Redefining CyberSecurity

Artificial Intelligence and Machine Learning: The Double-Edged Swords in Fraud Wars | A Conversation with Cem Dilmegani | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

Explore the intriguing world of fraud as Cem Dilmegani and Sean Martin discuss its impact across various domains, highlighting the sophisticated techniques employed by fraudsters and the countermeasures companies can use, including AI and machine learning, to protect themselves from these ever-evolving threats.

Episode Notes

Guest: Cem Dilmegani, Principal Analyst at AIMultiple [@aimultiple]

On LinkedIn | https://www.linkedin.com/in/cem-dilmegani/

On Twitter | http://twitter.com/dilmegani

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Edgescan | https://itspm.ag/itspegweb

___________________________

Episode Notes

In this podcast episode, Cem Dilmegani and Sean Martin discuss the various types of fraud that exist and how machine learning can be utilized by both fraudsters and companies to outsmart each other.

The conversation delves into the world of fraud and its impact across various domains, from financial systems to advertising and even healthcare. The discussion highlights how fraudsters are using sophisticated techniques, such as machine learning and automation, to bypass rules-based systems and carry out illicit transactions or manipulate user behavior.

The conversation shifts to the financial services industry, where Cem explains how illicit actors might use automation to transfer funds through smaller transactions to avoid detection or bypass sanctions. They also discuss the challenges faced by banks in identifying fraudulent transactions and the complexities involved when dealing with nation-state actors.

Sean brings up the concept of open-source intelligence (OSINT) in the cybersecurity world and wonders if there's a similar database for fraud rules and vulnerabilities in the financial world. Cem explains that while OSINT might not be as powerful in the world of fraud, fraudsters can still find ways to exploit systems and bypass controls.

Throughout the conversation, intriguing use cases are presented, such as ad fraud in the B2B tech industry, where competitors employ machine-generated clicks and utilize bots to drain marketing budgets, or the concept of "feature fraud," where malicious actors manipulate user feedback to drive companies in the wrong direction.

The episode also delves into the challenges faced by the healthcare industry, including insurance fraud, where patients are overcharged for services or billed for therapies they never received. In the financial services realm, fraudsters resort to account takeovers, complex transaction models, and even shell entities to bypass security measures.

The discussion also highlights the ever-evolving world of fraud, emphasizing the need for businesses and industries to leverage advanced technologies, like AI and machine learning, to stay ahead of the curve and protect themselves from these sophisticated threats. This episode is a must-listen for anyone interested in understanding the simple complexities of fraud and the countermeasures that can be employed to mitigate its impact.

Tune in now and stay ahead of the curve!

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllQZ9kSG7X7grrP_PsH3q3T3

ITSPmagazine YouTube Channel
📺 https://www.youtube.com/@itspmagazine

____________________________

Resources

Cloud Security Podcast: https://www.cloudsecuritypodcast.tv

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SUMMARY KEYWORDS

fraud, cases, transactions, systems, machine learning, companies, ai, rules, models, identify, business, data, people, bank, learning, fraudulent, cybersecurity, solutions, entities, world

SPEAKERS

Voiceover, Cem Dilmegani, Sean Martin

 

Voiceover 00:15

Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSPmagazine. You're listening to a new Redefining Security Podcast. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately and deploying it ineffectively? Perhaps we are. So let's look at how we can organize a successful InfoSec program that integrates people, process, technology and culture to drive growth and protect business value. Knowledge is power. Now, more than ever. Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn more at imperva.com. Edgescan offers continuous vulnerability intelligence as a service, accurately identifying vulnerabilities and exposures across the full stack. All threats are verified by cybersecurity experts providing exploitable risk and remediation guidance. Virtually false positive free. Learn more at edgescan.com.

 

Sean Martin 01:35

Hello, everybody, this is Sean Martin, and you're very welcome to an episode of Redefining CyberSecurity here on ITSPmagazine, where we talk about how to operationalize cybersecurity in all types of businesses, shapes, and different sizes, all over the world. Each has their own unique way of looking at risk, and how to mitigate risk. And oftentimes we turn to technologies and look for ways to help our people do a better job at protecting the business and the revenue that they generate. And lots of risk in today's digital world. One seems to be growing in popularity in the world of cybercrime. And that's the area of fraud. And it's not a new concept. We've seen it for a long time, and it's certainly not new in terms of cyber either. But perhaps the methods in which organizations are attacked have changed. And certainly the way that we need to look at protecting ourselves and battling these attacks certainly has changed. And Marco, my co-founder, and I often say that technology isn't going to save the world, that humans have to create the technology and use it to save the world. But certainly technology does play a role here. And we're going to talk about that, specifically around AI. And we'll look at how AI perhaps can help fight fraud and maybe, I suspect, is being used to generate fraud and conduct fraudulent activity. So I'm thrilled to have a great guest on. I think, Cem, we met online on social media, I think there was a post that you made that triggered some interest for me. And thanks for being active on social media talking about this stuff. And more importantly, thanks for joining me here today on Redefining CyberSecurity.

 

Cem Dilmegani 03:33

Thank you very much indeed.

 

Sean Martin 03:36

And let's give our audience a view into who Cem is and what you're up to and why fraud is something that you're interested in talking about today.

 

Cem Dilmegani 03:48

Of course, so I have been in B2B tech for the past 20 years now. Started out as an engineer, then switched over to the consulting side. I was at McKinsey for about a decade, then I was on the enterprise side, buying technology solutions. I was also on the vendor side, selling B2B tech solutions, and at AIMultiple we sit in the middle as an industry analyst. We help enterprises pick the right technology solutions for themselves using vendor data. And fraud is quite an important area for me because a significant set of my time at McKinsey was spent serving PAC banks, and this was back in the day. And there are various types of fraud and we will get to other types of fraud. But banks are probably one of the largest spenders when it comes to dealing with fraud. And back in the day when I was working at banks, these global institutions, they had hundreds of people looking at potential cases of fraud across their operations. And you know, this could be, of course, in various stages in the process, it could be at the Know Your Customer stage, or it could be about a customer's transactions and so on. And to tell a bit of the story of how things evolved: in the beginning, we had sets of rules. And these were guarded quite well. In short, people tried to keep the rules a secret, and use them to identify fraudulent transactions. But of course, over time, the criminals learn about rules as well. And then they start to not get detected by the current rules, and then you add more rules on top, etc. And what you end up in when

 

Sean Martin 05:50

you say rules, are these business process rules, are they transaction rules, what are the application rules? What are they?

 

Cem Dilmegani 05:58

So it depends on the specific context. So when we look at transactions, it could be leveraging the network, like how similar two nodes are, to identify whether this could be fraudulent. Like, you could say that, you know, if it's a new transaction from an entity in another country, and if the country is a high risk country for you, then you should be flagging it. And these approaches are, of course, quite... I mean, the problem is creating lots of cases that actually there is no fraud. That's why you need these hundreds of people to look at cases individually. Because you know, even when a rule triggers, most of the time that is not a fraudulent case. And that has two problems. I mean, first problem, of course, you are spending a significant amount in an operational work that is not really evaluating for your business, but then you are also not catching enough of the fraudulent cases. That's because there is this phenomenon in human psyche, where that is we are exposed to inputs that are not really changing. So let's say the default case that you get is not a fraudulent case. And then you get into this mindset, or the psychology of doing the default, because it is true most of the time, but then you end up missing the important fraudulent cases. So in short, you end up as an institution, you end up spending quite a bit. But as a result, the fraudulent cases still manage to get through your systems. And, of course, over time, the maintenance of rules becomes another challenge for you, because you have this complex set of business rules. And most of the time, they're not so well documented. So you have another layer of complexity, let's say. And, I mean, we haven't discussed the types of fraud much. Before going into the solution, we can also start to discuss that a bit.
As I mentioned, banking is definitely an area from the time you onboard a customer, to the transactions of that customer, whether these transfers or whether these, this is a customer taking credit out of your bank, all of these are subjected to different types of fraud, and there's different terminology around it and there is also different expertise around it. But banks are definitely not the only place where this happens. Pretty much any payments actor is dealing with fraudulent cases as well. And you know, for example, the payment providers, credit card companies, ecommerce companies, these are all dealing with payment fraud

 

Sean Martin 09:09

and card companies, right, even points, loyalty card companies as well.

