Track 4: The post-pandemic economy's payments evolution and security revolution

Cyber threats have evolved since the pandemic, with bad actors simultaneously targeting online and offline payment vulnerabilities as our daily lives return to a blend of in-person and e-commerce experiences. 

Visa's Dustin White will discuss the following:
  • How cyber threats have evolved since the pandemic
  • The role security plays in enabling the digital economy, and how to adopt more advanced security capabilities, including enhanced authorization technology like tokens and fraud detection through biometric authentication and AI
  • Tips for creating an efficient security strategy based on lessons learned from Visa's experience in preventing fraud across its network as a result of its investments in AI

Transcript:

Daniel Wolfe (00:10):

Good afternoon to everybody again. Paul Stockton from NTT Data. Thanks to everybody for joining this track. NTT is sponsoring Track four and very pleased to present Kate Fitzgerard. I'm moderator for our next session here, so I will turn it over to Kate.

Kate Fitzgerard (00:28):

Thank you. So you see who we are here. We're here with Visa and really head of US. Risk is a heavy, heavy responsibility. Dustin, why don't you tell us your real job title, I mean the scope of your job. What exactly does this involve?

Dustin White (00:45):

I was racking my brain. I was like husband, father, what do, yeah, so my group is responsible for proactively engaging participants in Visa's payment ecosystem to help them both proactively and reactively address risks and fraud that are facing their portfolios or businesses.

Kate Fitzgerard (01:04):

You're working with banks?

Dustin White (01:06):

Banks, merchants, FinTechs.

Kate Fitzgerard (01:10):

So the title of this thing is the post-pandemic sort of fallout. What happened, what we've learned, where we are, which is constantly evolving. Would you agree?

Dustin White (01:21):

I would. A lot changed in the pandemic for us personally. And I think a lot of folks started to build savvy and experience in the digital environment if in some ways for the first time, and I'm not just talking about the way that like my grandma now orders her groceries and still does like that's fine, that's all good. But a lot of businesses also started to digitize themselves to remain relevant, to survive not having foot traffic in a brick and mortar location. And much like cardholders and consumers were trying to navigate new spaces, a lot of these merchants, I think, were also figuring out what it means to operate in a secure digital environment.

Kate Fitzgerard (02:04):

So there were some number of merchants that had never really taken, accepted card-not-present transactions, maybe restaurants, local takeout restaurants. Would that be a good category?

Dustin White (02:15):

That's a great example, yes.

Kate Fitzgerard (02:16):

And so almost overnight they had to not only accept payments but manage fraud.

Dustin White (02:24):

Correct. And security and understanding what information they can store or shouldn't store and how to operate in those worlds. And so I think if you think about that journey, it was a treacherous place because fraudsters are nothing if not opportunistic and creative. And so in an environment where you have people experiencing a new way of doing business and are learning as they go, there were a lot of pitfalls along the way.

Kate Fitzgerard (02:55):

And so part of that was in the rough period March of 2020 to, I'm not maybe let's say next six months, everybody didn't get on go online overnight. It was a process because I knew that there were a lot of people scrambling to try to get the technology to accept card-not-present. And in that journey I think it was more common that people would say there were problems and it was easier to disavow transactions. We laid the groundwork for friendly fraud for one thing. Can you talk a little bit about what was going on in that chaos on the merchant side and on the consumer side and on the issuer side?

Dustin White (03:35):

Sure. Well, let's start on the merchant side 'cause I think that's pretty interesting. What you were looking at I think is fraudsters not just looking to compromise transactions or credentials, but also to move into new spaces in the ecosystem. And there was this, as you said, very chaotic sort of period of rapid onboarding of merchants for the first time. And there was a lot of pressure on parties within these various ecosystems to try to get that done as quickly as possible. And fraudsters took advantage of that. There were a good number of merchants that started popping up that were not authentic merchants, that were not selling goods or services. And so it moved beyond the traditional transactional type fraud and crime into a place where identity came into play. Not identity like my driver's license, my social, anything like that identity. Is this business really a business that's selling what it says and selling? And that environment I think was one that thankfully folks started to get their arms around really quickly because when you have disingenuous entities, it's certainly about the fraud and crime, but it's also about where those institutions might be funneling the money that they do monetize.

