PODCASTS, September 12th 2024

Nexi Talks: Payment Fraud

Payment fraud never sleeps. It feels like you need to work eight days a week just to keep pace with the bad actors who constantly challenge us in new ways. That’s why we created Nexi Talks: a new audio miniseries on fraud prevention that you can listen to anywhere. Throughout the series, you will hear from ethical hackers, criminologists, journalists, reformed fraudsters, software engineers, data scientists, and more. 

Discover how AI is being used by both good and bad actors in the fight for supremacy. Learn to identify and counter social engineering scams and understand how to protect your business and customers from rising levels of fraud.

Episode 1

In Episode 1, we’re joined by Jerry Tylman from Fraud Red Team and Sean Neary from Nexi Group to discuss the evolving landscape of fraud prevention.

Søren Winge: Welcome to this new podcast, Nexi Talks, where we will be doing a deep dive into fraud prevention. We have one aim: to help you understand and prevent deception as the war on payment fraud continues to heat up. We'll be joined by some of the best minds in the business, so you can learn from those who know payment fraud the best.

My name is Søren Winge, and I'll be your host.

Today, I'm joined by Jerry Tylman, Partner at Greenway Solutions and Founder of Fraud Red Team. His company mimics the tactics of fraudsters to highlight the risks to banks. Welcome to you, Jerry.

Jerry Tylman: Hi, Søren, very happy to be here today.

Søren Winge: I'm also joined by Sean Neary, Head of Fraud Risk Management at Nexi. Hi, Sean.

Sean Neary: Well, thanks, Søren. It's good to be here and I can't wait to jump into detail with you and Jerry on these subjects; specifically from a banking side: the challenges that we're facing on this increased agility from the fraudsters as a result of the increased availability of the technology, such as AI.

Søren Winge: Great to have you both with us. Right, let's get into it.

So, Jerry, how did we end up here today? How has fraud evolved, not least driven by AI?

Jerry Tylman: Fraud's been around for a long time, and it always follows the opportunity, and it adapts to the changing control environment. So, as banks introduce new products and services, you are always going to see fraud slightly behind that new introduction.

Søren Winge: Can you maybe elaborate a bit on that? How do you see the criminals follow these new opportunities?

Jerry Tylman: Generally, what happens in banking is: you roll out a new product and then you see where the fraud comes from, and over time you adapt your controls to the fraud that you are seeing. So, as banks came out with credit cards, fraudsters figured out ways to steal those credit cards, or steal all the numbers on those credit cards, to be able to use it through electronic channels. When they introduced online banking, they figured out ways to be able to steal your user ID and your password and to break into that account to commit what we call account takeover and move that money to other bank accounts.

The fraudsters are always looking for that gap, either in the actual code itself or in the processes associated with it. And generally, they find those things and it takes quite a while for the banks to be able to catch up.

And in the interim, there's a lot of money to be made.

Søren Winge: So, is it, in a way, a flaw in terms of how we design these systems?

Jerry Tylman: It's not that there's an absence of thinking about any of the fraud attacks that are there. It's just that you can't think of everything that the fraudsters are going to be able to do.

So, at some point in time, you have to release that product. And then you have to see where the fraud manifests itself. And one of the reasons that we created our service is to help banks accelerate finding those gaps and those weaknesses in their products and in their channels. And hopefully we can find them faster than fraudsters, and we can help them close those gaps before customers lose money, they are disrupted, and the banks have to spend a lot in operational expense to be able to deal with those defrauded customers.

Sean Neary: And that's interesting, right? So, Jerry, if you think about it: if we look back to how fraud was many years ago, when I started 20 years ago to where it is now, it's also a discussion point of how scalable it was back then to how it is now, right, and the rate of change of those attack vectors or MOs that we are seeing that your team are being brought in to do.

Because if you look back to when digital banking first, sort of, came out, there were lots of unknowns. Authentication wasn't that great. The tooling available to fraudsters didn't really exist. You found that it could be one specific gang that was then trying to work, but they were having to buy a specific list for one single bank at any one time, attack that bank for a certain period in a specific way, with very limited information they had.

So, that rate of change just wasn't there, right? And it gave banks the possibility to try and get on top of it. Is it fair to say, also, that because of the digital explosion, the availability of tools now that was opened up through, not just AI, but also through the anonymous communication channels, such as the dark web? Scaling is now almost infinite for these fraudsters, and they are able to try multiple attack vectors at any one time to try and see if there are any flaws in more of a broader aspect of the business.

Jerry Tylman: Yeah, a great example of this would be new accounts and identity verification. One of the problems that financial institutions deal with today is that these data breaches that have been happening for the last 15 years are so big that you can basically assume everybody's information is on a bad actor database somewhere in the world.

Søren Winge: So, Jerry, how do you see that the banks can adapt to this?

Jerry Tylman: I think of adaptation in two ways. One is how the banks have always done it, which is a reactive mode. And what you are doing there is you are looking at the true frauds that you get. And you are asking yourself, how did we miss this particular fraud? What changes do we need to make to our rules to be able to catch this the next time that we see it?

The difference between fraud detection and I would say cyber security has been: cyber security a long time ago, they adopted this sort of Red Teaming approach to proactively testing their controls. So, they are constantly probing and seeing, hey, how can I break into the interior of the bank and be able to exfiltrate data or something like that.

Whereas the approach in fraud has always been somewhat the opposite, which is we look at where we have losses, and we figure out how do we change our controls. And so, what we have been trying to do is say, let's flip that a little bit and let's be proactive, right? Some people will call it “offensive security”, where you are trying to beat your controls ahead of the bad guys and allow you to tweak those things before the losses manifest themselves.

And I would really say this, that fraud follows a couple of things, right? One is fraudsters are always going after our customers because our customers seem to be the weakest link in the whole chain. They go after any kind of change. So, anytime you introduce a new channel, like a digital wallet, or when they were introducing banking over phone and banking online, so anytime a new channel is introduced or anytime a new control is introduced, they are going to test that control. So, things that we are seeing right now would be like biometrics, fingerprints, voices, faces, etc. And then you also have to keep in mind what your competitors are doing, because they might be pushing that change to you, so, you have to be aware of the entire banking ecosystem and what those competitors are doing because fraud might be coming to you.

Sean Neary: The fraudsters, they are not a corporate organization, right? Some of them could just be a group of two people, some of them could be a group of 50 working across certain boundaries, but they don't have the restrictions of adaptability like we do in the banks.

So, how can the banks adapt to that change? And how fast can banks change? Because before, you had much more locked-down channels, there were very few attack vectors, like I was saying earlier on. So, you could control that, and they didn't come along as often.

I'm not sure if you have seen a similar thing in the US but like we have seen across in Europe: as soon as one hole goes down, the other one opens up but then the bank itself has to get funding, has to then get the right competencies and team together to make that change. Quite often by the time that change has been put in, at least from a back-end perspective, you are almost behind the curve, and I like this “offensive” approach to preventing fraud.

I see the industry quite often being a detection and an investment for fraud detection, which is a bit too far down the line given the speed and the rate of change that we are having today. And it's something that is truly driven by the boundaries you have when working in tier one, tier two, or any financial sector. We can only work as fast as our businesses can make decisions and our technology can also catch up because again, you were not all running on the top end technology, you are bound by legacy/huge platforms that have been there for a long time, maybe with different data structures, different connectivity types. Whereas the fraudsters, they'll just go and buy a new service. They'll spin up a new AWS environment and throw some applications running off that because they can, or their friends have just written a new algorithm to help write the new smishing aspect.

Jerry Tylman: We like to think of problems in three buckets. There are the “known” problems where I'm working on fixing something that I know is a problem right now. And then there are the “known unknown” problems where I know I have a problem. I don't know how the fraudsters are beating me. And then there are the “unknown unknowns”, which is there may be some problem that I'm not aware of yet and I have no idea what it is and how it's going to manifest itself. And so great example of rapidly fixing problems is in this known unknown category.

