
About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


April 18, 2022

Smishing: Phishing with a Different Bait

The Retail Payments Risk Forum team is always on the lookout for changes in attack patterns by the criminal element regarding payments. Our sources of research include industry news, networking with payments stakeholders, third-party reports, and our internal security warnings. One other source we have is our own personal experience, though we have to remind ourselves of our colleague Claire Greene's warning that each of us is a sample of one. What we experience may not be, and probably isn't, what the average person might encounter.

I was recently reminded of this warning with regard to my own experience with smishing attacks. Unlike phishing, which uses email, smishing uses SMS text messages to entice you to click on a malicious link that either loads malware on your phone or, more likely, directs you to a fake website to capture your login information. (Simply opening the text message poses little risk.) Over the last several weeks, I have been getting one to two text messages a day on my phone asking me to click on a link to respond—usually to a customer satisfaction survey allegedly from a major retailer, with the offer of a gift card as a reward for responding. One message informed me that a product I had ordered (and already received) from an online retailer couldn't be shipped until I clicked on the link to pay an international tax of $2.83. I am confident that all these messages were "smishing" attempts.

Although a part of me was tempted to assume my experience was indicative of a very recent trend, I decided to research whether I was indeed average in experiencing an increased number of these attacks. It appears Claire was right—although my research showed that smishing attacks have substantially increased, it seems I am fortunate to have only recently become a target. A cybersecurity firm that claims to handle 80 percent of mobile messages in North America has reported that the number of smishing attacks during the third quarter of 2020 had increased 328 percent over the previous quarter. The FBI's Internet Crime Complaint Center (IC3) doesn't separate smishing from phishing, vishing (phone calls), or pharming (redirection to a fake website) incidents, but the IC3's Internet Crime Report 2021 shows that these complaints increased 34 percent from 2020 to 2021.

The warning signs for a smishing message are quite similar to those of a phishing attack and may include the following:

  • A sense of urgency, pushing you to respond right away. As we are now in income tax season, these messages may include references to past due taxes or a suspended refund.
  • An offer of a reward such as a gift card, rebate, or a coupon for a future purchase from the retailer
  • Poor English grammar or improperly formatted phone numbers
  • An unknown sender. It is best to report or delete messages you weren't expecting from people you don't know.

Be aware that what appears to be the sender's phone number is often spoofed. It may be a familiar number or at least may have a local area code. This is intended to increase your trust and thus the likelihood that you will respond.
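As an added example (not part of the original post), the following Python script applies the warning signs above to a handful of constructed SMS messages and reports which signs each one trips. The phrase lists, the contact set, the threshold and the sample messages are all assumptions made up for illustration; note that a well-formed or local-looking sender number earns no trust, because, as the post says, it is often spoofed.

```python
"""Heuristic smishing triage over constructed SMS samples.
Added example: the phrase lists, thresholds and messages are illustrative assumptions."""
import re
from dataclasses import dataclass

# Phrases that manufacture urgency (the tax-season and "suspended" hooks mentioned above).
URGENCY = re.compile(
    r"\b(right away|immediately|within \d+ hours?|suspended|past due|final notice|act now)\b",
    re.IGNORECASE,
)
# Phrases that dangle a reward for responding.
REWARD = re.compile(
    r"\b(gift card|reward|rebate|coupon|prize|you(?:'ve| have) won)\b", re.IGNORECASE
)
# A URL, or a bare domain with a path: the link the message wants tapped.
LINK = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+/\S*", re.IGNORECASE)


@dataclass(frozen=True)
class Sms:
    sender: str  # as displayed on the phone; may be spoofed, so it earns no trust
    body: str


def normalize_sender(sender: str) -> str:
    """Strip spaces, dashes and parentheses so '+1 (555) 010-0199' compares as one token."""
    return re.sub(r"[\s().-]", "", sender)


def malformed_sender(sender: str) -> bool:
    """True unless the sender looks like an E.164 number or a 5-6 digit short code.
    Alphanumeric sender IDs are legitimate in some regions; this is one signal, not a verdict."""
    s = normalize_sender(sender)
    return not (re.fullmatch(r"\+?\d{10,15}", s) or re.fullmatch(r"\d{5,6}", s))


def smishing_signals(msg: Sms, contacts: frozenset) -> list:
    """Return the warning signs present in one message.
    Poor grammar is deliberately left out: it needs a language model, not a regex."""
    signals = []
    if URGENCY.search(msg.body):
        signals.append("urgency")
    if REWARD.search(msg.body):
        signals.append("reward")
    if LINK.search(msg.body):
        signals.append("link")
    if normalize_sender(msg.sender) not in contacts:
        signals.append("unknown-sender")
    if malformed_sender(msg.sender):
        signals.append("malformed-sender")
    return signals


def is_suspicious(msg: Sms, contacts: frozenset, threshold: int = 2) -> bool:
    """Two or more signs: do not use the link or number in the text; verify via a known channel."""
    return len(smishing_signals(msg, contacts)) >= threshold


# Constructed samples (not real messages); one known contact, stored in normalized form.
CONTACTS = frozenset({"+15550100123"})
SAMPLES = [
    Sms("+1 (555) 010-0199",
        "Reminder: your tax refund is suspended. Confirm your details right away at "
        "http://refund-check.example/irs"),
    Sms("Shop-Rewards",
        "Congratulations! Complete our customer survey to claim a $100 gift card: "
        "https://survey.example/win"),
    Sms("+1 555 010 0123", "Running 10 min late, see you at the cafe."),
    Sms("48291", "Your verification code is 482913. Do not share it."),
]


def triage(samples=SAMPLES, contacts=CONTACTS) -> dict:
    """Map each message body to (signals, verdict) for a quick report."""
    return {m.body: (smishing_signals(m, contacts), is_suspicious(m, contacts)) for m in samples}


if __name__ == "__main__":
    for body, (signals, suspicious) in triage().items():
        label = "SUSPICIOUS" if suspicious else "ok        "
        print(f"{label} [{', '.join(signals)}] {body[:60]}")
```

The fourth sample, a one-time code from an unfamiliar short code, trips only the unknown-sender sign and stays below the threshold, which is the point of scoring several signs together rather than reacting to any one of them.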

Likewise, the protective measures you should take to protect yourself against falling victim to a smishing attempt are similar to any other safeguards you take:

  • Keep your mobile device software and browsers updated with the latest security upgrades.
  • If you are in doubt about the legitimacy of the message, do not use the link or phone number provided in the text to contact the sender. If the message appears to be from someone you know or a business you are familiar with, find their number in your contacts or online and contact them directly.

I realize that the criminals launching these types of attacks are generally using automated systems to transmit hundreds of thousands, if not millions, of these messages in hopes of getting even just a small percentage of recipients to click on the link. So even if you are like me and not average, there is a good chance you have been or are likely to be the target of a smishing attack. I hope you will use this information to avoid becoming a victim, and share it to help keep others from falling victim.

March 7, 2022

Cash Is Critical in Times of Crisis

Before I get into the meat of this post, I want to acknowledge that the events in Ukraine are on all our minds. Our hearts and thoughts are with those caught up in this conflict.

Among the photos coming out of Ukraine are images of the Ukrainian people lined up at ATM machines. These pictures underscore that cash, and access to it, is critical in times of crisis and uncertainty. Here at home in the Southeast, the Atlanta Fed is always on alert during hurricane season in the event that we have to step up our supply of cash to banks.

In addition, understanding the continuing role of cash in an increasingly digital world has been a core focus in the payments research we do through the lens of diversity, equity, and inclusion. Cash remains an important payment option among our many other options, including cards, checks, apps, and digital currencies. There are many reasons some people prefer to use cash: it helps them manage their budget, they don't have a bank account, they lack access to internet or smartphones and therefore lack access to digital payment apps, they're comfortable with cash from a lifetime of use, they're seeking anonymity, or they just plain choose to use it.

Although some businesses had already stopped accepting cash by the time the pandemic hit, the pandemic opened the door for many other businesses to stop taking it. Some businesses stopped offering in-person services and went to online platforms where customers could not use cash, such as order ahead, curbside pickup, and delivery subscription services. Concerns about money and hygiene, the coin supply disruption, and the ease of using cards and apps also discouraged cash use.

Those who use cash, whatever their reason, have been affected by the decisions of these businesses and by other decisions stemming from the pandemic, according to survey data. They've also been affected by the reduced number of ATMs in the United States due to bank and business closures, often in rural and low-income areas, or due to changing policies affecting independent ATM operators. Access issues to ATMs even in the United States can make it more difficult, and perhaps more expensive, for people to get cash when they need it most.

In times of natural disasters, when electronic systems could fail, people turn to cash. People also turn to cash in times of manmade disasters. The reliance on cash as the go-to payment in times of crisis and as a personal choice underscores the need for cash preservation and ease of access.

While the Ukrainian people have much more important things to deal with, and our thoughts are with them as they navigate this crisis, understanding the role that access to cash plays in people's lives is something we will continue to look at here at the Atlanta Fed.

February 28, 2022

5G and 3DS: A Perfect Pair?

Not that long ago, when you heard the term "5G," you would probably mentally translate it to "five grand" or "five thousand dollars." Today, 5G refers to the fifth generation of mobile network wireless communications technology. Network operators promise that 5G technology will deliver much faster data transmission speeds, lower latency, and greater signal reliability, which consumers may not truly realize on the mobile front for several years as operators upgrade their cell tower networks. But are there benefits on the payments side we're likely to see?

My colleague Doug King first raised this question in a Take On Payments post in September 2018, when the industry thought 5G was on the cusp of becoming a reality. While the pandemic and regulatory concerns about security and safety have slowed implementation, it is now underway.

We have also previously written about the evolution of 3DS (short for "three-domain secure"), which was developed in 2000 to improve the authentication of a legitimate consumer's payment transaction with a merchant. The first version of 3DS was unsuccessful in the United States for a variety of reasons centered on poor consumer experiences that resulted in high shopping cart abandonment rates. However, as the share of digital transactions of overall retail sales continued to grow, the payments industry knew that new tools were needed to combat increasing fraud.

Recognizing that the 3DS process needed an overhaul to meet consumer, issuer, and merchant requirements, EMVCo released the EMV 3DS 2.0 specifications in 2016. While this version results in a more complex transaction and was slow to gain traction in the marketplace until recently, its strength lies in the merchant's ability to send additional data to the payment card issuer. This additional information includes transaction, method-of-payment, and payment device information and is intended to help the issuer run its fraud mitigation tools more effectively, better detecting fraudulent transactions without denying legitimate ones. The issuer, if still concerned about a transaction's legitimacy, can perform stepped-up authorization with the customer, including out-of-band confirmations. An out-of-band confirmation is authentication occurring on a different channel than the one initiating the transaction, such as when a banking app sends an email or text with a password the customer must enter in the app to carry out the transaction. A recent report indicates that 10 percent or less of transactions require this stepped-up authorization, and that merchant adoption increased 50 percent in Q4 2021 compared to Q4 2020.
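The flow just described, as an added example that is not part of the original post and not EMVCo's or any issuer's code: a toy risk score over a few of the additional data elements a merchant might pass, a frictionless decision below a threshold, and a single-use out-of-band code that the issuer hands off to another channel and then verifies. The transaction field names, scoring weights, threshold, code length and lifetime are all assumptions chosen for illustration.

```python
"""Risk-based step-up with a single-use out-of-band code.
Added example: the transaction fields, scoring weights and thresholds are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """A slice of the richer data a merchant can pass to the issuer (hypothetical field names)."""
    tx_id: str
    amount_cents: int
    device_seen_before: bool        # has the issuer seen this payment device for this cardholder?
    shipping_matches_billing: bool
    ip_country_matches_card: bool


def risk_score(tx: Transaction) -> int:
    """Toy additive score; real issuers use models, but the shape of the decision is the same."""
    score = 0
    if not tx.device_seen_before:
        score += 2
    if not tx.shipping_matches_billing:
        score += 1
    if not tx.ip_country_matches_card:
        score += 2
    if tx.amount_cents >= 50_000:
        score += 1
    return score


def needs_step_up(tx: Transaction, threshold: int = 3) -> bool:
    """Below the threshold the transaction flows frictionlessly; at or above it the issuer challenges."""
    return risk_score(tx) >= threshold


class OutOfBandChallenge:
    """Issuer side of the challenge: issue a short code, deliver it on another channel,
    and accept it once, within its lifetime, with a small attempt budget."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, now=time.time):
        self._key = secrets.token_bytes(32)   # only an HMAC of the code is stored, never the code
        self._pending = {}                    # tx_id -> [digest, expires_at, attempts]
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._now = now                       # injectable clock so expiry can be tested

    def _digest(self, tx_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{tx_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, tx_id: str) -> str:
        """Create a 6-digit code bound to this transaction; the caller sends it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[tx_id] = [self._digest(tx_id, code), self._now() + self._ttl, 0]
        return code

    def verify(self, tx_id: str, code: str) -> bool:
        """True exactly once, for the right code, before expiry and within the attempt budget."""
        entry = self._pending.get(tx_id)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= self._max_attempts:
            del self._pending[tx_id]
            return False
        entry[2] = attempts + 1
        if hmac.compare_digest(digest, self._digest(tx_id, code)):
            del self._pending[tx_id]          # single use
            return True
        return False


def authorize(tx: Transaction, challenge: OutOfBandChallenge, customer_answers) -> str:
    """End-to-end flow: 'frictionless', 'approved' after a successful challenge, else 'declined'.
    customer_answers(code_sent) simulates the cardholder typing the code into the app."""
    if not needs_step_up(tx):
        return "frictionless"
    code = challenge.issue(tx.tx_id)          # delivered by SMS, email or push, not on the checkout channel
    return "approved" if challenge.verify(tx.tx_id, customer_answers(code)) else "declined"


if __name__ == "__main__":
    ch = OutOfBandChallenge()
    low = Transaction("t1", 4_000, True, True, True)
    high = Transaction("t2", 80_000, False, True, False)
    print(authorize(low, ch, lambda c: c), authorize(high, ch, lambda c: c))
```

The verifier binds the code to the transaction id, stores only an HMAC of it, compares in constant time, and deletes the entry on success, on expiry, and when the attempt budget is exhausted; those four properties are what keep a short numeric code from being guessed or replayed, and they are independent of how fast the network delivering it happens to be.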

So how will 5G and 3DS work together? Transmitting and handling payment authorization messages with the additional data the EMV 3DS 2.0 specifications require can increase transaction time. Slow response time (latency) is a major factor in a consumer abandoning a shopping cart and the merchant losing a sale. The mobile network benefits of 5G will be realized over time, but many operators have already begun to support local 5G networks for small to mid-sized businesses requiring fast data speeds.

Such networks will allow these businesses to handle the additional message data, as well as additional payment devices, while providing better service levels. While the GSMA (Global System for Mobile Communications Association) estimates it will take until 2025 before half of the mobile communications in North America will be on a 5G network, the uptake in the United States is expected to be faster.

I believe that the further adoption of EMV 3DS will be enhanced with the continued implementation of 5G technology in the United States. We will continue to monitor both technologies as well as when their expected benefits start to come about.

January 24, 2022

The Role of Cryptocurrency and Cryptoinsurance in Ransomware Payments

In the Risk Forum's end-of-the-year Talk About Payments webinar, ransomware was once again, unfortunately, a topic of discussion. For over five years now, our Take on Payments blog has often discussed ransomware, as financial losses due to ransomware attacks have steadily risen. In 2021, the federal government and the US Department of the Treasury issued guidance for the virtual currency industry in an effort to make it difficult for those behind ransomware attacks to receive cryptocurrency, the preferred ransom payment method. Whether or not these steps, or even an outright ban on cryptocurrency payments, will be effective in reducing ransomware attacks and their associated financial losses is still to be determined, but there are skeptics (including yours truly).

In 2019 posts (here and here), Dave Lott and I both wrote about the increasing frequency of people and companies obtaining insurance against ransomware attacks and the payment of ransoms by insurance companies. I think it is time for an evaluation of the costs and benefits of ransomware insurance. In fact, the FBI strongly recommends that ransomware payments not be made.

What are the basics? Organized crime syndicates, generally based in foreign countries, launch the vast majority of ransomware attacks. To protect against the financial consequences of such attacks, businesses may purchase insurance policies for coverage against cyber-related attacks that can include the payment of ransom in the event of a ransomware attack. If a syndicate receives a ransom payment, it not only encourages additional attacks but also allows the syndicate to grow and scale its criminal enterprise. As ransomware attacks flourish, businesses might become more likely to purchase insurance policies or expand existing policies with greater coverage to protect themselves. Another important issue to consider is whether companies that insure against ransomware as a form of protection could become less diligent in preventing an attack. Further, with increased attacks and higher demand for coverage, insurance providers may sell more policies at increased premiums to offset the potential for rising claims. Or perhaps the problem becomes so significant that the costs to insurers from claims outpace their revenue from such policies, causing them to exit the business.

In a different viewpoint, maybe insurance coverage that includes ransom payments is in fact beneficial, especially in those circumstances when "the damage inflicted by a cyber attack is greater than the cost of the ransom."

Over the past five years, since the Risk Forum began covering ransomware, we have witnessed significant growth in attacks and financial losses. While I am hopeful that both the public and private sector will find ways to slow the growth and ultimately stamp out ransomware attacks, the challenge is perhaps more daunting now than it was five years ago. It's promising to know that efforts are underway at the Treasury to address the challenge of ransom payments made with cryptocurrencies, but more may need to be done. As for this post, I am hoping that it can lead to a discussion on the pros and cons of this mitigation strategy as part of the effort at large to defeat ransomware.