Right on the CNP payments with Karisse Hendrick & Brett Johnson

As hosts of The Online Fraudcast, could you please provide a short presentation of this initiative? What topics you address and how has the project been received by the public so far?

With our combined unique backgrounds and experiences, we are able to provide listeners with a-360 degree view of cybercrime. Because Brett is a former cybercriminal - and not just any former cybercriminal, he was on the US “Most Wanted” List and was the founder of the first online forum for cybercriminals to buy & sell credit cards online, prior to the darkweb – he’s able to discuss how fraud is committed, why it’s committed, the methodologies & tools of cybercriminals and general observations on both the cybercrime and fraud prevention industries. 

And because Karisse has worked with hundreds of online merchants internationally in various capacities, and is often trusted by merchants to confide their current fraud issues and vulnerabilities, she can provide insight into current fraud trends from a merchant perspective along with best practices for fraud and chargeback prevention.

This first season, we’ve concentrated on providing information on how online fraud is being committed and preventative best practices for online merchants. In our upcoming 2nd season (starting late June), we will expand the content to be interesting to everyone that can do something to prevent cybercrime.

We’re greatly to be able to provide inciteful, relevant, actionable information about current cybercrime tactics, and are looking forward to continuing that live at CNP Expo, and in Season 2, on all major podcast platforms.

What are the current fraud challenges in the CNP payments environment? Any new fraud techniques that the industry should know of?

Brett: Challenges? They are Legion. The biggest challenge is a question of speed, because the cybercrooks are much faster now. The system tends to be decentralized, allowing attackers the speed of action. They have better intel, better communication, better training. It costs criminals much less to attack than it costs the good guys to defend. The good guys’ forces are centralized – they have to ask permission from upper management, the legal department, etc. They react, but they are rarely proactive. To fight on the “fraud battlefield”, merchants need to become proactive. Don’t just react to what you are seeing. Anticipate future trends and attacks, share information where you can with others, both inside and outside your organization.

Techniques? 90% of all attacks use known exploits. 92% of all attacks begin with a phishing attempt. Pay attention to known exploits and fraud trends. Pay attention to social engineering as well.

Karisse: The specific types of tactics being used against online merchants vary based on vertical, average ticket size, brand/product being stolen, and the types of fraud prevention tools a merchant already has in place. In general, however, we are seeing fraudsters find workarounds to a lot of fraud prevention technology merchants are putting in place. That’s not to say that most of those systems and tools aren’t working; most do. But fraudsters are like toddlers – if they want something bad enough, they’ll find a way. For instance, retailers with physical goods have seen a large uptick in social engineering calls trying to place orders or re-route packages in the last year. This is a low-tech workaround because those retailers have gotten better at identifying fraudulent purchases. Orders placed over the phone with a representative don’t capture device information (including IP address), and in some cases, a customer service representative may become an advocate from that order because the person on the phone was “in a hurry”, “really nice” or “having a lot of personal problems”.

Account takeovers are another example of fraudsters adapting to prevention technology. They recognized that new accounts were being scrutinized for fraud, so they have started buying usernames and passwords instead of credit card numbers and found they could bypass the typical flags a new order would receive.

What recommendations do you have for both merchants and solution providers to address these new issues?

Brett: Know your place in the cybercrime spectrum. How will a criminal defraud your company? How will a criminal defraud you? Answer that and design defences based on how you will be attacked. As an example, a fraudster will victimize a food service worker much differently than a CEO. A fraudster will attack an electronics retailer differently than a hospital, school, or avionics company.

Karisse: Most solution providers won’t be happy that I say this, but there is no 3rd party fraud prevention system that will work for every single online company. For merchants, identify the types of fraud you are experiencing in detail, then determine what you will be seeing in the future, and finally, identify the specific type of fraud prevention solutions that would help with these issues. Merchants should be identifying which layers they need to add to their prevention strategy, such as additional authentication (3D Secure, identity document verification, two-factor authentication, etc.), verification tools (like public records data, social media intelligence, etc.) or additional device information, as just a few examples.

You offer consultancy to a large pool of organizations, each of them with their own approach in terms of fraud prevention departments. Can you share some best practices for building a payments and fraud team?

Brett: Don’t compartmentalize. When you are hit, if you have been segmenting departments you will find it hurts your efforts to recover. Share and talk between departments. Build a team of members of all departments. The training needs to look at compliance versus effectiveness. Compliance is desired, but it’s just a checklist. Training employees to recognize exactly what a criminal attack looks like is the one that matters. Better yet, train employees to be safe online throughout their entire online life, because that will translate to the work environment.

Karisse: I often work with online companies at various stages of fraud and/or payments department growth within a company. Every company and situation is unique, but there are some foundational best practices that will set a department up for success.

1. Identify clearly, both within the company and within your department what the key responsibilities and KPIs will be. Often the directive for a fraud department is just “reduce chargeback losses without cancelling any good orders”. That’s not enough to build a functioning department on.

2. Communicate outside of your team what you are doing. Most people in other departments don’t know what a “fraud department” does, (or a payments department for that matter, either), let alone the impact of fraud on the company. Educate others within your company and communicate monthly metrics to senior leadership.

3. Learn from your chargebacks. Chargeback data is a company’s check engine light. It is telling you that there is a problem, and even gives you clues where to look at. Every time I work with a consulting client on root cause analytics in order to create a chargeback reduction strategy, the client is always surprised at the findings.

Considering your very different backgrounds and profiles, do you think that it is this exact combination of experience that drove the success of your program?

Brett: Both of us have over 20 years of experience as fraud professionals. Having the juxtaposition of the good and (former) bad is something that isnt seen on other podcasts. We are able to give a complete picture of cybercrime and fraud which isn’t available anywhere else. Going forward, our focus is going to be toward giving a picture of what online crime looks like from end to end, for all parties involved.

Karisse: The combination of a “good guy”/”bad guy” is definitely unique and usually what interest people at first, but often we hear from our listeners that the content, and the ability to provide two different perspectives that aren’t available in any other context is what has them tuning in week after week.

You can meet Karisse and Brett at CNP Expo, where they record The Online Fraudcast in front of a live audience. You will learn from these two experts what is going on behind the scenes and what future threats are emerging.