I've Been Mugged Blog

On Tuesday, Facebook announced its first financial services offering which will be available in 2020:

"... we’re sharing plans for Calibra, a newly formed Facebook subsidiary whose goal is to provide financial services that will let people access and participate in the Libra network. The first product Calibra will introduce is a digital wallet for Libra, a new global currency powered by blockchain technology. The wallet will be available in Messenger, WhatsApp and as a standalone app — and we expect to launch in 2020... Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost. And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit..."

Long before the announcement, consumers crafted interesting nicknames for the financial service, such as #FaceCoin and #Zuckbucks. Good to see people with a sense of humor.

On a more serious topic, after multiple data breaches and privacy snafus at Facebook (plus repeated promises by CEO Zuckerberg that his company will do better), many people are understandably concerned about data security and privacy. Facebook's announcement also addressed security and privacy:

"... Calibra will have strong protections... We’ll be using all the same verification and anti-fraud processes that banks and credit cards use, and we’ll have automated systems that will proactively monitor activity to detect and prevent fraudulent behavior... We’ll also take steps to protect your privacy. Aside from limited cases, Calibra will not share account information or financial data with Facebook or any third party without customer consent. This means Calibra customers’ account information and financial data will not be used to improve ad targeting on the Facebook family of products. The limited cases where this data may be shared reflect our need to keep people safe, comply with the law and provide basic functionality to the people who use Calibra. Calibra will use Facebook data to comply with the law, secure customers’ accounts, mitigate risk and prevent criminal activity."

So, the new Calibra subsidiary promised that it won't share users' account information with Facebook's core social networking service, except when it will -- to "comply with the law." The announcement encourages interested persons to sign up for email updates. This leaves Calibra customers to trust Facebook's wall separating its business units. "Provide basic functionality to the people who use Calibra" sounds like a huge loophole to justify any data sharing.

Tech and financial experts quickly weighed in on the announcement and its promises. TechCrunch explained why Facebook created a new business subsidiary. After Calibra's Tuesday announcement:

"... critics started harping about the dangers of centralizing control of tomorrow’s money in the hands of a company with a poor track record of privacy and security. Facebook anticipated this, though, and created a subsidiary called Calibra to run its crypto dealings and keep all transaction data separate from your social data. Facebook shares control of Libra with 27 other Libra Association founding members, and as many as 100 total when the token launches in the first half of 2020. Each member gets just one vote on the Libra council, so Facebook can’t hijack the token’s governance even though it invented it."

TechCrunch also explained the risks to Calibra customers:

"... that leaves one giant vector for abuse of Libra: the developer platform... Apparently Facebook has already forgotten how allowing anyone to build on the Facebook app platform and its low barriers to “innovation” are exactly what opened the door for Cambridge Analytica to hijack 87 million people’s personal data and use it for political ad targeting. But in this case, it won’t be users’ interests and birthdays that get grabbed. It could be hundreds or thousands of dollars’ worth of Libra currency that’s stolen. A shady developer could build a wallet that just cleans out a user’s account or funnels their coins to the wrong recipient, mines their purchase history for marketing data or uses them to launder money..."

During the coming months, hopefully Calibra will disclose the controls it will implement on the developer platform to prevent abuses, theft, and fraud.

Readers wanting to learn more should read the Libra White Paper, which provides more details about the companies involved:

"The Libra Association is an independent, not-for-profit membership organization headquartered in Geneva, Switzerland. The association’s purpose is to coordinate and provide a framework for governance for the network... Members of the Libra Association will consist of geographically distributed and diverse businesses, nonprofit and multilateral organizations, and academic institutions. The initial group of organizations that will work together on finalizing the association’s charter and become “Founding Members” upon its completion are, by industry:

1. Payments: Mastercard, PayPal, PayU (Naspers’ fintech arm), Stripe, Visa
2. Technology and marketplaces: Booking Holdings, eBay, Facebook/Calibra, Farfetch, Lyft, Mercado Pago, Spotify AB, Uber Technologies, Inc.
3. Telecommunications: Iliad, Vodafone Group
4. Blockchain: Anchorage, Bison Trails, Coinbase, Inc., Xapo Holdings Limited
5. Venture Capital: Andreessen Horowitz, Breakthrough Initiatives, Ribbit Capital, Thrive Capital, Union Square Ventures
6. Nonprofit and multilateral organizations, and academic institutions: Creative Destruction Lab, Kiva, Mercy Corps, Women’s World Banking"

Yes, the ride-hailing company, Uber, is involved. Yes, the same ride-hailing service which which paid $148 million to settle lawsuits and a coverup from a data breach in 2016. Yes, the same ride-hailing service with a history of data security, compliance, cultural, and privacy snafus. This suggests -- for better or worse -- that in the future consumers will be able to pay for Uber rides using the Libra Network.

Calibra hopes to have about 100 members in the Libra Association by the service launch in 2020. Clearly, there will be plenty more news to come. Below are draft screen images of the new app.

Many consumers prefer to pay for products and services using methods other than cash. How secure are these non-cash payment methods? The Federal Reserve Board (FRB) analyzed the payments landscape within the United States. Its October 2018 report found good and bad news. The good news: non-cash payments fraud is small. The bad news:

• Overall, non-cash payments fraud is growing,
• Card payments fraud drove the growth

The FRB report included:

"... fraud totals and rates for payments processed over general-purpose credit and debit card networks, including non-prepaid and prepaid debit card networks, the automated clearinghouse (ACH) transfer system, and the check clearing system. These payment systems form the core of the noncash payment and settlement systems used to clear and settle everyday payments made by consumers and businesses in the United States. The fraud data were collected as part of Federal Reserve surveys of depository institutions in 2012 and 2015 and payment card networks in 2015 and 2016. The types of fraudulent payments covered in the study are those made by an unauthorized third party."

Data from the card network survey included general-purpose credit and debit (non-prepaid and prepaid) card payments, but did not include ATM withdrawals. The card networks include Visa, MasterCard, Discover and others. Additional findings:

"... the rate of card fraud, by value, was nearly flat from 2015 to 2016, with the rate of in-person card fraud decreasing notably and the rate of remote card fraud increasing significantly..."

The industry defines several categories of card fraud:

1. "Counterfeit card. Fraud is perpetrated using an altered or cloned card;
2. Lost or stolen card. Fraud is undertaken using a legitimate card, but without the cardholder’s consent;
3. Card issued but not received. A newly issued card sent to a cardholder is intercepted and used to commit fraud;
4. Fraudulent application. A new card is issued based on a fake identity or on someone else’s identity;
5. Fraudulent use of account number. Fraud is perpetrated without using a physical card. This type of fraud is typically remote, with the card number being provided through an online web form or a mailed paper form, or given orally over the telephone; and
6. Other. Fraud including fraud from account take-over and any other types of fraud not covered above."

The increase in fraudulent application suggests that criminals consider it easy to intercept pre-screened credit and card offers sent via postal mail. It is easy for consumers to opt out of pre-screened credit and card offers. There is also the National Do Not Call Registry. Do both today if you haven't.

The report also covered EMV chip cards, which were introduced to stop counterfeit card fraud. Card networks distributed both chip cards to consumers, and chip-reader terminals to retailers. The banking industry had set an October 1, 2015 deadline to switch to chip cards. The FRB report:

The FRB concluded:

"Card systems brought EMV processing online, and a liability shift, beginning in October 2015, created an incentive for merchants to accept chip cards. By value, the share of non-fraudulent in-person payments made with [chip cards] shifted dramatically between 2015 and 2016, with chip-authenticated payments increasing from 3.2 percent to 26.4 percent. The share of fraudulent in-person payments made with [chip cards] also increased from 4.1 percent in 2015 to 22.8 percent in 2016. As [chip cards] are more secure, this growth in the share of fraudulent in-person chip payments may seem counter-intuitive; however, it reflects the overall increase in use. Note that in 2015, the share of fraudulent in-person payments with [chip cards] (4.1 percent) was greater than the share of non-fraudulent in-person payments with [chip cards] (3.2 percent), a relationship that reversed in 2016."

