Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
June 27, 2022
The Ransomware Threat Continues to Grow
For more than five years, this blog; federal, state, and local law enforcement agencies; and multiple industry associations have warned businesses about the threat of ransomware attacks. Nevertheless, the FBI's Internet Crime Complaint Center (IC3) 2021 crime report shows that IC3 received 3,729 ransomware complaints in 2021, representing losses of $49.2 million. Those numbers are a 51 percent increase in the number of victims and a 69 percent increase in losses from 2020. The report notes that the actual figures are likely higher because these crimes are underreported, and that the reported losses don't “include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim.” According to the report, the industries most frequently targeted were health care, financial services, information technology, critical manufacturing, and government, but water systems, energy, and transportation networks were also attacked.
Initially, criminals carried out ransomware attacks by gaining access to a company's network, either by getting an employee to unknowingly install malware (usually through a phishing email) or by installing it themselves after exploiting an operating system or application vulnerability or abusing a remote access channel. The malware would then encrypt the targeted files so the company could not use them, and the criminal would demand a ransom, promising a decryption key once it was paid.
Last year saw an evolution of these attacks as criminals sought higher payouts. In addition to the usual ransom demand for the decryption key, criminals threatened to release sensitive information they had copied out of the network before encrypting the files unless the victim paid an additional ransom (so-called double extortion). Regardless of any promises they make or money they receive, criminals often go on to sell that information on the dark web anyway.
The defenses against a ransomware attack remain the same:
- Conduct employee training and phishing tests to educate and increase awareness.
- Implement a process for employees to report suspected phishing emails and investigate them immediately.
- Make frequent offline data backups and regularly test the backup process.
- Install security patches and software updates as soon as possible.
- Monitor remote desktop protocol (RDP) logons, if RDP is used at all, and carefully review who is allowed to connect and from where.
What defensive measures has your company implemented to defend against a ransomware attack? Let us know if I've missed any.
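The last item in the list, monitoring RDP and reviewing who may connect, is the one most easily turned into a routine check. The following Python script is an added example, not code from the original post or from the Fed. It runs over a constructed list of simplified Windows Security events (event ID 4625 is a failed logon, 4624 a successful one, and LogonType 10 marks an RDP session) and flags two things a reviewer would want to see: a source that fails repeatedly and then succeeds against the same account, and successful RDP logons from addresses outside the range that is supposed to reach servers over RDP. The allow-list, threshold and time window are assumptions for illustration.

```python
"""Review RDP logon events for brute-force activity and out-of-policy sources.

Added example, not part of the original post. Input is a constructed list of
simplified Windows Security events: ID 4625 = failed logon, 4624 = successful
logon, logon_type 10 = RemoteInteractive (RDP). Allow-list, threshold and window
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real logs): six failures from one Internet host
# in 30 seconds followed by a success, a normal logon from the VPN range, a
# console logon (not RDP), and an RDP logon from an internal host that is not
# in the range allowed to reach servers over RDP.
EVENTS = [
    {"time": "2022-06-01T02:00:01", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T02:00:07", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T02:00:13", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T02:00:19", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T02:00:25", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T02:00:31", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T02:00:40", "id": 4624, "logon_type": 10, "user": "admin", "src": "203.0.113.5"},
    {"time": "2022-06-01T09:15:00", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.5.23"},
    {"time": "2022-06-01T09:16:00", "id": 4624, "logon_type": 2, "user": "jsmith", "src": "-"},
    {"time": "2022-06-01T11:00:00", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": "10.0.9.9"},
]

# Assumption: RDP to servers is only expected from this VPN/bastion range.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]
FAIL_THRESHOLD = 5               # failures from one (source, user) pair ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window


def _t(event):
    return datetime.fromisoformat(event["time"])


def rdp_events(events):
    """Keep only RemoteInteractive (RDP) logon events."""
    return [e for e in events if e["logon_type"] == 10]


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map (src, user) -> (peak failures seen inside one window, time of last failure)
    for every pair whose failure count reached the threshold."""
    failures = defaultdict(list)
    for e in rdp_events(events):
        if e["id"] == 4625:
            failures[(e["src"], e["user"])].append(_t(e))
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                peak = max(hits.get(key, (0, None))[0], count)
                hits[key] = (peak, times[-1])
    return hits


def find_success_after_bruteforce(events, window=WINDOW):
    """Successful RDP logons by a (src, user) pair within one window after
    that pair's last failure in a burst that tripped the brute-force rule."""
    brute = find_bruteforce(events, window=window)
    alerts = []
    for e in rdp_events(events):
        key = (e["src"], e["user"])
        if e["id"] == 4624 and key in brute:
            if timedelta(0) <= _t(e) - brute[key][1] <= window:
                alerts.append(e)
    return alerts


def find_out_of_policy_logons(events, allowed=ALLOWED_RDP_SOURCES):
    """Successful RDP logons from outside the allow-list (or with no usable address)."""
    out = []
    for e in rdp_events(events):
        if e["id"] != 4624:
            continue
        try:
            ip = ipaddress.ip_address(e["src"])
        except ValueError:
            out.append(e)        # "-" or malformed source: review it, don't ignore it
            continue
        if not any(ip in net for net in allowed):
            out.append(e)
    return out


def review(events):
    return {
        "bruteforce": find_bruteforce(events),
        "success_after_bruteforce": find_success_after_bruteforce(events),
        "out_of_policy": find_out_of_policy_logons(events),
    }


if __name__ == "__main__":
    for name, items in review(EVENTS).items():
        print(name, items)
```

Run against real data, the events would come from a SIEM or from exporting the Security log; the point of the sliding window is that a slow attacker spreading attempts over an hour still accumulates, while the allow-list check catches the case the brute-force rule cannot: a valid credential used from a place it should never be used.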
June 13, 2022
Quishing: Another "Fish" in the Fraud Ocean
We should all be knowledgeable about phishing attacks by now, given the number of warnings consumers and businesses get about this type of email fraud. We've even warned about it, in this Take On Payments post last year, and in others. We've also warned about smishing, a variation that uses SMS text messaging rather than email. Vishing is another form of social engineering that we've also mentioned in the blog. It's like phishing but comes through a telephone, often from a spoofed number—one that looks like a legitimate number of a company or agency. All of these varieties of fraudulent attacks have the same goal: to "fish" for your login or account information.
And now there's quishing. Again.
Quishing is not new but has experienced a revival among criminals as a result of the increased use of QR codes for digital payments. We first wrote about the risks and benefits of QR codes back in 2012, when they were used predominantly on printed media such as billing statements. The account holder could scan the QR code to go to the biller's payment website to pay their bill. We wrote about them again in late 2020, when merchants used them in the pandemic as an alternative contactless payment technology to near field communication. Since then, the use of QR codes has exploded, not just for payment applications but also for other contactless uses born from health concerns: to let people access digital restaurant menus, for example, or to get detailed product information. QR codes are easy to generate, and a code that points to a criminal's site looks no different to the eye from one that points to a merchant's. In a quishing attack, the criminal sends an email containing a QR code that, when scanned with the victim's camera, opens a counterfeit website that may look like a merchant's legitimate website but is built to steal account credentials. The email may contain a coupon to give the victim further incentive to scan the code. Unfortunately, quishing is hard for email security filters to catch: the malicious URL never appears as text or as a clickable link in the message, only encoded in an image, so link-rewriting and URL-reputation checks do not see it unless the filter decodes the QR code itself.
QR code manipulation can also take place on printed material. Cases have been reported where stickers with altered QR codes have been placed on event posters at a venue or in other public places. When a person scans the fraudulent QR code to purchase event tickets, the criminal captures the payment card information and then uses it to make fraudulent purchases. Meanwhile, the victim shows up at the event and is told their ticket confirmation is invalid.
The same defensive measures used to spot phishing, smishing, and vishing attacks should be used to guard against quishing attacks. Be wary of messages from unknown sources, especially if they offer an incentive or convey a sense of urgency. Always be suspicious of any request for you to "confirm" your account credentials. Most phone camera apps show the decoded web address before opening it; check that the domain is one you recognize, and treat a payment or sign-on page reached from a scanned code with the same suspicion as a link in an unexpected email. Keeping a solid defensive position will help keep you safe from these attacks.
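Because the link in a quishing email only exists once the QR code has been decoded, the filter or the user has to apply the usual link checks at that point. The Python function below is an added example, not part of the original post and not any vendor's product. It assumes the QR image has already been decoded to a string (by the phone's camera app or a QR library) and inspects only that string for the signs that distinguish a counterfeit site from the brand's real one: a non-web scheme, plain http, credentials embedded in the URL, an IP-literal host, punycode labels, a URL shortener, or the brand's name appearing on a domain the brand doesn't own. The trusted-domain list, brand words, shortener list and the two-label registrable-domain rule are assumptions for illustration.

```python
"""Screen the text decoded from a QR code before it is opened.

Added example, not part of the original post. The QR image is assumed to have
been decoded to a string already; this code inspects only that string. The
trusted-domain, brand-word and shortener lists and the registrable-domain rule
are assumptions for illustration, not an authoritative policy.
"""
from urllib.parse import urlsplit
import ipaddress

TRUSTED_DOMAINS = {"example-bank.com"}           # assumed: domains the brand really uses
BRAND_WORDS = {"example-bank", "examplebank"}    # assumed: strings impersonators reuse
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # destination hidden behind a redirect


def registrable_domain(host):
    """Last two labels of the host. Assumption: adequate here; real code should use
    the Public Suffix List, since e.g. 'example.co.uk' needs three labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def screen_qr_payload(payload):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, mailto: and app intents are valid QR payloads but are not
        # web links; anything that is not a web URL gets reviewed, not opened.
        findings.append(f"non-web scheme '{scheme or 'none'}'")
        return findings
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no host")
        return findings
    if scheme == "http":
        findings.append("plain http")
    if parts.username is not None or parts.password is not None:
        # classic lure: https://example-bank.com@203.0.113.9/ goes to the IP, not the bank
        findings.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        findings.append("IP literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph domain)")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("URL shortener hides destination")
    if reg not in TRUSTED_DOMAINS and any(w in host for w in BRAND_WORDS):
        findings.append(f"brand name on untrusted domain '{reg}'")
    if host.count(".") >= 4:
        findings.append("unusually deep subdomain nesting")
    return findings


def verdict(payload):
    return "block" if screen_qr_payload(payload) else "allow"


if __name__ == "__main__":
    # Constructed payloads, not real addresses.
    for sample in ["https://pay.example-bank.com/bill?acct=123",
                   "http://example-bank.com.secure-login.test/verify",
                   "https://example-bank.com@203.0.113.9/",
                   "https://bit.ly/3abc",
                   "tel:+15555550100"]:
        print(verdict(sample), sample, screen_qr_payload(sample))
```

A mail gateway would call `screen_qr_payload` on the output of its QR decoder for every image in a message; a person can apply the same checks by eye to the address the camera app previews. The "brand name on untrusted domain" rule is the one that catches the typical counterfeit: the real brand name is in the hostname, but the part that matters, the registered domain, belongs to someone else.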
June 6, 2022
Potential Change Could Affect US Consumers' Financial Data
Adoption of open banking in the United States has been slow to move forward but that may all be about to change. In open banking, a consumer authorizes a financial services company with which they have a relationship to allow designated third parties to access their financial data. The United Kingdom began implementing open banking regulations in 2018, and the UK government believes that 60 percent of banking consumers will be using open banking by September 2023.
American consumers currently have a limited form of open banking through a technology known as "screen scraping." Screen scraping requires a consumer to give a third party their account sign-on credentials so that the third party can electronically sign in to the consumer's account and retrieve ("scrape") the account information. While the process does allow consumers to consolidate their financial information, it carries considerable risk: the third party holds the consumer's full account credentials, not just a copy of the data, so a breach at the third party exposes the account itself, and the consumer has no way to limit what the third party can do once signed in. It's also possible the third party might use the data in ways unknown to the consumer.
Over the last several years, a number of major banks have blocked third parties from screen scraping. The US banking industry has instead favored application programming interfaces (APIs), which let customers authorize a third party to retrieve specific data without giving up their logon credentials. API access is also the mandated process in the United Kingdom.
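The difference between the two models is easier to see in code than in prose. The Python below is an added example, not code from the post or from any real bank's API. It builds a toy bank and simulates a breach of the aggregator under each model: in the screen-scraping model the aggregator stored the customer's password, so the attacker can do anything the customer can; in the API model the aggregator only ever held a token the bank signed for a limited scope and lifetime, which the customer can revoke. The HMAC-signed token format, scope names and password check are simplifications and assumptions; a real deployment would use OAuth 2.0 with a standard JWT library and a salted, slow password hash.

```python
"""Credential sharing (screen scraping) versus scoped API delegation.

Added example, not from the original post or any real bank. ToyBank models both
access paths; compare_models() shows what a breached aggregator can do under each.
Token format, scopes and the password store are simplifications for illustration.
"""
import base64, hashlib, hmac, json, secrets, time


class ToyBank:
    def __init__(self):
        self._key = secrets.token_bytes(32)       # token-signing key; never leaves the bank
        self._pw = {"alice": hashlib.sha256(b"correct horse").digest()}  # simplified store
        self._revoked = set()                     # revoked token IDs (jti)
        self.ledger = {"alice": 1000}

    def _check_password(self, user, password):
        digest = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(digest, self._pw.get(user, b"\x00" * 32))

    def _perform(self, user, action, amount):
        if action == "read:balance":
            return self.ledger[user]
        if action == "payment:send":
            self.ledger[user] -= amount
            return self.ledger[user]
        raise ValueError(f"unknown action {action}")

    # --- screen-scraping model: whoever holds the password holds the account ---
    def password_action(self, user, password, action, amount=0):
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        return self._perform(user, action, amount)

    # --- API model: bank issues a signed, scoped, expiring, revocable token ---
    def issue_token(self, user, password, scopes, ttl_s, client):
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        claims = {"sub": user, "aud": client, "scp": sorted(scopes),
                  "exp": int(time.time()) + ttl_s, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _claims(self, token):
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        return json.loads(base64.urlsafe_b64decode(body.encode()))

    def revoke(self, token):
        self._revoked.add(self._claims(token)["jti"])

    def token_action(self, token, action, amount=0, now=None):
        claims = self._claims(token)              # signature checked first
        now = time.time() if now is None else now
        if claims["jti"] in self._revoked:
            raise PermissionError("revoked")
        if now > claims["exp"]:
            raise PermissionError("expired")
        if action not in claims["scp"]:
            raise PermissionError(f"out of scope: {action}")
        return self._perform(claims["sub"], action, amount)


def _outcome(fn):
    try:
        return fn()
    except PermissionError as e:
        return f"denied: {e}"


def compare_models():
    """Simulate a breached aggregator under each model and report what the attacker gets."""
    password, results = "correct horse", {}
    # Scraping: the aggregator stored alice's password; the attacker now has it.
    bank = ToyBank()
    results["scrape_read"] = _outcome(lambda: bank.password_action("alice", password, "read:balance"))
    results["scrape_payment"] = _outcome(lambda: bank.password_action("alice", password, "payment:send", 500))
    # API: the aggregator only ever held a read-only token for a budgeting app.
    bank = ToyBank()
    token = bank.issue_token("alice", password, ["read:balance"], ttl_s=3600, client="budget-app")
    results["token_read"] = _outcome(lambda: bank.token_action(token, "read:balance"))
    results["token_payment"] = _outcome(lambda: bank.token_action(token, "payment:send", 500))
    results["token_expired"] = _outcome(lambda: bank.token_action(token, "read:balance", now=time.time() + 7200))
    # Attacker edits the claims to add a payment scope; the signature no longer matches.
    body, sig = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    claims["scp"].append("payment:send")
    forged = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode() + "." + sig
    results["token_forged"] = _outcome(lambda: bank.token_action(forged, "payment:send", 500))
    # Customer revokes the token at the bank; even valid reads stop.
    bank.revoke(token)
    results["token_revoked"] = _outcome(lambda: bank.token_action(token, "read:balance"))
    results["balance_after"] = bank.ledger["alice"]
    return results


if __name__ == "__main__":
    for k, v in compare_models().items():
        print(f"{k:16} {v}")
```

The scope check is what makes the API model safer in the way the post describes: the aggregator's copy of the token is still a secret worth protecting, but its blast radius is the scope and lifetime the bank encoded into it rather than the whole account, and the customer can end it at the bank without changing a password.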
Congress mandated open banking through section 1033 of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, giving the Consumer Financial Protection Bureau (CFPB) the responsibility of developing rules around sharing consumer financial data. In October 2020, the CFPB issued a notice of proposed rulemaking regarding consumer access to financial records. The CFPB, however, cannot act alone—it is required to consult with the federal regulatory agencies (Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Federal Trade Commission) to ensure that its rules do not favor any particular technology.
Last August, my colleague Nancy Donahue authored a post about an executive order (EO) designed to promote competition in a variety of industries, including financial services. The EO is intended in part to encourage the CFPB "to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products." The expectation is that such a policy would allow nonbank fintechs to compete with traditional financial institutions, leading to lower service costs for the consumer.
The CFPB has been moving forward on this EO very deliberately due to the significant and complex issues tied to the implementation of open banking, three of which are critical:
- Data security: What requirements will be imposed on third parties to ensure that consumer financial data is held and used securely? Will the data aggregators be held to the same consumer data protection standards that banks are held to under the Gramm-Leach-Bliley Act? What regulatory agency will be responsible for the supervision of the nonbank data aggregator fintechs?
- Privacy: What limitations will be placed on the data collected? What happens to the data previously collected when the customer closes an account? What disclosures will be required initially and on a periodic basis as to how data will be used?
- Technology: Will screen scraping be prohibited as the United Kingdom is considering as it continues its open banking transition to include more financial services such as insurance and investments? How will small financial institutions be able to remain competitive with this service given their limited resources?
As a final checkpoint, the Small Business Regulatory Enforcement Fairness Act requires the CFPB to get feedback from a panel of small business owners about how the proposed rule will affect them. It is unlikely that this panel will be formed and its final report issued before the end of 2022. The Retail Payments Risk Forum team will continue to follow developments on open banking coming to the United States.
May 23, 2022
Vulnerable Populations and the Case for Cash
We recently wrote a post about communities not being able to access cash because of natural or man-made disasters. Severe weather and war, for example, may leave a bank branch inoperable. But even in "normal" times, access to cash remains an important consideration, especially for consumers who use it as their only or preferred means of payment. With this post, we look at how cash remains an important payment option and how accessing it may be becoming more difficult for certain vulnerable populations. These vulnerable populations—who tend to be low- to moderate-income households, rural communities, and recent immigrants—are more likely to be un- or underbanked (underserved) and often rely on cash to buy groceries and pay utility bills.
Even with an uptick in digital payment usage, cash remains a critical payment choice for many Americans. Some may be unable to use digital payment options because they lack access to broadband or a smartphone, for example. Others may not be able to access these options because they are unbanked. Data from the Federal Deposit Insurance Corporation's 2019 report How America Banks reveal that approximately 5.4 percent of households (7.1 million) were unbanked in 2019. Almost 14 percent of Black households are unbanked and presumably rely on cash or alternative payment options.
There are many reasons why cash can be a person's default method of acquiring goods and services, according to a forthcoming paper titled "Cash Is Alive: How Economists Explain Holding and Use of Cash" by Oz Shy, a senior policy adviser at the Atlanta Fed.
Unfortunately, recent data suggest that challenges to accessing cash existed prepandemic and accelerated during the pandemic. It may be especially difficult for the underserved, cash-reliant consumer, according to a report by the National Community Reinvestment Coalition:
- The number of banking institutions declined from approximately 18,000 in 1984 to fewer than 5,000 in 2021.
- The rate of bank branch closures doubled during the pandemic.
Rural areas tend to see the most bank branch closures, and those closures have contributed to a decline in ATMs as well. Adding to this, banks have been more cautious in providing accounts to independent ATM operators in part because of anti-money-laundering concerns. So some banks are adopting policies that prohibit business relationships with independent ATM operators or are charging much higher fees for their services—which means some ATM accounts with banks are closing and fewer ATMs are being established.
These closures matter, even to the unbanked consumer, who may need bank branches and ATMs, for example, to obtain cash from a prepaid benefits card for unemployment or social security payments, get a cash advance on a credit card, or cash a check at a bank where the check writer has an account.
As the digital economy expands, people in underserved communities and those who are cash reliant, whether by choice or lack of other options, are at risk for being further marginalized in the financial system. To help ensure that everyone, regardless of payments preferences, is included in this system, cash access and preservation in underserved communities across the nation remain important to maintain.