bank accounts, lower-income consumers were more likely to incur fees.
- Lower-income consumers were more likely to pay bills late and, when paying late, to be charged late fees by billers.
- Underbanked consumers whose income varied often or occasionally were more likely to report that they had trouble accessing funds due to delays in availability. Underbanked consumers are those who have used alternative financial services like payday loans or check-cashing services.
- Timing problems related to both receipts and payments could be making some consumers use high-cost alternative financial services.
Various factors may influence whether faster payments benefit everyone equally. That's why it's important to read the Federal Register notice, check out the Clearing House's RTP website, dive into the research, and imagine the possibilities inherent in the shape of payments products and services to come. Hatchback, sedan, or both?
You have a role in driving the outcome.