 

Cem Dilmegani 09:16

Definitely, definitely. And also not just specific to the financial system. Ad fraud is another large area that companies are burning hundreds of millions getting no value for their business via, you know, paying these actors that perpetrate fraud. We were recently talking to a customer so they were getting ad fraud. This is a B2B technology company. They are getting these clicks through search that will not really belong to their target market at all. It belongs to their competitors clicking their keywords through some machine generated approach, but that doesn't stop that these bots are also leaving leads trying to act like buyers, in short, attempting to waste the efforts of the tech man. So in short, even in domains like advertising, this plays a big role. And not just in reducing the effectiveness of your advertising. But it can also impact your sales efforts as well. So

 

Sean Martin 10:30

because he is he made me think of a use case here, since we're talking about different types of fraud. And this may be way out there. But I'm thinking about organizations, we use a few services that have an open portal to recommend new features or address bugs, and you can upvote and downvote and all kinds of funny things. And so you just mentioned a competitor using click fraud to presumably get their competition to spend money that will obviously take funds away from other activities that they can invest in. And I'm just wondering, have you seen any cases of feature fraud, so these feature request forms being misused, to get companies to build stuff that users don't even want? Really, some bot, or some competitor, said that

 

Cem Dilmegani 11:26

This would be a creative case. I mean, not specifically this, but as you know, social media and bot activities on social media, you can see them as fraudulent. I mean, especially if you consider cases like how they're impacting elections. And, I mean, it is a bit like an extension of that activity, in short, misrepresenting your audience's reactions. So you are, you know, following the wrong direction. And, of course, this could be targeted against businesses, this could be personalized to save my perception. And, you know, when it comes to these domains, of course, tools like... okay, I have to mention generative AI here, I think, pretty much in every discussion we have, we have to mention it somehow. And yeah, I mean, having the stronger language capabilities makes these bots pretend much better to be human. And then, of course, shape the decisions of it, whether it's people or whether it's businesses, to shape their decisions in the way that they want. So there are definitely expanding applications in different domains.

 

Sean Martin 12:47

So I don't know if we can pick a couple examples to help illustrate how a fraud event works, right? Why does it? Well, you kind of alluded to, in some instances, people's brains work a certain way. And we get into, you can say, right, but we get into a rut for how we look at things and some of those things might seem normal, and they might be actually fraudulent. So I'm wondering, can you kind of go beyond that a little bit and just talk through maybe who some of the actors are, the tools they use, how they target certain entities, kind of how that process flows, before it hits the business? So we kind of get that part of the picture.

 

Cem Dilmegani 13:34

It really depends on the domain, though. So are we thinking about something like the social media that I mentioned? Or is it more in the banking domain, for example? Maybe?

 

Sean Martin 13:46

So I don't know. Let's see, we haven't talked about health care, what kind of fraud might we see in health care?

 

Cem Dilmegani 13:55

Insurance fraud, that's definitely a big domain. So what we are seeing here is, in short, insurance companies being overcharged for the therapies that their insured patients have been subjected to, and the Scambia there are various estimates on how large the size of the market is. But in short, what ends up happening is that you have this document that explains in detail what has been done to a patient using specific codes. And that doesn't reflect what has happened in reality. And as an insurer, this is quite hard for you to verify. Because, you know, you get this document from a healthcare provider. And you usually they're audited, which is costly and cumbersome, or you should be doing the payment. So it is because the audit process is complicated. And it is hard to assess how big such insurance fraud cases are in healthcare, but there's definitely a significant area where, you know, certain healthcare institutions could be significantly overcharging for their services. And of course, we are all getting impacted by this, because as a result, insurers are also needing to charge more for their services. And, you know, we end up paying the result of this specific case of fraud as the people who are purchasing that type of insurance. And here, the important thing is to make these interventions look as realistic as possible. And over there, again, machine learning isn't... I mean, sadly, we are talking about ways how machine learning can help fraudulent activities. But there's definitely a case where you can personalize the interventions that have been performed on a patient to make them look more realistic, and as a result, have a lower chance of getting or an audit on your organization, and be able to profit more easily from this activity. And of course, when we start to talk about how to resolve such cases, we will also talk about machine learning.

 

Sean Martin 16:47

Let's let's stick with this example from it and see how deep we can go on and not technically but just kind of operationally how this how this looks. So this is an insurer.

 

Cem Dilmegani 17:01

It's a person that this

 

Sean Martin 17:02

is a person. Okay, so not a company. So it is a person through their insurer. committing fraud against the insurer. Yeah. Okay. So it's directly to the company. So what? I guess so are they? How are they changed? Are they changing their medical record? Or? So? I guess that's what I'm trying to figure out. Where's this information coming from and getting inserted? And therefore,

 

Cem Dilmegani 17:35

I mean, one source? Yeah, of course. So one source is the healthcare provider. So the healthcare providers, or the employee working at the healthcare provider, could be adding additional charges on top of the insurance, whatever therapies or interventions that they receive. So here the healthcare actor is gaining at the expense of the insurance company, and the person who was insured.

 

Sean Martin 18:13

Nice, I suspect there are cases where if the insurer doesn't pay, then the insured ends up paying directly as extra costs, right?

 

Cem Dilmegani 18:28

I mean, even if nothing gets paid by the insured person, then the cost of insurance goes up for all of us, because the insurance company has paid more than it needed to. And this, of course, changes how they price risk. And as a result, it impacts how they price the premiums. And as we become new customers, or as we continue our relationship with the insurance companies, we end up paying more in terms of our insurance premiums, just because some of the patients at some of the health care institutions are getting overcharged for the services that they receive.

 

Sean Martin 19:13

And do you know if some of that is automated? I'm thinking of the provider. They have some medical system that they use to generate the reports and do the billing, and are they automating the insertion of "we reran a blood lab" or "we did this analysis, this assessment" that takes time and money and therefore that's an added expense on the invoice that we're sending to the insured, or is it a manual one by one, or what do you think?

 

Cem Dilmegani 19:47

So the alteration is not something that I know of. It is more likely to be an individual person at the healthcare institution that is possibly somehow incentivized by what they are charging to the patient. Or it could be done by the by money short, somewhere in the healthcare organization or the healthcare organization itself. I mean, it doesn't have to be a massive hospital, it could be a private clinic and the doctor in charge, they could decide to, in short, include some interventions that haven't taken place. Whether there are actual cases that use automation in such a process, that I am not familiar with. But in short, it's definitely possible. But manually is more likely to be the case. And then, of course, there is the view of the healthcare provider, and there is the view of the insurance company. I mean, it's quite hard to prove that actually fraud has taken place. But there are estimates that a significant number of fraudulent cases are

 

Sean Martin 21:05

happening. And maybe we'll come back to that. So let's shift over to the world that you lived in for quite a while. So the financial services world, where I suspect there is probably some automation, and it may not happen, well, maybe it happens internally, by internal actors, but it's probably driven from external and probably a lot of automation there. So maybe a different view, can you describe some cases, from a financial services perspective, that we're seeing?

