Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
May 23, 2022
Vulnerable Populations and the Case for Cash
We recently wrote a post about communities not being able to access cash because of natural or man-made disasters. Severe weather and war, for example, may leave a bank branch inoperable. But even in "normal" times, access to cash remains an important consideration, especially for consumers who use it as their only or preferred means of payment. With this post, we look at how cash remains an important payment option and how accessing it may be becoming more difficult for certain vulnerable populations. These vulnerable populations—who tend to be low- to moderate-income households, rural communities, and recent immigrants—are more likely to be un- or underbanked (underserved) and often rely on cash to buy groceries and pay utility bills.
Even with an uptick in digital payment usage , cash remains a critical payment choice for many Americans. Some may be unable to use digital payment options because they lack access to broadband or a smartphone, for example. Others may not be able to access these options because they are unbanked. Data from the Federal Deposit Insurance Corporation's 2019 report How America Banks reveal that approximately 5.4 percent of households (7.1 million) were unbanked in 2019. Almost 14 percent of Black households are unbanked and presumably rely on cash or alternative payment options.
There are many reasons why cash can be a person's default method of acquiring goods and services, according to a forthcoming paper titled "Cash Is Alive: How Economists Explain Holding and Use of Cash" by Oz Shy, a senior policy adviser at the Atlanta Fed.
Unfortunately, recent data suggest that challenges to accessing cash existed prepandemic and accelerated during the pandemic. It may be especially difficult for the underserved, cash-reliant consumer, according to a report by the National Community Reinvestment Coalition:
- The number of banking institutions declined from approximately 18,000 in 1984 to fewer than 5,000 in 2021.
- The rate of bank branch closures doubled during the pandemic.
Rural areas tend to see the most bank branch closures, and those closures have contributed to a decline in ATMs as well. Adding to this, banks have been more cautious in providing accounts to independent ATM operators in part because of anti-money-laundering concerns. So some banks are adopting policies that prohibit business relationships with independent ATM operators or are charging much higher fees for their services—which means some ATM accounts with banks are closing and fewer ATMs are being established.
These closures matter, even to the unbanked consumer, who may need bank branches and ATMs, for example, to obtain cash from a prepaid benefits card for unemployment or social security payments, get a cash advance on a credit card, or cash a check at a bank where the check writer has an account.
As the digital economy expands, people in underserved communities and those who are cash reliant, whether by choice or lack of other options, are at risk for being further marginalized in the financial system. To help ensure that everyone, regardless of payments preferences, is included in this system, cash access and preservation in underserved communities across the nation remain important to maintain.
May 2, 2022
Taking the Long View: A Visit with Retail Payments Risk Forum Founder Rich Oliver
Rich Oliver, the founder of our Retail Payments Risk Forum (RPRF), paid a visit to our team recently and shared his vision when creating the forum, the challenges facing the payments industry, and the future direction our team could consider as the payments landscape continues to evolve.
In addition to founding our RPRF, Rich's payments expertise goes back to the 1970s when he led the effort to utilize the fledgling US Automated Clearing House (ACH) system to electronically deliver the first government payrolls and social security payments.
Drawing on his expertise, Rich wrote a book with George Warfel Jr. about the payments industry, The Story of Payments: How The Industrialization of Trust Created the Modern Payments System, that "tells the story of how payments—between people, merchants, employers, and governments—emerged from the ancient system of barter and grew, through various technological implementations ranging from coins and paper money to checks, wire transfers, and credit cards, to today's entirely electronic local and international payment systems."
In a wide-ranging conversation about the history of payments and Rich's role in many areas with the Fed, each of us in the RPRF took away some highlights to share with you.
Scarlett Heinbuch: Rich reminded us of the need to be bold in our thinking about the future of payments. We discussed advances in biometrics and how these initiatives could address identity and security concerns and make payments easier for all while also presenting other risks and challenges.
Nancy Donahue: One comment that made me go "hmm" was: "Do we have too many retail payments products that are trying to solve the same problem? Do they all make money? Do they all need to?"
Catherine Thaliath: What resonated with me was when Rich talked about potential risks of Buy Now Pay Later (BNPL). While viewed as a credit offering, it is nevertheless using a payment instrument in ways not previously done.
Claire Greene: "When it comes to product design, you can't assume you know what someone wants without doing the work." This was a humble statement from an innovator that applied in the 1970s and remains relevant today.
Dave Lott: Rich discussed the evolution of the current consumer banking product market where many of the explicit services (on-us ATMs, online banking, mobile banking, pay wallets, etc.) are provided free of charge.
Sally Martin: It resounded with me how much collaboration went on with the payments players in the industry. Also, the amount of time spent brainstorming on what the needs were and how to fill them, and in moving toward new offerings rather than replays of existing products. Rich's talk focused on moving into new territory—he was "agile" before it was cool.
Jessica Washington: We still need to collaborate on fraud mitigation at the strategic level. In the United States, we implemented chip credit cards but not so much chip-and-pin, plus we still have the magstripe, which is a major source of weakness, and we still have much work to do on card-not-present transactions.
As the RPRF founder, Rich challenged each of us to remember its mission: to be a source for non-biased thought leadership, to do original research, challenge norms, and push the envelope to move the payment system forward. Sometimes looking back at history can bring the future into sharper focus, which is what our chat with Rich did for us. As you look to the future of payments and payments risk, what stands out to you?
By the Retail Payments Risk Forum Team: Jessica Washington, Dave Lott, Scarlett Heinbuch, Claire Greene, Nancy Donahue, Catherine Thaliath, and Sally Martin.
April 11, 2022
Defending ATMs from Jackpotting
In a recent post on ATM jackpotting, I promised to follow up with some defensive tactics that could prevent, or at least deter, criminals from installing the malware that would allow them to empty an ATM. Because criminals use a variety of methods to jackpot ATMs, a multi-layered security approach is recommended since no one tactic is completely bulletproof.
The first line of defense is to make it more difficult for the criminal to gain access to the top cabinet of the ATM, which houses the operating components. This cabinet normally has an easily defeated barrel or a simple key lock mechanism. Often the same key accesses multiple machines to make it easier for service personnel. Owners should consider installing a digital lock on the cabinet since digital locks are more robust than key locks. The owners can change codes remotely and avoid the issues of lost or duplicated keys and personnel changes. Such a retrofit is not inexpensive nor a totally tamperproof enhancement, but it does create a deterrent.
A second defensive method is to encrypt the hard drive, which actually provides a double defense. First, someone would need an encryption key or security certificate to validate the hard drive before proceeding with a reboot, thus preventing the criminal from replacing the entire hard drive with one containing jackpotting malware. Second, even if the criminal were to remove the hard drive, the encryption would make it extremely difficult for the criminal to reverse-engineer the ATM software or to obtain usable data stored on the drive.
A third tactic is to encode a list of software applications or executable files that can be present and active in the ATM. The primary objective is to protect the ATM from the installation of potentially harmful applications.
A fourth defense is to block the operating system from recognizing an ATM's USB connection ports. This tactic presents some challenges because service technicians often need to connect their diagnostic equipment to a USB port. While the experienced criminal can circumvent this measure, it is still a deterrent to the opportunistic criminal.
Finally, as with all computerized devices, ATM owners should always install software updates and patches as soon as possible since they often address known security vulnerabilities. Likewise, owners should change factory-set passwords for software immediately upon installation of the software. Owners should place surveillance cameras, if they use them, to get good viewing angles of people at the front and rear of the machine. They should monitor access control to determine whether an ATM cabinet has been opened because of a legitimate service need.
I hope these two posts on ATM jackpotting have offered a better understanding of the risks of ATM jackpotting and the steps operators can take to minimize the risk of successful attacks. As always, your comments are welcome.
March 21, 2022
ATM Jackpotting Attacks Getting Clever
In reviewing my previous posts on ATM fraud, I realized I haven't written about ATM jackpotting since cybersecurity journalist Brian Krebs detailed the first jackpotting attacks against ATMs in the United States in early 2018. ATM jackpotting occurs when a criminal gains physical access to an ATM and instructs the ATM to dispense cash until the ATM is empty. This type of fraud is different from ATM cash-out schemes I wrote about in February 2018 and December 2019, whereby the criminal gains access to an issuer's card management system and overrides card or account withdrawal limits by manipulating the authorization messages to the ATM. More details on the jackpotting process below.
The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting (ATM Malware & Logical Attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of ATM fraud reported such as card skimming and physical attacks were down, jackpotting attacks represented a 44 percent increase in number of attacks and a 14 percent increase in losses from 2019. Statistics of attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminal.
I recently attended a panel discussion at an ATMIA conference on this topic. The participants discussed several attacks, including one involving multiple ATMs resulting in a loss of $1.5 million in the span of a couple of hours. The amount of money in a machine varies from a couple thousand dollars to as much as $50,000, depending on the ATM type (full-service ATM versus simple cash dispenser), its location, and the expected activity level. It's a balancing act of trying to minimize service calls to replenish the cash versus risking losing the cash to an attack.
So what does it take for a jackpotting attempt to succeed? Unlike the highly secured vault-like compartment for cash storage, an ATM's top compartment, which contains the software-driven components, is more easily accessed, either by jimmying the lock or purchasing a key off the internet (many terminals use a common key). In that compartment, the criminal installs software with jackpotting malware or a black box that intercepts transaction messages. Most often, criminals target ATMS in retail locations, where they can pose as a service technician and not attract the attention of store employees. After the criminal has installed the malware, money mules collect the money. In some cases, a mule presses numbers on the keypad that instruct the terminal to dispense a large quantity of bills or to empty the currency cassette completely. In others, the mule seems to be withdrawing, say, $60 but the malware tells the terminal to dispense $600. In most cases, the ATM owner doesn't discover the attack until the terminal unexpectedly transmits an "out-of-cash" message.
Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. In a follow-up to this post, I will examine some of the countermeasures ATM owners can use to prevent such attacks from being successful.