

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


May 2, 2022

Taking the Long View: A Visit with Retail Payments Risk Forum Founder Rich Oliver

Rich Oliver, the founder of our Retail Payments Risk Forum (RPRF), paid a visit to our team recently and shared his vision when creating the forum, the challenges facing the payments industry, and the future direction our team could consider as the payments landscape continues to evolve.

In addition to founding our RPRF, Rich's payments expertise goes back to the 1970s when he led the effort to utilize the fledgling US Automated Clearing House (ACH) system to electronically deliver the first government payrolls and social security payments.

Drawing on his expertise, Rich wrote a book with George Warfel Jr. about the payments industry, The Story of Payments: How The Industrialization of Trust Created the Modern Payments System, that "tells the story of how payments—between people, merchants, employers, and governments—emerged from the ancient system of barter and grew, through various technological implementations ranging from coins and paper money to checks, wire transfers, and credit cards, to today's entirely electronic local and international payment systems."

In a wide-ranging conversation about the history of payments and Rich's role in many areas with the Fed, each of us in the RPRF took away some highlights to share with you.

Scarlett Heinbuch: Rich reminded us of the need to be bold in our thinking about the future of payments. We discussed advances in biometrics and how these initiatives could address identity and security concerns and make payments easier for all while also presenting other risks and challenges.

Nancy Donahue: One comment that made me go "hmm" was: "Do we have too many retail payments products that are trying to solve the same problem? Do they all make money? Do they all need to?"

Catherine Thaliath: What resonated with me was when Rich talked about potential risks of Buy Now Pay Later (BNPL). While viewed as a credit offering, it is nevertheless using a payment instrument in ways not previously done.

Claire Greene: "When it comes to product design, you can't assume you know what someone wants without doing the work." This was a humble statement from an innovator that applied in the 1970s and remains relevant today.

Dave Lott: Rich discussed the evolution of the current consumer banking product market where many of the explicit services (on-us ATMs, online banking, mobile banking, pay wallets, etc.) are provided free of charge.

Sally Martin: It resounded with me how much collaboration went on with the payments players in the industry. Also, the amount of time spent brainstorming on what the needs were and how to fill them, and in moving toward new offerings rather than replays of existing products. Rich's talk focused on moving into new territory—he was "agile" before it was cool.

Jessica Washington: We still need to collaborate on fraud mitigation at the strategic level. In the United States, we implemented chip credit cards but not so much chip-and-pin, plus we still have the magstripe, which is a major source of weakness, and we still have much work to do on card-not-present transactions.

As the RPRF founder, Rich challenged each of us to remember its mission: to be a source for non-biased thought leadership, to do original research, challenge norms, and push the envelope to move the payment system forward. Sometimes looking back at history can bring the future into sharper focus, which is what our chat with Rich did for us. As you look to the future of payments and payments risk, what stands out to you?

By the Retail Payments Risk Forum Team: Jessica Washington, Dave Lott, Scarlett Heinbuch, Claire Greene, Nancy Donahue, Catherine Thaliath, and Sally Martin.

April 11, 2022

Defending ATMs from Jackpotting

In a recent post on ATM jackpotting, I promised to follow up with some defensive tactics that could prevent, or at least deter, criminals from installing the malware that would allow them to empty an ATM. Because criminals use a variety of methods to jackpot ATMs, a multi-layered security approach is recommended since no one tactic is completely bulletproof.

The first line of defense is to make it more difficult for the criminal to gain access to the top cabinet of the ATM, which houses the operating components. This cabinet normally has an easily defeated barrel or a simple key lock mechanism. Often the same key accesses multiple machines to make it easier for service personnel. Owners should consider installing a digital lock on the cabinet since digital locks are more robust than key locks. The owners can change codes remotely and avoid the issues of lost or duplicated keys and personnel changes. Such a retrofit is neither inexpensive nor totally tamperproof, but it does create a deterrent.

A second defensive method is to encrypt the hard drive, which actually provides a double defense. First, someone would need an encryption key or security certificate to validate the hard drive before proceeding with a reboot, thus preventing the criminal from replacing the entire hard drive with one containing jackpotting malware. Second, even if the criminal were to remove the hard drive, the encryption would make it extremely difficult for the criminal to reverse-engineer the ATM software or to obtain usable data stored on the drive.

A third tactic is to encode a list of software applications or executable files that can be present and active in the ATM. The primary objective is to protect the ATM from the installation of potentially harmful applications.
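The following sketch illustrates the allowlist idea as an audit: it records SHA-256 hashes of an approved software tree and later reports any file that is new, changed, or missing. It is an added example, not code from this post or from any ATM vendor; the file names and directory layout are constructed, and a production allowlist is enforced by the operating system or an application-control product rather than by a periodic script.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under a known-good software root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit(root: Path, manifest: dict) -> dict:
    """Compare the current tree with the approved manifest."""
    current = build_manifest(root)
    return {
        # Present on disk but never approved: the case the allowlist exists to catch.
        "unapproved": sorted(set(current) - set(manifest)),
        # Approved but no longer present (removed or renamed).
        "missing": sorted(set(manifest) - set(current)),
        # Same path, different content: a replaced or patched binary.
        "modified": sorted(
            name for name in set(current) & set(manifest)
            if current[name] != manifest[name]
        ),
    }

def demo() -> dict:
    """Constructed sample: approve two files, then alter one and add an unknown one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "dispenser_service.exe").write_bytes(b"approved build 1")
        (root / "bin" / "card_reader.dll").write_bytes(b"approved build 1")
        manifest = build_manifest(root)  # taken while the tree is known good
        (root / "bin" / "card_reader.dll").write_bytes(b"changed after approval")
        (root / "bin" / "unknown_tool.exe").write_bytes(b"not on the list")
        return audit(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest only has value if it is stored and checked from somewhere the ATM's own software cannot modify, such as the owner's monitoring host.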

A fourth defense is to block the operating system from recognizing an ATM's USB connection ports. This tactic presents some challenges because service technicians often need to connect their diagnostic equipment to a USB port. While the experienced criminal can circumvent this measure, it is still a deterrent to the opportunistic criminal.

Finally, as with all computerized devices, ATM owners should always install software updates and patches as soon as possible since they often address known security vulnerabilities. Likewise, owners should change factory-set passwords for software immediately upon installation of the software. Owners should place surveillance cameras, if they use them, to get good viewing angles of people at the front and rear of the machine. They should monitor access control to determine whether an ATM cabinet has been opened because of a legitimate service need.
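One way to carry out the access-control monitoring described above is to compare cabinet-open events with scheduled service windows and alert on any open that no window explains. This is an added example, not code from this post; the event format, field names, terminal IDs, and timestamps are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: scheduled service visits per terminal.
SERVICE_WINDOWS = [
    {"terminal": "ATM-0012", "start": "2022-04-05T09:00", "end": "2022-04-05T11:00"},
    {"terminal": "ATM-0047", "start": "2022-04-06T13:00", "end": "2022-04-06T14:30"},
]

# Constructed sample data: "<timestamp> <terminal> <event>" lines from cabinet sensors.
CABINET_EVENTS = [
    "2022-04-05T09:42 ATM-0012 TOP_CABINET_OPEN",
    "2022-04-05T22:17 ATM-0012 TOP_CABINET_OPEN",
    "2022-04-06T13:05 ATM-0031 TOP_CABINET_OPEN",
    "2022-04-06T13:20 ATM-0047 TOP_CABINET_OPEN",
    "2022-04-06T13:21 ATM-0047 TOP_CABINET_CLOSED",
]

def parse_event(line):
    """Split one event line into (datetime, terminal, event name)."""
    ts, terminal, event = line.split()
    return datetime.fromisoformat(ts), terminal, event

def index_windows(windows):
    """Group service windows by terminal as (start, end) datetime pairs."""
    by_terminal = {}
    for w in windows:
        span = (datetime.fromisoformat(w["start"]), datetime.fromisoformat(w["end"]))
        by_terminal.setdefault(w["terminal"], []).append(span)
    return by_terminal

def unexplained_opens(events, windows):
    """Return (timestamp, terminal) for every cabinet open outside a service window."""
    by_terminal = index_windows(windows)
    alerts = []
    for line in events:
        ts, terminal, event = parse_event(line)
        if event != "TOP_CABINET_OPEN":
            continue
        # A terminal with no scheduled visit has no spans, so any open is flagged.
        spans = by_terminal.get(terminal, [])
        if not any(start <= ts <= end for start, end in spans):
            alerts.append((ts.isoformat(timespec="minutes"), terminal))
    return alerts

if __name__ == "__main__":
    for when, terminal in unexplained_opens(CABINET_EVENTS, SERVICE_WINDOWS):
        print(f"ALERT: {terminal} top cabinet opened at {when} with no service window")
```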

I hope these two posts on ATM jackpotting have offered a better understanding of the risks of ATM jackpotting and the steps operators can take to minimize the risk of successful attacks. As always, your comments are welcome.

March 21, 2022

ATM Jackpotting Attacks Getting Clever

In reviewing my previous posts on ATM fraud, I realized I haven't written about ATM jackpotting since cybersecurity journalist Brian Krebs detailed the first jackpotting attacks against ATMs in the United States in early 2018. ATM jackpotting occurs when a criminal gains physical access to an ATM and instructs the ATM to dispense cash until the ATM is empty. This type of fraud is different from ATM cash-out schemes I wrote about in February 2018 and December 2019, whereby the criminal gains access to an issuer's card management system and overrides card or account withdrawal limits by manipulating the authorization messages to the ATM. More details on the jackpotting process below.

The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting attacks (ATM Malware & Logical Attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of reported ATM fraud, such as card skimming and physical attacks, were down, jackpotting attacks represented a 44 percent increase in the number of attacks and a 14 percent increase in losses from 2019. Statistics of attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminal.

I recently attended a panel discussion at an ATMIA conference on this topic. The participants discussed several attacks, including one involving multiple ATMs resulting in a loss of $1.5 million in the span of a couple of hours. The amount of money in a machine varies from a couple thousand dollars to as much as $50,000, depending on the ATM type (full-service ATM versus simple cash dispenser), its location, and the expected activity level. It's a balancing act of trying to minimize service calls to replenish the cash versus risking losing the cash to an attack.

So what does it take for a jackpotting attempt to succeed? Unlike the highly secured vault-like compartment for cash storage, an ATM's top compartment, which contains the software-driven components, is more easily accessed, either by jimmying the lock or purchasing a key off the internet (many terminals use a common key). In that compartment, the criminal installs software with jackpotting malware or a black box that intercepts transaction messages. Most often, criminals target ATMs in retail locations, where they can pose as a service technician and not attract the attention of store employees. After the criminal has installed the malware, money mules collect the money. In some cases, a mule presses numbers on the keypad that instruct the terminal to dispense a large quantity of bills or to empty the currency cassette completely. In others, the mule seems to be withdrawing, say, $60 but the malware tells the terminal to dispense $600. In most cases, the ATM owner doesn't discover the attack until the terminal unexpectedly transmits an "out-of-cash" message.

Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. In a follow-up to this post, I will examine some of the countermeasures ATM owners can use to prevent such attacks from being successful.

March 7, 2022

Cash Is Critical in Times of Crisis

Before I get into the meat of this post, I want to acknowledge that the events in Ukraine are on all our minds. Our hearts and thoughts are with those caught up in this conflict.

Among the photos coming out of Ukraine are images of the Ukrainian people lined up at ATM machines. These pictures underscore that cash, and access to it, is critical in times of crisis and uncertainty. Here at home in the Southeast, the Atlanta Fed is always on alert during hurricane season in the event that we have to step up our supply of cash to banks.

In addition, understanding the continuing role of cash in an increasingly digital world has been a core focus in the payments research we do through the lens of diversity, equity, and inclusion. Cash remains an important payment option among our many other options, including cards, checks, apps, and digital currencies. There are many reasons some people prefer to use cash: it helps them manage their budget, they don't have a bank account, they lack access to internet or smartphones and therefore lack access to digital payment apps, they're comfortable with cash from a lifetime of use, they're seeking anonymity, or they just plain choose to use it.

Although some businesses had already stopped accepting cash by the time the pandemic hit, the pandemic opened the door for many other businesses to stop taking it. Some businesses stopped offering in-person services and went to online platforms where customers could not use cash, such as order ahead, curbside pickup, and delivery subscription services. Concerns about money and hygiene, the coin supply disruption, and the ease of using cards and apps also discouraged cash use.

Those who use cash, whatever their reason, have been affected by the decisions of these businesses and by other decisions stemming from the pandemic, according to survey data. They've also been affected by the reduced number of ATMs in the United States due to bank and business closures, often in rural and low-income areas, or due to changing policies affecting independent ATM operators. Access issues to ATMs even in the United States can make it more difficult, and perhaps more expensive, for people to get cash when they need it most.

In times of natural disasters, when electronic systems could fail, people turn to cash. People also turn to cash in times of manmade disasters. The reliance on cash as the go-to payment in times of crisis and as a personal choice underscores the need for cash preservation and ease of access.

While the Ukrainian people have much more important things to deal with, and our thoughts are with them as they navigate this crisis, understanding the role that access to cash plays in people's lives is something we will continue to look at here at the Atlanta Fed.