Stay safe when shopping online

Sam Bouso, Founder of Precognitive Inc, and Cyber Work podcast host Chris Sienko discuss current security risks in online retail, fraud prevention, online shopping behavior, and how some fraud prevention strategies can actually hurt online retailers.

Chris Sienko: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Hopefully, you've all finished your holiday shopping, if you have any, or are well on your way to doing so. Many more, of course, will wait until the last minute to complete this time-honored ritual of buying lots of stuff for friends, loved ones, random acquaintances, and others. That's why cyber criminals have such a field day in the months of November and December, finding new ways to glean credit card info, steal identities, or use other people's credentials to buy themselves a bunch of ill-gotten presents. Sam Bouso built the company Precognitive from the ground up as a cyber crime prevention platform that uses device intelligence, advanced behavior analytics and AI to monitor more personalized aspects of the user's behavior, e.g. gestures, typing patterns, et cetera to pre-detect and prevent fraud across a wide variety of industries: banking, fintech, travel, entertainment, retail, eCommerce, et cetera. Precog also recently partnered with ShopRunner and is now protecting hundreds of the world's top retailers like Tommy Hilfiger, Kate Spade, Kenneth Cole, et cetera. We're going to talk today about some of the security risks currently happening in the shopping sphere, fraud-creating bots and how to mitigate, as well as fraud prevention measures that actually hurt retailers. We'll also talk about how these issues can be studied and learned by aspiring cyber security professionals to make them more marketable come next year's holiday shopping cycle.
Sam Bouso founded Precognitive in 2016, marking a dramatic leap forward in the way companies combat online fraud to protect consumer accounts and authenticate users. Prior to starting Precognitive, Sam joined the product team at 41st Parameter where he enhanced their fraud technology and helped develop the 41st Parameter's advertising division, Ad Truth. He led global product innovation and liaised between clients, business development and engineering to develop ad tech and device fingerprinting products. 41st Parameter and Ad Truth were acquired by Experian in 2013. Sam remained with the company to help further develop and innovate the ad tech platform before striking out on his own to begin work on Precognitive and that brings us to today. Sam, thanks for joining us.

Sam Bouso: Thank you for having me, Chris, glad to be here.

Chris: Great, and we're very glad to have you. So, let's start where we start with all of our guests. How did you get started in computers and security?

Sam: You know, computer, I think I've been involved with since I was very young. My parents purchased me a Radio Shack PC with eight megahertz, I think, at the time.

Chris: Okay, yep.

Sam: So I've been playing with computers since I was very young but entering into security was a bit of a coincidence. I was working at a bank on analyzing card portfolios to make them more profitable. And I noticed the biggest problem was fraud. And one thing led to another and I was studying comp-sci at the time and I started building, essentially, what was my first fraud systems at that time to try and stop some of the fraud we were seeing. So that was really how I got into the security side of it and it's really just progressed from there.

Chris: Okay, so this was something that you weren't necessarily moving towards but you just saw something that was interesting to you and a sort of space that needed filling and you jumped in the breach.

Sam: You got it. Something that I observed at the time and then found a way of fixing and, from there, I was asked to take over managing fraud for that financial institution and I've stayed in that field since.

Chris: Okay. So, we're going to jump right in today and talk about some security issues currently cropping up around the holiday gift-buying season. You told me earlier about eCommerce companies who had their Cyber Monday and online holiday deals bought up en masse by bots, taking advantage of lightning quick processing that humans can't match, which could be resold at later dates for a higher price. Is that something that's new that's been discovered this year or has that been going on for a while and how does it work?

Sam: Yeah, that's a great question. So, bots have been around for a while and, I think, where we initially saw them were consumers wanted sneakers that were in very high demand and would sell out very quickly. So, some people started writing their own scripts to do these types of things, piecing together their own bots and then, what we saw was people started letting you use them as a regular consumer. So there are websites out there now where you can go in there, put in your credit card information, say I want this sneaker and they will get it for you using one of these sneaker bots.

Chris: Sort of a fraud software as a service kind of situation.

Sam: Yeah, and, you know, in some sense, that's not always, I guess depending on the terms of the website, et cetera, it's not necessarily fraud and they're not necessarily doing it maliciously, it's kind of the fear of missing out. I really want this thing--

Chris: Yeah, I gotta go to my final exam but I want those shoes or something.

