
Hey everybody, nice to see you. I'm joining you today from Charlotte, so East Tennessee, hello from the West Carolinas, just the Blue Ridge between us. Really great to be here, and congratulations on your tenth event; that's an indicator of a strong community. I'm delighted to be here at yet another BSides. I love BSides as an institution, as an organization, as our communities, and I'm here to talk to you about detection. I really appreciated that that was the theme for this year, because I love detection, but I come at it from a little bit of a different angle because of all the time that I've spent in fraud detection and abuse prevention.

A little bit about who I am. If you spent time on the artist formerly known as Twitter over the last decade, you may have seen me there as Selena Kyle; the profile picture looks like a red vampire, that one's me. I've also spent time at places like Reddit, Bank of America, Google, Electronic Arts (a little bit of time in video games), Tagged, PayPal, Visa, and today I am an independent consultant. My consultancy is called Cartomancy Labs, and I'm kind of vibing in this space between cyber, fraud and abuse, and digital systems. The reason why I call it digital systems, as opposed to consumer-facing platforms, which is how I talk about it sometimes, is because a lot of the organizations I'm working with are going through a digital transformation, and so how all of their business changes when they go digital I find very interesting, especially when there are economic or social systems at play. You can see a few of those names up there known as being economic or social.

So how are we going to spend our brief time together today? I tried to organize things like any good whodunit. We're going to have a prelude that kind of provides some clues about where we might wander. I'll provide some context; that's just needless exposition, but I enjoy it. Then we'll have a hook, where I'm going to talk a little bit about why I think it's interesting for cyber folk to understand fraud, things that we can learn from each other. Then there will be a reference to The Matrix, after which the plot will thicken and I'm going to mention AI, because hey, it's 2024. Then we'll move into the hustle, where things just get a little bit confusing. I'll look for some easy answers in the frame-up, then tensions will rise as we escalate and kind of go into our conclusion, and then dénouement. So like any good mystery, I'm going to leave things open for a sequel; I'm going to leave lots of loose ends and we can tie them up some other time if we feel like it.

All right, prelude. Our plot evolves from a single point. I'm going to take us back to the days when we talked about perimeter security. I know some of us still talk about perimeter security, but there was a time, a brief romance, where we were able to actually sit inside and kind of create this perimeter that we used to protect each other. And then cloud happened. Cloud happened, third-party services happened, and what we had as a perimeter kind of got extended. It got a little lumpy where we had interconnections with other systems. And any company that has had technology, as much as they would like to have closed it behind a great perimeter, it's always been porous; they've always been interconnected, because that's a big part of what we get out of technology, the ability to interconnect.

And then something else happened, and that was companies started to go digital, meaning they were going to have to let their customers in. They used to be able to sort of hide all of their systems behind the firewall, but now actually you're inviting your customers in to connect to your systems. In fact, that's usually your business, the services that you're offering to your customers, so of course they have to be able to get in. And then what happened? Oh, then other folks tried to get in, and they were trying to get in for lots of different reasons and in lots of different ways. And here's the thing: all of their bad behavior, almost all of it (denial of service attacks maybe not), but a lot of this bad behavior lives at layer eight, meaning the product, the system, the technology, it's all working as intended. It's just the behavior is bad, their intent is bad, and they're abusing the product, which is working as designed. So this left companies in an interesting place, where you used to be able to kind of put some rules on your firewall to maybe block bad behavior trying to get into your systems, but now you're going to have to selectively determine which customers to say no to, and how. And that is the background on our little story that we're getting into.

So now I'm going to set some additional context, looking at this lovely porous perimeter that we used to depend on. There was the firewall, so we would try and drive all ingress and egress traffic to a point that we controlled, a place where we could inspect it and we could make decisions about it. We could say yes or no; those were usually the decisions, yes or no. And that always reminded me of a particular visual, sort of thinking through it. I have a little theme song running in the back of my head, but the point is that when you sort of think of things as flows, it is a point, a decision point, around which we can start to put technology, we can start to put strategy, and we can make decisions.

