The latest edition of my interview series Crypto Opinion with Mike Ermolaev focused on the topic of security, featuring Michael Jabbara, the VP and Global Head of Fraud Services at Visa V.
From data breaches to cryptocurrencies, Michael shared Visa network-level insights on the ever-evolving world of cyber and fraud security and discussed the measures the company is taking to safeguard transactions. He explained the current fraud landscape, highlighting how he and his team use AI and behavioral analytics to detect and prevent fraud.
About Michael Jabbara
In this role, Michael is in charge of proactively anticipating and mitigating data breaches and payment security incidents across Visa's portfolio, geographic regions, and client ecosystems, using network-level intelligence and advanced detection tools. He has the responsibility to stay one step ahead in the industry to protect Visa's clients from any potential cyber threats.
He manages a team of 70+ cross-disciplinary forensic investigators, cyber security experts, and data analysts. Michael is instrumental in providing Visa partners with the necessary knowledge and tools to improve their fraud and cyber security capabilities. He's definitely a go-to expert in the area of fraud and cyber security.
In addition, he contributes to Visa's biannual Threats Report, a valuable resource for cybersecurity professionals. His teams' findings and research have had a positive impact on the global fraud landscape, leading to a decrease in losses and a better understanding of cyber security threats.
Visa's Multi-tiered Security
The first thing we discussed was how exactly Visa works to keep fraudsters at bay.
“At Visa, we have a multi-tiered layer of defense in terms of protecting any participant that plays within our ecosystem. Because we know that there is no single line that is going to be 100% effective against fraudsters who are very innovative, very resilient. So we have multiple lines that when combined together make it very challenging for them to be successful in their attacks,” he said.
The first point Michael brought up was the intelligence line, where a dedicated team monitors the dark web to determine fraudsters' intentions in order to adjust Visa's defenses accordingly.
“We are looking at things like how malware and ransomware families are evolving and how they are being injected across different players in the industry. We are looking at the type of data that's being sold on the dark web, personal identifiable information, card numbers, and the trends there. Is there a specific bank who all of a sudden has a lot more of their cards being sold and if that's the case, why is that? We need to go ahead and investigate it,” he explained.
In some cases, his team receives access to Telegram groups where fraudsters are looking to sell information or access, so they try to understand what they are offering.
“We're one layer behind it. The focus of our efforts is on monitoring transactions on both the bank and merchant sides, so if we see anomalies or deviations from what we believe to be legitimate activity, we will contact the bank to let them know about what we have discovered. If we suspect that substantial fraud losses will occur, we may even block some of these transactions on their behalf,” he said.
As he explained, Visa does not directly operate with cardholders or merchants, but does so through banks.
“We work with those entities to provide an additional layer of defense that ultimately will benefit the cardholder. But it's not as if Visa reaches out to you directly as a cardholder and says, “Hey there's been a fraudulent attack on your account”. It is your bank who will contact you and explain what happened,” he said.
According to him, the Visa intelligence team examines any significant data breach that occurs around the world, looks into its forensic investigation, obtains samples of the code used in those attacks, integrates it into its library, and then scans for it.
“We have a global view that we can deploy on an individual merchant level. If we find a merchant has been infected with malware, what we're going to do is go talk to that merchant's bank. Then we let them know, "Hey, this merchant in your portfolio has malware, here is the malware." You should go ahead and remediate that so that the malware doesn't steal payment information.
Also, we analyze how long the malware has been on the merchant's website. We find the accounts that transacted during that window of exposure, and we contact the banks to inform them that these accounts had been exposed to malware," Michael said.
Then, he continued, they either put these accounts under greater monitoring as hackers are likely to try and make illegal transactions on them or reissue the cards if they want to be extra cautious.
“That's how we can think of protecting the ecosystem, the transaction, and the account at the same time. We work with the banks on both sides of the transaction to make sure that they're aware of these threats and are taking appropriate action,” he concluded.
Cybercriminals Pay Special Attention To Crypto Companies
Then I asked Michael whether he and his team detected a surge in cybercrime following the growth of crypto-related activity.