 

Cem Dilmegani 21:38

Of course, of course. I mean, this is a very common one. But one complicated thing is to transfer large sums, because it will, of course, get flagged and so on. So if you want to, I mean, if you have these illicit gains that you want to transfer to another party, making it through smaller sums that are transferred through various actors could, for example, fool old rules based systems that were just relying on transaction amounts, and also relatively simple network relationships, but they by I think, of course, Moros, they roll set, this is something that banks have started tackling even with rules based systems, but then I mean, actors that want to do such illicit transactions, they can definitely rely on automation and rely on having more accounts and doing account takeovers, and this is of course, another type of fraud, to be able to facilitate the flow of funds. For example, when it comes to taking over accounts, that's another type of fraud that they are providing wrong information to the bank to take advantage of some of the security flaws and to get access to accounts that do not belong to them. Or for example, you know, another type of fraud is related to transactions where they are having complicated models and a number of actors, a number of transactions, to be able to bypass getting flagged. And I mean, we have discussed a bit things that are in, let's say, individual levels, but then also if you think about sanctioned entities and nation states, over there as well there is significant incentive to bypass sanctions and using simple rules based controls where you are looking at the country of origin and you know, trying to find that with certain keyboard combinations, etc. And similarly with names of entities. Let's say you know, my company's name is Cem Incorporated, Cem Inc.
and then like, if you are not catching companies that are of similar names, I could introduce typos in the process, try different company names and try to, in short, get my invoices, get my transactions approved. And as a result, bypass sanctions and this is an area but of course, even nation state actors can invest quite a bit of resources to make all parts of the transaction more difficult to catch. They could be working with the amounts, with the number of transactions, they could be working with the different parties involved, with the names of the parties, with using shell entities etc. They could create a complicated and, you know, hard to identify paper trail and as a result avoid being identified as the benefactor from that transaction. So there are different levels of complexities when it comes to dealing with entities or individuals that perpetrate fraud.

 

Sean Martin 25:39

We just crossed over in the supply chain. Yeah, definitely super complex environment there. So, I mean, as you're talking, I'm envisioning this world where, I mean, if we look at weaknesses and vulnerabilities in hardware and software, there are sites one can go to, to look up: all right, which version of this IP camera, security camera, has a weakness, a default password that's hard coded, and we know what it is. And that can be exploited. Right? So somebody, bad people, good people, that fold this information together, made it public. And tools and cybercriminal services can use that data to conduct fraud, or conduct cyber attacks against those devices and applications that I am referring to. Is there such a world for fraud, in terms of the rules banks use? I'm envisioning this database that says, here's the general scope of, if you're coming from here and do this transaction amount from this device, on this system, it's gonna get flagged, but if you cut the threshold here, and you do it from a different location, you're gonna get through, all right, so kind of that open source intelligence. And then selling that and selling services that use that intelligence, and I'm kind of leading us to data, right, which then ultimately leads us to the algorithms for doing bad things and the algorithms for hopefully protecting against them. But let's start with the dough. If there's a world of, we call it OSINT in security, open source intelligence for that type of data, the workflows and the business.

 

Cem Dilmegani 27:27

I think the OSINT data here isn't as powerful as the one in the cybersecurity world where you have, you know, certain software and hardware limitations, because first of all, there is some obfuscation and the rules based processes are no longer in place. So it's a bit of a harder challenge. You look at the bank, and you don't know, I mean, you can put some effort, you can figure out which vendor they are using. But it is, let's say, not so easy to identify; these are internal systems that do not leave so much digital fingerprints on the web. But of course you can, working with internal resources, etc, you can identify the software being used, but then the rules based systems that I have mentioned are like something of a relic divers, they were around 20 years ago, maybe 15 years ago. Last being your so all of the modern institutions now use a combination of machine learning based approaches and some rules based approaches, or completely machine learning based approaches. So it is hard to have these long lasting tricks anymore. However, I believe, you know, if you search for this strongly enough, I'm sure on some, you know, some with Tor, I'm sure you can find some channels where people are discussing their successful exploits and then learning from one another's knowledge. But it is a bit harder to reproduce compared to the software or hardware world because, I mean, these algorithms are also constantly learning and then once one type of fraud has been discovered, it's going to get caught across different institutions that use the same software as well. So it's a bit less straightforward and I would say it relies a bit more on creativity versus something like looking for cybersecurity flaws in a company's attack surface which, you know, you could just do with some off the shelf tools even. But here it is, let's say, a bit less straightforward.

