Futurecast | Weaponized Information, the Future of Fake Fakes, and Scammers at Scale
#0010 Trust And Cyber Online
hello world [what's up]
S̄wạs̄dī Cartomancers!
Delighted to be done (mostly) with Black Hat USA CFP reviews for the season. After several hundred reviews, I can switch back over to creating content rather than simply reviewing it. I'm also between events myself - a few weeks after the Prove Improve2024 event, and less than a week away from BSides Knoxville, where I will be keynoting. I'm happy to be 100% bought into their theme, "Detectives", with a talk titled: "Watching the Detectives: Scam Artistry, Deep Fakery, Fraudsters, Frame-ups & Other Highlights of the High Speed Card Chase". Given the theme, in addition to polishing talking points, I'm also still planning my disguise. Should there be a moustache involved? Or maybe just a trenchcoat and a noir theme to my slides?
Let's get into it:
News nuggets
Dangerous Ideas & Weaponized Information
The Future of Fake Fakes: Whatās not Past is Prologue
Scammers @ Scale
Noodling in the Lab
Some late thoughts coming out of our discussion on fraud-fighting Scams at Prove's #improve2024
training data [what's news]
Dangerous Ideas & Weaponized Information: Encryption has been challenged many times over the years for shielding dangerous or illegal data/information. While additional challenges to "illegal" data are not a surprise, I'm a little unnerved by the ongoing pressure on public libraries.
Bill that could lead to prosecution of librarians advances from Alabama House to the Senate. The bill, which could see librarians individually prosecuted for controversial materials they select or choose not to remove from shelves, removes existing exemptions for public libraries in the state's obscenity law. Lawmakers supporting the bill hope it will protect children; this bill is part of a larger nationwide trend to ban books.
FTC says Amazon executives destroyed potential evidence by using apps like Signal - The Verge - Weird they didn't pick Telegram, eh?
Supreme Court rejects Elon Musk's challenge to SEC agreement to vet his social media posts - This is interesting because we've seen several situations where celebrities, and Musk in particular, have moved markets while at the same time benefiting from the market movement. If Musk hadn't signed the settlement with the SEC, would this have been a case that weighed free speech against market-shocking mis/disinformation?
…and I'm not the only one who's watching the situation with public libraries. This is a good summary by John Oliver.
The Future of Fake Fakes: What's not Past is Prologue
I don't know what to say about this article other than that this was a pretty interesting read, and while it left some loose ends, I did not have a "Minority Report x Bring it On mashup" on my BINGO card for this year. So for that alone, it's worth a click through.
Here's the next wave on deepfakes that I've been wondering about: what happens when we're faced with audio/video "proof" of something, and the accused claim "that's not me, it's a deepfake"? Here's a mindbender whodunit that is also kind of a whodunwhat: She was accused of faking an incriminating video of teenage cheerleaders. She was arrested, outcast and condemned. The problem? Nothing was fake after all
Scammers @ Scale: Scams (as I discuss in more depth below) are rising on several fronts; here are some of the trends we're watching:
When asked by CBS News to discuss the trend of overseas criminals and crime rings stealing more than $1 billion from victims via online romance scams, Match Group CEO Bernard Kim said of romance scams: "Things happen in life". So true. The FTC provides Consumers with Advice About Romance Scams, the US Secret Service provides Tips on Avoiding Romance Scams, even the AARP is publishing advisories, like "Online Romance and Dating Scams: How to Spot a Scammer".
It makes sense the AARP would be keeping an eye on these trends: elder fraud is continuing to rise. The FBI reports that in 2023, scams targeting individuals aged 60 and older caused over $3.4 billion in losses (+11% over 2022), with the average victim losing almost $34k. Of course, not all elder fraud involves the internet and organized crime rings; many seniors are getting scammed much closer to home, for example: Culver City elderly woman loses thousands to check fraud
How do we get the scammers back in the nest? The Guardian offers a thought piece on why they think platforms that rely on moderation are doomed to fail - or at least, to fail us - with Silicon Valley's business model is incompatible with the moderation of online horror and hatred. Relevant since we still expect platforms to protect people from hate, harassment, influence campaigns, and scams. TL;DR AI might not be the answer.
Interesting Event: Announcing APWG eCrime 2024 at Boston
Our friends at the Anti-Phishing Working Group are hosting APWG eCrime, a conference that is watched closely by industry, research community, global law enforcement organizations and multilateral treaty organizations. Focused on eliminating the identity theft and frauds that result from the growing problem of phishing, crimeware, and e-mail spoofing, the APWG connects researchers, experts, and practitioners working on solving this global problem. This year their event will be in Boston from Sept 24 - 26 for their 19th symposium. Curious to know more? Helpfully, you can check out their papers here: https://ecrimeresearch.org/ecrime-research-papers/
a noodle from the lab [what we're working on]
I had a great time attending & presenting at the Prove #improve2024 event a few weeks ago, wanted to share a couple of points from the discussion we had on scams (below).
For those who aren't involved in fraud-fighting directly, the TL;DR on scams is that incoming fraud pressure has shifted from:
Stolen/counterfeit/compromised financial instruments (example: someone skims your credit card at a point-of-sale) to
Account hijacking (example: someone hacks your financial/e-commerce account and makes purchases for themselves), all the way over into
Scams: tricking a person into sending money, rather than stealing the means of moving money (example: someone convinces you to send them crypto for them or a third party they vouch for, to invest on your behalf).
Scams are more complicated for FIs to unwind, and don't always have the benefit of years of refining what's considered "proof" and clarification on transactional liability, like we have with other types of fraud endemic to credit cards and bank accounts.
Here are a couple of points that I made, and a few I took away:
Scams put pressure on FIs because unauth fraud is someone other than the customer doing the fraud-ing. To detect scams, FIs have to be good at identity, but also decipher intent and context.
Many of the indicators of intent and context are going to happen off-platform, before the customer arrives in a digital flow - I'm interested to see if we can engage the threat intel community and our teams in more direct and compelling ways, since those are our eyes & ears into the ecosystem
Speaking of intel, data sharing comes up again and again. I referenced the model provided by credit card fraud, and how the networks are able to consolidate and clear indicators/signals system-wide, as well as the relationships that exist between fraud folk. I also referenced the model provided by Spamhaus and spam providers - we have gotten fancy with content-based clues in emails, but largely the reason spam filters are effective is because email platforms have honed their ability to understand and update sender reputation signals. (Respect to SPF & DKIM & DMARC)
Also relevant to info sharing: We focus on the financial transactions, but FIs are actually towards the end of the scam. Who's at the front? Messaging and social apps. Who else is affected? P2P fintech apps. It's an ecosystem beyond the traditional FIs for sure.
Given the customer is the human in the loop, methods to detect and combat mean we need to enlist their help - both in the transaction and likely after the fact. FIs will need to engage in more proactive education & awareness (outbound campaigns), look to modifying UX in clever places (I see lots of interstitials and butter bars in our future), and also prep CS/Fraud Ops to add some Q's into their workflows to reinforce taxonomies and such.
Speaking of taxonomies, we talked about how we can firm up dispute taxonomies and definitions - the Fed has offered its FraudClassifier Model (linked), meant to assist and accelerate discussions on these topics.
The Fed's FraudClassifier model, linked from: https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/fraudclassifier-model/
Takeaways:
To me, ATO (Account Takeover) is pretty straightforward unauth, but at least one bank is challenging the idea that ATO-related fraud is covered by Reg E/Z, so the industry is faced with deciding whether ATO is unauth or "authorized" fraud - acknowledging the account holder was manipulated. Where I landed: from a detection perspective "not conducted by the account holder" is the piece I want to focus on.
Great discussion w David Kerman, Michael Timoney, & Ian Mitchell - we only got to scratch the surface but I suspect there will be more conversations to follow. TY #improve 2024 for hosting us.
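The spam-filter analogy above (sender reputation rather than content clues, built on SPF/DKIM/DMARC results) is easy to show in code. The example below is an added illustration, not code from Cartomancy Labs or from any mail platform: it parses constructed Authentication-Results headers, keeps a running reputation score per visible From: domain, and hands back a trusted/unknown/suspicious verdict. The score deltas, thresholds and sample domains are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Authentication-Results header values standing in for a receiving
# platform's mail log. Sample data only; the domains are not real senders.
SAMPLE_HEADERS = [
    "mx.example.net; spf=pass smtp.mailfrom=news.example.org; "
    "dkim=pass header.d=news.example.org; dmarc=pass header.from=news.example.org",
    "mx.example.net; spf=pass smtp.mailfrom=news.example.org; "
    "dkim=pass header.d=news.example.org; dmarc=pass header.from=news.example.org",
    # Same visible From: domain spelled with a dash: SPF and DKIM identities do
    # not align with it, so DMARC fails.
    "mx.example.net; spf=fail smtp.mailfrom=bulk.example.com; "
    "dkim=fail header.d=bulk.example.com; dmarc=fail header.from=news-example.org",
    # First-time sender with no authentication published at all.
    "mx.example.net; spf=none smtp.mailfrom=newcomer.example; "
    "dkim=none; dmarc=none header.from=newcomer.example",
]

RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b"
)
FROM_RE = re.compile(r"header\.from=([A-Za-z0-9.-]+)")

# Illustrative weights (an assumption, not a standard): a hard fail costs more
# than a pass earns, so a domain cannot "average out" spoofing attempts.
DELTAS = {"pass": 1.0, "none": 0.0, "neutral": 0.0, "temperror": 0.0,
          "softfail": -0.5, "permerror": -0.5, "fail": -2.0}


@dataclass
class AuthResult:
    from_domain: str
    spf: str
    dkim: str
    dmarc: str


def parse_auth_results(header: str) -> AuthResult:
    """Pull the spf/dkim/dmarc verdicts and the From: domain out of one header."""
    results = {m.group(1): m.group(2) for m in RESULT_RE.finditer(header)}
    from_match = FROM_RE.search(header)
    if not from_match:
        raise ValueError("no header.from domain in Authentication-Results")
    return AuthResult(
        from_domain=from_match.group(1).lower(),
        spf=results.get("spf", "none"),
        dkim=results.get("dkim", "none"),
        dmarc=results.get("dmarc", "none"),
    )


@dataclass
class Reputation:
    score: float = 0.0
    seen: int = 0
    dmarc_failures: int = 0


class SenderReputation:
    """Per-domain reputation updated from authentication results, no content clues."""

    def __init__(self) -> None:
        self.by_domain: dict[str, Reputation] = defaultdict(Reputation)

    def observe(self, header: str) -> str:
        r = parse_auth_results(header)
        rep = self.by_domain[r.from_domain]
        rep.seen += 1
        # DMARC is weighted double because it carries the alignment between the
        # visible From: domain and the SPF/DKIM identities the user never sees.
        rep.score += DELTAS[r.spf] + DELTAS[r.dkim] + 2 * DELTAS[r.dmarc]
        if r.dmarc == "fail":
            rep.dmarc_failures += 1
        return self.verdict(r.from_domain)

    def verdict(self, domain: str) -> str:
        rep = self.by_domain.get(domain)
        if rep is None or rep.seen == 0:
            return "unknown"
        if rep.dmarc_failures > 0 and rep.score < 0:
            return "suspicious"
        # Two fully aligned passes (4.0 each) are the assumed bar for "trusted".
        if rep.score >= 8.0:
            return "trusted"
        return "unknown"


def run_sample() -> dict[str, str]:
    """Feed the constructed headers through the tracker; return verdict per domain."""
    tracker = SenderReputation()
    for header in SAMPLE_HEADERS:
        tracker.observe(header)
    return {d: tracker.verdict(d) for d in tracker.by_domain}


if __name__ == "__main__":
    for domain, verdict in run_sample().items():
        print(f"{domain:20s} {verdict}")
```

The design point is the one the discussion was making: every input here is an identity/alignment signal the receiving platform already computes, and the verdict improves as more sightings arrive, which is the same shape a shared indicator feed between FIs, messaging apps and P2P fintechs would take.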
find more cartomancy [what's out there]
coming soon
On Friday, May 24th, I'm delighted to join the 2024 BSides Knoxville speaker lineup as their keynote. (Happy 10th Anniversary, Knoxville BSides-ians!) The theme for this year is near and dear to my heart - detection - and it should be a fun day of detective-ing and clue-deciphering wrapped by a Hacker Jeopardy after party. It's elementary, dear Cartomancers - come on by!
on demand
I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube, I encourage you to check out her projects). In this interview, we cover cybersecurity career and industry topics including:
What do hiring managers look for when hiring candidates for a job?
What cybersecurity skills are most relevant?
What are the biggest challenges facing organizations today?
A bit of a throwback, but it was so much fun chatting with Andy Ellis, and so much in here is true even a couple of years later.
ttyl [what's next]
Thanks for reading to the end of this set of lab notes. I'm thrilled to have some fellow travelers mapping out where we've been, philosophizing about where we want to be, and building the paths to get us where we're going.
If you've read to the end and you find this content helpful, I'd love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It's also a good way to find me if you are interested in working with me or with Cartomancy Labs).
See you next time on the Futurecast!
Allison
@selenakyle