For better or worse, the type of smart device you use can identify you in ways you may not expect. First, a report by London-based Privacy International highlighted the changes within the financial services industry:

"Financial services are changing, with technology being a key driver. It is affecting the nature of financial services from credit and lending through to insurance and even the future of money itself. The field known as “fintech” is where the attention and investment is flowing. Within it, new sources of data are being used by existing institutions and new entrants. They are using new forms of data analysis. These changes are significant to this sector and the lives of the people it serves. We are seeing dramatic changes in the ways that financial products make decisions. The nature of the decision-making is changing, transforming the products in the market and impacting on end results and bottom lines. However, this also means that treatment of individuals will change. This changing terrain of finance has implications for human rights, privacy and identity... Data that people would consider as having nothing to do with the financial sphere, such as their text-messages, is being used at an increasing rate by the financial sector...  Yet protections are weak or absent... It is essential that these innovations are subject to scrutiny... Fintech covers a broad array of sectors and technologies. A non-exhaustive list includes:

• Alternative credit scoring (new data sources for credit scoring)
• Payments (new ways of paying for goods and services that often have implications for the data generated)
• Insurtech (the use of technology in the insurance sector)
• Regtech (the use of technology to meet regulatory requirements)."

"Similarly, a breadth of technologies are used in the sector, including: Artificial Intelligence; Blockchain; the Internet of Things; Telematics and connected cars..."

While the study focused upon India and Kenya, it has implications for consumers worldwide. More observations and concerns:

"Social media is another source of data for companies in the fintech space. However, decisions are made not on just on the content of posts, but rather social media is being used in other ways: to authenticate customers via facial recognition, for instance... blockchain, or distributed ledger technology, is still best known for cryptocurrencies like BitCoin. However, the technology is being used more broadly, such as the World Bank-backed initiative in Kenya for blockchain-backed bonds¹⁰. Yet it is also used in other fields, like the push in digital identities¹¹. A controversial example of this was a very small-scale scheme in the UK to pay benefits using blockchain technology, via an app developed by the fintech GovCoin¹² (since renamed DISC). The trial raised concerns, with the BBC reporting a former member of the Government Digital Service describing this as "a potentially efficient way for Department of Work and Pensions to restrict, audit and control exactly what each benefits payment is actually spent on, without the government being perceived as a big brother¹³..."

Many consumers know that you can buy a wide variety of internet-connected devices for your home. That includes both devices you'd expect (e.g., televisions, printers, smart speakers and assistants, security systems, door locks and cameras, utility meters, hot water heaters, thermostats, refrigerators, robotic vacuum cleaners, lawn mowers) and devices you might not expect (e.g., sex toys, smart watches for children, mouse traps, wine bottles, crock pots, toy dolls, and trash/recycle bins). Add your car or truck to the list:

"With an increasing number of sensors being built into cars, they are increasingly “connected” and communicating with actors including manufacturers, insurers and other vehicles¹⁵. Insurers are making use of this data to make decisions about the pricing of insurance, looking for features like sharp acceleration and braking and time of day¹⁶. This raises privacy concerns: movements can be tracked, and much about the driver’s life derived from their car use patterns..."

And, there are hidden prices for the convenience of making payments with your favorite smart device:

"The payments sector is a key area of growth in the fintech sector: in 2016, this sector received 40% of the total investment in fintech²². Transactions paid by most electronic means can be tracked, even those in physical shops. In the US, Google has access to 70% of credit and debit card transactions—through Google’s "third-party partnerships", the details of which have not been confirmed²³. The growth of alternatives to cash can be seen all over the world... There is a concerted effort against cash from elements of the development community... A disturbing aspect of the cashless debate is the emphasis on the immorality of cash—and, by extension, the immorality of anonymity. A UK Treasury minister, in 2012, said that paying tradesman by cash was "morally wrong"²⁶, as it facilitated tax avoidance... MasterCard states: "Contrary to transactions made with a MasterCard product, the anonymity of digital currency transactions enables any party to facilitate the purchase of illegal goods or services; to launder money or finance terrorism; and to pursue other activity that introduces consumer and social harm without detection by regulatory or police authority."²⁷"

The report cited a loss of control by consumers over their personal information. Going forward, the report included general and actor-specific recommendations. General recommendations:

• "Protecting the human right to privacy should be an essential element of fintech.
• Current national and international privacy regulations should be applicable to fintech.
• Customers should be at the centre of fintech, not their product.
• Fintech is not a single technology or business model. Any attempt to implement or regulate fintech should take these differences into account, and be based on the type activities they perform, rather than the type of institutions involved."

Want to learn more? Follow Privacy International on Facebook, on Twitter, or read about 10 ways of "Invisible Manipulation" of consumers.

A news item you may have missed during the run-up to the Presidential Inauguration. The U.S. Federal Trade Commission (FTC) announced settlement agreements with Western Union where the company admitted to money-laundering charges and agreed to pay $586 million in fines and restitution.

Western Union inked settlement agreements with the FTC, the Justice Department (DOJ), and with several U.S. Attorneys’ Offices: the Middle District of Pennsylvania, the Central District of California, the Eastern District of Pennsylvania and the Southern District of Florida. The FTC announcement stated:

"In its agreement with the Justice Department, Western Union admits to criminal violations including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud... According to admissions contained in the deferred prosecution agreement (DPA) with the Justice Department and the accompanying statement of facts, Western Union violated U.S. laws—the Bank Secrecy Act (BSA) and anti-fraud statutes—by processing hundreds of thousands of transactions for Western Union agents and others involved in an international consumer fraud scheme. As part of the scheme, fraudsters contacted victims in the U.S. and falsely posed as family members in need or promised prizes or job opportunities. The fraudsters directed the victims to send money through Western Union to help their relative or claim their prize. Various Western Union agents were complicit in these fraud schemes, often processing the fraud payments for the fraudsters in return for a cut of the fraud proceeds."

The FTC alleged in a complaint filed in U.S. District Court for the Middle District of Pennsylvania that the company’s conduct violated the FTC Act. The complaint alleged that fraudsters globally used Western Union’s money transfer system for many years, even after the company was aware of the problems. The complaint also alleged that some Western Union agents were complicit in fraud. Also, the FTC’s complaint alleged that Western Union failed to implement effective anti-fraud policies and procedures, and it failed to act promptly against problem agents (e.g., suspensions, terminations).

Also, the announcement described the extent and duration of the fraud:

"The BSA requires financial institutions, including money services businesses such as Western Union, to file currency transaction reports (CTRs) for transactions in currency greater than $10,000 in a single day. To evade the filing of a CTR and identification requirements, criminals will often structure their currency transactions so that no single transaction exceeds the $10,000 threshold. Financial institutions are required to report suspected structuring... Western Union knew that certain of its U.S. Agents were allowing or aiding and abetting structuring by their customers. Rather than taking corrective action to eliminate structuring at and by its agents, Western Union, among other things, allowed agents to continue sending transactions... Beginning in at least 2004, Western Union recorded customer complaints about fraudulently induced payments in what are known as consumer fraud reports (CFRs). In 2004, Western Union’s Corporate Security Department proposed global guidelines for discipline and suspension of Western Union agents that processed a materially elevated number of fraud transactions. In these guidelines, the Corporate Security Department effectively recommended automatically suspending any agent that paid 15 CFRs within 120 days. Had Western Union implemented these proposed guidelines, it would have prevented significant fraud losses to victims and would have resulted in corrective action against more than 2,000 agents worldwide between 2004 and 2012."

U.S. Attorney Eileen M. Decker of the Central District of California said:

"Our investigation uncovered hundreds of millions of dollars being sent to China in structured transactions designed to avoid the reporting requirements of the Bank Secrecy Act, and much of the money was sent to China by illegal immigrants to pay their human smugglers... In a case being prosecuted by my office, a Western Union agent has pleaded guilty to federal charges of structuring transactions – illegal conduct the company knew about for at least five years. Western Union documents indicate that its employees fought to keep this agent – as well as several other high-volume independent agents in New York City – working for Western Union because of the high volume of their activity. This action today will ensure that Western Union effectively controls its agents and prevents the use of its money transfer system for illegal purposes."

U.S. Attorney Bruce D. Brandler said:

"The U.S. Attorney’s Office for the Middle District of Pennsylvania has a long history of prosecuting corrupt Western Union Agents... Since 2001 our office, in conjunction with the U.S. Postal Inspection Service, has charged and convicted 26 Western Union Agents in the United States and Canada who conspired with international fraudsters to defraud tens of thousands of U.S. residents via various forms of mass marketing schemes. I am gratified that the deferred prosecution agreement reached today with Western Union ensures that $586 million will be available to compensate the many victims of these frauds."

Terms of the settlement agreements require Western union to:

• Pay a monetary judgment of $586 million,
• Implement and maintain a comprehensive anti-fraud program with training for its agents and their front line associates,
• Monitor to detect and prevent fraud-induced money transfers,
• Conduct due diligence on all new and renewing company agents, plus suspend or terminate non-compliant agents,
• Stop transmitting money transfers it knows or reasonably should know are fraud-induced,
• Block money transfers sent to any person who is the subject of a fraud report,
• Provide clear and conspicuous consumer fraud warnings on its paper and electronic money transfer forms,
• Increase the availability of websites and telephone numbers that enable consumers to file fraud complaints,
• Refund fraudulent money transfers if it failed to comply with its anti-fraud procedures, and
• Not process money transfers it knows or should know are payments for telemarketing transactions.

Western Union's compliance with these requirements will be monitored for three years by an independent compliance auditor. Western Union said in a January 19th press release:

"The Western Union Company (NYSE: WU) today announced agreements with the U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) that resolve previously disclosed investigations focused primarily on the Company’s oversight of certain agents and whether its anti-fraud program, as well as its anti-money laundering controls, adequately prevented misconduct by those agents and third parties. The conduct at issue mainly occurred from 2004 to 2012."

"As part of this resolution, Western Union will enter into a deferred prosecution agreement with the DOJ and a consent order with the FTC. The Company will pay a total of $586 million to the federal government, which is to be used to reimburse consumers who were victims of fraud during the relevant period. Western Union also will take specific actions to further enhance its oversight of agents and its protection of customers... Over the past five years, Western Union increased overall compliance funding by more than 200 percent, and now spends approximately $200 million per year on compliance, with more than 20 percent of its workforce currently dedicated to compliance functions. The comprehensive improvements undertaken by the Company have added more employees with law enforcement and regulatory expertise, strengthened its consumer education and agent training, bolstered its technology-driven controls and changed its governance structure so that its Chief Compliance Officer is a direct report to the Compliance Committee of the Board of Directors."

"... [Western Union] will simultaneously resolve, without any additional payment or non-monetary obligations, potential claims by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) relating to conduct in the 2010 to 2012 period that FinCEN contended violated the Bank Secrecy Act. The Company received a notice of investigation from FinCEN in mid-December 2016. The separate agreement with FinCEN sets forth a civil penalty of $184 million, the full amount of which will be deemed satisfied by the $586 million compensation payment under the DOJ and FTC agreements."

Americans still love to use the plastic in their wallets and purses. Just before the holidays, the Federal Reserve Board (FRB) released the results of its study about how Americans use non-cash payment methods: debit cards, credit cards, prepaid cards, ACH payments, and checks. The study included the total number and value of non-cash payments by consumers and businesses through 2015.

The total number of U.S. non-cash payments was more than 144 billion payments with a value of almost $178 trillion in 2015. That represented an increase of almost 21 billion payments or about $17 trillion since 2012. Other key findings from the study:

"The number of debit card payments (including payments with prepaid and non-prepaid cards) grew to 69.5 billion in 2015 with a value of $2.56 trillion, up 13.0 billion or $0.46 trillion since 2012. This was the largest increase in number of payments among the payment types considered. Debit card payments grew at an annual rate of 7.1 percent by number or 6.8 percent by value from 2012 to 2015 with most of the growth occurring in non-prepaid debit card payments. The number of credit card payments reached 33.8 billion in 2015 with a value of $3.16 trillion, up 6.9 billion or $0.61 trillion since 2012. Credit card payments grew at an annual rate of 8.0 percent by number or 7.4 percent by value from 2012 to 2015, the largest growth rates among the payment types considered... The number of check payments fell to 17.3 billion with a value of $26.83 trillion, down 2.5 billion or $0.38 trillion since 2012. Check payments fell at an annual rate of 4.4 percent by number or 0.5 percent by value from 2012 to 2015. The decline of checks over the period was slower than previous studies had shown for prior periods since 2003."

Prepaid cards typically include gift cards and payroll cards which consumers load money onto and which aren't linked to bank accounts (e.g., checking, savings). Past studies have documented numerous fees with prepaid cards while some consumers use prepaid cards instead of traditional bank accounts. "Non-prepaid debit cards" refer to debit cards linked to traditional bank accounts.

There are significant differences between the volume and value for each non-cash payment type. For example, debit cards generated the largest share of payment volume and the smallest share by value:

Another way of looking at the variety of non-cash payment types is the volume of payments over time:

Additional findings about prepaid cards:

"The number of prepaid debit card payments reached 9.9 billion with a value of $0.27 trillion in 2015, up 0.6 billion or $0.04 trillion since 2012. Almost all of the growth in prepaid debit card payments by number and value came from general-purpose prepaid cards, which can be used over the same general-purpose networks as non-prepaid debit cards. General-purpose prepaid card payments increased to 3.7 billion in 2015 by number, up 0.6 billion from 2012 to 2015, which was much less than the growth of 1.8 billion from 2009 to 2012... The average value of payments using these types of cards dropped slightly from $35 in 2012 to $34 in 2015.

Private-label prepaid card payments declined slightly by number, but rose somewhat by value from 2012 to 2015. In 2012, such payments totaled 3.7 billion by number or $0.05 trillion by value, while, in 2015, they totaled 3.6 billion by number or $0.07 trillion by value. Private-label prepaid card payments dropped at an annual rate of 0.3 percent by number but rose 15.0 percent by value. Hence, the average value of these payments rose from $13 to $20.

Payments made by prepaid EBT cards increased slightly from 2.5 billion in 2012 to 2.6 billion in 2015, or 1.7 percent per year, while the value of these payments also increased slightly from $0.07 trillion to $0.08 trillion, or 0.20 percent per year. The average value of prepaid EBT card payments declined slightly, from $30 to $29.

In 2015, non-prepaid debit and general-purpose prepaid cards were used in 5.8 billion cash withdrawals at ATMs, virtually the same level as in 2012, after dropping from 6.0 billion ATM cash withdrawals in 2009. The average value of ATM cash withdrawals rose from $118 to $122 between 2012 and 2015, continuing an upward trend in average value since 2003."

To minimize fraud and waste, banks and retailers began the migration to chip cards in the United States in 2015. The FRB study included findings about fraud:

"Payments with general-purpose cards using embedded microchips, which improve the security of in-person payments to help prevent fraud, have grown by 230 percent per year since 2012. But payments with the chip-based cards amounted to only about 2 percent share of total in-person general-purpose card payments in 2015, reflecting the early stages of a broad industry effort to roll out chip card technology. In 2015, the proportion of total general-purpose card fraud by value attributed to counterfeiting, the most prevalent type of in-person card fraud in the United States, was substantially greater than in countries where chip technology has been more widely adopted."

The United States was one of the last developed countries to switch to chip cards. So, chip card usage in the United States still has a long way to go. The types of fraud with debit/credit/prepaid cards:

• Counterfeit card: Fraud is perpetrated using an altered or cloned card.
• Lost or stolen card: Fraud is undertaken using a lost or stolen card.
• Card issued but not received: A newly issued card sent via postal mail to a cardholder is intercepted and used to commit fraud.
• Fraudulent application: A new card is issued based on a fake identity or on someone else’s identity.
• Other: “Other” fraud includes account takeover and other types of fraud not covered above.
• Fraudulent use of account number: Fraud is perpetrated without using a physical card.

Fraud is perpetrated via two channels: 1) in-person when the cardholder has their card, and 2) remote when the cardholder is not present (e.g., postal mail, online, telephone). To learn more, download the "2016 Federal Reserve Payments Study" (Adobe PDF) and/or read the FRB announcement.

On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.

The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:

The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."

HEI is notifying affected customers and consumers that may have been affected:

"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."

The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.

HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.

If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?

The Consumer Financial Protection Bureau (CFPB) recently released a report about debt collection scams. The report is based upon more than 834,00 complaints filed by consumers nationally with the CFPB about financial products and services: checking and savings accounts, mortgages, credit cards, prepaid cards, consumer loans, student loans, money transfers, payday loans, debt settlement, credit repair, and credit reports. Complaints about debt collection scams accounted for 26 percent of all complaints.

The most frequent scam are attempts to collect money from consumers for debts they don't owe. This accounted for 38 percent of all debt-collection-scam complaints submitted. This included harassment:

"Consumers complained about receiving multiple calls weekly and sometimes daily from debt collectors. Consumers often complained that the collector continued to call even after being repeatedly told that the alleged debtor could not be contacted at the dialed number. Consumers also complained about debt collectors calling their places of employment... Consumers complained that they were not given enough information to verify whether or not they owed the debt that someone was attempting to collect. "

The two companies with the most complaints:

"... were Encore Capital Group and Portfolio Recovery Associates, Inc. Both companies, which are among the largest debt buyers in the country, averaged over 100 complaints submitted to the Bureau each month between October and December 2015. In 2015, the CFPB took enforcement actions against these two large debt buyers for using deceptive tactics to collect bad debts."

Compared to a year ago, debt collection complaints increased the most in Indiana (38 percent), Arizona (27 percent), and New Hampshire (26 percent) during December 2015 through February 2016. Debt collection complaints decreased the most in Maine (-34 percent), Wyoming (-26 percent), and North Dakota (-23 percent). And:

"Of the five most populated states, California (10 percent) experienced the greatest percentage increase and Illinois (-4 percent) experienced the greatest percentage decrease in debt collection complaints..."

The report lists 20 companies with the most debt-collection complaints during October through December 2015. The top five companies with with average monthly complaints about debt collection are Encore Capital Group (139.3), Portfolio Recovery Associates, Inc. (112.3), Enhanced recovery Company, LLC (65.7), Transworld Systems Inc. (63.7), and Citibank (54.7). This top-20 list also includes several banks: Synchrony Bank, Capital One, JPMorgan Chase, Bank of America, and Wells Fargo.

While the March Monthly Complaint Report by the CFPB focused upon debt collection complaints, it also provides plenty of detailed information about all categories of complaints. From December 2015 through February 2016, the CFPB received on average every month about 6,856 debt collection complaints, 4,211 mortgage complaints, 3,556 credit reporting complaints, 2,021 complaints about bank accounts or services, and 1,995 complaints about credit cards. Most categories showed increased complaint volumes compared to the same period a year ago. Only two categories showed a decline in average monthly complaints: credit reporting and payday loans. Debt collection complaints were up 6 percent.

Compared to a year ago, average monthly complaint volume (all categories) increased in 40 states and decreased in 11 states. The top five states with the largest increases (all categories) included Connecticut (31 percent), Kansas (30 percent), Georgia (25 percent), Louisiana (25 percent), and Indiana (24 percent). The top five states with the largest decreases (all categories) included Hawaii (-25 percent), Maine (-19 percent), South Dakota (-14 percent), District of Columbia (-8 percent), and Idaho (-6 percent). Also:

"Of the five most populated states, New York (12 percent) experienced the greatest complaint volume percentage increase, and Texas (-8 percent) experienced the greatest complaint volume percentage decrease from December 2014 to February 2015 to December 2015 to February 2016."

The chart below lists the 10 companies with the most complaints (all categories) during October through December, 2015:

The "Other" category includes consumer loans, student loans, prepaid cards, payday loans, prepaid cards, money transfers, and more. During this three-month period, complaints about these companies totaled 46 percent of all complaints. Consumers submit complaints about the national big banks covering several categories. According to the CFPB March complaints report (links added):

"By average monthly complaint volume, Equifax (988), Experian (841), and TransUnion (810) were the most-complained-about companies for October - December 2015. Equifax experienced the greatest percentage increase in average monthly complaint volume (32 percent)... Ocwen experienced the greatest percentage decrease in average monthly complaint volume (-18 percent)... Empowerment Ventures (parent company of RushCard) debuted as the 10th most-complained-about company..."

To learn more about the CFPB, there are plenty of posts in this blog. Simply enter "CFPB" in the search box in the right column.

Would you use a smart watch, fitness band, or other wearable device for banking? How about your smart television or refrigerator? Many bankers think you will, and are racing to integrate a broader range of mobile devices and technologies into their banking services. A recent survey of financial executives found that:

"... 20 per cent expect it to be common for consumers to make financial transactions using wearables within one year, 59 per cent within two years and 91 per cent within five years... 87 per cent expect it to be common for consumers to make financial transactions using Smart TVs and 68 per cent via home appliances."

The survey included 500 executives globally in several financial areas: banking, financial advice, consumer finance, investment management, insurance, and payments. So, consumers are likely to see these changes not just at your bank, but in a variety of financial and insurance transactions. Here's why:

"... too many banks are out of touch with what customers really want: one survey found 62 per cent of retail banking executives believed their bank offered excellent service compared to just 35 per cent of customers.... Millennials will have annual spending power of US$1. trillion [in 2020] and represent 30 per cent of total retail sales... Millennials not only have an appetite for disruptive new technologies but also an affinity with brand-savvy digital leaders... The Millennial Disruption Index, a three-year study of industry disruption conducted by Viacom subsidiary Scratch, found that banking was most vulnerable to disruption..."

The report discussed the desire by executives to serve customers via a variety of methods:

"Today’s customers expect a flawless end-to-end experience across all channels, yet fewer than 4 per cent of our respondents say they have achieved full omni-channel integration... by 2020, 89 per cent of our respondents expect to achieve full omni-channel integration. This either suggests a massive surge of investment over the next five years – or an industry in denial about the scale of the task ahead... 70 per cent expect video chat to largely replace branch appointments. Indeed, six out of ten now believe a digital-only channel model is viable."

Bankers view the Internet-of-Things (IoT) as both a collection of endpoint devices to provide services through, and a rich source of data:

"...93 per cent agree that finding innovative ways to provide value-added services to customers based on data-driven insight will be crucial to long-term success... 86 per cent agree that once consumers recognize the data potential of the IoT they will increasingly seek to benchmark their own behavior against their peers..."

Banks will probably develop more non-human (e.g., self-service) interfaces:

"... 76 per cent agree the widespread use of virtual assistants such as Siri on the iPhone means customers are more willing to engage with automated assistance and advice... almost three quarters of our respondents agree that in the future customers will interact with a human-like avatar..."

Another technology being considered:

"... 60 per cent [of survey respondents] believe that blockchain, a distributed public ledger which can securely record any information and the ownership of any asset, will prove to be the most significant technology development to affect financial services since the Internet and 45 per cent think the combination of blockchain wallets and peerto-peer (P2P) lending could herald the end of banking as we know it... 12 per cent expect the settlement of insurance claims using IoT data, blockchain and smart contracts to be mainstream practice within two years and 74 per cent expect it to be mainstream by 2025..."

Don't expect your bank to provide these new services next week or next month. It will take them time. New systems must be built, tested, debugged, and integrated with legacy computer systems and processes. All of this suggests that to fund their investments in innovation projects, banks probably won't lower their retail banking prices and fees (e.g., checking, savings, etc.) any time soon. While writing this blog the past 8+ years, I've found it wise to always keep an eye on the banks.

Download "The Future of Retail Financial Services" report by Cognizant, Marketforce, and Pegasystems.

Part one discussed the challenges and privacy threats smart devices for the home create for consumers. Today's blog post discusses data ownership, and how to shop wisely.

You've probably heard the terms: Internet of Things. Smart Home. Connected home. All refer to the myriad of devices in your home that are connected to the Internet, outfitted with sensors, collect information about your usage (e.g., who, what, when, where, why, and how long), and transmit that digital information collected to the device manufacturer and others.

The collected information is often shared with corporate partners or affiliates, such as the device's operating system software developer and mobile payments provider. (See this chart for partners by payment type.) Data may also be shared with the Internet Service Provider and/or the wireless service provider (for mobile apps).

The types of devices vary far beyond smart phones and tablets. Some include security, lighting, temperature controls, and safety devices (e.g., smoke alarms, carbon monoxide detectors). Some may be toys used by very young children. Some may be fitness devices that collect your health information and transmit it to entities not bound by HIPAA and HITECH laws.

This data collection isn't new. It's been happening long before the Internet and smart phones. You might say that digitization and mobilization made the data collection far easier and far more extensive.

A wise consumer is bound to ask: who owns the data these collect (and transmit) about me and my family? Great question. ZD Net explored the answer:

"According to law firm Taylor Wessing, end users don't really have ownership rights to the data gathered by off-the-shelf systems they've installed. If you've rolled out a smart home set-up, you can't legitimately claim that all the details about when you switched on your lights or opened your garage belong to you and you alone."

The term "end users" refers to consumers... you. So, consumers in the United States have few property rights. That means you have little control over the data collection and sharing with others. Not good.

And, it's worse because devices don't always indicate when they are recording your activity, what you do and say:

"... One recent high profile misstep case in point: the privacy policy for Samsung smart TVs told customers that if they had discussed personal or sensitive information in front of the TV, "that information will be among the data captured and transmitted to a third party through your use of Voice Recognition", causing consternation among users. The company subsequently published a blog to explain to users exactly how and when their TVs were listening in."

Whatever smart home devices you purchase, shop wisely:

1. Read both the terms of conditions and privacy policies before purchase. If you don't like the terms, don't buy it and keep shopping for alternatives.
2. Buy devices that include regular software updates, just like your computer. This helps protect you (and the data collected about you and your family) against malware, hacks, and computer viruses by unauthorized persons.
3. Buy devices that are truly smart. Avoid devices that are simply outfitted with a touch-screen and Internet connection. You're probably paying (a lot) more, so make sure you get more. And,
4. Buy devices with robust privacy settings, so you can control what information you share, when, and how.

What do you consider when shopping for smart devices for your home?

Last night, the "60 Minutes" news magazine broadcast an interesting segment about mobile banking in Kenya without banks. Since 80 percent of citizens have mobile phones, the country' took the innovative approach of allowing consumers to easily and securely pay for products and services via their mobile phone provider.

Meet M-PESA. Mobile banking without banks.

It is possible. It can happen. No bank accounts. No credit reports. No prepaid cards. No payroll cards. No digital wallets. No payment processors. And, Kenyans don't need the latest Apple iPhone or Android Galaxy phone. A far simpler system. Safaricom, the Kenyan mobile service provider, launched M-PESA in 2007. The mobile payments system was designed for the most basic phones with text messaging capabilities. A smart approach that puts consumers' needs first.

The segment highlights several issues:

• All digital wallets are built based upon traditional banks and payment processors. No so with M-PESA
• Silicon Savannah: digital innovation is happening globally, and not only in Silicon Valley
• Banking deserts: traditional banking, with branch offices and tellers, comes with a cost structure making it difficult to provide services to poor people. Yes, there are banking deserts in the USA, too. (Bankers prefer to label consumers in banking deserts as unbanked or underbanked.) Read about HOPE which servers farmers in the USA
• We live in disrupting times. Online services like AirBnB and Home Away have disrupted the hotel industry. Services like Lyft and Uber have disrupted the taxi industry. Perhaps, the banking industry is next, given its hold on politicians, politics, government regulation, and the economy by "too big to fail" banks or "too big to jail" bankers
• Mobile devices are marketed in the USA like cars, with slick advertisements that imply: in order to be happy and productive, consumers must have the latest device. The Kenyan M-PESA system proves otherwise.

Watch the 60 Minutes segment, "The Future of Money" or read the transcript. What are your opinions of M-PESA? Of banking deserts?

The Consumer Financial Protection Bureau (CFPB) helps consumers in many ways. To learn more, read:

• CFPB Considers Proposal To Ban Some Arbitration Clauses
• The CFPB Consumer Complaints Database Does What It Was Designed To Do
• To Learn More About Prepaid Cards, Try The 'Ask CFPB' Service
• CFPB Accepts Complaints From Consumers About Money Transfers
• CFPB Begins Supervision of Credit Reporting Industry
• CFPB Accepts Complaints From Consumers About Checking And Savings Accounts
• CFPB Reports List Of Complaints From Consumers About financial Products

Today, October 1, 2015 is the date banks and card issuers set to transition to the new EMV chip cards. The transition was to reduce card fraud. EMV is the name of the technology jointly developed by Europay, MasterCard, and Visa. Was the transition completed? The American Banker reported:

"Most credit cards (about 70%) will have chips on them. But most of these cards will be chip-and-signature cards, not chip-and-PIN... Many small merchants won't be ready. Depending on which study you believe, somewhere between 20% and 30% of merchants have purchased and deployed the EMV-capable point-of-sale terminals and software they will need to handle EMV chip cards. Big-box stores like Target that have suffered data breaches have done this work. But most small stores and restaurants have not. New EMV equipment is expensive and sometimes difficult to implement, and many seem unaware of the dangers of not adapting."

So, the transition is incomplete. In Europe, the United Kingdom transitioned to chip-and-PIN in 2006, and saw store-related card fraud drop 70 percent. The PIN is a short number the cardholder enters at the terminal to authorize their purchase. Chip-and-signature refers to new chip cards when the cardholder signs at the terminal to authorize their purchase.

It' is troubling that many retailers in the USA haven't upgraded to the new terminals. The result: consumers will encounter a frustrating mix of stores with and without the new chip card terminals. Cardholders will have to insert their chip cards at stores with the new terminals, and swipe the swipe the magnetic stripe on the back of their chip cards at stores without the new terminals.

The new chip cards contain both a chip that encrypts and stores your sensitive payment information, plus the obsolete magnetic stripe on the back of the card, which fraudsters have used to clone cards. Some experts have criticized this approach, arguing that the less-secure magnetic stripes should have been eliminated. The counter argument:

"Duplicating the chip on a chip card is difficult if not impossible [for ciminals]. Most new cards are being issued with both a magnetic stripe and a chip and the new EMV terminals accept both the chip and the stripe. So theoretically [criminals] could duplicate just the magnetic stripe on the chip card, create a new magnetic stripe card and try to use that. However, if an EMV card is swiped on an EMV-compliant merchant terminal, the system will reject the transaction and force the consumer to insert the chip."

Time will tell which experts are correct. Some cite two statistics. First, 37 percent of total card fraud is from criminals using cloned cards in stores. Second, the bulk of card fraud is online:

"Online card fraud is expected to rise. So-called "card not present" fraud — where someone uses a card but does not physically present the card (this could be over the phone, over a fax machine, on a mobile device or a computer, but most people equate "card not present" with using a card on a website) — represents the bulk of card fraud in the U.S.: 45%, according to Aite Group. The analyst group expects online card fraud to more than double from $3.1 billion in 2015 to $6.4 billion in 2018."

To help consumers, the Consumer Financial Protection Bureau (CFPB) provides easy answers about the new chip cards. The CFPB is a great resource for consumers to learn about their rights and to get help. The CFPB enforces rules that financial institutions must follow when marketing financial products to consumers. For unresolved problems with credit/debit/prepaid cards, student loans, debt collection agencies, or other financial products, you can submit online a complaint to the CFPB for assistance.

Discover notified its credit card customers in July about the transition. Its notice provided helpful images of the new terminals, the new chip card, and how cardholders insert chip cards into the new terminals. As I wrote then, before traveling in Europe, Discover cardholders should set up a PIN number, since Europe requires chip-and-pin authorizations.

What are your opinions of the new chip cards? Of the partial transition? If you have experienced problems with a new chip card, please share below.

Bank of America (BofA) has decided to move forward with charging large monthly maintenance fees to its checking account customers. Yesterday, I received a notice via postal mail from BofA dated March 6, 2015:

"We're updating our checking products and, as a result, the existing checking account listed above will become an Advantage Regular Checking account...

What's not changing
Your account information, including your account number, checks, and debit card all remain the same. Your account features, such as direct deposit, Online and Mobile banking. Bill Pay, as well as accounts linked for overdraft protection, will also remain the same.

What's Changing
Monthly maintenance fee: You can avoid the monthly fee on this account when you meet any ONE of the requirements shown below during each monthly statement cycle. Otherwise, the $25 monthly fee will be deducted from your account. This change takes effect on your first statement cycle that starts on May 15."

I checked the BofA website for any press releases about its price increase. I saw nothing. Not good.

A $25 monthly maintenance fee equals $300 yearly. That's a big price increase. You may remember Bank Transfer Day in 2012, when many consumers moved their money from the big banks to smaller, regional banks and credit unions. Several banks and BofA had tried to raise prices in 2011 by applying monthly maintenance fees, but then reversed their decisions after considerable push-back by consumers.

BofA tried to justify its 2011 price increase by saying their transaction costs had gone up and the, "economics of debit cards have changed," After some research in 2011 (see image on right), I found that BofA partnered with another company, First Data, to create a separate company that actually processes the bank's debit-card transactions, and both share in those debit-card transaction revenues.

That partnership continues today. The 2015 Hoovers profile states:

"The next time you swipe your card and it clears, you might thank Banc of America Merchant Services. A 2009 joint venture between Bank of America and First Data, it is one of the largest processors of electronic payments in the US. The firm handles more than 7 billion check and credit, debit, stored value, payroll, and electronic benefits transfer card transactions (worth a total of some $250 billion) annually. Its clients are small businesses and large corporations including retailers, restaurants, hotels, supermarkets, utilities, gas stations, convenience stores, and government entities. First Data owns 51% of Banc of America Merchant Services, while Bank of America owns 49%."

I'll bet you didn't know this. Most people don't. Most of the big banks have similar arrangements with First Data. So, the big banks make money off your money by investing it (what you'd expect), but also by both charging customers monthly maintenance fees and from collecting revenues from their debit-transaction processing partnership (not what you'd expect). Some people might call making money at both ends of the transaction double-dipping. I do. That didn't pass the smell test in 2011, nor today.

Fast-forward four years, and the transaction cost reason has been replaced with the "updated our checking products" excuse. It's still lame. A price increase is a price increase. Plus, the notice I received from BofA failed to mention any cost cutting done before passing along a huge price increase to its checking customers. That's just bad.

Moreover, the bank's latest price increase couldn't be more confusing. The bank's notice explained how checking customers can avoid the large monthly maintenance fees:

"Keep an average daily balance of $5,000 or more in your checking account or linked Regular Savings account, or

Keep an average daily combined balance of $10,000 or more in checking with linked savings, money market savings, CDs or IRAs, or

Keep an outstanding balance of $15,000 or more in an eligible linked installment loan or line of credit, or

Have $15,000 in total combined assets in your eligible Merrill Edge and Merrill Lynch investment accounts that are linked to your checking account, or

Have a linked Bank of America first mortgage loan that we service."

This reads like legalese written by lawyers. Why not keep it simple and say: keep $5,000 in an account to avoid the monthly maintenance fees. Simplicity matters.

Let's review some more of BofA's history. In August 2014, the bank agreed to a massive settlement with the U.S. Justice Department and several states' attorney generals. The $16.65 billion settlement agreement resolved both federal and state civil investigations into activities by the bank's former and current subsidiaries, including Countrywide Financial Corporation and Merrill Lynch, related to the packaging, marketing, sale, and issuance of residential mortgage-backed securities (RMBS). The bank acquired Merrill Lynch in 2009, and Countrywide in 2008.

To be fair, other big banks have paid massive settlement amounts during the past few years: Bank of America, $61.1 billion; JPMorgan, $31.4 billion; Citigroup, $10 billion; and Wells Fargo, $5.8 billion. A 2012 survey found that junior bank executives view wrongdoing as necessary to advance their careers. Based upon all of this, there clearly seems to be an ethics problem in banking.

I find BofA's reason (e.g., updated their checking products) for its price increase disingenuous. More likely, the price increase was driven profitability concerns given the massive settlement payments. Why not reduce senior executive compensation and bonuses instead (e.g., especially those executives that committed the wrongdoing that led to the massive settlement payments)? Why put the burden on customers?

That BofA decided to place the burden on its customers speaks volumes. Banks can clearly raise prices if they want. They are free to do that. Customers are free to move their money to a bank (or credit union) with lower or no monthly maintenance fees.

I'll make it easy for BofA checking customers to avoid the price increase: move your money to a small, regional bank or credit union. It's easier than you think, and there are a lot of benefits. Last month, Bankrate compared checking account fees between banks and credit unions:

"You're twice as likely to find free checking at a credit union than a bank, according to a new study by Bankrate.com. Nearly three quarters of credit union checking accounts -- 72 percent -- come with no balance requirements or monthly maintenance fees. That's in sharp contrast to banks, where only 38 percent of checking accounts are free... Most of the time, when you encounter dramatically lower prices for the same product, you assume that the cheaper product is somehow inferior. But that's not the case with credit unions, which typically offer services comparable to similarly sized banks. Instead, it comes down to the way credit unions are organized, says Jon Jeffreys, managing partner at Callahan & Associates, a management consultancy that works with credit unions..."

Thankfully, I had already begun to move my money. BofA's latest price-increase notice just accelerated my schedule. While I have sufficient account balances to avoid BofA's new monthly maintenance fees, I simply dislike the way the bank operates. For me, it goes to values.

If you are looking for a small bank or credit union to move your money to, a good resource is the Move Your Money Project. Some consumers have tried to move their money to prepaid cards instead. I believe that is a poor decision, because there usually are many fees with prepaid cards. Plus, experts have advised consumers to be wary of prepaid card protections.

What are your opinions of Bank of America? Of its latest price increase? Has your bank increased prices?

The National Retail Federation and 43 other retail associations sent a letter dated November 6, 2014 to Congressional leaders in House and Senate demanding laws that promote stronger data security, eliminate exemptions to certain industries from data breach notification laws, and provide consistent data breach notification rules.

There are currently 47 different breach notification laws across the states. The makes for a complicated, patchwork of state laws that retailers must navigate when informing affected shoppers about data breaches. The laws vary in defining the data elements to be protected, data formats, the methods of notification, and when affected consumers must be notified by.

The retail associations' letter to Congress (Adobe PDF) stated:

"Organized groups of criminals, often based in Eastern Europe, have focused on U.S. businesses, including financial institutions, technology companies, manufacturing, retail, utilities and others. These criminals devote substantial resources and expertise to breaching data protection systems... Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information. Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

The letter cited current banking practices:

"... the recently reported data breaches have taught us, it is that any security gaps left unaddressed will quickly be exploited by criminals. For example, the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

The letter described the threats retailers face data breaches at banks and payment processors:

"... some recent examples are instructive. This summer, it was reported that JPMorgan Chase had suffered a data security breach... affecting 83 million accounts that had been accessed online or through mobile devices. The criminals involved reportedly took over computers around the world... Given the sophistication of the attack, even months after initial disclosure, it is not clear whether the bank’s system is free of the hackers involved. It has also been reported that nine other banks suffered similar data breaches and there is evidence that there is a focused effort to breach financial institutions by these criminals... Despite all that reporters have uncovered to date, however, financial regulators have not required financial institutions to provide the same detailed notice to their customers as is required of other businesses under law... it was revealed in September that over 100 account subscribers to Apple’s widely-used iCloud service had suffered a series of targeted attacks that ultimately led to the unlawful acquisition of sensitive photographs stored on the iCloud servers. Merchants have also been attacked by criminals employing sophisticated and previously unseen tools to steal payment card numbers. Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data – from financial institutions to retailers, card processors, and telecommunications providers."

The letter also cited a key industry study about where data breaches occurred:

"The Verizon Data Breach Investigations Report is the most comprehensive summary of these types of threats. The 2014 report (examining 2013 data) determined that there were 63,437 data security incidents reported by industry, educational institutions and governmental entities last year and that 1,367 of those had confirmed data losses. Of those, the financial industry suffered 34%, public institutions (including governmental entities) had 12.8%, the retail industry had 10.8%, and hotels and restaurants combined had 10%."

