Payments fraud doesn't begin and end with stolen credit cards. There are sophisticated international networks of criminals who dedicate their entire lives to scheming and scamming merchants and consumers for every cent that they can extract. But there are also experts in the payments fraud field who are actively fighting back. True Fraud features real-life stories of the battles that are raging across the world, one transaction at a time.
Welcome to True Fraud. I'm your host, Pablo Torres. Today, we're talking to Tim Graham. He's our security analyst here at Reach. Tim, welcome to the podcast.
Tim Graham:Thank you for having me.
Pablo Torres:Yeah. I'm really glad that you're here because I think I would like to talk with you, and I would like for you to talk more about the misconceptions on cybersecurity, how they cross with the field with fraud, the anti money laundering. Maybe we can talk a little bit about the trends that you're seeing in the market. Maybe some predictions, since you're a wizard. And can you define cybersecurity?
Tim Graham:I'm sure most people they've seen the movies, the TV shows where they see the, you know, the person in the hoodie and they're behind the computer and they're, you know, just typing away and the screens moving all over everywhere. And that's, that's Hollywood. That's definitely Hollywood. Cybersecurity is just basic. It's, it's not as complicated as people think it is.
Tim Graham:It's
Pablo Torres:You mean there's no Will Smith with 20 screens looking at the code come down?
Tim Graham:No. Unfortunately, no. It's, it's a lot less glamorous than that. It's, it's a lot of basically just making sure that things that are confidential stay confidential, things that are meant to have a steady state and their integrity intact, have that stay intact, and that things are available when people need them. And that's the basics of cybersecurity, and people call that the CIA triad.
Tim Graham:And that's confidentiality, integrity, and availability. That's that's basically it. And then that's a gross oversimplification, but that's basically just what it boils down to.
Pablo Torres:What are some of the the challenges or maybe some of the things that that you deal with on a daily basis? Or let's say maybe somebody with your role. What are some of those things that they would deal with on a daily basis?
Tim Graham:Within the last, I'd say probably 10 years, there's been a big push to have everything in the cloud, everything software as a service, you know, accessible from pretty much anywhere, where traditionally IT and security and that sort of thing would be in house. Everything's in house, your data centers at your head office. You have maybe have a disaster recovery data center off-site, but everything is under control of the company. But now with the push to cloud and all these different services, a lot of what we handle is basically just attack surface management, and that's our our main concern for this year. Yeah.
Tim Graham:It's keeping track of where everything is, who has access to it, who shouldn't have access to it.
Pablo Torres:Would you would you say that some of the the challenges that, corporations, and companies just in general deal with on on a daily basis. Would those threats be mostly external, or or how much of that could be internal as well? And I guess that's a kind of very open question.
Tim Graham:But it is. And that's that's it's a good question. A lot of companies will they will have in a in a risk assessment, they will tend to weight things differently. So external threats are usually higher up and internal threats. So rogue staff, that sort of thing.
Tim Graham:They it's not as common, but it does happen. So they tend to risk them a little bit lower. Mhmm. Because when somebody's internal to your organization, you you you have more information. And the problem with external threats to your organization, you don't know what they know.
Tim Graham:And it's it's gotten to the point where a lot of companies will just assume that an external threat actor knows more about their company than they do, which is oftentimes quite true and, somewhat terrifying.
Pablo Torres:Have you ever heard of of any cases where that threat came in from an internal source and, you know, what can you tell us about that? What, what, what are the bigger challenges for a company when, when that is the situation?
Tim Graham:With internal threats, I would say most of the time it's staff that have become upset. Actually, I just saw last night that Verizon and T-Mobile staff were getting text messages from SIM swappers offering $300 cash if they would do a SIM swap Wow. On on T-Mobile and Verizon staff personal phone numbers. It's, with the way security is going, the defenders have been getting a lot better in the last 5 years, and that is good for good for the defenders because then the tooling's better. People are able to detect things faster, and then insider threats, to your point, are they're detected more quickly.
Pablo Torres:Mhmm.
Tim Graham:Where before someone in our our organization were to be contacted from someone outside, even just the, like, just the culture has gotten better to where people will now say, hey, Somebody's contacted me from wherever or somebody texted me on my phone and said, hey. I'll give you cash to do this. Where before, people wouldn't even know who to talk to or if if that was even a thing where now people will say, oh, hey, I saw this weird thing. What do I do? Who do I talk to?
Tim Graham:Where before it was more people were embarrassed, I guess you could say. And they just, they didn't want to talk to anybody about it. They would just, you know, keep quiet about it. And I think the culture is, is also key to just preventing the insider threat sort of thing.
Pablo Torres:That's, that's so interesting that you mentioned that because, you know, I mean, when you think about it, that's sort of outside of the realm of cybersecurity, right? The culture of a company, but in the end, it makes the difference.
Tim Graham:It does. It does. It's a, it's a huge difference.
Pablo Torres:I find it so interesting because, so number 1, I, I think that whenever people think about, cybersecurity, there's, there's already, you know, within, within a company, there's, it's already put in a, in a very different level than other things that take priority. Right? Like we need to generate revenue. We need to generate sales. We need to blah, blah, blah.
Pablo Torres:And, but then some of the focus on, on some of the important items, gets, deprioritized, I guess. And, but then it also talks about the connectivity between, the different departments in the company, right? When you talk about, the, the culture and how that can make a difference when you're dealing with a disgruntled employee, that could be the lead for a leak of data. That's, that's something that probably a lot of people within a company wouldn't even think about. Because everyone thinks, oh, you know, we all work together in a team.
Pablo Torres:You never suspect that somebody that was just upset because they didn't get approved for vacation time or something like that. They're gonna be the ones that are, are gonna be the, the, the point of, like the source, I guess, of, of the, the issue. But I find it super interesting because in the end, it kind of translates to different levels within what a company can do or, or the activity of, of, the commercial activity of, of a merchant. You know, if you're, if you have somebody from the fraud team, for example, from my perspective, somebody that's, that's upset and somebody that's not happy with, with what we're offering or the way that we're doing the work and the way that we're communicating as a team, then that person can just say, you know what? I screw this and just let a bunch of stuff through or, or, or, change controls, or I don't know.
Pablo Torres:There's, I mean, there's so many ways that you can go about it. But I think, mentioning this, it just goes beyond that cybersecurity. It goes beyond that, that fraud department. It goes beyond the, the sales team. There's.
Pablo Torres:Yeah. It's, it's so interesting that you mentioned that, and, and I'm really happy that you, that you brought it up.
Tim Graham:The PCI Council and, the organization that, set out SOC 2, they've, they've started to realize this and they've started to put controls in and requirements and say, you know, you need to start monitoring for these things, which is it's awesome. It's great to see that sort of that sort of thing happen and to realize that the defenders are getting information through to regulatory organizations and saying, hey, this is what we're seeing, and we need to start accounting for these sorts of things. And this is a good control to have, and they're actually listening and changing things like with PCI DSS, the 4.0 standard that just came into effect this year. The controls definitely speak to a defense-in-depth sort of program where before it was just real basic stuff. And not necessarily real basic, but, you know, make sure you are using strong passwords.
Tim Graham:Make sure you're using multifactor where you permit access to a card data environment. And now they're they're really ramping it up, which is it's great to see. I love it. It's so good. It's so good.
Pablo Torres:Yeah. I mean, if you think about it, 2 factor authentication is kind of, I think for a lot of people is sort of new news.
Tim Graham:Yeah, unfortunately.
Pablo Torres:Yeah, I know. But when, when you put it in perspective, this whole security thing has also just become a lot more popular. And, and I wanted to ask you, would you, do you think, and from what you you've been exposed to, do you think that a lot of this, focus is mostly in the North American and European markets? Or is or is it something that we're seeing that's more prevalent across the world?
Tim Graham:It's definitely global. It's definitely global. That's a lot to do with the push to cloud. A lot of and, like, even just looking at Amazon and their AWS service, they have regions in pretty much every corner of the globe, and it's not going away. And a lot of organizations, a lot of companies, a lot of regulatory organizations, they've started to realize that, you know, the Internet is not a fad anymore.
Tim Graham:It's it's it's here to stay and ecommerce is it's growing every day.
Pablo Torres:Would you say that, you know, in previous conversations, I've mentioned that, at least on the fraud end, you can, you don't even have to go into the dark web anymore. A lot of this stuff is just available everywhere. Yep. Absolutely. Is that the same case with you and what you do?
Tim Graham:Yeah. It's, it's gotten to the point where you can not gonna tell people how to do malicious things, but it's it's getting it's getting to the point where a lot of information is just available on clear web. You go into a Discord server, you go on to Telegram forum or just any forum really, and it's all there. You don't need to go to the dark web. A lot of defenders are catching on to that.
Tim Graham:And it actually makes our lives a little bit easier because then we can just have things scrape those services for any information that's related to our company or their company or whoever and start compiling that information into certain databases and then start, you know, using graph databases and start putting all of that together and having it make sense. And as far as, threat analytics, it it's great. Like, now you don't have to potentially have a burner computer to go onto the dark web with and start, you know, going to sketchy sites. It's it's good.
Pablo Torres:Hearing you talk about all of this. I'm wondering if and I'll put it in perspective. In the fraud world, it almost seems like everyone can do it. You don't need a level of, expertise. You can just start very basic and that might even get you through and it might be successful for some people.
Pablo Torres:There's of course, you know, if you want to get fancy and you want to learn more than of course that your affectivity or efficient profile just goes way up. Right? Would you say that it's, it's similar in the, in the cybersecurity world?
Tim Graham:Yeah. I would say again, in the last 5, 10 years, a lot of people have started to just put information online and say, oh, you you wanna learn how to do carding? Go to this YouTube page. And and it's it's all there. And it's it's terrifying.
Tim Graham:And it's but it's good because then with that information readily available, that makes the defenders and the anti fraud teams, you know, they they have to do better. So it's it's a bit of a cat and mouse game and that's in the fraud world, in the cybersecurity world. They're, they're, they are definitely linked.
Pablo Torres:With this new artificial intelligence era and, and the way that things are moving. You knew that I was gonna ask you this.
Tim Graham:Oh, yeah. Yeah.
Pablo Torres:How do you see this? Like, I mean, it's still pretty early on and I'm sure that a lot of it, you can sort of identify easily right now, but where are things going with this? How, how are you seeing this right now?
Tim Graham:It's made phishing a lot harder to detect. It's it's yes and no. When ChatGPT first came first came along and, these threat actors who were running phishing campaigns, if English wasn't their first language or that sort of thing, and they were trying to communicate with someone who did speak English as a first language, it you could tell. You could tell.
Tim Graham:And the messages were always very terse. Like, hey. I'm pretending to be the CEO. Please send me your phone number. Where now with ChatGPT 3 and 4 coming out.
Tim Graham:The messages are very, very professional. They they sound legitimate, and they're getting harder and harder to detect. And, eventually, with ChatGPT 5 on on the horizon, it's it's not gonna get easier, and it's gonna be harder to harder to detect.
Pablo Torres:What what are some tips that, you know, for your the regular John Doe, you know, working at an office, what are, what are some of the tips that you could, or maybe can you educate us a little bit on how we could identify this on our daily life.
Tim Graham:Hallmark of a phishing campaign is the urgency. It's like you need to reply. You need to reply now. I need to reply right away. Anytime you see something like that, especially through email, email is a very passive service.
Tim Graham:And, you know, you send an email, you expect a response back in a day. If it's not a day, it's, you know, it's not good. But to see an email come in and have it be, like, you need to respond right now, right away, that's that's your first red flag. That's and it's the best one. Anytime you see any sort of, like, false sense of immediacy and urgency, that's no.
Tim Graham:No.
Pablo Torres:I get, well, I mean, I don't know. I don't know how much of it you can reveal to us, but, you know, give us some of the juicy stuff where, where are most of these attacks or where what's geographically, what's the higher risk source of most of these attacks?
Tim Graham:It's probably very similar to the like, credit card fraud world. Russia, India, the Maldives, if you can believe it or not, that's that's a big source for just phishing email. It's, it's interesting. Mostly, mostly Russian IPs and that's, that's pretty standard. And for pretty much any organization, you're going to see that just because lack of laws, lack of regulations.
Pablo Torres:Yeah. I mean, I remember early on, on my, on my years when I started, doing anti fraud and anti money laundering. I remember anytime that we saw a domain Yandex, that was, there was, there was a questionable, source for, for that activity. No, that's, that's very interesting to know. How, how much of it do you see that comes from within North America?
Tim Graham:Sure. You run into this in in the fraud world as well. Attribution is hard. It's any any sort of threat actor. They they will do what they can to obfuscate where they're coming from, where their traffic's originating from.
Tim Graham:So with services like VPN services and you don't even really need VPN services anymore. You could just buy a virtual machine on Amazon, AWS, or DigitalOcean, and pretend, you know, or just use that as the point where you're launching your attacks from. To know where the other traffic is coming from that's controlling that machine, without a without a warrant, you won't see any of that. So
Pablo Torres:Yeah, that's that's very interesting that you mentioned that because, you know, in the last few years, I've definitely seen more of that where the source of the attacks that we have identified, sometimes they come from, from AWS, servers. Yep. And, and you would think that corporation that big would have a better compliance, regulatory underwriting process that, that would identify all of this stuff. But like you said, the, the, these people's, these actors' jobs are to make everything look as legitimate as possible. Right?
Pablo Torres:So getting a server from a service like that, wouldn't be too hard. And, and I think it's a good reminder for, you know, not only people that are in the e commerce world, but just overall in any sort of industry, it's important to, to understand that this is, this is the this is their job. And and they're always that the number one thing, the priority is how do I make this look as legitimate as possible so that I can get through?
Tim Graham:And that is the other side of the coin where, stolen credit cards, stolen credentials, stolen identities help them do that. And if they can take that information and pretend to be somebody else, and they're spending $5 a month on a virtual machine. If people aren't really watching their credit card statements, they won't know. They won't notice, like, oh, it's $55 a month, and it says Amazon.
Pablo Torres:That's fine. $5.
Tim Graham:Yeah. Until it's not. And then Amazon's knocking up or disclosing your information to police or RCMP or whoever and saying, hey, this guy over here, and then they show up at your door and you're like,
Pablo Torres:what,
Tim Graham:what are you talking about? So yeah, it's it's important to keep track, like, just as on a personal basis to just even look at your statements and make sure there's nothing strange, like anything out of the ordinary.
Pablo Torres:Mhmm.
Tim Graham:That's it's a huge indicator, and you'd need to contact your your credit card provider right away and say, hey, there's this looks fraudulent.
Pablo Torres:Yeah. And I think for for anyone that's listening or or watching this, I think, if, if you're not aware of how to do this, when you log into your online banking, there is an option to file an inquiry for payments. Normally, if not, you can always just call your bank. And, and basically this inquiry is called a request for information, also known in the industries as an RFI. Basically what you're asking for is just a little bit more details on where this transaction is coming from.
Pablo Torres:What's the name of the merchant? Because I think there's this, you know, the, the importance of, of sending the right descriptor or, or sending the right legend on, on the payment that will appear on your bank statement gets undermined it. I think sometimes. And, and a lot of merchants don't follow-up, businesses in general, they don't follow-up with, making sure that the name that they, that the buyers are gonna see and their bank statement matches is with who they are. And, and it's so interesting because then, you know, going back to kind of like the interconnectivity of, of all departments, it sort of matches with, with marketing.
Pablo Torres:Right? Because it's also part of your brand, even though it's a technical deal to, to And, and it might not be as hard for, for some, companies to update that. But if you're, if in the bank statement, for example, you're going to see that it says Adyen or, you know, Checkout, Stripe, or, you know, you name it. There's so many different payment processors, in the industry. But if, if you don't make sure that the name of your company shows up there, then you're going to start getting a lot of these requests for information, you know?
Pablo Torres:And Absolutely. Yeah. And, and as a cardholder, it is so important that you, I guess, get your monies back worth. Right? When you're, when you're dealing with a bank and sending this type of inquiries, it doesn't cost you any, any money.
Pablo Torres:It doesn't cost the, the, the merchant, or the, the company any money to, to really to receive those. I mean, there's a cost associated with having somebody looking at that request and getting, and sending the, the invoicing, for example, or, or proof of whatever it is that the, the, the payment facilitator is, is asking for. It's important to, to keep track of that. And it's kind of like that, the saying of keep everyone on their toes, you know, like keep your bank on, on their toes. It's important that they know that if you're going to be asking for, for that information, well then on their end, they should be asking for that information.
Pablo Torres:And they should be asking, the, the people that they're processing payments for, or, you know, from an issuing bank perspective, if you're authorizing that, that, purchase, then make sure that you're getting the right data from, from that end. And that's Yeah. I think that's super important.
Tim Graham:Absolutely. 100%.
Pablo Torres:Can you give us some predictions on, on the market? What, what is it that you're seeing that's coming up?
Tim Graham:Ransomware as always, it's not going away. It's, it is here to stay. I saw earlier this week, I don't remember which country, but, they had put in legislate or were attempting to put in legislation that limited ransomware payments as a way to combat ransomware because it's so prolific. If you look at any sort of ransomware feeds and it's constant, it's all day. It's another company every probably every hour or 2.
Tim Graham:And it's just for most companies, it's a matter of time. Aside from ransomware, I would say business email compromise is a big one. That'll be if it's if it's not a $1,000,000,000,000 a year problem, it will be soon. Mhmm. A lot of a lot of companies are having to deal with that sort of thing.
Tim Graham:And a business email compromise is it's hard to detect. It's it's extremely hard to detect, unfortunately. And the other one, unfortunately, is pig butchering scams where people it's basically just a romance scam. But instead of for a week or a month, that's many months and people get strung along for months and months, and they they hand over tens of thousands of dollars of their own personal money.
Pablo Torres:Mhmm.
Tim Graham:And they after 6 months or so, then they say, well, how do I get my money back or anything like that? And Yeah.
Pablo Torres:They don't care.
Tim Graham:That's it. Yeah. Like, it's like switch. It's just bang. All that stuff's gone.
Tim Graham:You're you're never gonna see that again. And I think the worst one I've heard was almost close to $1,000,000 where somebody lost to a pig butchering scam.
Pablo Torres:Yeah. So I've heard of
Tim Graham:a few cases like that.
Pablo Torres:You're welcome. I love talking with you. We could go for hours. I think there's so much information that you can share. And I think, anyone that's listening, they're probably thinking of so many questions that they want to ask you.
Pablo Torres:If there's anything that you want to share with, with every everyone before we close. Yeah, go ahead.
Tim Graham:Don't click the link.
Pablo Torres:Yes. That's so important.
Tim Graham:And just take your time, take your time. And if there's anything urgent where somebody is trying to get you to do something right away, just take 5 minutes and just think about it.
Pablo Torres:Thanks so much for listening. Until next time.
Voice Over:Brought to you by The Reach Network. Visit withreach.com/network for more.