- Better understanding of the prevalence of remote authentication fraud and why its imperative to continually strengthen authentication practices
- Risk and weakness of current authentication methods
- Key considerations for implementing effective authentication comprised of multiple layers and factors.
Paul Stockton (00:09):
Hello everyone. Hi, and welcome to track four. This is our third session in track four. I'm Paul Stockton from NTT Data. Really glad to be presenting track four to everybody. And I will turn it over to Kate Fitzgerard to talk about remote authentication.
Kate Fitzgerard (00:29):
Thank you, Paul. Well, we are Visas on his way out. And now we have, on our way in, we have bank, your bank, pure Bankers. You can see from their titles here. I'm going to Kate Fitzgerard, Senior Editor, American Banker, and starting with Mary, everyone can see your title, but can you give us in plain English the scope of your job? What do you do every day?
Mary Rosendahl (00:54):
Sure, two pieces. So I do the authentication roadmap for our product for large corporates and commercial banks, all the way down to the small, that's the small businesses. And I manage what our authentication is, what our roadmap is, whether it's through file, whether it's API online or the mobile channel.
Kate Fitzgerard (01:16):
For remote authentication or for all kinds of authentication?
Mary Rosendahl (01:20):
All kinds of authentication.
Kate Fitzgerard (01:21):
Okay. Yes and then Mike?
Michael Timoney (01:24):
Yeah, Mike Timoney. I'm with the Federal Reserve Bank of Boston. Actually, my team is part of a larger group called Payments Improvement, and my focus is really around fraud and security about the US payment system. So my team typically works with the industry to try and identify fraud security gaps and then try to identify ways to solve those.
Kate Fitzgerard (01:46):
So our topic here about remote authentication fraud, we are going to focus on a couple of the hotspots which have to do with business to business and business to consumer fraud. And so with that, taking a look at where, why, where we are right now in that work, the wanted to talk about the pandemic's effect on remote authentication and from the perspective of Bank of America, what happened in the pandemic that you guys were not expecting to happen and what did you have to do to react to that?
Mary Rosendahl (02:18):
Yeah, so a lot of the challenges were when people went hybrid. So you go hybrid and the fraudsters know it, right? So they're always trying to be a right there. And so you go hybrid and then people aren't in their offices anymore. So you see something suspicious. There's nobody there to just tap a shoulder. You've got the younger generation that's not afraid of anything and you've got the older people that are more frightened of what they know that can happen. So you deal with some of the generational and there's nobody to tap. The fraudsters know that they need to get into the email fraud. The phishing is at the height of what most businesses are having problems with. And so then they attack those emails even more because they know that companies are becoming dependent because on that email even more, because they're not sitting in the offices together.
Kate Fitzgerard (03:08):
And it isn't email so ancient, why are businesses still relying on email? And was that what I guess I'd like to know in covid, what was exposed about that process and has anything changed?
Mary Rosendahl (03:22):
Well, email is always a challenge. It's kind of where people still communicate. And we talk and we discuss all the time about the importance of validating payment instructions. But you can see that 99%, pretty much of the fraud that we see is all from the phishing, still from the emails where you get the changes in the payment instructions and they're not validated and they're coming in through email, they can come through phone call, but then there's not that second person that's actually authenticating that change in payment instructions.
Michael Timoney (03:55):
Email is still relevant today, so it's easy to use. We all do it. It's flexible. How many times have you been doing something and someone IM's you, right, or Teams or Zoom, whatever you use in your platform, it interrupts. And so people like email still, I personally have a challenge with it because I get way too much of it, but there's a stat recently, I just read that 72% of people still say it's the preferred way to communicate. That's a big number right now. I don't know if we all would agree with that, but that's what the survey said. I wanted to back up on what Mary said. There was a huge shift to people going to work from home, and that was obviously an effect on authentication. Part of the challenge there too is that companies weren't ready for it. I think Dustin might have mentioned that as well.
(04:44)
They just weren't ready. All of a sudden you had everyone going home. Just think I know in our organization, just the idea of trying to order the equipment, the laptops and everything for everybody was a real challenge. And what happened during the pandemic, just for one example, out a lot of munis, a lot of municipalities really got affected from the fraud because the frauds knew all this confusion was going on and literally started trying to sell them personal hygiene, the equipment, the mask, everything that we needed for the pandemic that PPE and basically it was scams. And so they were taking advantage of people from that perspective, whether it was business email compromise, whether it was scams. So anytime there's that type of confusion, the frauds are going to capitalize on it, as Dustin was mentioning earlier as well.
