45 posts categorized "Payments Processors" Feed

Western Union Admitted To Money-Laundering Charges. To Pay $586 Million Fine

Western Union Company logo A news item you may have missed during the run-up to the Presidential Inauguration. The U.S. Federal Trade Commission (FTC) announced settlement agreements with Western Union where the company admitted to money-laundering charges and agreed to pay $586 million in fines and restitution.

Western Union inked settlement agreements with the FTC, the Justice Department (DOJ), and with several U.S. Attorneys’ Offices: the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. The FTC announcement stated:

"In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud... According to admissions contained in the deferred prosecution agreement (DPA) with the Justice Department and the accompanying statement of facts, Western Union violated U.S. laws—the Bank Secrecy Act (BSA) and anti-fraud statutes—by processing hundreds of thousands of transactions for Western Union agents and others involved in an international consumer fraud scheme. As part of the scheme, fraudsters contacted victims in the U.S. and falsely posed as family members in need or promised prizes or job opportunities. The fraudsters directed the victims to send money through Western Union to help their relative or claim their prize. Various Western Union agents were complicit in these fraud schemes, often processing the fraud payments for the fraudsters in return for a cut of the fraud proceeds."

The FTC alleged in a complaint filed in U.S. District Court for the Middle District of Pennsylvania that the company’s conduct violated the FTC Act. The complaint alleged that fraudsters globally used Western Union’s money transfer system for many years, even after the company was aware of the problems. The complaint also alleged that some Western Union agents were complicit in fraud. Also, the FTC’s complaint alleged that Western Union failed to implement effective anti-fraud policies and procedures, and it failed to act promptly against problem agents (e.g., suspensions, terminations).

Also, the announcement described the extent and duration of the fraud:

"The BSA requires financial institutions, including money services businesses such as Western Union, to file currency transaction reports (CTRs) for transactions in currency greater than $10,000 in a single day. To evade the filing of a CTR and identification requirements, criminals will often structure their currency transactions so that no single transaction exceeds the $10,000 threshold. Financial institutions are required to report suspected structuring... Western Union knew that certain of its U.S. Agents were allowing or aiding and abetting structuring by their customers. Rather than taking corrective action to eliminate structuring at and by its agents, Western Union, among other things, allowed agents to continue sending transactions... Beginning in at least 2004, Western Union recorded customer complaints about fraudulently induced payments in what are known as consumer fraud reports (CFRs). In 2004, Western Union’s Corporate Security Department proposed global guidelines for discipline and suspension of Western Union agents that processed a materially elevated number of fraud transactions. In these guidelines, the Corporate Security Department effectively recommended automatically suspending any agent that paid 15 CFRs within 120 days. Had Western Union implemented these proposed guidelines, it would have prevented significant fraud losses to victims and would have resulted in corrective action against more than 2,000 agents worldwide between 2004 and 2012."

U.S. Attorney Eileen M. Decker of the Central District of California said:

"Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers... In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes."

U.S. Attorney Bruce D. Brandler said:

"The U.S. Attorney’s Office for the Middle District of Pennsylvania has a long history of prosecuting corrupt Western Union Agents... Since 2001 our office, in conjunction with the U.S. Postal Inspection Service, has charged and convicted 26 Western Union Agents in the United States and Canada who conspired with international fraudsters to defraud tens of thousands of U.S. residents via various forms of mass marketing schemes. I am gratified that the deferred prosecution agreement reached today with Western Union ensures that $586 million will be available to compensate the many victims of these frauds."

Terms of the settlement agreements require Western union to:

  • Pay a monetary judgment of $586 million,
  • Implement and maintain a comprehensive anti-fraud program with training for its agents and their front line associates,
  • Monitor to detect and prevent fraud-induced money transfers,
  • Conduct due diligence on all new and renewing company agents, plus suspend or terminate non-compliant agents,
  • Stop transmitting money transfers it knows or reasonably should know are fraud-induced,
  • Block money transfers sent to any person who is the subject of a fraud report,
  • Provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms,
  • Increase the availability of websites and telephone numbers that enable consumers to file fraud complaints,
  • Refund fraudulent money transfers if it failed to comply with its anti-fraud procedures, and
  • Not process money transfers it knows or should know are payments for telemarketing transactions.

Western Union's compliance with these requirements will be monitored for three years by an independent compliance auditor. Western Union said in a January 19th press release:

"The Western Union Company (NYSE: WU) today announced agreements with the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) that resolve previously disclosed investigations focused primarily on the Company’s oversight of certain agents and whether its anti-fraud program, as well as its anti-money laundering controls, adequately prevented misconduct by those agents and third parties. The conduct at issue mainly occurred from 2004 to 2012."

"As part of this resolution, Western Union will enter into a deferred prosecution agreement with the DOJ and a consent order with the FTC. The Company will pay a total of $586 million to the federal government, which is to be used to reimburse consumers who were victims of fraud during the relevant period. Western Union also will take specific actions to further enhance its oversight of agents and its protection of customers... Over the past five years, Western Union increased overall compliance funding by more than 200 percent, and now spends approximately $200 million per year on compliance, with more than 20 percent of its workforce currently dedicated to compliance functions. The comprehensive improvements undertaken by the Company have added more employees with law enforcement and regulatory expertise, strengthened its consumer education and agent training, bolstered its technology-driven controls and changed its governance structure so that its Chief Compliance Officer is a direct report to the Compliance Committee of the Board of Directors."

"... [Western Union] will simultaneously resolve, without any additional payment or non-monetary obligations, potential claims by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) relating to conduct in the 2010 to 2012 period that FinCEN contended violated the Bank Secrecy Act. The Company received a notice of investigation from FinCEN in mid-December 2016. The separate agreement with FinCEN sets forth a civil penalty of $184 million, the full amount of which will be deemed satisfied by the $586 million compensation payment under the DOJ and FTC agreements."


Federal Reserve Study: Noncash Payments In The United States

Americans still love to use the plastic in their wallets and purses. Just before the holidays, the Federal Reserve Board (FRB) released the results of its study about how Americans use non-cash payment methods: debit cards, credit cards, prepaid cards, ACH payments, and checks. The study included the total number and value of non-cash payments by consumers and businesses through 2015.

The total number of U.S. non-cash payments was more than 144 billion payments with a value of almost $178 trillion in 2015. That represented an increase of almost 21 billion payments or about $17 trillion since 2012. Other key findings from the study:

"The number of debit card payments (including payments with prepaid and non-prepaid cards) grew to 69.5 billion in 2015 with a value of $2.56 trillion, up 13.0 billion or $0.46 trillion since 2012. This was the largest increase in number of payments among the payment types considered. Debit card payments grew at an annual rate of 7.1 percent by number or 6.8 percent by value from 2012 to 2015 with most of the growth occurring in non-prepaid debit card payments. The number of credit card payments reached 33.8 billion in 2015 with a value of $3.16 trillion, up 6.9 billion or $0.61 trillion since 2012. Credit card payments grew at an annual rate of 8.0 percent by number or 7.4 percent by value from 2012 to 2015, the largest growth rates among the payment types considered... The number of check payments fell to 17.3 billion with a value of $26.83 trillion, down 2.5 billion or $0.38 trillion since 2012. Check payments fell at an annual rate of 4.4 percent by number or 0.5 percent by value from 2012 to 2015. The decline of checks over the period was slower than previous studies had shown for prior periods since 2003."

Prepaid cards typically include gift cards and payroll cards which consumers load money onto and which aren't linked to bank accounts (e.g., checking, savings). Past studies have documented numerous fees with prepaid cards while some consumers use prepaid cards instead of traditional bank accounts. "Non-prepaid debit cards" refer to debit cards linked to traditional bank accounts.

There are significant differences between the volume and value for each non-cash payment type. For example, debit cards generated the largest share of payment volume and the smallest share by value:

Figure 1: Distribution of noncash payments by type, volume and value in 2015. FRB Study 2016. Click to view larger version

Another way of looking at the variety of non-cash payment types is the volume of payments over time:

Figure 2: Volume of noncash payments from 2000 to 2015. FRB Study 2016. Click to view larger version

Additional findings about prepaid cards:

"The number of prepaid debit card payments reached 9.9 billion with a value of $0.27 trillion in 2015, up 0.6 billion or $0.04 trillion since 2012. Almost all of the growth in prepaid debit card payments by number and value came from general-purpose prepaid cards, which can be used over the same general-purpose networks as non-prepaid debit cards. General-purpose prepaid card payments increased to 3.7 billion in 2015 by number, up 0.6 billion from 2012 to 2015, which was much less than the growth of 1.8 billion from 2009 to 2012... The average value of payments using these types of cards dropped slightly from $35 in 2012 to $34 in 2015.

Private-label prepaid card payments declined slightly by number, but rose somewhat by value from 2012 to 2015. In 2012, such payments totaled 3.7 billion by number or $0.05 trillion by value, while, in 2015, they totaled 3.6 billion by number or $0.07 trillion by value. Private-label prepaid card payments dropped at an annual rate of 0.3 percent by number but rose 15.0 percent by value. Hence, the average value of these payments rose from $13 to $20.

Payments made by prepaid EBT cards increased slightly from 2.5 billion in 2012 to 2.6 billion in 2015, or 1.7 percent per year, while the value of these payments also increased slightly from $0.07 trillion to $0.08 trillion, or 0.20 percent per year. The average value of prepaid EBT card payments declined slightly, from $30 to $29.

In 2015, non-prepaid debit and general-purpose prepaid cards were used in 5.8 billion cash withdrawals at ATMs, virtually the same level as in 2012, after dropping from 6.0 billion ATM cash withdrawals in 2009. The average value of ATM cash withdrawals rose from $118 to $122 between 2012 and 2015, continuing an upward trend in average value since 2003."

To minimize fraud and waste, banks and retailers began the migration to chip cards in the United States in 2015. The FRB study included findings about fraud:

"Payments with general-purpose cards using embedded microchips, which improve the security of in-person payments to help prevent fraud, have grown by 230 percent per year since 2012. But payments with the chip-based cards amounted to only about 2 percent share of total in-person general-purpose card payments in 2015, reflecting the early stages of a broad industry effort to roll out chip card technology. In 2015, the proportion of total general-purpose card fraud by value attributed to counterfeiting, the most prevalent type of in-person card fraud in the United States, was substantially greater than in countries where chip technology has been more widely adopted."

The United States was one of the last developed countries to switch to chip cards. So, chip card usage in the United States still has a long way to go. The types of fraud with debit/credit/prepaid cards:

  • Counterfeit card: Fraud is perpetrated using an altered or cloned card.
  • Lost or stolen card: Fraud is undertaken using a lost or stolen card.
  • Card issued but not received: A newly issued card sent via postal mail to a cardholder is intercepted and used to commit fraud.
  • Fraudulent application: A new card is issued based on a fake identity or on someone else’s identity.
  • Other: “Other” fraud includes account takeover and other types of fraud not covered above.
  • Fraudulent use of account number: Fraud is perpetrated without using a physical card.

Fraud is perpetrated via two channels: 1) in-person when the cardholder has their card, and 2) remote when the cardholder is not present (e.g., postal mail, online, telephone). To learn more, download the "2016 Federal Reserve Payments Study" (Adobe PDF) and/or read the FRB announcement.


Data Breaches At HEI Hotels & Resorts Affects 20 Properties In At Least 10 States

HEI Hotels and Resorts logo On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

State City & Property
California La Jolla: San Diego Marriott La Jolla
Pasadena: The Westin Pasadena
San Diego: Renaissance San Diego Downtown Hotel
San Francisco: Le Meridien San Francisco
Santa Barbara: Hyatt Centri Santa Barbara
Colorado Snowmass Village: The Westin Snowmass Resort
District of Columbia Washington: The Westin Washington DC City Center
Florida Boca Raton: Boca Raton Marriott at Boca Center
Fort Lauderdale: The Westin Fort Lauderdale
Miami: Royal Palm South Beach Miami
Tampa: InterContinental Tampa Bay
Illinois Chicago: Hotel Chicago Downtown
Minnesota Minneapolis: The Hotel Minneapolis Autograph Collection
Minneapolis: The Westin Minneapolis
Pennsylvania Philadelphia: The Westin Philadelphia
Tennessee Nashville: Sheraton Music City Hotel
Texas Fort Worth: Dallas Fort Worth Marriott Hotel & Golf Club
Vermont Manchester Village; Equinox Resort Golf Resort & Spa
Virginia Arlington: Le Meridien Arlington
Arlington: Sheraton Pentagon City

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?


Facts About Debt Collection Scams And Other Consumer Complaints

Logo for Consumer Financial Protection Bureau The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam are attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect. "

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists 20 companies with the most debt-collection complaints during October through December 2015. The top five companies with with average monthly complaints about debt collection are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

Companies with the most complaints. CFPB March 2016 Monthly Complaints Report. Click to view larger image

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, prepaid cards, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.


Survey: Bankers Expect Consumers To Use Wearable And Smart Home Devices For Banking

Pegasystems logo Would you use a smart watch, fitness band, or other wearable device for banking? How about your smart television or refrigerator? Many bankers think you will, and are racing to integrate a broader range of mobile devices and technologies into their banking services. A recent survey of financial executives found that:

"... 20 per cent expect it to be common for consumers to make financial transactions using wearables within one year, 59 per cent within two years and 91 per cent within five years... 87 per cent expect it to be common for consumers to make financial transactions using Smart TVs and 68 per cent via home appliances."

The survey included 500 executives globally in several financial areas: banking, financial advice, consumer finance, investment management, insurance, and payments. So, consumers are likely to see these changes not just at your bank, but in a variety of financial and insurance transactions. Here's why:

"... too many banks are out of touch with what customers really want: one survey found 62 per cent of retail banking executives believed their bank offered excellent service compared to just 35 per cent of customers.... Millennials will have annual spending power of US$1. trillion [in 2020] and represent 30 per cent of total retail sales... Millennials not only have an appetite for disruptive new technologies but also an affinity with brand-savvy digital leaders... The Millennial Disruption Index, a three-year study of industry disruption conducted by Viacom subsidiary Scratch, found that banking was most vulnerable to disruption..."

