Futurecast | Reg Watch, Bankers Beware, & the Birth of OneDisc (or CapCover)

#0005 Trust And Cyber Online 🌮

hello world [what’s up]

Hey there, Cartomancers! So last week I admitted to getting pulled into productivity YouTube. I spent the weekend fiddling with Notion, and although I’m not sure it can replace my bank of spreadsheets (anyone who’s ever worked with me knows I loved a linked-up, color-coded, multi-tab worksheet), I do like the flexibility of a “home page” plus sub pages and tables. I am not interested in habit tracking, but I am interested in getting my to-do lists out of my inboxes. The plurality of calendars isn’t doing me any favors, either.

It’s mid-February; anyone who picked up some health goals for 2024 and is still working their plan, good on you. Personally, I wait until March to head back to the gym - because I don’t like waiting around for a spot on the treadmill. But, thanks to my Peloton and some old-fashioned walking around, I am almost to Mount Doom (via The Conqueror Virtual Challenges) and I can’t wait to get my Eye of Sauron finisher’s medal. I’ve done a few of their challenges already, including my very proud completion of the Appalachian Trail. Don’t need a fancy completion medal? Maybe you want to try Fantasy Hike, and take the Verge’s advice to Ignore your fitness tracker and walk to Mordor instead.

I mention it below, but since it’s this week wanted to flag that on this Thursday, Feb 22 from 8:30 AM - 12 PM PT, I’ll be discussing How AI Is Radically Reshaping Compliance, Cybersecurity, and Business Strategy on a [free] panel hosted by AuditBoard along with presenters from Fannie Mae & Saviynt. Join us!

In today’s notes:

  • New Training Data aka News

    • Meanwhile, In Manhattan - Bold as Brass: How one canny New Yorker shifted from living rent free to attempting to basically “eminent domain” the New Yorker hotel

    • Regs to Watch: We got content moderation, we got AI, and we got deepfakes - all getting more rules

    • Coming for your bank account: Fraudsters have no boundaries and will call you, trick you, or hack your bank’s website to snuggle-up to your funds

  • Noodling in the Lab

    • Capital One buying Discover: Is it DiscOne or CapCover?

training data [what’s news]

🗨️ Meanwhile, In Manhattan - Bold as Brass: Okay, so on the face of it, this article: A loophole got him a free New York hotel stay for five years. Then he claimed to own the building is a good primer on what a little old-fashioned audacity might get you, but please dig in because this article is a RIDE. After hanging out rent free, our fearless New Yorker tried to transfer ownership of the building to himself…and then charge rent to other tenants. “I never intended to commit any fraud. I don’t believe I ever committed any fraud,” [the subject of the article] said. “And I never made a penny out of this.” OKAY, SIR.

🗨️ Regs to Watch

Trust & Safety folks are watching as the EU’s tough new moderation rules are about to cover a lot more of the internet - enforcement eyes and actions are now coming for smaller entities. The Digital Services Act (DSA) rules - which purport to protect social/search platform users - have been in place since last August for the 19 Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). [Editor's note: those are some acronyms]. Here are some of the policies:

  • Reporting: give users the ability to flag/report illegal content, goods, or services

  • Limitations on targeting: No targeting underage users (based on their personal data), and no targeting people based on sensitive data (inferred or expressed sexual preferences, religious beliefs, etc)

  • Enforcement actions: Platforms have to provide reasons for moderation actions on content or accounts

  • User challenges: Users must be offered a way to escalate or challenge enforcement decisions

As you read through this list, know that this creates a lot of obligations for platforms that don’t have armies of moderators and policy analysts. It also generally creates a thicket of policy questions and some difficulty charting a low-liability path forward - which may be why Apple is officially dropping iPhone support for web apps in the EU rather than rearchitecting the components needed.

Meanwhile, over in AI development: The DSA isn’t the only EU reg package garnering interest right now – the EU AI Act attempts to wrangle incorporating safety and “EU values” into the innovation of models that are revolutionizing content generation, commercial automation capabilities - and skimming intellectual property off the work of human creatives, spreading disinformation, and facilitating scams.

The Act bans certain types of “risky” models, requires developers to take steps to ensure models are safe and explainable to users, and requires additional transparency - disclosing that the entity on the other side of the chat is an AI versus a human.

Impersonation & Deepfakes: Will other countries follow suit with broad based regulation? We’ll have to wait and see, but targeted legislation is coming, too - FTC Issues Proposal to Ban Impersonations as Fraud Rises.

🗨️ Coming for your bank account, too: Friends, inbound telemarketing has always been a problematic area that invites scam artists, and as time has gone by, the evolution of these scams has become diabolical. This article from The Cut - How I Fell for an Amazon Scam Call and Handed Over $50,000 - both gave me chills and also surprised me not at all. These types of scams start out alarming but low-key; no information is actually being requested, they’re not asking for your SSN or credit card in the first few minutes. But after a few minutes on the call, the victim is reeled in, gaslit, and isolated from assistance. This capitalizes on people’s natural tendency to want to help, defer to authority, avoid trouble, protect their loved ones – and leverages “escalation of commitment” to sickening levels. If you’ve watched Netflix’s Tinder Swindler or Bad Vegan, you see many of these same concepts play out up-close-and-personal, but alarmingly deep cons are playing out on phones all over the world, and losses are up.