Kate Fitzgerard (04:51):

So that was the merchant side?

Dustin White (04:52):

That was the merchant side.

Kate Fitzgerard (04:53):

The consumer. We had this push to contactless that when the merchants weren't even ready for contactless but they were paying through new channels and devices. What's the word for it? What was the variable for fraud there in the consumer shift?

Dustin White (05:12):

On the consumer side? I think there were a few things, right? One is when you start interacting with a phone or a laptop to move money around ensuring that you were in the right place is really important. Looking at websites, making sure they are what you expect them to be looking for the secure link and all those things. So there's some of that. I also think folks, there was some learning, you mentioned friendly fraud. It certainly was not uncommon for consumers to see a charge show up on their bank statement in a way that they didn't recognize because the merchant or whomever they were shopping with maybe had a slightly different name or maybe a completely different name when they process digital payments than they do on the storefront.

Kate Fitzgerard (05:57):

Or maybe there was a supply chain issue and the product never showed up and they had been charged for it.

Dustin White (06:01):

Yes, so that also on the dispute side definitely came into play. So as you said, right, you have a whole bunch of things that are moving in a way that was creating some friction for folks and on, I think if I rewind to where we were in the summer of 2020 to where we are today and then kind of look ahead, I think consumers have certainly become much more savvy about operating in these environments and I think people have a much better understanding of how to interact as it relates to moving money digitally similar to what they would've done with cash in a brick and mortar environment. As an example.

Kate Fitzgerard (06:37):

Well, jumping ahead a little bit. Since very recent days I've had conversations with people about some new changes in the landscape. One card network, I understand as of April 15th, introduced some new rules, guidelines around friendly fraud requiring more factors on the merchant side. And this is changing the dynamics because whereas a lot of issuers they said had sort of trained people to go ahead and just dispute this transaction because due to the friction you're mentioning the supply chain problems, it was just easy to go to your mobile web, your mobile bank account and say, I don't recognize that. Gone, gone. And the bank would say fine. But now there are more hoops to jump through from what I'm hearing from people, I just heard from someone today about this increasing levels of friction now that we're the pandemic's in the rear view mirror, we are now settling into this new landscape. Are you, what's happening there in terms of the kinds of tools, risk management tools that you guys are introducing and how they're working or not working for people?

Dustin White (07:50):

Sure. Alright. There's a lot there. So I'm going to work through that in a few ways. I think one of the things, whether it's you, I'm going to set friendly fraud aside for just a moment, I'll come back to it. One of the things I think that makes fraudsters really good at what they do is they democratize information extremely well. They are not shy about sharing what they know, pieces of information, creating markets to do that. So the proliferation of information, I think on the fraudster side gives them a leg up in terms of attacking financial systems that sometimes don't talk to each other. The reason I started there is the notion of some of the new data elements and information that transactional payments are capturing to help fight friendly fraud has a lot to do with ensuring that parties who are present in the transaction have the best information possible. So I may not recognize a merchant name as an example, or maybe I do and maybe I had an issue with, as you said, like a supply chain issue. I ordered a couple of nightstands and they never showed up, or they keep telling me it's going to be 12 weeks and they do that for 12 months. What we're doing is we're giving those parties in the transaction, the consumer, the bank, the merchant, they all have visibility into the notion of some of the things that were used in that credential. It could be IP addresses and device IDs or login credentials. So at that moment, rather than just kind of defaulting to an exception process or a dispute process, which really creates a lot of operational noise in the ecosystem, folks now have much more data at their fingertips to be able to say, Hey, here's the factors around that transaction to try to determine if this truly was an unauthorized third party performing a transaction or if this is just a matter of education for the consumer.

Kate Fitzgerard (09:37):

So how's that working? Is it getting to the point where you're locking out more fraudsters or is it just a question of making sure that consumers are being honest about which transactions challenging or trying to charge back?