The report discussed the desire by executives to serve customers via a variety of methods:

"Today’s customers expect a flawless end-to-end experience across all channels, yet fewer than 4 per cent of our respondents say they have achieved full omni-channel integration... by 2020, 89 per cent of our respondents expect to achieve full omni-channel integration. This either suggests a massive surge of investment over the next five years – or an industry in denial about the scale of the task ahead... 70 per cent expect video chat to largely replace branch appointments. Indeed, six out of ten now believe a digital-only channel model is viable."

Bankers view the Internet-of-Things (IoT) as both a collection of endpoint devices to provide services through, and a rich source of data:

"...93 per cent agree that finding innovative ways to provide value-added services to customers based on data-driven insight will be crucial to long-term success... 86 per cent agree that once consumers recognize the data potential of the IoT they will increasingly seek to benchmark their own behavior against their peers..."

Banks will probably develop more non-human (e.g., self-service) interfaces:

"... 76 per cent agree the widespread use of virtual assistants such as Siri on the iPhone means customers are more willing to engage with automated assistance and advice... almost three quarters of our respondents agree that in the future customers will interact with a human-like avatar..."

Another technology being considered:

"... 60 per cent [of survey respondents] believe that blockchain, a distributed public ledger which can securely record any information and the ownership of any asset, will prove to be the most significant technology development to affect financial services since the Internet and 45 per cent think the combination of blockchain wallets and peerto-peer (P2P) lending could herald the end of banking as we know it... 12 per cent expect the settlement of insurance claims using IoT data, blockchain and smart contracts to be mainstream practice within two years and 74 per cent expect it to be mainstream by 2025..."

Don't expect your bank to provide these new services next week or next month. It will take them time. New systems must be built, tested, debugged, and integrated with legacy computer systems and processes. All of this suggests that to fund their investments in innovation projects, banks probably won't lower their retail banking prices and fees (e.g., checking, savings, etc.) any time soon. While writing this blog the past 8+ years, I've found it wise to always keep an eye on the banks.

Download "The Future of Retail Financial Services" report by Cognizant, Marketforce, and Pegasystems.


Smart Devices Create Challenges And Privacy Threats For Consumers, Part 2

Part one discussed the challenges and privacy threats smart devices for the home create for consumers. Today's blog post discusses data ownership, and how to shop wisely.

You've probably heard the terms: Internet of Things. Smart Home. Connected home. All refer to the myriad of devices in your home that are connected to the Internet, outfitted with sensors, collect information about your usage (e.g., who, what, when, where, why, and how long), and transmit that digital information collected to the device manufacturer and others.

The collected information is often shared with corporate partners or affiliates, such as the device's operating system software developer and mobile payments provider. (See this chart for partners by payment type.) Data may also be shared with the Internet Service Provider and/or the wireless service provider (for mobile apps).

The types of devices vary far beyond smart phones and tablets. Some include security, lighting, temperature controls, and safety devices (e.g., smoke alarms, carbon monoxide detectors). Some may be toys used by very young children. Some may be fitness devices that collect your health information and transmit it to entities not bound by HIPAA and HITECH laws.

This data collection isn't new. It's been happening long before the Internet and smart phones. You might say that digitization and mobilization made the data collection far easier and far more extensive.

A wise consumer is bound to ask: who owns the data these collect (and transmit) about me and my family? Great question. ZD Net explored the answer:

"According to law firm Taylor Wessing, end users don't really have ownership rights to the data gathered by off-the-shelf systems they've installed. If you've rolled out a smart home set-up, you can't legitimately claim that all the details about when you switched on your lights or opened your garage belong to you and you alone."

The term "end users" refers to consumers... you. So, consumers in the United States have few property rights. That means you have little control over the data collection and sharing with others. Not good.

And, it's worse because devices don't always indicate when they are recording your activity, what you do and say:

"... One recent high profile misstep case in point: the privacy policy for Samsung smart TVs told customers that if they had discussed personal or sensitive information in front of the TV, "that information will be among the data captured and transmitted to a third party through your use of Voice Recognition", causing consternation among users. The company subsequently published a blog to explain to users exactly how and when their TVs were listening in."

Whatever smart home devices you purchase, shop wisely:

  1. Read both the terms of conditions and privacy policies before purchase. If you don't like the terms, don't buy it and keep shopping for alternatives.
  2. Buy devices that include regular software updates, just like your computer. This helps protect you (and the data collected about you and your family) against malware, hacks, and computer viruses by unauthorized persons.
  3. Buy devices that are truly smart. Avoid devices that are simply outfitted with a touch-screen and Internet connection. You're probably paying (a lot) more, so make sure you get more. And,
  4. Buy devices with robust privacy settings, so you can control what information you share, when, and how.

What do you consider when shopping for smart devices for your home?


Mobile Banking In Africa Without Banks

Last night, the "60 Minutes" news magazine broadcast an interesting segment about mobile banking in Kenya without banks. Since 80 percent of citizens have mobile phones, the country' took the innovative approach of allowing consumers to easily and securely pay for products and services via their mobile phone provider.

Meet M-PESA. Mobile banking without banks.

It is possible. It can happen. No bank accounts. No credit reports. No prepaid cards. No payroll cards. No digital wallets. No payment processors. And, Kenyans don't need the latest Apple iPhone or Android Galaxy phone. A far simpler system. Safaricom, the Kenyan mobile service provider, launched M-PESA in 2007. The mobile payments system was designed for the most basic phones with text messaging capabilities. A smart approach that puts consumers' needs first.

The segment highlights several issues:

  • All digital wallets are built based upon traditional banks and payment processors. No so with M-PESA
  • Silicon Savannah: digital innovation is happening globally, and not only in Silicon Valley
  • Banking deserts: traditional banking, with branch offices and tellers, comes with a cost structure making it difficult to provide services to poor people. Yes, there are banking deserts in the USA, too. (Bankers prefer to label consumers in banking deserts as unbanked or underbanked.) Read about HOPE which servers farmers in the USA
  • We live in disrupting times. Online services like AirBnB and Home Away have disrupted the hotel industry. Services like Lyft and Uber have disrupted the taxi industry. Perhaps, the banking industry is next, given its hold on politicians, politics, government regulation, and the economy by "too big to fail" banks or "too big to jail" bankers
  • Mobile devices are marketed in the USA like cars, with slick advertisements that imply: in order to be happy and productive, consumers must have the latest device. The Kenyan M-PESA system proves otherwise.

Watch the 60 Minutes segment, "The Future of Money" or read the transcript. What are your opinions of M-PESA? Of banking deserts?


The CFPB Helps Consumers

The Consumer Financial Protection Bureau (CFPB) helps consumers in many ways. To learn more, read:


Today is The Date Banks Set To Transition To New Chip Cards. Are We There Yet?

