Cyber Pros Offer Insight On Credit Card Fraud, Mobile Payments & Data Scandal
Dan Gunderman
04/24/2018

The most recent episode of “Task Force 7 Radio,” hosted by information security executive George Rettas, focuses almost exclusively on credit card fraud and mobile payments. The opening segment, however, reviewed the controversy swirling around data firm Cambridge Analytica and the social network Facebook.

Rettas outlined the position of Aleksandr Kogan, who developed the app that the controversial firm utilized to collect data on millions of Facebook users. Rettas said that the developer has been “singled out” in recent weeks – as evidenced by his recent appearance on “60 Minutes.” Rettas said that the interview, one in which correspondent Lesley Stahl called Kogan “guileless,” must have given Facebook “heartburn.”

Cambridge Analytica Scandal

The allegation against Kogan involves harvesting and subsequently selling Facebook user data. According to the “60 Minutes” segment, Kogan thought he was doing everything the right way. Rettas said that Kogan did not “come across as sinister” in the interview, and pointed out that “tens of thousands” of people and firms used Facebook in the same way. Kogan suggested he has been singled out because of the politically sensitive subject of his research (political demographics).

The “TF7 Radio” host said that Kogan was not “exploiting a bug on the Facebook platform,” but a “feature” – and one that has been abused. This feature, called “Friend Permissions,” was seemingly built into Facebook.

The social network’s CEO, Mark Zuckerberg, who recently testified before Congress, said that if a developer goes in violation of their user agreement and sells data, “that’s a big issue,” and one that was upsetting to him, and to the company. Facebook says its developer policy does not allow for the transfer or sale of collected data. Kogan, however, reportedly said that he may not have read the user agreement. Rettas said that Kogan’s user policy contradicted Facebook’s developer policy – regarding the dissemination and transfer of data.


Credit Card Fraud

In the show’s middle segment, Rettas spoke with Tom Pageler, the Chief Security Officer and Chief Risk Officer for Neustar, Inc.

Pageler, a former Secret Service agent, spoke about his time in the electronic crimes task force in the early 2000s, when credit cards were just going online. He spoke of “big cases” that he worked on in conjunction with law enforcement entities such as the FBI, IRS and USPS. Pageler discussed his work taking down an online (Russian and Ukrainian) organized crime group called the Boa Factory (play on Bank of America along with the snake).

Discussing credit card theft, Pageler said, “Back then, it was easy pickings to go after this, and steal credit card data or merchandise online. Today, it’s more sophisticated. It’s different, with giant fraud and security teams out there. There’s been a transition from credit card financial fraud to other areas – to easier stuff.”

On whether credit card fraud was, initially, the “cost of doing business,” Pageler said that it is different today than it was when he began in the space. In his time at Visa, beginning in 2005, Pageler said that the fraud was considered a business cost – a nickel to every $100, he said. While the company was proactive and tried to fight fraud, Pageler said they were forced to accept a good amount of cost.

He added that for a time, fraud rates went up because more people began storing their credit card data online. Also, more and more merchants were going online. Pageler said that eventually the Payment Card Industry Data Security Standard (PCI DSS), through the Security Standards Council, emerged and helped unify anti-fraud policy. He said it was the first time that the private sector came together and self-regulated this burgeoning space.

Pageler said that “cost of business” mindset is no longer the practice. In a more secure world, credit card companies run the risk of losing large sets of consumers if security measures are faulty.

Today, the “TF7 Radio” guest said we’re seeing far less credit card fraud since the transactions are no longer “low-hanging fruit.” However, because of the regulation ramp-up within the credit space, Pageler said that breaches have occurred elsewhere – such as credit reporting agencies like Equifax. Some industries, he insisted, are not as self-regulated, with no governing standards. Because of that, fraudsters have shifted their focus.

Cryptocurrencies

The “TF7 Radio” guest said the currencies are new but “here to stay,” as they allow for convenient transactions around the world. However, the next biggest focus is security around these digital currencies. Part of that is the fact that the money is not recoverable once lost. Cue the introduction of digital wallets, Pageler said, which allow for secure storage. Pageler cited the CryptoCurrency Security Standard (CCSS) as a means to continue heightening security around crypto-transactions.


On the other side of the (bit)coin, Pageler said that, indeed, cryptocurrency transactions are more dangerous. He said there must be intermediaries – to dole out keys – to make the space safe. More and more, he said, cyber-criminals cannot just breach one customer to access funds – they must also tap into the proverbial “bank,” at which point they might expend their energies elsewhere.


Mobile Payments

In the final segment of the show, Rettas spoke with Eduardo Perez, SVP - Regional Risk Officer, Visa Latin America and Caribbean, about the shift in mobile payments – and Visa’s presence at the cutting edge of multi-factor authorization (MFA) beyond the password.

On the VoiceAmerica Business Channel program, Perez said that there has been an “explosion of different types of (related) solutions coming to the market.” He cited Apple Pay and Samsung Pay as two useful tools. EMV Chip technology, he said, generates a code/cryptogram for each unique transaction. Perez also cited the growth of biometrics as something that could enhance the space. Biometrics, he said, will allow the consumer to authenticate themselves – even using fingerprints. In the near future, it could also include voice recognition.

Perez said there’s been an explosion of use cases around mobile payment solutions, many of which allow for payment at the point of sale and within applications.

Perez said that a combination of tools – tokenization, EMV chip technology and biometrics – will more securely allow consumers to make transactions “in any way and any day.”
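The two mechanisms Perez names, a payment token standing in for the card number and an EMV-style cryptogram that is different for every transaction, are easiest to understand from the issuer's side: the issuer recomputes the cryptogram over the transaction fields and enforces a strictly increasing transaction counter, so a captured authorization message is useless if it is replayed or altered. The following is an added, deliberately simplified model written for this recap; it is not Visa's or any card network's code, not the real EMV ARQC algorithm or key hierarchy, and the key, token and transaction values are constructed.

```python
import hmac
import hashlib

# Constructed demo key shared between the "card" and the "issuer".
# Real EMV uses per-card keys derived from an issuer master key; this is a stand-in.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_cryptogram(key: bytes, pan_token: str, amount_cents: int,
                     atc: int, nonce: bytes) -> bytes:
    """MAC over the transaction fields plus the card's Application Transaction
    Counter (ATC) and a terminal nonce, so every transaction yields a new value.
    HMAC-SHA256 truncated to 8 bytes is used here purely for illustration."""
    msg = b"|".join([pan_token.encode(), str(amount_cents).encode(),
                     atc.to_bytes(2, "big"), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer-side authorization: verify the MAC, then reject any ATC that does
    not move forward, which catches replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = {}  # pan_token -> highest ATC accepted so far

    def authorize(self, pan_token: str, amount_cents: int, atc: int,
                  nonce: bytes, cryptogram: bytes) -> str:
        expected = build_cryptogram(self.key, pan_token, amount_cents, atc, nonce)
        # Constant-time comparison so verification timing leaks nothing about the MAC.
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE_BAD_CRYPTOGRAM"
        if atc <= self.last_atc.get(pan_token, -1):
            return "DECLINE_REPLAY"
        self.last_atc[pan_token] = atc
        return "APPROVE"


def demo() -> list:
    """Walk through one genuine purchase, a verbatim replay, a tampered copy,
    and the card's next genuine purchase. Returns the issuer's decisions."""
    issuer = Issuer(CARD_KEY)
    token = "4111-token-0001"  # constructed payment token standing in for the PAN
    nonce1, nonce2 = b"\x01\x02\x03\x04", b"\x09\x08\x07\x06"
    results = []

    # 1. Genuine purchase: card computes the cryptogram with ATC 7.
    c1 = build_cryptogram(CARD_KEY, token, 2599, 7, nonce1)
    results.append(issuer.authorize(token, 2599, 7, nonce1, c1))

    # 2. The same authorization message is submitted a second time.
    results.append(issuer.authorize(token, 2599, 7, nonce1, c1))

    # 3. The captured cryptogram is resubmitted with a different amount and counter.
    results.append(issuer.authorize(token, 99999, 8, nonce1, c1))

    # 4. Next genuine purchase with the card's incremented counter.
    c2 = build_cryptogram(CARD_KEY, token, 1250, 8, nonce2)
    results.append(issuer.authorize(token, 1250, 8, nonce2, c2))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point the model makes is that the static card number never has to be exposed to the merchant (only the token is), and that knowledge of a past cryptogram gives no ability to create a valid new one or to reuse the old one, which is why Pageler and Perez describe card-present fraud as no longer "low-hanging fruit."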

The SVP said that many of these features/services have already been offered around the world – with high usage rates.

For higher-value transactions, he added, “biometrics can help to provide users the confidence they may want.”

In the closing minutes of the show, Perez touted Visa’s Threat Intelligence program (including the “indicators of compromise”) and its ID Intelligence platform, which provides authentication services to partners in the payment system.

Perez also spoke about the evolution of the password, and whether the ID Intelligence service is its “death knell.” He said that with the platform, solutions are offered that “don’t depend on static credentials.”

“(We) believe biometrics and other forms of authorization offer consumers a secure, convenient and fast way to pay…”

Regardless, though, criminal groups and operatives will continue to target the financial system. Perez said the industry must “remain vigilant.”

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