According to him, Visa is paying close attention to specific malware families targeting crypto merchants and exchanges.
“Thinking about a taxonomy of malware, different malware types are meant to be doing different things. Some of them will try to shut down your system. Some are going to go in and scrape your data.
And there's a specific one that we actually just released an alert on called CageyChameleon. It is a nation state-backed malware sample that is meant to target crypto specifically through different ways.
We do see this evolution from a cyber chronic perspective where there's a lot of attention and a lot of money being focused on crypto-related firms. They're evolving their tools and their methods so that they can take advantage of the pot of money that exists in crypto,” he said.
You Can't Launch A Product That's Entirely Safe Right Out Of The Gate
With the launch of CBDCs by central banks around the world, I wondered if Michael thought cybercrime activity would increase, and if so, whether banks were prepared for it.
“I believe there will always be a learning period when a new product is launched. It is important that you think proactively about how you will mitigate the risks. But as you launch it and people get their hands on it, unforeseen vulnerabilities will arise.
So it's not a question of whether you'll be able to launch a product that's 100% safe from the get-go. In that case, you'll never be able to launch that product. It's all about the security foundation underneath that product. The key is whether or not it's flexible enough to deal with fraud when it happens, so you'll be able to quickly adjust, set up controls, monitoring, and mitigations, allowing you to deal with the fraud and let that product gain scale and acceptance,” he said.
“It applies to crypto, CBDCs, and any other payment innovation that you have out there like one-click checkout, mobile wallets, P2P, etc. There will always be those who want to hack all of those capabilities when they first come to the market. Then you can quickly react, adjust, and make sure that those attempts are stopped. After that, you keep on growing adoption,” he added.
Fraudsters Are Increasingly Using Artificial Intelligence
Following up on the previous question, I asked Michael about the challenge of combating fraud now that ChatGPT is being abused by fraudsters.
“We're currently considering ChatGPT both from a timesaving perspective and as a means of streamlining and automating some of the manual processes we perform. It can help us do some more interesting data analysis and conclusions that we're doing manually right now.
But we are also seeing a lot of developments on the fraud side with ChatGPT. We've seen documented cases where fraudsters used it to come up with new malware and ransomware families that are meant to lock access to user files in exchange for cryptocurrency,” he explained.
He added that they see attempts at using Artificial Intelligence Modelling Language (AIML) to generate much more sophisticated social engineering and phishing emails.
“You get a suspicious text or an email message and hopefully you'll be able to say, "Oh yeah, this isn't legitimate. I'm going to delete it. I'm not going to click on that link.” But if I can run these emails through a natural language processing engine and also have them include personal information about you that I've been able to get from the internet, you may think this email is from a friend or from a company that you trust, and click on that malicious link as a result,” Michael said.
“So if you have even a small increase in the number of people that click on these links and multiply that by hundreds of millions of people targeted by these emails on a daily basis, then you start to see how things like ChatGPT expand the attack surface that we on the fraud and security side have to deal with,” he said.
Cybercriminals Primarily Target Humans, Not Technology
Next, I asked him what tips he could give users to protect themselves from fraudsters using AI.
“I think the best tip is you have to stay educated on what's going on from a fraud and scam perspective, even if it's not the topic you're most interested in.
My main takeaway is that if you're ever in a virtual interaction that puts you in a heightened emotional state, for example, you get a message that says, "Hey, you're going to get an 80% discount", or "Hey, you'll lose access to your account if you don't validate it within 24 hours," then you probably have been manipulated by a fraudster. Their goal is to make you anxious or excited so that your judgment becomes clouded so that you make incorrect decisions and click on links or give away personal information,” he said.
“Regardless of technological innovations, what fraudsters are all about is manipulating human nature and exploiting your cognitive biases. So as long as you're aware of your mental state when you're going about these day-to-day interactions, you should be OK,” Michael added.
Tactically speaking, he recommends not taking an email or text message at face value.
“If you get an email from your bank saying, “We need you to validate your information.” Don't trust it. Call your bank directly. Go access your mobile app and see if that message is legitimate or not.
Here's another example where fraudsters buy usernames and passwords for your email account, then send an email to your contacts saying, "Hey, I'm stuck in a foreign country without my wallet. Can you please wire me cash to this address?” And of course, your grandmother who loves you and is worried about you is going to do that because she wants you to have access to that money,” he said.
Michael explains the key is to tell our friends and family, and especially our elders, "Hey, no, call me. Hear my voice, get my actual validation before you take that action”.
“At the end of the day, it's about trust and being a lot more discerning about who you place your trust in as we move forward,” he said.
You May Not Realize How Much Visa Knows About You
We then discussed the Visa Token Service (VTS), which replaces the 16-digit primary account number with a unique code, also known as a token, for making payments without revealing credit card information. Michael explained the security behind it in more detail.
As he noted in his comparison to airport security, which is very friction-filled, one of the best things about security is that it works without you noticing it is working.
“You have to go and take your shoes off, take the liquids out, walk through the scan or you may get an extra screening or not. And you put up with that because you don't have a choice because you have to go and get on that plane.
In payments, that's not really the case. You would use cash if there was that much friction at every step, wouldn't you? Security in payments has to be pretty much invisible, but it has to be effective.
How are we going to enable that? This is because we can build personalized and unique profiles for every account based on the data we have. It lets us know if this is consistent with the behavior of this user.
What we had previously was just transaction data – where you shop, how much you spend, when you shop, etc. With all of these additional data elements from your phone, we can analyze some behavioral biometrics, such as your typing style and scrolling speed,” Michael said.
He explained that in addition to our actual biometric data, such as thumbprints and eye scans, they can aggregate even more data to identify the user more precisely and whether this transaction originates from the device associated with that token.
There's an automatic update that occurs when you change your device, just as you don't have to change your card when it expires, he said.
“The idea is that we're creating these very tailored personalized profiles that allow us to create a seamless and secure experience as we go from the physical channel to the digital channel. And that's a lot of what we've been doing with tokenization, 3DS, cloud token framework is to incorporate all of these enhanced data streams so that we can create a much more robust view for who you are as a consumer and protect you when a fraudster has illicit access to your account. We therefore can say, "You know what, it's very different from what we've seen for this account," he explained.
Fraudsters Are Business People, Just Like Us
The next question I asked Michael was about the types of fraudster groups that Visa deals with.
“There is a pretty broad level of sophistication in terms of the folks that we deal with. You have folks who are the stereotypical 16 year-olds in their parents basement who are able to buy a script from the dark web and generate a whole host of brute force attacks that are looking to guess the card number, the expiry date, and the CVV2 by generating hundreds of thousands of test transactions in a few minutes.
There is another group of organized criminals he mentioned that profit from ransomware, malware, attacks, and lapses, some of whom were arrested not too long ago after Visa fraud investigators tracked them down.
“And then you have some state-backed organizations that are well-funded and well organized that carry out some large-scale attacks against financial institutions. You can think about the Swift hack that happened several years ago with the Bangladesh central bank, for instance. We deal with pretty much everything across this entire spectrum. And for us the overall mechanism doesn't change,” he explained.
“Our team is proactive in detecting vulnerabilities and putting in the right alerts and monitoring. When something does get tripped up, or get together, we figure out what's going on, who put the mitigation in place. And then we start to look for attribution – who carried this out, what are the indicators of compromise, as we call them, data points that can help us link an IP address to a location and ultimately to a suspect,” Michael said.
Further, he said they work closely with law enforcement to disrupt these actors and put them away, so their operations continue to be challenging.
“The whole name of the game is that fraudsters are business people, just like us. They're looking for a higher return on their investment and the harder we make it for them to do their business, the more likely that they are going to go and focus elsewhere. So that's kind of the process. Those are the types of groups that we deal with,” Michael said.
When I asked him if Lazarus Group was the most influential cybercrime group, he said Lazarus has shifted its mechanisms following some significant indictments, but they're still pretty heavily focused on crypto.
“You also have a whole host of different organizations that have really accelerated their focus on malware and ransomware. Whenever you whack one group, another one pops up using leftover tools and people that hadn't been put away,” he concluded.
IoT Is More Of A Cyber Threat Than A Fraud Threat At This Point
The conversation then turned to IoT, and I asked Michael about the ease of hacking IoT devices and whether fraud activity would increase with the growth of this sector.
“In my opinion, it's more of a cyber threat than a fraud threat, at least at the moment. And there's a couple of reasons for that. A big part of that is you have a lot of IoT manufacturing happening in low-cost markets where the focus is much more on getting products shipped out versus building a secure product that consumers can leverage,” he said.
“We've seen situations where IoT devices were shipped out with default passwords that anyone could guess really quickly and then take over them. We saw IoT devices being used for DDoS attacks with a really good example of that being the Mirai botnet which carried out a pretty significant DDoS attack a couple of years ago. So for us, it's really about how you secure these IoT devices.
Then the second component of that is how you authenticate these IoT devices. I have my smart fridge and I want it to order milk for me whenever it knows that it's run out. The challenge is how do I know it's my fridge, Michael’s fridge, that is actually authorized to make that transaction? Fundamentally, that's not a huge difference from how I know this is Michael's Netflix account that's looking to charge me 10 bucks for the monthly subscription. It's kind of a similar concept to it,” he said.
“We can work through something because you are dealing with a device instead of an account. But before we get to that point, there are some enhancements that we need to do to IoT cybersecurity to make sure that we continue to secure those endpoints as they come into the ecosystem,” he added.
“If we can leverage standards that are global and scalable, then it doesn't matter if there are vulnerable endpoints from an IoT perspective because the data is devalued. That's where Visa's token service comes into play in a pretty big way.
Essentially, what it does is that it takes the sensitive card information out and it just puts in a random set of numbers in. Those random sets of numbers can still make the transaction, but if there is a hack and somebody is able to get that number out, they won't be able to buy an iPhone.
So it's very much about how we take these security standards that are interoperable, global, scalable, and extend them into these new use cases like IoT,” Michael said.
“Again, it's all about those multiple layers of security that we want to put in. We need to ensure that every entry point is really strong, because we know there will inevitably be some sort of gap. Fraudsters are very persistent so they will find some missing piece and then jump through it. They will then encounter another layer of defense that will frustrate them.
Therefore, we are working closely with all the big digital platforms and hardware manufacturers to develop these security standards,” he added.
According to him, the likelihood that your password is being sold on the dark web is like 80% and above.
“It's already been hacked, it's already out there. So it's more about everything that happens in the background, all the analysis, all the data, all the monitoring that Visa does along with its partners – that's where the defense is happening,” he said.
Don't Give Up On Technology Just Because Some People Abuse It
In Michael's opinion, technology in itself is neutral, it's how humans use it that matters.
“For example, AI has been incredibly transformative for us because it allows us to break that tradeoff between security or seamlessness. We can have both because we can create some really complex models that allow us to differentiate good transactions from bad transactions.
But we're also seeing how AI is being used by the fraudsters. So it's really about how we create, innovate and stay ahead from some of the dark destructive impulses that some human beings have,” he said.
He compared attempts to stop AI to trying to stop math from happening. “It's really more about how you create a set of principles, guidelines, controls, standards, rules, so that the development and evolution of AI helps humanity overall rather than being used for destructive purposes,” Michael added.
In his view, technological evolution today is similar to the invention of smartphones, when people had no idea what opportunities these devices would bring other than the mobile internet. Now that smartphones can run apps like Uber and Instagram, which aren't possible on other devices, we can say mobile technology has revolutionized our lives.
Therefore, it is likely that current technological advances may bring about similar unexpected opportunities and revolutions, with potential we can't yet fathom. As that happens, Michael and his team at Visa are proactively planning to address potential problems before they occur so we can take full advantage of these innovations.
NB! This interview is co-authored with Cassio Gusson.
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.
Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.
