Summer 2014
magazine
Mercedes Kelley Tunstall ’95 As a FTC attorney, she tackled Internet fraud. Now this music alum is making it safer for us to spend. Also in this issue: Think: Environmental Impact Newest Fellows Program Live: Right on Target Not your regular student organization Summer 2014 DePauw Magazine i
Shaping the Future of Dollars and Sense Shaping the Future After litigating FTC’s first Internet fraud case, attorney moves to forefront of Sense of Dollars and Shaping the Future financial privacy and data security After litigating FTC’s first Internet fraud ofattorney Dollars andofSense case, moves to forefront financial by Larry G. Anderson
privacy data security After and litigating FTC’s first Internet fraud
case, attorney moves to forefront of financial privacy and data security
by Larry G. Anderson
by Larry G. Anderson
12 DePauw Magazine Summer 2014
Summer 2014 DePauw Magazine 13
Mercedes Kelley Tunstall ’95 was 25 and fresh out of law school when she went to work as a staff attorney in the Consumer Protection Bureau(CPB) at the Federal Trade Commission(FTC) in Washington, D.C. It was 1998, and she recalls her assignment. “My bosses basically said, ‘Hey, there’s this Internet thing, and you’re young; you should be able to figure this out. You’re our Internet lawyer.’” Tunstall became a member of the CPB’s Internet Fraud Rapid Response Team, which addressed a growing number of Internet schemes and scams that popped up and sometimes disappeared literally overnight. Eventually, she investigated and litigated the FTC’s first Internet fraud case, FTC v. JK Publications. “Through that I learned a lot about how credit cards are processed,” Tunstall says. “I learned how the system works and how a credit card number in the wrong hands can end up the way people have nightmares about – identity fraud where they’re getting charged for something they never authorized.” It also placed Tunstall, a vocal performance major at DePauw and former aspiring opera singer, at the forefront of dealing with an entirely new set of issues in the burgeoning field
14 DePauw Magazine Summer 2014
of online financial and data security. She continues to ride that cyber wave and now has a leading role in shaping new financial instruments for credit card security, online shopping, mobile commerce, cybersecurity and virtual currency, including testifying before Congressional committees about the challenges involved with the use and abuse of virtual currencies, such as bitcoin.
privacy legal matters. “In that role, I learned a ton about privacy and data security,” she says. “Bank of America gets targeted a lot because of its name – targeted particularly by foreign criminals. The bank staff included former Secret Service agents who had worked on cyber warfare issues. That was a great opportunity to learn a lot and see how banks are attacked in a cyber context.” She left Bank of America to help set
She investigated and litigated the Federal Trade Commission’s first Internet fraud case, FTC v. JK Publications. After two years at the FTC, she joined a Washington, D.C., law firm that specialized in defending companies, including then-dominant America On Line (now Aol), against the FTC. Tunstall worked on Internet issues for Aol in the early 2000s before anyone really realized the importance of online privacy and data security. Three years later, she joined a Chicago bank to work on subprime mortgage lending; however, given her Internet background she soon focused on the bank’s North American e-commerce clients. Tunstall went next to Bank of America, where she handled the financial giant’s e-commerce and online
up an online bank for Ally Financial. Then in 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act created a new regulatory entity, the Consumer Financial Protection Bureau. “I had basically done consumer protection financial services my entire career, and now there was a whole agency in D.C. called the Consumer Financial Protection Bureau, and I knew the people who were setting it up. It was time to go back to D.C. and to a firm where I could do this work as an outside counsel,” she explains. Tunstall is now a partner in Ballard Spahr LLP and practice leader in the firm’s Privacy and Data Security Group.
about identity theft and how to create strong passwords,” he says. “A password is like a toothbrush. Use it often, change it frequently and never share with others.” And never write your password, anywhere. Levinson also recommends using a cross-cut paper shredder. “Shred everything that has to do with financial statements – bank statements, credit card statements and even the envelopes they come in,” he says.
Vulnerability, real and imagined
At the three banks that employed her, Tunstall had opportunities to develop new products and services for consumers, such as mobile banking apps, online banking, mobile payments, mobile wallets and more. As a result, she is on the ground floor of establishing new financial instruments for e-commerce, just as she had been for addressing Internet fraud in 1998.
Guarding consumers’ cyber identity
While developing new financial products and services is a favorite part of her job, Tunstall’s experience makes her aware that she must pay close attention to privacy issues and data security. “In the United States, there has been a real lag in adoption of online banking and mobile banking among certain demographics because of concerns people have about the security of the Internet and mobile phones,” she explains.