Okay, now we're moving into the hook. We're moving really fast; I might have time for questions at the end, which will be great. Oh, okay, this might take a few seconds. All right, so I mentioned that about half of my career has been spent in fraud and anti-abuse, as well as the time I spent in cyber. So let's talk about your credit cards,
debit cards, travel cards, what have you. The interesting thing about cards to me (if you want to take out your card and look at it) is I find it fascinating how much of the security features or fraud prevention features, for a long time, were on the card. So you're looking at this; this is a newer card, so you see there's a chip there. You see the card number, which in a lot of cases is embossed. Does anyone remember zip-zap machines, where you take your card and run it through carbon? So they had to be embossed so that they would show up nicely on the carbon, and that's how the merchant proved that you were actually there. You've got the expiration date; you've got the first four digits of the card number also printed, so that if anyone was trying to do anything funky to the card it shows up easily; and there's a hologram there. So, funny story: if you have a Visa card it has a dove hologram, I believe it still has a dove hologram. Counterfeit holograms were a thing for a while; they looked like flying turkeys, some of them, they were pretty easy to eyeball.

So when you look at a card, most of the fraud controls on the card look like they're on the front of the card, but it's actually the back of the card where the best parts of the game are. So you have the signature panel, which will show you if it's been messed with; there's the CSC, not the CVV, the CSC or the CVV2 printed on it; and then the mag stripe, the delicious mag stripe. So the mag stripe is where the actual CVV is, the original OG CVV, and there's also some information about the card and card holder, very limited, and there's a bunch of data in there that is basically the issuer, the person who created the card essentially and issued it to the customer, some codes and information on the back that are clues to the processor about how they want the card processed. So what I'm showing here, if you were to look it up on Wikipedia, we're looking at track one. I skipped track two because it's pretty repetitive of track one, and track three.

So as you're looking at this, transport yourself back to 2000, those of you who were alive in 2000. Does the visual on the right remind you of anything? Well, it reminded me of a packet, because in, let's say, the late 90s is when I spent a lot of time working with tcpdump and network tools, and I think that's around when nmap was born, and it's when Snort was born, right? And so to me, when I think about it, a lot of what fraud prevention was about earlier was based on the card and the data on the card, and whether the combination of flags made sense, which is very similar to what we were doing with network intrusion detection at the time, which was we were looking at packets and trying to see if the things in the packets made sense, and then of course if there were too many of them, if they were all coming from the same place, things that kind of didn't make sense to us. And it is through our interpretation of the data that came through in the packet that we would apply a policy: decline something, refer something for review, what have you. And of course we were able to create really cool tools and technology off of that, nmap and Snort being examples of that.

So kind of going back to the point, this is the part where I talk about, well, what happened with cyber? So I'm going to talk a little bit more about fraud detection and how it has grown, but what happened with cyber? We went from the situation where we had a point, a decision point, where we were empowered and could make decisions about whether we were going to let traffic pass or not based on what's in the headers or what's in the packets. Well, what happened is we ended up having multiple applications, and one packet does not tell you goodness or badness alone; you kind of had to roll them up, like what other clues did you have about behavior? And it started being, oh okay, well we were having lots of different points where we needed to make a decision on a lot of different dimensions. And then suddenly we in cyber are talking about threat surfaces, because of course our perimeters weren't a nice neat little perimeter with one decision point; basically now our exterior-facing technology surfaces are a surface of decision points, because our perimeters are now software.

And then, forgive me for this, but we went from a point to a line to a surface. What's next? A solid, right? Because there are seven layers; application and network are like the top two layers, but there are other things under them. So a lot of modern defenders went from being able to be very rational and make a considered decision at a point to having a solid, basically, that is an infinite number of decision points. And the thing that's not on here, because this is of course meant to look Matrix, is a sort of cube-type solid, but honestly that suggests that there are nice straight lines between some of these points, and it would have looked like a mess if I had zigzagged. But that's the truth: not only are there almost infinite points of decision, it becomes infinite when you consider all of the different paths between the points. Thank you for entertaining my need to get a little bit philosophical about it. We're going to switch back a little
bit to, okay, well, that's kind of what happened to cyber, which is why we have so many different technologies that collect telemetry, do we not? And what did that beget? So many technologies to hold the telemetry that was collected, did we not? And then we have all of these technologies to make sense out of the telemetry that we collected as fast as it can, and making sense as fast as it can calls for AI.

Well, it played out a little bit differently over in fraud. Over in fraud we had this point, this beautiful, delicious single point, where we were going to make a decision, and folks started to get very mathy, I'll just say that. You're probably familiar with the terminology false positives and false negatives. Essentially that's what happens when you are making a decision, unless you are making a decision on something that is simply an illogical combination of data, and so you can block it with no further thought, right? If something is prohibited you can block it with no further thought. Otherwise you are making a risk-based decision, and when you make a risk-based decision that means you're dealing with uncertainty. And so you have false positives, where a good action is going to accidentally get blocked, and on the other side you have false negatives, where a bad action is mistakenly authorized and gets through. We are happy when the good actions are authorized, true positives, or actually, yeah, true positives, and then we are happy when the bad events get blocked. But largely we know that any decision that we make is going to be one of these four outcomes when we make a risk-based decision.

And so what happened in fraud is they started getting really good at creating models, models by the way that would run in real time while you were standing at a point of sale. So what I have here is a little bit of math. You know, it's after lunch, guys, high energy, right? It's nice and cool in here. So what I have here is an example of what we call a gains chart. In this graph, percentage of "bad is true" is the vertical axis and percentage of total is the horizontal axis. So if you just close your eyes and imagine you have all of these transactions coming through: if you were to randomly guess which ones are bad, then if you flagged 50% of the total you would catch 50% of the bad-is-true, right? If you flagged 100% of the total you would catch 100% of the bad-is-true, but we're getting really random. So the line that's going straight up and to the right is guessing, and generally we don't like to guess. We like to use some sort of set of heuristics or statistics or machine learning or something so that we can flag as few as possible, let's say 5% of the total, in order to get as much of the bad-is-true as possible; we would like to get 90, 95, 100% while blocking as few as possible. And that curvy part is the lift above random; that's the gains. And so what we're looking for, the distance between our line and the model performance curve, if you will, is the gain. So right here we're looking at the gain versus random.

And now here's the part where I think a lot of cyber folks are going to have real empathy for fraud folks, which is: that horizon is as good as your model gets, and so for your false positives and false negatives you can choose where you sit on the curve. So right here we have our dot, that's the left lower point; we're declining or blocking as little as possible of the total volume, but you see we don't catch much of bad-is-true. If we want to catch more bad-is-true then we need to block more of the total; we move up and to the right. But we can't get beyond the curve. That's the power of the model; that's as good as the model is, and we can't live anywhere but on that curve when we're using the model. Okay, that was a poor way of explaining that, but that's okay, because what I wanted to say is, when we get more information or improve our technology, then we can improve model performance. So this is where we seek investment. We seek investment because we want to lower our false positive rate while still catching as much of whatever bad-is-true as possible.

And this is kind of where fraud went. Where fraud went is they had their decision point, and what they did is they made tremendous amounts of investment in behavioral analytics, scoring technologies, intelligence on transactions and on their customers. And now we sort of come back to where this went for fraud: the high-stakes card chase. Do you like that? I really worked hard on my titles; I'm not very good at titling talks, so I smiled when I came up with "high-stakes card chase," so I'm very proud of myself. Okay, so here we are, we're back to our point. By the way, all of this talk about points and lines
is an homage to a story called, well, it's a romance novel called The Dot and the Line, I'm pretty sure that's what it's called. It's this teeny tiny little book about a line who falls in love with a dot, and he wins her away from a squiggle. But anyway.

