Handing in my Lab Notes
(Or, a Quick Recap of Black Hat 2025, plus a Hint at What's Next)
hello world [what’s up]
Aloha Cartomancers!
This last week I went to Las Vegas for Black Hat USA, where I had a great time attending and pulling off a Black Hat Summit “Hat Trick”, speaking at the CISO Summit, Financial Services Summit, and the AI Summit. That…was a lot…for a Tuesday.
I had a lot to finish up last week, because this week I start a new job. So expect this newsletter/blog to go Very Very Quiet, as I’m about to be Very, Very busy.
Not to bury the lede, but some of you know the impetus behind Cartomancy Labs was to conduct research and innovate at the intersection of Fraud, Cyber, and Digital Systems, and so it’s not entirely surprising I would be tempted towards opportunities to conduct research and innovate at the intersection of Fraud, Cyber, and Digital Systems…at scale.
So before I close down the lab, here’s a recap of what I talked about at Black Hat (key points and links to slide decks are below):
CISO Summit: Cyber Fraud Fusion
Financial Services Summit: Beyond the Hype: What AI Means for Fraud, Threats, and Compliance
The AI Summit: Strategic Track | AI vs AI: Defending Against the Rise of AI-Generated Fraud
CISO Summit presentation
Abstract: This session explores the convergence of techniques and technologies across enterprise cybersecurity and product abuse/fraud, as defender teams work together to tackle evolving threats from bad actors that attack our systems, products, and customers. Attendees will learn more about how our cyber teams are positioned to build stronger controls against hybrid attacks, and proactive strategies where we can learn and borrow methods from partner teams.
Key Points
This presentation is designed to inform CISOs about how Fusion may be affecting their security programs, regardless of whether their threat surface includes “traditional” fraud or product abuse problems. Slides are linked below: key points roughly follow the slides.
Some Background on Cyber, Fraud, & Fusion
Digitization has changed the game for cyber: the perimeter model has changed. Not only is the perimeter cloudy & porous, we must invite customers and partners in - despite the fact that abuse and attacks are intermingled with their activity.
Note: This has also changed what’s “inside” the perimeter; we’ve gone from a focus on corporate assets to what’s “in” our digital platforms.
We’ve developed controls around the concept of a “front door”, with cyber focused on edge technologies (the front of the front door) and fraud/abuse focused on product experiences (the back of the front door).
Activities like customer onboarding and authentication are good examples of this “front door” mentality. Front of the front door is looking for bots & credential stuffing, back of the front door is looking for fake accounts and ATOs.
We’re both risk functions and have connected missions, but typically we are NOT aligned in terms of use cases or technologies, much less metrics and data. Even the language we use, and the unit of interesting action, differ.
This can stifle collaboration (Fusion) but there are other dynamics that might encourage CISOs and their partners to reconsider Fusion.
The Cyberification of Fraud
Digitization has expanded the threat surface, it’s also changed how fraud fighters need to consider addressing the problem of fraud.
Typically, threat models in fraud focus on the customer experience (traditionally focused on “move money”, but they have already migrated to login).
Likewise, the decisioning systems (and their learning loops) that are built to prevent & detect fraud have always centered around these use cases WITHIN the customer experience (although we are starting to see more services/real-time data calls being incorporated in).
But fraud is starting to incorporate more understanding of the fraud ecosystem into their on-platform controls… cyber folks can think of this as extending the killchain…AND THE SOLUTION CHAIN…both upstream and downstream of the decisioning system.
Introducing additional decision points creates more complexity for the fraud systems, and also requires more visibility into correlated data/activities, coordination of decisions (orchestration), and puts pressure on the data strategy and architecture.
BIG NOTE: I introduce the concept of the Consumer Edge here. What I mean is leveraging “edge” infrastructure technologies (typically selected and managed by Cyber), such as WAFs and anti-bot tech, in fraud prevention. This is both good and not-great for the fraud team - good that it prevents attacks, but not-great in the sense that it can often occlude data/activities that would be helpful for improving and tuning the fraud decisioning systems.
Thus we find our fraud teams relying more and more on what has been traditionally cyber tools & tech.
Also it’s all about the data.
The Fraudification of Cyber
This dynamic is weirder and I didn’t notice it until a friend (Heather A) asked a well-phrased question about deepfakes.