“When we’re developing new products, we have to ask what is it that might make consumers feel uncomfortable, or scare them that we are setting them up to have their identity breached and lose their credit information. We have to consider what we can do to protect all of that.” Curtis KS Levinson, United States Cyber Defense Adviser to NATO based in Washington, D.C., notes what is at stake. “You can lose all your money; you can lose your identity. In other words, everything,” he says. “All of us have two separate identities. We have our physical, personal identity, and we have a completely unrelated identity in the cyber world. Because virtually no one realizes that they have two separate identities, no one thinks about the second one.” The biggest threat to online financial transactions is identity theft, according to Levinson. “The most important thing is for people to educate themselves
Tunstall believes that online banking and shopping are safe if consumers use security controls. However, convincing people of that can be daunting. A spate of recent reports that hackers compromised major department stores’ and banks’ credit card and financial information has fueled fears and misconceptions. “There are a lot of big headlines about companies being attacked, and it leads to a lot of anxiety and inconvenience,” acknowledges Steven R. Carlson, president and CEO of Ascend Consumer Finance, a San Franciscobased online lender. “But overall risk from financial loss is minimal. People should have confidence. Everyone should know that any legitimate company that works with financial information is working very hard to protect that information.” In reality, your financial and credit card information is vulnerable even if you do absolutely no banking or shopping online. “No matter what type of controls you have, a bank can be hacked,” Tunstall says. “But the same is true of checks put in the mail. No
Summer 2014 DePauw Magazine 15
Mercedes Kelley Tunstall ’95
» Current position/title: Partner, Ballard Spahr LLP, Washington, D.C.; Practice Leader in the firm’s Privacy and Data Security Group » Academics at DePauw: Vocal performance major, member of the Honor Scholar Program » DePauw activities: Alpha Omicron Pi sorority, Student Friend, Prison Visitation Program, Semester in Vienna » Further education: J.D. degree, University of Michigan Law School matter the amount of security you have, your post office box can be broken into, and those checks can be stolen and processed. That does happen today, but it doesn’t get as much press. From that perspective, there are risks no matter
of cyber attacks. Unless you use cash everywhere and don’t use cards at all, you could have your information stolen even if you never signed on to the Internet.” Carlson thinks that the risk of using a credit card as a main payment
“We have our physical, personal identity, and we have a completely unrelated identity in the cyber world. Because virtually no one realizes that they have two separate identities, no one thinks about the second one.” — Curtis KS Levinson, United States Cyber Defense Adviser to NATO how you choose to pay. “If you totally don’t purchase anything online, the way our financial systems are set up and the way our economy is set up today, you could still have your information stolen because
16 DePauw Magazine Summer 2014
instrument has been blown out of proportion. “A credit card is actually a pretty safe vehicle for shopping online. Credit card companies limit your loss to about $50 usually,” he says. “The biggest risk is with online banking, brokerage
accounts, any type of financial account. You have to protect yourself when giving financial information to a third party, such as a large retailer or bank.” He also points out that diners in the United States often give their credit card to a server, who takes it out of sight to ring up the sale. Customers have no guarantee that their server won’t write down the card number and use it to purchase things elsewhere. The risk of buying online is not much greater. European eateries do it differently. Levinson says, “In Europe, the waiter brings a wireless machine to the table, and you swipe the credit card yourself. The card never leaves your hand. In America, we don’t do that, so generally, Europeans are more secure than we are.” The United States also could take a lesson from how debit cards are secured in Europe. There, Automated Teller
Machines(ATMs) have encryption standards, so you cannot use a debit card unless it has a special chip in it called an EMV. The method is used in the Netherlands, and other European countries are moving toward adopting it. “In the United States, we don’t have that kind of encryption at all. The security we have is basically your PIN (personal identification number),” Tunstall notes. “In just the past year or so, a number of major frauds have occurred because of ATM weaknesses. One foreign bank that did not have the cybersecurity requirements of U.S. banks was hit for $25 million. If the ATMs in the United States had stronger encryption standards and required that chip in the card, it would not be as easy for cyber criminals to do that. It would be almost impossible and too expensive for them.”
Smartphone future
The smartphone is the key to an evolving brave new world of e-commerce, Tunstall predicts. Fifty-two percent of American adults have a smartphone, lower than many other countries but a sign that mobile commerce can and will grow. “Other countries, even much less developed countries, are actually far ahead of the United States in the mobile commerce world,” she says. “But those countries don’t have the controls that we do; they don’t have the protections in place for consumers that we do. It’s going to take longer for us to get up to speed. People will become more and more reliant upon their smartphones.” Smartphones already offer some handy payment options. Person-ToPerson (PTP) payments, which are increasing, allow users to transmit funds directly to another person’s account
through a protected system and with no paper involved. PTP offers convenience for such things as paying a babysitter when you don’t have cash. Mobile wallets, which are available in either closed or open forms, provide other easy methods of payment. A closed mobile wallet allows users to put a card, such as a Starbucks or other gift card, on a smartphone. In the store, the user pulls up the app, and the cashier scans the prepaid card on the smartphone. Purchase done. Open mobile wallets can hold a variety of payment cards, including debit cards, credit cards, prepaid cards and loyalty cards – everything you normally carry in your wallet. When you check out, you wave the smartphone over a pad, which reads a chip in the phone. You don’t have to swipe a card, but it
works like any other credit or debit card transaction. “Mobile wallets are actually much more secure than carrying around plastic in your pocket. The reason is because you have your full 16-digit number on a piece of plastic in your pocket. All that information is stored on the phone and nobody sees it,” Tunstall says. Still, consumers’ perceived concerns about safety of mobile wallets is an obstacle, and not all businesses currently have the device required to read them. Another promising development for mobile commerce is Square, a mobile payments company that makes it possible to use a smartphone to swipe cards, bundle transactions and send them over a mobile network. That enables anyone to become a merchant anywhere with very little start-up cost. Food trucks have been early adopters of Square. How does Tunstall prefer to shop? “I try out all new things,” she says. “I do Person-to-Person payments for things like maid service and babysitters, and I pay
Summer 2014 DePauw Magazine 17
all of my bills online, if I possibly can. I like to pay using my bank’s online pay service because I know personally what its systems are,” she says. “I like to buy things on Amazon and have them shipped to my home. I also have an app on my smartphone that lets me order pizza on the drive home on Friday night, and the pizza is hot and ready by the time I get there.”
Virtual currency
Another Internet creation might even more significantly change the way we shop. Virtual currencies, such as bitcoin, provide a new – and as yet, unproven – way to pay for purchases. But they are vying for a role in our financial system. Bitcoin exists only online and operates completely outside of the existing financial system. The value of a bitcoin derives only from the value that people choose to assign to it, and that value can change
18 DePauw Magazine Summer 2014
dramatically and at Internet speed. Therein are a number of opportunities as well as legal challenges, which is where Tunstall comes in. Bitcoin and other virtual currency transactions are conducted online and are completely anonymous. This feature allows criminals and others to buy and sell illegal items and services – guns, drugs and a host of other illicit things – in an online black market. The FBI shut down Silk Road, a Dark Web marketplace that operated with bitcoin, in October 2013 for that very reason. A Costa Rican website called Liberty Reserve had its own virtual currency and also was shut down last year. “The other disturbing piece about virtual currencies and bitcoins, in particular, is that they act like a commodity,” Tunstall explains. “The price goes up; the price goes down. If you bought a bitcoin at the $1,200 high mark and then sold it at today’s $600 or $700 mark, you lost a lot of money. There’s no full faith and credit behind it.” That danger was demonstrated earlier this year with the failure of Mt. Gox, a Japanese-based exchange that began as a platform for gaming points. Mt.
Gox became one of the largest exchange points for bitcoins. A cyber hacking precipitated a run on Mt. Gox, similar to a run on a bank, and it collapsed. The site filed for bankruptcy. When Tunstall spoke to Congress, she emphasized these three points: The anonymity feature has to go; it’s a real problem for law enforcement. The fluctuation in price and value of bitcoins make it difficult for commerce. And because they’re virtual, protecting
Virtual currencies, such as bitcoin, provide a new – and as yet, unproven – way to pay for purchases. bitcoins from cyber attack is difficult. Still, there is some movement toward bringing bitcoins into the mainstream. The Federal Election Commission voted unanimously to allow political action committees to accept bitcoins as contributions. Legitimate third-party bitcoin companies have sprung up that make it possible to pay employees with bitcoins as well as to exchange bitcoins for dollars. Even banks and other businesses are interested in bitcoins because they involve no fees, making them much less expensive for large numbers of transactions and moving large amounts of money. Federal Reserve Board Chair Janet Yellen has testified to Congress that from her perspective, and from the board’s perspective, bitcoins are still outside our financial system, so the Securities Exchange Commission or Commodity Futures Trading Commission should not regulate them.
Interestingly, as a result of the Silk Road shutdown, the U.S. government is one of the biggest holders of bitcoins. There is historical precedent for virtual currencies to enter our financial system. U.S. dollars were previously based on a gold and silver standard; now they are a fiat currency, which means dollars have the value the government says they have. “They’re not backed by anything at all. That’s the way most first-world country currencies are today,” Tunstall says. “That is part of the reason people get really excited about bitcoins. They look at fiat currencies and say, ‘It has the full faith and credit of the government behind it, but what value is that? It’s just the government saying this is the value.’” Consumers probably are not going to do anything in a meaningful way with virtual currencies until a lot of the issues are resolved, or until merchants and banks feel comfortable enough with the bitcoin system to accept it. “The financial services industry is not going to be content with debit cards and credit cards the way they are today,” Tunstall says. “The financial services industry will continue to want virtual currencies, alternative payment methods, and to push in that area because the existing transaction costs are so high that it’s worth their while to take risks and examine other payment methods.” The future of virtual currencies – how many might exist and how they might work – is just beginning to unfold. Once again, Tunstall is at the right place at the right time.
TIPS TO PROTECT YOUR FINANCIAL INFORMATION » Change your passwords frequently. It is recommended that you use strong passwords with at least 10 characters, including numbers, symbols, and both uppercase and lowercase letters. » Use unique passwords for each site, if possible. Hackers can get your username and password and use them on other sites. » Check your credit card and bank statements frequently. Immediately report any suspicious activity on your accounts to the financial institution. » Set up Alerts to notify you about any transactions of an unusual size. The biggest risk is with online banking, brokerage accounts and any type of financial account where a hacker can gain access and transfer money out of your account. » Never provide your financial information in response to an email or phone call. No legitimate company will ask for your information in that way. – Courtesy of Steven R. Carlson, president and CEO of Ascend Consumer Finance
Summer 2014 DePauw Magazine 19