Avivah Litan

A member of the Gartner Blog Network

Avivah Litan
VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

PayPal payments at Home Depot stores are significant

by Avivah Litan  |  January 9, 2012  |  1 Comment

PayPal payments come to Home Depot store shoppers. See last Friday’s PayPal blog about their trial of point-of-sale (POS) payments at 5 unnamed Home Depot stores https://www.paypal-media.com/aboutus.cfm. Home Depot customers can now check out at those five stores by entering their phone numbers and PayPal PIN numbers, or by swiping their PayPal cards, at the point of sale.

I’m excited that PayPal is finally making a meaningful entrance into physical POS payments. The card brands have overly dominated this space for far too long. There certainly has been no shortage of challenges to Visa and MasterCard’s empires such as:

a) the Durbin amendment to the Dodd-Frank Wall Street financial reform act, watered down by the financial lobby, which lowered the debit interchange fees banks can charge merchants, but not by nearly as much as merchants had originally hoped for.

b) countless class action lawsuits against the card brands, led by retailers such as Wal-Mart, who claimed unfair trade practices and merchant fees that were unjustifiably high. In 2003, Wal-Mart did manage to win back $3 billion from Visa and MasterCard for itself and its class, but increased merchant fees were levied by the card networks where and when they could, and quickly ate up the merchant settlement gains.

c) legal challenges to Visa’s and MasterCard’s seemingly unfair dominance and apparent ‘monopoly’ status that never went anywhere with the U.S. Dept of Justice Antitrust division.

The real challenge to the card brands will come from viable alternative payment networks. PayPal has the best chance at this point, even though it’s somewhat of an indirect challenge since it relies both on the payment card and bank-to-bank transfer networks for its livelihood.

With well over 100 million account holders (some estimates are much higher), PayPal has importantly won trust among consumers. A recent Gartner survey of over 3000 U.S. consumers found that PayPal is perceived to be safer than the card brands, Visa and MasterCard, although by a relatively narrow margin. PayPal’s trust lead over other large alternative ‘wallet’ providers such as Apple, Google and FaceBook is much larger. In the case of FaceBook in particular, PayPal commands a substantial lead when it comes to consumer perceptions of safety and security.

This Home Depot trial, along with other mobile payment trials announced by Google, MasterCard, Citibank and some telco carriers marks the beginning of intense competition that will benefit consumers in terms of more personalized choices and eventually lower prices. After all, consumer ‘wallet share’ is increasingly coveted by the big card brands, banks, telcos, retailers and anyone else asking for your money. The race to grab a piece gets much more interesting and innovative as mobile payments – PayPal or otherwise – and platforms roll out.


How Smart are Predictive Models?

by Avivah Litan  |  December 15, 2011  |  Comments Off

For years, I have been trying to get to the bottom of what type of self-learning predictive models and fraud scoring systems the vendors I cover provide. I often got the impression that, in many cases, it was a bit of a Wizard of Oz scenario, with some guys sitting behind a big door or curtain, mining the data and writing rules for each of their customers, based on the fraud they experienced and confirmed.

This was the real reason ‘tuning’ was needed and the systems did not work well out of the box: the guys or gals hadn’t yet ‘tweaked the models for the organization,’ meaning they hadn’t yet mined the company’s data and written the rules accordingly. This becomes especially problematic when the company doesn’t have any confirmed fraud. The irony in these situations is that you can’t prevent fraud until you experience enough of it!

It was also the main reason the models ‘degrade over time.’ The rules stop working once the bad guys catch on to them, so the cycle of data mining and rule creation by the guys and gals behind the curtain must start once again, sometimes costing the customers tens of thousands of dollars if not more.

I continue to learn that this is pretty much the way many of these ‘predictive models’ work. Most of them are essentially just rules.

The only time models can run ‘out of the box’ is when the customer’s situation is akin to their peers’ and the model is built on consortium data, where the confirmed fraud of others’ experiences can help pinpoint fraud for each participant of the consortium. In most cases, vendors that base their models on consortium data use predictive modeling and scoring techniques, e.g. based on neural or Bayesian networks, more often than the vendors who don’t. But consortium models have had their limits because many companies don’t want to share their fraud data with anyone – not the authorities, not their competitors and not the vendors.

Further, self-learning models aren’t a reality in fraud management, at least from what I have seen. The vendors have to run their own analyses to find the outliers – or the transactions not evaluated by the model – and then figure out what they have in common so they can manually adjust the model to take them into account.

In any event, the next time a vendor’s model seems like a black box, it probably means there are a few geeks behind the curtain mining your data and building rules. If nothing else, they should make it clear that after a set period, those rules will become ineffective so you will have to invite them back — and pay them a considerable amount of money — unless you’ve learned to write your own rules and ‘models.’


Lucky stores weren’t so lucky – Another Flash Attack?

by Avivah Litan  |  December 8, 2011  |  Comments Off

What really happened at Lucky and Savemart stores? See http://savemart.com/index.php?id=449 for their press release on this.

Something here doesn’t add up. The chain says employee and customer bank accounts were compromised, but employees generally don’t swipe their cards at the POS systems. So I, for one, would like to understand the connection to employee accounts. There must be more than just card reader tampering going on here.

But if you take the employee piece out of the picture (and I don’t say we should) then this looks like yet another sophisticated POS card reader fraud attack.

The bad guys are very organized. They have the ring leaders that target the POS systems used at the store chain. They must have known which type of POS equipment Savemart uses and designed an attack specifically against their systems.

The ring leader(s) hire ‘flackies’ to insert skimmers in the equipment or to replace the equipment Savemart has installed altogether. (Most likely it’s the former option, although the latter option is more common in South America). They then hire the counterfeit specialists that turn the stolen data into counterfeit cards (with the PIN numbers, if they have them, taped on to the counterfeit cards). And finally they hire the ‘cash out’ flunkies to use the cards at ATM machines or other POS systems to turn the stolen cards into stolen cash or easily fence-able goods (like TVs, tablets or other electronic goods).

Then they hire people to collect the cash or to fence the goods before the cash is collected.

They generally use the cards VERY QUICKLY at ATM machines around the country and sometimes in other countries, simultaneously withdrawing small amounts at dozens of machines against dozens of accounts, typically within 10-30 minutes. Then they wait an hour and do it again. This way they can evade many of the fraud detection systems.

I blogged about this months ago – I call these Flash Attacks. Of course Savemart is only reporting on their piece and the banks generally don’t disclose their side of things, so we can’t be sure if Flash Attacks resulted from this hack.

Also the part disclosed on employee account takeover is still troublesome. I’d like to know more about that. As noted, employees typically don’t swipe their own cards at the cash registers.
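The withdrawal pattern described above (many cards, many ATMs, small amounts, a short burst, then a pause before the next one) is exactly what a per-account velocity rule misses, because each card is used only once per burst. As an added example, not code from the post, the Python below looks across accounts instead: it slides a time window over a constructed ATM withdrawal log, flags windows in which many distinct cards hit many distinct ATMs for small amounts, merges overlapping windows into bursts, and then checks the flagged cards’ prior purchase history for a common point of purchase (the store whose readers were tampered with). The thresholds, the log layout and every card, ATM and merchant name are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# --- Constructed sample data (hypothetical; not from the post or any real incident) ---
# Two bursts: 12 cards, each used once at a different ATM for a small amount within
# about ten minutes, then the same cards again an hour later at other ATMs.
CARDS = [f"card{i:02d}" for i in range(1, 13)]
ATM_LOG = []  # (timestamp, card, atm, amount_usd)
for i, card in enumerate(CARDS):
    ATM_LOG.append((f"2011-12-01 02:{i:02d}", card, f"atm{i:02d}", 200))
    ATM_LOG.append((f"2011-12-01 03:{5 + i:02d}", card, f"atm{20 + i:02d}", 180))
# Ordinary background withdrawals that must not be flagged.
ATM_LOG += [
    ("2011-12-01 00:15", "card90", "atm99", 60),
    ("2011-12-01 01:10", "card91", "atm98", 100),
    ("2011-12-01 02:40", "card92", "atm97", 40),
    ("2011-12-01 04:30", "card93", "atm96", 80),
]
# Prior point-of-sale history per card; every burst card visited the same grocer.
POS_HISTORY = {card: ["grocer_store_17", f"other_merchant_{i}"] for i, card in enumerate(CARDS)}
POS_HISTORY.update({"card90": ["gas_station_a"], "card91": ["coffee_shop_b"]})


def find_flash_bursts(log, window=timedelta(minutes=30), min_cards=10, min_atms=10,
                      max_amount=300):
    """Flag time windows in which many distinct cards are used at many distinct ATMs
    for small amounts. Overlapping flagged windows are merged into one burst.
    Returns a list of [start, end, cards, atms]."""
    events = sorted((parse_ts(ts), card, atm, amt) for ts, card, atm, amt in log
                    if amt <= max_amount)
    bursts = []
    j = 0
    for i, (t0, _, _, _) in enumerate(events):
        # j is the first event at or beyond t0 + window; it only moves forward.
        while j < len(events) and events[j][0] < t0 + window:
            j += 1
        chunk = events[i:j]
        cards = {e[1] for e in chunk}
        atms = {e[2] for e in chunk}
        if len(cards) < min_cards or len(atms) < min_atms:
            continue
        end = chunk[-1][0]
        if bursts and t0 <= bursts[-1][1]:
            # Window overlaps the burst already being built: extend it.
            bursts[-1][1] = max(bursts[-1][1], end)
            bursts[-1][2] |= cards
            bursts[-1][3] |= atms
        else:
            bursts.append([t0, end, cards, atms])
    return bursts


def common_point_of_purchase(cards, history, min_share=0.8):
    """Merchants that appear in the prior history of at least min_share of the given
    cards; a single dominant merchant points at the compromised terminals."""
    hits = Counter()
    for card in cards:
        for merchant in set(history.get(card, [])):
            hits[merchant] += 1
    return [(m, round(n / len(cards), 2)) for m, n in hits.most_common()
            if n / len(cards) >= min_share]


if __name__ == "__main__":
    for start, end, cards, atms in find_flash_bursts(ATM_LOG):
        print(f"{start:%H:%M}-{end:%H:%M}: {len(cards)} cards, {len(atms)} ATMs")
        print("  common point of purchase:", common_point_of_purchase(cards, POS_HISTORY))
```

The burst detector deliberately keys on the number of distinct cards and ATMs inside the window rather than on any one card’s activity; the one-hour gap between the two constructed bursts produces two separate alerts, and the common-point-of-purchase step is what links the cash-out back to the store-side compromise the post is asking about.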


Apple starts its foray into mobile payments

by Avivah Litan  |  November 8, 2011  |  Comments Off

I was very excited to read this blog in Computerworld about Apple starting to link its iTunes wallet service to physical world payments:

http://blogs.computerworld.com/19233/apple_quietly_begins_iphone_as_wallet_in_store_trials?source=CTWNLE_nlt_blogs_2011-11-08

It may be a slow start – and a long leap to go from barcode scanning at Apple stores to NFC payments anywhere they are accepted – but it’s a start for leveraging iTunes wallet/card information for payments in the physical world.

Recent Gartner consumer survey data shows Apple has a clear leg up on Google when it comes to being consumers’ trusted mobile wallet provider, but PayPal in this role is still the most trusted, although not by a very wide margin.

There should be plenty of room for multiple mobile wallet providers which is a good thing because I imagine there will be plenty of innovation brewing in this area, fostered in large part by the healthy competition.


Rogue traders need simple controls not fancy technology

by Avivah Litan  |  November 1, 2011  |  Comments Off

Executives at many U.S. and global financial institutions are pounding on their risk managers to make sure they are not the next victim of a UBS-style rogue trading multi-billion dollar fiasco. Of course, many of the vendors engaged in data mining, analytics, and fraud prevention have taken notice and are pitching their wares to these stressed risk managers.

Essentially, most of the vendors are proposing to use pattern based intelligence based on entity link analysis to find anomalous trades and aberrant trader activity. To do that, they need to baseline and profile trader, desk and counterparty activities. No small task, and one that frankly I don’t believe can be successfully done. There is no baseline profile for a good trader, where success requires innovative trades based on the volatile, dynamic, and unpredictable market movements that we have come to see all too frequently. Plus, enormous amounts of information and data need to be culled, sifted and analyzed, and only a highly experienced trader would have a clue of what to look for, assuming the vast data sets were integrated and “minable”.

Instead, good old-fashioned controls seem to be in order here. And some standardization used across financial institutions would certainly help.

My limited understanding is that there are essentially two types of trades that need to be monitored – OTC (over the counter) trades that are executed with counterparties, and listed trades that are executed on internal accounts. With listed trades, the control desks need to confirm that there are assets or securities in the accounts reflecting those trades (a control that should catch fake trades done internally, which I think was the problem with most of the rogue trading scandals that have cost some banks billions of dollars in losses). With OTC trades, it’s a bit more complicated because the trades need to also be confirmed with the external counterparty, but that can be done using standard electronic formats such as SwapsWire, which is now used in limited fashion.
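As an added example (not from the post, and not a description of any bank’s actual system), the Python below applies the two controls just described to a constructed trade blotter: for listed trades it nets the booked quantities per account and instrument and compares them with independent custody positions, and for OTC trades it checks that each one has an external counterparty confirmation. The record layout, the account and instrument names and the figures are all assumptions.

```python
from collections import defaultdict

# --- Constructed sample data (hypothetical; not from the post) ---
# Trade blotter: (trade_id, account, instrument, signed_quantity, market, counterparty)
TRADES = [
    ("T1", "ACC1", "XYZ", 1000, "LISTED", None),
    ("T2", "ACC1", "XYZ", -400, "LISTED", None),
    ("T3", "ACC2", "ABC", 5000, "LISTED", None),          # booked, but nothing backs it
    ("T4", "ACC1", "IRS-5Y", 10_000_000, "OTC", "BankB"),
    ("T5", "ACC2", "FX-FWD", 2_000_000, "OTC", "BankC"),  # never confirmed externally
]
# Independent custody/depository positions per (account, instrument).
CUSTODY_POSITIONS = {("ACC1", "XYZ"): 600, ("ACC2", "ABC"): 0}
# Trade ids matched with the counterparty on an external electronic confirmation platform.
COUNTERPARTY_CONFIRMATIONS = {"T4"}


def reconcile(trades, custody, confirmations):
    """Return control exceptions: listed positions that the custodian does not hold,
    and OTC trades with no external counterparty confirmation."""
    booked = defaultdict(int)
    exceptions = []
    for trade_id, account, instrument, qty, market, counterparty in trades:
        if market == "LISTED":
            booked[(account, instrument)] += qty
        elif market == "OTC" and trade_id not in confirmations:
            exceptions.append({"type": "unconfirmed_otc", "trade_id": trade_id,
                               "account": account, "counterparty": counterparty})
    # Compare the internal net position with what the custodian actually holds;
    # a position the desk booked but the custodian never saw is the classic fake trade.
    for key in sorted(set(booked) | set(custody)):
        held = custody.get(key, 0)
        if booked.get(key, 0) != held:
            exceptions.append({"type": "position_break", "account": key[0],
                               "instrument": key[1], "booked": booked.get(key, 0),
                               "held": held})
    return exceptions


if __name__ == "__main__":
    for exc in reconcile(TRADES, CUSTODY_POSITIONS, COUNTERPARTY_CONFIRMATIONS):
        print(exc)
```

The point of the example is that neither check needs a behavioural profile of the trader: the custody position and the counterparty confirmation are independent of the desk that booked the trade, so a trade that exists only in the internal blotter shows up as a break on the next run.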

Sometimes, in fact often times, the best solutions are also the simplest to implement and make the most common sense, even at opaque financial institutions that specialize in complexity.


Congress about to get it wrong again – Smart Cards are not the answer to Medicare Fraud and Abuse

by Avivah Litan  |  October 10, 2011  |  5 Comments

Unless things change quickly (which I doubt will happen) Congress is about to head down the wrong path in tackling Medicare fraud. Under the recently-introduced bipartisan bill “the Medicare Common Access Card Act of 2011,” all Medicare recipients and providers will be issued a smart card. Recipients will also get a PIN to use when they arrive at a provider’s office and providers will have to swipe their card and scan their fingerprint in order to make a claim for payment.

Can anyone guess who is the main lobbying force behind this legislation? The smart card companies of course and the Secure ID Coalition, an industry group comprised of smart card manufacturers and related vendors.

In 2010, OMB Chief Peter Orszag was quoted as saying that Medicare and Medicaid combined had nearly $65 billion in improper payments in 2009, of which $47 billion was for Medicare alone. We have heard higher numbers than Orszag gives, or that more like 12%-15% of claims against Medicare are fraudulent or highly ‘abusive’ to the system.

And Congress thinks smart cards are going to get this kind of savings? Adding insult to injury, at least parts of this law may be adopted by the Congressional Super Committee in its recommended debt-limit spending cuts due to Congress on Nov. 23. No wonder our country’s credit rating was downgraded and no wonder we are in so much financial trouble.

Reasons why the smart card advocates are wrong:

a) The smart card advocates are projecting that smart cards will save over $30 billion a year. That would mean that between 37% and 50% of the providers, physicians, hospitals etc. don’t exist or are fraudulent entities. While things are pretty bad in our medical system, I doubt very much they are that bad.

b) In fact, the most serious and consequential fraud and misuse is committed by legitimate users using regular systems, or by unauthorized persons who take over legitimate users’ accounts. Granted account takeover is harder with biometrics and smart cards, but strong authentication has already been successfully circumvented in many instances by sophisticated criminals. (For example, if a doctor is logging into an online system with a biometric and a smart card, the fraudsters simply wait until the doctor is authenticated and then manipulate the transactions to their favor).

c) Similarly, just because a doctor or healthcare provider has a smart card and is authenticated to the systems, does not mean he or she will not make illegitimate claims on the system. It’s imperative to monitor the actions AFTER the user is authenticated and not stop with authentication, which is all that smart cards imperfectly accomplish.

d) Further, and importantly, each person who is issued a smart card must be thoroughly vetted and I didn’t see any evidence in the congressional documentation of an identity proofing program that would be effective enough to keep out the bad players. Identity proofing is a major issue in financial services, as the bad guys find ways to have new accounts issued to them while they evade the financial services firms’ identity vetting techniques. Once they are issued an account, and in this case a smart card to go with it, they can wreak havoc in the system. Surely, this type of identity-level fraud and abuse will be even more rampant in the public sector healthcare system.

This is not to say that (even with all these problems) strongly authenticating all users and providers to the Medicare systems is a bad idea. It’s a good idea but it is only one lower-priority step in fraud and abuse mitigation that will take much more time and money than it is likely worth. I estimate it will cost the U.S. AT LEAST $4-$5 billion (total cost and probably much much more than that) to adopt smart card technology in healthcare and that at the end of the day it may save up to $5 billion in fraud (if we are lucky).

In contrast, the U.S. can spend around $100 million on scoring and automatically analyzing (using pattern recognition) Medicare and Medicaid claims for fraud and abuse, and likely save $40 billion to $60 billion a year. I have talked with some individuals that have closely analyzed Medicare files and have easily found these kinds of savings using fraud scoring and pattern analysis technology.

It’s time to take these analytical technologies into the fragmented and outdated CMS systems. It doesn’t require re-engineering them – it just requires adding a scoring and analytical process BEFORE a Medicare payment is made. Later on, smart-card based authentication can be layered on top of the fraud prevention systems but this should be a much lower priority. We need to spend the money on the systems that will yield the MOST savings, not on putting a pretty and expensive face (or smart card) on top of an ugly (Medicare IT) system.

I typically am an optimist but in this case, I must say I have lost faith in our legislative body to tackle the issue and set the right priorities. True, they are not fraud prevention and security specialists and true they probably have less bandwidth to focus on these issues than many of us do. But it’s also true that:

a) They need to stop listening to the groups with the best paid lobbyists and

b) They are about to make decisions that I estimate will cost the U.S. economy up to half a trillion dollars over the next decade. And that’s a sign of a very ill legislative process that even the best doctors of America won’t be able to cure.


The next big Subprime Mortgage Ripoff – can we spare another $15 billion?

by Avivah Litan  |  August 10, 2011  |  Comments Off

Home lenders and banks are losing between $7.5 billion and $15 billion in fraud from seemingly-deplorable subprime mortgage activities that get the wrong people rich quick.

It just doesn’t quit – fraud on the way into the subprime crisis, and now fraud as we try to dig our way slowly out. The techniques are essentially the same as the 2007 legacy fraud rings, except the 2007 goal was to artificially inflate the valuation and sales price, and then extract all the money with a subprime mortgage and its derivatives. This time around, the goal is to artificially reduce the valuation and sales price, while putting the mortgage into default, and then extract the money with a sale, property transfer, or even a new mortgage at the real (higher) valuation. Perhaps there was not as much incentive to stop the fraud and abusive lending practices as we got into this mess, since greed invariably got in the way – but hopefully, with the economy struggling and the market tanking again, there will be more incentive to stop the abusive foreclosure practices that are cropping up as wallets continue to shrink.

Palantir, a technology supplier that specializes in quickly integrating and making sense of all types of structured and unstructured data, has been working with the nation’s largest mortgage lenders and financial institutions on ‘solving big problems with big data management’ (for invariably big revenues that accrue to the vendor, but hey that’s the American way). In working on mortgage pricing and analysis, Palantir inadvertently stumbled across some stark and depressing facts, albeit not at all surprising. By getting its arms around data stuck in legacy green screen systems, it found that over 1% of subprime sales (where a total portfolio could amount to between $100 billion and $2 trillion) was consistently lost to fraudulent and sleazy real estate deals. Here’s how the basic scheme works:

a) Bob Borrower can’t pay his adjustable rate mortgage, now with a balance of $1 million, and the bank has serviced him with a notice of foreclosure. His home is only worth $500,000, based on sales of comparable properties in the last 90 days.

b) Bob goes searching on Google for “Foreclosure Help” and discovers the promises of Shady Foreclosure Prevention Inc. who say they can get him out of this mess if he just sends them his contact information.

c) Connor from Shady Foreclosure Prevention calls Bob the next day and tells him they can help get him out of his mess by short selling his home, whereupon Bob’s Lender (the Bank) will forgive the balance of the loan owed to them by Bob after it collects the sale price. Bob might also qualify for $3,000 to $20,000 in cash incentives from the bank or programs like HAFA.

d) Bob says OK, sounds perfect.

e) Shady Foreclosure Prevention is actually a front designed to drive foreclosed customers to a ring of realtors, appraisers, and mortgage brokers, looking to monetize distressed properties. Connor simply contacts his sister Nancy, who just got her real estate license two months ago, and tells her to ‘arrange the sale’.

f) Over the following months, Nancy only actually receives and submits low bids on behalf of non-arms-length buyers, such as her brother-in-law Joe who will say that he will be happy to buy the house, but alas he can only afford to pay $300,000.

g) Nancy tells Connor and the Bank the news that sadly enough, there was only ONE bid on the house despite their very aggressive and lengthy sales and marketing efforts.

h) The transaction between Bob and Joe goes through for $300K. Bob (or often in these distressed markets, the Bank) pays Nancy her commission for selling his house, and Joe pays Nancy her commission fees for buying the house.

i) Nancy splits the commissions with Connor from Shady Foreclosure Prevention, per their agreement. Nancy takes Connor to dinner that night, celebrating their latest success and plotting their future ones.

j) The next day, Nancy tells Joe she thinks she can sell his house for $600,000 and Joe replies ‘Why not? Go for it.’

k) This time, it only takes Nancy 30 days to sell the house, this time to a ‘real’ buyer – a family of four. Again Nancy and Shady Foreclosure Prevention make their commissions, and split the $300,000 profit between Nancy, Connor and Joe.

And the cycle repeats. Again and again and again. Nancy and Joe enlist the help of another broker to guarantee that bank-ordered valuations support their shady deals. Eventually, Connor even defaults on his own $1 million mortgage, and sells it to an LLC for $500K, using Nancy as his realtor. The bank, investor, or government-sponsored enterprise such as Fannie Mae ends up losing 25-50 cents on every dollar loaned.

I don’t need to remind anyone how bad this is for a struggling housing market. This ends up hurting everyone – the banks, the government home lending agencies (Fannie Mae and Freddie Mac), the taxpayers and even those who earn too little to pay any taxes. It hurts every party’s credit ratings, empties their coffers and damages the economy. Everyone loses except the con artists.

Apparently, this con is very easy to pull off because the systems that process these sales aren’t intelligent enough to see what’s happening before their very ‘eyes’. The mortgage systems were built to pump out and service loans – not to analyze huge amounts of structured and non-structured data. (The outstanding loan value on U.S. mortgages is about $10 trillion).

But by using entity link analysis and pattern based intelligence (what we call Layer Five of Fraud Prevention – please see “The Five Layers of Fraud Prevention and using them to beat malware”), lenders, government agencies and other entities can get their arms around disparate information, find the abuse and fraud, and stop it once and for all. This technique can work just as well in weeding out an estimated $60 billion in Medicare and Medicaid fraud annually. And it has already proven to yield significant returns in many other use cases, such as credit card bust out, insurance claim fraud and homeland security.
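The scheme in steps a) through k) leaves a footprint that the entity link analysis mentioned above can pick out of plain sales records: a property resold within weeks at a large markup, the same agent on both legs, and an intermediate buyer who is related to that agent. As an added example (not code from the post, and not Palantir’s or any lender’s system), the Python below runs that check over a constructed set of sales records and then joins the parties of the flagged flips into connected components, so a ring that recurs across properties stands out from a one-off. The thresholds (90 days, 50% markup), the record layout and every name and price are assumptions that echo the post’s scenario.

```python
from collections import defaultdict
from datetime import datetime


def parse_date(s):
    return datetime.strptime(s, "%Y-%m-%d")


# --- Constructed sample data (hypothetical names and prices echoing the post's scenario) ---
# Sales records: (date, property, seller, buyer, price_usd, agent)
SALES = [
    ("2011-01-10", "P1", "Bob", "Joe", 300_000, "Nancy"),
    ("2011-02-09", "P1", "Joe", "FamilyA", 600_000, "Nancy"),
    ("2011-03-01", "P2", "Alice", "Joe", 250_000, "Nancy"),
    ("2011-04-05", "P2", "Joe", "FamilyB", 480_000, "Nancy"),
    ("2011-01-15", "P3", "Carl", "Dana", 400_000, "Mike"),    # ordinary sale, no resale
    ("2011-02-01", "P4", "Eve", "Frank", 200_000, "Mike"),
    ("2012-06-01", "P4", "Frank", "Gina", 230_000, "Olga"),   # slow resale, modest gain
]
# Known relationships between parties (constructed), stored as unordered pairs.
RELATED = {frozenset({"Nancy", "Joe"}), frozenset({"Nancy", "Connor"})}


def find_suspicious_flips(sales, related, max_hold_days=90, min_markup=0.5):
    """Flag back-to-back sales of one property where the intermediate buyer resells
    quickly at a large markup, and score the non-arms-length indicators."""
    by_property = defaultdict(list)
    for rec in sales:
        by_property[rec[1]].append(rec)
    flips = []
    for prop, recs in by_property.items():
        recs.sort(key=lambda r: parse_date(r[0]))
        for first, second in zip(recs, recs[1:]):
            if second[2] != first[3]:        # the resale must be by the previous buyer
                continue
            hold_days = (parse_date(second[0]) - parse_date(first[0])).days
            markup = (second[4] - first[4]) / first[4]
            if hold_days > max_hold_days or markup < min_markup:
                continue
            intermediate, agent1, agent2 = first[3], first[5], second[5]
            indicators = {
                "same_agent_both_legs": agent1 == agent2,
                "buyer_related_to_agent": frozenset({intermediate, agent1}) in related,
            }
            flips.append({"property": prop, "hold_days": hold_days,
                          "markup": round(markup, 2),
                          "parties": {intermediate, agent1, agent2},
                          **indicators, "score": 1 + sum(indicators.values())})
    return flips


def link_ring(flips):
    """Connected components over parties that co-appear in flagged flips; a component
    spanning several properties is the recurring ring rather than a one-off."""
    adjacency = defaultdict(set)
    for flip in flips:
        for party in flip["parties"]:
            adjacency[party] |= flip["parties"] - {party}
    seen, components = set(), []
    for start in adjacency:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(adjacency[node] - component)
        seen |= component
        components.append(component)
    return sorted(components, key=len, reverse=True)


if __name__ == "__main__":
    flagged = find_suspicious_flips(SALES, RELATED)
    for flip in flagged:
        print(flip)
    print("ring:", link_ring(flagged))
```

On the constructed records, the two Nancy/Joe flips are flagged with the maximum score while the slow, modestly appreciating resale of P4 is not, and the link step collapses the flagged parties into a single component; in a real deployment the relationship table would be fed from licensing, corporate registry and prior transaction data rather than declared up front.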

Instead of spending countless hours dragging our country through more uncertainty and inflamed rhetorical sessions, I personally would like to see the U.S. Congress create incentives to use Pattern Based intelligence systems to weed out billions in fraud and abuse. They could then use the savings to pay for causes that matter, such as affordable housing and easily accessed quality medical assistance for the underprivileged. Now wouldn’t that be an anomaly?

For related and more information on some sample fraud rings uncovered by law enforcement trying to pilfer almost $100 million, please see:

http://libn.com/2011/08/04/li-mortgage-firm-charged-in-58m-fraud/

http://www.themreport.com/articles/scam-artist-sting-successful-in-south-florida-2011-08-05


Second Thoughts about Visa’s EMV program

by Avivah Litan  |  August 9, 2011  |  4 Comments

Visa’s announcement of a move to the EMV standard in the U.S. is both welcome and long overdue and should eventually lead to a substantial reduction in counterfeit plastic card fraud. With the U.S. – the last major market EMV holdout – finally onboard, it will also enable the eventual death of the Achilles Heel of card security – the magnetic stripe on the back of the card that stores cardholder authentication data. This will lead to a substantial reduction in global, domestic and cross-border fraud.

What’s not in it for the Merchants and card acceptors?

Despite the strong security benefits, Visa and the card issuers come out much farther ahead in this program when compared to the merchants, as generally seems to be the case when it comes to card industry events. With this program, Visa and the card issuers “incentivize” the merchants to upgrade their point of sale equipment to accept mobile contactless NFC payments as well as plastic card contact payments. (In other parts of the world, the terminal upgrades Visa required were restricted to enabling just plastic contact card acceptance). Unless the merchants adopt this ‘dual interface’ technology, they won’t benefit from the potential ability to escape annual PCI compliance validation (except their first one), which is a key incentive merchants have in adopting this Visa program.

Further, unless MasterCard, American Express (and Discover) launch similar EMV adoption programs, merchants will still have to validate each year for PCI compliance to these other card brands. In addition, most Level 1 and the majority of Levels 2 and 3 merchants are already PCI compliant. So while merchants may eventually save about $30,000 to $55,000 on the annual cost of PCI audits and assessments (if MasterCard and American Express join the fray), they will now need to fork out at least $30 per payment terminal for the upgrade to enable chip payments, plus unpublished activation, installation and maintenance fees. The new upgrade fees will almost surely amount to more than the annual PCI audit fees for most large merchants.

Finally, given that at least 75% of merchant Visa transactions must originate from chip-enabled terminals, the merchants won’t stand a chance of gaining the benefit of not having to validate PCI compliance annually until at least 2016 or later. That’s well after most will have spent all the money on terminal upgrades and years of annual PCI audits.

What’s in it for the Issuers and Visa?

Besides benefiting from merchant paid-for terminal upgrades and stronger card security that will reduce the counterfeit fraud issuers are responsible for, the card issuers can now start to count on many merchants trying to avoid annual PCI compliance validation having the equipment to accept mobile NFC payments. And rather than spend the money issuing new smart EMV chip cards to their customers, the issuers can rely to a large extent on consumer-owned mobile phones that are capable of transmitting NFC-based EMV payments. This will enable the card issuers and Visa to compete much more forcefully in the mobile payments world, and not necessarily have to concede market leadership to non-bank players like Google and Apple. The latter companies can benefit from the merchant terminal hardware upgrades done for Visa EMV payments, but if they use different non-EMV payment instruments and standards, they will have to figure out the complex logistics and incentives involved in activating merchant payment terminals with their own message formats and routing the payments to their own payment ecosystems.

Visa card issuers can also avoid spending money on manufacturing and distributing relatively expensive plastic chip cards and will instead invest in lower cost software applications and ‘trusted’ services that provision and manage mobile EMV payment services to already-paid-for consumer mobile phones.

Further, under the new Visa program, issuers are able to shift even more of the counterfeit plastic card present fraud over to the merchants than they do today, if the merchants don’t have their payment terminals chip ready by October 2015. According to the 2010 Federal Reserve Board report on Debit Interchange fees, 57% of reported fraud losses across all types of transactions were borne by issuers and 43% by merchants. Now with the announced liability shift, U.S. merchant fraud liability share will dramatically escalate above the 43% they bear today if they don’t chip enable their terminal payment acceptance.

Interestingly and notably, Visa did not extend the shift in fraud liability from issuers to merchants to mobile contactless payments and kept the shift just for plastic contact card payments. Merchants already pay higher rates for NFC payments, according to retailers Gartner has spoken with, which naturally discourages many of them from accepting them. It seems to me from this liability shift exemption that Visa is doing everything it can to promote contactless payment adoption among the merchants and doesn’t want to give them any excuse to push back from accepting them. Visa and the card issuers understand well that widespread merchant adoption is key to NFC EMV-payment success. And that’s good business for the card companies because it will boost their merchant fee revenues.

No one can argue against stronger card security and in that sense this program is a very good move. However, in the end, it seems to me that the merchants are paying more than their fair share, just like I think they are today when it comes to card fraud and security.


Visa finally moves U.S. closer to Chip cards and NFC acceptance; but are merchants getting the short end again?

by Avivah Litan  |  August 9, 2011  |  Comments Off

Visa finally took the plunge and issued a plan to move U.S. plastic (contact) and mobile (contactless) Visa payments to the EMV standard today. They cleverly bundled incentives for merchants and card issuers to adopt the standard for both contact and contactless payments, unlike the programs they have rolled out for chip in other countries. They call this the adoption of ‘dual-interface’ technology where merchant payment terminals accept both types of payments. The cost of upgrades is about $30 a reader.

The main incentives are:

a) Starting in October 2012, merchants with at least 75 percent of their Visa transactions originating from these dual interface chip terminals need not validate their compliance with PCI (as long as they have done so in the past at least once). This means that their processors must be able to accept the new formats, so as a practical matter merchants can’t go it alone. But that brings us to the second incentive:

b) Starting April 1, 2013, U.S. acquiring processors and subprocessors must be able to support merchant chip transactions.

c) Finally, the strongest incentive is effective Oct 2015 (gas stations have another two years because of the time and complexity involved in upgrading gas pumps) and that’s where liability shifts for domestic and cross-border counterfeit card present point of sale transaction fraud – which is now eaten mostly by card issuers. By that time, if the merchant can’t accept a contact chip card (no word about NFC or contactless, strangely enough), the merchant’s acquirer will eat the fraud and of course pass it on to the merchant.

All in all, this is mainly a good, strong and long overdue program. Unlike similar programs rolled out in other countries, which were tied to contact/plastic cards only, the first incentive is tied to also accepting NFC payments and will likely go a long way toward preparing the mobile payment infrastructure in the U.S.

Still, I’m left to wonder why Visa couldn’t create incentive 3 for mobile NFC payments.

Finally, where’s MasterCard in all this? Until they get similarly on board with a chip program, merchants can’t realize the dream of Incentive 1: no more annual PCI validation…


FFIEC finally releases new Guidance on Internet Banking Authentication; Better Late than Never

by Avivah Litan  |  June 28, 2011  |  6 Comments

Finally, we can breathe a sigh of relief! The FFIEC finally issued an update to its 2005 Guidance on “Authentication in an Internet Banking Environment,” a document that instigated many of the security improvements we have seen over the past 5 years in online banking. But the 2005 guidance fell short by suggesting technical measures that quickly became obsolete in the face of today’s more sophisticated cyberattacks, a fact readily admitted in the 2011 update.

The forest (the sound principles introduced by the 2005 Guidance) was lost for the trees (the technical solutions that the appendix to the 2005 Guidance outlined, many of which fell flat on their faces when it came to protecting customer bank accounts).

I’m afraid that could happen again this time, since the FFIEC has not steered away from outlining technical measures and attack vectors that the banks will build their security around in the next few years. The cycle will likely repeat. The attacks will get more sophisticated and will use new techniques that are not addressed in the details of the guidance.

In the regulators’ defense, many of their constituents want them to suggest detailed solutions, so the regulators do have to balance that need with the reality that the threat landscape will continue to morph quickly and the ‘suggested’ solutions will get out of date.

I think the industry would have been better off with a guidance document that stuck to the principles. Here the FFIEC Guidance did a really good job outlining the need for layered security measures, giving broad examples of layered security controls, specifying detection and response strategies, as well as offering sound advice on administrative controls, and customer awareness and education. It would have been advantageous if they had moved the details on device identification and challenge questions, and the appendix discussion on technical controls, to an entirely separate document that was updated on an (at least) annual basis.

Still, in the end, it was good to see all five U.S. financial regulatory agencies get on board as they needed to. (It appears that at least one of the five regulatory agencies was holding up the guidance release until now). Of course it’s a couple of years too late for many small (and large) American businesses who lost hundreds of millions of dollars in cyberfraud, which turned out to be unrecoverable, by U.S. law, from their banks. (See http://blogs.gartner.com/avivah-litan/2011/06/07/judicial-decision-favors-bank-over-defrauded-business-regulatory-blunder/). Hopefully, the updated guidance can be used by customers who suffer future cyberfraud to establish a baseline for what they can reasonably expect from their banks when it comes to electronic banking security measures.

In sum, there are some very positive aspects to the updated guidance, but there are still pieces that are missing or lacking.

First the positives:

a) The guidance clearly outlines the need for a system of layered security and repeats, as it should, the fact that virtually every authentication technique can be compromised. The last FFIEC guidance in this area spent too much time on specific authentication measures and not enough on a layered security approach.

b) It gives good guidance on considerations for updating risk assessments, and what environmental and customer changes to take into account when doing so.

c) It emphasizes a risk-based approach where controls are strengthened as risk increases.

d) It clearly delineates between the risks associated with consumer vs. business banking. The 2005 guidance did not do this and many in the industry incorrectly assumed it was mainly directed towards consumer accounts.

e) It outlines process changes that should be implemented to mitigate risk, including the use of ‘positive pay’, debit blocks, dual customer authorization, etc., and does not focus solely on technology measures. The last guidance did not include this aspect.

f) It calls out the need to control privileged user access to sensitive applications. The 2005 guidance did not address this dimension.

g) It clearly tells financial institutions that the techniques many of them have relied upon, i.e. simple device identification and easily exposed challenge questions, are not good enough anymore given today’s threat landscape.

But the guidance still falls short in several areas, in my opinion:

a) Its wording is too wishy-washy when it comes to delineating bank responsibility from customer responsibility. It uses words like ‘could have prevented’ or ‘suggestion’ too often. The regulators should be more matter-of-fact in setting out the guidelines and principles. For example, they should tell banks that they NEED to detect and STOP money transfers that are CLEARLY OUT OF THE ORDINARY when compared with the customer’s established pattern of behavior. (See the bottom of page 10 for an example.)

b) There is nothing in the guidance that specifically addresses the needs and requirements of small banks (which constitute over 80% of the U.S. bank population in terms of number of institutions) that rely on third party service providers for online banking and online banking security. Where’s the guidance for them?

c) The guidance is much too unclear on Customer Awareness and Education (see page 7). It does say that banks need to explain to their customers what protections are provided, and not provided, to account holders relative to electronic fund transfers. But it makes no mention of HOW they need to impart this explanation. So banks can still get away with burying the explanations of protections to their business customers in long, multi-page, wordy contracts printed in very small font, which customers may not read. Or if they do, they may continue to not notice how limited the protections are. The FFIEC should have established minimum requirements on what clear disclosure looks like.

d) Much of the guidance is backward-looking. The FFIEC guidance does a good job of addressing yesterday’s threats and the suggested techniques for defeating them, but it is not sufficiently forward-looking. For example, it spends a good amount of time and space on out-of-band authentication and transaction verification techniques, as it should, but does not sufficiently discuss what that should look like in the coming age of mobile banking from smartphones or tablets.

Likewise, it spends a good amount of time addressing threats from attacks on PC-based electronic banking, but does not address telephone banking attacks, which can take various forms. Surely the threats will change substantially over the next five years. Given that the guidance is specific in its discussion of the techniques used to prevent yesterday’s attacks, it should devote more time to describing how those attacks are likely to change. (Granted, that’s a very difficult thing to do.)

Either that or — much better yet — it should steer clear of embellishing the details of attacks and various technical solutions because soon, the controls outlined in the appendix to the guidance will be ‘so last year’. And then we will all be bothering the regulators to update the guidance once again…
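To make the layered, risk-based controls discussed in this post concrete (positive-pay payee lists, debit blocks, a baseline of the customer’s established transfer pattern, dual customer authorization for business accounts, and out-of-band step-up as the next layer), here is an added illustration that is not part of this post or of the FFIEC guidance; the account profiles, amounts and the z-score threshold are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Profile:
    """Constructed account profile: the customer's 'established pattern'."""
    account_type: str          # "consumer" or "business"
    history: list              # prior transfer amounts in USD (constructed)
    approved_payees: set       # positive-pay list maintained by the customer
    debit_block: bool = False  # customer-requested block on outbound debits


def assess_transfer(profile, payee, amount, approvals=1, z_limit=3.0):
    """Layered, risk-based review of one outbound transfer.

    Returns (decision, reasons): "allow", "step_up" (verify out of band
    before release) or "hold" (stop pending review / a second approver).
    """
    reasons = []
    if profile.debit_block:                       # process control: debit block
        return "hold", ["account has a debit block"]
    if payee not in profile.approved_payees:      # process control: positive pay
        reasons.append("payee not on positive-pay list")
    if profile.history:                           # behavioral baseline
        sd = pstdev(profile.history) or 1.0       # avoid divide-by-zero
        z = (amount - mean(profile.history)) / sd
        if z > z_limit:
            reasons.append(f"amount far outside established pattern (z={z:.1f})")
    else:
        reasons.append("no transaction history to baseline against")
    if not reasons:
        return "allow", reasons
    # Business accounts: anomalous transfers need dual customer authorization.
    if profile.account_type == "business" and approvals < 2:
        reasons.append("dual customer authorization required")
        return "hold", reasons
    return "step_up", reasons                      # out-of-band verification


# Constructed sample profiles (not real customers)
BUSINESS = Profile("business", [1200, 1500, 1100, 1400, 1300],
                   {"ACME Supply", "Payroll Co"})
CONSUMER = Profile("consumer", [50, 80, 60, 70, 40], {"Electric Co"})

if __name__ == "__main__":
    for prof, payee, amt, appr in [(BUSINESS, "ACME Supply", 1350, 1),
                                   (BUSINESS, "Unknown Overseas Ltd", 9800, 1),
                                   (BUSINESS, "Unknown Overseas Ltd", 9800, 2),
                                   (CONSUMER, "Electric Co", 500, 1)]:
        print(prof.account_type, payee, amt, assess_transfer(prof, payee, amt, appr))
```

The point of the layering is that a single failed control never decides alone: an unknown payee plus an out-of-pattern amount on a business account is held until a second authorized user approves, whereas the same consumer anomaly is routed to out-of-band verification.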