Okay, so operating a risk system, this is how this plays out. You're a customer and you go to a point of sale; let's say it's on the web, because there's a form here, versus you swipe your card. You enter your information, there's a magic moment, and then a response comes back and you go along your merry way. Maybe it's a no, in which case going on your merry way might be calling customer service about the decline, but regardless there's an attempt: you try something, something happens, there's an outcome. And then on the back end what's happening is there's a decisioning system that has a lot of data that it is able to take into consideration, and usually (I'm not going to necessarily say sophisticated, but I'm going to say elaborate) a set of rules, heuristics, models, scores, information, block lists, allow lists, velocity limits, all of these things that are pulled together in that moment, in milliseconds, and then render back a decision. So we've sort of taken our point; our point is now what the decision is, right? There's a lot that goes into making the decision and then there's what the decision is.

And I've abstracted that out (whoa, oh, that's the mic) to this diagram, which I've used over and over and over again. And this is why when a company goes digital their life changes so much, because what we have is this sort of platform layer where the decision strategy is implemented, but that decision is making decisions that affect the UX; it affects the product, it affects the customer experience, usually in flow. And there is a feedback loop; that system must have a learning loop in order to maintain performance, because the thing I didn't say about model performance in the gains chart is as soon as you release a model it starts to degrade. And depending on how good your models are, how much data you have, you care a lot about how fast things degrade. It's one of the reasons why I always ask vendors who are selling me detection technology: how is this model trained? How can I tune it? And how can we update it? Because if I'm waiting on someone else, a third party, for signatures, I'm really unhappy, because I know my model performance is degrading and I don't have any control, and I want to have more control back, because they're my customers potentially being affected.

Okay, so in a payment or billing fraud situation we tend to put this decision point at "move money" in the fraud world, right? That makes sense. You're at checkout, you're at send money, you're about to click submit; that's where the decision happens. It turns out, fun fact, that this decision point where value shifts, or exits the system, or changes hands within a system, has analogies in a bunch of different systems. So like move money, request money, okay, how about message, post, friend request, listing, attachment, wink, poke, all of these; anything that you can kind of imagine: earn gold, trade shield. Where value moves is the first place we look. There are a lot of different versions of that; in some of them there's content involved, like messages where we're looking to detect spam, but the point is the same: you have to have a point at which you're able to make some kind of decision.

Here's what happened in fraud. What happened in fraud is account hijacking, and maybe some of you have worked on credential stuffing campaigns at clients or at your own organization. So, okay, now we have two points. That's okay, right? Because we're kind of asking different questions at the different points. But then we realized, oh, well actually we also have risk associated with new accounts, and sometimes they make profile changes, and actually maybe they filed disputes, and all of these became points. So what's happening in fraud is kind of what happened in cyber, in that we started with a point and now we have a bunch of points in a row, not necessarily in the same order, and that's when (sad trombone) fraud and abuse prevention are now life cycle risk management versus a single flow, a single log-in to a transaction. It's created some dimensionality, so we have gone from a point to a bunch of points to maybe a surface. And so, just like when that happened in cyber, with that happening in fraud I think folks are trying to figure out how to react to that. In a lot of systems what we see is a lot more work being pushed to the analysts, people, to make sense of these situations, and in other organizations we have folks saying, well, maybe we could actually move some of this out to the edge. Remember the firewall? Remember the WAF? You know, there are lots of bot detection technologies or session risk things that we could maybe put in place before the customer even hits the UX. So you have this sort of, okay, some folks want to go to the edge, some folks want to push things more into operational work. Help us, cyber, you're our only hope.

So this is where I'm going to confess to you that I'm about to talk to you about frameworks, but that I have been a non-believer in frameworks in the fraud space, because I feel like, y'all, you saw the performance curve: you pick your loss rate, you know, if you
can, but if you can only stomach a certain decline rate then you pick this other loss rate. And so I've always felt like, well, what's the point of frameworks? Because fraud teams can point to money lost; they can set their targets there. How good is your program? How low is your loss rate, right? But actually, since we now have a proliferation of decision points and all these life cycle questions, not to mention product questions, not to mention technology questions, well, maybe we could use a little bit of a framework, maybe we could use a little bit of a frame-up. So I looked to what cyber has, and the reason why I mention this: my last full-time gig at Reddit, I was CISO and VP of Trust at Reddit, and it was easy for me to talk about fraud and abuse, because it's easy to quantify, or easier, okay, to quantify than cyber. And so in cyber a lot of how we can speak to decision makers and our boards and things like that about our performance is via our maturity or via our coverage of a framework, right? So we look to industry standards and we say, well, this is how we're doing compared to that, and that's how we are able to discuss frameworks.

So I looked at a couple of these frameworks, because maybe fraud could use a little infusion of that, and I put a call out, like, people's favorite frameworks in the fraud space. Not a lot on that, but here's kind of what I was looking at. I did find something that looks kind of like ATT&CK, which is, you know, different attacks and exploits. I'm sure many of you have seen these vendor maps, and there are some of those for fraud. And then conceptual models from regulators; that's interesting, actually, they have more of that on the fraud side, probably because they're part of financial services and payments and there's a lot of regulatory engagement there. And then maturity frameworks. So let me quickly show you what I found, and you're not meant to read those; I just wanted to show side by side kind of cyber and fraud. So we've got MITRE ATT&CK, many of you are probably familiar with that; on the fraud side there have been efforts to kind of lay out all of the different attacks and exploits. Here, so the one on the right is the fraud one; it's an ecosystem map of vendors. I've seen a lot of cyber security ones laid out like that, but I had never seen this one laid out on a maple leaf before, so I just wanted to give that to you as a gift, that these ecosystem maps can also come in the shape of a maple leaf. Thank you, Canada.

And then this got kind of interesting, actually, because the Federal Reserve recently released a fraud classifier model, and that's really a decision-tree taxonomy. And so, while you can't read this, and I apologize for that, what this is showing is the difference between, like, okay, you're looking at something, it's fraud; first, is it authorized or unauthorized? And it has a definition of that, and if it's authorized, is it this use case, this use case, or this use case? And that reminded me kind of of what we were trying to do with STIX and TAXII, and are still trying to do, because if we don't have firm taxonomies then sharing threat intel data at scale in a really useful way gets hard. So STIX is fairly elaborated at this point, and what the Federal Reserve released is just a little bit more high level. But this is interesting, that the fraud industry (which, by the way, if you're in credit card fraud, information sharing is kind of what the networks have been doing and what a lot of the vendors have been doing for a long time) it was harder for us to figure out how to share that kind of information in a privacy-preserving way in cyber, because we didn't have that sort of central group doing that. This is just kind of interesting, because this is a place where I really do think cyber's kind of leading the way, but it's interesting because fraud has always had more leeway around information sharing.

And then I bring us to our favorite framework, which is the NIST CSF. I'm sorry, that's my favorite framework. And so I present it alone because it's really more of a process and program overview kind of framework, and a lot of organizations then map that into a maturity model, and some of you, if you've done a NIST self-assessment or gotten a third-party assessment, you get scored one through five on these different things, which is basically showing your maturity against a framework. And the reason why there's no fraud version on here is because I think a lot of the folks who are providing guidance to fraud teams did look to something like NIST CSF, because they're paywalled and very tightly copyrighted, so I wasn't able to grab any of those to provide in a public presentation. But they're roughly trying to map the fraud life cycle to the NIST life cycle for cyber security, which is kind of interesting.

