Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
April 18, 2022
Smishing: Phishing with a Different Bait
The Retail Payments Risk Forum team is always on the lookout for changes in attack patterns by the criminal element regarding payments. Our sources of research include industry news, networking with payments stakeholders, third-party reports, and our internal security warnings. One other source we have is our own personal experience, though we have to remind ourselves of our colleague Claire Greene's warning that each of us is a sample of one. What we experience may not be, and probably isn't, what the average person might encounter.
I was recently reminded of this warning with regard to my own experience with smishing attacks. Unlike phishing, which uses email, smishing uses SMS text messages to entice you to click on a malicious link that either loads malware on your phone or, more likely, directs you to a fake website to capture your login information. (Simply opening the text message poses little risk.) Over the last several weeks, I have been getting one to two text messages a day on my phone asking me to click on a link to respond—usually to a customer satisfaction survey allegedly from a major retailer, with the offer of a gift card as a reward for responding. One message informed me that a product I had ordered (and already received) from an online retailer couldn't be shipped until I clicked on the link to pay an international tax of $2.83. I am confident that all these messages were "smishing" attempts.
Although a part of me was tempted to assume my experience was indicative of a very recent trend, I decided to research whether I was indeed average in experiencing an increased number of these attacks. It appears Claire was right—although my research showed that smishing attacks have substantially increased, it seems I am fortunate to have only recently become a target. A cybersecurity firm that claims to handle 80 percent of mobile messages in North America has reported that the number of smishing attacks during the third quarter of 2020 had increased 328 percent over the previous quarter. The FBI's Internet Crime Complaint Center (IC3) doesn't separate smishing from phishing, vishing (phone calls), or pharming (redirection to a fake website) incidents, but the IC3's Internet Crime Report 2021 shows that these complaints increased 34 percent from 2020 to 2021.
The warning signs for a smishing message are quite similar to those of a phishing attack and may include the following:
- A sense of urgency, pushing you to respond right away. As we are now in income tax season, these messages may include references to past due taxes or a suspended refund.
- An offer of a reward such as a gift card, rebate, or a coupon for a future purchase from the retailer
- Poor English grammar or improperly formatted phone numbers
- An unknown sender. It is best to report or delete messages you weren't expecting from people you don't know.
Be aware that what appears to be the sender's phone number is often spoofed. It may be a familiar number or at least may have a local area code. This is intended to increase your trust and thus the likelihood that you will respond.
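As an added illustration (not code from the post or from the Atlanta Fed), the following Python turns the warning signs listed above into a simple triage check run over a few constructed messages modeled on the ones described in the post; the keyword lists, the accepted sender formats, the contacts set and the sample texts are all assumptions made for this example.

```python
import re

# Heuristics mapped one-to-one from the post's list of smishing warning signs.
# Keyword lists, sender formats and sample messages are constructed for this example.
URGENCY = ("right away", "immediately", "within 24 hours", "suspended", "past due",
           "final notice", "cannot be shipped", "can't be shipped", "refund")
REWARD = ("gift card", "rebate", "coupon", "reward", "prize", "you've been selected")
LINK = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|info|xyz|top|ly)\b", re.I)
# Assumed acceptable sender formats: a 10-digit North American number (optionally
# prefixed with 1) or a 5- to 6-digit short code as used by legitimate businesses.
SENDER_OK = re.compile(r"^(?:1?\d{10}|\d{5,6})$")


def warning_signs(sender: str, body: str, contacts: frozenset[str]) -> list[str]:
    """Return the warning signs from the post that fire for one SMS."""
    text = body.lower()
    digits = re.sub(r"\D", "", sender)  # keep only digits for the format check
    signs = []
    if sender not in contacts:
        signs.append("unknown sender")
    if not SENDER_OK.match(digits):
        signs.append("improperly formatted phone number")
    if any(term in text for term in URGENCY):
        signs.append("sense of urgency")
    if any(term in text for term in REWARD):
        signs.append("offer of a reward")
    if LINK.search(body):
        signs.append("asks you to click a link")
    return signs


def triage(sender: str, body: str, contacts: frozenset[str]) -> str:
    """Two or more signs: treat as smishing and verify through a known channel."""
    signs = warning_signs(sender, body, contacts)
    if len(signs) >= 2:
        return "likely smishing: do not use the link; contact the sender via a known number"
    if signs:
        return "suspicious: verify before responding"
    return "no warning signs"


CONTACTS = frozenset({"+14045550100"})  # constructed; 555 numbers are fictitious
SAMPLES = [  # constructed messages modeled on those described in the post
    ("+14045550123", "Congratulations! You've been selected for a $100 gift card. "
                     "Complete the survey right away: http://survey.example.com/r"),
    ("44-7700-900-123", "Your order cannot be shipped until you pay an international "
                        "tax of $2.83 at www.example.net/pay"),
    ("+14045550100", "Running 10 minutes late, see you at the coffee shop."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body, CONTACTS), warning_signs(sender, body, CONTACTS))
```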
Likewise, the measures you should take to protect yourself against falling victim to a smishing attempt are similar to the safeguards you already take elsewhere:
- Keep your mobile device software and browsers updated with the latest security upgrades.
- If you are in doubt about the legitimacy of the message, do not use the link or phone number provided in the text to contact the sender. If the message appears to be from someone you know or a business you are familiar with, find their number in your contacts or online and contact them directly.
I realize that the criminals launching these types of attacks are generally using automated systems to transmit hundreds of thousands, if not millions, of these messages in the hope that even a small percentage of recipients will click on the link. So even if you are like me and not average, there is a good chance you have been or will be the target of a smishing attack. I hope you will use this information to avoid becoming a victim, and share it to help keep others from falling victim.
April 11, 2022
Defending ATMs from Jackpotting
In a recent post on ATM jackpotting, I promised to follow up with some defensive tactics that could prevent, or at least deter, criminals from installing the malware that would allow them to empty an ATM. Because criminals use a variety of methods to jackpot ATMs, a multi-layered security approach is recommended since no one tactic is completely bulletproof.
The first line of defense is to make it more difficult for the criminal to gain access to the top cabinet of the ATM, which houses the operating components. This cabinet normally has an easily defeated barrel lock or a simple key lock. Often the same key opens multiple machines to make it easier for service personnel. Owners should consider installing a digital lock on the cabinet since digital locks are more robust than key locks. The owners can change codes remotely and avoid the issues of lost or duplicated keys and personnel changes. Such a retrofit is neither inexpensive nor totally tamperproof, but it does create a deterrent.
A second defensive method is to encrypt the hard drive, which actually provides a double defense. First, someone would need an encryption key or security certificate to validate the hard drive before proceeding with a reboot, thus preventing the criminal from replacing the entire hard drive with one containing jackpotting malware. Second, even if the criminal were to remove the hard drive, the encryption would make it extremely difficult for the criminal to reverse-engineer the ATM software or to obtain usable data stored on the drive.
A third tactic is to maintain an allowlist of the software applications or executable files that are permitted to be present and active on the ATM. The primary objective is to protect the ATM from the installation of potentially harmful applications.
A fourth defense is to block the operating system from recognizing an ATM's USB connection ports. This tactic presents some challenges because service technicians often need to connect their diagnostic equipment to a USB port. While the experienced criminal can circumvent this measure, it is still a deterrent to the opportunistic criminal.
Finally, as with all computerized devices, ATM owners should always install software updates and patches as soon as possible since they often address known security vulnerabilities. Likewise, owners should change factory-set passwords for software immediately upon installation of the software. Owners should place surveillance cameras, if they use them, to get good viewing angles of people at the front and rear of the machine. They should also monitor cabinet access records so that any opening of an ATM cabinet can be matched against a legitimate service need.
I hope these two posts on ATM jackpotting have offered a better understanding of the risks of ATM jackpotting and the steps operators can take to minimize the risk of successful attacks. As always, your comments are welcome.
April 4, 2022
The Fed Goes to School
A primary mission of the Retail Payments Risk Forum (RPRF) is to educate the payments industry on the financial, operational, compliance, and reputational risks of payment methods and channels. We seek to accomplish this outreach mission not only through this weekly blog but also through webinars, papers, and presentations at payments conferences and industry group meetings. But as Fox Mulder of the X Files always said, "We are not alone out there." The Atlanta Fed and other Federal Reserve Banks as well as the system-wide Federal Reserve Education (FRE) group make many efforts to improve financial literacy.
The Education Outreach group within the Atlanta Fed's Public Affairs Department offers a vast number of educational outreach programs including:
- Professional development training and credentialing for K-12 grade teachers in the Sixth District on financial literacy
- Development and updates for a personal finance curriculum with supplemental infographic posters and lesson/activity books
- Delivery of career-day programs for high school students as well as teaching job interview skills and holding mock job interviews
- Advice to state education departments of the states in the Sixth District on their personal finance standards
- Partnering with the St. Louis Fed to conduct a Native American financial literacy initiative
The efforts don't go unnoticed. The Federal Reserve Banks of Atlanta and St. Louis received the Institute for Financial Literacy's 2021 EIFLE Award–Children's Education Program of the Year for their development of a personal finance curriculum and corresponding training program for more than 200 high school teachers in Mississippi as part of a collaboration with the Mississippi Council on Economic Education.
The Atlanta and St. Louis Feds are not the only Federal Reserve Banks engaged in education outreach. The Richmond Fed recently developed and released an interactive training course called Payments 101 that covers the history of payments and the role of the Federal Reserve. Of course, financial literacy is more than just payments. The Federal Reserve also offers many personal finance programs on the responsible use of credit, budgeting, and economic decision-making.
At the start, I mentioned the RPRF's various outreach efforts. But our education efforts go both ways. My colleagues and I are constantly reading industry publications and blogs from other payments geeks, attending conference sessions, meeting with vendors, and having one-on-one conversations with payments stakeholders to learn about the latest trends and tools. And, of course, we depend on your interaction to learn what's going on in the industry and always welcome your comments.
March 28, 2022
Abigail Adams: "Remember the Ladies"
Women's History Month (WHM) reminds us of how far women have come and how far we still must go in terms of financial equity, education, and inclusion. While women today manage about 80 percent of the finances in the household, they lag behind in making investment decisions, often because they are more cautious than men.
One woman who broke through many of these barriers is Abigail Smith Adams (Nov. 22, 1744–Oct. 28, 1818), one of our country's founding mothers. Many people know of Abigail through her roles as the wife of our second president, John Adams, and the mother of our sixth president, John Quincy Adams. She was also the first First Lady to live in the White House.
But there is quite a bit more to Abigail. In colonial times, married women were considered their husband's property. Women could not own or purchase real property, manage money, pursue a formal education, or have a voice in political matters. Married to John Adams at the age of 19, and self-educated, she bore six children, with four surviving to adulthood. While John Adams was away in France, the Netherlands, and England from 1778 to 1788, he left Abigail behind (except for the several years she joined him in Paris and London) to manage the household's finances even though women by law could not.
Abigail invested her family's money in government securities (stocks and bonds)—a decision that ultimately made them wealthy, according to Woody Holton's biography. Abigail defied societal norms in other ways. She used "money which I call mine" to contribute to their wealth (even though it was considered the husband's property), valued independence and freedom, opposed slavery, and advocated for women's education. She was a trusted adviser to her husband, and her strong influence led others to refer to her as "Mrs. President."
On March 31, 1776, while John Adams was at the Continental Congress, Abigail wrote to him in her now famous letter to "Remember the Ladies":
I long to hear that you have declared an independancy—and by the way in the new Code of Laws which I suppose it will be necessary for you to make I desire you would Remember the Ladies, and be more generous and favourable to them than your ancestors. Do not put such unlimited power into the hands of the Husbands. Remember all Men would be tyrants if they could. If perticuliar care and attention is not paid to the Laidies we are determined to foment a Rebelion, and will not hold ourselves bound by any Laws in which we have no voice, or Representation.
Last year for WHM, I wrote about women's financial rights from the 1970s onward. Recent posts have noted the importance of inclusion in our nation's coins and currency and the barriers broken by women, such as Maya Angelou being the first African American woman on a US coin and Maggie Lena Walker being the first African American woman to found a bank for her community. Abigail is remembered for her advocacy for women and her financial savvy and is included in the US Mint's First Spouse $10 Gold Coin series, with "Remember the Ladies" on the face alongside her image.
As we remember the ladies for Women's History Month, we can acknowledge the most influential women in payments for 2022 who are making a difference in financial equity and inclusion. Happy Women's History Month!