If a guy pretending to be a CIA agent steals my debit card and drains my bank account, I have some recourse. But if a guy pretending to be a CIA agent tricks me into draining my own bank account and handing him the money - well, is the bank obligated to cover my losses, or isn’t it?

Don’t get me wrong - criminals are still stealing credit cards, checks, and bank accounts - and if they’re not getting cash straight from a victim, where are they getting it? And that’s where P2P payments are having some troubles, because while bank-backed P2P payments may have completed thorough KYC on the users, some entities might not really be checking very well who’s behind the account, leading to situations like this, where Federal regulators are probing whether Cash App leaves door open to money launderers, terrorists. Entities that are not banks but sell financial services (check cashing, international money transfers, prepaid cards) are often regulated separately as Money Services Businesses (MSBs), and given their generally quick access to funds they are an attractive method for criminals to leverage as the “money out” mechanism.

Finally, hackers are still knocking on the doors of financial institutions, too – Critical Software Vulnerabilities Impacting Credit Unions Discovered by LMG Security Researcher. Cross-Site Scripting (XSS) and SQL Injection attacks strike again, potentially granting admin access to an attacker. This is not the most exotic or sophisticated set of vulns, but it turned up in software that’s often used by credit unions, which typically have modestly sized and modestly budgeted IT teams, and that is what makes it noteworthy.

a noodle from the lab [what we’re working on]

A relatively short noodle: Capital One Is Buying Discover Financial for $35 Billion, and I find this wild.

Visa and MasterCard, the two major global card networks, leverage the “four corner” model of payments, meaning the network connects four players: 1) the cardholder, 2) the Issuer, aka the cardholder’s bank, 3) the merchant, and 4) the Acquirer, the merchant’s bank. The network sits in between as a mediator and connector between the banks, sets policy, aligns incentives - actually a lot of things - but basically they’re in the middle. (Or, on many powerpoints throughout time, the network is the pointy roof of a weird-looking house.) This model has more or less stayed the same since it was introduced, although fintech, intermediary processors, and retailer interests have reshaped it a bit.

Amex, who we talked about last week, with their Accertify spin-off, is different. American Express is their own bank, and for the most part connects directly to both merchants and consumers. A lot of this grows out of Amex’s original business model: they were a charge card (not a credit or debit card), and primarily sold to businesses versus “consumers” as T&E (Travel & Expenses). Remember they marketed a lot on exclusivity (i.e. you’d be on a business dinner, pick up the tab, look magnanimous, and not be embarrassed by any pesky declines). Some of you may also remember the hubbub around the original Amex Black Card.

So we come to CapOne & Discover.

First off, among card networks, Discover is a little bit more like Amex in that Discover is its own issuer. But Discover is definitely more midmarket than Amex. Like - ordinary consumer, not swanky business T&E card. Also like Amex, Discover had pretty limited acceptance for a while. Meaning - you’d go to a mom & pop shop and they’d begrudgingly take your Visa, but no way were they paying Amex fees, and they had never heard of Discover. That’s not true anymore, thanks to a lot of the merchant card processing expansion: Discover’s now accepted by 99% of the places that take credit cards.

Capital One is a huge credit card issuer in the US. If you’ve been to a business school you may have read one of the HBS case studies on them. I think this is the one that I most remember: Capital One Financial Corporation - Case - about how in the 90s they harnessed the power of *data* (they called it information-based strategy (IBS) at the time). [Editor’s note: Unfortunate acronym, now] How they used data to drive strategy, customer segmentation, and evaluate risk (credit and fraud) was phenomenal. We call it data science now, and they led the pack.

On the face of it, this feels like an Issuing play - meaning, CapOne consolidates and juices the combined portfolios of both Discover and CapOne. But I’m also interested to see what they bring to the network game: as an Issuer CapOne has likely been watching, but now they may be able to add value somehow to the merchant side of the house. And there’s a bit of a wild card aspect to it, too. Fintech has tried disrupting payments quite a few times, and seems to end up riding the same rails everyone else does - this feels like a potential revolution from the inside in the making.

WSJ describes this as a big bet at a booming time, but the side note about credit debt continuing to rise is both a boon (all that interest paid goes to the issuers) and a data point I’m sure CapOne is noting (hearing rumors about delinquency rates is never good for holders of debt). And we know they know how to work data points.

Welcome to the (network) party, CapOne; this is a spicy cocktail you’re shaking up and we’re interested to see how this plays out.

find more cartomancy [what’s out there]

coming soon

▶️ On Feb 22, Join me at InfoSec Compliance Now, a free virtual event hosted by AuditBoard from 8:30 AM - 12 PM PT. I’m kicking off the event on a panel (How AI Is Radically Reshaping Compliance, Cybersecurity, and Business Strategy) with presenters from Fannie Mae, Saviynt, and Cartomancy Labs (that’s me!), where we’ll discuss what 2023 taught us about AI and the ways it’s reshaping the compliance landscape. Reserve your spot today!

on demand

I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube, I encourage you to check out her projects). In this interview, we cover cybersecurity career and industry topics including:

  • 🤝 What do hiring managers look for when hiring candidates for a job?

  • 💻 What cybersecurity skills are most relevant?

  • 💭 What are the biggest challenges facing organizations today?

ttyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

If you’ve read to the end and you find this content helpful, I’d love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It’s also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle