A recent story in the Wall Street Journal recapped how bank robberies had declined almost 50 percent over the last decade. In addition to citing the increased physical security measures at banks and tougher sentencing for bank robbers, especially if a firearm is involved, the alternative criminal target of the Internet was cited as being more lucrative and having a lower risk, and therefore more attractive. The article offers the logic of the proven security adage that the more sophisticated criminal is more likely to focus on the weakest link in the overall security ecosystem of the targeted victim.

Online fraud offers a number of advantages for the criminal over the old-fashioned "stick-'em-up" bank robbery. The criminal doesn't have to be physically present at the point of the crime. In fact, the further away, the better with regards to investigative difficulties and jurisdictional issues. Also, compared to a typical bank robbery, the potential take for card and online fraud is significantly higher. Based on FBI statistics for 2010, the average bank robbery netted about $7,500. The Javelin Research 2011 Identity Fraud Survey (2010 data) reports that the average debit card fraud amount was $2,529, and the average credit card fraud amount was $3,741. Noncard account fraud added an average of another $3,000. Obtaining just a handful of cards or account numbers through skimming or other illegal methods can quickly result in tens of thousands of dollars in ill-gotten proceeds at a relatively low risk to the criminal.

Fraud risk mitigation is a constant effort by the banking industry and merchant community to stay ahead of the criminal element in their criminal techniques and efforts for identity and account theft. As new payment methods emerge and gain adoption, they will increasingly gain attention from the criminal element looking to exploit a weak link. Javelin's 2012 Identity Fraud Industry Report reveals that consumers with smartphones have a higher incidence of fraud than nonsmartphone consumers by approximately one-third. Key behavior weaknesses cited included failure to update the phone operating software with security patches, saving account log-in information on the phone and not using the phone lock feature—allowing the information to be accessed by anyone finding the phone. In the meantime, consumer advocacy and educational groups, the banking industry, and mobile carriers are making efforts to educate consumers on the best way to safeguard their personal and banking information against such attacks.

The Mobile Payments Industry Workgroup (MPIW), facilitated by the Federal Reserve Banks of Atlanta and Boston, regular discusses risk associated with this emerging payments method with telephony and payments security experts. In the coming months, a subgroup of the MPIW will be working to evaluate the various security issues with mobile payments and making recommendations to the overall workgroup to ensure that the mobile payments ecosystem is sound and as safe as necessary. Portals and Rails will continue to report on the efforts of this and other groups to improve the security of our payments system. As always, we encourage your comments.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed