When a Fraudster ‘Borrows’ Your Customer’s Smartphone

This post continues our series on risk assessment for mobile banking apps.

Smartphone theft is a burgeoning crime, and one that is definitely not victimless. A few years back, stolen cell phones were an inconvenience – victims had to replace their phones and rekey in contacts. Today, however, stolen smartphones – equipped with banking and payment tools, not to mention hundreds of other apps that gather and store personal data – can be the lynchpin to a devastating identity theft incident.

Mobile Threat #8: Vulnerable Apps Allow Criminals Access to Info

In my last post, I discussed the importance of securing user passwords. Obviously, you, as the financial institution providing this window into the private financial lives of your customers, want to keep it closed to strangers. But sometimes, the criminals gain entry. And then what? How do you minimize the risk once fraudsters are inside looking around at your customer’s information?

To lessen the risk:

Be sure no personal customer data resides on the smartphone itself, nor is visible inside your mobile banking app. You want to protect information that a legitimate user would already know (and not need access to) and information that could be of great value to a criminal. This is information such as the social security number (even the last four digits) or an associated card’s number and expiration date.

Another thing you can do is to be sure your app times out after even a brief period of inactivity. This prevents criminals from gaining access should your customer forget to log-off before misplacing his or her phone or having it stolen.

Next time, we’ll discuss the threat of inadequate contract terms between a financial institution and its mobile-banking customers.

Life After Durbin

A recent report by the Federal Reserve Bank of Kansas City examines the current state of the debit card market. The report specifically looks at how that market was shaped by the Durbin Amendment. The interventions by Congress and the Justice Department were intended to advance consumer welfare and promote competition within the payment card industry. However, statistics show this goal has not been achieved.

On one hand, says the report, merchants have benefited from new rules that cap certain fees. Card issuers, on the other hand, have lost billions of dollars of debit interchange revenues, resulting in the reduction in rewards programs and higher fees as financial institutions (FIs) try to offset lost revenue. Thus, as the report points out, consumers largely have not been well served.

The report shows after the cap took effect, the average interchange fee on signature debit for regulated issuers fell 24 cents, to 33 cents per transaction. In comparison, the average PIN-debit fee, fell just 7 cents, to 26 cents. Overall, average debit fees dropped from 48 cents to 30 cents.

According to the study, savings were minimal for merchants who chose bundled pricing from their acquirers. This is where acquirers wrap interchange, network fees, and processing fees into a bundled, overall percentage rate. While this type of pricing (mostly used by smaller merchants) does make budgeting easier, it also makes it more difficult to determine changes in interchange.

The study found that small-ticket merchants such as fast-food restaurants have likely seen their interchange costs increase. This is due to the fact that interchange on these small transactions started out below the Durbin cap, prior to the cap taking effect.

Overall, the study provides a detailed review of how the new rules have affected card networks and FIs, and how they have begun to respond. Specifically, the report shows that fee structures have adjusted, incentives within the industry have shifted, and the market shares of the top card networks have changed. Early signs indicate some of the legislation achieved a portion of its intended purpose, fostering increased competition in some areas of the industry.

However, whether consumers will enjoy the benefits in the long run will depend, in part, on the results of new revenue-generating strategies adopted by key players in the industry, and of course, whether merchants will come through on their promises to pass the savings along to customers.

Verifying the Identity of Inbound Callers

This post continues our series on risk assessment for mobile banking apps.

As masters of disguise, criminals are only getting better at pulling the wool over the eyes of even well-trained financial institution representatives. Social engineers and other scammers have become incredibly adept at acquiring just enough information to convince call center staff they are indeed who they are pretending to be on the phone.

With the rise in popularity of mobile banking, more bank customers are taking their financial portals with them – in the car, on the train, to their kids’ school playground. When they accidentally leave it behind and a bad guy with even worse intentions gets a hold of it, those customers will expect you to protect them. Are you up to the task?

Mobile Threat #7: Password-Change Requests

Once a perpetrator masquerading as a legitimate customer receives a new password, he or she has full access to that customer’s account information, and potentially to their payment tools. Less sophisticated, but just as dangerous, is the possibility that an experienced thief could gain access to your customer’s account information simply by guessing a common or weak password and keying it into the app’s login screen.

To lessen the risk:

As you evaluate mobile-banking applications, be sure its developers have built a system for preventing successful password “guesses,” which is often where criminals start. You’d be surprised how many people have chosen 1-2-3-4 or their home address as their password.

Users get locked-out of SHAZAM BOLT$, for example, after three unsuccessful password attempts. However, you and your mobile app partner must go beyond simple lock-out procedures, as tenacious criminals simply call in and pretend to be the account holder and claiming to have forgotten the password.

Make sure to educate your customers on choosing a complex password. Additionally, ensure your call center reps have a thorough list of qualifying questions callers must answer before giving out a new password. We recommend at least four qualifiers, which could include things like the registered card account number or the last four digits of a social security number.

Next time, we’ll discuss what can happen when a fraudster gains access to account information and how to prevent that from happening on a mobile device.

Learning from the EMV Experiences of Other Countries

Recent statistics regarding the U.S. payment and fraud volumes indicate that the shift to EMV is a necessary step in order to reduce fraud. More than $3.9 trillion in payment transactions were made in 2011. Those transactions were made using 1 billion debit and credit cards an average of 69 times each. Payment card losses in 2009 totaled $3.4 billion.

It’s important to note, however, that signature, magnetic-stripe debit and credit fraud was four times greater than PIN magnetic-stripe debit card fraud. Not surprising, but important, as that fact may have implications for post-EMV fraud levels.

It’s well known that while EMV has been effective at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise in countries where EMV is the standard. That’s because EMV is less effective at preventing fraud online. As EMV adoption ramps up in the U.S., card issuers are considering increased verification methods in order to lessen the magnitude of the shift from card-present (CP) fraud to CNP fraud. It was a trend experienced in Europe following its own EMV shift several years ago.

Specifically, U.S. payments companies are looking into verifications such as texting a unique password each time a cardholder initiates a transaction or using mobile location technology to compare with a transaction’s IP address.

Whether or not the U.S. shift to EMV, which will take several more years, results in a reduction of overall card fraud remains to be seen. Recent statistics indicate only between 40 percent and 50 percent of merchants and issuers will be EMV-enabled by 2015. In the meantime, we must pay attention to the experiences of other countries and consider possible developments as a result. These may include elimination of magnetic stripe fallback, the adoption of credit PIN, and more robust CNP authentication.

FI Execs, Speak Up on Regulatory Burden

Community financial institutions are suffering a pretty unfair burden caused by increasing regulation. Although these financial institutions certainly agree with the spirit of the rules – to protect consumers from predatory financial providers – many feel their community bank or credit union was already going above and beyond to protect its customers before the regulations.

A recent report found that, ironically, regulations may cause overwrought community financial institutions to merge or close. With a greater concentration of assets among the megabanks, consumers – particularly “small businesses and individuals who do not fit neatly into standardized financial modeling, or who live outside of metropolitan areas” may find their personal financial picture actually becoming worse.

If you’re one of the financial institution executives experiencing the unintended consequences of Basel III capital requirements, complex mortgage regs, and Consumer Financial Protection Bureau rules, don’t be too discouraged to speak up. Let your trade associations and legislative representatives hear you. That’s what they are there for… to be your agents for change.

Speak loudly and speak often about the manner in which your financial institution goes out of its way to serve the best interests of your customers and members.

ATM Industry Works to Go Green

The ATM industry is taking steps to reduce its carbon footprint. Below are seven practices ATM developers and operators are incorporating to benefit the environment:

1) Solar power — With continued technological strides reducing the cost of solar panels and upping the storage capacity of batteries, solar-powered ATMs are now a reality. In fact, a number of FIs have installed solar-powered ATMs in a number of areas across the globe.

2) Smartphone access — Different types of mobile cash withdrawal programs are now available at many ATMs. This allows consumers to set up a cash withdrawal via their mobile device, and to finish the transaction by scanning or entering a code at the ATM. This may allow for the eventual elimination of the plastic card.

3) Parts recycling — Recycled parts are generally less expensive than new parts, and as they come with a guarantee, they are almost always as reliable. There are two options to choose from for parts repair. Advance exchange allows ATM owners to have a repaired part shipped immediately to them. In return, they send in the defective part for assessment and credit. Depot repair is the more traditional method of sending a defective part to a repair service and waiting while they repair the part and ship it back.

4) Deposit automation — With significant advances in check imaging and verification technologies, envelop-free automatic deposits are more popular than ever.

5) E-receipts — The industry’s first printer-less ATM was unveiled at this year’s ATM Industry Association conference. Eliminating all paper receipts at ATMs would save 640,000 tons of receipt paper annually.

6) Machine refurbish — Refurbished ATMs may prove to be attractive as the industry deals with the costs associated with EMV, PCI, and Windows 7 compliance. Refurbished ATMs may also be useful in developing markets, as access to affordable hardware leads the way to faster, broader expansion in those markets.

7) Smaller branch footprint — Advanced self-service and teller assist ATMs are transforming entire financial institution branches. As these functions are capable of performing nearly all teller-based transactions, they are reducing the real estate required to facilitate a full brick-and-mortar branch.

Merchants Continue To Resist EMV Conversion

Although networks, issuers, and acquirers are making strides in the switch to EMV, a significant number of retailers are resistant to making the required upgrades to their point-of-sale (POS) hardware. During a recent RAMP Mobile Retail Services conference, a panel of major retailers, a processor acquirer, and a merchant association executive collectively criticized EMV mandates.

Visa, MasterCard, American Express, and Discover Financial Services continue to hold fast to the October 2015 deadline for merchants to have the technology in place to handle EMV payments (fuel merchants have an additional two years). Failure to upgrade their hardware will result in an increased fraud liability burden for merchants.

Although it’s well known that the U.S. EMV migration is coming about much later than other countries, many do not see this as a negative. In fact, they see it as quite the opposite, as it allows us in the U.S. to learn from the experiences of other countries, potentially easing the transition here.

One of the biggest complaints merchants make is in regard to the technology itself. Many are concerned that by the time they complete the switch to EMV, a new upgrade will be required, leaving them constantly behind the curve.

For example, Murphy Oil has 16,000 gas pumps to convert for EMV compliance. An upgrade of that magnitude is anticipated to cost the company millions of dollars. That, combined with the potential risk of the technology becoming obsolete by the time the switch is completed, has led Murphy Oil to indicate they may not make the switch to EMV at all.

According to the panel, another merchant concern centers on the ongoing chip-and-PIN vs. chip-and-signature debate. With a number of card issuers choosing not to require the use of a PIN to add security to EMV-chip card payments, some merchants are concerned about the level of fraud protection the switch will actually offer. There is also some merchant unease about EMV’s failure to address the shift in fraud to card-not-present transactions.

Also discussed at the conference is the general lack of awareness about EMV among smaller merchants and the potential challenges this will pose to the success of the U.S. migration. The panel also broached the subject of EMV terminals and security. The group agreed that a security standard must be established for the entire merchant community, not only for card networks and financial institutions.

Members of the panel conceded that although a number of merchants are unlikely to fully adopt EMV until the last minute, many merchants are taking the necessary steps toward meeting the requirements.

Have you discussed EMV migration with your merchant clients? If so, I’d be interested to hear of their plans for making the switch. Drop a comment below or get in touch with me via email.

E-Commerce, Business Transactions & International Payments Boost ACH Volume

Recent research by The Electronic Payments Association (NACHA) reports Automated Clearing House (ACH) payment volume increased to more than 21 billion transactions in 2012. That’s a more than 4-percent increase from the year prior.

Additionally, the value of ACH payments increased more than 8 percent to $36.9 trillion. According to the report, the ongoing growth of the ACH network is due to the continued increase in native electronic payments, the expanding use of ACH credit payments by businesses and consumers, and the rise in online payments.

Interestingly, international ACH transactions proved to be the network’s fastest-growing payment type last year, growing nearly 50 percent year over year.

In all, native electronic payments grew 6.4 percent over 2011, and now make up 85 percent of total ACH network volume. Total check-initiated transactions declined 6.8 percent. With regard to ACH credit payments, the report stated the ACH network processed a total of $7 billion in ACH credit payments last year, up 5.4 percent over 2011. Overall, ACH debit payment volume jumped by 3.3 percent in 2012.

Consumer-initiated entries, or CIE credit payments, grew by 7.6 percent in 2012. Business-to-business transaction categories, which enable B2B credit payments, grew by 5.1 percent. Direct deposits via ACH, also saw significant growth. In 2012, there were a total of 5.1 billion direct deposit transactions, representing a 5.4-percent increase over 2011.

According to the report, ACH transaction quality continued to improve in 2012. The unauthorized debit rate declined for the 10th year in a row to 0.0298 percent of transactions. The rate covers both fraudulent transactions, as well as those returned for other reasons, such as administrative errors. The overall network return rate also declined last year.

The report also showed that in 2012, web-based transactions rose 10.2 percent, and amounted to about 17 percent of total ACH network volume. With the recent approval of the NACHA Operating Rules amendment, which enables a web credit for person-to-person (P2P) payments, web transaction growth is likely to continue.

New Bill Would Eliminate Basel III and Raise Bank Capital

To put an end to the too-big-to-fail phenomenon, Senators Sherrod Brown and David Vitter recently introduced the “Terminating Bailouts for Taxpayer Fairness Act of 2013” bill.

While the bill focuses on large financial institutions (FIs), it also contains several provisions that would affect smaller FIs.

The bill employs four mechanisms to address too-big-to-fail:

1. An 8-percent leverage requirement for FIs with more than $50 billion in consolidated assets, with a 7-percent surcharge for FIs with assets of more than $500 billion.
2. Application of these requirements to each of the affiliates and subsidiaries of these FIs (with certain exceptions).
3. Ring-fencing in the form of a ban on credit and certain other transactions between any depository institution with total consolidated assets of $50 billion or more and any of the institution's affiliates.
4. Broad prohibition on most forms of government support to any entity that is not an insured depository institution.

The bill would also bring U.S. participation in Basel III to an end, and marginalize if not eliminate risk-based capital requirements. Interestingly, however, the bill imports a few concepts from Basel III and the risk-based rules into the leverage ratio calculation.

Community FIs may be affected by two of these changes — revisions to the elements of capital now used to calculate the leverage ratio and the end of Basel III — as well as by other provisions in the bill that address balloon payment mortgage loans, privacy, and small business data collection.

Below are some of the specific changes in the bill:

• Leverage ratio — The bill would change all three elements of this capital requirement. Although the numerical leverage requirement would remain the same for community FIs, the changes to the numerator and denominator would result in ratios different from those now reported.
• Basel III — The bill would abandon Basel III, including the pending regulatory capital proposals that were issued in June 2012.
• Risk-based capital — The bill de-emphasizes risk-based capital to the point that regulators must justify risk-based capital rules as something outside the mainstream of FI regulation.
• Community FI provisions — The bill includes several provisions to address specific community FI concerns.

Read a draft of the bill in its entirety here.

Do Contactless Payments Scare Your Customers?

Contactless payments using mobile phones are the future of the payments processing industry – they're quick, easy, and bring countless benefits to merchants. But according to recent research, many people are still unsure about the technology.

Survey data from the comparison website GoCompare recently found that only 6 percent of consumers have initiated a contactless payment so far, and just 3 percent have done so using mobile phones. About 25 percent said they still find the technology “scary.”

The survey, which included 2,000 United Kingdom adults, also looked at how consumers expect to pay for things ten years from now — 60 percent of those surveyed said cash will remain their top choice in 2023. More than half (52 percent) said debit cards will still be their payment of choice.

Nearly two-fifths of people thought they would be using contactless card payment systems in 2023. By comparison, only 36 percent expected to still be using traditional credit cards by then. Just over a quarter of those surveyed expect to be paying for items via their mobile phone in 2023, while 19 percent think they will be using a type of biometric payment system. Very 007.

Some consumers remain unwilling to embrace what is clearly an emerging technology. Yet, there's no doubt contactless payments are the way of the future. According to Smart Card Alliance, there's already widespread support for the technology, as American Express, Discover, MasterCard, and Visa have all already begun contactless payment initiatives.

Payments using near-field communications for card reading and point-of-sale systems for swiping cards have recently gained traction. Although some consumers may be afraid of technological innovation now, most are predicted to eventually come around.