Federal Reserve Bank of Chicago
Economic Perspectives
First Quarter 2009

Special issue on payments fraud

President: Charles L. Evans
Senior Vice President and Director of Research: Daniel G. Sullivan

Research Department
Financial Studies: Douglas D. Evanoff, Vice President
Macroeconomic Policy Research: Jonas D. M. Fisher, Vice President
Microeconomic Policy Research: Daniel Aaronson, Vice President
Regional Programs: William A. Testa, Vice President

Economics Editor: Anna L. Paulson, Senior Financial Economist
Editors: Helen O’D. Koshy, Han Y. Choi
Graphics and Layout: Rita Molloy
Production: Julia Baker

Economic Perspectives is published by the Research Department of the Federal Reserve Bank of Chicago. The views expressed are the authors’ and do not necessarily reflect the views of the Federal Reserve Bank of Chicago or the Federal Reserve System.

© 2009 Federal Reserve Bank of Chicago

Economic Perspectives articles may be reproduced in whole or in part, provided the articles are not reproduced or distributed for commercial gain and provided the source is appropriately credited. Prior written permission must be obtained for any other reproduction, distribution, republication, or creation of derivative works of Economic Perspectives articles. To request permission, please contact Helen Koshy, senior editor, at 312-322-5830 or email Helen.Koshy@chi.frb.org. Economic Perspectives and other Bank publications are available on the World Wide Web at www.chicagofed.org.
ISSN 0164-0682

Contents
First Quarter 2009, Volume XXXIII, Issue 1

Economic Perspectives special issue on payments fraud: An introduction
Gene Amromin and Richard D. Porter
This article provides an overview of this special issue of Economic Perspectives, which presents selected papers based on the proceedings of the Federal Reserve Bank of Chicago’s eighth annual Payments Conference, Payments Fraud: Perception Versus Reality, held on June 5–6, 2008.

Payments Fraud: Perception Versus Reality—A conference summary
Tiffany Gates and Katy Jacob
The authors highlight key issues from the presentations, keynote addresses, and open floor discussions at the Federal Reserve Bank of Chicago’s eighth annual Payments Conference.

Agenda: 2008 Payments Conference, Payments Fraud: Perception Versus Reality

Announcement: 2009 Payments Conference

Fraud containment
Bruce J. Summers

Data security, privacy, and identity theft: The economics behind the policy debates
William Roberds and Stacey L. Schreft

Perspectives on retail payments fraud
Steve Malphrus

Divided we fall: Fighting payments fraud together
Mark N. Greene

An examination of the fraud liability shift in consumer card-based payment systems
Duncan B. Douglass

Vulnerabilities in first-generation RFID-enabled credit cards
Thomas S. Heydt-Benjamin, Daniel V. Bailey, Kevin Fu, Ari Juels, and Tom O’Hare

Economic Perspectives special issue on payments fraud: An introduction
Gene Amromin and Richard D. Porter

In this special issue of Economic Perspectives, we present selected papers based on our recent conference, Payments Fraud: Perception Versus Reality, hosted by the Federal Reserve Bank of Chicago on June 5–6, 2008. The conference brought together decision-makers from the banking, payments, legal, regulatory, and merchant communities for a wide-ranging discussion of the threats to the security of the payments system and how those threats might best be addressed.
The volume starts with an extensive summary of conference presentations, keynote addresses, and open floor discussions, written by Tiffany Gates and Katy Jacob. In order to give a sense of the intense back-and-forth exchanges that took place during this day-and-a-half-long event, the authors structure their summary around the broad themes of the discussion rather than simply presenting a chronological account. The themes are as follows: organizational structures for management of fraud risks; technological innovation; alignment of incentives for fraud prevention among consumers, merchants, and payments providers; and regulatory policies. Gates and Jacob’s article highlights the challenges involved in bringing the various constituencies together to forge common ways to address fraud in payments systems.

Gates and Jacob find that payments fraud cannot be eliminated without decreasing the openness and efficiency of the payments system. In the current environment, technological innovations have enabled system participants to enhance payments security, at the same time that technology has made it easier for criminals to perpetrate payments fraud remotely. Practitioners are constantly weighing the costs and benefits of payments fraud mitigation and are looking to the public sector to offer guidance and support. As the industry combats payments fraud, companies are banding together to find common solutions. For instance, throughout the conference, financial industry participants emphasized the concept of enterprise-wide fraud management, while many also acknowledged the difficulties faced by small merchants and many financial institutions in fashioning such holistic strategies. A number of legal professionals stressed the detrimental effects of legacy laws and regulations that evolved independently around individual payment product lines.
Together, these viewpoints contributed to a budding consensus on the importance of dedicated high-level executive involvement in payments fraud management and of outsourcing development of fraud prevention tools to specialized entities.

The rest of this volume is devoted to articles that address in greater detail some of the key topics discussed at the conference. The contributors of these papers span the spectrum of thought leaders in combating payments fraud—industry experts in fraud detection systems, legal professionals, academic researchers in economics and technology, and senior officials of the Federal Reserve System.

The first article is written by Bruce J. Summers. His paper provides a synthesis of the approaches of practitioners and economists to thinking about the problems in containing retail payments fraud. As Summers makes clear, these approaches differ somewhat for reasons that have to do with both perspective and analytical framework. Yet, both parties are integral in formulating a coherent public policy response to the problem of payments fraud. In particular, payments industry practitioners tend to regard fraud as a persistent but manageable problem that requires both unrelenting attention and significant expenditures. These expenditures on fraud mitigation have resulted in declining rates of fraud losses. Still, there is concern that maintaining such results in the future will require ever-expanding expenditures. Part of this argument rests on the view that fraud threats to electronic payments networks arise globally, are increasingly sophisticated, and propagate quickly.

Gene Amromin is a senior financial economist and Richard D. Porter is a vice president, senior policy advisor, and the director of the payments team in the Financial Markets Group at the Federal Reserve Bank of Chicago.
The bottom line is that for the practitioners, payments fraud is part of the cost of doing business, which can be ameliorated by pooling fraud prevention efforts. To underscore this view, Summers reports consensus recommendations from a recent industry roundtable (which is a focus of the article by Malphrus later in this volume). Those recommendations call for information sharing, better authentication technologies, and adoption of standards— ideas that take into account the economies of scale and scope in fraud prevention, though not necessarily the conflicting incentives among the many participants in payments networks. Economists tend to think of the payments system as a vast network of participants whose divergent incentives generate considerable spillovers from their own actions. The effects of these spillovers are frequently not fully appreciated by the participants because market prices fail to convey the extent of the spillovers to them. An example of such an “externality” is when a consumer (or merchant) fails to be appropriately vigilant about data security because limited liability rules (or existing penalties for breaching network security protocols) do not signal the extent to which such actions affect other participants in the payments system. Moreover, because fraud prevention by one party usually improves the experience of everyone else, there is ample incentive for other participants to “freeload.” As a result, there may be drastic underprovision of fraud prevention in the aggregate. This framework forces economists to take a systemic view of payments networks, focusing on ways in which policy can better align the incentives of all participants. 
One important implication of this view is that incentives (or regulation) must be appropriately allocated across the payments network because the entire system is only as strong as its “weakest link.”

The juxtaposition of the views of practitioners and academic economists gives rise to an interesting and provocative observation that industry practitioners’ relatively sanguine view of risk is partly attributed to their focus on practices of their own firms. Thought leaders in the industry are keenly aware that the interconnectedness between the many players in the payments space poses risks that are not directly observable by any individual participant. Yet, their primary responsibility for managing fraud at their enterprises may instill a somewhat false sense of security. This comparison also points to a potentially key role of the Federal Reserve in bridging the gap, since it is both a research center and a major payments provider.

The next three articles in this volume are, in some sense, elaborations on Summers’ conclusion. The first of these, by William Roberds and Stacey L. Schreft, lays out an economic framework for thinking about fraud in payments networks. The second, by Steve Malphrus, gives the industry view on the current state of efforts in retail fraud management. The third, by Mark N. Greene, addresses the nature of payments fraud and the need for coordinated efforts in fighting it.

Roberds and Schreft start out by noting the inevitable trade-off between more efficient payments markets and loss of privacy. On the one hand, as an economy grows, paying for transactions in cash becomes prohibitively expensive and inefficient. On the other hand, credit- and debit-based transactions between parties that typically do not know each other are impossible without exchanging some information that verifies both the identity and the creditworthiness of the parties.
The resulting transfer of information back and forth presents opportunities for fraud. Still, without such transmission of private information modern payments systems would be infeasible, thereby forcing payments activity onto the slower rails of cash-facilitated exchanges of yesteryear. What is the proper balance then? As Roberds and Schreft argue, it is useful to think of this balance as “confidentiality” of payments transactions. “Confidentiality” thus consists of “data informativeness” (how much identifying information is exchanged between parties) and “data integrity” (how well this information is protected). If you tilt the balance too much toward safeguarding privacy (that is, lessen data informativeness), then the wheels of credit-based and remote transactions grind to a halt. But if you tilt it too much toward being absolutely certain about the identity and creditworthiness of the consumer, then you may transmit so much data that you increase the incidence of and losses from fraud. To get closer to the answer, the authors lean on economic theory. They note that neither information nor integrity diminishes with repeated use. For example, say Wal-Mart knows Mr. A is not a fraudulent actor and, therefore, processes payments it receives from him. The fact that Wal-Mart has this information does not diminish the value of the information to Home Depot. These seemingly abstract concepts matter because they help us think about the way in which “confidentiality” can be provided efficiently. In particular, the fact that the two attributes of “confidentiality” do not wear down with consequent use implies that, at some point, the marginal cost of providing it is close to zero. This insight implies that optimally there will be only a few large producers of “confidentiality” that are able to leverage vast economies of scale in building networks for collecting and transmitting necessary information securely (for example, credit bureaus, card networks, and so on). 
However, since information must be exchanged among many different parties (for example, merchants, issuers, and consumers) in order to have value, the potential for conflicts of interest is large. Some parties may have weaker incentives to safeguard information and thus become the “weak link” that compromises the entire system. Some parties may choose to freeload on data integrity efforts of others because the cost of fraud or loss of “confidentiality” is not proportionately allocated. The authors’ analysis of “confidentiality” further points to the proper role for policymakers in fostering efficient (but not fraud-free) payments systems. Public policy should aim to resolve the potential for conflicts of interest through coordination, judicious imposition of standards, and proper allocation of legal incentives (as discussed in greater detail in Douglass’s article later in this volume). The public sector should not focus on duplicating the job done by the private sector in collecting, verifying, and processing payments-related information. As Roberds and Schreft underscore, the ultimate goal of regulators should be to strike the proper balance between privacy and efficiency. Malphrus’s article summarizes the results from a special roundtable discussion on retail payments fraud, which was held at the Federal Reserve Bank of Minneapolis in March 2007. The participants reported that, despite the declining use of checks, check payments still generated the largest number of fraud attempts. They emphasized that criminals are continually searching for weaknesses in fraud detection and prevention practices. Many thought that banks and businesses needed to adopt a holistic approach to detecting and preventing retail payments fraud, being ever mindful of the overall fraud landscape across all of their operations. 
The roundtable participants shared a number of suggestions for improving the industry’s ability to detect and prevent retail payments fraud, including better protection of customers’ personal and financial data. They recommended more effective sharing of best practices with respect to fraud detection and prevention within the industry. Industry leaders specifically discussed the effectiveness of PIN (personal identification number) and chip technology. Some stated that fraud rates on PIN debit cards are significantly lower than those for other payment types, and advocated a more widespread application of PIN security to card payments. Malphrus also shares some thoughts on new account fraud that has featured prominently in recent discussions on retail payments systems’ vulnerabilities. Allowing customers to open accounts electronically, as opposed to in person at a bank, clearly offers the potential for fraud. However, this risk can be mitigated by making use of various technologies; for example, software can identify the geographical location of the user’s computer, and device identification tests can be subjected to further fraud screening. All of these technologies are currently operational, and their widespread adoption is likely to make a considerable difference in mitigating a particular aspect of retail payments fraud. Malphrus also highlights an increasingly important aspect of policymaking—the need to protect privacy while countering terrorist financing and money laundering. As different agencies (for example, the Central Intelligence Agency and the Federal Reserve) cooperate to combat these threats, they must be vigilant about how they exchange information about U.S. citizens. Moreover, as those perpetrating illicit activities increasingly attempt to leverage existing payments networks, the need for cooperation between the private sector and government agencies becomes all the more important. 
The next contributor, Greene, represents Fair Isaac Corporation—a leading provider of automated identification procedures for prospective fraud on electronic payments networks. Greene’s role gives him a clear perspective on the nature of the current threats to the payments system. As Greene argues in his article, greater cooperation among the various payments system participants is necessary to combat fraud. Increasingly, modern day fraudsters operate globally, often outside the jurisdiction of the U.S., and they are well organized and well financed. In particular, Greene warns that adopting piecemeal solutions that focus on individual payments segments or regions would be inadequate to beat the scams. While payments providers may have an incentive to differentiate their products and seek competitive advantage, they need to find ways to cooperate with each other in sharing information or developing standards that would help lessen the problem. He suggests that piecemeal solutions are like pushing on a balloon—they may impede fraud in the particular targeted segment or region but quite often at the expense of increasing fraud elsewhere. Instead, Greene advocates a fraud protection system that works like a burglar alarm, covering all the openings—“doors and windows”—since fraudsters will always make the most of the weakest link.

He argues it is possible to build better models of fraud containment that profile not only individuals but also devices and merchants. With this platform, one could successfully identify uncharacteristic and possibly fraudulent payment behavior. Such modeling exercises would be more effective if they could be “trained” (that is, estimated on large amounts of current real-world data); this might require the cooperation of various payments system participants. Some public sector cooperation might be desirable to remove the concern that such industry data-sharing exercises constituted collusive practices.
In the question-and-answer session that followed Greene’s keynote address at the conference, Greene raised the possibility of a mass compromise to the payments system by fraudsters. In a typical card compromise where the information could be stolen for, say, 25,000 cards, Greene acknowledged there is often only a limited amount of resulting damage—perhaps on the order of 400 fraudulent transactions. He suggested that the outcome could be considerably larger, with perhaps as many as 4 million fraudulent transactions generated on the same (25,000) card base. In this circumstance, Greene argued the systemic risk to payments could be huge. Moreover, he stressed that the industry is not prepared to deal with such a contingency. This might require a joint public–private initiative to scope out the problem and propose solutions. The next article in this volume, by Duncan B. Douglass, takes us back to the central role that proper allocation of incentives plays in the efficient functioning of payments systems. Douglass focuses on ways in which the current framework of public laws and private network rules distributes fraud liability among the three principal sets of participants—consumers, merchants, and card issuers. Although the discussion centers on signature-based credit and debit cards, its implications are readily extended to other payments instruments. The public law framework that governs the legal liability for fraud losses is based on the Truth in Lending Act (TILA) and the Electronic Fund Transfer Act (EFTA), as well as the associated Federal Reserve Board Regulations Z and E. As Douglass points out, the primary goal of these laws and rules is to effectively absolve the consumer from liability for losses related to fraud, regardless of whether a consumer’s own behavior contributed to fraud in the first place. 
Although a lack of care on the part of consumers often contributes to fraud, Douglass argues that making consumers bear more of the consequences for their actions is not realistic. This owes both to the political environment and, more importantly, to the desire to instill confidence in the security of card transactions among consumers.

The private card networks’ rules take over from where public laws stop—by setting cardholder liability to zero—and proceed to further allocate fraud loss liability between merchants and card issuers. In brief, the rules effectively assign liability for losses in card-present transactions to issuers and in card-not-present transactions to merchants. Douglass emphasizes that this joint framework of public laws and private rules leads to several predictable outcomes that make systemwide fraud prevention efforts somewhat inefficient. To paraphrase, consumers never care too much about safeguarding their transactions, merchants try to exercise due diligence primarily in card-not-present environments, and card issuers are concerned mostly with point-of-sale transactions. Each party thus has ample incentives to undermine the efforts of the other—for example, merchants not verifying signatures at the point of sale. Douglass illustrates this dynamic with the example of the failed adoption of networks’ payer authentication programs. Although these programs are effective in reducing online fraud, consumers, who bear no responsibility for fraud, have balked at merchants’ efforts to adopt these measures. For their part, card issuers, which bear less of a burden for fraud in card-not-present transactions, were content to sit on the sidelines and not force their customers to enroll in such programs.

The final article in the volume, by Kevin Fu, Thomas S. Heydt-Benjamin, Daniel V. Bailey, Ari Juels, and Tom O’Hare, focuses on technological vulnerabilities in a newly popular set of payments instruments—devices that use RFID (radio frequency identification), such as credit cards. Such cards offer the promise of speedier contactless transactions at the checkout or gas station and, unlike traditional magnetic stripe cards, require only physical proximity between the card and the associated reader. Fu and his co-authors demonstrate that the more convenient retail experience provided by RFID devices over magnetic stripe cards may come at the price of several vulnerabilities in RFID’s first-generation incarnations. Using their toolkit as electrical engineers, the authors find that all of the 20 million RFID-enabled cards currently in circulation are subject to privacy invasion. The cards can be scanned and private information can be removed by the fraudsters without the awareness or consent of the cardholders. These vulnerabilities should not necessarily be viewed as a fatal indictment of the technology; rather, they represent what might be expected for a work in progress. If successful, RFID technology will overcome these vulnerabilities along its developmental path. New (and ultimately successful) payments innovations do not necessarily provide full fraud protection capabilities at launch but often gain them over time as they scale up efficiently. The history of PayPal illustrates this point quite nicely.1 We hope that the message delivered by Fu and his co-authors will rouse the card manufacturers to address these challenges quickly.

Each of the articles collected in this volume offers a specific insight into the current state of efforts in combating retail payments fraud. The articles also outline a number of ways in which these efforts can be made more successful at a systemwide level and offer a methodological framework for thinking about the problem.
We hope this work will provide a valuable basis for ongoing discussions on how we can develop and coordinate public and private responses to the pressing need to manage payments fraud risk.

NOTES

1 Sujit Chakravorti and Carrie Jankowski, 2005, “Forces shaping the payments environment: A summary of the Chicago Fed’s 2005 Payments Conference,” Chicago Fed Letter, Federal Reserve Bank of Chicago, No. 219a, October, p. 2.

Payments Fraud: Perception Versus Reality—A conference summary
Tiffany Gates and Katy Jacob

An overview of payments fraud

Payments fraud can be broadly defined as any activity that uses information from any type of payments transaction for unlawful gain. Such fraud can be perpetrated on any type of payments device, including credit and debit cards, cash, checks, online or mobile payments, and automated clearinghouse (ACH) transactions. Payments fraud can be committed knowingly by a consumer (first-party fraud), or consumers can be victimized by fraudsters operating within financial institutions or as part of criminal enterprises (third-party fraud). Payments fraud has received extensive attention in the popular press and in public policy venues recently, and the payments industry is fighting the perception that fraud is now occurring at unmanageable levels. While there has been increasing emphasis on all types of payments fraud, fraud perpetrated by criminals has received special attention of late.1

Fraud is a very real threat to the payments system’s efficiency. According to one recent report, 71 percent of surveyed organizations experienced payments fraud in 2007, and over one-third of those firms reported financial losses stemming from the fraudulent activity.2 As another example of the size of the payments fraud problem, in a 2007 data breach involving TJX Companies Inc. (the holding company of retailers T. J. Maxx, Marshalls, Winners, HomeGoods, TK Maxx, A. J. Wright, and HomeSense), 45,700,000 credit card and debit card account numbers were stolen, along with 455,000 merchandise return records containing customer names and driver’s license numbers. Latest reports allege that an additional 48 million people have been affected for a total of over 30 percent of the entire U.S. population. The situation has cost TJX Companies Inc. more than $130 million in settlement claims. The breach was a worldwide effort perpetrated by criminals from the United States, Eastern Europe, and China. The U.S. Department of Justice has arrested 11 people in this case, which is the largest hacking and identity theft case ever prosecuted by the department.3

As more payments become electronic, the size and scope of payments fraud has grown, in part because the relevant parties in a payments transaction do not know one another. Information about those parties is vital to prevent fraud and enable legitimate transactions. However, as innovations in payments technology have made authentication of information more reliable, other technological innovations have made that information more widely available and subject to abuse. Fraud such as counterfeiting or check forgery has always had a global reach. However, payments fraud used to be much more reliant on physical connections between parties, such as the theft of an individual checkbook or credit card. Today, modern databases, online information sharing, and increased access points have opened up opportunities for sophisticated criminal gangs to perpetrate fraud from remote corners of the globe. Further, the growing presence of nonbanks and third-party service providers means that regulated financial institutions must consider the security of those providers. At the same time, new laws and standards are being developed for payment activities and instruments.
While the continual refining of systems and rules arguably makes payments easier and more efficient, the fast pace of change can compound fraud potential as fraudsters hunt to exploit the weakest link in the emerging systems. In this complex environment, market participants and governments must determine whether new payment types carry excessive fraud risk; who is liable when payments fraud occurs; how losses are allocated; what consumer protections should be in place; how notification of fraud should be handled; and how standards should be defined to minimize the incidence of fraud. It is a tall order, but payments providers must also identify consumers whom they have never met and authorize electronic transactions from which they might be far removed. And, increasingly, they must do this in real time.

To explore the problem of payments fraud, the Federal Reserve Bank of Chicago organized its eighth annual Payments Conference around the topic. The conference, Payments Fraud: Perception Versus Reality, took place on June 5–6, 2008.4 In this article, we summarize the conference and focus on the following themes: why the industry is worried about payments fraud; managing fraud risks; the impact of technology and innovation on fraud; responsibilities and incentives for fraud prevention; and public sector involvement in mitigating payments fraud. We note that market participants agree that payments fraud cannot be eliminated without risking the viability of certain payment channels, but also find that close industry collaboration, properly aligned incentives, technological innovations, and active risk management can lessen fraud’s ill effects.

Tiffany Gates is a supervision analyst in the Banking Supervision and Regulation Department at the Federal Reserve Bank of Chicago. Katy Jacob is a research specialist in the Financial Markets Group at the Federal Reserve Bank of Chicago. The authors thank the Chicago Fed’s payments team for their help in producing this article.
Why worry about payments fraud?

Fraud degrades operational performance and increases cost—not only for the parties to the transactions whose payments are disrupted, but also for the payments system as a whole. Indeed, payments networks are vulnerable to fraud at any point in a payments chain, and fraudsters often attempt to exploit the weakest link in that chain. One of the foremost concerns is the potential for a single data breach or compromise to disrupt an entire payments system. According to conference panelist Jeff Schmidt, an independent consultant, it is possible for a single data breach to affect multiple layers in the payments system and disrupt the efficient operation of the entire system if confidence in the system is lost. Further, Mark Greene, Fair Isaac Corporation, raised the possibility of a mass compromise of significant components of the U.S. payments industry. Greene said that the industry is not prepared for a mass attack wherein fraudsters target multiple companies simultaneously through hacking and sophisticated phishing techniques.5 These threats have the potential not only to harm a financial institution but also to degrade the payments system globally. Bruce Summers, a payments system and technology management consultant, questioned whether the marketplace alone could contain fraud and protect the payments system as a whole if such a mass compromise were to occur. Indeed, Allison Edwards, Fiserv EFT, commented that the payments industry was completely caught off guard by the aforementioned 2007 TJX Companies data breach because of its size and scope.

It is important to note that there is a distinction in the payments industry between actual fraud that has been perpetrated and potential fraud from compromised information that might not necessarily result in criminal activity.
Ellen Richey, Visa Inc., claimed that the number of compromise incidents in the United States is rising, while other analysts contend that only the reporting of these incidents is increasing. Regardless of the magnitude of growth, industry leaders are concerned about both stopping compromises from occurring and ensuring that significant fraud does not take place when compromises do occur. Conference panelists maintained that when such fraud happens, consumer confidence can only be restored by a fast and thorough industry response.

Managing fraud risks

As it stands, many in the industry find it difficult to gauge the full impact of fraud on the payments system. Richey applauded the payments industry for doing a good job in stemming the tide of increasing fraud attacks, stating that global fraud rates in the card industry have remained largely constant since 2002. Others at the conference argued that, while the total amount of fraud has gone down, the impact of the fraud that does occur has become more costly to society. Summers commented that many in the payments industry argue that today’s level of fraud protection is sufficient, and noted that few market participants seem dissatisfied with the overall state of payments fraud. Some players view fraud as just another cost of doing business, though according to several conference participants, that view is being overshadowed by an urgent need to keep fraud under control.[6] According to David Poe, of Edgar, Dunn, and Company, many payments participants often make suboptimal risk-management business decisions because the true cost of fraud is misunderstood. Most analysts only take account of fraud losses to issuers (banks that issue payment cards to consumers or businesses) when tallying fraud costs. Poe noted that the monthly benchmarks for issuers’ fraud losses are approximately 0.07–0.08 percent of transaction volumes.
Fraud losses to acquirers (banks that process card payments for merchants) from chargebacks are also of about the same magnitude. Poe echoed Greene by noting that statistics on issuers’ credit card losses from first-party fraud showed that fraud could account for as much as 10 percent of their credit losses if correctly categorized. Moreover, opportunity cost—where consumers pass up one payment option or company in favor of another because of perceived security concerns—is arguably the biggest cost of fraud and the most difficult to quantify. It is the largest potential risk in that customers might not use a payment product at all, or might not use the product in the appropriate way, because they do not trust that the payment instrument is secure. When determining the true cost of payments fraud, analysts sometimes also fail to count the cost borne by issuers, acquirers, and merchants to manage fraud risks. Bob Ledig, of Fried, Frank, Harris, Shriver, and Jacobson LLP, stated that the costs of fraud cannot be limited to direct costs borne by any one party in the payments system. Rather, resource, compliance, enforcement, reputation, and litigation costs must also be taken into consideration. He noted that data security should be an inherent part of the payments vehicle, rather than a separate line of business. These comments about the true price of payments fraud raise the possibility that there may be some type of market failure in the payments system, wherein the nature of fraud is so complex that firms are unable to price it correctly. To keep costs down and to better manage the risk associated with payment channels and instruments, financial institutions are looking to incorporate an enterprise-wide approach to fraud management. Challenges arise because lines of business have historically been developed as independent silos.
Judith Rinearson, of Bryan Cave LLP, stressed that payments laws and regulations have largely emerged around individual product lines, making it difficult to implement enterprise-wide solutions. Many audience members commented that small merchants also struggle to implement enterprise-wide solutions, as they lack the resources to obtain high-end fraud prevention tools. The transition to an enterprise-wide approach to fraud mitigation is driven by governance and culture. Conference participants felt that the comparative handful of organizations that have appointed “payment czars” have been more effective in looking at payments fraud across the institution as a whole. Yet, if an institution has a deeply siloed governance and organizational structure, it is difficult to develop consistent, cost-efficient business processes across different product lines. Greene urged the industry to take note of the “balloon effect” in payments fraud. Namely, once fraud begins to decrease in one payment method, criminals often shift focus to another part of the payments system, where fraud rates begin to rise. Audience members commented that fraud might also shift among regions or nations. Some speculated that the increasing use of chip and PIN (personal identification number) technology in Europe and Canada might lead criminals in those countries to focus on countries that rely more heavily on older magnetic stripe technology, such as the United States. These different types of fraud shifts could lead to misperceptions about what is truly occurring in the system as a whole, and they are especially important to consider when new payments technologies enter the market.

Payments technology and innovation

On the one hand, technological innovations have enabled market participants to authenticate payments information more accurately in real time, greatly enhancing the security of electronic payments transactions.
On the other hand, the speed of payments innovation can accelerate fraud risks. Traditionally, the payments industry has been slow to manage technology, while fraudsters have quickly adapted to the new channels available. Poe reinforced the idea that technology has made fraud easier to commit on a wide scale, citing the increases in phishing, pharming, skimming, and other fraud tactics that often rely on remote or card-not-present transactions.[7] According to Kevin Fu, University of Massachusetts Amherst, phishing is one of the biggest security problems on the Internet. It is certainly the easiest way a spammer (one who uses electronic messaging systems to indiscriminately send unsolicited bulk messages) can infiltrate thousands or millions of compromised machines around the world. If just a tiny fraction of the people spammed respond, the spammer can obtain quite a bit of sensitive information that can be used to perpetrate fraud. Richey went further by saying that the top vulnerabilities in the payments system are the storing of prohibited data; out-of-date security systems; perimeter security; weak wireless security systems; and structured query language (SQL) injection attacks.[8] These vulnerabilities can only be addressed if every participant in the payments system is accountable and vigilant about protecting data, upgrading systems, and monitoring its own staff and its partner firms. However, upgrading software and infrastructure can be quite costly. In some cases, technology enhancements happen so quickly that companies, especially small merchants and processors, have little time to react. Consumer perceptions of fraud risks can also directly impact the success of a new payment method. Greene noted that consumers’ perception that mobile and contactless payments are more prone to fraud has apparently stunted the growth of those payment channels in the United States.
Mobile payments are payments that are initiated by a mobile device, such as a mobile phone.[9] A contactless payment device, such as a card or fob, uses radio frequency identification (RFID) or near field communication (NFC) technology to make secure payments. The embedded chip and antenna enable consumers to wave their payment device over a reader at the point of sale. Both RFID and NFC payment methods are relatively new in the U.S. market, and it should be noted that it often takes time for consumers to adopt any new instrument or market. Bruce Cundiff, Javelin Strategy and Research, echoed the sentiment that risk adversely affects consumer adoption of these new payment instruments. Because repairing the damage done by payments fraud is becoming more complex for consumers, many are reluctant to switch to a new payment method. For example, in a recent Javelin survey, 65 percent of those who said they did not want to use contactless cards named security fears as the number one reason, and 33 percent of those surveyed viewed mobile banking as too risky.[10] Cundiff pointed out a marked change in the way that consumers perceive the security efforts of their financial institutions. Consumers now want to be more engaged in security measures and view companies that allow them to be engaged through account alerts or verification calls as being more reliable. Rinearson agreed, arguing that many consumers are confused about fraud prevention features of different payment cards, such as prepaid cards[11] versus debit or credit cards. For example, consumers might find out about fraudulent transactions from billing statements for their debit cards or credit cards, but would not have such information for a number of prepaid cards. Payments fraud can affect the availability of new products as well. Payments providers might be hesitant to innovate in an area where unknown fraud risks exist.
Paul Tomasofsky, Two Sparrows Consulting LLC, said that the newly emerging decoupled debit field faces challenges as issuers work out several potential risks. A decoupled debit card is a debit card issued by a nonbank or bank that is linked to a demand deposit account that the issuer does not own. The payments are processed on the automated clearinghouse network, are typically co-branded with a particular merchant, and may include other options such as a credit feature or reward program.[12] Tomasofsky pointed out that issuers need to thoroughly authenticate both the user of the card and the user’s checking account to verify that they are in fact linked. Issuers, moreover, run the risk of the account holder having nonsufficient funds because they aren’t able to check deposit account balances directly. It is also unclear who will be responsible for handling dispute resolution for decoupled debit cards. While relatively low merchant fees may make these cards attractive to the merchant community, their slow start suggests that some of these perceived risks might be impeding their adoption. Online payments also face numerous threats from payments fraud. Steve Malphrus, Board of Governors of the Federal Reserve System, noted that fraud is more prevalent in online transactions than in person-to-person transactions. According to Bob West, Echelon One, there is $2.3 billion–$3.2 billion in online credit card fraud per year, much of which is orchestrated by very sophisticated crime syndicates.[13] Moreover, even traditional payment forms that are undergoing modernization face new potential fraud risks. For example, David Walker, Electronic Check Clearing House Organization (ECCHO), explained that in check imaging, technology moved much faster than the laws related to handling check fraud issues. While imaging reduces fraud potential over paper checks, industry players are unsure how to interpret their new roles related to risk management.
Walker explained how new forms of check fraud have arisen following the introduction of check imaging. These forms of fraud include a greater volume of duplicate checks and images that do not conform to standards set in the Check Clearing for the 21st Century Act.[14] Walker said that many institutions struggle to decide whether imaged checks are authorized and who should receive returned checks. The increased fraud risk from some technological innovations has even begun to change the way that institutions view new customer relationships for deposit accounts. Malphrus commented on how the increase in remote account opening has created a new set of fraud risks, which can hopefully be managed by increasingly sophisticated authentication technologies. West expanded on this theme by discussing the overall disconnection between the physical and online worlds in payments, stating that this basic problem is with us to stay. Fraud perpetrators regularly exploit new technologies to their benefit, but payments providers are working to find ways to exploit technology for fraud resolution as well. These firms are incorporating technology into the broader design of their fraud detection mechanisms. Edwards noted that “neural” networks[15] are helping companies to manage their risk profiles more conservatively by adding the elements of time control and customer targeting. Fu discussed the ways that RFID technology in contactless cards and mobile payment devices can allow for sophisticated tracking in order to reduce fraudulent transactions. The RFID tags, which mimic minicomputers and store enormous amounts of data, can mitigate the security risk of handing over your card to someone who may want to compromise the information contained on it. Greene mentioned the rise of profiling mechanisms that compile fraud patterns for specific merchants as well as in geographically dispersed payment devices and terminals.
These mechanisms can be used in adaptive models that keep up with changes in fraud patterns; they allow users to dynamically change model weights to suit their needs. He argued that fraud prevention should not be viewed as providing a competitive advantage for any firm. Otherwise, fraud becomes too great of a collective problem. Fu also supported the use of open source RFID technology rather than the proprietary systems that companies are now pursuing. This idea furthers the notion that collaboration is required to combat fraud in the payments system.

Responsibilities and incentives for fraud prevention

Conference participants noted that, as consumers, merchants, and payments providers struggle with the issue of payments fraud, the goal is not to eliminate fraud but rather to generate better risk-management practices that strike a balance between allowing for risks in the payments system and dictating payments choices. Speakers at the conference were unanimous in the view that collaboration within and among companies is a necessary aspect of successful payments fraud mitigation. Security is expensive to achieve and maintain. Therefore, it can result in indirect but nonetheless real costs to consumers if those costs are transferred. Cooperation is thus not only desirable but also necessary. According to the conference speakers, in order to be effective, payments fraud mitigation efforts must recognize the need to include all members of the system. To do this, incentives must be properly aligned. Market participants must have sufficient reasons to care about fraud mitigation. For instance, Mallory Duncan, National Retail Federation, argued that we currently have pricing and protection scenarios that encourage customers to use signature-based payment cards rather than PIN-based cards, leading to perverse incentives to use a payment vehicle that is perceived to be less secure.
Moreover, banks and merchants often base their preference for different payments mechanisms on narrow cost reasons, thereby overlooking the hidden costs embedded on the security side. Duncan also noted that if merchants do not feel that they are directly benefiting from increased data security, they will not be willing to pay for new security infrastructure. He said that it is very difficult for merchants to keep up with constantly changing payments rules, as merchants are being asked to handle payments technologies that are outside of their core competencies. Schmidt countered that today all industries face security issues and that compliance is not specific to payments. Several conference participants suggested that one solution to the problem of data storage standards is to be parsimonious with payments data and store only as little as the law requires. Mark Michelon, Orbitz Worldwide, explained that fraud detection needs to be automated in order for merchants to do it in a cost-effective manner. Richey elaborated by stating that effective authentication can make stolen data useless. Schmidt agreed, noting that there is so much payments data available that fraud solutions should not focus on limiting data but rather on making the data less meaningful. Public disclosure of sensitive data devalues the data for fraudsters and essentially halts the fraud. In other words, if data such as Social Security numbers are not deemed to be highly confidential, the impact of having such data stolen will not be as great. Alternative types of data include addresses or zip codes; according to Richey, these are quite effective authentication tools in many instances. Schmidt suggested that incentives for fraud prevention should be aligned with responsibility and that potential victims should be given good reasons to care about protecting their own payments data.
Several presenters commented on consumers’ relative lack of incentives in preventing payments fraud, especially in the credit card market where zero liability policies protect consumers from virtually all losses. Duncan Douglass, of Alston and Bird LLP, argued that there needs to be a realistic price tag placed on risk. Currently, he said, attorneys work with payments system participants to help them decide if paying to eliminate risk is worth the cost. Payment channels rely on customer confidence for survival, but there is a moral hazard problem when customers have little incentive to be careful with data. Michelon stated that one solution to this problem is consumer education about payments fraud and data protection. While these efforts can be useful, in order for them to have meaningful effects, all actors in the payments system must have similar incentives to avoid payments fraud. Indeed, if fraudsters are to stay in business, it would seem to be in their best interest to avoid creating a situation where a mass compromise would disrupt the payments system as a whole or destroy a specific payment channel that had previously proven lucrative for them. Marsha McClellan, United States Attorney’s Office for the Northern District of Illinois, remarked that there should be real consequences for committing payments fraud that are significant enough to make criminals think twice. She stated that it is difficult to prosecute a payments fraud case because of the electronic nature of the crime, which usually means there is not much physical evidence. Moreover, many consumers have a hard time pinpointing compromised information. McClellan suggested that monetary incentives were the most likely way to deter fraud. United States Attorneys have the authority to seize the proceeds of criminal activity even before prosecutions occur. If funds are seized, criminals lose the ability to continue their operations.
However, Sujit Chakravorti, Federal Reserve Bank of Chicago, agreed with Schmidt’s point that this type of monetary incentive does not work for irrational actors, such as pedophiles, terrorists, and other perpetrators of payments fraud who are not motivated primarily by financial goals. Clearly, these types of actors present a problem to society that goes far beyond payments. Some argue that the existence of such issues with broad implications for our society leads to the need for public sector intervention in the problem of payments fraud.

The role of the public sector

Payments markets contain strong public-good components. Gene Amromin, Federal Reserve Bank of Chicago,[16] argued that payments services are neither purely public goods nor purely private goods; thus, they are best provided by the private sector but with government oversight. Because of the inherent conflicts of interest, as noted in the previous discussion concerning misaligned incentives, the public sector can help counter information asymmetries by designing proper mechanisms to deter fraud, helping to align incentives to prevent fraud, and providing information to all levels of the payments system about the issue of payments fraud. While government involvement might therefore be seen as a crucial component in combating payments fraud, no clear consensus emerged at the conference on the best specific strategies for doing this.[17] Charles Docherty, MBNA Canada Bank, offered a perspective on how other nations deal with the role of government in payments fraud. In Canada, where there are fewer financial institutions and the central bank is not an active participant in the payments market, payments issues are largely governed by the private Canadian Payments Association, which consists of credit unions and banks. Docherty argued that in Canada, consumers and payments providers are considered the first line of defense for fighting payments fraud, followed by the government.
In contrast to the payments environment in Canada, in the United States regulatory and legal incentives have always been a central aspect of payments. Christian Johnson, University of Utah S. J. Quinney College of Law,[18] noted that there are four types of laws that directly affect how payments fraud issues are handled (most of them involving the public sector): contracts between payments parties; state laws and regulations; federal laws and regulations; and international laws and treaties. All participants in the payments system must recognize these legal constraints. Greene highlighted the importance of the government in the extremely crowded and competitive U.S. payments market. He said that the payments industry is concerned that sharing data and strategies related to payments fraud prevention might be viewed as collusive, possibly leading to a need for objective government intervention. Richey noted that by setting uniform rules, the public sector would be in a unique position to get at the root of payments fraud. However, Richey cautioned that too much intervention would stifle innovation. Some audience members argued that a uniform set of standards for all payment channels, governed by one body, would greatly deter payments fraud. Ledig commented that the recent proposal by U.S. Treasury Secretary Henry M. Paulson, Jr., to give the Federal Reserve more power over all payment forms would be a step toward centralizing payments policy.[19] Charles Evans, president and chief executive officer, Federal Reserve Bank of Chicago, reiterated that one of the key responsibilities of the Federal Reserve is to maintain the integrity of the U.S. payments system. Malphrus suggested that even in the current framework, which does not give the Federal Reserve governance over the entire payments system, the Fed should take up both advisory and participatory roles for that system. Such a role would still let the private market thrive.
Some in the audience suggested that the Federal Reserve is in a unique position to advise on payments fraud issues, since it is both a direct participant and an overseer of the payments marketplace. Others, however, argued that these roles could prove conflicting for the Fed. Overall, conference participants seemed to favor a balanced approach of government and central bank intervention with support that would still allow the private market to police itself.

Conclusion

Participants in the conference felt that some level of fraud will always remain: Fraud could be eliminated entirely from the market only by shutting down active payment channels. However, a consensus was reached that the effects of data breaches and information compromises can be minimized through a holistic approach to data security. Such an approach would recognize the importance of cooperation within and across companies and among various actors in the private market. This cooperation would also be advanced by government actions that are able to bring more uniformity to fraud mitigation without stifling innovation. Fraud is an ongoing issue in the payments market, and the fast pace of technological change is likely to bring new opportunities for fraud to occur at the same time that it will spur more efficient fraud mitigation solutions. Policy leaders around the globe are struggling to define new rules and expectations of market participants, and industry leaders have different perspectives on the state of payments fraud and its future. The articles included in this volume represent various views on payments fraud from academic and industry speakers at the Federal Reserve Bank of Chicago’s 2008 Payments Conference.

Notes

1. Identity theft is another aspect of payments fraud. However, when payments information is used to help criminals obtain information about consumers in order to commit identity theft, the crime goes beyond payments. We do not focus on identity theft in this article.

2. Association for Financial Professionals, 2008, “2008 AFP Payments Fraud and Control Survey: Report of survey results,” Bethesda, MD, March, available at www.afponline.org/pub/pdf/2008PaymentsFraudandContolSurvey.pdf. The survey includes a variety of types of organizations from merchants and manufacturers to financial institutions to government agencies.

3. Conspirators obtained the credit card and debit card numbers by hacking into TJX Companies’ wireless computer networks. At the time, TJX Companies was in the process of becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS), which defines guidelines for merchants’ handling and processing of payment card data in order to prevent card fraud and data breaches. See Brad Stone, 2008, “Global trail of an online crime ring,” New York Times, August 11, available at www.nytimes.com/2008/08/12/technology/12theft.html. Also see www.privacyrights.org.

4. For more information, see Katy Jacob and Bruce J. Summers, 2008, “Assessing the landscape of payments fraud,” Chicago Fed Letter, Federal Reserve Bank of Chicago, No. 252, July.

5. A phishing attack uses randomly distributed emails to attempt to trick recipients into disclosing personal information, such as account numbers, passwords, or Social Security numbers. See www.spamlaws.com/online-credit-card-fraud.html.

6. In March 2007, the Federal Reserve Bank of Minneapolis held a roundtable discussion on payments fraud. A variety of market participants and regulators participated in the discussion. At this roundtable, participants revealed varying levels of comfort with the current state of payments fraud. See Board of Governors of the Federal Reserve System, 2007, “A summary of the roundtable discussion on retail payments fraud,” report, Washington, DC, July.

7. Phishing is explained in note 5. During a pharming attack, a hacker tampers with the domain name resolution process so that users might go to the website of a legitimate financial institution and be unknowingly routed to a compromised site, where they reveal their personal information. A skimming device is one that is mounted to an automated teller machine or point-of-sale machine to copy encoded data from the magnetic stripe on the back of a payment card. For more information, see www.spamlaws.com/online-credit-card-fraud.html.

8. Perimeter security refers to security systems that are developed to stop criminals from getting inside a network or database. In a SQL injection attack, a hacker uses knowledge of the SQL programming language to obtain hidden information in a database or network.

9. For more on mobile payments, see Katy Jacob, 2007, “Are mobile payments the smart cards of the aughts?,” Chicago Fed Letter, Federal Reserve Bank of Chicago, No. 240, July.

10. Bruce Cundiff, 2007, “Online payments forecast: Alternative payments to go mainstream as consumers seek security and convenience,” Javelin Strategy and Research, report, September.

11. Prepaid cards allow users to pay merchants with funds transferred in advance to a prepaid account. For a summary on prepaid cards, see Sujit Chakravorti and Victor Lubasi, 2006, “Payment instrument choice: The case of prepaid cards,” Economic Perspectives, Federal Reserve Bank of Chicago, Vol. 30, No. 2, Second Quarter, pp. 29–43.

12. Capital One was the first issuer to develop a decoupled debit card in June 2007. HSBC (Hongkong and Shanghai Banking Corporation), along with Tempo Payments, developed a decoupled debit program in July 2007. See M. Bruno-Britz, 2008, “Rethinking the card business: The evolution of payment cards,” Bank Systems and Technology, Vol. 45, No. 2, February, pp. 31–35. Also see M. Bruno-Britz, 2007, “Debit cards: Cutting the debit ties,” Bank Systems and Technology, Vol. 44, No. 11, November, p. 14.

13. For more information about issues related to online payments fraud, see Thomas P. Brown and Richard A. Epstein, 2008, “Cybersecurity in the payment card industry,” University of Chicago Law Review, Vol. 75, No. 1, Winter, pp. 203–223.

14. For some details on the Check Clearing for the 21st Century Act, see www.federalreserve.gov/paymentsystems/truncation/.

15. A neural network is a system of programs and data structures that mimics the neurons in the human brain. Neural networks “remember” information and data in complex ways. See www.webopedia.com/TERM/N/neural_network.html.

16. Amromin stood in for William Roberds, Federal Reserve Bank of Atlanta, who was scheduled to moderate the final panel but was unable to attend. For more on Roberds’ perspective of payments fraud, see Michele Braun, James McAndrews, William Roberds, and Richard Sullivan, 2008, “Understanding risk management in emerging retail payments,” Economic Policy Review, Federal Reserve Bank of New York, Vol. 14, No. 2, September, pp. 137–159.

17. For a more detailed argument for an increased governmental role in payments, see Stacey L. Schreft, 2007, “Risks of identify theft: Can the market protect the payment system?,” Economic Review, Federal Reserve Bank of Kansas City, Fourth Quarter, pp. 5–40.

18. Ronald Mann, Columbia Law School, was originally slated to moderate the panel on fraud loss and dispute resolution. Christian Johnson moderated in his absence.

19. The proposal states: “Treasury recommends the creation of a federal charter for systemically important payment and settlement systems. The Federal Reserve should have primary oversight responsibilities for such systems.” See U.S. Department of the Treasury, 2008, The Department of the Treasury Blueprint for a Modernized Financial Regulatory Structure, report, Washington, DC, March, available at www.treas.gov/press/releases/reports/Blueprint.pdf.

2008 Payments Conference
Payments Fraud: Perception Versus Reality

Thursday, June 5, 2008

Introduction and Welcome
Gordon Werkema, First Vice President and Chief Operating Officer, Federal Reserve Bank of Chicago

KEYNOTE SPEECH
Divided We Fall: Fighting Payments Fraud Together
Mark Greene, Chief Executive Officer, Fair Isaac Corporation

Identifying Security Issues in the Retail Payments System
Moderator: Robert Ledig, Partner, Fried, Frank, Harris, Shriver & Jacobson LLP
Panelists: David Poe, Managing Director, Edgar, Dunn & Company; Ellen Richey, Chief Enterprise Risk Officer, Visa Inc.
Talking Points: What are the main security threats to retail payments? What are the potential costs of payments fraud and of solutions to guard against it? What role, if any, should public authorities play to protect payments system participants from these threats?

Fraud Containment
Moderator: Bruce Summers, Payment System and Technology Management Consultant
Panelists: Jeff Schmidt, Consultant; Bob West, Chief Executive Officer, Echelon One; Mallory Duncan, Senior Vice President and General Counsel, National Retail Federation
Talking Points: What are the most common forms of retail payments fraud? What are the most effective fraud reduction tools, and how have these tools evolved to support “real-time” payments? How do payment providers and merchants balance fraud risk and consumer convenience?

Fraud Loss and Dispute Resolution
Moderator: Christian Johnson, Professor, University of Utah S. J. Quinney College of Law
Panelists: Mark Michelon, Senior Director, E-commerce Risk and Revenue Protection, Orbitz Worldwide; Duncan Douglass, Partner, Alston & Bird LLP; Charles Docherty, Legal Counsel, MBNA Canada Bank
Talking Points: Who is responsible for mitigating fraud in the payments system, and what are the consequences of that responsibility? How are losses allocated when fraud occurs?
Do current fraud resolution measures distort incentives for payments system participants to adequately secure payment information? Friday, June 6, 2008 Welcome and Introduction Daniel G. Sullivan, Senior Vice President and Director of Research, Federal Reserve Bank of Chicago Security Risks and Solutions in Emerging Payment Channels Moderator: Bruce Cundiff, Director of Payments Research, Javelin Strategy and Research Panelists David Walker, President and Chief Executive Officer, Electronic Check Clearing House Organization (ECCHO) Paul Tomasofsky, President, Two Sparrows Consulting LLC Kevin Fu, Assistant Professor, University of Massachusetts Amherst Talking Points Do new payment channels, such as mobile, electronic images of checks, and decoupled debit, entail different fraud risks? Are new tools necessary to minimize risks associated with emerging payment platforms? Do these new channels provide any security features that mitigate risk in the payments system? KEYNOTE SPEECH Introduction: Charles L. Evans, President and Chief Executive Officer, Federal Reserve Bank of Chicago Steve Malphrus, Staff Director for Management, Board of Governors of the Federal Reserve System Public and Private Responses to Payments Fraud Moderator: William Roberds, Research Economist and Policy Advisor, Federal Reserve Bank of Atlanta Panelists Judith Rinearson, Partner, Bryan Cave LLP Allison Edwards, Director of Product Development, Fiserv EFT Marsha McClellan, Chief, Money Laundering and Asset Forfeiture, United States Attorney’s Office for the Northern District of Illinois Talking Points How can the government define its role in fraud containment without stifling innovation? Should different payment instruments have similar laws and regulations governing them? Have standards been an effective tool in combating payments fraud? 
CLOSING REMARKS
Sujit Chakravorti, Senior Economist, Federal Reserve Bank of Chicago

2009 Payments Conference
Payments Pricing: Who Bears the Cost?
May 14-15, 2009

As consumers and merchants increasingly adopt electronic payments, the pricing of these services has generated substantial scrutiny around the world. Some public authorities have directly intervened in the payments market. Others have relied more heavily on the private market to develop payments pricing strategies. Moreover, innovative vehicles and business models may increase competition, resulting in greater choice to payments system participants. However, these products may not provide the same benefits as traditional debit and credit cards.

In light of these developments, the Federal Reserve Bank of Chicago will host its ninth annual Payments Conference, Payments Pricing: Who Bears the Cost? During this two-day event held at the Chicago Fed on May 14-15, 2009, we will focus on the following:
■ Evaluating the role of public intervention;
■ Comparing perspectives on market-based solutions;
■ Offering incentives to affect payments behavior;
■ Leveraging technology to increase competition; and
■ Developing future payments pricing strategies.

Who should attend?
Decision-makers from financial institutions, payment networks, regulatory bodies, central banks, merchants, and payment innovators, as well as academics.

Registration
Early Registration Discount—before March 6, 2009: $350
Registration from March 6, 2009, through May 1, 2009: $450
Registration received after May 1, 2009: $550
Cancellations after May 1, 2009, will not be refunded. Please notify us in writing of any substitutions.

Hotel Reservations
Union League Club of Chicago, 65 W. Jackson Blvd., Chicago, IL 60604, (312) 427-7800, www.ulcc.org
Hotel Blake, 500 S. Dearborn St., Chicago, IL 60605, (312) 986-1234, www.hotelblake.com

For more information, please visit www.chicagofed.org/paymentsystems or contact Susan Parren at (312) 322-4021 or susan.parren@chi.frb.org.

Fraud containment

Bruce J. Summers

Fraud is an unfortunate aspect of the technical efficiency of the payment system, which is measured by the quality of its operational performance and cost.1 Fraud degrades operational performance and increases cost— not only for the parties to the transaction(s) whose payments are disrupted, but for the payment system as a whole. Indeed, any serious consideration of payments fraud must account not only for the readily measurable business and consumer impacts of such fraud, but also for impacts on the performance and cost efficiency of the payment system.

Today’s panel2 on fraud containment has been asked to identify the most common forms of retail payments fraud; the most effective fraud reduction tools, especially those pertaining to real-time payments; and approaches that payment providers and merchants take to balance fraud risk and consumer convenience. In taking up the last issue in particular we will attempt to provide a broad perspective that addresses the consequences of fraud not only for individual businesses and consumers, but for the integrity of the payment system as a whole.

While the focus of the conference is, naturally, on the U.S. payment system, it should be noted at the outset that the fraud problem is global, affecting many national payment systems and cross-border payment arrangements. For example, payment system fraud poses a threat to the internal market for payments in the European Union and is therefore receiving prominent attention in Europe.3 My sense is that the main payment system fraud concerns and issues in the U.S. and Europe are very similar and that we have a lot to learn from each other’s experiences and responses.
Accordingly, we should consider today’s discussion part of a global dialogue about payment system fraud, and we should be open to opportunities to be informed by the international debate. This is especially so with regard to the public policy responses to the fraud problem.

The members of the panel bring an ideal combination of informed perspective and practical experience to bear on the problem of fraud. We have an information security technologist, a banking security practitioner, and a seasoned retail industry lawyer who has been concerned with customer data privacy and protection. Each of the panelists, whom I will introduce in a few minutes, will take 15 minutes to present his perspectives, and then we look forward to taking your questions and engaging in dialogue with you.

I would like to begin with some introductory remarks intended to set the stage for the panel discussion. In particular, I want to crystallize the business and public policy issues that involve containment of retail payments fraud. I will do so by summarizing the thinking of practitioners (by which I mean the providers and corporate users of payment services) and economists about fraud and efforts to contain it. The views of these two groups vary somewhat and are important because they influence public policy. You will understand that my background as a central bank economist, and also as a payments product manager and technology manager, has a strong bearing on how I cast the issues.

Bruce J. Summers is an independent consultant on payment systems and technology management. He is the former director of Federal Reserve Information Technology. The author thanks Katy Jacob and Tara Rice for their assistance in the preparation of this article.

Economists’ view of payments fraud

Payment system economists are principally interested in the most effective and efficient possible operation of the payment system. Of course, economists also respect the role of markets in delivering efficient outcomes, and the payment system market is no exception. From the perspective of economic analysis, however, payment systems and markets are thought of as special because they entail something called “network effects” and “two-sided” services, which are characteristic of public goods.4 Payment markets, moreover, may not always function like perfect markets because of the presence of “externalities,” meaning that the costs and/or benefits associated with payment services are not always recognized by the parties to commercial transactions. As an example, my decision to use a risky means of payment may be a relatively easy one if it imposes costs on others and on the payment system, but not so much on myself. In addition, the markets may suffer from “asymmetrical information,” meaning that the sellers and buyers of payment services are not equally well informed about the riskiness of a particular payment service. For example, as a buyer I may not know as much as I would want or need to know about how well my personal payment information is secured in the service provider’s systems.

For these reasons, as I will describe later, some economists see a natural role for the public authorities in helping control payment system fraud. They might do so by issuing regulations that specify the amount and type of disclosure required for payment service security, by enforcing those and other regulations, and possibly by facilitating industry-wide practices that lead to desired effectiveness and efficiency outcomes for the payment system.

The views of economists are often informed by observed experience, and accordingly, I would like to share with you some lessons learned by practitioners who have met the business challenge of delivering effective, efficient, secure, and well-controlled payment services, especially as it pertains to security.
They have found, first, that security is hard to achieve and ensure, and it requires relentless attention. Second, security is very expensive to produce and can impose indirect but nonetheless very real costs on consumers through the “user experience.” Third, cooperation across the supply chain is not only desirable but also necessary to achieve meaningful outcomes for customers because security is “only as strong as the weakest link,” as the adage goes. Fourth, certain aspects of technology, and security in particular, are moving outside the banks’ sphere of core competency, leading to outsourcing as a means of staying ahead of the curve; this leads to new types of risk that must be managed. Finally, the reputational risk associated with providing payment services is of greatest consequence to boards of directors of banking institutions because the success of the banking franchise depends on reputation and trust. Any business consideration of fraud containment must start with the board of directors and the corporate culture surrounding the private market approach to fraud containment.

The Federal Reserve’s role

A word or two about the Federal Reserve’s operational responsibilities in the payments marketplace will help illustrate that the Fed is in close touch with business and operational realities faced by practitioners. The Federal Reserve Banks directly provide retail payment services, primarily check, electronic check, and automated clearinghouse (ACH), for which they charge fees that are designed to recover the full costs of operation. They also produce retail payment services on behalf of the U.S. Department of the Treasury in their role as fiscal agents. This includes electronic payment services in support of the Treasury’s public debt and, if I can put it in these terms, accounts receivable and payable operations. The Fed thereby indirectly interacts with a large proportion of the retail public.
Moreover, and perhaps especially important in the context of today’s discussion, the Federal Reserve Banks’ electronic payment operations are Internet-intensive, meaning that the public Internet figures prominently in the delivery of their services. This brings the reality of public networking and protection of customer information very close to home for the Federal Reserve Banks. Speaking of close to home, this is an opportunity to recognize the leading role played by the host of this conference, the Federal Reserve Bank of Chicago, as the Reserve Bank responsible for the content, quality, security, and bottom line financial viability of the Federal Reserve’s electronic payments. The Chicago Fed deserves to be recognized as the U.S. central bank’s Internet payments pioneer.

An industry perspective of payments fraud

The current state of thinking by industry practitioners about retail payment system fraud is well represented by the diverse cross section of participants in a 2007 roundtable on the subject sponsored by the Federal Reserve Board’s Payments System Policy Advisory Committee.5 The roundtable, which included representatives of banks, nonbank payment providers, card companies, and technologists, produced a variety of views but also a broad consensus on some important points. There was consensus that the current level of payments fraud is being effectively managed and that organizations must constantly adapt to keep pace with criminal activity, technology-driven change, and innovation in the payment system. At the same time, the industry representatives concluded that it will never be possible to eradicate fraud completely and that the never-ending challenge of fraud prevention must balance costs and benefits. While the roundtable participants indicated that the dollar value of fraud relative to business revenue is declining, their business costs of fraud mitigation are both substantial and trending upward.
An especially interesting consensus emerged: The payment instrument that is the principal source of fraud losses on a comparative basis is the traditional paper check. We should try to validate this observation today and, depending on the outcome, reflect on the implications for future fraud containment as reliance on electronic payments continues to increase. The roundtable participants spoke to the challenges posed by the Internet as a source of fraud, since it allows fraud that is directed to the domestic payment system to originate anywhere in the world. Some took a broad view of payments fraud by saying—rightly so in my view—that protecting customer information is part of the responsibility shouldered by payment providers. In the end, it was noted that detecting and preventing retail payments fraud requires a holistic approach that includes not only designing and producing well-secured payment services, but also encouraging and helping customers to practice good security behaviors.

The roundtable made three suggestions for improving fraud detection and prevention. These are to increase 1) industry-wide information sharing and collaboration, 2) use of enhanced authentication technologies, and 3) adoption of the standards set by the PCI (Payment Card Industry) Security Standards Council LLC.6

The consensus reached by the roundtable is supported by the results of a somewhat earlier survey of approximately 100 large nonfinancial firms that actively use a variety of payment services.7 In the survey, each firm identified its most important payment processing needs and those needs that are least well met. While the firms participating in the survey generally responded that controlling fraud is very or critically important, a relatively low percentage responded that they are dissatisfied with the ability of current payment methods to control fraud. Consequently, other payment improvements, such as the ability to track transactions, emerged as needing higher priority attention than fraud containment.

Public versus private responses to payments fraud

The evidence suggests that practitioners are comfortable with the current state of fraud control in the retail payments marketplace. Their views can be contrasted with those of economists who take a public policy interest in the payment system. Economists’ current thinking about retail payment system fraud is somewhat more difficult to discern than that of practitioners because it has a work-in-process quality to it. Nonetheless, some recent economic analysis suggests that the view of economists is likely to be a bit less sanguine than that of the practitioners in the retail payment industry. There seems to be the sense that market incentives and mechanisms per se are not up to the task of containing fraud and possibly other operational risks to a degree that optimizes overall payment system effectiveness and efficiency, and indeed they might not even maintain the integrity of the payment system as it continues to evolve. Two recent economic analyses undertaken within the central banking community suggest that the growing role of third-party, or nonbank, providers of payment services is a cause for concern and, moreover, that the public-good aspects of payment systems call for a more active governmental role. Let me elaborate briefly on some of the main conclusions from these analyses for they are important.
The role of nonbanks

A paper presented at the recent conference on nonbanks and risk in retail payments, sponsored jointly by the European Central Bank and the Bank of England, shows that nonbanks currently play an important role, especially in the United States, and will play an increasingly important role in a variety of retail payment systems worldwide.8 It argues that the growing nonbank presence has increased operational risk, including data security risk and, by extension, fraud risk. The paper also raises concerns about systemic operational disruptions as a consequence of concentrating operations among fewer key nonbank payment services providers. Finally, the paper speaks to the “payment system gatekeeper” role of banks and to the inherent difficulties that banks have in fulfilling their role while the operational locus shifts to nonbanks.

I think that it is very useful to measure and highlight the significant and increasing role of nonbanks in the retail payment system. At the same time, however, I question the conclusion that a more prominent operational role for nonbanks automatically increases operational risk. Electronic payments are among the most technology-intensive financial services. My practical experience with electronic payments is that the pace of change in the technology environment, including the technical capabilities that support fraud schemes, requires providers to operate on or near the technology frontier, especially if they want to stay a step ahead of the bad actors who perpetrate fraud. Staying a step ahead of payments fraud in this environment is simply not possible for banks to accomplish without forming business alliances and partnerships that mobilize the needed technology skills. These business partnerships more often than not take the form of outsourcing to nonbank specialists, which, if managed well, act to strengthen the payment system.

Also, I question whether concentrating the supply of sophisticated operational services, at least up to a point, necessarily increases operational risk. I think, again based on practical experience, that fragmented operations poorly performed, or performed below a recognized high standard, can be riskier than consolidated operations performed at the highest standard if due attention is given to security, business continuity, and operational contingency arrangements. Of course, operational cost is also a factor in that electronic processing exhibits natural economies of scale.

Information-dependent transactions

An additional paper relevant to the topic of fraud containment is that by a Federal Reserve Bank of Kansas City economist regarding the ability of the private sector alone to protect against the risk of identity theft and to protect the retail payment system.9 This paper focuses on “transactional identity” and “information-dependent transactions” involving noncash retail payments. It concludes that because of the problems with externalities and asymmetric information, the marketplace will not contain identity theft to an efficient degree; and as a result, the integrity and efficiency of the payment system, which we are to think of as a public good, are threatened. The concept of market failure is evoked and an active role for public authorities is envisioned to ensure the integrity of the payment system. Some examples of public policy prescriptions to deal with market failure—such as disclosure rules to address the asymmetric information problem and laws to clearly and comprehensively assign liability to address the problem with externalities—are very familiar to us. The paper holds out the more intriguing prospect of other payment system interventions by public authorities along the lines of the Federal Reserve’s lender of last resort role in the credit markets or the federal deposit insurance.
This economic analysis seems to be at odds with the views of industry practitioners who think that the payments fraud challenge, while significant, is within the power of the private sector to address. The challenge, I think, is to evaluate seriously what remains to be done in the realm of private sector initiatives to protect the integrity of the payment system, not just the integrity of individual service offerings.

Conclusion

As we head into the panel discussion, it will be important to keep in mind the apparent differences in how practitioners and payment system economists size up the problem of fraud, the ways in which it is contained, and the implications for public policy. In taking up the issues assigned to us—the most common types of payments fraud, the most effective tools to deal with these types of fraud, and the costs of containing fraud— the panelists will provide their business perspectives and also help us understand whether the private sector is able to do enough alone to contain fraud in a manner that protects the payment system as a whole. The issue of the integrity of the payment system becomes more important each day, as electronic real-time payments supplant conventional paper instruments, dependence on sophisticated technologies increases, and nonbanks come to play an increasingly important role as providers of payment services. Depending on the outcome of the debate, public policy institutions such as the Federal Reserve could come to play a more active and interventionist role in the payment system as regulators and supervisors, and nonbanks could come more directly under the regulatory and supervisory purview of the authorities.

NOTES

1 Bruce J. Summers, 1994, “The payment system in a market economy,” in The Payment System: Design, Management, and Supervision, Bruce J. Summers (ed.), Washington, DC: International Monetary Fund.

2 This panel, which I moderated, comprised Jeff Schmidt, an independent consultant; Bob West, chief executive officer, Echelon One; and Mallory Duncan, senior vice president and general counsel, National Retail Federation.

3 Commission of the European Communities, 2008, “Report on fraud regarding noncash means of payments in the EU: The implementation of the 2004–07 EU Action Plan,” commission staff working document, Brussels, Belgium, April 22.

4 A network effect occurs when the value to existing users of a product or service increases as the number of additional users increases. Rochet and Tirole define a two-sided market as a market in which end-users are unable to negotiate prices based on costs to participate on a platform and the price structure affects the total volume of transactions; see Jean-Charles Rochet and Jean Tirole, 2006, “Two-sided markets: A progress report,” RAND Journal of Economics, Vol. 37, No. 3, Autumn, pp. 645–667. For further discussion on network effects and two-sided markets, see Wilko Bolt and Sujit Chakravorti, 2008, “Economics of payment cards: A status report,” Economic Perspectives, Federal Reserve Bank of Chicago, Vol. 32, No. 4, Fourth Quarter, pp. 15–27.

5 See Board of Governors of the Federal Reserve System, 2007, “A summary of the roundtable discussion on retail payments fraud,” report, Washington, DC, July. This article summarizes the roundtable discussion on payments fraud held on March 27, 2007, at the Federal Reserve Bank of Minneapolis. For details on the Fed’s Payments System Policy Advisory Committee, see www.federalreserve.gov/paymentsystems/comm/default.htm.

6 Experience shows that continuous and timely strengthening of recommended standards deserves as much emphasis as does their adoption. For example, it has been reported recently that the standards set by the PCI Security Standards Council provide incomplete protection of “data in transit” through telecommunications channels. See Associated Press, 2008, “Credit card breach raises broad concerns,” New York Times, March 23, and Joseph Pereira, 2008, “Credit card security falters,” Wall Street Journal, April 29.

7 Sandy Krieger and Michele Braun, 2004, “Opportunities to improve payments services: Results from a survey of large corporations,” Federal Reserve Bank of New York, report, July.

8 Simonetta Rosati, Terri Bradford, Fumiko Hayashi, Christian Hung, Richard J. Sullivan, Zhu Wang, and Stuart E. Weiner, 2007, “Nonbanks and risk in retail payments,” Federal Reserve Bank of Kansas City, Payments System Research, working paper, No. 07-02. This paper was presented at the joint European Central Bank–Bank of England conference on payment systems and financial stability, which was held on November 12–13, 2007, in Frankfurt, Germany.

9 Stacey L. Schreft, 2007, “Risks of identity theft: Can the market protect the payment system?,” Economic Review, Federal Reserve Bank of Kansas City, Fourth Quarter, pp. 5–40.

Data security, privacy, and identity theft: The economics behind the policy debates

William Roberds and Stacey L. Schreft

Introduction and summary

A byproduct of improved information technology has been a loss of privacy. Personal information that was once confined to dusty archives can now be readily obtained from proprietary data services, or it may be freely available (and, as Facebook users know, often voluntarily provided and accessible) through the Internet. While the increased collection and dissemination of personal data have undoubtedly provided economic benefits, they have also diminished people’s sense of privacy and, in some cases, given rise to new types of crime. Is this loss of privacy good or bad?
Press accounts repeatedly argue the latter: Too much data are being collected in ways that are too easy for criminals to access.1 But in a thought-provoking essay, Swire (2003) argues that a meaningful answer to this question requires some notion of efficient confidentiality of personal data—that is, of a degree of privacy that properly balances the costs and benefits of our newfound loss of anonymity. In this article, we explore the concept of efficient confidentiality, using some ideas from economic theory.

Loss of privacy: The costs are large and easy to find

The most dramatic consequence of the increased availability of personal information has been the emergence of a new form of payment fraud, identity theft. The 1998 U.S. Identity Theft and Assumption Deterrence Act (ITADA) defines identity theft as the knowing transfer, possession, or usage of any name or number that identifies another person, with the intent of committing or aiding or abetting a crime. Traditional varieties of identity theft, such as check forgery, have long flourished, but over the last decade, identity theft has become a major category of crime and a significant policy issue.2

Identity theft takes many guises, but it is divided into two general categories: existing account fraud and new account fraud. Existing account fraud occurs when a thief uses an existing credit card or similar account information to illicitly obtain money or goods. New account fraud (traditionally) occurs when a thief makes use of another individual’s personal information to open one or more new accounts in the victim’s name. Both types of identity theft depend on easy access to other people’s data.

Today, identity theft is big business. A study conducted by the Federal Trade Commission (FTC), encompassing both new account fraud and existing account fraud, indicates that in 2006 identity thieves stole about $49.3 billion from U.S.
consumers.3 When the time and out-of-pocket costs incurred to resolve the crime are added in, identity theft cost U.S. consumers $61 billion in 2006 (Schreft, 2007). Even this is a conservative estimate, however, as it omits certain categories of identity theft and some types of costs that are not generally known to consumers. For example, an increasingly prevalent type of identity theft is fictitious or synthetic identity fraud, in which a thief combines information taken from a variety of sources to open accounts in the name of a new fictitious identity (Cheney, 2005; and Coggeshall, 2007). There is no single victim, in contrast to traditional types of identity theft, but retailers and ultimately consumers end up bearing the cost.

Much of the data used in identity theft is obtained through low-tech channels. In consumer surveys, victims who know how their identifying information was stolen commonly attribute identity theft to stolen wallets or mail or to personal acquaintance with the identity thief (Kim, 2008). In these same surveys, however, the large majority of identity theft victims are unable to pinpoint how the thief obtained their data. Available evidence suggests that much of these data are obtained through illicit access (called “breaches”) of commercial or government databases. Statistics on data breaches are available from information security websites, such as Attrition.org and the Identity Theft Resource Center (www.idtheftcenter.org). Certainly data breaches are numerous and increasing: Attrition.org lists 326 reported data breach “incidents” for 2007, leading to the compromise of 162 million records of personal data, as compared with 11 reported incidents and 6 million compromised records in 2003.4 These numbers must be placed in perspective. A data breach does not necessarily lead to identity theft, and one reason for the upsurge in reported breaches is the spread of state laws that require consumer notification when a data breach occurs (Anderson, Durbin, and Salinger, 2008). Nevertheless, there is widespread recognition that data breaches promote identity theft. A strong demonstration of this can be found in the August 2008 indictment of an 11-person, global identity theft ring, responsible for the theft of 41 million credit card and debit card numbers, as well as hundreds of millions of dollars in fraud losses.5

William Roberds is a research economist and policy advisor in the Research Department at the Federal Reserve Bank of Atlanta. Stacey L. Schreft is a director of investment strategy at The Mutual Fund Research Center LLC. The views expressed in this article are not necessarily those of the Federal Reserve Bank of Atlanta or The Mutual Fund Research Center LLC.

The benefits of loss of privacy: More subtle, but substantial

If identity theft costs the U.S. economy so much, are there offsetting benefits? To try and make sense of this question, we will employ a branch of economics known as monetary theory. Broadly speaking, monetary theory seeks to understand how transactions are structured within an economy. The classic model of monetary theory was proposed by Knut Wicksell (1935). Wicksell’s model economy is depicted in figure 1 and consists of only three individuals: Andy, Bob, and Clyde (A, B, and C, for short). Andy can produce a good valued by Bob, Bob can produce a good valued by Clyde, and Clyde can produce a good valued by Andy. The point of Wicksell’s model is that in real-world economies, transactions typically happen between people who cannot deal through simple barter. For example, when Andy and Bob meet, Bob would like to purchase Andy’s good, but the good that Bob has available to trade is only valued by Clyde. How should exchange proceed? One way to solve this problem is through the use of cash.
Figure 1: Wicksell triangle (diagram of A, B, and C at the corners of a triangle). Note: See the text for further details. Source: Wicksell (1935).

Suppose that A and B meet on every Monday, B and C meet on every Wednesday, and A and C on Fridays. Then if everyone agrees that the goods they exchange are each worth $1, the economy can function perfectly well with a “money supply” of two dollar bills.6 For example, Bob sells his good to Clyde on every Wednesday, earning a dollar that he uses to buy Andy’s good the following Monday. Andy uses this dollar to buy a good from Clyde every Friday, and so on. This “Wicksell triangle” shows how cash can function as a sort of recordkeeping system for transactions within an economy; every dollar that someone spends is proof of an earlier sale by the same person.7

Cash has some well-known limitations, however—some of which appear even in the context of this simple model. For example, if Clyde gets sick or otherwise fails to show up one Wednesday, then Bob will have no money with which to make next Monday’s purchase. In practice, cash has other drawbacks, including risk of counterfeit or theft, the inconvenience of finding an automated teller machine (ATM), limited usefulness in telephone and Internet transactions, and the fact that it does not pay interest.

The alternative to cash is credit. In Wicksell’s model economy, cash would not be needed if A, B, and C could get together and agree that each individual would receive a good of their preferred type, so long as they had provided a good to someone else the previous week. That way, if an individual occasionally was unable to sell his good during one week, he could still purchase goods on the expectation that he would resume sales the following week. The value of this additional exchange of goods, beyond what would be possible if all transactions were only in cash, is known as a credit benefit.
Paying by credit has other advantages, which are the “mirror image” of the disadvantages of cash: fewer trips to the bank, less liability in case of theft, ease in transactions at a distance, and the reduced need to carry non-interest-bearing cash.8

Any estimate of the total credit benefit in an economy is somewhat speculative, since it involves the comparison of the value of exchange in an actual economy to the value of exchange in a hypothetical economy where only cash is available for most transactions.9 For a developed economy such as that of the U.S., however, this benefit is almost certainly quite large. For example, in 2006 (the year of the FTC identity theft survey), U.S. residents made about $3 trillion in purchases, using credit and debit cards.10 If the credit benefit of these transactions alone (ignoring other types of credit transactions) amounted to, say, just 5 percent of their total value, the resulting benefit to the overall economy would be $150 billion—more than enough to outweigh the estimated costs of identity theft. In the rest of this article, we will argue that some loss of privacy is central to the provision of this credit benefit.

Identity: Real and transactional

In Wicksell’s model economy, there’s no chance of identity theft. Andy, Bob, and Clyde are well known to one another, and as long as one of their mutual friends (say, Dave) can keep a tally of who’s provided a good to whom, it would be easy to maintain a credit-based system of exchange. This system would be self-enforcing, since any shirking by one party would quickly be noted by Dave and immediately become apparent to the other parties.11 Such informal credit systems are common among friends and families, in primitive societies, and in other settings with limited social interactions. But most transactions in today’s economy are either between 1) parties who are total strangers, and/or 2) parties who feel no particular sense of obligation toward one another.
Credit in such situations requires some system to control two types of risk. The first type of risk is credit risk—the risk that the purchaser may not repay the debt incurred. Overcoming credit risk requires a way to keep track of “credit histories,” that is, a way to restrict the use of credit to people who habitually pay their bills. The second type of risk is fraud risk—the risk of deception by the purchaser. Overcoming fraud risk requires a way to associate transactors with credit histories: For example, I may have a spotless credit record, but somehow that information has to be conveyed to the grocery store before I’m allowed to leave the store with a bag of groceries. To be effective, both types of services require the accumulation, storage, and distribution of large amounts of personal data. But the data required by the second service concern a person’s identity, and are bound to be of a more confidential and controversial nature.12

“Identity” in general refers to all the distinguishing attributes of an individual—potentially a very long list. The term personal identifying data (PID) is used to describe some portion of a person’s identity—name, birth date, Social Security number, etc.—that is readily observable by others. In order to distinguish individuals, the credit bureaus, credit card companies, data brokers, and other parties in the credit industry have compiled large databases of PID. These subsets of a person’s “real” identity that are stored by these parties and used in transacting can be thought of as transactional identities (Schreft, 2007). Once the relevant data have been verified, a person’s transactional identity may be augmented by the creation of new, synthetic data unique to that person, such as a credit card number, PIN (personal identification number), and so on (Kahn and Roberds, 2008).
A typical credit transaction—say, a purchase of a bag of groceries, using a credit or debit card—can be thought of as a merchant exchanging goods in return for two essential pieces of payment information corresponding to the types of risk described previously: 1) that the purchaser, based on his credit history, is likely to pay his bill13 and 2) that the purchaser’s transactional identity is genuine so that the consumer is not a fraudster.

Transactional identities as club goods

All credit-based payments require systems for processing valuable information. We can think of this information (credit histories and transactional identities) as economic goods, or items having value in exchange. These goods have value, since they facilitate the exchange of other goods (say, groceries) that people want to consume. Electronic versions of payment data, once amassed, can be stored at a few locations and then shared among payment system participants at very low cost. The data used in credit-based transactions meet Varian’s (1998) description of a digital good, a good that can be stored and transferred in digital form. Digital goods are also nonrival goods, meaning that they are not diminished by successive use. This distinguishes them from rival goods, such as cars and cornflakes; one individual’s consumption of a rival good diminishes or eliminates the possibility of another person consuming it. Other examples of digital (and also nonrival) goods are given by the electronic information that is incorporated into broadcast and cable television, computer programming, or recorded music and video: For instance, my consumption of an episode of American Idol does not diminish another’s enjoyment of the same episode. The same holds true with payment data, including transactional identities: The fact that Wal-Mart knows that I am not a fraudster does not diminish the value of the same information to Home Depot.
Nonrival goods are classified as club goods or public goods. A club good is an excludable nonrival good—that is, one for which a group or individual can be excluded from consuming (for example, cable TV programming).14 A public good is a nonexcludable nonrival good—that is, one for which access cannot be limited (for example, national defense or clean air). The club good classification is more appropriate for payment information, since access to this information can be controlled (to a greater or lesser degree).

The “nonrivalness” of electronic payment information is a tremendous source of economic efficiency. Turning the clock back several decades, in any retail situation involving credit, a merchant had to independently come by the information needed to assess a customer’s creditworthiness. The high cost of this information meant that credit was impractical in many situations, for example, during travel or for small transactions. The development of the credit industry (the large databases of credit histories and transactional identities, credit and debit cards, electronic authorization procedures, and antifraud technologies) has meant that merchants can take advantage of economies of scale in managing this information, and has spread the costs of information management over a larger group of merchants (and, ultimately, consumers).15 This has, in turn, increased the credit benefit available to society as a whole.

Of course, the transformation of payment information into a nonrival good has not occurred in isolation. All kinds of data (music, video, maps, encyclopedias, and celebrity gossip) have been widely digitized, and thanks to the essentially nonrival nature of digital goods, they are rapidly accumulated and widely disseminated.

The dark side of nonrivalness

A central feature of any digital good is its quality. Recorded music or video, for example, is useless if the original is garbled.
A potentially interesting website may seem less so if it is known to harbor computer viruses. Quality is especially critical for payment data because people using a payment system expect it to work flawlessly virtually 100 percent of the time. Contamination of a payment system’s data through even a few errors or instances of fraud can quickly erode its value.

A “dark side” of the efficient production of payment information is that it can compromise quality; that is, it can facilitate fraudulent activity as well as legitimate use. Once a fraudster has assumed another person’s transactional identity (through either new or existing account fraud), the fraudster becomes an apparently legitimate participant in one or more payment systems and, by extension, a legitimate participant in the eyes of many participants in those systems. This vulnerability means that payment data, as an economic good, will only have value in the presence of the complementary good “data integrity,” which is the quality and reliability of the data incorporated into the payment system (Braun et al., 2008).16 Data integrity, like the underlying payment data, is a nonrival (club) good: The assurance that a payment information database is secure against data breaches is not diminished by successive use.

Another widely recognized drawback of modern payment arrangements stems from the more difficult to measure, but nonetheless important, consequences of diminished privacy. That is, the digitization of personal data contained in transactional identities has made these data available to many more people than ever before, often with negative consequences. These may take the form of intangible, but undeniable, costs in terms of people’s loss of a “sense of space” about their personal lives. Or, for victims of identity theft, these costs may assume a more concrete form, through harassment by bill collectors, misplaced civil lawsuits, or even criminal investigations.
Many current payments and credit practices can be interpreted as attempts to partly restore the sense of privacy that may have existed in earlier times. When someone makes a purchase with a credit card, for example, that purchaser must effectively reveal some information to the merchant concerning his transactional identity—at least in the form of a relatively anonymous credit card number. This “surrender” of information represents a compromise between the merchant’s need to identify the purchaser and the purchaser’s desire to preserve his own privacy. Ideally, the merchant obtains enough information about the purchaser to determine that the transaction is legitimate, but no more. Consumers themselves have also undertaken forceful actions to safeguard their privacy, removing their names from public directories and mailboxes, installing paper shredders in their homes, and only giving out personal information to the most trusted parties.

Ironically, these very attempts to restore privacy may have contributed to the rise of identity theft, according to LoPucki (2003). LoPucki points out that in earlier times, individuals’ access to credit often depended on their public persona, that is, on their standing within a local community or circle of business associates. Those seeking access to credit had to sacrifice much of their privacy (say, by socializing with their neighbors on a regular basis or joining civic organizations) in order to gain a reputation as an upstanding and creditworthy individual. Modern information technology, by enabling “instant credit” between relatively anonymous parties, has reduced the need for a public persona, but it has also multiplied the potential for fraud.

Efficient confidentiality: Beyond supply and demand

Using the ideas outlined thus far, we can now look at the issue of efficient confidentiality.
The term confidentiality has a specific meaning in our context, which is the likelihood that a person’s transactional identity will not be observed by miscreants and put to inappropriate use. A person’s confidentiality can be thought of as an economic good, whose provision in the marketplace depends on two other economic goods: 1) the amount of PID incorporated into that person’s transactional identity and 2) the level of security for these data, or the degree of data integrity applied to the person’s transactional identity. An increase in the second good always improves confidentiality. An increase in the first good can improve confidentiality, up to a point. The more data that are collected (all else being equal), the more precise the identification of individuals is, and hence, the greater the availability of credit-based payment is throughout the economy. But increasing the amount of PID collected (again, all else being equal) reduces privacy and can also amplify the negative consequences that occur when such data are misused, eroding confidentiality.

How should we know if these two goods (data collection and data security) are being efficiently provided? Textbook economic theory says that for many goods, it is (conceptually, at least) easy to describe how that good can be efficiently provided: An efficient market exists for a good when its supply curve intersects with its demand curve. The demand curve for a good, in turn, is given by its marginal benefit to buyers, and the supply curve is determined by sellers’ marginal cost of producing that good. In a competitive industry, if the price of a good is above (below) its marginal cost, producers enter (leave) the industry until efficiency prevails. Unfortunately this familiar model doesn’t work for digital goods, since their marginal cost is practically zero.
Instead, a more typical pattern for digital goods is for there to be competition among a few large producers, which are able to take advantage of the extensive economies of scale in these goods’ production (think of the computer software and entertainment industries). Prices remain above marginal costs, so as to defray the costs of production. We see the same pattern in the construction of transactional identities by a relatively small number of large players such as credit bureaus, credit card networks, and card issuing banks.17 Through the accumulation of large amounts of PID, these organizations attempt to meet the demand for transactional identities that exists in the market economy. Just as with other digital goods, such as computer software and recorded video, it is hard to know whether these data are being efficiently collected and priced.18

The situation is different when we turn to the issue of data integrity. Because payment data are only useful if they are communicated (in some form), these data must be touched by a large number of hands to be of any value. A real-world list of such hands would include consumers, merchants, credit bureaus, banks, and payment processors. In other words, efficient production of data integrity, a club good, requires the cooperative efforts of a large number of “club members.” Large clubs often promote efficiency because they allow for economies of scale in the production of a good. But within large clubs, conflicts of interest can arise as to the amount of the good that should be provided. This is especially true for goods such as data integrity, for which the “weakest link” or “flood control” model of a nonrival good is often applicable (Hirshleifer, 1983). For a weakest link good, the total amount of the good provided to the club is equal to the lowest amount of the good supplied by a club member (the weakest link in a chain, or the lowest levee in a flood control system).
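The weakest-link model just described can be made concrete with a small simulation; the Python below is an added illustration written for this page, not code from the article or from Hirshleifer or Varian. It lets each club member choose a security effort, sets the club's data integrity to the lowest effort chosen, and shows that best-response play settles at the level preferred by the member with the least at stake, below the level that maximizes the club's total payoff. The breach-probability function, the stakes and the costs are assumptions made for the illustration.

```python
"""Weakest-link provision of data integrity: a constructed illustration.

Added example, not code from the article. Each club member i (a payment
processor, a merchant, ...) picks a security effort x_i at cost c_i * x_i.
The club's data integrity equals the LOWEST effort chosen, and member i
values a breach-free club at v_i (its stake). Functional forms, stakes and
costs are assumptions for the illustration.
"""
import math


def no_breach_prob(level: float) -> float:
    """Assumed probability that no breach occurs at club-wide integrity level x."""
    return 1.0 - math.exp(-level)


def member_payoff(i: int, efforts: list, stakes: list, costs: list) -> float:
    """Member i's payoff: stake times P(no breach at the weakest link) minus own cost."""
    level = min(efforts)  # weakest link: the club is only as secure as its laxest member
    return stakes[i] * no_breach_prob(level) - costs[i] * efforts[i]


def best_response(i: int, efforts: list, stakes: list, costs: list, grid: list) -> float:
    """Effort on the grid that maximizes member i's payoff, others' efforts held fixed."""
    best_x, best_u = grid[0], -math.inf
    for x in grid:
        trial = list(efforts)
        trial[i] = x
        u = member_payoff(i, trial, stakes, costs)
        if u > best_u + 1e-12:  # strict improvement only, so ties keep the lower effort
            best_x, best_u = x, u
    return best_x


def standalone_optimum(i: int, stakes: list, costs: list, grid: list) -> float:
    """Effort member i would choose if it alone determined the club's integrity level."""
    return max(grid, key=lambda x: stakes[i] * no_breach_prob(x) - costs[i] * x)


def weakest_link_equilibrium(stakes: list, costs: list, grid: list, max_rounds: int = 100) -> list:
    """Nash equilibrium efforts found by best-response dynamics from maximal effort.

    Effort above the weakest link is wasted, so everyone ratchets down to the
    level preferred by the member with the least at stake.
    """
    efforts = [grid[-1]] * len(stakes)
    for _ in range(max_rounds):
        changed = False
        for i in range(len(stakes)):
            x = best_response(i, efforts, stakes, costs, grid)
            if x != efforts[i]:
                efforts[i], changed = x, True
        if not changed:
            return efforts
    raise RuntimeError("best-response dynamics did not settle")


def social_optimum(stakes: list, costs: list, grid: list) -> float:
    """Common effort level maximizing the club's total payoff (internalizes all stakes)."""
    total_stake, total_cost = sum(stakes), sum(costs)
    return max(grid, key=lambda x: total_stake * no_breach_prob(x) - total_cost * x)


# Constructed club: a card processor with a lot at stake and a small merchant with little.
STAKES = [100.0, 5.0]  # value each member places on a breach-free club
COSTS = [1.0, 1.0]     # per-unit cost of security effort (same for both)
GRID = [round(k * 0.01, 2) for k in range(601)]  # candidate effort levels 0.00 .. 6.00


def run_example() -> dict:
    """Compare what each member wants, what the club ends up with, and the optimum."""
    return {
        "wanted": [standalone_optimum(i, STAKES, COSTS, GRID) for i in range(len(STAKES))],
        "equilibrium": weakest_link_equilibrium(STAKES, COSTS, GRID),
        "optimum": social_optimum(STAKES, COSTS, GRID),
    }


if __name__ == "__main__":
    r = run_example()
    print(f"each member alone would choose: {r['wanted']}")        # about [4.61, 1.61]
    print(f"weakest-link equilibrium:       {r['equilibrium']}")   # both at the merchant's 1.61
    print(f"club-wide optimum:              {r['optimum']}")       # about 3.96
```

The processor would happily secure its own systems at a much higher level, but since the club's integrity is capped by the merchant's choice, that extra effort buys it nothing, which is the underprovision the weakest-link model predicts.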
The idea of a weakest link is consistent with many press accounts of identity theft, in which a data breach at a single retailer or payment processor leads to widespread fraud. There is a natural tendency to supply an inefficiently small amount of a weakest link good (Varian, 2004), which can arise from the following conflict: A club member with relatively little at stake will tend to put less effort into providing the club good than a club member with a lot at stake. This tension is present in many situations involving data security (Anderson and Moore, 2006). Recent changes in the payments industry’s security practices can be seen as a response to this problem. For example, a set of industry-wide data security standards—the PCI (Payment Card Industry) standards (www.pcisecuritystandards.org)—has been created as a way of strengthening the weakest links in the data security chain. Another development along these lines has been the increasingly common practice of merchants quickly disposing of payment data, rather than storing it for an extended period of time.19

An additional source of inefficiency comes from externalities (also called spillovers) across data security practices. An externality occurs when the consumption or production of a good by one party affects another’s, conferring benefits or costs on the other party. A negative externality results when a party does not take into account the full cost of his action to others. In the context of data security, the potential for negative externalities exists for at least two reasons. First, as noted previously, payment data often pass through many hands, so it is difficult to determine how an identity thief was able to access the necessary data. Second, under current U.S. and Canadian laws, recovering the costs of a data breach through the courts can be difficult (Schreft, 2007; and Chandler, 2008).
Either way, if payment data are stolen from one party and used to commit identity theft with costly consequences for another, the first party may not expect to pay the full costs of the breach.

Taken together, these complications suggest that there are obstacles to the efficient provision of data integrity in the marketplace. Because payment system participants may not fully take into account all of the costs associated with their security practices, this can lead to underprovision of data security. This would, in turn, imply an inefficiently low level of confidentiality in the marketplace, even if the market is collecting the “right” amount of PID. In Roberds and Schreft (2008), we present a model that shows how this inefficiency could be exacerbated by the interaction between PID collection and data security. If some payment systems are not adequately securing their data and other payment systems are alerted to this, then each system’s best safeguard against identity theft may be to increase the amount of PID it uses for transactional identities. Under these circumstances, gathering more PID can reduce fraud, but doing this is inefficient because it further reduces confidentiality.

Roles for regulation

The previous discussion points to a role for public policy. If the markets for information on transactional identities are providing inefficiently low levels of confidentiality, there may be ways for well-designed policies to improve on market outcomes. One policy implication that is not supported is government entry into the markets for payment information. As with other types of club goods, the excludability of payment information provides a profit incentive to motivate ongoing improvements in efficiency. But the production of club goods is rarely a straightforward business, and it is usually subject to extensive policy interventions.
Electronic entertainment products, computer software, and various types of Internet content, to name just three examples, are frequent subjects of public controversy, legislation, regulation, and litigation. This same general pattern is found in the markets for payment information. Various pieces of legislation and regulatory efforts have sought to address the “weakest link” and “spillover” problems identified before, but have stopped short of trying to micromanage industry practices. For example, the Fair and Accurate Credit Transactions Act of 2003 (commonly known as the FACT Act) seeks to increase the industry standards for minimally acceptable security practices. The FACT Act requires banks and other creditors to develop procedures to respond to account activity that could reasonably be interpreted as evidence of identity theft (“red flags”), but does not specify the details of how this should be done.20 In the same vein, a number of state laws now require that consumers be notified whenever their data are breached. One motivation for this requirement is to enable quicker detection of identity theft by consumers. An equally important purpose for this requirement, though, may be to motivate better security practices by increasing the costs of a data breach (in terms of both dollars and reputation).

A number of states have taken another tack, which is to allow consumers to limit or “freeze” access to their credit reports, that is, to limit access to information on their transactional identities. A concern with this type of regulation is the cost of compliance. Since securing data is costly, perfect confidentiality of personal data cannot be an efficient outcome, and should not be a goal of sensible regulation. As outlined in this article, some amount of identity theft is inevitable given modern information technology.
Eliminating identity theft entirely would not be possible without eliminating the efficient sharing of information at the heart of our modern credit and payment systems.

Public goods

Government intervention is traditionally viewed as beneficial when it yields public goods. One such good is “public security,” as is provided by the criminal justice system. The ITADA and various state laws have sought to discourage identity theft by imposing severe criminal penalties—a form of deterrence not available to the private sector. The nature of identity theft puts limits on the effectiveness of criminal sanctions, however. By stealing someone else’s payment data, an identity thief gains that person’s access to credit in largely anonymous situations, such as in purchases over the Internet. This same anonymity that benefits legitimate purchasers (in terms of access to credit with increased confidentiality) makes criminal prosecution of identity theft impossible in many cases—as when the identity thief is located in a different country from that of the victim.

Another noteworthy public good in this context is that of overall “confidence” in credit and payment systems. As discussed previously, people do not like to use payment systems without something close to 100 percent reliability. If incidences of identity theft and data breaches were to become sufficiently common, the result could be a loss of this public good—that is, a loss of confidence not only in the directly affected parties, but in credit-based payment more generally (Braun et al., 2008). One rationale for recent regulatory actions in the payments area is that, apart from the effects of any specific provisions, these laws and regulations demonstrate governments’ commitment to maintain a reasonable standard for confidentiality of payment information.

Conclusion

In this article, we have looked at the issue of confidentiality of personal information from the standpoint of economic theory.
Some loss of privacy is necessary for the credit benefit, which is a key advantage of modern payment systems. By consolidating personal information into transactional identities, information technology now allows people to enjoy this credit benefit in circumstances that would have been unthinkable a generation ago. The sharing of information on transactional identities is vital to the operation of these payment systems. However, this information sharing can facilitate fraud in the form of identity theft. Information sharing can also create conflicts of interest that may not be easily resolved through the operation of the marketplace. Thoughtful public policy should be aimed at resolving these conflicts and providing public goods. The ultimate goal of regulation should not be absolute privacy of consumers or complete suppression of identity theft, but instead the promotion of efficient confidentiality of personal information.

NOTES

1. See, for example, Stone (2007), Swartz and Acohido (2007), Caruso (2007), and Dow Jones and Company Inc. (2008b).

2. There are no time-series data on identity theft rates, but one measure of the extent of the problem is how often the term “identity theft” shows up in press reports. Anderson, Durbin, and Salinger (2008) report 30 mentions of “identity theft” in U.S. newspapers in 1995; 2,000 in 2000; and 12,000 in 2005.

3. This estimate is from a survey of consumers reported in Synovate (2007); for extensive discussions of this survey, see Schreft (2007) and Anderson, Durbin, and Salinger (2008).

4. Of course not all data breaches are publicized, so these numbers are probably underestimated.

5. See, for example, Stone (2008). For other recent data breach incidents, see Braun et al. (2008).

6. If we increase “money velocity” by changing the order of transactions (say A and C meet on Wednesdays and B and C on Fridays), then a money supply of one dollar bill will be sufficient.

7. Beginning with Kiyotaki and Wright (1989), this role for cash has been extensively developed in “search” models of money; Wright (2008) surveys this literature.

8. For a detailed comparison of the costs of cash versus other forms of payments in certain retail settings, see Garcia-Swartz, Hahn, and Layne-Farrar (2006).

9. Even for the simple Wicksell model, calculation of a credit benefit can be a challenging exercise. Taub (1994) shows that for this model, people can sometimes do just as well by keeping hoards of cash. However, Kocherlakota (1998) shows that in general an economy’s credit benefit will be a positive number.

10. Bank for International Settlements, Committee on Payment and Settlement Systems of the Group of Ten Countries (2008). Use of a debit card can result in a credit benefit if the card is attached to a bank account with an overdraft privilege or line of credit.

11. In some simple economies like Wicksell’s, Araujo (2004) shows that Dave may not be needed; mutual confidence that others will honor their obligations is enough to sustain credit-based exchange. Kahn and Roberds (2009) discuss how Wicksell’s model can be used to analyze various types of payment systems.

12. Credit risk and fraud risk are often difficult to separate. For example, if a person applies for a credit card, runs up a bill, and then never makes a payment, then it may be hard to tell whether the person meant to commit fraud or just wasn’t able to pay. Or someone may refuse to pay for his credit card purchase, claiming the transaction was fraudulent; this practice is sometimes known as “friendly fraud.” Nonetheless, it is useful to conceptually distinguish between these two types of risk.

13. There is an element of credit even with many transactions that are thought of as “instantaneous” (for example, debit card or Internet banking payments), since these do not settle instantaneously. In many card transactions, the card issuer assumes the “credit risk” that the card payment will not be repaid by the cardholder.

14. For example, one can imagine all viewers of ESPN (Entertainment and Sports Programming Network) as members of a club who pay membership fees to the club through their monthly cable or satellite television bill.

15. An economy of scale occurs when an increase in the production of a good lowers its average cost. In our context, the increased accumulation and distribution of payment information have lowered the average cost of accessing such information.

16. A complementary good is defined as a good that is consumed with a second good, for which an increase in the demand for the first good results in an increase in demand for the second. For example, cars and gasoline are complementary goods.

17. The structure of this industry has been changed by the emergence of data brokers (legal and illegal) and other entities that compile and trade PID obtained from other sources (Schreft, 2007).

18. For example, one could interpret the famous antitrust case brought by Wal-Mart and other retailers against Visa and MasterCard, settled in 2003 for $3 billion, as a dispute over the efficient pricing of access to payment information, including the validity of cardholders’ transactional identities.

19. This practice of merchants quickly disposing of payment data has been incorporated into the PCI standards; the practice came about in part because of legislation discussed later in this article. See, for example, Dow Jones and Company Inc. (2008a).

20. More specific guidelines were jointly issued by six federal regulatory agencies, including the Federal Reserve System, in 2007. See Office of the Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, and Federal Trade Commission (2007).

REFERENCES

Anderson, K. B., E. Durbin, and M. A. Salinger, 2008, “Identity theft,” Journal of Economic Perspectives, Vol. 22, No. 2, Spring, pp. 171–192.

Anderson, R., and T. Moore, 2006, “The economics of information security,” Science, Vol. 314, No. 5799, October 27, pp. 610–613.

Araujo, L., 2004, “Social norms and money,” Journal of Monetary Economics, Vol. 51, No. 2, pp. 241–256.

Bank for International Settlements, Committee on Payment and Settlement Systems of the Group of Ten Countries, 2008, Statistics on Payment and Settlement Systems in Selected Countries, Basel, Switzerland: Bank for International Settlements, March.

Braun, M., J. McAndrews, W. Roberds, and R. Sullivan, 2008, “Understanding risk management in emerging retail payments,” Economic Policy Review, Federal Reserve Bank of New York, Vol. 14, No. 2, September, pp. 137–159.

Caruso, D., 2007, “Securing very important data: Your own,” New York Times, October 7, available at www.nytimes.com/2007/10/07/technology/07frame.html.

Chandler, J. A., 2008, “Negligence liability for breaches of data security,” Banking and Finance Law Review, Vol. 23, No. 2, pp. 223–273.

Cheney, J. S., 2005, “Identity theft: Do definitions still matter?,” Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. 05-10, August.

Coggeshall, S., 2007, “ID theft knows no boundaries,” E-Commerce Times, April 13, available at www.ecommercetimes.com/story/56864.html.

Dow Jones and Company Inc., 2008a, “New payment card data mantra is ‘Don’t need it, don’t store it,’ ” Wall Street Journal, September 16, available by subscription at http://online.wsj.com/article/SB122153790800641877.html.

__________, 2008b, “Data breaches surpass 2007 level, but businesses rarely are penalized,” Wall Street Journal, September 9, available by subscription at http://online.wsj.com/article/SB122093405633914081.html.

Garcia-Swartz, D. D., R. W. Hahn, and A. Layne-Farrar, 2006, “The move toward a cashless society: A closer look at payment instrument economics,” Review of Network Economics, Vol. 5, No. 2, June, pp. 175–198.

Hirshleifer, J., 1983, “From weakest link to best shot: The voluntary provision of public goods,” Public Choice, Vol. 41, No. 3, January, pp. 371–386.

Kahn, C. M., and W. Roberds, 2009, “Why pay? An introduction to payments economics,” Journal of Financial Intermediation, Vol. 18, No. 1, January, pp. 1–23.

__________, 2008, “Credit and identity theft,” Journal of Monetary Economics, Vol. 55, No. 2, March, pp. 251–264.

Kim, R., 2008, 2008 Identity Fraud Survey Report (Consumer Version): How Consumers Can Protect Themselves, Pleasanton, CA: Javelin Strategy and Research, February, available at www.javelinstrategy.com/research/all.

Kiyotaki, N., and R. Wright, 1989, “On money as a medium of exchange,” Journal of Political Economy, Vol. 97, No. 4, August, pp. 927–954.

Kocherlakota, N. R., 1998, “Money is memory,” Journal of Economic Theory, Vol. 81, No. 2, August, pp. 232–251.

LoPucki, L., 2003, “Did privacy cause identity theft?,” Hastings Law Journal, Vol. 54, No. 4, April, pp. 1277–1298.

Office of the Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, and Federal Trade Commission, 2007, “Identity theft red flags and address discrepancies under the Fair and Accurate Credit Transactions Act of 2003,” Federal Register, Vol. 72, No. 217, November 9, p. 63718, available at www.gpoaccess.gov/fr/.

Roberds, W., and S. L. Schreft, 2008, “Data breaches and identity theft,” Federal Reserve Bank of Atlanta, working paper, No. 2008-22, September.

Schreft, S. L., 2007, “Risks of identity theft: Can the market protect the payment system?,” Economic Review, Federal Reserve Bank of Kansas City, Fourth Quarter, pp. 5–40.

Stone, B., 2008, “11 charged in theft of 41 million card numbers,” New York Times, August 5, p. C1, available at www.nytimes.com/2008/08/06/business/06theft.html.

__________, 2007, “To fight identity theft, a call for banks to disclose all incidents,” New York Times, March 21, available at www.nytimes.com/2007/03/21/business/21identity.html.

Swartz, J., and B. Acohido, 2007, “Who’s guarding your data in the cybervault? ChoicePoint redeemed itself but not all brokers as careful,” USA Today, April 2, p. 1B, available at www.usatoday.com/educate/college/careers/Car_foc/4-02-07.htm.

Swire, P. P., 2003, “Efficient confidentiality for privacy, security, and confidential business information,” in Brookings–Wharton Papers on Financial Services: 2003, Richard Herring and Robert E. Litan (eds.), Washington, DC: Brookings Institution Press, pp. 273–310.

Synovate, 2007, Federal Trade Commission—2006 Identity Theft Report, McLean, VA, available at www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

Taub, B., 1994, “Currency and credit are equivalent mechanisms,” International Economic Review, Vol. 35, No. 4, November, pp. 921–956.

Varian, H. R., 2004, “System reliability and free riding,” University of California, Berkeley, report, November 30, available at http://people.ischool.berkeley.edu/~hal/Papers/2004/reliability.

__________, 1998, “Markets for information goods,” University of California, Berkeley, report, October 16, available at http://people.ischool.berkeley.edu/~hal/Papers/japan/.

Wicksell, K., 1935, Money, Vol. 2, Lectures on Political Economy, New York: Macmillan.

Wright, R., 2008, “Search-and-matching models of monetary exchange,” in The New Palgrave Dictionary of Economics, S. N. Durlauf and L. E. Blume (eds.), 2nd ed., New York: Palgrave Macmillan.

Perspectives on retail payments fraud

Steve Malphrus

Let me begin by saying that I am not here to lecture, but rather to learn. Today, I would like to talk about a couple of things.
First, I would like to start with some themes that emerged from a roundtable discussion that the Federal Reserve held last year with industry leaders on emerging issues involving fraud in the retail payments system. This is important to the Federal Reserve. The outputs from the roundtable are used to direct the Federal Reserve’s research and inform its work. Thus, hearing your perspectives on those themes today is important. The second thing I would like to talk about is an area in which I have been doing research. These are the emerging trends in new account fraud detection for applicants on the Internet, where businesses are not physically present to authenticate the identity of customers. As everybody here knows, this is an area of growing interest throughout the banking industry.

Findings from the roundtable discussion on retail payments fraud

Let me start with the roundtable that the Federal Reserve sponsored last year. Fourteen industry experts—including merchants and representatives from payments system providers, financial institutions, and law enforcement organizations—participated. Overall, these leaders agreed that, although the current level of payments fraud is being effectively managed and does not represent a crisis, organizations must constantly adapt to keep pace with criminal activity and with changes in technology and payment methods. While the dollar amount of fraud relative to business revenues in the United States is likely declining, the costs associated with fraud mitigation are substantial and increasing. The roundtable discussions focused on four main themes: 1) the changing landscape of retail payments fraud, 2) current trends, 3) emerging concerns, and 4) areas for improvement in fraud detection and prevention. The following paragraphs sum up our discussions involving these four themes.
Steve Malphrus is the staff director for management at the Board of Governors of the Federal Reserve System.

The changing landscape of retail payments fraud

Despite declining use of checks across the country, industry leaders find that the largest number of fraud attempts remains in check payments. Fraud losses are also highest for checks on a comparative basis with other payment methods. A number of participants stated that business losses resulting from check fraud are significantly higher than losses from noncheck payment types because checks are relatively easy to alter or forge, using readily available printers, scanners, and computer software. Moreover, changes in the payments system and in criminal behavior have introduced additional risk. One key change in the payments system has been the proliferation of commerce conducted over the Internet. The Internet has created new means for criminals to gain access to consumers’ personal and financial information, and has facilitated the formation of extensive illegal networks through which criminals buy and sell this information without the limits of geography. Indeed, substantial Internet fraud operations are now linked to sites located in certain developing countries. The Internet has also accelerated worldwide information-sharing among criminals regarding successful fraudulent schemes, so that new fraud techniques now move quickly around the world. In addition, the growth in online commerce has led to an increase in the number of transactions in which merchants are not physically present to authenticate the identities of purchasers.

That said, some changes in the payments system have helped reduce risk, such as faster clearing of check payments associated with Check 21 [1] and check-to-automated-clearinghouse (ACH) conversion. Being able to clear payments more quickly can mean that a fraudulent check may be returned before a collecting bank makes funds available to the depositor.
At a minimum, faster returns help inform banks and their customers that fraud is taking place. But some feel that ACH e-check payments may be more vulnerable to fraud than other ACH standard code categories, such as ACH transactions initiated via telephone. Concerns were also raised over the greater use of check images in the rapidly growing Check 21 environment, which could reduce the usefulness of some current check security features that may not survive the imaging process. Further, criminals’ ability to adapt to changes in the industry’s practices in fraud detection and fraud prevention is a continuing challenge, as these lawbreakers continue to seek the path of least resistance. For example, as large merchants and banks develop new tools to detect and prevent fraud, criminals turn to small- and medium-sized enterprises because they are less likely to have the resources to invest in fraud detection and prevention. Because fraud affects the entire financial industry, some feel that it is the duty of larger businesses and banks to reach out to educate and aid smaller organizations. Others suggest that we should raise the bar by increasing criminal penalties for fraud and prosecuting fraud more rigorously.

Current trends

It is becoming increasingly important for firms to protect consumer information. Industry leaders are concerned about the potential damage to their brands’ reputations in the event of a data breach. The industry has taken steps to protect consumers from fraud that may result from compromised information. Often, for evidence of fraud, banks and card networks monitor customer accounts that may have been compromised and then reissue cards when necessary. Some industry leaders argued that, although the storage of data is a potentially vulnerable point in the payments system, the extent to which compromised information has actually been used is relatively low.
In many instances, if consumer information is compromised and subsequently used to commit payments fraud, the consumer is not liable for the associated losses. Thus, while it is important to protect consumer data, it is equally important to develop tools to prevent the fraudulent use of data or to otherwise render data unusable. One example is phishing [2]. While phishing is a current threat to the security of consumer information, many believe that the level of actual loss incurred from phishing has been relatively low in the aggregate. In some cases, education has been reasonably effective in preventing consumers from divulging information online.

In addition, it is important to differentiate between “payments fraud” and “identity theft.” While both are a crime, the ramifications of each are substantially different. The Federal Trade Commission (FTC) has defined the term “identity theft” as fraud perpetrated by 1) obtaining access to and illegally using a consumer’s existing financial information, such as a person’s credit card number or bank account number, or 2) illicitly obtaining identity information about a consumer to open new financial accounts in the consumer’s name. The roundtable participants generally agreed that the second part of the FTC’s definition should be considered “identity theft” and that the first part should be considered “payments fraud.” Some stated that the FTC report used an overly broad definition of identity theft, which has led to an overestimate of the true frequency of this type of fraud. Nevertheless, the consequences of true identity theft can be very significant for consumers. While actual financial losses might be low, the impact on a consumer’s credit record—and the time and effort required to correct that record—can be substantial.

Emerging concerns

As noted, criminals are continually searching for weaknesses in fraud detection and fraud prevention practices.
Several participants said that the potential movement of check-based fraud to the ACH network is an area of growing concern for the industry. A fraudulent payment initiated with a check can move into the ACH system through a point-of-purchase (POP), back-office-conversion (BOC), or accounts-receivable-conversion (ARC) transaction. Since ACH has traditionally been used for recurring payments from trusted sources only, banks may not yet have robust tools in place to detect fraudulent ACH payments from other sources. Fraudulent checks that may be detected using existing tools might, therefore, go undetected if processed on the ACH network. This possibility is a particular concern to businesses that use check fraud prevention services, such as positive pay [3], that are not available for ACH payments. While a concern, fraud of this nature is, at present, relatively low. The industry has only recently begun monitoring the movement of fraud across payment channels. Perhaps further study is required to understand how fraud is moving between paper and electronic instruments or between different electronic instruments. Banks and businesses are looking to adopt a holistic approach to detecting and preventing retail payments fraud across the spectrum of payments systems. One participant described this approach as managing fraud at the “relationship” level—that is, at the level of an individual or a corporate client for a bank, and a customer for a merchant—rather than at the “product,” or payment instrument, level. Moreover, the industry is concerned that the introduction of new payments instruments, such as prepaid cards, could increase fraud in the payments system. One participant noted that some of these cards can be easily reloaded with funds and can be used anonymously, making them effective vehicles for money laundering.
Another stated that open-loop, reloadable prepaid cards could be a primary vehicle for fraud in the future, and others concurred that prepaid cards are a growing area of concern. We also discussed the security of mobile and contactless card transactions. On the one hand, payments made using these devices could be more exposed depending on their security features. On the other hand, the development of security enhancements, such as “dynamic” authorization techniques, for some payment devices can offer significant benefits. The hesitation in trusting emerging payments instruments may stem from the fact that their risks are not yet understood. Successful payments systems have historically had to put innovative systems into production and undergo a learning phase before the development of a fully mature risk-mitigation strategy.

Areas for improvement in fraud detection and prevention

At the roundtable, the most discussed suggestions for improving the industry’s ability to detect and prevent retail payments fraud were 1) increasing industry collaboration and information sharing, 2) using enhanced authentication techniques, and 3) adopting Payment Card Industry (PCI) standards. Merchants and financial institutions could benefit from increased collaboration and information sharing across industries and within their own business sectors, including through the development of best practices in fraud detection. Firms need to not only detect fraudulent transactions in process but also prevent fraud’s initial occurrence by improving authentication at the point of sale. At the roundtable, the effectiveness of PIN (personal identification number) and chip technology was debated. Some stated that fraud rates on PIN debit cards are significantly lower than those for other payment types; as a result, they advocated the application of PIN security to card payments in general.
Chip technology has been widely adopted in other countries, and could prove to be a safer alternative to magnetic stripe technology for card-based transactions. Roundtable participants also discussed the role of the Payment Card Industry program, developed jointly by Visa and MasterCard. Full compliance with security standards could help the industry safeguard consumers’ personal and financial information. The PCI program in particular could be helpful, but there are challenges for some organizations to become compliant with the PCI program. Nevertheless, compliance with the PCI program might be a good first step in securing consumer information, though other opportunities exist. For example, existing data privacy regimes generally apply to banks or merchants, while they exclude others, such as third-party service providers. These third parties have access to consumers’ personal and financial information. In order to improve the security of consumer information, it is desirable to expand data protection regimes with respect to both the types of payments and the types of organizations that are included. Ultimately, the roundtable discussions returned to the refrain that criminals will continue to search for the fastest and easiest ways to commit payments fraud. Consequently, strategies for fraud detection and fraud prevention should be considered holistically, so as not to merely shift fraud from one payments channel to another. Industry leaders maintain that it is not financially feasible to prevent all payments fraud. Rather, businesses must make prudent, risk-based decisions that will yield appropriate returns relative to the investment required to minimize fraud. Organizations continue to balance costs and benefits when investing in tools to mitigate fraud. At the roundtable’s conclusion, several suggestions emerged for how the Federal Reserve might assist the industry’s efforts to mitigate fraud.
Some advised the Federal Reserve to continue its outreach events to encourage industry participants to share concerns and effective practices, and others emphasized the importance of the Federal Reserve conducting research on payments and fraud-related issues. As a general matter, however, leaders advocated the continued application of market-driven approaches to keep payments fraud at a manageable level. Payments system participants’ ability to adapt to changes in criminal behavior will be critical in maintaining a safe and efficient payments system.

Some thoughts on new account fraud

Shifting gears now, I would like to offer my perspective on recent developments in the detection of fraud in new accounts. Many companies with an online presence today are struggling to find solutions for screening out fraudulent applicants for new accounts. These accounts range from those used for banking and brokerage accounts to accounts used for services. The dilemma is universal for online businesses where there is no person-to-person discussion with the applicant and, therefore, no possibility to examine documents such as driver’s licenses or passports and to verify identity in person. New account fraud in such non-person-to-person (mainly online) environments is estimated by some experts to be four to five times higher than it is when accounts are opened in person. Although there is no comprehensive solution available in the market today, various methods can help detect accounts opened for illicit purposes. In the case of regulated banks, meaningful attempts must be made to detect new account fraud under the new “red flags regulations” that were fully implemented by November 2008 (I discuss these regulations in greater detail later). This is true whether the ultimate victim is a consumer, whose identity has been stolen, or the business itself, where an account is opened using a fictitious identity created by a criminal.
Client device identification

In the non-person-to-person online environment, a business does not have an opportunity to screen identity documents, videotape the person, and/or engage directly with the applicant. However, the business does have an opportunity to screen the user’s device, such as a personal computer. Various technologies make device identification and analysis a useful first step in flagging suspect applicants. For first-time users, businesses obviously cannot rely on previously installed desktop software, tokens, or credentials. However, they can analyze various pieces of information available through the user’s web browser connection to check for potentially fraudulent activity. These include the following.

• Geolocation of the user based on the user’s Internet protocol (IP) address. Vendors that specialize in IP address intelligence are often able to detect the use of blacklisted IP addresses or blocks of addresses (that is, those that have been known to be used for criminal activity). They can detect the use of anonymizers and/or proxy servers that criminals use to hide their locations. Businesses can also compare the country and geographical region of the IP address to the country and region from the user’s credit card billing address.

• Personal computer/web browser identification examines the hypertext transfer protocol (HTTP) browser header and other information from the user’s computer or device, and compares them to what is expected. For example, this process can compare the time stamp from the computer to the time expected from the user’s geolocation. Using a JavaScript executed from the business’s server, this software can try to uniquely identify a computer and determine if it is being used by a large number of account applications. Software is available today that specializes in computer identification using proprietary techniques along with geolocation analysis. Similarly, a biometric system that records a user’s keystrokes and unique typing pattern can be used to ascertain if the same person, and not just the same machine, is opening multiple accounts.

• Botnet detection can identify a machine on a criminally run botnet that is accessing an enterprise’s website.

Fraud detection using information on the account application

Device identification tests can be subject to further fraud screening through the use of information entered on the application. Depending on the information requested on the application form, these fraud detection strategies can include the following.

• Identity proofing, which is typically used when a comprehensive set of information is being requested from the user, such as financial data, Social Security number, employment history, and homeownership information. This is common when applications are filled out for financial accounts, such as insurance, credit card, and bank accounts. Identity proofing can be relatively expensive, at a few dollars for each identity checked, and uses either:
– Rule-based data-matching systems from vendors or credit bureaus; or
– Identity scoring, relying on service and software providers that detect potential fraud using scoring models that look across application records and data.

• Credit card fraud detection, which is useful for new account openings that require only a credit card authorization. This detection typically costs about 15 cents to 25 cents per transaction, on top of the usual authorization costs, and depends upon volume and vendor-licensing arrangements. These systems analyze data available from credit card records, such as billing address and shipping address.
They perform various checks, such as validating addresses using the card companies’ address verification system, and compare credit card billing and shipping addresses to the customer’s geolocation and to lists of suspect addresses. The systems check to see how many times the end-user accesses a webpage asking for credit card information—possibly an indication of a brute force attack against a card’s security code. Credit card fraud detection systems also can compare credit card numbers provided by the user with stolen cards noted on blacklists, although stolen credit cards are so readily available to the fraudsters that blacklists have limited value. Most systems for credit card fraud detection enable enterprises to manage the business rules that each of their transactions runs against, so the businesses can catch fraud patterns particular to their situations.

• Niche data verification, which refers to the verification of specific data, such as telephone numbers or applicants’ ages. These data are then reconciled with data expected from the applicant. The line information database is a telecommunications industry standard database containing the same information made available through hub providers. Unfortunately, it is still not possible for enterprises to get access to a comprehensive set of wireless phone directories held privately by some wireless carriers (notably Verizon Wireless)—a step critical in verifying phone numbers because many customers prefer listing cellphone numbers rather than landline numbers.

Stepped-up applicant verification

Optimally, all account applications should go through a set of initial screening procedures, and suspect transactions that need further review should be routed to a fraud investigation queue for manual or automated follow-up. Additional automated screening can occur using one of the following methods.
• Identity proofing is a method that uses knowledge-based authentication systems, based on public source data, that pose questions to the user that only he or she can presumably answer (such as “What was the make of the first car you owned?”). Vendors offer identity-proofing applications based on public records, which can be partially effective in screening out fraud. However, roughly 20 percent of the question/answer sessions invoked for high-risk applications fail or are abandoned. Sometimes, the failure is because legitimate users cannot successfully answer the questions or because there is not enough public data available for a particular individual. At other times, criminals manage to answer questions successfully.

• Telephone-based user verification is a method that relies on a call to an applicant using a phone number found in the public records or provided by the user personally. The automated phone system can simply ask the user to speak, and it can record the user’s voice or ask the user to type in the phone transaction number generated by the online application session. This method is not foolproof unless the business is sure that the phone number on record belongs to a legitimate user.

Implications of red flags regulations

On October 1, 2007, the Federal Trade Commission and federal banking regulators, including the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration, released rules that require financial institutions to step up efforts to combat identity-theft-related fraud. These long-awaited identity theft rules implement the Fair and Accurate Credit Transactions Act, or FACT Act, and took effect on January 1, 2008. Financial institutions covered by the rules had until November 2008 to comply.
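The device-level and application-level checks listed above (IP reputation and proxy use, IP country versus billing country, client clock versus geolocation, external address match, phone validity) and the cross-applicant duplicate checks that the red flags rules ask for, combined into one screening pass that routes flagged applications to a review queue. This is an added example, not code from the talk or from any vendor product; the IP-intelligence table, the external address records, the identifiers, the phone heuristic and the applications themselves are constructed stand-ins.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for the vendor data the talk mentions: an IP-address
# intelligence feed and an external (bureau-style) address record keyed by the
# identifier the applicant supplied.  Every value here is a placeholder.
IP_INTEL = {
    "203.0.113.7":  {"country": "US", "region": "IL", "utc_offset": -6, "proxy": False},
    "198.51.100.9": {"country": "RO", "region": "B",  "utc_offset": 2,  "proxy": True},
    "192.0.2.44":   {"country": "US", "region": "CA", "utc_offset": -8, "proxy": False},
}
EXTERNAL_ADDRESS = {
    "ID-001": "12 Elm St, Chicago, IL",
    "ID-002": "9 Bay Rd, Oakland, CA",
    "ID-003": "77 Pine Ave, Sacramento, CA",
}


@dataclass(frozen=True)
class Application:
    app_id: str
    ip: str
    browser_utc_offset: int   # hours, as reported by the client's own clock
    device_id: str            # fingerprint returned by the server-delivered script
    national_id: str          # placeholder for an SSN-type identifier
    phone: str
    billing_country: str
    billing_address: str


def valid_phone(phone: str) -> bool:
    """Constructed sanity check: ten digits, area code not starting with 0 or 1."""
    return phone.isdigit() and len(phone) == 10 and phone[0] not in "01"


def device_flags(app: Application) -> list[str]:
    """Client-device checks: IP reputation, IP-vs-billing country, clock-vs-geolocation."""
    intel = IP_INTEL.get(app.ip)
    if intel is None:
        return ["ip_unknown"]
    flags = []
    if intel["proxy"]:
        flags.append("anonymizer_or_proxy")
    if intel["country"] != app.billing_country:
        flags.append("ip_country_mismatch")
    if intel["utc_offset"] != app.browser_utc_offset:
        flags.append("clock_timezone_mismatch")
    return flags


def application_flags(app: Application) -> list[str]:
    """Single-application checks on the data entered on the form."""
    flags = []
    external = EXTERNAL_ADDRESS.get(app.national_id)
    if external is None:
        flags.append("no_external_record")
    elif external != app.billing_address:
        flags.append("address_mismatch")
    if not valid_phone(app.phone):
        flags.append("invalid_phone")
    return flags


def cross_application_flags(apps: list[Application]) -> dict[str, list[str]]:
    """Cross-applicant checks: the same device, identifier, phone or address
    appearing on more than one application in the batch."""
    index: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for app in apps:
        for key in ("device_id", "national_id", "phone", "billing_address"):
            index[key][getattr(app, key)].add(app.app_id)
    flags: dict[str, list[str]] = defaultdict(list)
    for key, buckets in index.items():
        for app_ids in buckets.values():
            if len(app_ids) > 1:
                for app_id in app_ids:
                    flags[app_id].append(f"shared_{key}")
    return flags


def screen(apps: list[Application]) -> dict[str, list[str]]:
    """Run every check; maps each application id to its sorted list of flags."""
    shared = cross_application_flags(apps)
    return {
        app.app_id: sorted(device_flags(app) + application_flags(app) + shared.get(app.app_id, []))
        for app in apps
    }


def review_queue(apps: list[Application]) -> list[str]:
    """Applications carrying any flag are routed to the fraud investigation queue."""
    return [app_id for app_id, flags in screen(apps).items() if flags]


# Constructed batch: A1 is clean; A2 arrives through a foreign proxy with a clock
# that disagrees with its geolocation and shares a device, phone and address with
# A3, whose address also fails the external match; A4 has an unverifiable
# identifier and a malformed phone number.
SAMPLE_APPLICATIONS = [
    Application("A1", "203.0.113.7", -6, "dev-1", "ID-001", "3125550100", "US", "12 Elm St, Chicago, IL"),
    Application("A2", "198.51.100.9", -5, "dev-2", "ID-002", "5105550101", "US", "9 Bay Rd, Oakland, CA"),
    Application("A3", "192.0.2.44", -8, "dev-2", "ID-003", "5105550101", "US", "9 Bay Rd, Oakland, CA"),
    Application("A4", "203.0.113.7", -6, "dev-4", "ID-999", "0125550102", "US", "5 Oak Ct, Peoria, IL"),
]

if __name__ == "__main__":
    for app_id, flags in screen(SAMPLE_APPLICATIONS).items():
        print(app_id, flags or "clean")
    print("review queue:", review_queue(SAMPLE_APPLICATIONS))
```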
The rules require regulated financial institutions to create “reasonable policies and procedures” for detecting and preventing identity theft. Red flags cited in connection with an account application or an existing account include patterns of activity that are inconsistent with the historical and usual pattern of an account, such as a recent and significant increase in inquiry volume or an unusual number of recently established credit relationships. Other red flags include applicant addresses that do not match addresses from external sources, as well as internally inconsistent personal information, such as a lack of correlation between the Social Security number range and the date of birth. Institutions are also asked to check for invalid phone numbers or addresses and to flag applications for which an address, Social Security number, or phone number provided is the same as that submitted by other persons opening an account or by other customers.

Conclusion

As we ponder retail payments fraud going forward, the risk is not just about the cost of dealing with fraud and the associated losses. Indeed, fraud risks and associated retail payments fraud will cross into areas of public policy related to privacy. Today privacy is becoming a serious issue, and interestingly, this issue brings us full circle to the broader topic of information security. Government agencies, for example, have a new mandate in terms of handling information about citizens: It is called private identity information. Federal agencies must take affirmative action to protect private information such as Social Security numbers, dates of birth, etc. Moreover, today the U.S. Department of Homeland Security has an assistant secretary for cyber security and communications. That position centralizes the federal government’s work in this area as well.
Other agencies that work on privacy and identity issues related to payments fraud include the Central Intelligence Agency, the National Security Agency, U.S. Department of the Treasury, and the Federal Reserve System. Concerns about terrorist financing and money laundering drive much of this federal work, but we should remember that such concerns are also increasingly spilling over into the world of payments fraud. In the future, you should see additional coordination and partnerships between the public sector and the private sector to address risk. I think it is important to understand that the Federal Reserve System is unique in that it acts as a banker’s bank, the federal government’s bank, and a payments system operator. Having a payments system that is safe and secure is an absolute necessity in maintaining the confidence and trust held in it. To achieve this, we must focus on operations risk first, but also pay attention to reputational risk. It is important for us to understand these risks from multiple perspectives—from the economic research perspective, from the perspective of a financial market authority, and from the perspective of a very large bank.

NOTES

1. For details on the Check Clearing for the 21st Century Act, see www.federalreserve.gov/paymentsystems/truncation/.

2. A phishing attack uses randomly distributed emails to attempt to trick recipients into disclosing personal information, such as account numbers, passwords, or Social Security numbers. See www.spamlaws.com/online-credit-card-fraud.html.

3. Positive pay is an antifraud service offered by virtually every U.S. commercial bank. It protects a company from altered checks and counterfeit check fraud by comparing the components (such as the account number, check number, and dollar amount) of each check presented for payment against those from a list of checks previously authorized and issued by the company. It allows a company to reject unauthorized transactions (that is, for checks that do not match) before losses occur.

Divided we fall: Fighting payments fraud together

Mark N. Greene

It is a great pleasure to be addressing this august group. As some of you know, I began my career at the Federal Reserve back in 1982. So speaking to you is like a homecoming for me. I have been fortunate in my career to participate in the U.S. banking economy from three perspectives: at the Fed, obviously a policymaking central bank; at Citibank, a lender; and at two financial technology providers, including 12 years at IBM (International Business Machines) and the last year at Fair Isaac, a leader in decision management technology. From these three perspectives, I have seen the tremendous collaboration that exists in the banking industry on the issue of fraud. However, from my current vantage point, I am also able to see a disturbing trend: More companies are declining to participate in some of these collaborative, consortium-based best practices. The reason is simple: They see a competitive advantage to keeping their information and experience to themselves. This raises some key issues for the financial services industry. Do we want to fight fraud or move it around? That is, do we want to reduce the amount of fraudulent activity overall, or are we content to just have the most advanced banks move it to the less advanced banks, and to shift it from well-protected channels to less protected channels? Does a failure to maximize our effectiveness at fraud prevention have even deeper consequences? Which people, which groups, and which activities might we be funding if we allow fraud to persist? And are private industry initiatives enough, or is there a role in fraud prevention for public sector initiatives, mandates, or intervention? I won’t leave you guessing as to where I’m going with this. My experience has taught me the following.
n Fraud is too important to the economic and social well-being of our country to let it persist and grow. Federal Reserve Bank of Chicago n Individual gains must be balanced by the collective good. n It is better to stop a fraudster than send him to the bank next door. Now, my company is in the business of giving banks a competitive advantage. We have used consortium approaches to defeat fraud. We believe these collaborative approaches, along with ubiquity in protection, are essential ingredients in the fraud-fighting formula. They are necessary to reduce the “balloon effect” in fraud prevention, where progress in fighting a segment of fraud succeeds primarily in moving fraud from one place to another. We win when fraud loses—and fraud loses when we fight it together. Types of payments fraud Let me start by simply defining the key areas of payments fraud I’m discussing here. Fundamentally, we can divide fraud into two categories. There is firstparty fraud, which is the abuse of account privileges by the account holders themselves, or the acquisition or expansion of those privileges by deceitful means. There is also third-party fraud, which is often identity fraud, or the abuse of one person’s account by another. For the purposes of this talk, I am not discussing insider fraud, which is the misuse of a customer account by bank employees or others involved in the provision and distribution of financial services products. First-party fraud typically involves your customer opening an account with you, with the intention of violating the terms of the account agreement. It can also involve a borrower selling his information to Mark N. Greene is the chief executive officer of Fair Isaac Corporation. 37 criminals or constructing a fraudulent identity or deceitful credentials for gaining credit. This type of fraud very often shows up in the collections queue as bad debt. But it is not traditional bad debt— when it is intentional, it is fraud. 
Third-party fraud is what we usually think of when we consider fraud. This is stolen identities, the use of lost or stolen cards, and the counterfeiting of cards or other means of account access. It encompasses a wide range of techniques. This is where the criminal gangs operate—and where advanced technology comes into play to greatly reduce fraud losses.

Fraud costs

[Figure 1. Global card fraud per $100 in total sales, in cents, 1992–2006, by type: lost or stolen, counterfeit, card-not-present, and other. Source: HSN Consultants Inc., 2007, “Global card fraud,” Nilson Report, No. 884, July, pp. 1, 6–7.]

Fraud—both first-party and third-party—is on the rise, but not across the board, according to Javelin Strategy and Research. That is because fraudsters are fast learners and attack less protected channels. Almost 4 percent of adult Americans were victims of fraud in 2007, resulting in losses of $51 billion. U.S. credit card fraud losses were down 22 percent to $11.4 billion; credit cards are highly protected by consortium models that are part of the Falcon fraud protection system. (I will talk more about that later.) By contrast, U.S. debit card losses rose 16 percent to $7 billion. Debit card transaction volumes are on the rise, and only some debit cards are protected by consortium Falcon models. Online purchase fraud experienced an increase, rising 33 percent in 2007. Though new account fraud incidents increased, total annual new account fraud losses dropped by 21 percent. There was a surge in new telephone account misuse, and existing checking and savings accounts fraud was up by 10 percent.

Just to take one example of a rising problem, card-not-present fraud (CNP fraud) is on the rise (see figure 1). It is estimated that about half of transactional card fraud today is CNP fraud. CNP fraud is primarily perpetrated through fraudulent use of cards for online purchases. CNP fraud is the biggest threat to online channels, such as PayPal.

Looking at global card fraud, we can see how the different methods of fraud have been changing over time. Certain fraud types are rising to “fill the gap” made by excellent progress in categories such as lost or stolen card fraud, since new technologies and channels enable new forms of abuse, as demonstrated by the rise in CNP fraud.

To summarize, I have noted the following:
• We can make a huge difference by focusing on fraud in a collaborative way; and
• Fraudsters are moving from one channel and technology to the next, in what we call the balloon effect—squeeze them in one area and they move to another.

So are we winning the war on fraud, or just moving it around? We don’t need any help recognizing the importance of fraud in its impacts to our businesses and the bottom line. But it is worth noting that real economic costs may be 150 percent of measured fraud losses. In other words, we are underestimating the problem when we just measure fraud losses. We know from our work with clients, for example, that a tremendous amount of bad debt is actually misclassified fraud. We worked with one prominent UK card issuer and found that more than 10 percent of the bad debt in its collections queue was really fraudulent activity. The costs associated with this are not just the charge-off losses; they also include the costs of having collections and recoveries staff and agencies try to collect unrecoverable monies.

Fraud’s shifting focus

Of course, the costs to the lending institution and its customers are not the only costs we need to worry about. Terrorists and criminal organizations are funding crime through fraud. The costs here are incalculable. These costs make a strong case that a concerted, collaborative effort at fighting fraud is more important than making fraud prevention a competitive advantage for a select group of lenders.

I’ve mentioned the balloon effect in fraud. The point here is that gains in one area of fraud are frequently offset by losses in another. In fact, banks, retailers, telecommunications firms, and others are struggling to combat fraud, which is growing more complex all the time. There are more channels and lines of business to protect. There are regulatory mandates for better risk management. We are fighting sophisticated, worldwide criminal organizations. There are more frequent pattern changes. Lost, stolen, and counterfeit cards remain a concern, but we are also dealing with new forms of attack, such as Internet attack bots, which apply all kinds of techniques—persistence being the key ingredient—to work their way through online security measures.

[Figure 2. Benefits of enterprise fraud solutions, in percent of respondents: reduced fraud losses, 77; better management of fraud resources, 61; increased profitability, 42; improved customer loyalty, 23; improved customer service, 40; other, 5. Reduced fraud losses are seen as the chief benefit of an enterprise fraud solution. Source: Theodore Iacobuzio, 2008, Survey of Credit Card Issuers and Consumer Lenders: Connected Decision-Making for Collections, Risk, and Fraud Management in Turbulent Times, TowerGroup, report, April.]

Fraud solutions

The fraud detection and prevention tools that have been commonly applied by banks include card issuer and network transaction fraud solutions, a debit bureau and other identity protection for account opening, the implementation of chip and PIN (personal identification number) technology, the increasing usage of account verification techniques, and online fraud detection and transaction review tools.
However, many new types of fraud have emerged or increased in response to the banks’ defenses. These include the following:
• Increasing phishing and skimming attacks;1
• More attacks on small card issuers and smaller merchants that do not have the same level of protection;
• Recruitment of insiders to better enable fraud;
• Offshore fraud;
• Mail theft of cards;
• Large-scale abuse of card data retained at the point of sale;
• Declining effectiveness of address verification in detecting fraud; and
• International mail-order, telephone order, and online fraud.

Mass compromise losses could rocket higher given the low current criminal utilization rate of compromised cards. Large data breaches, to date, have been inefficiently leveraged by the criminals that end up with the information. Some incidents involving thousands of card numbers have resulted in only a few handfuls of fraudulent transactions. But breaches perpetrated by a more organized or effective criminal organization could have much more severe and immediate consequences.

The uneven protection of account types has raised interest in enterprise fraud systems. The information in figure 2 comes from a survey of leading U.S. banks conducted by TowerGroup for Fair Isaac this year. These banks are pursuing enterprise fraud systems as a way of controlling fraud losses. Today’s fraud systems tend to protect one channel or product. It is like putting a burglar alarm on your front door but leaving the windows open. An enterprise fraud system is like a burglar alarm system for your whole house. This sounds simple, but it isn’t. Few institutions today have the same level of protection across the organization. There are a lot of very well-protected doors out there—and some very open windows as well.

As we discuss the importance of collaboration, it is important to understand that many of the principal victories that have been made in the area of fraud depend on collaboration.
Next, I present three examples and focus on the collaborative aspect.

Falcon Fraud Manager

How does collaboration win today? It probably comes as no surprise that I’m starting with Falcon Fraud Manager, which is a Fair Isaac solution. Falcon is an excellent example of the effectiveness of collaboration in fighting fraud. Falcon is the leading cards fraud protection platform. Falcon manages 65 percent of card accounts worldwide, including 90 percent of credit cards in the U.S. Falcon reviews card transactions and “scores” them based on their likelihood of being fraudulent, enabling card issuers to stop losses faster and to react dynamically to changing fraud activity in real time. Falcon’s fraud detection is based on innovative neural network models that are “trained” on large sets of consortium data. These consortium models are embedded in end-user software or accessed by card issuers via third-party processors. The neural network models search through masses of data to identify very subtle signs of fraud. The size and diversity of the data are critical factors in the power of the models. We have created a fraud consortium that includes information on 1.8 billion card accounts, contributed by lenders that subscribe to the Falcon product.

Falcon Fraud Manager typically cuts individual issuers’ fraud losses by 50 percent and in many cases by more. But the really impressive thing is the impact this kind of solution can have on the industry. Falcon Fraud Manager was introduced in 1992, when card fraud was at 18 basis points in the U.S. As shown in figure 3, this number has since declined by about two-thirds based on the industry’s use of a common, powerful fraud protection system.

[Figure 3. Card fraud in the U.S., 1990–2006, in basis points (scale 0–20), with Falcon introduced in 1992. Note: Falcon Fraud Manager is a leading cards fraud protection platform from the Fair Isaac Corporation. Sources: Data compiled by Fair Isaac Corporation, using information from HSN Consultants Inc., Nilson Report (various issues).]

This shows how a ubiquitous solution powered by close collaboration has served to benefit both individual issuers and the industry. Individual issuers have squeezed fraud out of their portfolios, and the industry as a whole has worked to squeeze a substantial amount of fraud out of the system.

Card Alert

Our second example involves automated teller machine (ATM) fraud detection. Some 11,000 banks in the U.S. subscribe to a Fair Isaac service known as Card Alert. What Card Alert does is trace the flight path of compromised cards to identify compromised ATMs. It works backward from compromised cards to identify whether they passed through a single ATM. The Card Alert team then identifies other cards that passed through the ATM in question. They notify the issuers that these cards may be at risk. The system currently flags roughly 500,000 unique card accounts annually as being compromised at ATM devices. So the information on card compromise from some issuers is used to benefit other issuers and to help criminal investigators.

Card Alert generates a wealth of data on ATM fraud trends, which is used by banks to systematically stop the fraud and by law enforcement to fight the fraudsters. Collaborative efforts like Card Alert have served to dramatically reduce the percentage of fraud that occurs at ATM devices.

Chip and PIN fraud

Our third example looks outside the U.S., to the chip and PIN rollout in the UK. This was an industry-wide, collaborative effort that resulted in nearly all devices being PIN-verified in the UK and, therefore, nearly all cards being much harder to counterfeit or scam. Over 90 percent of UK cards are chip and PIN cards now, and nearly 1 million retail tills have been upgraded. In 2005, this resulted in a 24 percent reduction in fraud from counterfeit, lost, and stolen cards, according to APACS (Association for Payment Clearing Services) in the UK.

However, while counterfeit, lost, and stolen card fraud has been contained by chip and PIN technology, it has pushed fraud for those same accounts to a new venue. Cross-border fraud—largely unprotected by the chip and PIN technology—went up by 43 percent in 2006 and by another 77 percent in 2007. Cross-border fraud now accounts for 39 percent of all fraud for UK card issuers, compared with 27 percent in 2006. This shift swallows nearly all of the gains achieved through the reduction in fraud occurring in the UK itself. The problem that we’re seeing here is that the collaboration worked in the UK, but because it was not executed in easily accessible neighboring countries, it failed to reduce UK issuers’ overall losses. They decreased one form of fraud but increased another. Again, this speaks to the importance of both collaboration and ubiquity in avoiding the balloon effect.

Device and merchant profiling

How will new technical advances enable the industry to combat fraud? Let’s look at three new advances that use payments data in different ways to increase fraud protection.

The first is known as device profiling. One of the ways that successful card fraud solutions operate is to build a profile of each cardholder that can be used to identify unusual activity. By profiling devices as well, we are able to provide a more complete profile picture for a given transaction. The device profile looks for unusual device behavior: large amounts, rapid transactions, and suspicious patterns of transaction types. Device scores can be combined with the cardholder scores to improve fraud detection. This approach can identify patterns that often involve multiple cards. It is especially useful in identifying counterfeiters and ATM burst fraud events.
Device profiling requires a collaborative cross-issuer view, similar to the Card Alert service discussed before. Our research shows a sizable predictive lift from adding cross-issuer device profiling. For example, there is an 80 percent relative performance lift in real-time value detection at a 10:1 false positive rate. This means that at a threshold where you are flagging ten “good” accounts to review for every one fraudulent account, you are identifying 80 percent more fraud than a traditional card system based on just cardholder profiles. If this kind of trade-off curve looks geeky to you, you have to understand that I am an econometrician working at a company populated by analytic staff. Geeky is where I work!

Our second innovation involves merchant profiling. As we discussed, today the standard is to profile cardholders and use every transaction to build and evolve the profiles. What we can do now is build a fuller picture by examining the merchant profiles as well. Merchant profiles are similar to cardholder profiles in that they contain a summarized view of detailed transaction information and history. They identify the points of sale that are more or less likely to experience fraud. The account fraud score is adjusted downward or upward based on the merchant information. This additional data collection increases the detection power of the model, through the integration of cardholder variables, merchant variables, and combined cardholder/merchant data. Better fraud detection means lower losses and improved customer service.

Again, the ability to profile merchants effectively depends on the rich data coming from a cross section of issuers. We have found that using merchant profiles in Falcon Fraud Manager, our card fraud system, enables clients to jump another level up in fraud detection.
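The "relative performance lift at a 10:1 false positive rate" quoted above for device profiling (and later for merchant profiling and adaptive models) is an operating-point comparison; the following added example, which is not Fair Isaac code, shows how such a figure is computed by ranking scored accounts, lowering the threshold until ten good accounts are flagged per fraud, and comparing the share of fraud dollars caught by two models on a constructed portfolio.

```python
"""Fraud-dollar detection rate at a fixed false-positive ratio and the
relative lift between two scoring models. Added illustration, not Fair
Isaac's Falcon code; scores and outcomes below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scored:
    account: str
    amount: float    # transaction value in dollars
    is_fraud: bool   # confirmed outcome, known only after the fact
    score: int       # model output, higher means more suspicious (0-1000)


def value_detection_at_ratio(records, fp_ratio=10):
    """Return (fraction of fraud dollars caught, score threshold) at the
    deepest operating point that still flags at most fp_ratio good
    accounts per fraudulent account flagged (the 10:1 point in the text)."""
    ranked = sorted(records, key=lambda r: r.score, reverse=True)
    total_fraud_value = sum(r.amount for r in ranked if r.is_fraud)
    if not total_fraud_value:
        return 0.0, None
    goods = frauds = 0
    caught = 0.0
    best_rate, best_threshold = 0.0, None
    for r in ranked:          # lowering the threshold one record at a time
        if r.is_fraud:
            frauds += 1
            caught += r.amount
        else:
            goods += 1
        if frauds and goods <= fp_ratio * frauds:
            best_rate, best_threshold = caught / total_fraud_value, r.score
    return best_rate, best_threshold


def relative_lift(baseline_rate, enhanced_rate):
    """Relative performance lift, e.g. 0.8 for the 80 percent quoted above."""
    return (enhanced_rate - baseline_rate) / baseline_rate


def build_sample():
    """Constructed portfolio: 120 good accounts and 5 confirmed frauds.
    The enhanced scores stand in for what cross-issuer device or merchant
    profiling adds: two frauds the cardholder-only model scored low now
    score high. Good-account scores are identical under both models."""
    goods = [Scored(f"good-{i}", 80.0, False, 600 - 5 * i) for i in range(120)]
    frauds = [
        Scored("fraud-A", 500.0, True, 950),
        Scored("fraud-B", 300.0, True, 900),
        Scored("fraud-C", 200.0, True, 447),
        Scored("fraud-D", 100.0, True, 252),
        Scored("fraud-E", 50.0, True, 102),
    ]
    boosted = {"fraud-C": 700, "fraud-D": 522}
    enhanced = [replace(f, score=boosted.get(f.account, f.score)) for f in frauds]
    return goods + frauds, goods + enhanced


def compare_models(fp_ratio=10):
    """Detection rate of each model at the same fp_ratio, and the lift."""
    baseline, enhanced = build_sample()
    base_rate, base_thr = value_detection_at_ratio(baseline, fp_ratio)
    enh_rate, enh_thr = value_detection_at_ratio(enhanced, fp_ratio)
    return {
        "baseline_rate": base_rate, "baseline_threshold": base_thr,
        "enhanced_rate": enh_rate, "enhanced_threshold": enh_thr,
        "lift": relative_lift(base_rate, enh_rate),
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key:20s} {value}")
```

On the constructed data the baseline catches 800 of 1,150 fraud dollars at the 10:1 point and the enhanced model 1,100, a 37.5 percent relative lift; the threshold returned is the lowest score that still meets the ratio.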
The enhanced version of Falcon, that is, with merchant profiles added, identifies substantially more frauds in real time, enabling the issuers to reduce fraud losses. At that same 10:1 false positive rate, the consortium subscribers are able to achieve a 40 percent relative performance lift in fraud detection and prevention.

Adaptive models

Our third example is a different kind of technology breakthrough. It involves what we term “adaptive models.” The fraud models we have been discussing so far are based on consortium data, and every year we update the models by training them on the most recent set of consortium data. These new models are then used to upgrade our clients’ systems. This has been very successful, but it means there is a lag time between the card issuers’ experience of evolving fraud trends and the incorporation of that experience into their fraud-fighting tools. What we need is a way to capture new and important shifts in fraud patterns because of the highly dynamic nature of fraud.

The way adaptive models work is to adjust the model weights on each issuer’s system. This dynamically tunes the models in response to actual fraud experienced by the issuer. This approach enables the issuer to benefit both from the broader view of fraud activity captured in the consortium model and from more immediate information on fraud against their accounts. Our ability to detect fraud is increased with the adaptive models. Our research has shown an 18 percent relative performance lift in real-time value detection at a 10:1 false positive rate.

These are just some of the advances coming in payments card protection. The point is that to make these kinds of advances, and to make them effective, requires collaboration. I have pled my case regarding collaboration.

Collaboration

What are the implications for the industry?
The real frontline soldiers in the war on fraud—in particular the fraud managers who help protect their institutions from a growing array of threats—need the best weapons we can give them. The innovations they depend on often stem from independent action and proprietary development. But these innovations are powered by collaboration. The trend toward viewing fraud management as a competitive advantage has potential negative implications for fraud management overall. Models are stronger when they are trained on larger, more varied data sets. Certain types of information, such as device profiles, only provide value when powered by a macro-level view. And because fraud always finds its way to the weakest link in the chain, ubiquity helps contain the problem of the balloon effect.

So where might the public and private sectors collaborate next? Here is one idea: an industry-wide Fraud Alert Network. This would take the success of systems such as Falcon and Card Alert to a new level by building on collaboration. A Fraud Alert Network could take an approach to updating systems that is similar to the way companies such as AVG and Symantec fight computer viruses. By looking across millions of events, they are able to identify new virus patterns and automatically push updates to their user bases. This is the model we are exploring for payments fraud. Rather than annual system or model updates, we would push out updates, rules, or hot lists automatically. The concept includes a collaborative rules subscription service, as well as simplified, timely consortium data collection. And the Fraud Alert Network includes a portal designed to bring banks, retailers, and others together to share ideas. Think of it as a private user community focused on real-time fraud issues—a Facebook for fraud management. In fact, this collaboration portal will go live later this month. We expect it to yield faster responses to fraud threats.
It is a great example of where we see fraud protection going—toward greater collaboration and a real unified front.

In summary, I leave you with these key ideas.
• Payments fraud remains a front-burner issue.
• Fraud evolves with new payment product technologies.
• This is too big an issue to fight separately.
• Private sector collaboration is essential, as we have seen—it is really the foundation of the successful antifraud initiatives.
• Public sector involvement can help with best practices and information sharing.

In short, this is a war—divided we fall, united we win.

NOTES

1 A phishing attack uses randomly distributed emails to attempt to trick recipients into disclosing personal information, such as account numbers, passwords, or Social Security numbers. A skimming device is one that is mounted to an automated teller machine or point-of-sale machine to copy encoded data from the magnetic stripe on the back of a payment card. For more information, see www.spamlaws.com/online-credit-card-fraud.html.

An examination of the fraud liability shift in consumer card-based payment systems

Duncan B. Douglass

Introduction and summary

In the absence of a significant (and right now unforeseeable) shift in the retail payments landscape in the United States, consumers will continue to reach consistently (and often) for their debit and credit cards. They will use these cards when paying for goods and services in face-to-face, Internet, mail order, and telephone order transactions. Likewise, criminals will continue to use tried-and-true tactics and will develop innovative methods to perpetrate payment card fraud. At the intersection of consumers conducting legitimate card transactions and fraudsters pursuing their illegal ends is a tangled web of public laws and private card network rules. These laws and rules allocate fraud risk among the consumers, card issuers, and merchants participating in card-based payment systems.
In theory, one would hope that these laws and rules for payment card transactions are thoughtfully designed to encourage behavior that minimizes fraud losses to the system as a whole. In reality, systemwide fraud reduction is often not the principal objective behind particular public laws or private rules affecting fraud liability allocation. Consequently, these laws and rules may fail to promote efficient fraud avoidance; indeed, in some instances, they may actually discourage fraud avoidance.

Defining the issue

The first step in evaluating the efficiency of fraud liability allocation rules in current card-based payment systems is to define the issue. Doing so requires an understanding of the difference between identity theft and common payment card fraud, as well as an understanding of the workings of the card-based payment systems at issue.

Identity theft versus fraud

News stories abound about identity theft resulting from dumpster divers absconding with old bank statements and criminals rifling through mail and intercepting credit card offers. Further, email accounts are barraged with phishing attempts and other web-based schemes craftily designed to lure consumers into revealing personal identification information that can be used for nefarious purposes. Typically, the fraudsters intend to use the ill-gotten fruits of their snooping to impersonate their victims and access their credit or asset accounts. This is identity theft, and it is an increasingly pervasive problem in the United States and throughout the world. During 2007, Consumer Sentinel, a network that collects information about consumer fraud and identity theft from the Federal Trade Commission and over 125 other organizations, recorded 258,427 identity theft complaints.1

Identity theft is distinguishable from common financial fraud.
Identity theft is generally defined as “the use of personal identifying information to commit some form of fraud.”2 In contrast, fraud is simply “[a] knowing misrepresentation of the truth ... to induce another to act to his or her detriment.”3 As noted in the definition of identity theft, fraud is typically the end goal of identity theft. However, often fraud is committed without antecedent theft of Social Security numbers or other assumption of identity. Along with the cases of identity theft reported in 2007, 555,472 cases of non-identity-theft-related fraud were reported during the same year.4 Given that card-based payment systems (and other payment systems, for that matter) seek to prevent monetary fraud perpetrated through the system regardless of how the information used to perpetrate the fraud was obtained, here I focus on the broader category of payments fraud—whether or not it is precipitated by identity theft. There is no need to steal another person’s identity to perpetrate simple payment card fraud—all the perpetrator needs to do is obtain a person’s payment card or payment card information.5

Duncan B. Douglass is a partner at Alston and Bird LLP, practicing in the areas of corporate and retail payment systems.

Distinguishing fraud from identity theft is important to the discussion that follows for two reasons. First, fraud is broader and more pervasive than identity theft. Second, the means of preventing fraud in the initiation of payments, and the appropriate allocation of losses that result from payments fraud, are generally not dependent on whether the fraud resulted from identity theft or from a simpler card/data theft incident. There is no doubt that consumers who fall victim to identity theft experience significant nonmonetary losses in addition to the losses resulting from the fraudulent transactions.
These include the opportunity costs of time spent disputing fraudulent claims, closing existing accounts, and opening new accounts.6 However, public laws and private rules governing card payment systems are not capable of preventing such costs to consumers because these costs are wholly external to the payment system itself.

Payment systems fraud generally versus signature-based card fraud

Having distinguished identity theft from payments fraud and clarified that this discussion is concerned with the latter, it is worth making the distinction between payment systems fraud generally and payment systems fraud perpetrated through means of a signature-based access device. This distinction is important because public law treats access device fraud differently than other types of payment systems fraud. Moreover, private card network rules related to fraud are generally different for signature-based card products than for other payment products (including card products based on a PIN, or personal identification number).

For the purposes of this article, I limit my consideration to signature-based consumer debit cards (which are directly or indirectly linked to, and draw funds for settlement from, a consumer asset account) and credit cards (which are linked to, and draw funds for settlement from, a line of credit extended by the card issuer). These types of debit and credit cards are issued for acceptance on the major credit card networks in the United States: Visa, MasterCard, American Express, and Discover. Of course, there are other payment card forms and other types of accounts that can be accessed using payment cards. These include wireless technology key fobs, biometric account access that uses no card at all, and prepaid cards that access a different type of account altogether. Again, I only discuss signature-based debit and credit cards here because these devices and the accounts they access remain the most prevalent in the retail payment systems marketplace.
Allocation of payment card fraud liability: Public laws and private rules

Determining which party to a given fraudulent payment card transaction has liability for the fraud requires an understanding of both the applicable public legal framework and the private card network rules. A fundamental assumption in this article (and many others, although the point is often unstated) is that the actual wrongdoer—the perpetrator of the fraud—will be unavailable for recovery, and so one of the innocent parties involved in the transaction must be asked to bear the resulting loss. Absent any public laws or private rules to the contrary, the cardholder would be the risk bearer by default unless a benevolent merchant or card issuer agreed to absorb the loss. Luckily enough for cardholders, both public laws and private card network rules intervene to protect cardholders and to reallocate liability for fraud losses among other participants to a fraudulent card payment transaction.

Public law

The public law framework that serves to protect consumer users of credit and debit cards from bearing the full brunt of fraud losses associated with lost or stolen access devices consists of the Truth in Lending Act (TILA), together with Regulation Z, and the Electronic Fund Transfer Act (EFTA), together with Regulation E.7 Historically, Congress has shown a fair degree of restraint in tinkering with TILA and the EFTA.
Instead, Congress has allowed the Board of Governors of the Federal Reserve System to use its regulatory authority to extend appropriate consumer protections to new payment products and account structures through revisions to Regulation Z and Regulation E.8 Likewise, the Federal Reserve Board generally has taken a measured approach in amending Regulation Z and Regulation E to address market developments (for example, transactions initiated by mobile phone) and new funding sources accessed by payment cards (for example, prepaid accounts held by the card issuer in an omnibus account structure).9 The Federal Reserve Board expressly acknowledged its restrained approach to expanding regulations when it promulgated the interim final rule extending Regulation E coverage to payroll cards, noting that the Board was not extending coverage more broadly to prepaid cards because “coverage of such products could impede the development of other card products generally.”10

Truth in Lending Act and Regulation Z

Under TILA and Regulation Z, cardholder liability is capped at $50 for all unauthorized transactions, regardless of whether the fraud occurs in a single transaction or multiple transactions and regardless of when the cardholder learns of the loss or theft of the card or reports the loss or theft to the card issuer.11 The cardholder has no liability for unauthorized activity after alerting the card issuer of the loss or theft of the card (that is, the cardholder’s liability is limited to the lesser of $50 or the amount of fraud committed before the cardholder notifies the card issuer of fraud or the loss or theft of the credit card).12 Regulation Z defines unauthorized use in connection with a credit card as use “by a person, other than the cardholder, who does not have actual, implied, or apparent authority for such use, and from which the cardholder receives no benefit.”13 Unauthorized use of a credit card includes both physical use of a lost or stolen card or fraudulent use of information from a credit card, whether or not the actual device has been lost or stolen.14 Thus, fraudulent use of a credit card number and expiration date to conduct a card-not-present transaction over the Internet constitutes “unauthorized use” according to Regulation Z.

Electronic Fund Transfer Act and Regulation E

The EFTA and Regulation E place a floating cap on a consumer cardholder’s liability for unauthorized debit card use under which the maximum liability amount is determined when the cardholder notifies the card issuer of the loss or theft of the card used to perpetrate the fraud. If the cardholder notifies the card issuer within two business days of learning of the loss or theft of the debit card, the cardholder’s maximum liability is limited to the lesser of the actual amount of unauthorized transfers or $50.15 If the cardholder fails to notify the card issuer within two business days of learning of the loss or theft, the cardholder’s maximum liability is $500, of which only $50 can be attributable to fraud occurring during the first two business days after the cardholder learned of the loss or theft.16 In addition, if the cardholder fails to notify the card issuer of unauthorized activity within 60 days after the card issuer sends a periodic statement reflecting the unauthorized transactions, subject to the $50 and $500 liability caps, the cardholder has unlimited liability for fraudulent transactions occurring after the 60th day.17 It is worth noting that negligence of the cardholder in safeguarding the debit card is not a basis for the card issuer to impose greater liability on the cardholder than is otherwise permissible under the EFTA/Regulation E.18

Regulation E defines an unauthorized electronic funds transfer as a transfer “initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.”19
Unauthorized use under Regulation E includes fraudulent use of information from a debit card, including card number and expiration date, to initiate an electronic fund transfer.

Card network fraud liability rules

TILA/Regulation Z and the EFTA/Regulation E set a baseline maximum of consumer cardholder liability for fraudulent transactions conducted using a credit card or debit card.[20] The effect of this public law regime is to require the card issuer to absorb all fraud liability in excess of the maximum cardholder liability allowed under law. Given the stated purposes of TILA/Regulation Z and the EFTA/Regulation E—to protect consumers—it is not surprising that these laws are not concerned with further allocation of fraud liability after shifting responsibility from the cardholder to the card issuer.[21] The card network rules both enhance the baseline cardholder protections established by TILA/Regulation Z and by the EFTA/Regulation E and further allocate fraud liability from card issuers to merchants based on a complicated set of rules that vary with the type of transaction at issue. The card networks enhance the cardholder protections offered under TILA/Regulation Z and the EFTA/Regulation E through their “zero liability policies.”[22] The card networks allocate fraud liability risk between card issuers and merchants based upon detailed dispute resolution rules, which take into account at least some element of the respective parties’ compliance with network rules designed to detect and deter attempted fraudulent transactions. Whether the card issuer or the merchant in a particular fraudulent transaction ultimately will be liable for the fraud losses depends on whether the merchant followed the payment card rules in connection with the particular transaction. There are numerous permutations of rule requirements for all manner of transaction types.
One of the most significant determinants of whether the card issuer or the merchant in a particular transaction will be responsible for fraud is whether the transaction is a face-to-face transaction (a “card-present transaction”) or a transaction conducted over the Internet, by mail, or by telephone (a “card-not-present transaction”). If one distills the standard requirements across the card networks to their essence, it is generally true that a merchant engaging in a card-not-present transaction may only successfully overcome a cardholder/card issuer allegation that the transaction was the result of fraud if the merchant 1) performed an address verification at the time the transaction was authorized (that is, verified that the person conducting the transaction could validate the billing address associated with the payment card being used); 2) delivered the purchased merchandise to an address that matches the address validated through the address verification; and 3) obtained proof that the purchased goods were delivered to the verified address. If the merchant cannot satisfy these requirements, the card network rules typically shift fraud liability from the card issuer to the merchant. Contrast this to the card-present transaction environment, where a merchant may successfully defend a transaction disputed by the cardholder or card issuer as fraudulent by demonstrating that the card was present at the point of sale and by producing a signed transaction receipt. In the event of such a successful defense, the card issuer typically will be held accountable for the fraud losses.

Do current fraud liability allocation rules create incentives that minimize systemwide fraud losses?

A shorthand way to look at default liability allocation under public law and private rules of the payment card schemes is as follows: 1) Consumers rarely bear meaningful liability for fraudulent transactions unless they benefited from the fraud; 2) issuers typically bear liability for fraud losses perpetrated in card-present transactions; and 3) merchants generally bear liability for fraud losses perpetrated in card-not-present transactions. Taking a systemwide approach to fraud in card-based payment systems, the natural question that follows from the current status quo is whether the rules for fraud liability allocation result in efficient outcomes: That is, are the parties to each payment card transaction vested with appropriate incentives, in the form of fraud liability risk, to encourage each to take reasonable steps to minimize fraud losses viewed from the perspective of the payment system as a whole?

Cardholder liability for fraudulent transactions

There is little doubt that cardholders’ carelessness in protecting their own card information contributes to the incidence of payment card fraud. A recent study commissioned by Canada’s Interac Association found that 60 percent of Canadians do not shield their PIN entry at automated teller machines (ATMs) or point-of-sale terminals when they believe no one is watching them and that 37 percent do not shield their PIN entry even when they believe someone can see them entering it.[23] The extent to which cardholders are regularly negligent in protecting their own card information from potential fraudsters is debatable. On the one hand, cardholders surely do not wish to invite fraud.
On the other hand, while cardholders may not be aware of the nuanced differences in fraud liability protections available under public laws and private rules,[24] it would be difficult for cardholders not to be aware of their protections under the zero liability policies prominently and repeatedly promoted by the card networks.[25] Assuming most consumers understand, at least in some abstract sense, that they are protected from liability for fraud losses regardless of their level of diligence in safeguarding their own information, one wonders whether a greater deductible on the first-dollar insurance coverage mandated by the card networks through zero liability policies would reduce the incidence of fraud by encouraging appropriate risk-avoiding behavior.[26] As it currently stands, the major card networks’ zero liability policies (and even the very low deductibles payable by cardholders under public law) leave in place a significant risk of moral hazard[27] that almost certainly, at least at the margins, contributes to overall systemwide fraud losses. Notwithstanding what appears to be somewhat low-hanging fruit in the effort to achieve systemwide fraud reduction, there are two significant challenges—both likely insurmountable—that make increasing cardholder liability highly unlikely regardless of the efficiency in the outcome it may engender. The first challenge is the increasing trend among legislators and regulators to enact payment-system-related public laws that offer greater consumer protection regardless of the efficiency of the fraud-related outcomes these laws may create.[28] A reversal of this trend among legislators, in particular, is unlikely given increased public attention on consumer protections in payment systems. The second challenge is the need, critical to broad-based user adoption and acceptance of any payment system, for the users to have confidence in the system’s security and safety. Card network operators are constantly searching for ways to induce greater cardholder confidence in the security of making card-based payments—which they hope will result in a correlative increase in transaction volume across the payment system.[29] Designing a card-based payment system that increases consumer liability for fraudulent transactions would likely undermine confidence in the system overall and result in reduced transaction volume—the opposite of the desired effect. Given these counterincentives among those who promulgate the applicable public laws and private rules, increased cardholder liability is likely not a viable option for improving the overall efficiency of fraud liability allocation rules.

Liability for fraudulent transactions: Card issuer versus merchant

If increasing cardholder liability is an improbable outcome of any fraud-reducing reforms to card payment systems at the level of either public law or private rules, then we are left to consider whether adjustments to the allocation of fraud liability between card issuers and merchants under current card network rules might have a desirable effect in reducing systemwide fraud losses. As described previously, the card issuers generally bear fraud liability in card-present transactions and merchants generally bear fraud liability in card-not-present transactions. In the card-present context, existing card network rules may provide inadequate incentives for merchants to take efforts to detect and deter fraudulent transactions. Generally, so long as the presented card is swiped through the point-of-sale terminal and a signature is obtained on the transaction receipt, the merchant will not bear the loss if the transaction is subsequently challenged as fraudulent.
Consequently, the marginal economic benefit to merchants of deploying additional fraud prevention measures, even if effective measures are made available by card issuers and card networks, may well not justify the costs to the merchant of implementation because the merchant stands to gain little. Fraud detection measures in traditional brick-and-mortar sales channels today include the examination of the card for evidence of tampering and a comparison of the signature on the transaction receipt to the signature on the back of the card (although many merchants’ employees do not even glance at the card presented for payment). In contrast, in the card-not-present environment, existing card network rules may create disincentives for card issuers to support and induce their cardholders to participate in fraud prevention efforts. Nowhere is this more evident than in the surprisingly low adoption of card networks’ payer authentication programs.[30] Visa and MasterCard have each developed and actively promoted services designed to assist Internet merchants in authenticating payers: for Visa the Verified by Visa program and for MasterCard the MasterCard SecureCode program. Under both programs, a pre-enrolled cardholder conducting a card-not-present transaction at a participating merchant is asked to provide an authenticating password in a secure pop-up window or frame linked to the card issuer.[31] The pop-up window or frame in which the cardholder is asked to provide the password displays a phrase or image preselected by the cardholder so that the cardholder can validate that the pop-up or frame is linked to the card issuer (a check that defeats a spoofed password prompt only if the cardholder actually looks for the phrase before typing).[32] This bidirectional layer of additional authentication not only deters fraud, but card network rules provide that it also shifts fraud liability risk from the merchant to the card issuer for the verified transaction.
One might think merchants would eagerly adopt these additional security measures and embrace the attendant liability shift to the card issuer for Internet transactions. However, online merchants that have attempted to require customers to enroll in such programs have provoked the ire of their customers. Card issuers have little incentive to expend resources or risk cardholder backlash by requiring participation in such programs given that the benefit would accrue primarily to the merchant, with the added offense of shifting transaction fraud liability to the issuer.[33] In other words, card network rules appear to create the same dilemma of moral hazard in allocating fraud losses between card issuers and merchants in both card-not-present and card-present transactions as is created by public laws and private rules that insulate cardholders from fraud liability.

Conclusion

Empirical evaluation suggests that current public law regimes and private card network rules may fail to create appropriate incentives for cardholders, merchants (in card-present transactions), and card issuers (in card-not-present transactions) to adopt fraud-reducing practices. These rules may also discourage fraud-avoiding behavior in certain circumstances because of the associated costs and efforts involved and the limited benefit to be gained by the party undertaking those costs and efforts. This is not to say the current architecture of public laws and private rules is fundamentally flawed or in need of reworking from the ground up.
As Robert Ballen and Thomas Fox have argued, the current system in which public law and private rulemaking collaborate to create fraud liability rules is capable of functioning effectively to achieve efficiency in payment systems.[34] However, it may be time to reevaluate the incentives created by current card network rules in allocating fraud liability among transaction participants to better align risks with the parties that are able to make efficient decisions regarding how to mitigate them. Increasing cardholder liability is likely not on the table for consideration, but efficiency gains in terms of reduced systemwide fraud losses may well be possible through relatively minor adjustments to the allocation of liability between merchants and card issuers.

NOTES

1. See Federal Trade Commission, 2008, Consumer Fraud and Identity Theft Complaint Data: January–December 2007, report, Washington, DC, February, available at www.ftc.gov/opa/2008/02/fraud.pdf.
2. Federal Deposit Insurance Corporation, 2004, “Putting an end to account-hijacking identity theft,” report, Washington, DC, December 16, available at www.fdic.gov/consumers/consumer/idtheftstudy/background.html.
3. See Bryan A. Garner (ed.), 1999, “Fraud,” Black’s Law Dictionary, 7th ed., Eagan, MN: West Publishing Company, p. 670.
4. See Federal Trade Commission (2008).
5. Card payment fraud can be perpetrated in person, if the fraudster has obtained the actual payment card, or over the Internet or via mail or telephone order, if the fraudster possesses the victim’s name, card account number, expiration date, and card identification number (CID)—also called card verification value (CVV2) or card verification code (CVC2), depending on the card scheme at issue. Many online retailers will accept, and card issuers will approve, transactions in which significantly less information is provided through the online payment channel.
6. One author has suggested that the victims of identity theft spend an average of 40 hours resolving fraudulent transactions and other issues relating to the identity theft. See Erin Fonté, 2007, “Who should pay the price for identity theft?,” Federal Lawyer, September, pp. 24–25.
7. The Truth in Lending Act, which is contained in Title I of the Consumer Credit Protection Act, as amended (15 U.S.C. § 1601 et seq.), was enacted by Congress in 1968 as a consumer protection measure requiring clear disclosure of key terms and costs of lending arrangements. The Federal Reserve Board has promulgated Regulation Z to implement TILA pursuant to authority granted under 15 U.S.C. § 1607. The Electronic Fund Transfer Act (15 U.S.C. § 1693 et seq.) was enacted by Congress in 1978 to establish rights, liabilities, and responsibilities of consumers who use and financial institutions that offer electronic fund transfer services. The Federal Reserve Board has promulgated Regulation E to implement the EFTA pursuant to authority granted under 15 U.S.C. § 1693b.
8. This historical trend has been threatened as of late. During 2007 and 2008, Congress became much more active in proposing and promoting consumer protection bills. See, for example, Credit Cardholders’ Bill of Rights Act of 2008 (H.R. 5244) and Credit Card Reform Act of 2008 (S. 2753).
9. Like Congress, the Federal Reserve Board was much more active in addressing payment market developments during 2008 than it had been historically. For example, on May 19, 2008, the Federal Reserve Board proposed an uncharacteristically sweeping set of amendments to Regulation Z. See Board of Governors of the Federal Reserve System, 2008, “12 C.F.R. Part 226, [Regulation Z; Docket No. R–1286], Truth in Lending; proposed rule,” Federal Register, Vol. 73, No. 97, May 19, pp. 28866–28901. Much of this activity likely stems from the push the Federal Reserve Board is feeling from Congress. The rapid-fire succession of consumer protection bills from Congress appears to have served as a sort of notice to the Federal Reserve Board to regulate or get out of the way.
10. Board of Governors of the Federal Reserve System, 2005, “Electronic fund transfers: Interim final rule; request for public comment,” notice, Docket No. R-1247, Washington, DC, December 30, available at www.federalreserve.gov/boarddocs/press/bcreg/2005/20051230/attachment2.pdf.
11. See 12 C.F.R. § 226.12(b)(1).
12. See id.
13. 12 C.F.R. § 226.12 n.22.
14. See Mark Furletti and Stephen Smith, 2005, “The laws, regulations, and industry practices that protect consumers who use electronic payment systems: Credit and debit cards,” Series on Fraud, Error, and Dispute Protections, Federal Reserve Bank of Philadelphia, Payment Cards Center, discussion paper, No. 05-01, January, available at www.philadelphiafed.org/pcc/papers/2005/ConsumerProtectionPaper_CreditandDebitCard.pdf.
15. See 12 C.F.R. § 205.6(b)(1).
16. See 12 C.F.R. § 205.6(b)(2).
17. See 12 C.F.R. § 205.6(b)(3).
18. 12 C.F.R. pt. 205, Supp. I, § 205.2, cmt. 2(a), note 2.
19. 12 C.F.R. § 205.2(m).
20. As mentioned in the subsection titled “Payment systems fraud generally versus signature-based card fraud,” the present discussion is limited to signature-based debit and credit cards and card networks—meaning that the card network rules considered are those of Visa U.S.A. Inc., MasterCard International Inc., American Express Travel Related Services Company Inc., and Discover Financial Services. Readers may note that TILA/Regulation Z apply the $50 liability cap to all cardholders, not just consumers, while the EFTA/Regulation E apply the limitations on liability only to consumer cardholders. While this is a meaningful distinction, we will assume for purposes of the present discussion that the victimized cardholder is a consumer, whether the card at issue is a credit card or a debit card.
21. According to 15 U.S.C. 1601, “it is the purpose of [TILA] ... to protect the consumer against inaccurate and unfair credit billing and credit card practices.” According to 15 U.S.C. 1693, “the primary objective of [the EFTA] ... is the provision of individual consumer rights.”
22. Regulation Z expressly provides that an agreement between a cardholder and the card issuer may impose lesser liability on the cardholder than is provided for under Regulation Z. See 12 C.F.R. § 226.12(b)(4). Similarly, Regulation E acknowledges that a cardholder and card issuer may agree to a lower cardholder’s liability limit than the Regulation E default. See 12 C.F.R. § 205.6(b)(6). Each of Visa, MasterCard, American Express, and Discover has enacted some form of zero liability policy. The ultimate effect is that, except in very limited circumstances, a card issuer is required to assume, on behalf of its cardholders, even the amount of fraud liability permitted to be passed on to the cardholder under applicable public laws.
23. See Glenbrook Partners LLC, 2006, “Survey shows Canadians not shielding their debit card PIN regularly,” Payments News, October 19, available at www.paymentsnews.com/2006/10/survey_shows_ca.html.
24. Commentators have noted that consumers are unaware of the different regulatory protections that apply based on the source of funding supporting a payment card transaction. See, for example, Marianne Crowe, Scott Schuh, and Joanna Stavins, 2006, “Consumer behavior and payment choice: A conference summary,” Public Policy Discussion Papers, Federal Reserve Bank of Boston, discussion paper, No. 06-1, available at www.bos.frb.org/economic/ppdp/2006/ppdp061.pdf, and Furletti and Smith (2005).
25. For example, Visa’s website informs users of its credit cards and signature-based debit cards that “Visa will always protect you from unauthorized use.” See http://usa.visa.com/personal/security/visa_security_program/zero_liability.html#anchor_2. Likewise, MasterCard advises cardholders that “your card issuer won’t hold you liable in the event of an unauthorized use of your U.S.-issued MasterCard card.” See www.mastercard.com/us/personal/en/cardholderservices/zeroliability.html.
26. The same argument applies, albeit to a slightly lesser degree, to the very low deductibles payable by cardholders in connection with fraud loss insurance mandated by TILA/Regulation Z and the EFTA/Regulation E. In order to truly cause cardholders to take note of their liability exposure and adjust their behavior appropriately, the cardholder deductible would likely need to rise to a level exceeding the current public law maximums.
27. Moral hazard has been defined as “the tendency for the insurance plans to encourage behavior that increases the risk of insured loss” by Allard E. Dembe and Leslie I. Boden, 2000, “Moral hazard: A question of morality?,” New Solutions, Vol. 10, No. 3, pp. 257–279. That definition is consistent with the use of the term for this discussion. If a participant in a given payment system has no risk of loss due to fraudulent transactions, that participant may have little incentive to take actions, even of the simplest nature, to avoid or reduce the likelihood of fraud occurring.
28. Without broadening the discussion to politics in general, recent proposals in Congress to enhance consumer protection laws that would increase substantially the costs to lenders of extending credit—as well as recent amendments to Regulation Z proposed by the Federal Reserve Board to do the same—support this proposition. See note 8.
29. See, for example, Jenny C. McCune, 2000, “Shop the web without the worry—Companies reduce cardholders’ liability,” Bankrate.com, June 19, available at www.bankrate.com/brm/news/cc/20000619.asp.
30. See CyberSource Corporation, 2008, 9th Annual Online Fraud Report, 2008 ed., Mountain View, CA. This report comments on the relatively slow adoption of payer authentication programs since 2003, notwithstanding significant expressions of interest by Internet merchants since 2003.
31. See Federal Reserve Bank of Philadelphia, Payment Cards Center, 2003, “After the hype: E-commerce payments grow up,” discussion paper, No. 03-12, available at www.philadelphiafed.org/pcc/conferences/2003/eCommerce_062003.pdf (see, in particular, the summary of the presentation by Steven W. Klebe, titled “Online fraud: The stakes are rising”).
32. See id.
33. See, for example, Josh Leyden, 2008, “Net shoppers bullied into being verified by Visa,” The Register, August 7, available at www.theregister.co.uk/2008/08/07/verified_by_visa_compulsion/.
34. Robert G. Ballen and Thomas A. Fox, 2008, “The role of private sector payment rules and a proposed approach for evaluating future changes to payments law,” Chicago Kent Law Review, Vol. 83, No. 2, pp. 937–952.

Vulnerabilities in first-generation RFID-enabled credit cards

Thomas S. Heydt-Benjamin, Daniel V. Bailey, Kevin Fu, Ari Juels, and Tom O’Hare

Introduction

An increasing number of credit cards now contain a tiny wireless computer chip and antenna based on RFID (radio frequency identification) and contactless smart card technology.[1] The RFID-enabled credit cards permit contactless payments that are fast, easy, and often more reliable than magnetic stripe card transactions; only physical proximity (rather than contact) is required between this type of credit card and the reader. An estimated 20 million RFID-enabled credit cards and 150,000 vendor readers are already deployed in the U.S. (Bray, 2006). According to Visa USA, “This has been the fastest acceptance of new payment technology in the history of the industry” (Bray, 2006). The conveniences of RFID-enabled credit cards also lead to new risks for security and privacy.
Traditional (magnetic stripe) credit cards require visual access or direct physical contact for retrieving information, such as the cardholder’s name and the credit card number. By contrast, RFID-enabled credit cards make these and other sensitive pieces of data available using a small radio transponder that is energized and interrogated by a reader.

Experimental results

Although RFID-enabled credit cards are widely reported to use sophisticated cryptography,[2] our experiments found several surprising vulnerabilities in every system we examined. We collected two commercial readers from two independent manufacturers and approximately 20 RFID-enabled credit cards issued in the last year from three major payment associations and several issuing banks in the U.S. We were unable to locate public documentation on the proprietary commands used by RFID-enabled credit cards. Thus, we reverse-engineered the protocols and constructed inexpensive devices that emulate both the credit cards and readers. The experiments indicate that all the cards are susceptible to live relay attacks (in which an attacker relays verbatim a message from the sender to a valid receiver of the message), all the cards are susceptible to disclosure of personal information, and many of the cards are susceptible to various types of replay attacks (a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed). In addition, we successfully completed a proof-of-concept cross-contamination attack. Given the size and diversity of our sample set, we believe that our results reflect the current state of deployed RFID-enabled credit cards; however, card issuers continue to innovate and will likely add new security features. Our findings are not necessarily exhaustive, and there may exist cards that use security mechanisms beyond what we have observed.
Background

In this section, we provide some background on the current state and standards of RFID technology and its deployment throughout the United States.

Thomas S. Heydt-Benjamin is a former graduate student at the University of Massachusetts Amherst. Daniel V. Bailey is a senior research scientist at RSA Laboratories in Bedford, Massachusetts. Kevin Fu is an assistant professor in the Department of Computer Science at the University of Massachusetts Amherst. Ari Juels is a chief scientist and director at RSA Laboratories. Tom O’Hare is an employee of Innealta Inc. in Salem, Massachusetts. The authors thank Russell Silva for his assistance in implementing Linux drivers for RFID devices as part of his undergraduate research project at the University of Massachusetts Amherst. They thank Robert Jackson and Prashant Shenoy for sharing their laboratory equipment. They further thank the anonymous reviewers, Simson Garfinkel, Yoshi Kohno, David Molnar, and Adam Stubblefield for reviewing earlier manuscripts. This research was supported in part by grants from the National Science Foundation (award Nos. CNS-052072 and CNS-0627529).

Scale of current deployment

Several large chain stores in the U.S. have deployed many thousands of RFID readers for credit cards: CVS Pharmacies (all 5,300 locations), McDonald’s (12,000 of 13,700 locations), the Regal Entertainment Group of movie theaters, and several other large vendors (Koper, 2006; and O’Connor, 2006). Reports estimate that 20 million to 55 million RFID-enabled credit cards are in circulation, which is 5 percent to 14 percent of all credit cards (Averkamp, 2005; Bray, 2006; and Koper, 2006). In addition to traditional payment contexts, RFID-enabled credit cards are becoming accepted in other contexts such as public transportation (Heydt-Benjamin, Chae, et al., 2006).
The New York City subway (Metropolitan Transit Authority, 2006) recently started a trial of 30 stations accepting an estimated 100,000 RFID-enabled credit cards (SourceMedia Inc., 2006). A participant in this trial uses her credit card as a transit ticket as well as a credit card, in place of the traditional magnetic-stripe-based dedicated subway tickets.

Integration of radio frequency technology into existing credit card infrastructure

In a typical deployment, an RFID-enabled credit card reader is attached to a traditional cash register. Each reader continually broadcasts a radio signal to which RFID-enabled credit cards can respond. The RFID-enabled payment cards that we examined seem to have been designed specifically for easy integration into the existing payment authorization infrastructure. For instance, even though no magnetic stripes are read during an RF transaction, the RFID-enabled credit card readers that we examined reformat the received RFID data into “Track 1 Data” and “Track 2 Data” before passing them along to point-of-sale (POS) terminals. In other words, data are presented to the charge-processing network in the same format regardless of whether the credit card reader received the information from an RF transaction or a traditional swipe of a magnetic stripe. Our work focuses on the first step in a long chain of system interactions: card presentation. When considering the potential impact of the vulnerabilities we have observed in RFID-enabled card presentation, one must take into account the expertise credit card issuers have gained in detecting fraudulent transactions by tracking patterns of behavior (Dougherty, 2000). While detecting fraud is an effective defense against many types of financial risk, it does not prevent invasion of privacy. Our study considers vulnerabilities to privacy that today’s antifraud methods do not prevent.
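Because the readers described above hand the POS terminal ISO 7813 Track 1 and Track 2 strings, whatever an eavesdropper or skimmer captures on the reader side is already in the format the charge-processing network expects. The Python below is an added example, not code from the authors’ study: it parses Track 1/Track 2 strings of that format, validates the account number with the Luhn check digit, and summarizes what a skimmer would learn (name, account number, expiry, whether the service code says the card has a chip). The two sample strings, the test account number 4111111111111111 and the cardholder name are constructed for illustration and were not captured from any card.

```python
"""Parse ISO 7813 Track 1 / Track 2 strings as emitted by a stripe or RFID-to-stripe reader.
Added example; the sample data at the bottom is constructed, not captured."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><3-digit service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
# Track 2: ;<PAN>=<YYMM><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


@dataclass
class TrackData:
    track: int
    pan: str            # primary account number
    expiry_yymm: str
    service_code: str
    name: Optional[str] = None   # only Track 1 carries the cardholder name


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: every second digit from the right is doubled
    (minus 9 if the result exceeds 9) and the digit sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(s: str) -> TrackData:
    """Return the structured fields of a Track 1 or Track 2 string; ValueError otherwise."""
    m = TRACK1_RE.match(s)
    if m:
        return TrackData(1, m["pan"], m["exp"], m["svc"], m["name"].strip())
    m = TRACK2_RE.match(s)
    if m:
        return TrackData(2, m["pan"], m["exp"], m["svc"])
    raise ValueError("not an ISO 7813 Track 1 or Track 2 string")


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer identifier) and last four digits, as a receipt or log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def skim_summary(lines: list) -> dict:
    """What an attacker learns from the reader output.  The PAN is masked here
    because the point is what is exposed, not to store it."""
    tracks = {t.track: t for t in (parse_track(line) for line in lines)}
    if not tracks:
        raise ValueError("no track data")
    t1, t2 = tracks.get(1), tracks.get(2)
    primary = t1 or t2
    return {
        "pan_masked": mask_pan(primary.pan),
        "pan_luhn_ok": luhn_ok(primary.pan),
        "name": t1.name if t1 else None,
        "expiry": primary.expiry_yymm[2:] + "/" + primary.expiry_yymm[:2],
        # service code first digit 2 or 6: "use IC (chip) where feasible"
        "ic_capable": primary.service_code[0] in "26",
        # a reader that rewrites RF data into both tracks should agree with itself
        "tracks_agree": (t1 is None or t2 is None)
        or (t1.pan == t2.pan and t1.expiry_yymm == t2.expiry_yymm),
    }


# Constructed reader output for a well-known test PAN; not data from any real card.
SAMPLE_READER_OUTPUT = [
    "%B4111111111111111^DOE/JOHN^25121011000000000000?",
    ";4111111111111111=25121011000000000?",
]

if __name__ == "__main__":
    for key, value in skim_summary(SAMPLE_READER_OUTPUT).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the constructed sample; as a module, `parse_track` and `skim_summary` can be pointed at the string a reader hands the POS. Note that nothing in these tracks authenticates the reader: a valid PAN, name and expiry are all a card-not-present merchant needs, which is the point of the skimming experiments described below.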
Communications protocol used by RFID-enabled credit cards

All of the credit cards we tested use a communications protocol specified by the International Organization for Standardization (ISO) in a series of documents titled ISO 14443-1 through 14443-4.[3] Our experiments indicate that the cards use the Type B version of this protocol, with an additional proprietary communications layer carried over the ISO 14443-4 layer.

Related work

RFID-enabled credit cards share many of the security and privacy challenges, and many of the same defensive approaches, of other RFID-based authentication and identification systems. We discuss some of these here.

RFID authentication and cloning

Many types of RFID tags merely emit static identifiers, making them easy to clone. These tags are sometimes used in inappropriate contexts such as building access control. Westhues (2005) has demonstrated a simple, inexpensive device that can skim many types of cards at a distance—even through walls—and then simulate them. (Skimming is the theft of credit card information used in an otherwise legitimate transaction.) If unclonability is a security assumption, then this is a security break. More sophisticated tags do not emit static data, but use cryptography to emit different data during different transactions. For example, the Texas Instruments digital signal transponder (DST) is present in the ExxonMobil Speedpass (a keychain RFID device) and is also part of a common theft deterrent system for automobiles. These systems have been shown to be vulnerable because of faulty cryptography (Bono et al., 2005). In contrast with the RFID-enabled credit cards we examined, the DST uses cryptography to increase the difficulty of cloning, but it does not carry personally identifying information, for example, the name of its owner.

Read ranges

Industry claims around the security of RFID devices often hinge on their short read ranges.
Some cautionary notes are in order, however: RFID tags do not have a single, definitive read range (Juels, 2006). While the nominal read range of an RFID tag may be quite short, a nonstandard reader or large antenna can increase the range at which an attacker can skim an RFID tag. The credit cards we examined are ISO 14443-B cards with a nominal range of 4–5 centimeters. Skimming ranges of over 20 centimeters have been demonstrated for cards of this type (Hancke, 2006), and ranges of up to 50 centimeters are hypothesized in the literature (Kfir and Wool, 2005). Furthermore, while skimming requires that a reader power the targeted tag, an attacker performing passive eavesdropping on a session between a legitimate reader and an RFID tag can potentially harvest tag data at a considerably longer range. Claims have surfaced of tests in which e-passports, which rely on the same ISO standard as credit cards, were read at a distance of 30 feet (Yoshida, 2004)⁴ and detected at a distance of 20 meters (EPIC, 2005). Our study makes no claims about the read ranges of RFID-enabled credit cards beyond the observation that characterizing these ranges is not straightforward and constitutes an important open research question.

Methodology and experiments

The following discussion highlights our methodology for testing the security of RFID-enabled credit cards against eavesdropping, skimming, and replay. A more detailed version is available in our technical report (see Heydt-Benjamin, Bailey, et al., 2006).

Eavesdropping experiments

In our eavesdropping experiments, we observed transactions between readers and cards with an oscilloscope attached to an antenna.
Examination of the data thus obtained demonstrated the efficacy of this simple attack, since in all transactions the cardholder’s full name and card expiration date were present in “cleartext” (that is, in a form immediately comprehensible to a human being without additional processing, implying a lack of cryptographic protection). A majority of the cards examined transmitted the credit card number in cleartext, while a minority broadcast a separate (but static) credit card number apparently reserved for wireless transactions. We provide further details in the analysis and results section.

Skimming experiments

In our simplest skimming experiment, we took a commercial RFID-enabled credit card reader and presented it with each of our experimental cards, obtaining in each case ISO 7813 (magnetic stripe style) data. Since these are the exact data normally transmitted by a POS terminal to a charge-processing network, this most naive of skimming attacks is sufficient for the perpetration of certain kinds of financial fraud.

We programmed an RFID reader not intended for credit card use to emulate an RFID-enabled credit card reader. Eavesdropping on transactions between our credit card reader emulator and real RFID-enabled credit cards demonstrated that all of the RFID credit cards we tested responded to our emulator exactly as they respond to a commercial RFID-enabled credit card reader. This strongly suggests that the cards do not use any secure mechanism to authenticate an authorized RFID reader before releasing sensitive information.

Replay experiments

Our credit card emulator is a microprocessor-controlled device with a simple radio, permitting broadcast of arbitrary bytes over the ISO 14443-B transport layer.
We programmed our credit card emulator to expect the RFID-enabled credit card reader commands that we captured during the eavesdropping experiments and then to transmit replies captured from real RFID-enabled credit cards during a skimming attack performed with the reader emulator. In our experiments, commercial readers were unable to distinguish between our emulated card and the real card upon which it was based. Since the output from the card emulator is identical to that of the real card from which it was skimmed, a simple replay attack using this device would succeed. As noted previously, many pieces of data go into an overall transaction approval decision, including sophisticated risk-based fraud detection mechanisms on the back end. For this reason, valuable future research would include field tests in which a credit card emulator is used to perform a purchase in a retail location rather than in a laboratory.

Analysis and results

To protect the identity of our cards, we label the cards A, B, and C based on semantic equivalence classes determined by observing behavior between cards and readers. Table 1 summarizes some of the vulnerabilities of the three classes of cards.

Observations of RFID-enabled credit card protocols

This section explores some of the RFID-enabled credit card protocols that are in current deployment. The analysis is based on the ISO 7813 (magnetic stripe format) data output by the serial port of RFID-enabled credit card readers when presented with different types of credit cards. Where pertinent, our analysis compares this serial output with the raw RF data from the same transactions as captured by our eavesdropping apparatus. In keeping with a philosophy of ethical attacks research, we have redacted several pieces of information from the following subsections, in part to prevent criminal misuse of our findings. The cardholder’s name and the card number have been concealed.
Additionally, we have obscured the number of digits in the card number in order to obscure which observations correlate with the products of specific payment associations and issuing banks.

Table 1: Vulnerabilities of three classes of cards

Card   Payment association   Privacy invasion?   Relay attack?ᵃ   Cross-contamination?   Replay attack?
A      1                     Yes                 Yes              Limitedᵇ               Yesᶜ
B      2                     Yes                 Yes              Limited                Limited
C      3                     Yes                 Yes              No                     Limited

ᵃ Because the cards have no shielding or notion of time, all the cards are susceptible to relay.
ᵇ This attack is proven in the field, but is limited to certain merchants.
ᶜ This card admits unrestricted replay for the readers we tested, while the others induce a race condition.
Notes: This is a summary of susceptibility to various attacks for the three semantic types of cards (A, B, C) from three payment associations (1, 2, 3). A relay attack is one in which an attacker relays verbatim a message from the sender to a valid receiver of the message. A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.

Card A protocol

When presented (RF transaction) with any sample of a card of type A, our reader outputs serial data identical to the data contained on the magnetic stripe of the same credit card (see figure 1). When presented with the same card again, the output is always the same: In the serial output there is no evidence of a counter, one-time password, or any other mechanism for prevention of replay attacks.

Card B protocol

The sample card B output in figure 2 demonstrates the presence of a counter, determined to be such because of its monotonic incrementation with successive transactions. Additionally, we observe three digits that change with each transaction in no pattern that we have identified. Because of the relatively high entropy of these three digits, we consider it likely that they are the output of some cryptographic algorithm that takes the transaction counter as an input. If this is the case, then the algorithm must also take a card-specific value like a cryptographic key as an input, since we observe that different cards with the same counter value produce different codes. We speculate that these data may serve as a stand-in for the traditional card verification code (CVC).

Card C protocol

Card C’s protocol differs from card B’s in a few crucial details:
• Its unique transaction codes are eight digits instead of three;
• Its transaction counter, now located in the cardholder’s name field, displays only three digits instead of four; and
• Rather than sending the embossed card number over the air, it uses a fixed pseudonym.
See figure 3 for the sample card C output.

Analysis of RFID-enabled credit card protocols

In the following sections, we analyze the susceptibility of the card types to replay, relay, cross-contamination, and privacy/tracking attacks. Our analysis considers only the protection mechanisms of the cards and readers; we do not analyze the security of the charge-processing network (for example, the fraud detection algorithms).

Replay attacks

Replay attacks come in several flavors, depending on what data are communicated from the credit card all the way to the back-end charge-processing network. The following describe the different types of replay attacks.
• Unrestricted replay: A card that always reports the same data need be scanned only once. After that, the attacker can replay the captured data at will, and the processing network cannot detect any difference between a replay and successive transactions with a real card. Since we observed the serial output from real POS readers to be always static with respect to cards of type A, we conclude that cards of this type are susceptible to this attack.
• Replay with race condition: A card that uses a transaction counter and rolling code poses more of a challenge if the back-end processing network stores and checks counter values. In such a case, once transaction n has been accepted by the network, transactions numbered less than n should be declined if presented. However, if an adversary skims a transaction from a card and replays that transaction to the network before the legitimate user has a chance to use her card, then the charge-processing network should accept the adversary’s transactions and actually decline the legitimate ones. Although the attacker is faced with a counter synchronization problem, such challenges are far easier to defeat than cryptographic problems (we prefer to base our security on cryptography whenever possible). Cards of type B are susceptible to this attack.
• Counter rollover: If a transaction counter is the only changing input to a code, then the number of possible codes is limited by the maximum possible transaction counter value. There are then two cases. In one case, the counter is permitted to roll over, repeating from the beginning, thus also repeating the codes from the beginning. In the other case, the card refuses to engage in additional transactions after the counter is exhausted. In the first case, an adversary that has sufficient time in proximity to a card can build a database of all possible counter values and their corresponding codes, and therefore can mimic all possible behavior of the target card. In the second case, a denial-of-service attack can be perpetrated against the card if the attacker has sufficient time in proximity to exhaust the counter by repeated skimming. Our experiments determined that cards of type C exhibit this behavior.

Figure 1: Card A
Bxxxxxx6531xxxxxx^DOE/JANE^0906101000000000000000000000000000858000000
xxxxxx6531xxxxxx=09061010000085800000
Notes: This is the serial output from a commercial reader after a radio frequency transaction with a card of type A. See the text and table 1 for further details.

Figure 2: Card B
Bxxxxxx1079xxxxxx^DOE/JANE^0901101100000000000100000000000
xxxxxx1079xxxxxx=09011011000001600221
Bxxxxxx1079xxxxxx^DOE/JANE^0901101100000000000100000000000
xxxxxx1079xxxxxx=09011011000007400231
Notes: This is a sample of the reader serial output after a radio frequency transaction with a card of type B. In this sample there are a three-digit code (set in bold italics in the original figure) and a four-digit counter (underlined in the original). See the text and table 1 for further details.

Figure 3: Card C
Bxxxxxx2892xxxxxx^DOE/JANE 017^1001101010691958
xxxxxx2892xxxxxx=1001101010691958 01700
Bxxxxxx2892xxxxxx^DOE/JANE 018^1001101040146036
xxxxxx2892xxxxxx=1001101040146036 01800
Notes: This is the sample output from a card of type C. Transaction codes are set in bold italics in the original figure, while the transaction counter is underlined. See the text and table 1 for further details.

Relay attack

Even with a hypothetical card that combines a challenge-response protocol with a transaction counter (a case not examined here), the relay attack may still succeed (Hancke, 2005). In an example of a relay attack, the adversary consists of a mole and a proxy that perform a purchase at an innocent user’s expense. The mole possesses a clandestine credit card reader emulator with a (non-RFID) radio link to the proxy’s clandestine credit card emulator. The mole sits down or stands next to the user, and the mole’s device rapidly discovers the user’s credit card. The proxy, receiving this relayed signal, approaches the POS terminal and initiates a purchase. The proxy presents his credit card emulator to the POS terminal. The emulator receives commands from the POS terminal and relays them to the mole’s device, which transmits the commands to the user’s credit card.
The responses from the user’s card are likewise relayed through the mole’s device and are broadcast from the proxy’s emulator to the POS terminal. The purchase should succeed, and the cost will be charged to the user. Observe that even with application-layer challenge-response or transaction-counter protocols, this attack will still succeed, as protocol messages will simply be relayed between the card and reader.

Cross-contamination attack

To analyze the feasibility of a cross-contamination attack, we took a credit card of type A, placed it in a sealed envelope, and performed a “Johnny Carson attack,” reading the card through the envelope using our custom-programmed TI s4100 reader. We combined the data thus obtained with address and telephone information looked up in the telephone directory given the cardholder’s name transmitted through the envelope (for postal mail, the attacker already knows the cardholder’s address!). Using only this information we placed an online purchase for electronic parts from one of our major research parts suppliers. Our purchase was successful, and we conclude that the cross-contamination attack is effective for cards of type A and merchants that do not require a CVC.

Privacy invasion and tracking

Our eavesdropping transcripts show that personally identifying information is broadcast in cleartext by every RFID-enabled credit card we have examined. This must be considered a privacy vulnerability, in that automated full identification of a person carrying an RFID-enabled credit card is easily demonstrated in the lab and should be feasible in the field. This vulnerability is exacerbated by an adversary who could use the full identity disclosure of the RFID-enabled credit card to build up a database of associated pseudonyms based on other RFID tags, with a longer read range, that a user may commonly carry.
In addition, the transaction counter found in some of the cards could be exploited by a vendor: By storing the transaction counter, a retailer could tell how often the card was used to purchase goods from others. Those heavily using their cards might be targeted for specific advertising, for instance.

Countermeasures

In addition to fraud detection to limit financial risk, several other countermeasures could significantly reduce the risk of fraud and invasion of privacy. We discuss some of these countermeasures here.

Shielding and blocking

One countermeasure to some cases of skimming and relay attacks is to ensure that credit cards are unreadable when not in use. A Faraday cage is a physical cover, in the form of a metal sheet or mesh, that is opaque to certain radio waves. Consumers can today purchase Faraday cages in the form of wallets and slipcases to shield their RFID-enabled cards against unwanted scanning (DIFRwear LLC, 2006). Note that this countermeasure offers no protection when the card is in use, since a card must be removed from a shielded wallet before an RF purchase can be made. However, credit card companies ought at least to ship cards through the mail enclosed in a Faraday cage, to obviate the dangers of the Johnny Carson attack. A slightly more sophisticated approach to preventing attacks against dormant RFID devices is to disrupt ambient RFID communication. Blocker tags (Juels, Rivest, and Szydlo, 2003) and the RFID Guardian (Rieback et al., 2006) are two examples of devices that can selectively disrupt RFID communications to offer tag owners improved access control.

Signaling the cardholder’s intent

As an alternative to protections such as the Faraday cage, the credit cards themselves could be modified to activate only after an indication of user intent.
A simple push button would serve this purpose (Selker, 2003), but more sophisticated sensors might serve the same purpose, such as light sensors that render cards inactive in the dark, heat sensors that detect the proximity of the human hand, or motion sensors that detect a telltale “tap-and-go” trajectory. Ultimately, credit card functionality will be incorporated into higher-powered consumer devices, such as near-field-communication-ready (NFC-ready) mobile phones, and will benefit from the security protections of these host devices, such as biometric sensors and increased computational capacity (Carey, 2006).

Better cryptography

Contactless smart cards capable of robust cryptography have long been available. These techniques have already been applied to payment cards in the EMV (EuroPay, MasterCard, Visa) standards, detailed in the next section. If personally identifiable data can only be decrypted by authorized readers, then the danger of many of the privacy invasion attacks discussed here is obviated. Anecdotal accounts suggest payment associations are moving to improve the on-chip cryptographic features of these cards, including challenge-response protocols, to further frustrate replay attacks.

Discussion

As time goes on and technology costs decrease, we can expect issuers to provide more effective cryptographic protocols. Well-established methods to thwart these attacks already exist, and issuers may in fact already be implementing these defenses. But even today, in most cases an attacker has easier avenues than RF-based attacks to perpetrate financial fraud. For instance, simple cloning of cards is often not sufficient to commit fraud: There are many back-end fraud detection measures in place to help thwart fraudulent use of card information. Nevertheless, privacy vulnerabilities should be addressed wherever they are found; privacy invasion may lead to financial fraud, but preventing financial fraud is not the only reason to protect privacy.
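As an added illustration (not the authors’ code) of the replay cases analyzed above and of the back-end checks this discussion refers to, the following simulates an issuer that verifies a per-transaction code and requires a strictly increasing counter, and exercises it with the three card behaviors the article describes. The card model is hypothetical: the code is an HMAC over the counter under a card key, the structure the article speculates for card B; the static card stands in for card A, and the counter-exhausting card for type C.

```python
"""Issuer-side transaction-counter check against the replay cases in the article.

Added example, not the authors' code.  The rolling code (HMAC-SHA256 of the
counter under a per-card key, truncated to three digits) is a hypothetical
stand-in for whatever card B actually computes; the keys below are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

CODE_DIGITS = 3
COUNTER_MAX = 9999      # four-digit counter, as observed on card B

Message = Tuple[str, int, str]   # (card id, transaction counter, code)


def rolling_code(key: bytes, counter: int) -> str:
    """Hypothetical rolling code: keyed MAC over the counter, truncated to digits."""
    mac = hmac.new(key, counter.to_bytes(2, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Card:
    """The counter advances on every RF presentation, legitimate reader or not."""

    def __init__(self, card_id: str, key: bytes, dynamic: bool = True):
        self.card_id, self.key, self.dynamic, self.counter = card_id, key, dynamic, 0

    def tap(self) -> Message:
        if not self.dynamic:                       # card A: same bytes every time
            return (self.card_id, 0, "858")
        if self.counter >= COUNTER_MAX:            # card C: refuses once the counter is spent
            raise RuntimeError("counter exhausted")
        self.counter += 1
        return (self.card_id, self.counter, rolling_code(self.key, self.counter))


class Issuer:
    """Back end: verify the code and require a strictly increasing counter per card."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys, self.highest_seen = keys, {}

    def authorize(self, msg: Message) -> str:
        card_id, counter, code = msg
        if counter == 0:
            return "APPROVED (static data: nothing to check)"
        if not hmac.compare_digest(code, rolling_code(self.keys[card_id], counter)):
            return "DECLINED: bad code"
        if counter <= self.highest_seen.get(card_id, 0):
            return "DECLINED: counter not increasing"
        self.highest_seen[card_id] = counter
        return "APPROVED"


def unrestricted_replay() -> List[str]:
    """Card A case: one captured tap is accepted as often as it is submitted."""
    card, issuer = Card("A", b"", dynamic=False), Issuer({"A": b""})
    captured = card.tap()
    return [issuer.authorize(captured) for _ in range(3)]


def replay_race() -> Dict[str, str]:
    """Card B case: the counter check rejects stale taps, but whichever message
    reaches the issuer first wins, so the owner's own earlier tap can lose."""
    key = b"\x01" * 16                              # constructed card key
    card, issuer = Card("B", key), Issuer({"B": key})
    owner_tap = card.tap()                          # counter 1: owner pays; merchant submits later
    skimmed = [card.tap(), card.tap()]              # counters 2, 3: observed by a third party
    return {
        "skimmed_3_submitted_first": issuer.authorize(skimmed[1]),   # APPROVED
        "skimmed_2_submitted_after": issuer.authorize(skimmed[0]),   # DECLINED: counter not increasing
        "owner_tap_1_submitted_late": issuer.authorize(owner_tap),   # DECLINED: legitimate but stale
        "owner_next_tap": issuer.authorize(card.tap()),              # APPROVED (counter 4)
    }


def taps_until_exhausted(key: bytes = b"\x02" * 16) -> int:
    """Card C case: a card that stops after its counter runs out is disabled
    simply by being presented that many times."""
    card, n = Card("C", key), 0
    try:
        while True:
            card.tap()
            n += 1
    except RuntimeError:
        return n


if __name__ == "__main__":
    print(unrestricted_replay())
    print(replay_race())
    print(taps_until_exhausted())
```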
Comparison with other types of fraud

It is hard to directly compare the security of traditional magnetic stripe cards and RFID-enabled cards. RFID-enabled cards are more secure than their traditional counterparts only against certain kinds of attacks. For example, some traditional card reading mechanisms, such as taking a physical carbon copy of the face of the card, leave a physical image of the card in the hands of a possibly adversarial merchant or clerk. In fact, the use of a magnetic stripe generally means handing one’s card to a clerk who may have nefarious intent. By contrast, an RF transaction leaves behind no physical carbon copy; in fact, the card never leaves the cardholder’s hands. Certainly, the effort required to obtain an RF copy of the transaction is greater in this case. Additionally, some RFID-enabled cards include a unique code for each transaction, replacing the static data in a magnetic stripe. This mechanism protects against some kinds of attacks, but creates opportunities for new types of attacks that cannot be easily addressed by traditional fraud control (such as cardholder tracking attacks). Perhaps the most important difference between RFID-enabled cards and traditional cards is the difference in the cardholder’s control. Whereas a traditional magnetic stripe reveals one’s name and card number only when the artifact is physically handed to a merchant, an RFID-enabled card is in some sense “always on.” The card can be scanned, and privacy can be compromised, remotely without the knowledge or consent of the cardholder.

Comparison with other electronic cards

The relationship between the cards we examined and the EMV series of standards is unclear (EMVCo LLC, 2004). Certainly in Europe, EMV techniques such as the UK’s “Chip and PIN” (personal identification number) are seeing wide deployment and analysis.⁵ But based on our observations, the protocols used by the U.S. contactless cards do not appear in the EMV standards.
It is not clear to us why the U.S. payment associations have chosen to develop new protocols, with significant vulnerabilities, rather than use the more secure protocols that have already been deployed in Europe. We can surmise that this choice was motivated by the prevalence of online readers in the U.S. (some of the expense of supporting the EMV standards has to do with support for off-line operation) and by a focus on contactless operation (whereas most of Europe’s cards are contact-based).

Policy and regulation

Several state legislatures have recently considered bills on RFID. For instance, California Governor Arnold Schwarzenegger recently vetoed his state’s bill SB 768, which would have required interim protections for RFID cards, especially cards carrying personally identifiable information, and a process for figuring out long-term protections (Ferguson, 2006; and Molnar, 2006). The information made available by the cards, including the cardholder’s name and card number, is called personally identifiable information (PII) in the parlance of that bill (Molnar, 2006). Had the bill been signed into law, ID cards issued by the state government carrying PII would have been required to implement mutual authentication and encryption to release the data. While credit cards are not state ID cards, as time goes on we can expect more RFID-related legislation like California’s SB 768 to be introduced. Indeed, U.S. Senator Charles Schumer (D–NY) recently announced his intent to increase federal regulation of RFID-enabled credit cards (Chan, 2006). Beyond regulation, it is an important open question how best to offer incentives for all custodians of personal data to take adequate precautions. Risk management is critical to the financial industry. However, as researchers and providers of risk management, we have yet to find a satisfying definition of privacy. How do we quantify user privacy when different users place a different value on privacy?
In hard figures, how does this value affect the bottom line of businesses that are custodians of personal data?

Conclusion

Despite the millions of RFID-enabled payment cards already in circulation, and the large investment required for their manufacture, personalization, and distribution, all the cards we examined are susceptible to privacy invasion and relay attacks. Some cards may be skimmed once and replayed at will, while others pose a modest additional synchronization burden to the attacker. After reverse-engineering the secret protocols between RFID-enabled credit cards and readers, we were able to build a device capable of mounting several advanced replay attacks under laboratory conditions. While absolute security and privacy in a contactless card form factor may be impossible to achieve, we hope that the next generation of RFID-enabled payment systems will protect against the vulnerabilities that our study identifies.

NOTES

1 This article was originally published as Heydt-Benjamin, Bailey, et al. (2008). The full version of this paper appears as a University of Massachusetts Amherst technical report (Heydt-Benjamin, Bailey, et al., 2006). See www.rfid-cusp.org for the latest version.
2 See Associated Press (2003), Greenemeier (2006), Harper (2005), HowStuffWorks Inc. (2006), O’Connor (2005), and Schuman (2005).
3 See International Organization for Standardization and International Electrotechnical Commission (2006).
4 While the referenced report is short on details, it seems likely that the tests involved passive eavesdropping of some kind, rather than direct skimming.
5 See Adida et al. (2006); Anderson, Bond, and Murdoch (2006); and UK Chip and PIN Program (2006).

REFERENCES

Adida, B., M. Bond, J. Clulow, A. Lin, S. Murdoch, R. Anderson, and R. Rivest, 2006, “Phish and chips (traditional and new recipes for attacking EMV),” University of Cambridge, Computer Laboratory, technical report, available at www.cl.cam.ac.uk/~mkb23/research/Phish-and-Chips.pdf.
Anderson, R., M. Bond, and S. Murdoch, 2006, Chip and SPIN!, available at www.chipandspin.co.uk/problems.html.
Associated Press, 2003, “Wave the card for instant credit,” Wired.com, December 14, available at http://tinyurl.com/yc45ll.
Averkamp, J., 2005, “ITS Michigan: Wireless technology and telecommunications,” presentation to Intelligent Transportation Society of Michigan, May 24, available at www.itsmichigan.org/ppt/AM2005/Joe.ppt.
Bono, S., M. Green, A. Stubblefield, A. Juels, A. Rubin, and M. Szydlo, 2005, “Security analysis of a cryptographically enabled RFID device,” paper at 14th USENIX Security Symposium, Baltimore, MD, July 31–August 5.
Bray, H., 2006, “Credit cards with radio tags speed purchases but track customers, too,” Boston Globe, August 14, available at http://tinyurl.com/lmjt4.
Carey, D., 2006, “NFC turns phone into a wallet,” EE Times, September 18.
Chan, S., 2006, “Manhattan: Warning about credit risks,” New York Times, December 4, available at www.nytimes.com/2006/12/04/nyregion/04mbrfs-credit.html.
DIFRwear LLC, 2006, “DIFRwear: Faraday-caged apparel,” available at www.difrwear.com.
Dougherty, G., 2000, “Real-time fraud detection,” Massachusetts Institute of Technology (MIT), Lab for Computer Science (LCS), Applied Security Reading Group, report, February 28, available at http://pdos.csail.mit.edu/asrg/02-28-2000.html and http://pdos.csail.mit.edu/asrg/02-28-2000.doc.
EMVCo LLC, 2004, EMV Integrated Circuit Card Specifications for Payment Systems, Version 4.1, May, available at http://tinyurl.com/oo663.
EPIC (Electronic Privacy Information Center), 2005, “E-passport mock point of entry test, November 29 thru December 2, 2004: Operational impact on the inspection process,” report, Washington, DC, August 24, p. 48, available at www.epic.org/privacy/us-visit/foia/mockpoe_res.pdf.
Ferguson, R. B., 2006, “Schwarzenegger quashes RFID bill,” eWeek.com, October 4, available at http://tinyurl.com/y29z6s.
Greenemeier, L., 2006, “Visa expands contactless card efforts,” InformationWeek, March 27, available at http://tinyurl.com/ykzo4t.
Hancke, G. P., 2006, “Practical attacks on proximity identification systems (short paper),” in Proceedings of the 2006 IEEE Symposium on Security and Privacy, Los Alamitos, CA: IEEE Computer Society, pp. 328–333.
Hancke, G. P., 2005, “A practical relay attack on ISO 14443 proximity cards,” University of Cambridge, Computer Laboratory, technical report, February.
Harper, J., 2005, “RFID wiggles its way into credit cards?,” Politech, email to Declan McCullagh on mailing list, May 20, available at http://lists.jammed.com/politech/2005/05/0038.html.
Heydt-Benjamin, T. S., D. V. Bailey, K. Fu, A. Juels, and T. O’Hare, 2008, “Vulnerabilities in first-generation RFID-enabled credit cards,” in Financial Cryptography and Data Security: 11th International Conference, FC 2007, and 1st International Workshop on Usable Security, USEC 2007, Scarborough, Trinidad and Tobago, February 12–16, 2007, Revised Selected Papers, Sven Dietrich and Rachna Dhamija (eds.), Berlin; Heidelberg, Germany; and New York: Springer, pp. 2–14.
Heydt-Benjamin, T. S., D. V. Bailey, K. Fu, A. Juels, and T. O’Hare, 2006, “Vulnerabilities in first-generation RFID-enabled credit cards,” University of Massachusetts Amherst, technical report, October 22, No. CS TR-2006-055.
Heydt-Benjamin, T. S., H. J. Chae, B. Defend, and K. Fu, 2006, “Privacy for public transportation,” in Privacy Enhancing Technologies: 6th International Workshop, PET 2006, Cambridge, UK, June 28–30, 2006, Revised Selected Papers, G. Danezis and P. Golle (eds.), Berlin; Heidelberg, Germany; and New York: Springer, pp. 1–19.
HowStuffWorks Inc., 2006, “How blink technology works,” HowStuffWorks, available at http://money.howstuffworks.com/blink1.htm.
International Organization for Standardization and International Electrotechnical Commission, 2006, “ISO/IEC 14443, proximity cards (PICCs),” technical report, available at http://wg8.de/sd1.html.
Juels, A., 2006, “RFID security and privacy: A research survey,” IEEE Journal on Selected Areas in Communication, Vol. 24, No. 2, February, pp. 381–394.
Juels, A., R. L. Rivest, and M. Szydlo, 2003, “The blocker tag: Selective blocking of RFID tags for consumer privacy,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, S. Jajodia, V. Atluri, and T. Jaeger (chairs), New York: Association for Computer Machinery, pp. 103–111.
Kfir, Z., and A. Wool, 2005, “Picking virtual pockets using relay attacks on contactless smartcard systems,” Proceedings of IEEE/Create-Net SecureComm 2005, 5–9 September 2005, Athens, Greece, Los Alamitos, CA: IEEE Computer Society.
Koper, S., 2006, “Contactless acceptance made easy for business payment systems,” presentation at BPS 2006 Summer Conference, Las Vegas, NV, available at http://tinyurl.com/sjte6.
Metropolitan Transit Authority, 2006, “Fares and MetroCard,” New York City, available at http://tinyurl.com/y5egfd.
Molnar, D., 2006, personal communication.
O’Connor, M. C., 2006, “At McDonald’s, ExpressPay fits the bill,” RFID Journal, January 23, available at http://tinyurl.com/yc58sa.
O’Connor, M. C., 2005, “Chase offers contactless cards in a blink,” RFID Journal, May 24, available at http://tinyurl.com/yzy9u5.
Rieback, M., G. Gaydadjiev, B. Crispo, R. Hofman, and A. Tanenbaum, 2006, “A platform for RFID security and privacy administration,” in Proceedings of the 20th Conference on Large Installation System Administration, New York: Association for Computer Machinery, pp. 89–102.
Schuman, E., 2005, “How safe are the new contactless payment systems?,” CIO Insight, June 20, available at http://tinyurl.com/y9a525.
Selker, E., 2003, “Manually operated switch for enabling and disabling an RFID card,” Massachusetts Institute of Technology, technical report, and United States Patent, No. 20030132301.
SourceMedia Inc., 2006, “PayPass subway trial starts in New York,” Card Technology, July 12, available at http://tinyurl.com/uya3k.
UK Chip and PIN Program, 2006, Chip and PIN website, available at www.chipandpin.co.uk.
Westhues, J., 2005, “Hacking the prox card,” in RFID: Applications, Security, and Privacy, S. Garfinkel and B. Rosenberg (eds.), Reading, MA: Addison-Wesley Professional, pp. 291–300.
Yoshida, J., 2004, “Tests reveal e-passport security flaw,” EE Times, August 30, available at http://tinyurl.com/surgr.