Futurecast | Fraud on the Radar, Adventures in Payments-Land, & the CARTO Digital Fraud Framework

#0011 Trust And Cyber Online 🌮

hello world [what's up]

Hallå Cartomancers! 

I had a great time attending and speaking at BSides Knoxville - the venue, the vibe, and people were awesome! Highly recommended. Congratulations again to them on a successful decade of BSides events!! As promised, I share my slides below (as an embed - those who want the .pdf please drop me an email).

Note: This is the second time my newsletter is too long or too large, and might get clipped. It turns out that I needed a lot of words to properly frame the framework. So Gmail folk, definitely click through so you can experience the full delight of this issue of the Futurecast!

Let's get into it:

  • News nuggets 

    • Fraud on the Radar: A couple of big cases and concerning trends on the radar

    • Adventures in Payments-Land: Changes in rules and programs, also innovations unveiled

    • Siege on Libraries: Bans, banning bans, and Library cyber takedowns.

  • Noodling in the Lab

    • I am skeptical of fraud frameworks, so I looked for fraud frameworks, and then I experimented with designing one - introducing the CARTO (Digital) Fraud Framework (a different one will be needed for banks, likely - I promise not to call that one "MANCY").

training data [what's news]

šŸ—Øļø Fraud on the Radar: A series of high-impact identity theft and fraud cases on my radar, with an elaborate business fraud plus identity theft scheme happening out of New York, the DOJ going after a scammer that spoofed Coinbase and as part of a crypto-phishery, and a concerning trend of skimming EBT cards as a way to steal funds (and SNAP benefits) from families.

  • New York pair indicted for $1.4 million bank fraud scheme that victimized customers across the U.S.

    • The two used stolen personal information to register businesses with Washington state, then, using fraudulent identity documents, opened business bank accounts at banks where the victim already held personal accounts, and transferred money from the victim's account to the fraudulently created business account. 

    • The business account (debit card) would then be used to purchase money orders and high-value goods. The money orders would then be cashed out, again leveraging the fake identity docs, at check-cashing businesses.  

  • Western District of North Carolina | Indian National Pleads Guilty To Wire Fraud Conspiracy For Stealing Over $37 Million By Spoofing Coinbase's Website | United States Department of Justice

    • Coinbase's "Pro" site (Pro.Coinbase.Com) was spoofed at the look-alike domain CoinbasePro.Com by a group of phishers, who collected Coinbase credentials from victims landing on the fake site.

    • The phishers also impersonated Coinbase representatives and tricked victims into installing remote desktop software - giving the phishers control of the victim computers as well as access to Coinbase credentials - or into reading out 2FA codes over the phone.

    • Once the fraudsters gained access to victim accounts, they drained the accounts' cryptocurrency holdings, stealing victim assets and funds. One victim in Western NC lost over $240,000. 

    • Chirag Tomar pled guilty to federal charges for stealing more than $37 million through this scheme and remains in federal custody.

  • Recipients of SNAP benefits are falling victim to rampant EBT card skimming schemes

    • USDA statistics point to more than 59,000 households impacted by food stamp fraud - $30M in benefits that went to fraudsters instead of families.

    • Stolen benefits have been reported in Florida (356 claims), Michigan ($4M in SNAP benefits from 8,000 cardholders), and also in Illinois (2,800 Walmart customers' EBT cards skimmed while shopping).

    • EBT cards are magnetic-stripe only (no EMV chip), which makes them easy targets for old-fashioned skimming: the static stripe data a skimmer captures at the terminal can be written to a blank card and used as-is, with no cryptogram to defeat.

    • Unlike credit/debit cards, unauthorized transactions aren't automatically covered by the issuer - cardholders have to file claims to recover benefits. A survey from Propel indicated that impacts from this fraud include eating less or skipping meals (53% of victims), while others had to borrow money/go into debt to cover the lost benefits (44%). 

šŸ—Øļø Adventures in Payments-Land: The payments ecosystem is made of rules, incentives/liability policies, and technology. Changes take months and years to happen, but here are some interesting items on the horizon:

  • Visa recently announced some changes to their ecosystem risk monitoring programs - VAMP Enhancements and Retirement of VDMP and VFMP

    • TL;DR: Effective March 31, 2025, Visa retires its VDMP (Visa Dispute Monitoring Program) and VFMP (Visa Fraud Monitoring Program), and on April 1, 2025 (no April Fools here!) the enhanced VAMP (Visa Acquirer Monitoring Program) takes over.

    • Mainly this is a consolidation, since there was duplication between programs - but they are also shifting the thresholds for determining compliance, and the assessments (i.e., penalties) they'll make for non-compliance.

    • Card testing schemes (or "enumeration attacks" - running large numbers of stolen or guessed card numbers through a merchant's checkout in small transactions to find out which ones authorize) are clearly in Visa's cross-hairs. If you are an Acquirer or Merchant with a risky transaction portfolio and a tendency to dip into "excessive" territory, you'll want to read these changes carefully.

  • Visa Reinvents the Card, Unveils New Products for Digital Age: Visa's APAC region issued a press release highlighting a number of payment innovations they're making available in their region. Always interesting to see what's coming onto the market here, such as:

    • Visa Flexible Credential: ability to access multiple accounts through a single credential 

    • Tap to Everything: Now that we've hit a critical mass of cardholders with chip, Visa's looking to add features to the popular "Tap to" NFC-enabled capabilities, including: Tap to Phone (phones as a POS), Tap to Confirm (e-commerce authentication), Tap to Add Card (to enable adding a card into a wallet or app) and Tap to P2P (tap to send money to friends & family).

    • Visa Payment Passkey Service: Visa's FIDO-based (Fast Identity Online) passkey offering adds to the consumer verification/authentication options for e-commerce.

  • Not getting a ton of press, but I still think it's kind of cool: biometric credit cards. These cards incorporate a fingerprint scanner into the card itself, used in conjunction with contactless payments to add security to a transaction at the point of sale. (Reminds me a bit of the 2010s, when - some of you may remember - some 2FA was made available via a card.) The card industry has been experimenting with biometric cards since 2017, and a few banks have had major roll-outs, including in 2021 when BNP Paribas became the first bank in France to offer its clients a biometric card. That said, while both Visa and Mastercard support biometric cards, you might have to hunt to find one as they are still not commonly issued. 

šŸ—Øļø Siege on Libraries: My news feed continues to be flooded with articles about book bans around the country - for those unfamiliar with what this means in practical terms, this NPR overview is nice - What's a book ban anyway? Depends on who you ask

  • In an odd ouroboros of a situation, Book about book bans banned by Florida school board. Ban This Book by Alan Gratz (about a child who creates a secret banned-books library out of her locker after she can't get her favorite book from the library) was taken off school shelves in Indian River county after opposition from parents (linked to Moms for Liberty). The school board voted to remove the book after complaints about references to other banned books, and that the book is "teaching rebellion of school-board authority", according to the Tallahassee Democrat. 

  • The ouroboros takes another bite out of its tail with this response to the siege of book challenges - States begin to push back on book bans - by banning them.

    • New laws are being passed to limit book challenges, perhaps in response to a huge jump in challenges - more than 4,300 book bans occurred from July 2023 to December 2023 (report from PEN America). This was across 23 states and 52 public school districts.

    • Minnesota is the latest state to impose restrictions on public library book bannings. (Meanwhile, in other states like Missouri, librarians can personally face fines and jail time for distributing books deemed to be inappropriate in school).

  • The siege on libraries became a bit more literal for the Seattle Public Library when it got ransomwared in late May, taking their online services offline.

    • The library kept going with offline services, and encouraged borrowers to keep their checkouts for a little while longer - at least until the library is able to check them back in.

    • This all raises the question: Why did ransomware hackers target Seattle Public Library? Turns out, libraries in Toronto and London also recently suffered major cybersecurity breaches; although they don't have funds to pay ransomware demands, perhaps simply being affiliated with governments (who want to make sure basic services are restored fast) is keeping them in the target zone.

a noodle from the lab [what we're working on]

This year's BSides Knoxville (their 10-year anniversary) had a great theme - Detectives (& Detecting). So I went full throttle, providing an overview and discussion of the evolution of Detection from a fraud defense perspective (I actually worked in network intrusion detection at the beginning of my career, so there are a lot of parallels which are interesting - and differences, which are even more interesting).

Before heading over to Knoxville, though, I posted a request on LinkedIn - recommendations for people's favorite fraud-fighting frameworks for folks dealing with payment risk or in-product abuse. I wonder how frameworks can help fraud and trust & safety teams. See, I've always been a bit skeptical of the role of frameworks within a fraud program. Many cyber programs use maturity models - and their ability to shift maturity - as a way to benchmark against the industry, and as an indication of progress and performance. But fraud and abuse teams have metrics and impact measurements (loss rate, chargeback rate, decline rate) that they can use to understand performance in a more objective way (understanding that measuring impact is still pretty hard).

That said, the dynamics have gotten fairly complex, with fraud/anti-abuse teams now working across entire customer and product lifecycles, as well as at the point of a (monetary) transaction. So I'm starting to appreciate the role of frameworks more and more.

Here's a sample of what I found when I dug in on frameworks (a blend of cybersecurity and fraud-specific examples):

Of these frameworks, I find maturity models the most useful - but the most lacking, for a new fraud team. I'm often asked the question by growing digital companies: where do we start? What's the best way to organize efforts? And so with that in mind I've drafted the (VERY drafty) CARTO Fraud Framework.

It's not perfect by a long shot, so I highly welcome feedback on this. Let me explain a little bit about my thinking here - in general, a (digital) fraud system looks something like this (and apologies for the super-high level of detail; there are a lot of details, especially in operations and customer service, that are missing here). 

Generic Fraud (Decisioning) System

To be fair, the diagram of the system focuses on the technology. But a program framework needs to consider a lot of other things. Here's an overview of the CARTO Fraud Framework, which leverages the Fraud Decisioning System model above as a basis for the approach.

CARTO Fraud Framework Overview

As you move from left to right, the program matures. As the program matures, the focus tends to evolve from "stop the bleeding" to "enable the business". Here are the main stops along the journey:

  • CONTEXT: What I've found is that digital companies (retailers, FinTech, and tech companies) start their journey over on the right hand side of the system diagram - in operations, customer service, and billing systems - trying to figure out what's going on and get some kind of context for the incoming contacts, chargebacks, and reports/requests from their Acquirers. (For example, the first time some companies hear about the High Risk Monitoring program is when they're on it.) 

    • The part of the tech/data stack thatā€™s often the focus: the back office, post-transaction systems

    • The question to answer is: What's the problem & how bad is it?

  • ACT: What teams seek to do next is find where they can affect the fraud problem - where can they deny, slow-down, or at least detect fraud attempts

    • The part of the tech/data stack thatā€™s often the focus is: the back-end systems that support checkout or billing, but roughly, the parts of the system where you could write rules or filters. Manual reviewers also need basic tooling to enforce policies.

    • The question to answer is: Where can we take action / block / decline?

  • REFRAME: After the team has slowed down the fraud, the business often wants to understand what impact all of these fraud and security declines are having on customer experience - and revenue. The team has rough controls, but now will want to introduce more targeted interventions and lower false positives. Work from scores, not just rules.

    • The part of the tech/data stack that's often the focus is: a better Back End plus Front End - in the back-end we start introducing scores in addition to rules, and wire in appropriate user experience - for example, giving users more tools to "self serve" out of a decline. 

    • The question to answer is: What's the bigger problem, considering the user experience & business?

  • TRAIN: With a framework in place for more sophisticated decisions, the team will really shore up the learning loop needed for an effective risk decisioning system, making it better, faster, stronger. The keyword is usually faster. 

    • The part of the tech/data stack that's often the focus is: data and data science tech - modeling/ML tools, an emphasis on data quality and availability, and the customer and transaction data model, tuned for the fraud fighters. Manual reviewers also need improved tools at this point, as they are part of the learning loop (they are both upstream and downstream of the models at this point). 

    • The question to answer is: How can we uplevel detection, leverage AI/ML, and improve speed to detect?

  • OPTIMIZE: Now that the pieces are in place, the team can orchestrate the capabilities together, tuned for specific business outcomes. When deploying a model, we know that we need to set cutoffs that hit a preferred balance between precision (how much of what we flag is actually fraud) and recall (how much of the fraud we actually catch). At the optimization phase, teams can start discussing the preferred balance between revenue and fraud losses, between customer experience and customer contact volumes.

    • The part of the tech/data stack thatā€™s often the focus is: The whole system - how the different capabilities work together in an integrated fashion, considering impacts end-to-end.

    • The question to answer is: How can we automate further to streamline and prioritize both decisions and work?
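Here is how the ACT, REFRAME and OPTIMIZE stops above might look in code, as an added example (not from the talk or the slides): a velocity rule that hard-denies the card-testing/enumeration pattern Visa is targeting in the VAMP changes discussed earlier, a score cutoff applied to whatever the rule lets through, and a cutoff selection driven by a precision floor the business has agreed to. Everything in it is constructed: the Attempt fields, the thresholds, the sample attempts and their fraud labels are assumptions for illustration, not real data or anyone's production logic.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int            # seconds (constructed)
    device_id: str     # device fingerprint / session id (assumed field name)
    card_token: str    # tokenized PAN; a new token per attempt is the card-testing tell
    amount: float
    score: float       # risk model output in [0, 1], higher = riskier (constructed)
    is_fraud: bool     # post-hoc label from chargebacks/confirmations (constructed)

# Hypothetical thresholds; tuned per portfolio in practice.
ENUM_WINDOW_S = 60
ENUM_MAX_DISTINCT_CARDS = 5

def flag_card_testing(attempts):
    """ACT-phase rule: a device cycling through more than ENUM_MAX_DISTINCT_CARDS
    distinct cards within ENUM_WINDOW_S seconds is enumerating card numbers.
    Returns the set of device_ids to hard-deny."""
    by_device = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_device[a.device_id].append(a)
    flagged = set()
    for dev, rows in by_device.items():
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > ENUM_WINDOW_S:  # slide the window
                start += 1
            if len({r.card_token for r in rows[start:end + 1]}) > ENUM_MAX_DISTINCT_CARDS:
                flagged.add(dev)
                break
    return flagged

def decide(attempt, denied_devices, cutoff):
    """Rules first (hard deny), then the score cutoff; returns (decision, reason)."""
    if attempt.device_id in denied_devices:
        return "deny", "rule:card_testing_velocity"
    if attempt.score >= cutoff:
        return "review", "score>=cutoff"
    return "approve", "score<cutoff"

def precision_recall(attempts, cutoff):
    """Precision: share of flagged attempts that are fraud. Recall: share of fraud
    that got flagged. Computed on whatever population is passed in."""
    tp = sum(1 for a in attempts if a.score >= cutoff and a.is_fraud)
    fp = sum(1 for a in attempts if a.score >= cutoff and not a.is_fraud)
    fn = sum(1 for a in attempts if a.score < cutoff and a.is_fraud)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

def choose_cutoff(attempts, min_precision):
    """OPTIMIZE-phase choice: walk candidate cutoffs low to high and return the first
    (cutoff, precision, recall) meeting the agreed precision floor; the lowest such
    cutoff keeps the most recall. None if the floor is unreachable."""
    for c in sorted({a.score for a in attempts}):
        p, r = precision_recall(attempts, c)
        if p >= min_precision:
            return c, p, r
    return None

# Constructed sample: dev-A cycles 7 cards in 30 s at $1 each (card testing);
# the rest are ordinary checkouts with a mix of post-hoc labels.
SAMPLE = [
    *[Attempt(100 + 5 * i, "dev-A", f"tok-{i:02d}", 1.00, 0.35, True) for i in range(7)],
    Attempt(400, "dev-B", "tok-90", 42.00, 0.05, False),
    Attempt(410, "dev-B", "tok-90", 18.50, 0.08, False),
    Attempt(500, "dev-C", "tok-91", 950.00, 0.92, True),
    Attempt(520, "dev-D", "tok-92", 120.00, 0.40, False),
    Attempt(540, "dev-E", "tok-93", 610.00, 0.70, True),
    Attempt(560, "dev-F", "tok-94", 75.00, 0.55, False),
    Attempt(580, "dev-G", "tok-95", 300.00, 0.60, True),
    Attempt(600, "dev-H", "tok-96", 35.00, 0.20, True),
]

def run_demo(min_precision=0.7):
    """Apply the rule, pick the cutoff on what the rule lets through, tally decisions."""
    denied = flag_card_testing(SAMPLE)
    # Score the model only on traffic that reaches it: including attempts the rule
    # already killed would inflate (or mask) its precision and recall.
    remaining = [a for a in SAMPLE if a.device_id not in denied]
    picked = choose_cutoff(remaining, min_precision)
    if picked is None:
        raise ValueError("no cutoff meets the precision floor")
    cutoff, precision, recall = picked
    tally = defaultdict(int)
    for a in SAMPLE:
        tally[decide(a, denied, cutoff)[0]] += 1
    return {"denied_devices": denied, "cutoff": cutoff,
            "precision": precision, "recall": recall, "decisions": dict(tally)}

if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing when you run it. First, the cutoff is chosen on the traffic that reaches the score stage; if you score the card-testing attempts too, the rule's work gets credited to (or blamed on) the model. Second, lowering the precision floor from 0.7 to 0.65 moves the cutoff from 0.55 to 0.20 and lifts recall from 0.75 to 1.0 at the cost of one more false-positive review: that is exactly the revenue-vs-loss, contact-volume-vs-coverage conversation the OPTIMIZE stop is about.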

I really liked this noodle that came out of brainstorming the framework (below), because the emphasis of the program across all dimensions - people, process, technology - changes as the program evolves. (Note: As one moves from left to right, new capabilities/elements are additive, not replacements. Models and manual review are both "forever" capabilities, even as they become more sophisticated.)

How does the program scope shift as it matures? Some ideas, using CARTO.

This is an incomplete overview, because I haven't even talked about how the risk decisioning system overlays with the customer journey (one of my favorite topics!!); this is really more about the indicators of maturity. In any case, I think this sketches out enough so that you can kind of understand what I'm trying to do in my slides 50-60 (the "An Escalation" section). If BSides Knoxville posts any follow-up video I will let you know.

Full deck is here:

find more cartomancy [what's out there]

coming soon

▶️ I'll be at Black Hat USA and the CISO Summit this summer in Las Vegas (early August). Not speaking (as of yet), just listening - and maybe hanging out with you, fellow Cartomancers?

on demand

I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube I encourage you to check out her projects). In this interview, we cover cybersecurity career and industry topics including:

  • 🤝 What do hiring managers look for when hiring candidates for a job?

  • 💻 What cybersecurity skills are most relevant?

  • 💭 What are the biggest challenges facing organizations today?

A bit of a throwback, but it was so much fun chatting with Andy Ellis, and so much of it is still true even a couple of years later.

ttyl [what's next]

Thanks for reading to the end of this set of lab notes. I'm thrilled to have some fellow travelers mapping out where we've been, philosophizing about where we want to be, and building the paths to get us where we're going.

If you've read to the end and you find this content helpful, I'd love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It's also a good way to find me if you are interested in working with me or with Cartomancy Labs).

See you next time on the Futurecast!

Allison

@selenakyle