Today, October 1, 2015 is the date banks and card issuers set to transition to the new EMV chip cards. The transition was to reduce card fraud. EMV is the name of the technology jointly developed by Europay, MasterCard, and Visa. Was the transition completed? The American Banker reported:

"Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN... Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work. But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting."

So, the transition is incomplete. In Europe, the United Kingdom transitioned to chip-and-PIN in 2006, and saw store-related card fraud drop 70 percent. The PIN is a short number the cardholder enters at the terminal to authorize their purchase. Chip-and-signature refers to new chip cards when the cardholder signs at the terminal to authorize their purchase.

It' is troubling that many retailers in the USA haven't upgraded to the new terminals. The result: consumers will encounter a frustrating mix of stores with and without the new chip card terminals. Cardholders will have to insert their chip cards at stores with the new terminals, and swipe the swipe the magnetic stripe on the back of their chip cards at stores without the new terminals.

The new chip cards contain both a chip that encrypts and stores your sensitive payment information, plus the obsolete magnetic stripe on the back of the card, which fraudsters have used to clone cards. Some experts have criticized this approach, arguing that the less-secure magnetic stripes should have been eliminated. The counter argument:

"Duplicating the chip on a chip card is difficult if not impossible [for ciminals]. Most new cards are being issued with both a magnetic stripe and a chip and the new EMV terminals accept both the chip and the stripe. So theoretically [criminals] could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip."

Time will tell which experts are correct. Some cite two statistics. First, 37 percent of total card fraud is from criminals using cloned cards in stores. Second, the bulk of card fraud is online:

"Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018."

To help consumers, the Consumer Financial Protection Bureau (CFPB) provides easy answers about the new chip cards. The CFPB is a great resource for consumers to learn about their rights and to get help. The CFPB enforces rules that financial institutions must follow when marketing financial products to consumers. For unresolved problems with credit/debit/prepaid cards, student loans, debt collection agencies, or other financial products, you can submit online a complaint to the CFPB for assistance.

Discover notified its credit card customers in July about the transition. Its notice provided helpful images of the new terminals, the new chip card, and how cardholders insert chip cards into the new terminals. As I wrote then, before traveling in Europe, Discover cardholders should set up a PIN number, since Europe requires chip-and-pin authorizations.

What are your opinions of the new chip cards? Of the partial transition? If you have experienced problems with a new chip card, please share below.


Bank of America Raises Prices For Its Checking Customers. What You Need To Know And How To Avoid The New Fees

Bank of America (BofA) has decided to move forward with charging large monthly maintenance fees to its checking account customers. Yesterday, I received a notice via postal mail from BofA dated March 6, 2015:

Bank of America logo "We're updating our checking products and, as a result, the existing checking account listed above will become an Advantage Regular Checking account...

What's not changing
Your account information, including your account number, checks, and debit card all remain the same. Your account features, such as direct deposit, Online and Mobile banking. Bill Pay, as well as accounts linked for overdraft protection, will also remain the same.

What's Changing
Monthly maintenance fee: You can avoid the monthly fee on this account when you meet any ONE of the requirements shown below during each monthly statement cycle. Otherwise, the $25 monthly fee will be deducted from your account. This change takes effect on your first statement cycle that starts on May 15."

I checked the BofA website for any press releases about its price increase. I saw nothing. Not good.

A $25 monthly maintenance fee equals $300 yearly. That's a big price increase. You may remember Bank Transfer Day in 2012, when many consumers moved their money from the big banks to smaller, regional banks and credit unions. Several banks and BofA had tried to raise prices in 2011 by applying monthly maintenance fees, but then reversed their decisions after considerable push-back by consumers.

Banc of America Merchant Services 2011 profile. Click to view larger image BofA tried to justify its 2011 price increase by saying their transaction costs had gone up and the, "economics of debit cards have changed," After some research in 2011 (see image on right), I found that BofA partnered with another company, First Data, to create a separate company that actually processes the bank's debit-card transactions, and both share in those debit-card transaction revenues.

That partnership continues today. The 2015 Hoovers profile states:

"The next time you swipe your card and it clears, you might thank Banc of America Merchant Services. A 2009 joint venture between Bank of America and First Data, it is one of the largest processors of electronic payments in the US. The firm handles more than 7 billion check and credit, debit, stored value, payroll, and electronic benefits transfer card transactions (worth a total of some $250 billion) annually. Its clients are small businesses and large corporations including retailers, restaurants, hotels, supermarkets, utilities, gas stations, convenience stores, and government entities. First Data owns 51% of Banc of America Merchant Services, while Bank of America owns 49%."

I'll bet you didn't know this. Most people don't. Most of the big banks have similar arrangements with First Data. So, the big banks make money off your money by investing it (what you'd expect), but also by both charging customers monthly maintenance fees and from collecting revenues from their debit-transaction processing partnership (not what you'd expect). Some people might call making money at both ends of the transaction double-dipping. I do. That didn't pass the smell test in 2011, nor today.

Fast-forward four years, and the transaction cost reason has been replaced with the "updated our checking products" excuse. It's still lame. A price increase is a price increase. Plus, the notice I received from BofA failed to mention any cost cutting done before passing along a huge price increase to its checking customers. That's just bad.

Moreover, the bank's latest price increase couldn't be more confusing. The bank's notice explained how checking customers can avoid the large monthly maintenance fees:

"Keep an average daily balance of $5,000 or more in your checking account or linked Regular Savings account, or

Keep an average daily combined balance of $10,000 or more in checking with linked savings, money market savings, CDs or IRAs, or

Keep an outstanding balance of $15,000 or more in an eligible linked installment loan or line of credit, or

Have $15,000 in total combined assets in your eligible Merrill Edge and Merrill Lynch investment accounts that are linked to your checking account, or

Have a linked Bank of America first mortgage loan that we service."

This reads like legalese written by lawyers. Why not keep it simple and say: keep $5,000 in an account to avoid the monthly maintenance fees. Simplicity matters.

Let's review some more of BofA's history. In August 2014, the bank agreed to a massive settlement with the U.S. Justice Department and several states' attorney generals. The $16.65 billion settlement agreement resolved both federal and state civil investigations into activities by the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS). The bank acquired Merrill Lynch in 2009, and Countrywide in 2008.

To be fair, other big banks have paid massive settlement amounts during the past few years: Bank of America, $61.1 billion; JPMorgan, $31.4 billion; Citigroup, $10 billion; and Wells Fargo, $5.8 billion. A 2012 survey found that junior bank executives view wrongdoing as necessary to advance their careers. Based upon all of this, there clearly seems to be an ethics problem in banking.

I find BofA's reason (e.g., updated their checking products) for its price increase disingenuous. More likely, the price increase was driven profitability concerns given the massive settlement payments. Why not reduce senior executive compensation and bonuses instead (e.g., especially those executives that committed the wrongdoing that led to the massive settlement payments)? Why put the burden on customers?

That BofA decided to place the burden on its customers speaks volumes. Banks can clearly raise prices if they want. They are free to do that. Customers are free to move their money to a bank (or credit union) with lower or no monthly maintenance fees.

