Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
June 14, 2021
Four years ago, in a May 2017 Take On Payments post, my colleague Doug King echoed the concern of cybersecurity experts, warning that 2017 and 2018 were going to be the “Year(s) of Ransomware.” This warning came as ransomware attacks were increasing in frequency and being carried out against higher-profile targets. In 2018, the City of Atlanta was attacked. Following the recommendations of law enforcement officials, the city refused to pay the $51,000 ransom. Many city services involving utility billing and traffic court were disrupted for as long as a year, and officials estimated the price tag of investigation and remediation at $17 million.
In its latest report, cybersecurity firm Group-IB described the results of its analysis of more than 500 ransomware attacks: not only did the number of attacks in 2020 increase by more than 150 percent over the previous year, but the sophistication of the attacks themselves had also substantially increased.
Over the last month, high-profile attacks against an oil pipeline operator, a meat processor, and a digital services provider have been reported. While attacks against corporate targets often have limited impact on the general public, the Colonial Pipeline attack led to a shutdown of a major supply pipeline serving the eastern United States, triggering panic buying and complete outages at more than 11,000 gas stations in addition to a spike in retail gasoline prices, according to a Newsweek article.
Ransomware attack strategies vary in a number of ways, including the type of criminal organization behind the attack, the target industry, the size of the target, and the method of infiltration, whether that’s phishing, exploiting a network or software security vulnerability, or something else. One of the largest concerns of law enforcement is the emergence over the last few years of criminal organizations that provide ransomware as a service (RaaS), as was the case in the Colonial Pipeline cyberattack. Under this scheme, the criminal organization sells or leases its ransomware code to others, who use it to attack their targets. The Group-IB report indicated that RaaS was used in approximately two-thirds of the ransomware attacks in 2020.
The Ransomware Task Force—an international group of cybersecurity experts from industry, government, law enforcement, and the public sector—was formed in early 2019 to address this threat. In early April, it delivered to the U.S. government a report with recommendations for combating ransomware attacks. The following list includes some of the 48 recommendations:
- Make proactive diplomatic and law enforcement efforts to stop nation-states from providing protection to ransomware criminals.
- The United States should take a lead role in implementing a comprehensive anti-ransomware campaign including creating a task force composed of government agencies and private industry.
- Organizations should be mandated to report ransomware payments and to consider alternatives before making such payments.
- Since cryptocurrency is predominantly used for ransomware payments, the cryptocurrency operators should be more closely regulated.
On April 21, the U.S. Department of Justice (DOJ) announced the formation of the Ransomware and Digital Extortion Task Force to “bring the full authorities and resources of the Department to bear to confront the many dimensions and root causes of this threat.” An early success of the department's work through the Task Force was announced on June 7, when the DOJ said it had recovered approximately $2.3 million of the $4.4 million ransom paid by Colonial Pipeline.
We will continue to follow the ransomware threat, recognizing that no type of industry or size of business is safe from such an attack.
April 12, 2021
NFTs Raise Questions about Money Laundering
I must admit—my head is spinning a bit trying to grasp the valuation of nonfungible tokens, which are commonly referred to as NFTs. In March, an NFT by the artist Beeple sold for almost $70 million. An NFT is a unique digital asset that is authenticated using a blockchain. Digital assets can be artwork, music, sports cards or videos, or even tweets. There are multiple marketplaces for purchasing NFTs, oftentimes with cryptocurrencies or stablecoins, and many of these platforms are focused on a specific segment of the NFT market, such as one dedicated to players and highlights from the National Basketball Association. (The concept seems so far-fetched that Saturday Night Live based a skit on NFTs.)
Once my head stops spinning due to the astronomical valuations of some NFTs, it immediately focuses on the money-laundering risks. For years, the art world has been used to launder funds. Reasons for this include the anonymity often sought by buyers and sellers, the use of shell companies to hide owners, the use of cash for high-value purchases, and the challenges of determining a fair market value for a singular piece of art that might be purchased for well above market value, which is a red flag for money laundering. Are these reasons for using art in the physical world to launder funds alleviated or exacerbated in the digital world? I don't have the answer for this question because I admittedly haven't spent the time to fully understand the measures the NFT industry has taken to mitigate money laundering risks. I do know that transactions on a public blockchain are transparent, but that doesn't necessarily mean that the individuals engaged in the transaction can be identified. And as I mentioned earlier, determining a fair value for NFTs presents quite the challenge.
Whether or not NFTs are being used for money laundering, I am not alone in asking the question. In March, the Financial Action Task Force, seeking input from the public by April 20, 2021, released a public consultation paper on draft guidance on a risk-based approach to virtual assets and virtual asset providers. This guidance has the potential to affect NFT marketplaces and providers by encouraging regulatory agencies across the globe to require them to perform some levels of Bank Secrecy Act/Anti-Money Laundering monitoring and reporting. The task force is looking to implement changes to the draft and approve this updated guidance at its June 2021 meeting.
Are you interested in learning more about NFTs and the potential risks they may pose? While we will continue to monitor developments and provide pertinent updates, let us know if you have questions or concerns that you think we should address given the increased media exposure and transaction volumes of NFTs.
March 1, 2021
Changing Fraud Strategies: Hindsight Is 2020
Editor's note: This is the first of a three-part series.