Dustin White (09:54):

Yeah, so it's been two weeks, so I'm going to say TBD on how it's going, but I think from a fundamental direction standpoint, having the utmost trust and integrity in a payment ecosystem is fundamental to its value and convenience. And so initiatives like this one to help ensure that parties who are prevalent in a transaction are operating with integrity, I think are always a step in the right direction. And I don't think it stops with just say the merchant, the issuer and the cardholder. Because as you start to get folks familiar, you talked about issuers getting into a sort of cycle of behavior and a pattern like, oh, the easiest way is just to dispute this. Well, once you start going the other way, you start creating this pattern of behavior that transactional integrity is something that people are looking at and they are looking for places where there are common factors to try to educate. I think you start to change behavior for the positive. And so it extends beyond those parties. It starts to become sort of a knock on effect that raises the level of integrity of the ecosystem overall.

Kate Fitzgerard (11:03):

So we always talk about how, and it's so frustrating to me covering fraud for years, that the systems keep getting more and more sophisticated, but fraud is still overwhelming in many areas and it almost, it seemed like an industry that is part of payments. You think, will we ever wipe out fraud and now we have AI, we have additional factors, we are moving closer with some of these tools, but we don't seem any closer to solving the fraud problem. Do you think we're actually going to ever get there? And if so, what are some of the factors that would get us there?

Dustin White (11:40):

So I think there's a couple of things there. So one, as I mentioned, making sure that the parties involved in a transaction or movement of money have as much information as possible is really important. But the reason I think fraud might seem worse is because there's a few things here. One, fraudsters are no longer predominantly these smash and grab artists that get a credential and go on a $500 fraud scheme. They're very sophisticated, well-resourced operations. That's a big change because the same tools that we're using, artificial intelligence, they're using them too. And so the battle is really becoming a bit of a data arms race and a capability arms race. Because the same things that we're using to try to keep them out, they're using to try to get in. Now overall are like, I'll just talk about Visa. Our ecosystem is actually seeing some of the lowest levels of fraud in history. For us it's about 7 cents for every a hundred dollars of spend on our products. It's not something to be complacent about, but it is.

Kate Fitzgerard (12:45):

Give us a little some parameters. 10 years ago, what was the basis point ratio of fraud?

Dustin White (12:51):

10 years ago, I'm going to roughly estimate mid eight to nine.

Kate Fitzgerard (12:57):

So we've actually reduced the proportion of fraud in the overall massive transactions.

Dustin White (13:03):

And that has happened against a backdrop of digital expansion in more attack surface for fraudsters to hit. And I think part of why fraud might seem worse, even with that positive trend is that when fraudsters today as well resourced as they are, find something to exploit, they exploit it rapidly and very hard because you have to think this is an organized kind of enterprise and their appetite from their business model, they want to grow too. So the appetite doesn't go away, but now there's fewer places for them to actually succeed. And so when they do, they've got to get as much as possible as fast as possible.

Kate Fitzgerard (13:40):

You mentioned this democratizing of fraud.

Dustin White (13:43):

Yes.

Kate Fitzgerard (13:43):

Can you talk a little bit more about that? Are you saying there's, can the convenience store out there if you want to join the broad industry?

Dustin White (13:53):

They are organized and they do publish a lot online, whether it's marketplaces to sell compromised data, whether it's, Hey, here's a scheme that's working for us, you should try it. We see this all the time. Visa actually sees about 2 million attacks on our ecosystem a day. And so a lot of it, you can watch the patterns play out. It's like, oh, well Kate tried this say in Brazil, and now I'm seeing it pop up in Iceland and here it is in Singapore and in the States. And so well, they're not just stumbling upon the same things by chance. They're sharing intel rather successfully.

Kate Fitzgerard (14:28):

And there's a speed could rapid, rapid, they play it out rapidly you until you stop that and then they go look for another one, share the information, move on.

Dustin White (14:41):

Yes. Yeah, I mean that's exactly it. And it's not just how fast they start and stop attacks. They know what's worked and so they'll try new things for say three to six and then they'll circle back. And we're actually seeing that in the card present environment now that volumes have kind of come back to where they were pre pandemic, a lot of old tricks starting to pop up again. And a lot of businesses and banks have been so indexed on the digital side of fraud prevention coming out of the pandemic that they've in some cases dropped the ball a bit on the card present side. And oh, guess what? All those fun schemes that we knocked down in 17, 18, 19, they're coming back again.

Kate Fitzgerard (15:18):

That is extremely interesting. So they collaborate?

Dustin White (15:22):

They do collaborate.

Kate Fitzgerard (15:23):

Is there anything you can say about what looking forward to this year? I mean actually we didn't really spell out what we were talking about a few minutes ago, but the new guidelines, I think it's called Visa Compelling Evidence three point. And it consists of some elements that the merchant needs to have and prove they have in order to push back on dubious chargebacks in which the consumer said, Hey, I didn't do that. I didn't buy that video game. Or that in many cases there it's gaming and it's gambling. This is a couple of areas where people kind of want to disavow the transaction. And when the merchant can say no, it was maybe you do these things better than I do.

Dustin White (16:09):

So there are a suite of attributes that we look for consistent patterns with transactions. So things like could be your device ID or your login credential, shipping address. And if a merchant can demonstrate a history of successful payment, then it is exactly what it says. It's compelling evidence to say, okay, Kate, I actually think you might have done this transaction and we should talk about it. Versus the old way of like, oh, you didn't do the transaction. Let's just pull big dispute lever. There it goes.

Kate Fitzgerard (16:44):

Can fraudsters hack this new approach that you're laying out? And if, I mean, I don't want you to be avoid secrets, they always say there are ways that fraudsters can beat anything. But does this narrow the target or does it still leave openings for them to try to figure out how to fake the device ID or the device footprint?

Dustin White (17:03):

Yeah, so I'll go back to what I started with. Fraudsters are opportunistic and creative. And whenever a system is put in place to deter them, they will by their very nature try to seek ways around it. So I'm sure that folks who are operating in these fraud rings that attack our network and other financial institutions, they're actively learning and watching what happens as networks evolve, as payment credentials and capabilities evolve. And they're putting on that creativity hat to think about ways that they can take advantage of it. So I don't think the notion of fraudsters hunting for data is new. If anything, data is becoming actually a higher priority target than just getting a credential that they can be able monetize at a gift card.

Kate Fitzgerard (17:55):

Data's becoming the new vector.

Dustin White (17:58):

Yes. Okay. So take something like, for those here who are from a card issuer, I think the term enumeration or account testing is probably familiar to a lot of you. That used to be a very sort of low hanging fruit: fraudster sets up a scheme, tests the card numbers over and over, oops, got a hit, monetize it here. Oops, got a hit, monetize it here. We're actually seeing less fraud on enumeration. And I think the reason for that is it's becoming one component of data that fraudsters are using for more sophisticated card schemes and attacks.

Kate Fitzgerard (18:33):

So I think we've talked about the fact that you are getting more sophisticated and so are the fraudsters. And how would you characterize that?

Dustin White (18:46):

That's going to be a battle that plays out for years and years to come.

Kate Fitzgerard (18:50):

An arms race?

Dustin White (18:51):

It is an arms race. I think that's the right term. I was listening to the panel before this talking a lot about AI, and AI plays a role in security. Obviously I think there is a much more accessible feeling to folks about AI today than there's probably ever been. We've kind of moved away from this sci-fi world of what is AI to like, Hey, I know what that is, that powers my Alexa device. Or I go to ChatGPT and type some stuff in. So I think people are finding AI more accessible. And there's even places where you can go, I'll give you the good example of this, where there are bloggers and internet publishers that will say, here's ways to stack various AI type credentials. Here are things you can do to try to put these pieces together in a creative way to solve some problem. Processors do that too. And they've got as much access to these kinds of tools as anybody because of the open source nature of the tools themselves. And so everything that we put up to test, or excuse me, to prevent, they're going to test. And they're not just testing it with their own fingers on the keys, they're testing it with machines.

Kate Fitzgerard (20:02):

So usually we have some questions and we have the guy here from Visa who can tell us the future. Anybody got any questions here? We have somebody in, I think she's coming to you with a microphone. Standby. Here we go. She's right there.

Audience Member 1 (20:29):

Hi. So you're going to love me. Good boy. I work for the USDA on the retailer side of food stamps. And so obviously we don't run your rails, but we have experienced a lot of post pandemic fraud because of all the benefits, the increase in benefits that we pushed out as well. So we're seeing that a lot on our side. I have two questions for you right now. So in October, last October, we issued guidance to states and our card issuers, which are the EBT processors on how to protect their benefits from being stolen. And a lot of states are coming to us with their state plans in order to do this. And what we're hearing from them is that the cost, which is always a thing to issue more or to implement more controls into the EBT system in order to protect the card holders. But the other one is that we don't know if we want to have all of these buy controls and these because we're worried that the cardholders will not use them, they'll not utilize them. Do you see that in your world?

Dustin White (21:58):

So yes, here's the way I think about that. There is a delicate but important balance between friction and acceptance that I think security has often, whether it's security for fraud or identity, however you want to think about that has tried to figure out, one very interesting thing we are seeing is that I mentioned earlier that consumers are getting much more digitally savvy. There is a growing body of evidence that suggests that consumers are actually much more tuned into security and upfront security is something that you actually can lose card holders if they perceive that their information is not secure. So leading with security as a part of that onboarding of a new account or a new credential is something that consumers are actually coming to expect more. Now it's not a perfect science for sure, and I think there's going to be always be kind of a continuum of adoption versus sort of resistance. But I do think that there is a growing understanding of the importance of ensuring that your digital identity is secure and a growing desire of consumers to seek out services that demonstrate that on the front end.

Audience Member 1 (23:16):

Okay, thank you. And then my second question is, in 2019 we implemented the online purchasing pilot where SNAP cardholders can now purchase food online using their benefits, and obviously in order to make an EBT purchase, you need to have the card and PIN. So we integrated a PIN pad as well and the retailers had to integrate this. Obviously opened up a new transaction type and a new way to shop for SNAP card holders. What we're seeing now with this, because in light of the pandemic, we were asked to start out with five states, five retailers, and then we got asked to open it up to the whole nation and anyone who's interested. So it went from five to 200 really quickly and it was just supposed to be a pilot. So we're learning a lot in this process right now as well. But with that, what we're seeing with the fraud is that because of the PIN and the card is that they're like fraudsters are running scripts and so they're just hitting and they're just doing balance inquiries, just seeing if they could figure out that PIN. And that's another issue too, because card holders a lot of times will have a PIN of one, a common PIN and that we're trying to help them out there. But what we're thinking with modernizing, because as well we're looking, we're just starting off the mobile payment pilot, so we're moving mobile now where SNAP card was to move, put their card onto a wallet, and then we're also states are going towards EMV on their SNAP card, but online with the card not present, we don't have a CVV. And do you think that would be beneficial for us to have something like that right now because we're still on MAG and we're still using PIN?

Dustin White (25:13):

Sure, there's good news, bad news on that front. The bad news is, and when I say bad news, you have to invest in higher order technology capabilities to combat this stuff. Just to give you a sense of scale, over the last five years, Visa's invested 10 billion in cybersecurity defense. So you have to do it. But I do think what we're seeing is that it doesn't always have to be the most sophisticated machine learning or AI algorithm. We have that. We have an entire team called payment fraud disruption, and they've got a whole suite of analytical capabilities that are constantly combing our network for what we call enumeration attacks. It's what you just described. The good news is a lot of merchants and a lot of places that we're seeing where the connectivity exists can implement some simple things that disrupt those scripts, like CAPTCHAs and testing on the payment cycle page and even working with their web host providers to look at common volumes and stopping or shutting pages down or blocking IPs. There's a lot that can be done there that isn't billions of dollars worth of sophistication. So it does take a collaborative effort here, but there are some places I think that you can really make some progress on the merchant side as well.

Kate Fitzgerard (26:37):

Here's another question.

Audience Member 2 (26:39):

Hi, my name is Katrina Lasota. We're from USA and what you stated related to the fraud and when something works, it is, I mean it's all hands on deck to get it under control because it seems to spread everywhere and it's happening really quickly, the velocity, right? Yep. And when you stated the stuff that you guys are seeing, the 2 million attacks a day and how it goes from all over the world, I'm curious to know whether Visa is working with local or international law enforcement and whether they're doing anything back to the sophistication. There's fraudsters that aren't sophisticated, but the groups that we're up against and the communication that they have, it seems like we're not going to the arms race with the right arms, I mean in some ways, right? Because they're able to move faster than us. And I'm just curious to know what Visa has done and whether you've had success.

Dustin White (27:36):

That's a really good question. We do have an entire law enforcement engagement arm to our payment fraud disruption team. That team I was talking about before, that works on what I'll say, the bleeding edge of our network to monitor and prevent attacks. And that is could be fraud rings, it could be what I'll refer to as integrity risk. So people that are trying to leverage VisaNet to move money for things that they shouldn't be, like human trafficking and other things like that. We work with the Secret Service, the FBI, Interpol, various other agencies, and often are a key part of helping them to apprehend and take those down. Now the challenge is in the very nature of the globalization of the economy in a way in that these fraud rings are set up. We've seen them set up with like a hub and spoke model. They've got kind of central operations, but they proliferated around the globe and they're working 24/7 in a connected way. We can't always stop all those folks in the same way, in the same time and with the same veracity. But we do definitely work with law enforcement and have been a key part of bringing down several rather large rings in the last, I would say even, I just was reading an update to this morning actually about another one that we took down. So it's a big part of what we do because as you alluded to, you do have to take deliberate steps to coordinate and battle fraudsters who are very good at democratizing information.

Kate Fitzgerard (29:04):

Another question

Audience Member 3 (29:07):

I'll add to that, Tony lost, I work for Verizon, so we work very closely with the banks regulators and we shut those services down from a voice perspective. So lots of the voice account takeovers, a lot of folks from Nigeria, fraud rings that will come in with a small VOIP provider making phone calls for account takeover or text messages when we work with the banks and find those situations and shut down those carriers. Unfortunately, they move around a lot to the next, but definitely coordination.

Kate Fitzgerard (29:46):

Anybody else? So our friend from the USDA mentioned pins, is that something that's commonly used now for online or is that sort of on its way out?

Dustin White (29:59):

In the digital world? I think what we're seeing more is tokenization technology as a way to sort of devalue data and secure transactions where I think a lot of the focus is going because depending on the type of token, whether it's like a device bound token or just something a merchant does, it adds a level of scrutiny and authenticity to a transaction that we're seeing drive not only better fraud rates, but also higher approval rates.

Kate Fitzgerard (30:28):

I guess I'm trying to understand why the US government wouldn't have access to that. Is it a path of on the merchant side that's expensive?

Dustin White (30:38):

I don't know. The US, I don't know the EBT rails and tech very well. So go ahead. Use tokenization technology on your network.

Audience Member 1 (31:06):

We don't have the contracts with the states for their EBT systems. It's with their card issuers or the EBT host processors.

Kate Fitzgerard (31:14):

So you're working with a lot of different fragmented systems and then you are trying to you're the, you're upstream of that.

Audience Member 1 (31:21):

We pay 50% of the admin costs in that a hundred percent of the benefits. Interesting. So whatever the states want to implement, we would pay half that cost.

Kate Fitzgerard (31:29):

Well now I'm sure that Dustin will go to work on that weekends and get that all.

Audience Member 1 (31:34):

I would love that.

Kate Fitzgerard (31:35):

Oh, of course. I think it wrapped it up for us. Thank you very much. We're going to move right into another session. Thank you.