Futurecast | Fakes on a Zoom, Cyber-Busts, & Your Risk Philosophy Brain on AI

#0003 Trust And Cyber Online 🌮

hello world [what’s up]

Hey there Cartomancers, hope you are doing well. A few days ago, Punxsutawney Phil predicted an early spring after not seeing his shadow in the morning at Gobbler’s Knob. For those of you who are Gophermancy devotees, let’s take that as good news that some of us will be getting some spring sunshine soon.

Regardless, here we are back for another issue of the Futurecast – I have to admit that there is so much happening in our space that I just decided to call time on the process and shift the analysis of all of the Rest Of All The Things to next time. 

  • Noodling in the Lab

    • Gearing up to go full throttle on card fraud - which is a bit of a rabbit hole, so let’s enjoy the journey

  • New Training Data aka News

    • More deepfakery shenanigans…And you may tell yourself, this is not my beautiful team meeting

    • A round-up of some of the interesting takedowns and cyber-busts happening

    • Dire warnings about unprotected state of critical infrastructure giving us all the wiggins

    • Relationship between AI and risk modeling getting interesting

a noodle from the lab [what we’re working on]

Techniques of credit card fraud management have set the stage for everything that has come after, including the layering of device “security” mechanisms, authentication, and applying stats/ML/AI (i.e. all the data things) to the problem in real-time. So we’re going to go on a deep dive…but, this is going to take me a while to write - one, because I have so many strong opinions, and two, because the…beauty? majesty? core lessons?...of card fraud kind of require a prerequisite understanding of how card payments work, and the players and incentives in the system.

Thus I’m thinking we should take a bit of a different approach here. I’m going to:

  • Publish a half-baked article (sometime soon-ish), and refer to it in this newsletter as I add to it over time. It will essentially be living lab notes, and you can peek at it as it develops, or I come back and add things.

  • Ask you for any questions you have on the topic, so I can be sure to answer them and to frame them up in the Living Lab Notes. If you have any questions off the bat, lmk by hitting “reply” to this newsletter and listing them out. Here are some questions that might inspire your thinking:

    • Are credit cards safer than debit cards?

    • What happens if I experience fraud on my company card?

    • Why didn’t the US market adopt chip + PIN faster?

    • I work for a company, and the billing department keeps asking me about 3D Secure - what is it and why do we need it?

training data [what’s news]

🗨️ New Deepfake Horrorshow - Can’t Trust Internal Meetings, Either: So I thought we might be able to go a week without highlighting deepfakes, after last week’s TayCeption, and discussion of imminent availability of real-time voice deepfake software, but no, we find ourselves instead in “that escalated quickly” territory, as over the weekend a Hong Kong firm lost over $25mn after employee’s video call with deepfake ‘chief financial officer’, others.

🗨️ Cyber Consequences, Maybe?: Ransomware, breaches, and cybercrime schemes tend to make a big impact and then disappear into the ether. For those who have been tracking some of these situations, here are some of the arrests, takedowns, call-outs, and indictments we’re watching:

  • Myanmar Hands Over Mob Bosses in Cyber-Fraud Bust: For the past few weeks we’ve been talking about the human trafficking pipeline into scam sweatshops/camps. In one notable case, Myanmar is putting additional pressure on a set of “pig-butchering” scam camps by arresting and extraditing a few of the ring-leaders, although at least 4 suspects on China's most-wanted list are still at large.

  • Interpol's 'Synergia' Op Nabs Dozens of Cybercriminals, Zaps Global C2s: Interpol worked with ~60 law enforcement agencies and outside cybersecurity firms (including Group-IB, Kaspersky, ShadowServer, Team Cymru, and TrendMicro) on a coordinated takedown effort which took out a slew of command-and-control (C2) servers globally. The operation was designed and executed to address a surge of phishing, banking malware, and ransomware attacks.  

  • Three people indicted in $400 million FTX crypto hack conspiracy: Not that FTX needed help imploding, but three people were indicted for conspiracy (identity theft; the hack - powered by SIM-swapping - drained funds directly out of wallets) that allegedly included the $400 million hack from FTX on the day that the firm filed for bankruptcy protection in 2022. 

  • FTC orders Blackbaud to boost security after massive data breach: FTC complaints regarding the Blackbaud data breach and subsequent response have resulted in a settlement requiring Blackbaud to improve security and delete unneeded customer data. This FTC complaint is in addition to a very annoyed SEC (Blackbaud left out details of the breach and risk in their 8-K) and very, very annoyed customers/stakeholders (6 months after the breach, there were already 23 proposed class-action lawsuits on the docket).

  • Fingerprint photo led investigators to therapy centre hacking suspect: In a long line of Oopsie Selfies that lead to locating suspects, here’s a new one: don’t take palm-pics, because that sci-fi “enhance” function we’ve gotten used to in movies now works. Investigators were able to examine fingerprints from a social media pic, and help connect the virtual dots that led to the suspect’s arrest.

🗨️ Infrastructure gets the Hax: Now for a string of bad news - as much time as we spend talking about the human factor of cybersecurity, and how ordinary people are tricked and hacked, it turns out major infrastructure is similarly vulnerable to attack. Which means we’re all vulnerable. On the one hand, we see the U.S. government able to identify and sanction (via OFAC) 6 Iranian Officials for Critical Infrastructure Cyber Attacks (noting that sanctions aren't a preventative measure for cyber operations); on the other hand, we hear leaders also issuing Warnings of Chinese Attacks on Critical Infrastructure (various sectors, including water and power). The sectors themselves are feeling the pressure:

We see attacks incoming, including municipalities and hospitals, but where are the plans? CyberScoop reports that when it comes to national cybersecurity plans, the GAO is seeing “neither the strategy nor the implementation plan included outcome-oriented performance measures for the initiatives or for the overall objectives of the strategy to gauge success.” Take a look at the implementation plan for yourself, but perhaps you could predict the response of the ONCD staff – who agreed outcome-oriented performance measures are preferred, but that “such measures do not currently exist in the cybersecurity field in general”.

Ouch - but it’s a common sentiment. It’s far easier to quantify impact after the worst has happened. Our infrastructure is such an obvious target, even the Onion is poking fun: China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems

🗨️ Speaking of Measuring Risk, Would You Like Your Existential Risk with a Side of AI? Risk nerds are having a mid-AI crisis. For years we’ve been leveraging Machine Learning in our models, with various frameworks and algorithms coming in and out of vogue - we’ve been balancing complexity and accuracy, and the burden of supervised techniques with the need for explainability, gently nudging and training and generally juicing the tech for all it’s worth: from search to finance and back again. But how do we model the risk of AI itself? 

  • We’ve got lots of opinions on how it can be used in cybersecurity (for example The pros and cons for AI in financial sector cybersecurity), but keep your eyes on the big-AIs in the room - A New Cause for Concern: Alphabet Inc. Class A Adds a New Technology Risk. Google and Microsoft will likely have some of the more sophisticated approaches to factoring AI-risk into their enterprise risk programs - and how they report to the street - because they’ve had a lot of practice in the arena already, thanks to Search, Ads, & Cloud.

  • I think this is an interesting place to look - financial statements - because the market is trying to weigh the risks and the opportunities simultaneously, a la the Motley Fool’s comments in Measuring CrowdStrike's Meteoric Rise as Its Artificial Intelligence (AI) Revolutionizes Cybersecurity. MF’s understanding of how CS is using AI might not match the depth of a cyber analyst’s view, but going forward look to AI not just gracing every marketing pitch you receive this year, but also influencing valuation in a bigger way.

  • And if using AI to model AI risk/opportunity isn’t your speed – maybe it’s time to bring back…prediction markets? Because crypto(currency) startups are trying to make (or quash) Prediction Markets as a Mechanism to Hedge Crypto Startups' Regulatory Risk. Coindesk goes on to report that Bitwise Asset Management has predicted (actually, Coindesk said that Bitwise had used the term ‘forecasted’, but I think ‘predicted’ is more poetic here) that "more than $100 million will be staked in prediction markets, which will emerge as a new 'killer app' for crypto."

find more cartomancy [what’s happening]

coming soon

▶️ On Feb 22, Join me at InfoSec Compliance Now, a free virtual event hosted by AuditBoard from 8:30 AM - 12 PM PT. I’m kicking off the event on a panel with presenters from Fannie Mae, Saviynt, and Cartomancy Labs (that’s me!), where we’ll discuss what 2023 taught us about AI and the ways it’s reshaping the compliance landscape. Reserve your spot today!

on demand

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle