
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


January 30, 2023

What Does Generative AI Mean for Payments?

When the latest news in natural language processing (NLP) hits the newspaper comics on a Sunday, you know you've got a phenomenon on your hands. Perhaps you, like me, are asking yourself some questions: What the heck is ChatGPT? What does it mean for payments? How can I think about the risks? And what new ideas will the capabilities of NLP inspire?

What is ChatGPT? Like a lot of people in the past few weeks, I asked ChatGPT to tell me. The answer: "ChatGPT is a large language model that has been trained to generate human-like text. It can be used for a variety of natural language processing tasks such as language translation, question answering, and text generation."

Let's unpack this answer. "Large" means that the model is trained on vast amounts of data—that is, text created by humans. A "language model" is designed to understand written or spoken text. "Generate" means create content, which is a key capability to think about in the context of payments. Large language models like this one, using a massive amount of computing power and human training, are taught to pretend to be human in responding to written or spoken text.

How successful is this charade? A lot depends on the questions you ask and how you ask them. Your human input is still important. When you give the model a prompt, you are "programming" it to give you a list of Alfred Hitchcock's most famous movies or the ingredients for coq au vin. When you "program" a search engine by asking such a question, you see a list with links (that is, sources for the information). When you program a natural language model, you get sentences and no source for the information. The lack of sourcing is a critical distinction when it comes to assessing accuracy or bias.

Setting accuracy aside, the answers I got sounded human enough to me, maybe a bit stilted. Let's look at the opportunities and risks for payments.

  • Opportunity. Generative AI has the potential to make customers feel like they are chatting with a person when they are interacting with a bot. For customers like me, that could cut down on trudging through FAQs to get an answer—or even a hint to an answer—depending, of course, on how well trained the bot is. Chatbots could become more responsive to me personally.
  • Risk. Generative AI has the potential to enable fraud. New tech = new fraud, as we learned with new tech for making remote payments. The ability to create plausible content and mimic human conversation is chilling in the context of phishing, for example. ChatGPT already can pretend to be an ATM information screen.
  • Opportunity. Generative AI has the potential to prevent fraud. NLP tools can find patterns in data, perhaps leading them to detect fraud created with these very same tools. We've seen this pattern before in payments, with innovations in fraud followed by innovations in fraud prevention and detection, et cetera, et cetera, et cetera. As previously pointed out by the Federal Trade Commission, however, AI is no silver bullet in fighting fraud.

When I asked the model, "What practices are most important to prevent payments fraud?," I got an error message. Too complicated? Too dependent on common sense? Too speculative? Therefore, without AI assistance, here are this earthling's thoughts about ways to prevent payments fraud in the era of generative AI:

  • Keep your tech and tools up to date.
  • Share information across the payments industry.
  • Educate employees and end users.
  • Use dual controls when possible.
  • Practice password hygiene.
  • Always keep an eye out for The Next Big Thing.

To learn more, check out two podcasts I found informative:

October 17, 2022

Webinars Address ATM Crimes, Financial Exploitation

ATM attacks don't generally appear in the news, despite their growing threat. As we've written before, these attacks can be both cyber and physical, and the physical attacks can be against both machine and the personnel servicing the machine. Another disturbing crime that may not appear enough in the headlines is the financial exploitation of senior adults. Two upcoming events in our Talk About Payments webinar series will give you the opportunity to learn more about these issues from the experts. The first, on November 3, covers ATM attacks. The second webinar takes place the following week, on November 10, and addresses the exploitation of seniors and community-based approaches to help mitigate vulnerabilities. More details about these webinars, as well as registration links, are below. We hope you will join us for both events.

November 3: ATM Attacks and Defenses
Because many financial institutions have closed or reduced the operating hours of many of their banking offices since the start of the pandemic, customer withdrawals of cash from ATMs have increased significantly. Unfortunately, the criminal element has shifted some resources to attacking ATMs and the personnel servicing them, including those who make currency deliveries. More than half of all ATM attacks in the United States involve thefts of the ATMs themselves, according to ATM Security Association data. The growth in dispenser jackpotting is also troubling. Because the methods of ATM crime can vary from city to city and month to month, it is critical that ATM operators stay informed about current trends.

A panel of ATM experts joins moderator David Tente, executive director of the ATM Industry Association, in discussing trends in cyber and physical attacks against ATM terminals and service personnel along with measures that can mitigate the risks. The panelists are:

  • Brenda Born, supervisory special agent, Federal Bureau of Investigation
  • Brad Moody, executive vice president of operations, Lowers & Associates
  • John Toneatto, vice president of security and investigations, Loomis

The webinar takes place on November 3 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.

November 10: Financial Exploitation of Aging Adults
Did you know that more than 10,000 US adults turn 65 every day, and that many of them will be victims of financial fraud? Elder financial exploitation is a growing problem, according to the National Council on Aging, which estimates financial losses of at least $36.5 billion a year. With the rapidly aging population, we must identify and protect elderly citizens exposed to financial exploitation risks.