Mary Rosendahl (05:30):
And so then when you take what Tim, Mike, we call him your last name, Timothy, but Mike, Tim Timothy said, is the fact that then you, you're in home environments, so you're no longer in your office. And so how protected is your wifi? What about the passwords, the authentication there? And so now you, like you said, you've got all this confusion going on. You don't even know if the environments are protected. Some companies allow people still to print what's going on at home, who's seeing what's being printed, where is it being thrown out, all that kind of communication, all the equipment, like you said, again, is it protected? And so then when you've got the flush of emails coming in here, it gives even more opportunity for the fraudster to attack.
Kate Fitzgerard (06:18):
It amazes me that because we've been hearing about business email compromise 10 years ago. That there had really been no protections built into any of these systems, and the pandemic was a perfect storm for this kind of fraud. So what's happened since then? Can you give me some perspective on maybe, Mike, did you do any research where you saw Spike?
Michael Timoney (06:43):
We've done a lot of research on different types of fraud during the pandemic, but specifically to remote authentication, I think the big thing that wouldn't surprise you is that we're so reliant on ID and password still, if you think about it, this is 2023. We're talking about AI, we're talking about all these other things, but most of us companies are still using an ID and a password. And I just talked about this last week. If you go out and look up the top 10 passwords in 2023, it's the same as 2022, the same as 2021. It's passwords number four actually, but it's like 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 5, 6, 7, 8, 9, Cordy, Cordy 123 and then password. And then it goes on from there. So that's part of the problem. The second one, and I'm not going to, I know people will probably nod their heads or bow their heads with however they feel about it, but a lot of us use the same password.
(07:40)
So fraudster only has to get one password to get into, take advantage of it. So because we're still so reliant on some of that technology, we're vulnerable. And so the research we've shown is that multifactor authentication works in this space. It's a way to try and protect us. The problem is that it's inconsistent across the us. It's not even used by everybody. And Mary and I were having this conversation yesterday. I've had my account with the bank for 30 plus years. My kid's now bank there and I use multifactor. So I have another factor, but it's optional. It's optional. And why is it optional? Because the bank doesn't want to create the friction that we talked about earlier. But again, if it's a way to protect the individual as well as the organization, it's something that we should be thinking about. But nonetheless, part of the challenge in the country is that it's inconsistent. It's not used. It's not mandatory to,
Kate Fitzgerard (08:42):
So despite this uptick, which I assume you tracked, what has anybody made any significant strides forward? Bank of America? Did you change your policies?
Mary Rosendahl (08:51):
Well, well, so two things I want to comment on. What he said too is the thing about also email before we get off of that is that people think, oh, it's just my email. But when you think about it, it's just my email. Where do you change your passwords? You change your passwords in your email. If anything that you have that should be the most secure, it's your email, right? Because that's where they can get ahold of it, change the password and get into your systems. So when you think about the changes, so we think about biometrics, yes. Bank of America now has the QR code and we're getting to biometrics. So biometrics, you're not sharing those passwords, as Mike said it, the passwords are all out there. And so we can get away from passwords. One of the steps that we've done is the biometrics, because your passwords aren't out there, you can easily update your password even with the rules by just using the QR code in your biometrics. And they're not sitting out there. And so that is the approach that we're going, is to go password list so we can get rid of those passwords sitting out in the wild.
Kate Fitzgerard (10:00):
When you say you, do you mean Bank of America employees or Bank of America Corporate customers or corporate customers?
Mary Rosendahl (10:07):
The platforms I manage.
Kate Fitzgerard (10:08):
How far have you advanced in this conversion?
Mary Rosendahl (10:13):
So we offer it today, all completely biometrics. The difference is, and what's slowing down the adoption is the use of the mobile phone. If you're going to do biometrics, you've got to be able to trust your mobile phone. And the adoption of companies isn't all right there that they'll let their employees use a mobile phone, even though that biometric on here is actually safer.
Kate Fitzgerard (10:38):
What's than your password is? What's the resistance? You want to talk about that, Mike?