So, we have been approached several times by our clients where they are getting beat and they haven't figured out how they are getting beat. So, in the case in the United States, we have a person-to-person payment method called Zelle, which allows me to send money to you up to, depending on the bank, maybe $5,000 at a time and the money arrives instantly. So, obviously fraudsters love speed and attacking Zelle transactions is something that they like to do. So, one of the controls that the banks put in place was: before I could send a Zelle to you, I would have to enter a one-time passcode into the system. All makes sense, right? And one of the ways that the fraudsters have been stealing the one-time passcodes is through social engineering and they would essentially get the customer to give them the passcode.

In this particular situation, this fraud was happening at such a magnitude that there was no way that the bad guys were getting the customers to give away that many codes. And the customers weren't calling into the bank saying, “I gave the code to somebody”. So somehow, they were able to go into the system and redirect that one-time passcode instead of going to the legitimate customer, it was going to the bad guy. And so, they gave us that problem and they said, what's going on? How are they doing it? And so, our team started taking a look at it and within a couple of days, we figured out in the code, how this was actually happening. And we went back to the bank, we said, “it's in the code, they are doing this in the middle of the transaction. They are inserting their phone number, so the one-time passcode is going to them”.

And they took that to the development team. And the development team was like, “no, that can't be possible, there's no way they can do it”. So, we actually videoed our guys doing it and showed them exactly where in the code we were doing this insertion during the transaction. And they were like, “ah, yes, it's possible, we see where it's happening”. So, sometimes when the problem is big enough and thousands of customers are being impacted and millions of dollars are lost, then all of a sudden, you get all the resources you need to be able to fix something and it can happen within days, and we have seen this multiple times.

So, in the United States, 2022-2023, our FBI estimated that over $10 billion was lost to scams. This is where customers gave the money to the bad guys because they were scammed. And a lot of people think that was just based on the reported number of incidents. So, they think the number was probably five times larger, so, call it $50 billion.

A $50 billion company, I think, in the United States would be in the Fortune 100. So, if Scam Inc is really 50 billion, we are dealing with entities that are, combined, essentially a Fortune 500 company. And there's a tremendous amount of incentive to be able to continue to do this and that attracts a lot of very bright people in a lot of different parts of the world where ripping off Americans isn't necessarily against the law. So, we are up against what I would say is a well-funded adversary that is technically adept. They are attracting great talent, and they are a persistent threat, and we have to treat it that way. And if we start treating it that way, which is what the cyber community has been doing for the last 20 years, I think you'll see that we get more resources and more collaboration.

Søren Winge: So, Jerry you mentioned before, the example that one bank hired you and you devoted a lot of time and resources to identify an issue in their one-time password process towards their customers, where in fact criminals had found a way to redirect these codes and could exploit this bank.

I guess what will happen is that they will then – the criminals – move on to the next bank. Can you see that the banks could collaborate more closely to exchange insights around what is going on? I expect that the next bank would have the same or similar system that they could exploit in the same way.

Jerry Tylman: Yeah, that's something that we are thinking about because that “known unknown” at the one bank that came to us and said, we are getting beat, this is how we are getting beat. That's potentially an “unknown” at 50 other banks. So, do we go test 50 other banks to see if we can do this at 50 other banks? Or do we put a bulletin out and do we say, “hey, we found this problem at this financial institution. You should check this. It was a security flaw there that, resulted in, millions of dollars being lost”. And so, within our network of testing customers, we are looking at: could we issue these bulletins and then run these tests simultaneously to see if that gap exists there.

So, that's one form of collaboration that we are looking into as part of our service. But I would say that collaboration is difficult because it requires lots of banks agreeing on how to share information and when to share information and the legality of sharing that information. So, it's not something that gets done quickly, right? And again, fraudsters don't have to create committees and figure out if it's legal. Fraudsters can go ahead and do something the minute they think that it's profitable. So, in instances where collaboration is taking place, it's been very successful. It just takes a long time to get there.

I would say that other things that have been going on in the industry for years would be things like consortium databases, where if you find a particular device, like a laptop or a phone that's associated with fraud, you could put it on to a vendor’s negative list and if you are working with that vendor, you could check their negative list, that is built based on all the customers that they have. But I think for the bad guys, think of how well funded they are. If they lose a device, they just get a new device and a new one and a new one.