I'll make it easy for BofA checking customers to avoid the price increase: move your money to a small, regional bank or credit union. It's easier than you think, and there are a lot of benefits. Last month, Bankrate compared checking account fees between banks and credit unions:

"You're twice as likely to find free checking at a credit union than a bank, according to a new study by Bankrate.com. Nearly three quarters of credit union checking accounts -- 72 percent -- come with no balance requirements or monthly maintenance fees. That's in sharp contrast to banks, where only 38 percent of checking accounts are free... Most of the time, when you encounter dramatically lower prices for the same product, you assume that the cheaper product is somehow inferior. But that's not the case with credit unions, which typically offer services comparable to similarly sized banks. Instead, it comes down to the way credit unions are organized, says Jon Jeffreys, managing partner at Callahan & Associates, a management consultancy that works with credit unions..."

Thankfully, I had already begun to move my money. BofA's latest price-increase notice just accelerated my schedule. While I have sufficient account balances to avoid BofA's new monthly maintenance fees, I simply dislike the way the bank operates. For me, it goes to values.

If you are looking for a small bank or credit union to move your money to, a good resource is the Move Your Money Project. Some consumers have tried to move their money to prepaid cards instead. I believe that is a poor decision, because there usually are many fees with prepaid cards. Plus, experts have advised consumers to be wary of prepaid card protections.

What are your opinions of Bank of America? Of its latest price increase? Has your bank increased prices?


A Fight Brews After Retailers Demand From Congress Better, Stronger, And Consistent Data Breach Laws

The National Retail Federation and 43 other retail associations sent a letter dated November 6, 2014 to Congressional leaders in House and Senate demanding laws that promote stronger data security, eliminate exemptions to certain industries from data breach notification laws, and provide consistent data breach notification rules.

There are currently 47 different breach notification laws across the states. The makes for a complicated, patchwork of state laws that retailers must navigate when informing affected shoppers about data breaches. The laws vary in defining the data elements to be protected, data formats, the methods of notification, and when affected consumers must be notified by.

The retail associations' letter to Congress (Adobe PDF) stated:

"Organized groups of criminals, often based in Eastern Europe, have focused on U.S. businesses, including financial institutions, technology companies, manufacturing, retail, utilities and others. These criminals devote substantial resources and expertise to breaching data protection systems... Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information. Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

The letter cited current banking practices:

"... the recently reported data breaches have taught us, it is that any security gaps left unaddressed will quickly be exploited by criminals. For example, the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

The letter described the threats retailers face data breaches at banks and payment processors:

"... some recent examples are instructive. This summer, it was reported that JPMorgan Chase had suffered a data security breach... affecting 83 million accounts that had been accessed online or through mobile devices. The criminals involved reportedly took over computers around the world... Given the sophistication of the attack, even months after initial disclosure, it is not clear whether the bank’s system is free of the hackers involved. It has also been reported that nine other banks suffered similar data breaches and there is evidence that there is a focused effort to breach financial institutions by these criminals... Despite all that reporters have uncovered to date, however, financial regulators have not required financial institutions to provide the same detailed notice to their customers as is required of other businesses under law... it was revealed in September that over 100 account subscribers to Apple’s widely-used iCloud service had suffered a series of targeted attacks that ultimately led to the unlawful acquisition of sensitive photographs stored on the iCloud servers. Merchants have also been attacked by criminals employing sophisticated and previously unseen tools to steal payment card numbers. Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data – from financial institutions to retailers, card processors, and telecommunications providers."

The letter also cited a key industry study about where data breaches occurred:

"The Verizon Data Breach Investigations Report is the most comprehensive summary of these types of threats. The 2014 report (examining 2013 data) determined that there were 63,437 data security incidents reported by industry, educational institutions and governmental entities last year and that 1,367 of those had confirmed data losses. Of those, the financial industry suffered 34%, public institutions (including governmental entities) had 12.8%, the retail industry had 10.8%, and hotels and restaurants combined had 10%."

The Online Trust Alliance supports the retailer associations' letter with calls for better, stronger, consistent data breach laws. The American Bankers Association and several financial services groups responded with their own letter (Adobe PDF) to Congress dated November 12, 2014. The banking groups' letter said the retail associations' letter was:

"... inaccurate and misleading, and recommends solutions that leave consumers vulnerable to enhanced risk of data breaches... As evidenced by the massive breaches at Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen and others, retailers are being targeted by cyber criminals. While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

Given the frequency and large size of data breaches, in my opinion, both groups have failed at adequately protecting consumers' sensitive personal and financial information. Neither is in a position to criticize the other.

The financial groups' letter cited "Strong Federal Oversight and Examination" and:

"Financial institutions on their own are aggressively implementing new systems and leading the development of new technologies like tokenization to combat the ever-changing criminal threat."

Banks may lead the way upon defending against external threats, but seem to have failed miserably against internal threats. Several examples illustrate my point. Banks have settled lawsuits about data breaches, settled lawsuits about residential mortgage back securities abuses, paid massive amounts ($128 billion and counting) in settlement payments and fines where terms are often kept secret and payments are tax deductible, and failed to solve their growing ethics problem where young bankers feel they must break the law to get ahead. Nobody forced banks to violate laws resulting in these lawsuits, settlements, and fines.

Rather than fight, both groups should stay focused on their shoppers and account holders: collaborate on better data security. Otherwise, they both look silly; like children at the dinner table arguing over who gets the last slice of chocolate cake.

View the full text of the retail associations' letter to Congress (Adobe PDF). Download the 2014 Verizon Dat Breach Investigations Report. Learn more about hacking attacks against Apple iCloud services.


Bank BNP Paribus To Plead Guilty And Pay Almost $9 Billion For Illegal Transactions

There seem to be more and more huge billion dollar settlements by banks for wrongdoing. Earlier this week, the U.S. Department of Justice (DOJ) announced an agreement with Bank BNP Paribus (BNPP) where the bank has agreed to plead guilty for illegal financial transactions with countries under U.S. sanctions. The French bank allegedly violated:

"... the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) by processing billions of dollars of transactions through the U.S. financial system on behalf of Sudanese, Iranian, and Cuban entities subject to U.S. economic sanctions. The agreement by the French bank to plead guilty is the first time a global bank has agreed to plead guilty to large-scale, systematic violations of U.S. economic sanctions."

Investigations found that the bank processed $8.8 billion in illegal financial transactions with sanctioned entities.To avoid detection, the bank allegedly routed illegal payments through third-party banks and instructed other banks not to disclose the names of sanctioned entities in those transactions.

The bank entered a written plea agreement and will pay total financial penalties of $8.9736 billion, including a forfeiture of $8.8336 billion and a fine of $140 million. The DOJ annouced additional terms of the plea agreement:

"BNPP will waive indictment and be charged in a one-count felony criminal information, filed in federal court in the Southern District of New York, charging BNPP with knowingly and willfully conspiring to commit violations of IEEPA and TWEA, from 2004 through 2012."