Social engineering has always been a problem for cyber: we’ve focused on phishing for credentials and access in the past, and watched as attackers have evolved into BEC.
Fraud is dealing with a wave of scams. Scams are a bit different from other types of fraud because the victim authorizes the movement of money (this is different from unauthorized fraud - where a payment instrument/account is stolen, counterfeited or taken over).
Scams are fast money, and we are seeing more and more businesses being targeted by scammers who are skipping credential theft and going straight for the money.
Deepfakes are making everything worse, because scams always include deception and often involve impersonation or masquerading of some kind. Here I talk about my taxonomy of deepfakes (also discussed in the AI Summit presentation below): Broadcast, Out-to-In (Incoming), and In-to-Out (Reflective).
A big problem cyber is going to have, whether our organizations are dealing with fake job applicants or executives being impersonated, is that as difficult as IAM is, we are going to need to rely on consumer-grade identity verification to address some of these threats.
Note: Business identity is way harder than consumer identity.
BIG NOTE: Here I introduce the concept of the Corporate Process Perimeter (partially so there’s symmetry with the Consumer Edge, but also because corporate processes are a growing part of our threat surface that cyber will need visibility into).
Thus we find our cyber teams relying more and more on what has been traditionally fraud tools & tech.
Also it’s all about the data.
Industry Dynamics
This is where I talk about the industry (solutions) map I’ve been working on, and how it’s grown since I expanded beyond traditional fraud tooling and into broader (Fusion-y) vendors.
Some interesting areas:
Threat intel & Brand Protection:
Edge tech/Web tech: Consolidation in this space, edge tech (WAFs, CDNs) trying to move closer to the front door, and boutique fraud-ier vendors trying to capture more of the user experience up and down the customer lifetime.
Queueing & Workflow + Investigations / Analysis: Why so sparse? Also a note here that cyber tends to buy tools “fit for purpose” (i.e. designed for cyber), and fraud/abuse tend to leverage more general tooling (like Pega, ServiceNow). How will Fusion teams integrate with such different platforms?
Testing & Assessments: A staple category for cyber, we are just now starting to see service providers that can test fraud defenses.
Consumer facing / UX / Awareness: Not sure how this category is going to expand, but it’s hard to imagine every company that needs to do this/improve this doing everything bespoke. Possibly will grow on a track similar to Brand Protection.
Deepfake Specific: I mean, obviously.
Fusion Futures
So with all that said, I’m interested in seeing more adoption and evolution of Fusion teams/systems.
Fusion started in the 2010s with a “shared location” model, and that has evolved into more aligned operating models, but I’m most interested in Fusing Operating (and Tech) stacks as a way to improve alignment, visibility, and performance.
Opportunities to innovate and collaborate are clustering at integration points, where today there are both gaps and overlaps.
Financial Services Summit - Panel Discussion
Abstract: AI is reshaping cybersecurity within the financial services industry—from how we detect threats and prevent fraud to how we manage identity and regulatory risk. However, as adoption accelerates, so do the challenges: fragmented teams, inconsistent safeguards, expanding attack surfaces, and increasing pressure from regulators demanding explainability and accountability. This panel convenes experts to explore the current and future landscape of AI in financial cybersecurity. We will unpack the practical realities of integrating AI into SOC operations, identity and access management, fraud detection, and compliance programs. Panellists will discuss how institutions are navigating the tension between innovation and risk, what is working (and what is not), and where the greatest opportunities and vulnerabilities lie as AI continues to evolve.
I moderated a panel that included:
Jeremiah Dewey | Head of Cyber Products, Visa
Rich Friedberg | Chief Information Security Officer (CISO), Live Oak Bank
Jason Mical | Field CTO, Devo
AI Summit presentation
Abstract: This session explores the evolving use of AI in adversarial operations, including synthetic content creation, impersonation, disinformation, and social engineering. It also examines how defenders can respond.
Key Points
This presentation is designed to inform cyber AI enthusiasts about how AI is affecting fraud - both from a threat analysis and a defender perspective. Slides are linked below: key points roughly follow the slides.
Context on fraud prevention and AI
I cover what I mean by fraud, and why fraud lends itself so well to discussions about AI. Then I explain how fraud prevention systems work - as decisioning systems - and the role of models, scores, stats, ML…and ultimately AI…in those systems.