Sam: You got it. They know they sell out really fast and you want to be one of those people that get them. We have seen this around for a while and you can go find GitHub repositories even that are open source that have code that lets you do this type of stuff, right. So you can modify it, point it at a different website, do what you need to do. So, I think it started off not necessarily being malicious in the sense that people just wanted something and they didn't want to miss out so they had these bots. What we are seeing a bit more of now is with some of these door-buster deals, the retailers are selling those products or certain items to get people to come to the website, come to the store and they are discounting them heavily, right. So they can be sold on a secondary market like eBay or some other auction type site. And this is where we are seeing, now that the technology has become more prevalent, you have people using it to snag up all the hot door-buster deals. And that does create an issue, obviously, for the retailer, for legitimate consumers, and then, this kind of layout, if you will, that's taking place, it's not because they want it for themselves to use and fear of missing out, it's because there's a profit to be made by reselling it. And while it's not necessarily your classic type of fraud, it is certainly a form of abuse. And one that ruins user experience for other people.

Chris: Yeah, and I was going to say, that seems like, apart from the people who want to get the thing at the right price or whatever, it's also hurting the sort of natural promotion that the store intended to get lots of people there and, instead, their reason for getting you in the door is completely gone before you even have a chance to browse around.

Sam: You got it, yeah. And it is unfortunate that we've certainly seen an uptick in that this year. We have seen some of this previously in the prior holiday season but it seems to be growing year over year. So, I think that's also a natural progression of technology becoming more readily available and now you don't have to be a programmer to do this. You can put in a credit card and it'll do it for you. Or you can really configure something.

Chris: Sure, is there some sort of strategy that retailers can use to get around this, have sort of a one per person kind of thing, is there a way of noticing that 67 pairs of shoes just went very, very quickly or is it just one of those things that is the new normal?

Sam: No, there's a couple ways of stopping this. Some of the, depending on the sophistication of the service and even the individual, you could do things as simple as saying you can only ship one of this item to this address. So you limit, not necessarily the cart but just overall because what they will do is transact once and transact again. You can look at other people's data. Like, we're only going to let one transaction be allowed for this item per IP address. But that, in and of itself, will stop, I would say, probably 50% of this. They are the most sophisticated groups that change the IP for every transaction.

Chris: Yep.

Sam: I mean, to really stop that, you do need a bot mitigation system, something that could assess when the activity is happening, is it actually a human or a bot, and be able to make a decision at that level. So, it really depends, I think, for the retailer. Certainly, if you're a larger retailer, you're going to need something more sophisticated and you need to have a bot mitigation system to stop this. But if you're a smaller eCommerce shop, you might be able to do something like just looking at things like velocity and how many times you've seen things like an address, or an IP, or even a credit card number and limiting the number of items they can purchase from your door-buster list to one or something along those lines.

Chris: Is this sort of a fight fire with fire situation where some sort of automated system is doing most of the work or would this be something where you would have a certain person really checking the logs as it's happening and watching for aberrations?

Sam: Generally, you're going to do this in an automated manner. So you're going to set up some logic that says, hey, if I see the same IP purchase the same SKU and we know this is one of our door-buster SKUs, we're going to reject it after the first one. Likewise with a bot mitigation system, a lot of those are set and forget, right. You configure it, set it up, and it will stop the bots on your behalf and you don't really have to deal with this.

Chris: Okay, but someone has to obviously write that at one point but always looking for opportunities for our students to get into the game here but can you tell me about some other types of consumer fraud, shopping fraud, online fraud that are, unfortunately, hot at the moment?

Sam: So, hot during the holiday season, there are certainly a number of different frauds that pop up we see every year. One we're seeing a bit of now is fake sites. So they are setup to look like eCommerce websites, they have the product that you want and they have it at a very good discounted rate. And in a lot of the cases we've seen, the offer is just truly too good to be true.

Chris: That's always a good sign.

Sam: But it does work this time of year. Some of your people are shopping and they're looking for great deals, a lot of times, there's no inventory at all, so you, as a consumer, might purchase and you won't get anything. We have some more sophisticated instances where the front store, if you will, once an order is placed there, the fraudster will actually pick up the stolen credit card and go place a secondary order at a merchant that really has it and have them ship it directly to you to try and make the illusion that it is a legitimate store.

Chris: I see.

Sam: And that helps them prevent from getting shut down too quickly.

Chris: Right.

Sam: Or from people filing chargebacks right away when they think something might not be right, then they get the package. And the goal for these guys is to keep their merchant account open on that website long enough until they can pull the cash out. And there's, as with any kind of banking setup, there's some delay for them to be able to get the cash that you spent on that website into their bank account, generally a couple of weeks. So, they want to keep the appearance of everything looking really nice and legitimate for that period of time. And then, afterwards, they'll probably stop filling the orders or whatever it may be. So this is one we're seeing quite a bit of. The other thing we are seeing a lot of is an uptick in phishing around this time of the year. A lot of it is coming from, you know, this is your bank, did you make a purchase, please click here. Which, we do, sometimes, get from our financial institutions but fraudsters are aware and hackers are aware that this time of the year, these emails do increase because shopping increases. So they also are looking to take advantage of that where everybody's on the run, we're all busy doing our holiday shopping, can they get us to click on a link or get us to, essentially, can they social engineer us? So, one of the plays we've seen on this now is you'll actually get an email that says, hey, and it'll be legitimately from your bank or from a provider that says, hey, you tried to do a sign in and request a code. And what you'll get, subsequently, is a phone call from the actual fraudster pretending to be the bank and saying, hey, we sent you a verification code, I need to confirm it's you, can you read back the code that you're going to get in this text message or this email?
But what they're really having you read back is a multifactor authentication code or the two factor authentication and then, what you're basically doing is getting them access to whatever account it is, your bank account, your telephone account. And we've been seeing this increase as well over the holiday season. It's not necessarily a new scam but one that's just picking up in the number of occurrences. Fraudsters are taking advantage of the holiday season and the chaos that ensues sometimes.

Chris: Yeah, it's evergreen 'cause it works.

Sam: Yep.

Chris: Yeah. So, back in 2008, I remember reading stories about Magecart groups that specifically use malware to steal credit card numbers at the checkout stage of actual retail sites. Is that still a persistent issue or is that something that retailers have got better at defending it?

Sam: Yeah, so this is still an issue. Generally, with these Magecart hacks, if you will, what's taking place is the fraudsters or hackers, in this case, want to go after a big retail website, or airline, or whatever it may be, and those companies, generally, have good security. So what they do is go to the weakest link and what they'll generally do is say, okay, let's find some sort of advertising player that has their JavaScript embedded inside of this website we want to go after. British Airways was a great example of this, right? British Airways itself had a Magecart attack. It wasn't them that was breached, it was an advertising vendor that they let run JavaScript on their website. So, what the hackers are doing is compromising the weaker link in the chain and they're replacing code or they're injecting code that does this skimming of credit card numbers or credentials. So, we do continue to see this. I think this is something that we knew as a security community was a risk. When we go pitching our technology to a bank, they generally say, wait, wait, wait, you want to put JavaScript on our page and you're going to host it? And there are ways to mitigate around this. I mean, if you put something in an iframe, for example, you can sandbox it but there are certain types of tech that you can't run in an iframe. Like, I don't know, if I want to see a heat map of how my user navigates through my website for user experience, it needs access to the DOM, to the Document Object Model. So I can't put it in an iframe, it has to run on the page. And that's what these hackers are going after is, let's go compromise these types of services, replace the script with our code, our inject from the bar code and that's how they're lifting this data.

Chris: Okay.

Sam: So, it's a persistent threat and I think it's one we'll continue to see for a long time.

Chris: Yeah, and there's not sort of a one size fit all remedy to it just yet, doesn't sound like.

Sam: There is, like, the iframe is obviously a great thing if you can do it but sometimes you need to have the script on the page. I am seeing some entrepreneurs now and cyber security people starting to create services to help solve this. What they're primarily doing is connecting an actual browser that's automated or running something like a Wget or a Curl, if you will, to pull down the page and all its scripts on a periodic basis for a merchant or retailer. And what they're doing is seeing the script change and if it did, it triggers an alert and says, hey retailer, or whoever the company is, go look at this script, there's been a modification to it. So there's some technology coming out to help detect it. We haven't seen much in terms of mitigating yet because somebody has to take the script out. There are some ways of doing this but I think we just haven't built the tech yet.

Chris: Okay, on its way. So do account takeover scenarios figure into all this at all and, if so, have you seen any cases of this and is there a way to defend against that?

Sam: Yeah, account takeover has been growing year over year for the past five or six years. A lot of what we do now, at Precognitive, is preventing account takeover. It wasn't something that was, for us, a primary use case. It was just something we knew how to do but there is a lot of demand around that because of how much account takeover fraud is happening. I think, year over year, the increase we see, they went from 30 to 40% in the number of account takeover attacks that we're seeing. So, it continues to grow pretty rapidly. From an account takeover perspective, I think there is a number of things that are already being done. Obviously the shift to things like two-factor authentication, MFA, help harden and make it a bit more difficult for fraudsters to do. A lot of these account takeover attacks are generally starting out elsewhere too, right. Someday the breach happens like the Magento marketplace one that you mentioned, for example.

Chris: Yes.

Sam: Assuming there were credentials where, which I don't think there was in this case, most credentials are unfortunately getting used by the consumer on many different websites, so the fraudsters will go and conduct what we call a credential swapping attack. So, I'll take a list of username, passwords that were breached, maybe even a year or so ago, I'll put them into a tool that I have and I'll plug them up to a bunch of websites and let it go test to see which credentials have been reused. So, if you use the same username and password on your Yahoo email, and then you've used it on your Bank of America credit card, they could potentially access that account.

Chris: Yeah, that's a classic.

Sam: And then, the actual usage of it takes place. So, credential stuffing itself continues to rise in terms of the number of attacks we're seeing. But there is good technology now to help stop that. So, if you're a large enough target, there's a plethora of solutions out there that you can plug in to mitigate these types of attacks.

Chris: Okay, so one of the topics we discussed in the introduction that's very intriguing to me and I had not heard of before was eCommerce fraud protection strategies that hurt retailers, can you give me an example of that?

Sam: Yeah, so, when we're generally looking at what people are doing to try and defend against fraud, one of the big issues that a lot of the techniques tend to introduce is friction for the consumer. So we have seen a number of retailers try to do things where when they have issues with account takeover or credential stuffing, they're doing things like inserting reCAPTCHA type approaches. So, you'd have to solve the reCAPTCHAs to get in. You can also see, though, from those same analytic scripts that we're using for our bot mitigation and so forth that people tend to bounce pretty frequently when they're prompted with these reCAPTCHA type challenges. We've seen other sorts of friction like that where retailers are unable, or businesses are unable to make decisions in real time and are requiring consumers to have some sort of contact with the business directly. Either someone from customer service calling to verify an order, things along those lines.

Chris: I see.

Sam: And we also see that those tend to really hurt sales. A lot of those orders are actually legitimate, they're false positives just because the decision tends to put it on hold which is not good. And people are out and about, they're not picking up their phones and certainly not for a number they don't know. And, ultimately, the retailers, in a lot of these cases, don't end up sending the product because they didn't make contact with the consumer. They'll tag it as suspected fraud and cancel it. When we go and analyze these, we see, on average, about 50 to 70% of these rejected orders are actually false positives. So, if you're a retailer, you're putting on a review, for example, say, five or six percent of your orders, and then half of those you are rejecting or not fulfilling. That's anywhere from two to three percent of revenue, depending on how much you're stopping like that. So that's another technique we're seeing is generally around just introducing friction, not being able to make decisions in real time where it has a negative impact on both revenue for the retailer as well as the consumer shopping experience. Another thing we've noticed there is when you put up friction for a consumer and they go elsewhere, I believe that stat we came up with was 37% of the time, they never come back to your site.

Chris: Yeah, yeah, they've been burned.

Sam: Yeah, they're like okay, I'm going to another site instead and they have it and they forget about you.

Chris: Right.

Sam: So, it is a big risk, I think and certainly a strategy that's been fairly harmful for a variety of retailers out there.

Chris: Do you get the sense that retailers are getting the message about this, do they see that they're losing this revenue or are you having to explain it to them and then they have to change their tactics?

Sam: That's a really great question. I would say it's a bit of a split. There are retailers where when we actually start showing them the numbers, they have the jaw-drop effect and say, oh my god, I didn't know this was happening, how long has this been happening. And they may have been doing it for years. And there's also another, I think, even more knowledgeable group or subset, if you will, of retailers that are aware that this is happening, they are trying to take steps to help mitigate it and reduce the friction for the consumer. So it's a bit of a split but, if I had to say one way or the other, I would say most are unaware has been my experience.

Chris: Okay, so that's on the to-do list for the next couple of holiday seasons then. Change the minds. So, I'd like to sort of speak, or ask you about strategies and stuff at various levels of eCommerce. So, for instance, what are some security strategies that smaller mom and pop type stores should be familiar with in the shopping heightened season as opposed to larger corporations or enterprises?

Sam: Yeah, that's a great question. For smaller shops, getting a fraud tool in a system might not be financially viable for you, right, depending on the volume.

Chris: Sure.

Sam: There are certain things you can look at that are basic checks. Looking at even something like where is an item shipping to on Google Maps and taking a look at the street view can be very compelling. A lot of times, you'll find fraudulent packages are going to what appear to be abandoned buildings or warehouses, things of that nature. So you don't have to be a fraud expert or anything else to be able to pull something like that up on Google Maps and say, okay, this just isn't right. I would also look at the data that you do get from the bank. There's something called an address verification service or an AVS that, every time a card is processed, the merchant gets back a response that says it matched, it didn't match, it partially matched. And, furthermore, you get the, it's the one thing is actually confirming for you. It's whether or not this address that they gave you as their billing address is correct.

Chris: Right.

Sam: So, I think one of the more basic things is making sure you do have a good match and what you will sometimes see is a fraudster knows the right billing address, they're going to put that in but they're going to ship it somewhere else. So looking at when you have a good match but a different ship, where is it shipping to, does this make sense, does it make sense that they have a billing address in New York but it's shipping to New Mexico?

Chris: Right.

Sam: You want to use some common sense there and kind of take a look at what's taking place. So, I think those are kind of basic tips for your mom and pop shops. There are certainly services you can use as well to do things like look up a consumer's email address to see how long it's been around, if anybody else has had a problem with that consumer. So, those cost a little bit of money but they're not very expensive services and could kind of be the next step up before you get yourself a proper system.

Chris: Gotcha. So, turning the lens in the other direction, as shoppers and users, the online experience, what tips or general guiding principles you think there should be for people who are doing a chunk of their shopping online this season?

Sam: Yeah, so I think there are three things consumers can really kind of do to help protect themselves. First of all, I think when you're shopping online, as I was mentioning a bit earlier, make sure you're on a reputable website. We are seeing a lot of these bogus sites that are coming up. If it sounds too good to be true, it probably is. You should move on and go find something else. I think the other thing we see a lot of which happens around this time of year is, you are, as a consumer, signing up and creating a lot of accounts. You're creating accounts on websites because you're purchasing from them. One of the big weak points we see in consumer activity is reusing the same username and password.

Chris: Yep.

Sam: And doing things like saving your card number on there. You've, now, basically, one of these sites now gets hacked and the username and password gets out there. Anywhere you've saved your card number or your billing information, or have purchased before and signed up with that same username and password is now at risk of either that data getting out there and you becoming a victim of identity theft at some point, or them just using your card that you've saved on file with these retailers to commit fraud. So, I think, number two is do not reuse the same password. Make sure you're using a different password on each site. If it's a pain, get yourself one of those password tools that are out there where you have one master password and it remembers and automatically logs you in with a different password for each site. So I think that's another important tip. And the third one, I think, would go back to a bit around the social engineering stuff we're seeing. So, this fraud scheme I was mentioning earlier where consumers are getting called by who they think is their bank and being asked for codes, we're seeing a lot of it this holiday season. It's a pretty good trick but I would say, when you're getting phone calls and you think you're speaking with your financial institution, one, financial institution should never ask you for anything like that, should never ask you for a password, should never ask you to read them a code. So, if they're asking you to divulge information to them, you should take that as a red flag. And what you should do is say, you know what, let me call back the number on the back of my credit card. So disconnect that conversation, you call the bank directly and, that way, you know you're really talking to the bank and you can inquire and see if there's an issue.
So, I think, the third one would be, be vigilant of who you're actually talking to and if you're ever in doubt, cancel the communication and go directly through a channel that you know is getting you to the right place.

Chris: Right. So, we've talked about it a couple times here that there are certain fake or disreputable looking sites that are offering at too good to be true prices. Do you have any sort of guiding principles, are there any particular sites or things online that you want to just kind of call out and blacklist now or even just sort of like be on the lookout for things that look like this? Because, like you said, everyone's looking for the best possible deal and sometimes you think with your heart rather than your gut.

Sam: Yeah, you know, I think, one, if it looks too good to be true, obviously, that's a big red flag. It usually is. If you want to do a little bit of research, you could take that site name and do something like Google search it to see if you can see other reviews and what people have done. If you're a bit more tech savvy and you know how to do a WhoIs lookup, I would actually do a WhoIs lookup on the domain and see when it was created. One commonality we see with a lot of these is they are brand new, they've been created like five days ago.

Chris: Yeah.

Sam: The site gets thrown up and suddenly it's selling $500 shoes for $200, right?

Chris: Right.

Sam: So, I would say, if you know how to do that, take a look at when was the site created and just see if anybody has reported this company as being good or bad and how far back does that go. 'Cause we also do see fake reviews. So some of these guys are clever enough to go put reviews about the site but you'll generally see though the reviews maybe go back a month at most. There's nothing a year ago talking about this website because it is brand new.

Chris: Or they all hit the same point in the same way.

Sam: Yeah, exactly. So I think that really, if it doesn't seem right, it probably isn't and if you really want to double check at that point and do a little bit of research and, most of the time, you'll find plenty of red flags. Probably your initial assumption was correct and you should go elsewhere.

Chris: Okay, so we noted, also in our intro, that Precognitive partnered with ShopRunner and that you're protecting hundreds of the world's top retailers, so without giving any specific secrets away, what are some of the highest level security strategies for retail sites like this that are working on a global scale? We talked about mom and pops but what are some of the higher level of threat that places like Kate Spade and stuff have to worry about?

Sam: Yeah, so the amount of fraud that you see in the larger business obviously increases and the sophistication level changes as well. One thing with fraud is it's always changing, right. So that attack you see this week will be gone by next and there'll be a new one with some sort of tweak or modification or something completely new you've never seen.

Chris: Yep.

Sam: So, generally, at a large enterprise, what we're doing is setting up a bunch of safety nets and doing a multilayered approach. Typically, up front, we're looking at things like bots, is the activity that we're seeing human versus automated and being able to differentiate there. We do a lot around understanding the device and the connection itself. So when a device connects to a website, we have what we call a device grid which is, essentially, a database of all devices we've seen. We've got a billion plus active user devices we see. What we look at there is has anybody else reported a device being bad within our network.

Chris: Okay.

Sam: How long has the device been around? Usually newer devices are higher risk. If we've seen you around for a while, you're more legit. And then, where is the device coming from? Geo location-wise, what type of connection it's coming off of, are they using something like a Tor relay, a reverse, a proxy or a VPN. So looking at all of those flags and really understanding the device itself, the connection, differentiating if it's a human or a bot. What we do that's really interesting at Precognitive then is looking at the consumer behavioral pattern. So, I'm sure you shop online. Do you ever go to a website and just buy the pair of jeans you saw?

Chris: Yeah, oh yeah, sure.

Sam: Do you just buy them as soon as you see them or is there generally, you typically will look at them and you'd probably think about it--

Chris: Oh, I see, yeah, put it in your wish list or think about it or mull it over, comparison shopping.

Sam: See if you can get a coupon, yeah, or comparison shop.

Chris: Right, sure, of course.

Sam: There is a pattern to what normal consumers look like that we profile and look at.

Chris: I see.

Sam: So if you come to a website and you put a $1000 item in your cart and you check out. We want to look at, have you looked at this $1000 item before, did you show any interest in it last week or the week before, it's kind of a big purchase, right?

Chris: Yeah, it's not an impulse buy.

Sam: You got it. So this is where we use behavioral analytics to look at, what has this consumer shown us intent in, how fast did they go through the website? We also find, like, if you think about a website you use a lot, maybe a Facebook or a Gmail or something, how quickly you go through it. Fraudsters who are actively committing fraud on enterprise sites, they get good at going through that website.

Chris: Yeah.

Sam: So we can also see things like, this checkout happened in 35 seconds and, whereas, we know the average time is about five minutes, so these are also anomalies that we look at. So, at an enterprise level, we are employing technology like this on behavioral analytics side as well as device intelligence and then what we do is take all this data and, when you finally hit that submit button and make your purchase, we feed it into a machine learning model that's been trained against prior fraud. So it'll come back and tell us, hey, this looks good, this is definitely bad, and it's up to the retailer but sometimes you can create what we call a manual review range. And this is where a human analyst would come in, take a look, and make a decision.

Chris: Okay, that was going to be my next question is whether, since we talked about false positives before with reCAPTCHAs and things like that but it sounds like you're not so much shutting things down as you are sort of offering suggestions through this--

Sam: Yeah, we are blocking the, in real time, we will block fraud that we know is 100% fraud. We've seen them commit fraud before, we know this pattern is fraudulent, we'll block it. Our goal's always to approve, obviously, as many consumers as we can and not reject them.

Chris: Right.

Sam: But there is also this kind of gray area where the order might not look exactly legit but we're not sure it's bad. And that's usually about one to two percent of transactions for us that will queue into work, pending some analyst to review and make a decision. And it's interesting, at the enterprise level, that one or two percent for a big retailer, now, actually becomes pretty significant. So, during the holiday season, we actually do adjust it down to reduce everybody's workload there, we really don't want to inundate anybody with thousands and thousands of orders a day to review.

Chris: For sure. So, turning things to a career slant here because I'm sure we'll still be talking about this topic come the holiday 2020 season. I want to ask this for our aspiring security professionals amongst us watching and listening today who might like some career advice: What types of skills, education, or experiences would you recommend for people who want to be on the front lines of defending against and finding new forms of eCommerce fraud and bot fraud and so forth what you do?

Sam: Yeah, that's a great question. I think, depending on what you want to do within that space, fraud prevention space is pretty big, find something that is of interest to you within the fraud space and kind of go after it. I think one natural area who come in with a data analytics mind set, so having experience with things like databases, analyzing large amounts of data, being able to identify patterns and data, those are all good skills to have. Obviously, being able to write code and develop, a lot of what we do to stop the fraud is based off of business logic that we're putting in place. Furthermore, I would say, just one thing that we always find with good fraud analysts is just people who are very inquisitive, who will look at something and want to understand why is this the way it is, how does it work, how was it put together? So, if you have those sorts of, I would say, aptitudes and enjoy things like that or enjoy the idea of investigating something sounds fun to you, those are all skills that are very valuable in the space. So, I think the ability to really analyze data, dig into it, is what a lot of folks can par in terms of how good they are, right, as fraud prevention, whether it's analysts or people setting up fraud strategy, a lot of it, though, comes down to being able to analyze data and extract insights from that that you can act upon.

Chris: Okay, can you suggest any kind of strategies for learning that kind of stuff if you're not already doing that in your day job, outside of your current experience?

Sam: Yeah, I think a great learning ground if you're interested in getting into analytics, data science is Kaggle. I don't know if you're familiar with it but it's a website that has a lot of open source data sets that have been released.

Chris: Okay.

Sam: And then, individual users there can download these data sets and they can model against them, they can analyze them and they can actually show their work and everybody does. So, even if you don't know where to start, you'll see other people's pages who have worked on this set and how they can offer their solution, what their results were, what their stats were, what type of metrics they were able to get. So, I think, for anybody trying to get into data science and data analytics, especially in the fraud type of security space, there's a lot of good data sets there. You can play around and get a sense of, one, do I like doing this, am I good at it, and is it something I want to pursue further?

Chris: Great. So, as we wrap up today, what are some security trends and fraud strategies that you expect to see or that you're even spearheading yourself in 2020 and beyond?

Sam: That's a great question. There are some interesting changes happening in the fraud space in general on the card payment side. So, in Europe, we have something called strong consumer authentication now that's come out that says for transactions you have to get a secondary factor of confirmation from the user that they're buying something. So, if you're in the EU now and you buy a pair of jeans, you either have to login to your bank's website, you're going to get a text message or something to say is it really you buying these jeans? So, I'm expecting that we'll start to see some of this trickle into the U.S. There's another big push from the payment networks themselves on something called 3D Secure 2.0 which lets merchants send more data back to the bank so the bank can give you a better fraud decision as to whether or not they're going to accept it. So, I think, what we're going to start to see from the card fraud perspective is there will be a decreasing amount of card fraud that we're seeing. Where we anticipate there will be an initial lift in increased fraud is going to be on account takeover and credential stuffing, account takeover as it's been growing year over year, so we think this problem will continue. And the other thing we're expecting to see a lot more of is automated attacks coming into 2020. So, automated attacks traditionally have been things like credential stuffing attacks to perpetrate account takeover. What we're seeing now is automated attacks that do other things like scrape the PII data or even put up more complicated fraud screens. So, we are seeing some attacks that are automated that will not only login but even go through and create the purchase themselves. And that's a pretty interesting step whereas, generally, it would be a real user, the fraudster would login and kind of commit the fraud, what we call the cashout, the final step of the fraud. But we're seeing some of that now.
The number of occurrences where that's automated is going up and I think this is also going to be a really big issue for 2020 because some of the ones we've seen are very clever. They will do little dollar amount orders, they will place them on almost a schedule. So the same fraud bot will come back every day and buy a similar item or same item but try to stay under the radar. Some are somewhat clever. Somebody's sitting there at a warehouse collecting packages. That's something we are beginning to see more of as 2020 rolls in.

Chris: Okay.

Chris: So, you told us a little bit about it but as we wrap up here, tell me all about Precognitive and some of the strategies and services that you offer your clients.

Sam: Yeah, so Precognitive is a cyber crime prevention platform is kind of, at heart, what we've built. It's a platform that has three different products linked into it. The first thing we do, I was touching on it earlier, was around device fingerprinting and device intelligence. So, if you're on a mobile device or on a web browser, we're able to get and gather a lot of information on your device itself. So, what type of device is it, where is it coming from, is there anything wrong with it that we can tell. The second thing that we do and our second product is around behavioral analytics and behavioral biometrics. So we can see, again, how do you go through a website, what are you looking at, we can even see how you type. So, if you're typing your username, for example, what's your key-down to key-up time, your flight time to the next key, your key-down, key-up time there and we actually measure those on things like logins over and over so that we can get a physical sample of how you type. We never see your username or your password, just how long it takes you to type it and how you actually type it. So, that's the second product that we have. And the third product really ties the first two in and that's a decision engine called Decision AI. So Decision AI is a hybrid, it's a rules engine with a machine learning layer in there as well. And when something happens like a transaction or a login, our clients give us a call to our API and say, hey, I have this purchase, for example, is it good or bad? What we do, at that point, is go connect all the data. We connect the device intelligence, geo location data, behavioral data, what you're actually purchasing and can tell you if it's good or bad. So, at a high level, that's what Precognitive does. We've got some other functionality, you know, things like bot mitigation, et cetera that play into that but also the core products and how they work.

Chris: Great. If our listeners want to know more about Precognitive or you, where can they go online?

Sam: Yeah, certainly. You can visit us at which is our corporate site and you'll find plenty of information there, not only about our services and technologies but we do have some active articles that we push out there on what we're seeing as the latest fraud trends or what's changing in the fraud and payment ecosystem.

Chris: Okay, do you have a Twitter or anything you'd like to, do you do social media at all?

Sam: I do. Most of my social media for Precognitive is done through the Precognitive account.

Chris: Got it.

Sam: So it's Precognitive Inc. If you'd like to connect with me, you can find me on LinkedIn as well, Sam Bouso. So I can certainly share a link with you afterwards.

Chris: Terrific. Sam, thank you so much for joining us today.

Sam: Thank you so much for your time today. I really enjoyed speaking with you and I hope your audience enjoys our holiday chat.

Chris: Yes, and I hope we save a few credit cards this season here.

Chris: We're trying. And as ever, thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to and type in Cyber Work with Infosec and check our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher. To see our current promotional offers available to listeners of the podcast, go to And as we've been saying before, we have free election security training resources that you can give to your poll workers in your area to alert them to the cyber security threats they might face during this election season. For information about how to download your training packet for poll workers, visit or click the link in the description. Thank you, once again, to Sam Bouso and thank you all for watching and listening. We'll speak to you next week.