The bank is scheduled to formally enter its guilty plea in United States District Court on July 9, 2014 at 4:30 p.m. Deputy Attorney General James M. Cole said:

"BNPP ignored US sanctions laws and concealed its tracks. And when contacted by law enforcement it chose not to fully cooperate... This failure to cooperate had a real effect -- it significantly impacted the government’s ability to bring charges against responsible individuals, sanctioned entities and satellite banks. This failure together with BNPP’s prolonged misconduct mandated the criminal plea and the nearly $9 billion penalty that we are announcing today.”

Assistant Attorney General Caldwell said:

"By providing dollar clearing services to individuals and entities associated with Sudan, Iran, and Cuba – in clear violation of U.S. law – BNPP helped them gain illegal access to the U.S. financial system... In doing so, BNPP deliberately disregarded U.S. law of which it was well aware, and placed its financial network at the services of rogue nations, all to improve its bottom line. Remarkably, BNPP continued to engage in this criminal conduct even after being told by its own lawyers that what it was doing was illegal.”

BNP Paribus stated in a press release:

"BNP Paribas also accepts a temporary suspension of one year starting 1st January 2015 of the USD direct clearing focused mainly on the Oil & Gas Energy & Commodity Finance business line in certain locations... BNP Paribas will maintain its licenses as part of the settlements, and expects no impact on its operational or business capabilities to serve the vast majority of its clients... "

In its press release, the bank announced new internal compliance and control processes:

"... a new department called Group Financial Security US, part of the Group Compliance function, will be headquartered in New York and will ensure that BNP Paribas complies globally with US regulation related to international sanctions and embargoes... all USD flows for the entire BNP Paribas Group will be ultimately processed and controlled via the branch in New York. As a result of BNP Paribas’ internal review, a number of managers and employees from relevant business areas have been sanctioned, a number of whom have left the Group."

The bank generated annual revenues in 2013 of Euros 36.1 million. The current exchange rate: 1.0 Euro = 1.37 U.S. dollars.

I congratulate government officials for the investigations and for enforcing the law. I look forward to the results of investigations of banks that worked with BNP Paribus to hide the illegal transaction. However, I have only one question: why are no BNP Paribus bank executives going to prison? The criminal conduct seems to warrant prison time.

What are your opinions of the plea agreement by Bank BNP Paribus?


Considering Bitcoin or Another Virtual Currency? What You Need To Know

Late last month, Maryland Attorney General (AG) Douglas F. Gansler issued a warning for consumers interested in using virtual currencies such as Bitcoin. Many consumers like virtual currencies because of lower transaction fees compared to banks and traditional payment options.

AG Gansler said in a press release:

"Virtual currency, which includes digital and crypto-currency, is gaining in popularity and controversy. Growing numbers of merchants, businesses and other organizations now accept Bitcoin, one example of crypto-currency, in lieu of traditional currency.

Virtual currencies exist with little to no regulation and there is no safety net, such as federally-backed insurance, if you lose your hard-earned money," said Attorney General Gansler. "It pays to know what's in your e-Wallet and the many ways your money can disappear if you're not careful. Unlike the dollar, these highly volatile alternatives are not issued by a government authority and are typically not backed by tangible assets."

Mark Kaufman, the Maryland Commissioner of Financial Regulation said:

"Bitcoin and all virtual currencies have inherent risks that Marylanders should consider prior to transacting with or investing in these currencies... The entities that accept and transmit, or exchange virtual currencies for U.S. dollars are subject to federal law, and may be subject to state law, including the requirement to be licensed as a money transmitter. It is important to note however, that Maryland does not currently regulate virtual currencies. I encourage any Maryland resident interested in virtual currencies, to do their homework first."

Accounts with virtual currencies are not insured by the Federal Deposit Insurance Corporation (FDIC), which insures bank accounts up to $250,000.The Internal Revenue Service (IRS) has issued some guidance on the tax status of virtual currencies.

Residents of Connecticut can download the "What's In Your E-Wallet?" alert by the Department of Banking (Adobe PDF). The State Of Washington's Department of Financial Institutions issued a similar warning for consumers:

"One of the major risks of holding virtual currencies is their volatility. Their value can rise or fall substantially over a short period of time... Bitcoins, and others like it, are basically lines of computer code that are valued by the marketplace with no governmental support or oversight. Anyone holding virtual currencies should understand that they could lose a significant part of their investment as the market changes... There are no deposit guarantees like FDIC insurance to protect customer funds held by virtual currency exchanges. Once the funds are gone, there is no way to retrieve them... Some exchange companies that offer to store the consumer’s virtual currencies in virtual wallets have been unable to protect them... Because virtual currencies provide some anonymity, criminal elements have found them useful for money laundering and other crimes. When exchanges are shut down as a result of either knowingly or unknowingly facilitating a crime, customers may have difficulty accessing their funds."

Earlier this month, the U.S. Securities and Exchange Issued an alert about Bitcoin and other virtual currencies.

So, the old saying apples: do your homework first. Wise consumers should first check the financial laws in their state to see what regulations and protections exist, if any.


Questions About The Target Data Breach And How Hackers Broke In

Target Bullseye logo A prior blog post discussed the Target data breach, the retailer's security preparations, and management's post-breach response. Months before the breach, Target installed robust breach-detection software. During the breach, that software provided alerts which management missed. That blog post referenced a Bloomberg Businessweek article which reported breach details.

The Businessweek article went further and explored possible links between the breach and Russian hackers operating in Odessa, Ukraine. First things first. There will be plenty of time later to profile the hackers. Today, stay focused on breach details, the retailer's post-breach response, and the breach investigations. The goal is to report what happened so things can be fixed. Consumers want and need to know they can trust banks and retailers to protect their payment card information.

The article also published this flow diagram:

Bloomberg Business flow diagram of Target data breach. Click to view larger image.

See box #1 which mentioned a HVAC vendor and used the word "probably." The conclusion seems to have been based upon an email attack described in this KrebsOnSecurity article:

"... investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical... Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Two of those sources said the malware in question was Citadel – a password-stealing bot program..."

Fazio confirmed that it experienced an attack (Adobe PDF). The KrebsOnSecurity article included a "theory" about how hackers with billing credentials accessed systems with point-of-sale cashiers. I expected something more definitive than a "theory." I expect something more definitive than "investigators believe" -- ideally, "investigators analyzed" or "investigators found."

Knowing the exact scenario is important, so relevant fixes can be applied to prevent a massive breach like this from happening again. Hopefully, Target's final breach investigation report will clarify and explain things.

I wonder about the investigators' conclusions. How do investigators know with 100 percent certainty that (only) this specific HVAC vendor breach was the setup? How do the investigators know that credentials weren't stolen from any other Target vendors? How do investigators know that no other vendors experienced data breaches allowing hackers access to Target's systems?

During the past 6+ years I've written this blog, I've learned that online thieves are smart, persistent, and go where the money is. A January 2014 Let's Talk Payments article mentioned several of Target's major partners:

"Companies performing these [payments processing] roles for Target were identified in a research note by Robert W. Baird & Co analysts on Dec. 19... the merchant acquirer used by Target for credit and debit card transactions is Bank of America Merchant Services, a joint venture of Bank of America and KKR’s First Data Corp... The note also identified Vantiv of Cincinnati as processing transactions for Target customers who type in personal identification numbers for debit transactions... Target-branded payment cards are issued by Toronto’s TD Bank Group."

Regular readers of this blog recognize First Data and understand how much information the processor collects about consumers. (New to this blog? To learn more, select "Data Breaches," "Payment Procesors," or "Retail" in the right-column tag cloud. Or enter a company name in the right-column search mechanism.) Regular readers of this blog also recognize Bank of America Merchant Services, and its joint venture with First Data to process the payment transactions of the bank's retail (e.g., checking, debit card, credit card) customers. Other banks probably have similar arrangements with First Data.

Target's REDcard loyalty program includes the Target-branded credit and debit payment cards. According to a quarterly filing with the S.E.C., REDcard penetration increased from 12.8 to 18.6 percent during 2013. That's huge growth in one year. Good for Target: its shoppers like using REDcards. Bad for Target: its data breach has threatened that growth, REDcard usage by shoppers, and payments processors' revenues (and profits).

Smart hackers would focus on vendors with the best credentials; credentials that provide the best access to Target's computer systems and network. Another question: which vendor probably has the best credentials: a small HVAC vendor or a key business partner? The KrebsOnSecurity article discussed how Target required two-factor authentication for some vendors and not others. Maybe a small HVAC vendor was the easiest way in for the hackers. Maybe not. I hope that the formal Target breach investigation clarifies and explains things. Maybe the answers will be the same as reported in the KrebsOnSecurity article. Or maybe not.

In a January 2014 new story by SC Magazine, a First Data Corp representative denied that the processor's systems were breached:

"First Data processes some transactions for one of Target's acquirers, but we have no indication that our systems were involved in any of the incidents reported by Target,"

"No indication" doesn't sound to me like a resounding, definite "no" with 100 percent confidence. Reportedly, the First Data representative also said:

"The situation being reported by Target is a concern to all of us in the payments industry... data security is of paramount importance to First Data, which is why we work closely with our clients to protect cardholder data through our own system monitoring and the risk management solutions we offer our clients.”

Hmmm. Payments processors have had data breaches... massive ones. You may remember the Global Payments and Heartland breaches. First Data Corp has experienced a data breach too, at its Western Union unit.

Reportedly, the U.S. Secret Service is also investigating the Target data breach. That implies an interest in any systemic retail or banking security issues affecting the country's money supply. Systemic issues that come to mind are breaches at multiple retailers, the obsolete technology for payment cards, weaknesses in retail payment processes, and breaches at banks or payments processors. To me, a breach at a tiny HVAC vendor don't seem to rise to level of systemic.

Again, this is all speculation. I'm not saying one of Target's partners was breached. I don't have access to the data investigators have. All I'm saying is that a thorough, broad breach investigation needs to ask the question: was anyone else breached? The Target breach shook consumers' trust, and the breach investigation needs to address that. Trust matters. Consumers want to trust that banks and retailers can protect their card payment information.

Maybe the answer to this question will be the same; a small HVAC vendor's breach was the setup. Maybe not. A lot has happened since January. When 110 million records are stolen, one has to ask... one has to look, thoroughly.

I'd hate to think that the breach investigation stopped after finding the HVAC vendor breach and didn't look further for earlier breaches at other vendors or partners. If one wants to reassure consumers of secure card payment  processes, you have to look further... and thoroughly. And if there were other breaches, report them, too.

If a payments processor was also breached, then those partners would likely be added as defendants to any lawsuits. The Businessweek article mentioned 90 lawsuits. Several lawsuits have already been filed by banks and by shoppers.

What's your opinion of the Target breach? What questions do you have? How were you affected by the Target breach?


Target Data Breach: The Math Says That Crime Pays Well

If you haven't read it, there is an excellent article at Finextra Research about the Target breach; specifically the value of stolen shoppers' information. The article explains how your location information makes consumers' stolen payment information more valuable to thieves:

"... Target hackers have undertaken to selling location usage data alongside the card data, and can charge a premium for such data. Value added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That’s puts the “value” on the 40million+ payment cards stolen from Target at between $800million and $4billion! If we assume that their ROI is a minimum of 10 times their “investment” then we are looking at a fraud value of between $8bn and $40bn."

Plus, the numbers are much worse. Why? First, Target increased the size of its data breach to 70 million from 40 million. Second, this math is based upon what we know so far. The breach news is far from over. Third, news reports have mentioned three other retailers impacted besides the Target and Neiman Marcus breaches.

This math is important because any risk-analysis systems used by retailers (and banks) use data elements (e.g., location data) that thieves have stolen... and will continue to steal. The thieves are upping their game, and industry needs to respond. It is long past time for the U.S. retail and banking industries to upgrade from obsolete credit/debit card technology to smart payment cards.

The math is important to consumers. Why? You now know how valuable your location information is for thieves. Don't be so quick to give up your location data to social networking websites, banks, and retailers without getting something substantial in return.


Hackers Arrested In Large Identity Theft Ring That Stole 160 Million Cards

Yesterday, the U.S. Attorney's Office in New Jersey announced the indictment of five persons for operating a worldwide and data breach and hacking ring that stole information about more than 160 million credit- and debit-cards, resulted in losses of hundreds of millions of dollars. The theft and fraud ring targeted financial institutions and companies, including alleged:

"... attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard."

How the theft ring operated:

"The five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks... The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine.  Dmitriy Smilianets, 29, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants. Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc.,..."

Drinkman and Smilianets were arrested in the Netherlands on June 28, 2012. Smilianets was extradited to the USA on Sept. 7, 2012, The other three defendants are still at large. Four defendants are Russian citizens. Rytikov is a citizen of Ukraine. The number of 160 million cards stolen is an estimate, and could be higher.

Addition information from the announcement:

"The five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders."

Thanks to the several federal agencies involved in pursuing and capturing these defendants.

To me, this case is another example that identity-theft thieves and fraudsters are smart, creative, organized, and persistent. The days of the lone hacker are gone. Identity thieves target firms they believe are vulnerable. Identity thieves go where the money is.

I find this case highly interesting, as both Global Payments and Heartland experienced massive breaches previously. That the hackers targeted these and other payments processors means that all of these firms' computer systems are still vulnerable, despite executives' claims otherwise.


Payment Processors: A New I've Been Mugged Topic

When consumers purchase a product or service with some form of plastic (e.g., credit cards, debit cards, prepaid cards) and their mobile device, usually several companies are involved in completing that transaction: getting the money to the retailer (online or brick-and-mortar). While many consumers may believe that only their bank is involved in processing the transaction, the reality is that more companies are often involved.

One type of company involved are payment processors, companies that process these financial transactions. Sometimes these payment processor companies experience data breaches where sensitive customer information is lost or stolen. With recent events in the banking industry, and the spread of prepaid debit cards, this new topic can help you more easily read about and understand what is happening within the banking and retail industries.