My favorite slide showing my reference model for fraud decisioning systems, laid out against the customer experience/use cases.
Fraud use cases & updates on the fraud ecosystem
Fraud used to be a fairly physical problem - remember stolen cards and skimming? But fraud has evolved with e-commerce and digitization of online services. (hello bots & ATO).
Then I talk about how application fraud has always been a “thing” but is getting worse with deepfakes and other digital fake tech, and how easier fakes also are a companion problem to the growth of scams.
Here I also explain the difference between App (application) and APP (Authorized Push Payment) fraud. App fraud is either stolen or synthetic identities applying for services, while APP fraud is typically these “one-way” digital payments. (The one-way nature draws in scammers)
Evolving use of AI in adversarial operations
Adversaries are loving the growth of AI, but AI isn’t doing “hand-to-hand” combat within decisioning systems. Instead, adversaries are using AI to speed up and scale their own operations:
More automation (making attacks faster)
Scaling social engineering (using bots to interact with potential targets)
Better fakes (More convincing counterfeits, and deepfakes of course)
Speaking of deepfakes, here’s Allison’s Taxonomy of deepfakes:
Broadcast: Campaigns, like spam or early phishing, that are hoping to go viral. They are spammy and scammy, often featuring fake versions of high profile executives or influencers.
Incoming (Out-to-In): Where customers, vendors, or other external folks are pretending to be something they are not to our employees & teammates. Example: Deepfaked job candidates looking to cheat their way through the hiring pipeline.
Reflective (In-to-Out or In-to-In): Where we are the ones being deepfaked, to external folks. Example: Deepfaked executive, looking to deepfake their way to paying a fake invoice.
I comment on the issue of scams: they can be deeply personal, but there are business-focused counterparts. And scams are on the rise.
Here are a few stats on the growth of AI-generated fraud/scam problems.
How can defenders level up with AI
Besides traditional areas where defenders are using data science, like in detection and investigations, there are opportunities in data analysis and automation that I see many teams exploring.
I’m perhaps most excited about defenders engaging in the ecosystem in different ways, such as how:
Scam-baiters like Kitboga (amazing YouTube scam-baiter) are both proactively engaging with scammers (wasting their time and resources), as well as learning their methods and generating rich threat intel.
Incorporating Gen-AI powered functionality within the user experience to clarify intent/context, and augment fraud detection.
In Sum
Attackers are leveraging AI in creative ways. Defenders will likely need to both leverage AI themselves, and refactor their threat models to reflect the evolution of AI-powered fraud use cases.
a noodle from the lab [what we’re working on]
I got pretty tired working on my grand unifying theory of fraud models & frameworks, but here are some of the interesting articles and references from the past year or two:
If the Fraud Framework series is of interest to you, and you’d like a more intense talk track — check out my talk linked below (entitled “Watching the Detectives: Scam Artistry, Deep Fakery, Fraudsters, Frame-ups & Other Highlights of the High Speed Card Chase”) at BSides Knoxville’s 2024 event. This was the birth of the CARTO model (and an unfinished series of articles on the foundations of fraud).
find more cartomancy [what’s out there]
coming soon
▶️ TBD
on demand
▶️ Fraud is scaling with AI. Are your defenses keeping up? Check out this virtual panel (FRAUDOMATIC), hosted by the awesome folks at MirrorTab. Had a great conversation with fellow fraud & cyber experts, including:
The Kitboga Show – YouTube scam-baiting icon with 3.7M+ subscribers
Jerry Tylman – Fraud Red Team leader with 20+ years at top banks
Brian Silverstein – Founder & CEO of MirrorTab, former CTO & co-founder of Honey
▶️ It was lovely to talk all things payments & fraud with my recently re-connected friend Karisse Hendrick on her Fraudology podcast.
▶️ Here’s a little fun from LAST summer at Black Hat USA 2024, where I spoke with Jeff Man about the Rise of Deepfake-Driven Scams.
ttyl [what’s next]
Thanks for reading to the end of this set of lab notes. I hope to see you in the lab, again, where we can talk about how our experiments are going.
See you next time, in the Future!
Allison
@selenakyle