And now we're going to raise attention a little bit, so everybody kind of do this, because you've been sitting, now you had lunch and you were sitting. All right, all right, we're going to get a little bit more philosophical about working at layer eight. So I showed you this risk decisioning system diagram before, and what I'm going to do is talk to you about, okay, so if you're starting from zero. Here's the thing with maturity frameworks: they don't necessarily tell you where to start. And so the reason why I sort of feel like I didn't quite find what I was looking for as far as frameworks is
I think f books want things that are tangible they want to understand where to start where do you start and no one has one of these risk decisioning systems straight out of the box so where they start is they find context they sort of figure out what's going on what is the problem that I'm seeing and for a lot of entities that's actually their credit card chargeback rate but it you're going to find it in you're the the problem will probably rear its head in operations and that's where you're going to need to start looking for Clues um then you figure out where you're going to act so you might not have a a you know you might not have a
decisioning system yet but you're going to have where's your point where's your where you going to place your decision point and that's where you're going to start implementing policies and simple heuristics and things like that but you're going to figure out where you can act and you're going to start you're going to start at Hawk and cobbling things together um for a lot of entities if you're dealing with credit card fraud that is going to be at your processor maybe you might not have a native like um uh payment rule system but your processor probably does uh and then what you are going to do is you're going to reframe the problem because it's it's
really not just about the point you need Clues from all these other places through the life cycle and this is where we start having to talk to our friends in product um and so uh that is to me this is where things get really interesting because it takes us out of cyber like a lot of what we're talking about about figuring out what the problem is where the Bad actors are and then where we're going to implement our decision strategy that's still cyber to a certain respect but when we start acting and changing the ux and value prop potentially of a product that's a place where cyber isn't always invited um but it's really fun so I encourage you
because it's really helpful when you can help folks solve these problems, their business problems and customer problems. And then you move into, this is like the Enter Sandman, enter AI theme song here, which is: you train your system, and your system is not just your models and rules, your system is the whole learning loop. So all of the data that gets generated and plowed into your model training. You're constantly improving your models. Models are forever; you can never leave them alone. There's no such thing as set and forget, you have to keep training, tuning, collecting more telemetry. And so this is my experiment, y'all: the CARTO fraud framework from Allison of Cartomancy Labs.

How did that happen? I don't know. Did I force some of the words here? I might have. Context, Act, Reframe, Train, Optimize. So this is my attempt. I'll open this up, I want feedback on this. It doesn't have to be called CARTO, I'm not that cutesy, but I do want to be able to offer folks a place to start for some of these problems. And the reason why I mention some of this to you is because we're seeing a lot of convergence happen between fraud, abuse and cyber. I mentioned when I was at Reddit I was their CISO and VP of Trust, so I was leading cyber, I was also leading trust and safety. I've had a lot of roles where I've had one foot in cyber and one foot in fraud, or one foot in cyber and one foot in product, and it's a place where we're expanding and where we can play a leadership role.

And here's a little extension of the CARTO framework, which of course in itself is probably a process, kind of like NIST CSF, because it will repeat. But there is also people, process, technology and metrics. Oh my gosh, what a wonderful drive from Charlotte it was. I started thinking, I almost drove off of the road because I realized I could offer metrics that go along with maturity. Anyway.

The first place, so in Context you're going to be mining operations a lot, so leadership and talent in operations is where we're going to probably start growing. Then as we move into Act it becomes more of a data game; we move into needing talent in analysts, in analyst teams. And then as we Reframe, product. As we Train and uplevel the backend systems, that's development. And then as we move into Optimization, data science.

And then the unit of interest. So in cyber, in network intrusion detection, for a long time it was the packet. I think a lot of us are actually working higher, in the application level, there now. But for a fraud team the first focus would be chargebacks, then transactions, then identities and then customers. Yep, there's actually a difference there. Identity is like who showed up to your site that day; customer speaks to sort of a larger understanding of that customer.

And then Optimize. We're hitting life cycle tech, case management to start, then we get into more sophisticated rules deployment via rules engines, identity technology like bot detection, device ID, device reputation, and then we're putting a lot of investment in AI/ML, and in Optimize we orchestrate the whole thing with integrated decisioning. A little bit about the sort of fraud prevention techniques, or tools, that we're going to most use.