I have tagged this new topic retroactively to archived blog posts, so you read and understand the types of information available. See the new "Payment Processors" topic. I hope that you find it useful.


The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services, today they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transactions flow often have their onw privacy policy, and data collection of consumers' sensitive information -- driven by their agreement with the retailer or bank. And, each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

  Payment Method
Company Type
CashCredit CardDebit CardRetailer's Prepaid Card (1)
Bank Prepaid Card (2)
Prepaid Card: FSA (3)
Smart Phone
Brick-&-mortar retail store No Yes Yes Yes Yes Yes Yes
Online retail website n/a Yes Yes Yes Yes Yes n/a
Retailer's partners &/or affiliates (4)
n/a Yes Yes Yes Yes Yes Yes
Your bank n/a Yes Yes n/a Yes Yes Yes
Retailer's bank n/a Yes Yes Yes Yes Yes Yes
Payments Processor (5) No Yes Yes Yes Yes (6)
Yes Yes
Your Employer n/a n/a n/a n/a Yes Yes Yes
Healthcare Vendor (7)
n/a n/a n/a n/a No Yes n/a
Wireless Provider n/a n/a n/a n/a n/a n/a Yes
Mobile Device Manufacturer n/a n/a n/a n/a n/a n/a Yes
Mobile Device Operating System Developer (8) n/a n/a n/a n/a n/a n/a Yes
Mobile App Developer (8) n/a n/a n/a n/a n/a n/a Yes
App Store
n/a n/a n/a n/a n/a n/a Yes

Footnotes:

  1. Includes gift cards offered by retailers that are good only at that retailer's stores.
  2. Includes general-purpose prepaid cards usually offered by banks
  3. Includes prepaid cards used by employers to adminster healthcare Flexible Spending Accounts
  4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
  5. The bank and/or company that processes the debit/credit card transactions
  6. Applies to employers that pay employees via a payroll debit cards
  7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
  8. The company that develops and maintains this software mobile devices

What do you think about the above chart?


Chicago Transit Authority Riders To Use New Ventra Card Starting This Summer

Ventra logo Last month, the CBS television network affiliate in Chicago reported about a new fare card to be offered this summer in Chicago by the local public transit authority. The news report stated:

"... one of the companies behind the new card gets an F rating from the Better Business Bureau... It will be offered by Money Network, which is owned by First Data. Money Network currently has an F rating with the BBB."

Reportedly, the "F" rating was based on complaints by consumers since 2010. Chicago officials said that the new Ventra fare system will save the Chicago Transit Authority (CTA) about $50 million during its 12-year contract with Money Network.

The new Ventra fare card will be available for Chicago consumers during the summer of 2013. Consumers will have the option to use the Ventra card to pay for CTA fares, or to opt in and also use it as a prepaid debit card to pay for purchases at local retail stores. By 2014, the CTA will migrate fully from the current Chicago Card and Chicago Card Plus payment methods to the new Ventra system. In the future, consumers will also be able to pay using their smart phones.

I visited the Ventra Chicago website to learn more. The website provides some information about this new fare and prepaid card:

"Cards are issued by MetaBank™, Member FDIC, pursuant to license by MasterCard International Incorporated. MasterCard and the MasterCard Brand Mark are registered trademarks of MasterCard International Incorporated."

This means that both the CTA and its riders will be doing business with MetaBank. Consumers that activate the prepaid debit option on their Ventra card will definitely want to know what bank is used, especially if there are problems or need help. (What could go wrong with a prepaid card? Read parts 1 and 2 about a consumer's experience with a healthcare prepaid card.) Since Money Network is a Ventra vendor, it means that Money Network (e.g., First Data Corp.) will likely perform the payment transaction processing.

You never heard of MetaBank? There is a pretty useful summary of MetaBank at the GetDebit website:

Summary of MetaBank at GetDebit.com

After reading the Ventra Chicago website, I also expected to find the full terms and conditions (e.g., contract) that applies when consumers opt-in to use the prepaid debit option with their Ventra Chicago card. In my experience, details matter with any prepaid card. Often, prepaid cards contain minimums, limits, and/or several fees (e.g., to load money onto the prepaid card, or make cash withdrawals at certain bank ATM network machines). Additional fees may apply if you use the prepaid card at a different ATM network.

In January, this blog reviewed the new AAA card. Like the coming Ventra Chicago card, AAA members can use their new AAA card as an identification card for towing services and discounts, or opt in and activate the prepaid debit option to use the card to make purchases at retail stores. The new AAA prepaid card has a $25.00 minimum to load money onto it, and a maximum monthly limit of $2,500 (or a $10,000 max with direct deposit). With the new AAA prepaid card, each month only the first ATM cash withdrawal is free, and all other ATM withdrawals cost $2.00 each. And, you have to use it at American Express network ATM machines.

I wanted to see if there were similar conditions with the new Ventra Chicago card, but the website didn't say. This is the type of information informed consumers look for, since there are legal differences and rights consumers have with prepaid cards compared to both credit- and debit cards. Informed consumers want to know their rights and specific rules, especially about replacing the funds on lost/stolen Ventra cards. Hopefully, CTA officials will update the Ventra Chicago website soon with the appropriate detailed information, so Chicago-area consumers can make informed choices.

I visited the BBB website to see if its rating of Money Network had changed since last month. It had and is now rated B+:

BBB rating of Money Network

You don't need to be a rock scientist to see that the Ventra Chicago business model is one that can be replicated with public transit systems in other cities across the country. As each system makes decisions about the payment methods they will use, transparency is critical. It is important for transit systems to provide consumers with as much choice, freedom, and privacy as possible with payment options, while minimizing fees and surcharges.

What else is going on here? As I see it, several things. First, banks are trying to capture more customers by targeting both consumers who don't have a bank account (called the "unbanked" in industry jargon), and consumers have a single bank account (e.g., checking or a savings but not both are called the "underbanked) with prepaid card pitches. Second, banking industry research has found that consumers who have used debit cards and were burned with multiple overdraft fees, now view prepaid cards as a way to avoid high overdraft fees. So, banks have targeted these consumers, too, with prepaid card pitches directly or through intermediaries (e.g., government, employers). These consumers often don't realize the limits, minimums, fees, and surcharges that often are included with prepaid cards.

Third, given current technologies it is fairly easy to make plastic identification cards perform the traditional functions plus act as a prepaid debit card. That's why you now see prepaid cards to receive government benefits, and with employer healthcare FSA programs. Fourth, it is no secret that banks perform huge data collection of consumers' purchases with all types of plastic in your wallet or purse: debit cards, credit cards, and prepaid cards. Banks analyze and sell your purchases with other businesses including data brokers. So, if you want privacy, keep using cash.

My advice to consumers is this: anytime a bank or company serves up a strong "convenience" pitch with a prepaid debit card, take the time to read closely the contractl details (e.g., often called the Terms and Conditions), the schedule of fees, and the privacy policy. Those documents will indicate what protections and rights you have (or don't have), and the costs. And, there are five things you should know about prepaid cards.

What is your opinion of Ventra Chicago? Of MetaBank? Of Money Network?