The Online Trust Alliance supports the retailer associations' letter with calls for better, stronger, consistent data breach laws. The American Bankers Association and several financial services groups responded with their own letter (Adobe PDF) to Congress dated November 12, 2014. The banking groups' letter said the retail associations' letter was:

"... inaccurate and misleading, and recommends solutions that leave consumers vulnerable to enhanced risk of data breaches... As evidenced by the massive breaches at Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen and others, retailers are being targeted by cyber criminals. While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

Given the frequency and large size of data breaches, in my opinion, both groups have failed at adequately protecting consumers' sensitive personal and financial information. Neither is in a position to criticize the other.

The financial groups' letter cited "Strong Federal Oversight and Examination" and:

"Financial institutions on their own are aggressively implementing new systems and leading the development of new technologies like tokenization to combat the ever-changing criminal threat."

Banks may lead the way upon defending against external threats, but seem to have failed miserably against internal threats. Several examples illustrate my point. Banks have settled lawsuits about data breaches, settled lawsuits about residential mortgage back securities abuses, paid massive amounts ($128 billion and counting) in settlement payments and fines where terms are often kept secret and payments are tax deductible, and failed to solve their growing ethics problem where young bankers feel they must break the law to get ahead. Nobody forced banks to violate laws resulting in these lawsuits, settlements, and fines.

Rather than fight, both groups should stay focused on their shoppers and account holders: collaborate on better data security. Otherwise, they both look silly; like children at the dinner table arguing over who gets the last slice of chocolate cake.

View the full text of the retail associations' letter to Congress (Adobe PDF). Download the 2014 Verizon Dat Breach Investigations Report. Learn more about hacking attacks against Apple iCloud services.

There seem to be more and more huge billion dollar settlements by banks for wrongdoing. Earlier this week, the U.S. Department of Justice (DOJ) announced an agreement with Bank BNP Paribus (BNPP) where the bank has agreed to plead guilty for illegal financial transactions with countries under U.S. sanctions. The French bank allegedly violated:

"... the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) by processing billions of dollars of transactions through the U.S. financial system on behalf of Sudanese, Iranian, and Cuban entities subject to U.S. economic sanctions. The agreement by the French bank to plead guilty is the first time a global bank has agreed to plead guilty to large-scale, systematic violations of U.S. economic sanctions."

Investigations found that the bank processed $8.8 billion in illegal financial transactions with sanctioned entities.To avoid detection, the bank allegedly routed illegal payments through third-party banks and instructed other banks not to disclose the names of sanctioned entities in those transactions.

The bank entered a written plea agreement and will pay total financial penalties of $8.9736 billion, including a forfeiture of $8.8336 billion and a fine of $140 million. The DOJ annouced additional terms of the plea agreement:

"BNPP will waive indictment and be charged in a one-count felony criminal information, filed in federal court in the Southern District of New York, charging BNPP with knowingly and willfully conspiring to commit violations of IEEPA and TWEA, from 2004 through 2012."

The bank is scheduled to formally enter its guilty plea in United States District Court on July 9, 2014 at 4:30 p.m. Deputy Attorney General James M. Cole said:

"BNPP ignored US sanctions laws and concealed its tracks. And when contacted by law enforcement it chose not to fully cooperate... This failure to cooperate had a real effect -- it significantly impacted the government’s ability to bring charges against responsible individuals, sanctioned entities and satellite banks. This failure together with BNPP’s prolonged misconduct mandated the criminal plea and the nearly $9 billion penalty that we are announcing today.”

Assistant Attorney General Caldwell said:

"By providing dollar clearing services to individuals and entities associated with Sudan, Iran, and Cuba – in clear violation of U.S. law – BNPP helped them gain illegal access to the U.S. financial system... In doing so, BNPP deliberately disregarded U.S. law of which it was well aware, and placed its financial network at the services of rogue nations, all to improve its bottom line. Remarkably, BNPP continued to engage in this criminal conduct even after being told by its own lawyers that what it was doing was illegal.”

BNP Paribus stated in a press release:

"BNP Paribas also accepts a temporary suspension of one year starting 1st January 2015 of the USD direct clearing focused mainly on the Oil & Gas Energy & Commodity Finance business line in certain locations... BNP Paribas will maintain its licenses as part of the settlements, and expects no impact on its operational or business capabilities to serve the vast majority of its clients... "

In its press release, the bank announced new internal compliance and control processes:

"... a new department called Group Financial Security US, part of the Group Compliance function, will be headquartered in New York and will ensure that BNP Paribas complies globally with US regulation related to international sanctions and embargoes... all USD flows for the entire BNP Paribas Group will be ultimately processed and controlled via the branch in New York. As a result of BNP Paribas’ internal review, a number of managers and employees from relevant business areas have been sanctioned, a number of whom have left the Group."

The bank generated annual revenues in 2013 of Euros 36.1 million. The current exchange rate: 1.0 Euro = 1.37 U.S. dollars.

I congratulate government officials for the investigations and for enforcing the law. I look forward to the results of investigations of banks that worked with BNP Paribus to hide the illegal transaction. However, I have only one question: why are no BNP Paribus bank executives going to prison? The criminal conduct seems to warrant prison time.

What are your opinions of the plea agreement by Bank BNP Paribus?

Late last month, Maryland Attorney General (AG) Douglas F. Gansler issued a warning for consumers interested in using virtual currencies such as Bitcoin. Many consumers like virtual currencies because of lower transaction fees compared to banks and traditional payment options.

AG Gansler said in a press release:

"Virtual currency, which includes digital and crypto-currency, is gaining in popularity and controversy. Growing numbers of merchants, businesses and other organizations now accept Bitcoin, one example of crypto-currency, in lieu of traditional currency.

Virtual currencies exist with little to no regulation and there is no safety net, such as federally-backed insurance, if you lose your hard-earned money," said Attorney General Gansler. "It pays to know what's in your e-Wallet and the many ways your money can disappear if you're not careful. Unlike the dollar, these highly volatile alternatives are not issued by a government authority and are typically not backed by tangible assets."

Mark Kaufman, the Maryland Commissioner of Financial Regulation said:

"Bitcoin and all virtual currencies have inherent risks that Marylanders should consider prior to transacting with or investing in these currencies... The entities that accept and transmit, or exchange virtual currencies for U.S. dollars are subject to federal law, and may be subject to state law, including the requirement to be licensed as a money transmitter. It is important to note however, that Maryland does not currently regulate virtual currencies. I encourage any Maryland resident interested in virtual currencies, to do their homework first."

Accounts with virtual currencies are not insured by the Federal Deposit Insurance Corporation (FDIC), which insures bank accounts up to $250,000.The Internal Revenue Service (IRS) has issued some guidance on the tax status of virtual currencies.

Residents of Connecticut can download the "What's In Your E-Wallet?" alert by the Department of Banking (Adobe PDF). The State Of Washington's Department of Financial Institutions issued a similar warning for consumers:

"One of the major risks of holding virtual currencies is their volatility. Their value can rise or fall substantially over a short period of time... Bitcoins, and others like it, are basically lines of computer code that are valued by the marketplace with no governmental support or oversight. Anyone holding virtual currencies should understand that they could lose a significant part of their investment as the market changes... There are no deposit guarantees like FDIC insurance to protect customer funds held by virtual currency exchanges. Once the funds are gone, there is no way to retrieve them... Some exchange companies that offer to store the consumer’s virtual currencies in virtual wallets have been unable to protect them... Because virtual currencies provide some anonymity, criminal elements have found them useful for money laundering and other crimes. When exchanges are shut down as a result of either knowingly or unknowingly facilitating a crime, customers may have difficulty accessing their funds."

Earlier this month, the U.S. Securities and Exchange Issued an alert about Bitcoin and other virtual currencies.

So, the old saying apples: do your homework first. Wise consumers should first check the financial laws in their state to see what regulations and protections exist, if any.

A prior blog post discussed the Target data breach, the retailer's security preparations, and management's post-breach response. Months before the breach, Target installed robust breach-detection software. During the breach, that software provided alerts which management missed. That blog post referenced a Bloomberg Businessweek article which reported breach details.

The Businessweek article went further and explored possible links between the breach and Russian hackers operating in Odessa, Ukraine. First things first. There will be plenty of time later to profile the hackers. Today, stay focused on breach details, the retailer's post-breach response, and the breach investigations. The goal is to report what happened so things can be fixed. Consumers want and need to know they can trust banks and retailers to protect their payment card information.

The article also published this flow diagram:

See box #1 which mentioned a HVAC vendor and used the word "probably." The conclusion seems to have been based upon an email attack described in this KrebsOnSecurity article:

"... investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical... Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Two of those sources said the malware in question was Citadel – a password-stealing bot program..."

Fazio confirmed that it experienced an attack (Adobe PDF). The KrebsOnSecurity article included a "theory" about how hackers with billing credentials accessed systems with point-of-sale cashiers. I expected something more definitive than a "theory." I expect something more definitive than "investigators believe" -- ideally, "investigators analyzed" or "investigators found."

Knowing the exact scenario is important, so relevant fixes can be applied to prevent a massive breach like this from happening again. Hopefully, Target's final breach investigation report will clarify and explain things.

I wonder about the investigators' conclusions. How do investigators know with 100 percent certainty that (only) this specific HVAC vendor breach was the setup? How do the investigators know that credentials weren't stolen from any other Target vendors? How do investigators know that no other vendors experienced data breaches allowing hackers access to Target's systems?

During the past 6+ years I've written this blog, I've learned that online thieves are smart, persistent, and go where the money is. A January 2014 Let's Talk Payments article mentioned several of Target's major partners:

"Companies performing these [payments processing] roles for Target were identified in a research note by Robert W. Baird & Co analysts on Dec. 19... the merchant acquirer used by Target for credit and debit card transactions is Bank of America Merchant Services, a joint venture of Bank of America and KKR’s First Data Corp... The note also identified Vantiv of Cincinnati as processing transactions for Target customers who type in personal identification numbers for debit transactions... Target-branded payment cards are issued by Toronto’s TD Bank Group."

Regular readers of this blog recognize First Data and understand how much information the processor collects about consumers. (New to this blog? To learn more, select "Data Breaches," "Payment Procesors," or "Retail" in the right-column tag cloud. Or enter a company name in the right-column search mechanism.) Regular readers of this blog also recognize Bank of America Merchant Services, and its joint venture with First Data to process the payment transactions of the bank's retail (e.g., checking, debit card, credit card) customers. Other banks probably have similar arrangements with First Data.

Target's REDcard loyalty program includes the Target-branded credit and debit payment cards. According to a quarterly filing with the S.E.C., REDcard penetration increased from 12.8 to 18.6 percent during 2013. That's huge growth in one year. Good for Target: its shoppers like using REDcards. Bad for Target: its data breach has threatened that growth, REDcard usage by shoppers, and payments processors' revenues (and profits).

Smart hackers would focus on vendors with the best credentials; credentials that provide the best access to Target's computer systems and network. Another question: which vendor probably has the best credentials: a small HVAC vendor or a key business partner? The KrebsOnSecurity article discussed how Target required two-factor authentication for some vendors and not others. Maybe a small HVAC vendor was the easiest way in for the hackers. Maybe not. I hope that the formal Target breach investigation clarifies and explains things. Maybe the answers will be the same as reported in the KrebsOnSecurity article. Or maybe not.

In a January 2014 new story by SC Magazine, a First Data Corp representative denied that the processor's systems were breached:

"First Data processes some transactions for one of Target's acquirers, but we have no indication that our systems were involved in any of the incidents reported by Target,"

"No indication" doesn't sound to me like a resounding, definite "no" with 100 percent confidence. Reportedly, the First Data representative also said:

"The situation being reported by Target is a concern to all of us in the payments industry... data security is of paramount importance to First Data, which is why we work closely with our clients to protect cardholder data through our own system monitoring and the risk management solutions we offer our clients.”

Hmmm. Payments processors have had data breaches... massive ones. You may remember the Global Payments and Heartland breaches. First Data Corp has experienced a data breach too, at its Western Union unit.

Reportedly, the U.S. Secret Service is also investigating the Target data breach. That implies an interest in any systemic retail or banking security issues affecting the country's money supply. Systemic issues that come to mind are breaches at multiple retailers, the obsolete technology for payment cards, weaknesses in retail payment processes, and breaches at banks or payments processors. To me, a breach at a tiny HVAC vendor don't seem to rise to level of systemic.

Again, this is all speculation. I'm not saying one of Target's partners was breached. I don't have access to the data investigators have. All I'm saying is that a thorough, broad breach investigation needs to ask the question: was anyone else breached? The Target breach shook consumers' trust, and the breach investigation needs to address that. Trust matters. Consumers want to trust that banks and retailers can protect their card payment information.

Maybe the answer to this question will be the same; a small HVAC vendor's breach was the setup. Maybe not. A lot has happened since January. When 110 million records are stolen, one has to ask... one has to look, thoroughly.

I'd hate to think that the breach investigation stopped after finding the HVAC vendor breach and didn't look further for earlier breaches at other vendors or partners. If one wants to reassure consumers of secure card payment  processes, you have to look further... and thoroughly. And if there were other breaches, report them, too.

If a payments processor was also breached, then those partners would likely be added as defendants to any lawsuits. The Businessweek article mentioned 90 lawsuits. Several lawsuits have already been filed by banks and by shoppers.

What's your opinion of the Target breach? What questions do you have? How were you affected by the Target breach?

If you haven't read it, there is an excellent article at Finextra Research about the Target breach; specifically the value of stolen shoppers' information. The article explains how your location information makes consumers' stolen payment information more valuable to thieves:

"... Target hackers have undertaken to selling location usage data alongside the card data, and can charge a premium for such data. Value added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That’s puts the “value” on the 40million+ payment cards stolen from Target at between $800million and $4billion! If we assume that their ROI is a minimum of 10 times their “investment” then we are looking at a fraud value of between $8bn and $40bn."

Plus, the numbers are much worse. Why? First, Target increased the size of its data breach to 70 million from 40 million. Second, this math is based upon what we know so far. The breach news is far from over. Third, news reports have mentioned three other retailers impacted besides the Target and Neiman Marcus breaches.

This math is important because any risk-analysis systems used by retailers (and banks) use data elements (e.g., location data) that thieves have stolen... and will continue to steal. The thieves are upping their game, and industry needs to respond. It is long past time for the U.S. retail and banking industries to upgrade from obsolete credit/debit card technology to smart payment cards.

The math is important to consumers. Why? You now know how valuable your location information is for thieves. Don't be so quick to give up your location data to social networking websites, banks, and retailers without getting something substantial in return.

Yesterday, the U.S. Attorney's Office in New Jersey announced the indictment of five persons for operating a worldwide and data breach and hacking ring that stole information about more than 160 million credit- and debit-cards, resulted in losses of hundreds of millions of dollars. The theft and fraud ring targeted financial institutions and companies, including alleged:

"... attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard."

How the theft ring operated:

"The five men each served particular roles in the scheme. Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks... The hackers hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine.  Dmitriy Smilianets, 29, of Moscow, sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants. Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc.,..."

Drinkman and Smilianets were arrested in the Netherlands on June 28, 2012. Smilianets was extradited to the USA on Sept. 7, 2012, The other three defendants are still at large. Four defendants are Russian citizens. Rytikov is a citizen of Ukraine. The number of 160 million cards stolen is an estimate, and could be higher.

Addition information from the announcement:

"The five defendants conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders."

Thanks to the several federal agencies involved in pursuing and capturing these defendants.

To me, this case is another example that identity-theft thieves and fraudsters are smart, creative, organized, and persistent. The days of the lone hacker are gone. Identity thieves target firms they believe are vulnerable. Identity thieves go where the money is.

I find this case highly interesting, as both Global Payments and Heartland experienced massive breaches previously. That the hackers targeted these and other payments processors means that all of these firms' computer systems are still vulnerable, despite executives' claims otherwise.