It's been exciting to see such rapid innovation in payments recently. It's also been a little frightening, when we think of how quickly fraudsters and cybercriminals capitalize on fast-changing behaviors and how slowly others may adopt mitigation strategies.
To shed light on some of the new threats and offer tips on mitigating these new threats, Take On Payments is running a series of three posts, starting with this one. This first post presents some research and other information on the threat trends and contributing factors that escalated in 2020. The next two posts highlight innovative fraud mitigation strategies.
Account takeover fraud
- Research from one cybersecurity company found that one in every two fraudulent transactions in the finance industry in 2020 was an account takeover, and that the share of account takeover fraud jumped from 34 percent in 2019 to 54 percent in 2020. In addition, 12 percent of account takeovers are carried out with remote access technology: the fraudster tricks the victim into installing software that gives the scammer access to the victim's computer for "troubleshooting." The research also noted that social engineering has become more successful during the pandemic.
- A recent report explained that over the course of 2020, the share of account takeover fraud ranged between 70 percent and 90 percent of financial fraud attacks.
- A January 2021 article on lessons learned from 2020 reported that criminals have evolved from relying on "credential stuffing"—the use of stolen account credentials to gain access to user accounts—to using sophisticated "device emulators." These emulators can spoof the variables that fraud prevention tools look for, such as device type, browser version, language settings, screen resolution, and GPS coordinates.
- The latest Europol Internet Organized Crime Threat Assessment identified SIM-swapping fraud as a rising trend. The criminal basically deactivates a victim's SIM and ports the victim's number to another phone, allowing the criminal to thwart multi-factor authentication tools used for account logins.
New account opening fraud
- A January 2021 report noted the significant increase in fraudulent new account creation. Cybercriminals are unfortunately becoming rich with stolen credentials and synthetic identities gained from increasingly successful data breaches and phishing attacks.
- Another report said that a full 85 percent of financial institutions experience fraud in the account opening process.
- Finally, other researchers have found that traditional fraud models miss 86–95 percent of applicants that are identified as possibly synthetic. In addition, they've found that a full one in seven, or about 14 percent, of new accounts are fraudulent.
- The U.S. Secret Service recently emailed an alert to partners about how they continue to detect a significant upsurge in e-skimming attacks. In these attacks, fraudsters load malicious code, which is increasingly difficult to detect, onto e-commerce websites to steal payment card information. Cybercriminals consider e-skimming easy and highly profitable.
- Last month, the Financial Crimes Enforcement Network, or FinCEN, sent out a notice urging financial institutions to alert their customers about business email compromise, ransomware, and fraudulent payments that are attacking both vaccine delivery operations and the supply chains required to manufacture the vaccines. These crimes are drawing, in most cases, six-figure payouts.
Fraudsters see new payment behaviors and innovations as low-hanging fruit, a path of least resistance because sophisticated fraud mitigation tools have yet to be applied to them. Also, businesses and consumers who are new to digital or online commerce can be slow to adopt security best practices. So how should fraud mitigation strategies change to meet new threats? The next two posts will discuss how fraud strategies can build resistance through updates to organizational structure and expertise, and through innovative digital fraud prevention technology and security features.
February 22, 2021
New Year, New Fraud
Over the last few years, we've discussed friendly fraud in a number of Take On Payments posts. Friendly fraud occurs when an authorized payment cardholder, or someone they know, purchases goods or services and then disputes the transaction through the chargeback process to have the payment to the merchant canceled. From the merchants' perspective, there is nothing "friendly" about this, so they often refer to it as "chargeback" fraud. The actual losses from friendly fraud are difficult to measure, but it's estimated to cost merchants nearly 2 percent of their annual revenue.
With the surge in e-commerce transactions resulting from changing payment habits caused by the COVID-19 pandemic, we assume that friendly fraud—as well as other types of online payment fraud, including the emerging "refund fraud"—has significantly increased. Refund fraud is similar to friendly fraud in that a legitimate cardholder completes a transaction using legitimate credentials. However, in refund fraud, the cardholder makes the transaction fully intending to use the merchant's refund policies, rather than file a chargeback, to be reimbursed or to receive an additional product. This also differs from refund abuse, where the cardholder purchases and uses a product—often clothing or tools—and then returns it.
Refund fraud by individual cardholders has existed for decades, but more recently a network of professional refund fraudsters has emerged. Using the Dark Web and other nefarious communications forums, professional refund fraudsters seek accomplices and share tips with each other on how to manipulate a merchant's refund policies and customer service representatives. They recruit willing cardholder accomplices with the promise that in exchange for a fee, the cardholder can make large-dollar purchases, get refunded for these purchases, and still keep them. To earn the fee, the fraudster contacts the merchant's customer service personnel and, using their knowledge of the merchant's refund policies while impersonating the cardholder, demands a refund. The fraudster claims that the product never arrived or was damaged, or insists they returned the defective product. The cardholder often pays the fraudster's fee with cryptocurrency.
Like chargeback fraud, refund fraud is difficult to detect since a legitimate cardholder initiates it and generally targets a merchant only once to avoid establishing a pattern of refund requests with the merchant. CardNotPresent.com recently produced an educational webinar on this type of fraud detailing the processes that fraudsters use and discussing how merchants can improve their defenses. The involvement of the organized criminal element is further evidence that merchants and card issuers must always be vigilant.