Art Coviello, the former CEO of RSA, opened his keynote at ISMG’s Fraud Summit 2018 with this profound, simple declaration: We are responsible for the proliferation of fraud because we permit it. Coviello discussed how technology “accelerated the pace and reach of fraud and fiction” and went on to connect the theme of fraud to larger issues: Russian trolls and American politicians’ denials of simple facts. It was a powerful message that resonated with a lot of the audience. Although the conference only spanned one day, the speakers were both experts and experienced practitioners, so their insights were both hard earned and unique. Below are a few key takeaways from outstanding talks.
Jim Cunha of the Boston Federal Reserve highlighted that we, as fraud professionals, have to ask ourselves: how do you measure progress? We need to think along the lines of creating metrics that we can measure over decades. The fraudsters are constantly improving, and the fact that fraud moves to different channels doesn’t mean a reduction in losses. Collaboration is critical to outcompeting cybercriminals.
What are the insider threats of a fraud program? There isn’t a more dangerous adversary than one that knows the risk controls. Randy Trzeciak from the CERT Insider Threat Center at Carnegie Mellon University explored the human factors of insider threats and the unpredictability of the audit and fraud detection process. For example, human resource choices can disenfranchise employees: “Good managers of technology aren’t always good managers of people.” Trzeciak insightfully identified that cultural and other factors can create a permissive environment for insiders. He concluded with an approach that we at Terbium share: “Building a risk profile is key to understanding how to deploy resources.”
Troy Leach of the PCI Security Standards Council educated the crowd about new and emerging standards within the payment ecosystem. Opportunities and challenges stem from innovation, as long as we understand how standards have changed; back to Cunha’s point, our effectiveness is a function of what we measure. Other talks ranged from the emergent threat of synthetic identities and signatures of behavioral analytics (for instance, how keystrokes can leave a clickstream of suspicious activity that reveals intent) to the proliferation of fake account creation and how loyalty programs can be used to launder money and further amplify the impact of credit card fraud. Lastly, a number of talks touched on the “speed of security,” or rather, the fact that we depend on old security protocols for new technology. Very simply, today is a different environment and requires updated data protection.
After a day of conversations and talks, little question remained in our minds that we are on the right pathway, focusing on the combination of automation, analytics, and partnerships. As we face today’s and anticipate tomorrow’s challenges, more of Coviello’s words resound: we need to stop being victims and have to call out fraud that we see in society each and every day.