In the November 10 episode of our Talk About Payments webinar series, Drs. Thomas Blomberg and Julie Brancale, criminologists from Florida State University, describe the current research, theory, and policy responses associated with this growing social problem. They also address the patterns and variations of financial exploitation of older adults and discuss why some older adults may be more or less vulnerable than others. The presentation concludes with a discussion of areas in need of additional research and policy attention. Scarlett Heinbuch, a payments risk expert at the Atlanta Fed, moderates the discussion.

The webinar takes place on November 10 from 1 to 2 p.m. (ET). To participate in the free webinar, please register.

We encourage financial institutions, retailers, payments processors, law enforcement officials, academics, and other payments system stakeholders to join us for these informative webinars. You will be able to submit questions during the webinar. Please let your colleagues know about these webinars!

August 22, 2022

Not-So-Common Scams Result in Large Losses

We often write in this blog about the scams that criminals seem to favor at the time and describe defenses that targeted individuals or companies can use to thwart these scams. The most popular continues to be the broad category of advance fee scams. I thought it would be helpful to review two other types of financial scams that are not so frequent but that can result in large losses for victims.

Cashier's check fraud
A genuine cashier's check is a direct obligation of the bank that sells it. In a more innocent time, cashier's checks were viewed "as good as gold." Regulation CC generally requires a bank to make the funds of a deposited cashier's check available the next business day, but a fraudulent cashier's check could take several days or weeks to be returned to the bank of first deposit.

Criminals use this time gap to their advantage. In some cases, the check is for the exact amount of the item being purchased, and the criminal departs with the goods. For remote purchases, the criminal may send the seller a cashier's check for an amount in excess of the purchase price: $1,500 instead of $1,000, for example. Then the criminal claims the amount was a mistake and asks the seller to send the merchandise as well as refund the overpayment. When the fraudulent check is returned, the seller is out not only the merchandise but also cold hard cash.

Fraudulent cashier's checks can be very difficult to spot given the advanced technology of printers and graphics software. Here is some fraud prevention advice:

  • Accept a cashier's check only from someone you know or trust.
  • Never accept a cashier's check with an amount higher than the purchase price.
  • Consider using an escrow service instead of a cashier's check, where the goods are held by a trusted third party until the payment funds are fully verified.
  • Be aware of the difference between when funds from a cashier's check become available versus when the check finally clears.

You can find more information about cashier's check fraud on the website of the Federal Deposit Insurance Corporation (FDIC).

High-yield investment fraud
In this type of scam, a fictitious financial institution or company, often located outside the United States, offers a risk-free, guaranteed return on a savings or investment instrument that is substantially above the market rate. The scammer claims to be able to achieve these returns by using sophisticated trading techniques involving "prime bank" financial instruments in foreign markets. Often, there is a promise that the funds are insured by a country's financial oversight agency or by the World Bank, a claim supported by certificates that look legitimate.

These scammers target their victims through advertisements in national and financial publications. They may also solicit victims with executive phishing attacks that have obtained contact information of high-net-worth individuals. The criminals assert that the victim will be part of an exclusive group and therefore should not discuss the investment with others, sometimes even requesting execution of nondisclosure agreements.

My prevention tip for this scam is to follow the old adage that "if it's too good to be true, it probably is."

If there are other financial scams that you think we should address, please let us know by leaving a comment.

June 27, 2022

The Ransomware Threat Continues to Grow

For more than five years, this blog; federal, state, and local law enforcement agencies; and multiple industry associations have continued to warn businesses about the threat of ransomware attacks. Nevertheless, the FBI's Internet Crime Complaint Center's (IC3) 2021 crime report shows that in 2021, IC3 received 3,729 ransomware complaints, representing losses of $49.2 million. These numbers reflect a 51 percent increase in the number of victims and a 69 percent increase in losses. The report notes that these figures are likely higher as the crimes are underreported, and that these financial losses don't “include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim.” According to the report, the industries most frequently targeted were health care, financial services, information technology, critical manufacturing, and government, but water systems, energy, and transportation networks were also attacked.

In the beginning, criminals carried out ransomware attacks by gaining network access to a company's computer system, either by getting an employee to unknowingly load malware or by loading it themselves through an operating software vulnerability or a remote access channel. The malware would then encrypt the targeted files so the company could not access them, and the criminal would demand a ransom and promise a decryption key once it was paid.

Last year saw an evolution of the attacks, when criminals began to seek higher payouts. In addition to making the regular ransomware demands, criminals threatened to release sensitive information they'd gathered before encrypting the files unless the victims paid an additional ransom. Regardless of any promises they make and money they get, criminals often sell this information on the Dark Web for even more money.

The defenses against a ransomware attack remain the same:

  • Conduct employee training and phishing tests to educate and increase awareness.
  • Implement a process for employees to report suspected phishing emails and investigate them immediately.
  • Make frequent offline data backups and regularly test the backup process.
  • Install security patches and software updates as soon as possible.
  • Monitor remote desktop protocols, if they're used, and carefully review access controls.

What defensive measures has your company implemented to defend against a ransomware attack? Let us know if I've missed any.