And then last, I just needed to brag about it, because I came up with metrics. Every day trying to find metrics for things. So chargeback rate to loss rate is actually a jump for a lot of organizations, and then you move from how much are you losing to how much are you letting through. And first we start talking about decline rates, but then we start talking about the flip side of that, which is how much good volume are we able to allow to go through while holding declines and losses steady. And then in Optimization we move into a higher value station where we're actually talking about things like customer lifetime value and profitability. And those are really
fun conversations to play a leadership role in. Okay.

So then here's where I make a brief segue and reinforce that I think one of the most interesting things about what I've learned in my time in fraud and anti-abuse is what it takes to build a winning program and be involved in product. And as I have managed blended teams, the sort of evolution from application security to product security, and then really infusing that with the context of the user experience and some of the risks associated with abuse: that's a new vision of product security. That's a fantastic opportunity for collaboration, and for folks with different skill sets to add value. And it's just one of my favorite parts about trying to win this game, is that it is a surface that we are not necessarily well-versed in in the beginning, but it's where we can have a tremendous amount of impact, for our businesses as well as for our overall risk. And so that may mean speaking with product managers, or speaking with folks who are responsible for customer experience, or user experience in general.

So this slide is just a couple points that I like to talk to product managers about, because you may have the greatest security architects in the world who are the best at threat modeling, but I tell you, when you are able to incentivize a product manager to design a user experience to be resistant in the face of adversaries, they know those flows inside out, they are creative for a living too, and they can be a wonderful resource if you can sort of clarify for them that all systems will be gamed. Fantastic paper, by the way, Brian Arthur, Santa Fe Institute, "All Systems Will Be Gamed". Love that paper. And it's true. And here's the thing, and the discussion point with product, is that all systems tend to be gamed on their value proposition, right? Communication platforms: spam, influence campaigns, harassment. Payment systems: payment fraud. Well, I mean, payment fraud, money movement, stealing stuff. And any system that you name, it's kind of like the feature that folks most like. Or sort of consider game systems, right, and how game cheating works: it's often manipulating mechanics of the game as designed. They give players great value and enjoyment from the games; those are the features on which abuse tends to happen, because it's working as intended, it's just the behavior is bad, the intent is bad.

And then product managers, a lot of them also have this concept of personas, where they're sort of, okay, you know, this is being designed for a young person, or this is being designed for someone who speaks this language. Well, you can also have good user and bad user personas, and you want to have appropriate experiences for all of them. So the worst thing is when you have that magic decision point and you're so good at making decisions, but you don't have any options in the UX. So a story I remember is that there was an organization that I worked with, you know, a fraudster was correctly identified as being a fraudster, and the system returned a user experience that said something like, in big red letters of course, ERROR ERROR FRAUD ALERT TRY AGAIN LATER, which is not actually the experience you want to offer to your attempted-fraud users. So product managers need to design for the happy path, but then you, as someone who is going to help reframe how they think about some of this, you want to have that optionality, so that when you do detect (we are detectives all), when you do detect, you send them along the right journey.

And then a few other concepts here, but I will make these slides available after the event and I'm happy to take more questions on them. But since I have five minutes left (I have not been watching), since I have five minutes left, I'll wrap up, which is okay.
Now we sort of got to a point where we have gotten a glimpse of how fraud has tackled detection, and they've sort of elevated it to decision science and a product security and product risk type program. But don't worry, nothing's solved, there's plenty of work to be happening and the high-speed car chase continues off into the sunset. So we're about to head into the sunset, and I just wanted to remind folks that fraud, just payment fraud alone, this is really just about credit card fraud, this slide, these are big numbers. This is a lot of money, a lot of value lost for hardworking businesses, and so things that we can do to prevent that, or detect that before money moves: huge. It's all about speed, and the game is just getting a little bit more complicated because the fraudsters are gassed up.

So I'll just mention a couple of these, which is, I mean, you can't open up a news article without someone mentioning deepfakes, right? It's like it's either AI or deepfakes, it feels like every article that I'm reading, but it's real. And how this is effective: the deepfake itself isn't fraudulent necessarily, it's how it's used. So whether it's used to juice up a phishing scam, or whether it is used to get someone into someone's account via a customer service call-in, this is something that systems are going to have to react to. This is a place where I think cyber can play a role in helping.

I did also want to mention a bit about scams, because if any of you are involved, even tangentially, in solving credential stuffing and account hijacking, scams are really interesting for banks and retailers specifically. In a lot of what we see in fraud, I've stolen, or not I, but, you know, the fraudster steals someone's financial credentials, right? Like, steals someone's card, that's the classic, or steals their card information via compromise and uses it fraudulently. Okay, that's like big use case one of online digital fraud. Second is account hijacking. How did I hijack your account? Did I hack the product? No, probably not. What's easier? Tricking you out of your login credentials. Okay, so we've seen a lot of that, and that's what's driving a lot of credential stuffing campaigns: lost credentials that are then going to be used in account hijacking. Scams is different. Scams is, digital systems have gotten good enough at identifying and resisting account hijacking that now what fraudsters are doing is, I'm going to trick you directly into sending me money. And so you'll be reading a lot more about scams in the news.

The reason why this is interesting is because stealing your credit card and hijacking your account have historically been considered unauthorized, and therefore, at least in the US, you're covered under Reg E and Reg Z, and the credit card companies and the banks have all agreed, okay, well, we'll make the customer good for that. Scams is different, because you yourself are involved in sending the funds to the unauthorized party. And a lot of this is expedited by P2P payments, which, you know, as someone who is like a merchant sometimes and sells things sometimes, I love P2P payments, but it creates a problem when the person on the other end is a scammer. So scams are going to come up in the news a little bit in the future, and they are driving a new wave of fraud, because a lot of what we depend on in fraud detection systems is that the person in front of us is or is not who we think they are. And now if we have situations where they are who we think they are, they just happen to have been tricked, how are we going to detect that? Big open question.

And then the last driver is finnovation, right? Fintech and all the things that are happening: cryptocurrency, faster payments. They're making things move faster. It makes it harder and harder for us to be able to manage in a single decision point when there's like an explosion of different
financial instruments that things can shift around in. So I just wanted to provide a little dot dot dot for where fraud is going, and on that note I will simply say thank you, BSides Knoxville. [Applause]

Let's have one question for our speaker.

Hi there. How much of this is a vendor, just a straight vendor play? Like, chargebacks is the same for any company, credential stuffing is the same for any company, so it's well suited to just picking a vendor to solve it. But then some of the other stuff you mentioned, like, you know, likes and like that, the sort of fraud around what is unique to your business doesn't work well with a vendor. So how do we reconcile those two?

Yeah, so the question was how much of this is a pure vendor play, and I think a lot of it. So I tend to have worked for organizations that wanted to build their own, and/or needed to solve those problems before there were effective vendor solutions available. I do think some of the technology on the edge, some of the authentication technologies, those can be outsourced. And so a lot of it could be a vendor play, but it really depends on how much the organization wants to own their own destiny. So I think that it is fairly rare for something like account risk, and it happens some places, like rules engines might get outsourced, but the rules development, the model development, a lot of that would stay in-house, because it's your customers and your products. So it varies.

And I think I mentioned that I see a little bit of convergence in the cyber and fraud technology universe, and part of that is because there are some existing fraud detection service providers that you might kind of like call their APIs, right, around the time of transaction, to augment your own decisioning systems or even outsource that. Those folks are sort of like bridging back towards authentication. You have authentication vendors who are sort of trying to take advantage of their experience with device ID and IP reputation to sort of smoosh in. What's new for a lot of these folks is being activated in a product context. So it's a little bit different when you're calling on those services to protect your corporate environment than when you are calling on them within the context of your own user experiences and product. Different organizations have a different willingness to outsource that. But great question. A lot of the technology is stock, because a lot of it is based on analytics technology and machine learning, AI technology, which of course is getting built into everything these days.

All right, thank you so much, Allison. Thank you. [Applause]

Oh, if you do end up wanting a copy of the slides, I will try and put them on Sched and also at cartomancylabs.com, where my newsletter exists.