Michael Timoney (10:41):
So because I don't know all the answers on why people resist, but I'm going to go with we heard cost is a challenge. So where we've evolved from is we are now using multifactor, right? But again, like I said, it's inconsistent. But what did we do? We started using email, right? It'll send you a six digit code in an email or in an sms, right? SMS was even better than email. We used to always get it in email. Now we kind of get it. Sms, the problem is now companies can say, Hey, we've got multifactor, we're using this as well. But those are not vulnerable. So if you paid any attention to what's happening with scams, yes, the person can have a six digit code, but they're getting a call from a froster that's saying, Hey, we're going to send you a six digit code when you get it, give me the number.
(11:30)
And then they get the number they tell the froster. And so it's fishable. So where we have to get to is like a non fishable. And so what Mary's saying is biometrics, whether it's fingerprint, eye, whatever, or behavioral on how we use the device, that's where we've got to get to. But that takes, that's cost. And that then does have to change the consumer experience. And so there is always, again, the challenge around friction. And Dustin did say it or one of the groups said it. It's not about optimally getting rid of all fraud. How do you balance the friction? Because we all want transactions to go through.
Kate Fitzgerard (12:10):
So is our SMS messages now less secure than email?
Michael Timoney (12:15):
I don't know. The gentleman left from Verizon, we could have probably asked him. I would hate to opine on that. I will say either one of them is vulnerable again, because they can be phished. I'm not so much that they're going to break in to the email, but email and SMS are both followable. Cause either you can have a man and middle attack. The fraudster can be in between people sending emails. So they take over an email server, they have access to that, but they can do the same thing with sim swaps on phones. So now you'll see that they can swap what my wife called and said something to them and they said, oh, we'll just change the sim on the fly. And they went to a virtual sim and it was like, okay, well wait a second. What if she didn't?
Kate Fitzgerard (12:58):
That could, she could've been. She could've been
Michael Timoney (13:00):
Broadstone. So all you have to do is get the SIM change and then when any message, when that six digit SMS comes, it's not coming to me, it's going to Mary. And so now she's in the middle as well. So there's lots. You asked the question in the last session, what do the frauds do? They look for the opportunity, right? So okay, we put in sms. Well, they're going to find a way around it. And you got to remember, SMS was meant as a communication for us. It wasn't built as a security function. So
Kate Fitzgerard (13:31):
For notifications, for alerts, right? Yeah. So when you think about having an O T P or a two-factor authentication, it's the push notification from the phone that's secure. It's not the sms. SMS is just a message vehicle. Yep. Interesting. Because I do remember now the OTP O ota in the original before we had, before there was mv, the attempts to do over the air authentication. And that didn't work probably for these reasons. So it seems so low tech, but what are some of the challenges in trying to explain these and train people to protect against these threats in the business environment? How do you push that and what are you up against? Well, I think it's for the corporates, it's the mobile adoption. Do I want my employees to have to put the token on their personal phone or do I want to invest and give all the employees a work phone?
(14:36)
So you have two phones. So part of that is the slow adoption to am I going to trust my employee to take care of their phone? Now, what people don't realize is that I can have an OTP on my phone and is as secure as the one that's sitting in my pocket. I can generate it here, this hard token, or I can generate it on my phone. But that's trying to convince people because they think the mobile phone isn't secure and it actually can be very secure. So there's a cost thing. Is there an education element? Absolutely. What's the challenge there?
Michael Timoney (15:12):
Well, I think you have to change behavior, right? And this is, I'm thinking more from the consumer side, Kate, because that's kind of some of the work we do, but looking from the consumer side, people fall victim to scams and they're victims. The frauds are trained to take advantage of them, but they get a notice. It's from their bank's fraud department, and they think it's their bank's fraud department. So they fall along. We need to get them to change. Change. Not usually it's in the moment. Your kid, you've got fraud in your account. Probably the big one now is Netflix account's been locked out, right? Oh, I can't. I got to get to my Netflix. So panic. Yeah, there's a panic there. And so people react to that and sometimes it needs to slow down. The UK for example, has a take five campaign where they've been advertising and they go hard about it, just take a few seconds before you hit the button, right?
(16:10)
Try. And they're trying to change human behavior. And that's really part of it is we've got to get people to change. Look, you asked the question earlier around chip and pin, and I heard the question was asked earlier. I worked in an organization very similar to the lady with the USDA. We had mags strip cards without a chip and no pin. Well, that's just not right. Had had discussions around the cost and as a fraud guy, I'm like, Hey, we need to go chip, we need to go chip. And the problem is they go, well, the cost is so much more. When the pandemic hit and we took the hit, then it was like suddenly, well, that cost of that card really didn't look that bad after all right? But then when we went chipping on consumer cards, we went chipping signature.
(16:53)
We didn't go chip and pin why the people can't remember a four digit code. That was sort of the font at the time. And I'm like, well wait a second, we all have a debit card and it all has a four digit code, so what's another four digit code? People are probably going to make it the same number anyway. So it was more sometimes we go, oh, well, we don't want to affect the customers. Had we just made that decision at that time, people would've adapted to using a chip in a chip and pin card.
Kate Fitzgerard (17:20):
I think there was another side to that story, which we had something to do with some card networks and some emergence. Yes, but nevertheless, there was a back to the business email compromise and the businesses and these antiquated approaches. What are some of the challenges there in making changes at the business level? Is it a matter of each business has to get hit by some crisis in order to make changes or can you push change across the industry? If so, what's it going to take?
Mary Rosendahl (17:52):
It's education education and education!
Kate Fitzgerard (17:55):
Of the small business and medium size business.
Mary Rosendahl (17:57):
It's a large corporates, and then that's a reconcilement because I'll see it where they'll come in, they took the instruction, they didn't verify it, they reported it the next day and they get all their money back. And I saw two this week where the transactions was four months ago. There is no way they're going to get their money back. There's no way because there's no reconcilement. But it's education, we've been doing this. If the education was there and people would validate any change in payment instruction, we would wipe out.
Kate Fitzgerard (18:30):
You're talking about educating the employees of your corporate customers and what are the problems there? High turnover. I mean, it might be that you have the same challenges people have in hiring and retaining employees. You're trying to constantly educate these people on these practices that are?
Michael Timoney (18:48):
Yeah, I mean, if you think about it, and I don't know the total makeup of the audience, but probably most of your companies have some sort of testing where they test you on a fish, right? We all get that.
Kate Fitzgerard (19:02):
Well, from the IT department!
Michael Timoney (19:04):
Okay. Some of them are really good, some of them are pretty obvious. But I mean if that's an indicator. So that's part of the testing of employees. But the reality is we all kind of know there's a test. The problem is that people do, they get that email from someone within their organization that's telling them to make that payment and for whatever reason, same. They panic.
Kate Fitzgerard (19:24):
We're talking about a potential business email compromise. Which still happens routinely despite the fact that it's so low!
Michael Timoney (19:31):
It's on the rise. If you look at, it's so obvious. If you look at the FBI's stats business email can compromise is still growing. And you're right, I started in fraud in 2009 and it was because of business email compromise that I got recruited into fraud. And so it's been going on all that time and it's been growing, so it's not going away. And now there's just email account. Well, email account compromise was always there too, but now they're doing the consumers as well.
Kate Fitzgerard (19:56):
So now is ransomware part of this discussion or is it not that? Is that a whole different vector?
Michael Timoney (20:03):
For me, we don't really look at ransomware, but there are a lot of, again, email comes to play a lot around ransomware, getting people to click on the links. I also was doing a little bit of stat searching for this and thinking about ransomware. Interestingly enough, if you get a file or an email and it has an Excel or a PowerPoint attachment, you're much more likely to click on it. And that's interesting. They said over 20% of the people when they get that, they would click on that versus thinking it was suspicious. So because they somehow equate trust to PowerPoint and Excel. Right.
Kate Fitzgerard (20:45):
Are you saying the fraudsters have figured that out?
Michael Timoney (20:47):
Yes. Yes. And so now they're attaching those kind of files and when you open that Excel file, it might look fine and it may not even do anything right away, but it's giving the fraud the access to the system. And that's again, who would've thought that we trust PowerPoint and Excel greater than some other programs, right?
Mary Rosendahl (21:08):
Right. And exactly. It's not just the email coming in. Give you an example where 1 million invoice was paid and the company company, the person called and said, Hey, you didn't pay me. And they're like, yeah, we just paid you another a million dollars and they tried to track it down. Well, again, they called the associate on the phone and them got conversation going and saying, Hey, I lost, how do I go in and put payment instructions in? And so they sent them out the form, they put the payment instructions in the correct way. So it took them months to try and figure out where this fraud occurred. So it's not just a simple education of, oh, you get an email in that says change payment instructions, but you have to educate the people that are on the phone. You've got to educate the receptionist who gets a phone call and says, who's a temp at your company and says, Hey, there's something wrong with your pc.
(22:07)
I need to take it over. And they don't just give that PC over to the person on the fraud. So it it's, and even if I call Tim and I said, okay, Mike, here's a call and and he trusts me. I didn't verify the person well enough on the phone. And then he calls the next person at the company and next person calls the next company and they perpetuate the fraud. And it started at one part of the company and it happened at another end because I didn't do my job. But everybody trusted him because they knew who he was. So it's education in all different facets.
Kate Fitzgerard (22:42):
And this time it does feel like companies are struggling to hold onto employees. So there's a greater likelihood of a temp or people moving between offices, people not trying to get the hastily, trying to get things done and leaving gaps.
Mary Rosendahl (22:56):
Can people not believing we'd have a small company. They'd say, oh, that'll never happen to us, never happened to us. And then their CEO's on the plane and they broke into the CEO's calendar, knew that she was unavailable, perpetuated the fraud.
Kate Fitzgerard (23:16):
How common is this fraud? We talked about small businesses, medium size businesses, how confident common is it happening to municipalities and governments?
Michael Timoney (23:25):
All right, so I'm not an active person in this space anymore, but I used to do this at a bank and I was on the corporate side. And so municipalities were always very vulnerable because they're small and they have, look, I'm not trying, I'm not going to say I don't want to disparage municipalities. I think they're just, because they tend to be smaller organizations.
Kate Fitzgerard (23:46):
Well, they're more likely to have antiquated systems?
Michael Timoney (23:49):
They usually have a tax base. They're sitting there there with tax dollars. And so they can be very vulnerable to invoice, get getting invoices that they pay that they shouldn't pay at all. Right? So just fake invoices or manipulated payments instructions. And so I've seen in my career, multiple municipalities or small local governments become victims because a lot of times they also didn't have some of the dual controls that they probably should have had in place. So it is right.
Kate Fitzgerard (24:21):
And I happen to know firsthand about a small town county government that had a ransomware attack last week in Oregon that one of my family members is involved in. And that's only one that we know of. Yeah, you do the math on this. How does where to wrap things up? Are we closer to reaching a point where we're going to find some solutions that will have more greater accessibility and adoption from this layer of the attack surface I guess they call it?
Michael Timoney (24:54):
I was going to say from an authentication perspective, I think there's a lot of things going on out there that can help. Definitely moving away from passwords is one, and the industry has got a lot of momentum in that direction. It's not going to happen tomorrow. It's going to take time to do that. But there are new technologies we've heard about ai, same thing. Some of the new technologies are going to help us, but it still comes back to Mary's point around education of the individuals. Because unless you teach people that hey, this is what fraud looks like and you shouldn't just send a payment on an invoice that someone hands to you going to be, that type of risk is always going to be there. You asked the question earlier, is fraud going to go away? No, fraud's not going to go away. But how do we manage? We've got to look for where the vulnerabilities are. Well,
Kate Fitzgerard (25:40):
It feels like it has to reach a point, like you said, that it's not worth doing EMV until we have a crisis. Then all of a sudden it makes sense. So you have to wonder. Yeah, but we're neck and neck in the race. So think about the companies that have voice authentication and now we have deep fake, so you can't depend on voice authentication anymore because you've got deep fake where you could fake that voice and all you have to do is listen to somebody talk. So it's a race. If anyone has the silver bullet, they always say there's no silver bullet. But I'm going to see if we have any questions from this audience on business and remote authentication fraud, which really covers a lot of scenarios. And if you have, oh, here's someone with a question or a comment. We might even have some.
Michael Timoney (26:37):
When you say new currencies, is that what you said? Are you talking specific like a central bank digital currency or something? We're a long way in this country from a central bank digital currency. Actually my boss is the one that was leading that project. So it's going to take a long time to get there. In fact, there's a lot of policy and things that would to happen first. In fact, a lot of people in our US government don't believe that we even need it. So that, but yes, and when we get there, there are going to be new challenges. The other that is big, and it was mentioned earlier was instant payments, right? Faster payments. And so the Fed is releasing Fed now this summer, and so fraudsters have been moving money for a long time. This is going to be a challenge in the sense that it's irrevocable and quick and it's already in play today. We already know it's happening, but it does sort of get fraud fighters a little bit hyped to try and figure out ways to stop the bad guys. But on the flip side, they don't have the same governance or investment requirements that we have and they can pretty much do what they need. So it is, it's always a catch up game, I feel, even though if we're trying to think ahead, they're still finding ways around it. But I do think new products do bring new challenges.
Kate Fitzgerard (27:57):
We have a question in the back from Marsha. Thank you. Hi. Given that so much of this fraud is happening through the email channel, I'm wondering if you've noticed a commonality of language or content of the email that you could then use as an indicator of fraud? I'll start and I'll let you continue because I know you're going to love this question. So it's morphed. It's so sophisticated. It used to be kind of humorous that email that came in, but it's not anymore there. That's why when Mike talked about the fishing and the exams and the testing that we do employees, I can see that even in the bank, the heightened. And I have people that are on my team saying, is this fraud? Because it's so good because they're trying to educate. Because if you didn't ask for it, don't click on it. If you get a text message, don't click on it. You get something from Amazon that says, your account's going to be closed or they've charged this. You didn't ask for it, don't click on it. It's just that education but the sophisticationiIs unbelievable.
Michael Timoney (29:05):
I totally remember 15 years ago we used to, well and still probably happened at some organizations teach people to watch for spelling mistakes or bad gram or all that. It's to Mary's point, it's not like that anymore. So I mean, I was talking with someone last week about chat. They can just even do that and use that type of technology, just develop it out.
Kate Fitzgerard (29:31):
Think about it because of that. And then using all the social media, they can make it familiar to somebody that, or you work with somebody says too much on LinkedIn and that type of thing. So it's even more believable yet even with the punctuation. I'll be in there too.
(29:49)
Well, we are about to wrap it up. It's a terrifying specter. We have another question here from my friend.
Kate Fitzgerard (29:57):
This guy!
Michael Timoney (29:58):
Kate. One of the things that we didn't talk about to, and I'll wait until gets the question, but check fraud we didn't touch on at all. We didn't get to that, but just think about that folks, next year old is new.
Kate Fitzgerard (30:09):
Something that we thought wasn't a fact is now one of the fastest rising categories of fraud. Yes.
Audience 1 (30:15):
So I know tools, one password are getting popular from consumer perspective. Two questions. What do you guys think of one password and do you see that being adopted in the corporate world?
Mary Rosendahl (30:28):
Yeah, definitely. So we are looking at the Fido standard, so the Fido standard where you can authenticate with one device across multiple companies and it's extremely secure. And so that's one of the ways that we look to move our authentication to the next step is that pass key that ties, oops, ties into that where it's, it's still on the beginning edge to actually incorporate it, but it's one password for all and it's a biometric. We can get there. That's where we're headed.
Michael Timoney (31:10):
If you're go, you're going to use a password, it's got to be a longer, look, my company, it's 16 digits and believe me, that's hard to remember all the time. Once you have to change it well
Kate Fitzgerard (31:20):
Inside or tip, how do you use one? Are those master key things secure?
Michael Timoney (31:25):
So are they secure? Yes, you can put all your passwords in one place, but what's the problem with the A store? Anyone takes one password to get into it. So again, if you don't have a good password protection on your password vault, then you're kind of vulnerable there. If you, that's, that's the challenge.
Kate Fitzgerard (31:46):
None of this is reassuring, but if there's some
Michael Timoney (31:49):
Great products out there, so I'm not on
Kate Fitzgerard (31:51):
A positive note, at least we know that the U S D A is working on some things and we can get some direction going on some of these things. We have reason to believe that the actual fraud, that Visa is actually conquering a little bit of it. And the we're on the verge of some breakthroughs you alluded to in broader adoption of more modern approaches to authentication. Eliminating passwords.
Michael Timoney (32:19):
Yeah, authentications have the problem. There's that still, if someone authenticates Mike does it, I can still send the money out by mistake or I get duped. So that's part of the challenge. But there's multiple different ways and the card networks have done a good job driving down fraud there. The problem is the frauds are see that and then they move over to other,
Kate Fitzgerard (32:39):
Right. There's always something with broad. Well, on that note, I think we're going to wrap up. Thank you very much and we'll talk to.