And what we have seen are that there are these, what they call SIM farms, where you might have in one room, 500 iPhones or 500 Android phones all hooked up and all being used to send out smishing text messages or putting something out on WhatsApp or some other social media platform. So, what we’re finding is that as soon as we make a change, like you are sharing data about that one bad device, the bad guys just figure out, “hey, here's a way to get around that, I'll just have 500 devices”.

So, what we really have here is a cat and mouse game where every move that the banks make to control the environment just creates a counter move on the part of the bad guys to figure out how do I pivot and get around that new control.

Sean Neary: Exactly, back to that point about their ability to scale and adapt now. Based on that growth of technology again, 20 years ago, it would have cost a fortune to try and acquire all those mobile phones, have a racking system, acquire contracts and mobile phone numbers to get it working, and now you can buy phones for cents on the dollar that are digitally enabled with some software that's running it, right? As you say, they can spin one farm down and spin one up. And that's as a result of that exponential growth and cost reduction in tech.

Jerry Tylman: And what they have also done, to ensure the life of that phone goes a little longer, is they don't try to send 50,000 messages from it in one day. They might send one every 10 seconds. And they just dial down what they send out. And so instead of talking about an IRS refund, they might just send a message that says, “hello”. And then all of a sudden, if you respond to that and you don't report it, as in, you don't delete it and report it as a junk text message and you respond to it, then the fraudster starts engaging you, they start grooming you, and all of a sudden, you are locked into the beginnings of a romance scam with that bad guy.

So, they don't just adapt in terms of the scale of devices, but also the speed at which they send these things out. They throttle it down and they change the language in it, which makes it really difficult to detect that it's a bad guy using a phone trying to scam me.

Sean Neary: And this comes also down to that end user, right? Because we have spent a lot of this conversation talking about us as institutions who are fighting against this adversary. The one consistent thing here is the customers, the cardholders, the end users, us who are on the end of that mobile phone. And I don't know about you, but there is a huge change in an end consumer, again, thanks to the digital age and technology availability; an expectation of instantaneous gratification from shopping or buying. But you mentioned scams, and there's only so much you can technically do from a scam perspective when really the person being scammed is a human and it comes down to sort of education.

Jerry Tylman: Yeah, it's a tricky situation. But scams are interesting. I love this topic because scams are this… I call it the intersection of psychology and technology, right? And people don't fall for scams because they are stupid. People fall for scams because they’re humans. And these psychological factors in play in scams are what make them so effective. These psychological factors are like curiosity and scarcity and authority, greed and urgency…

Sean Neary: And that winning right? Feeling like you are getting a good deal. You feel like you are winning.

Jerry Tylman: Yeah, exactly. That's greed, right? And so they come into play, and I've fallen for these, right? I had a situation where I got a scam text from the toll road company about a recent toll that I had. And it said, “hey, make sure you pay the $12.47 cents before Friday. Otherwise, you are going to get a $50 late fee”. And what is that? That's authority! It looked like the text came from the toll road company. And it's urgency: pay before Friday because otherwise you'll get a $50 late fee. And it was also convenience, the technology was just “click here” and I'll go to where I have to pay.

So, I didn't even have to get off the couch. I just had to just sit on the couch and pay the bill. And I went in there and I gave them all of my information except my social security number. And then I gave them my credit card information and I clicked enter and then literally two seconds later, I'm like, what did I just do?

Sean Neary: And it's crazy how you immediately knew. But in the moment, being a human, you wanted to quickly get it off your to-do list. It's actually a regular item that you do. It was just coincidence, right? I had the same thing when trying to pay tax bills. It just happens to be a coincidence that I was waiting for communication to come back. And it's that immediate, fast, “get it off my to-do list” rather than sit back, double check, really look at the originating –

Jerry Tylman: That's what I did. And so that was just a human behavior tied to three psychological factors, right? That made it really good. And I looked at that again and I'm like, “that was pretty clever”. That was good. And that toll road scam, that's being done in every state in the United States right now. It's probably happening all over Europe.

Sean Neary: Oh, definitely.

Jerry Tylman: So, that's a pretty clever one. And so wouldn't it have been better maybe from an education perspective, if that scam text message had actually been sent by a good guy. And if I clicked on that link, it would have said something like “you might've clicked on a phishing link, you better be more careful next time”. And what's interesting is in corporate America, we do those tests with our employees every single day.

And there's this whole concept of friendly phishing, where we send our corporate employees these phishing messages to test them. And it's a very effective way of testing them. It's classical conditioning, right? It's learning by doing. And so, the first time they get one of these really clever scams that are combining authority and urgency and convenience that I'm not getting it from a bad guy. I'm getting it from a good guy who's testing me.

And I think that's a paradigm shift that's going to be really, really hard for people inside financial institutions to think about, should I scam my customers as a way of educating them? It's going to be a difficult conversation, but eventually, I think we are going to get there because the current methods, just quantitatively, the evidence would say are not working because the losses just continue to grow every year.

Søren Winge: Jerry, leveraging the same methods, if you will, that the corporates use internally about friendly phishing, that could actually be a tool for the banks to use towards their customers, rather than the classical information campaigns, which are apparently not working to the extent that they hope for.

Jerry Tylman: The reason that we don't pay attention to these messages, the current educational messages where you log onto a website and it says beware of scammers, is because you are not going to your bank to be educated about scams, you're going to your bank to pay a bill or to check the balance. You have a task. That's why you are there, right? And so, there's another psychological principle called selective attention that essentially says that we filter out noise. And so that message, educating you about scams, beware of scams, right, it's just noise because I'm trying to complete the task. And what we have to do is we have to look back at what are the effective ways of training people and use those, and it's a little bit daunting to think about sending a scam message to your customer, but that's really the best way that they are going to learn.

Søren Winge: So maybe Sean, maybe you can explain, you at Nets/Nexi, you are serving a number of banks across Europe in terms of fraud detection, fraud management. How are you leveraging the insights you might get around one bank or around a certain situation you identify in one country maybe, and share that across for other banks to benefit from?

Sean Neary: Yeah. It’s a good question. When you look at what's happening in a specific market or in a specific country, there are many variables that you have to consider that might not be the same in a different country. You have to know the ins and outs of your customers. And you have to layer, that's the other part, one system will not do it for you. It will not be able to meet all your needs, especially if you try and put all your changes into that one system, you will see a very slow rate of change and the capabilities to change due to your backlog becoming huge.

So, what you have to do is layer it. You layer it with external research and data sharing between banks and different entities and general domains, so you take that information, you bring it in. You then take actual data from your actual systems, and you write rules, physical rules. People might say it's old school, I don't see rules disappearing for a very long time. They are there to manage a strategy and a balance. They are there to have a fast adaptability because whilst you have AI / machine learning, which could be your second layer of defense at least in the detection perspective. The rate of change: you have to retrain the model, you have to also layer it on top of what are your customer education strategies? What are your operational defenses in the call centers where fraudsters try and phone up and fish information out of the bank themselves? What are your authentication strategies for the customer? How have you applied them within your 3-D Secure channels? Are you sharing data between the different aspects of the user journey when they make a payment, when they move money, because they all go through different systems. Are they connected? If so, how are they connected? How are you utilizing what we call in the industry signals, so identifiers of fraud.

Jerry Tylman: The one thing I would add where I really think that AI can help is that if you can increase the size of the dataset to include the other financial institution that is involved in the transaction. So, when you think about scammers, you have a lot of customers that are being scammed by, say, the same gang or the same person, but they are at 50 different banks. But a lot of that money is finding its way to one or two bank accounts on the other side.

And so, if you add visibility into both who's sending the money and who's receiving the money, then you might be able to do a better job of being able to spot the scam because if 50 people are all sending $12.47 cents, take my toll road example, right, all that money's going to some bank account over here.

You could then say, ah, everybody who just sent money to that bank account, there's 50 different accounts out there. This is a scam. And so somehow if you can see both sides of that payment equation, and you could instantly see that this is a scam that's playing out.

And so, it's interesting, most banks only have visibility into what their customer is doing and where they are sending it. And maybe if ten from their bank all sent to the same person, they should be able to spot that. But then if you had information from the other side and the other side was alerting all these incoming banks of all these incoming transactions, you might have better visibility across the industry to what's going on with that particular scam.

So, the scale of being able to collect more data or have more insight is where AI is really going to be leveraged because then we are going to be able to spot things a lot faster.

Sean Neary: Yeah, I agree. And before, if you pitched that to me, maybe five years ago, I would be going, I don't have an unlimited budget to create such a huge dataset and maintain it and run it. But luckily, we are also seeing it to be more of a commodity and readily available at a cheap cost for us to use this technology in this space as well. And we are going to see that grow even further and even faster, I think, from what you are seeing in the market and its adoption.

Jerry Tylman: Because when you think about it today, your system might be able to detect that this is probably a scam. So, what do we do? We call the customer and say, “hey Jerry, did you mean to send money to the toll road company? 'Cause we think it's a scam.” And I'm like, “yeah, yeah, I meant to send that, it's legit”.

But if you said, “Jerry, we have determined on the other end that you just sent money to a scammer”, that's a different conversation. And so, a lot of times what's happening is banks are actually picking up on the anomalous behavior. But when they talk to the customer, they are convinced that, yeah, this is legit.

And so, you are like, okay, it's your money, go ahead, right? But if you can see all of this then it's a different conversation with the customer. So, you caught it. You can, and maybe what you do in that situation and say, I'm not going to let you send money because I know that's a scammer on the other side.

And you block the transaction, and you block the beneficiary and just say, look, you are on our negative list now. Your strategies will adapt based on the richness of the data set and your ability to drill into it using the AI tools.

Søren Winge: So, I guess a key takeaway of today's conversation, Jerry and Sean, is that the more data we have, the more insights we can include, the more we increase our ability as fraud monitors or fraud detectors to identify and stop these types of scams quickly, and maybe also, in terms of our rule setting, to identify this the next time it happens.

So, getting this broad input of information, adding more pieces to the puzzle, so to speak, will enable both the banks and/or providers to the banks to pick up on these things quickly as the banks will usually only be able to be reactive to these, and the question is how quickly can they close the gap? How quickly can they react? So, it doesn't continue to go on towards another bank in the domain.

Jerry Tylman: Yeah. And then, for me personally, the big paradigm shift is not just always being reactive, but just adding that proactive category to things to trying to get ahead of this.

Søren Winge: Yeah, because maybe having, maybe feeding your machine with a lot of data, a lot of transaction data that might enable also even the fraud prevention part of it to react very quickly and maybe even in real time as it would, leveraging on AI be able to detect it at the very beginning, right?

So, a great conversation! Could be interesting to hear, I mean, what are the key takeaways that you feel we should call out as summing up our conversation today?

Jerry Tylman: Yeah, I would say that having both a reactive capability where you learn from what went wrong and where the losses were to also adding that proactive capability. So, don't always let the fraud come to you, but constantly be testing all of these different layers because layers add complexity and complexity leads to gaps, right?

And find out where those gaps are because that's where the fraudsters are going to be focusing too. So, have a proactive capability that meshes well with your reactive capabilities. And I think that does a really good job of being able to spot the weaknesses before the bad guys get there. And that hopefully will protect customers and data and obviously reduce the amount of losses that financial institutions have to deal with.

Søren Winge: And I think this aspect of AI is also a very important lever to activate those layers we talked about earlier, right?

Anyway, this is something we'll address in the next episode, where we'll be joined by Troels Jensen, Director of NextGen Operations in KPMG Denmark, and Alberto Danese, who is part of the data science team at Nexi.

We're going to bust a few myths around AI in fraud and explore what it really means for you.

In the meantime, please visit nexigroup.com for more information on combating fraud. You can also connect with us on LinkedIn at Nexi Group. And of course you can also connect with our guests throughout the series.

The podcast is available on Apple Podcasts, Spotify, and indeed anywhere you usually get your podcasts. So, please like and subscribe and the next episode will be delivered straight to your device. Thanks for listening and join us again next time as we get to grips with the word on everybody’s lips: AI.