 

Sean Martin 30:06

I can see that. I'm also picturing maybe kind of an e-commerce ecosystem where there's an application that uses a payment platform, I should say, payment processing system. So an e-commerce site that uses a payment platform that uses multiple payment providers that connect to multiple credit cards, and there's a lot of players in that chain, and some may be a little more prone to letting transactions through, let's say,

 

Cem Dilmegani 30:36

Indeed, indeed, of course, because you know, everything is a trade off in this business. You know, stopping transactions also has its own trade off ecommerce companies don't like it, of course.

 

Sean Martin 30:49

Yeah. Yep. So that the higher threshold fraud providers, if you see that one there, then target a different different ecommerce system. Well, Oh, good.

 

Cem Dilmegani 31:00

Oh, no, I'm just saying yes, I mean, absolutely, you can increase your chances of getting through, but then, you know, not as guaranteed as, you know, attacking an old version of a software. But still, yes, you can, of course, increase your chances. Let's,

 

Sean Martin 31:22

let's talk a bit now about, I don't know, maybe we haven't really gotten into where AI may be used on the attack side. And then we'll go inside and talk about how to spot stuff.

 

Cem Dilmegani 31:36

Yes, I mean, on the attack side, depending on the type of attack, doing it at scale can be definitely facilitated with machine learning. And it also depends on the results of getting caught by the system. While some types of fraud have significant consequences when you are caught, some types of fraud, like for example, credit card fraud, you could have scenarios where you can do and get caught and still get away without being identified. And in such cases, machine learning makes sense, where the cost of a mistake is relatively low, and you have high chances to try different approaches. But I'm much more familiar with its use on the defensive side, because I mean, on the attacking side, the players, let's say, disclose a bit less or disclose a bit more with the people that they work with. But on the defensive side, it's definitely the tool to go, just because if you look at any of the domains that we have discussed, whether it's ads, whether it's, you know, financial transactions, know your customer, know your supplier, any of these processes, these are extremely high volume processes. And there are complex ways that fraud could be happening in these processes. And, as a result, definitely manual work, it's just impossible to deal with all the cases. Rules, as I mentioned, they're quite a fragile approach and hard to maintain approach. Therefore, since the past 10, 15 years, machine learning players are playing an increased role here. And some of the interesting, I mean, from the benefit side, of course, having less cost and having a potentially higher rate of catching fraudulent cases. I mean, these are, of course, clear benefits.
And if you think about the datasets that you can train your machine learning bots on, and if you take into account the case that these models can continue to learn, as your analysts identify new cases, this is just that much better way to deal with fraud. And of course, it comes with its own costs. This time, you know, instead of paying for a lot of work or force your issue making that a bit smaller, but then you are also, of course, paying the companies for the services and identifying fraudulent use cases. But overall companies are able to both reduce the rate and also have less cost and, let's say, stronger systems for catching cases of fraud, because this includes not just everything that has happened in the past, but machines can identify those patterns in ways that we may not be able to. And for new types of fraud that come up, they could see parallels, and then they could identify even new types of fraud. So compared to a rules based approach, you have significantly more benefits in such a case, but of course, it has its challenges. First of all, the model needs to be trained on your data. And you should, of course, be watching out for model performance decay. I mean, this is a general issue in machine learning: models that start extremely well can see their performance degrade over time, as, I mean, as the people committing fraud get smarter, as your input data changes, etc. But if you manage to, you know, have the model change well for your specific transactions, and keep on measuring the success rate, and also take into account how much effort you are putting in dealing with false positives, etc, and make sure that the model performance remains at best practice levels, then there's definitely significant value to be generated by this approach.

 

Sean Martin 36:35

So much in there. At the beginning of that, I was just thinking, business email compromise, where it may not be an action by a fraudster directly to an entity, but through a quote-unquote trusted source. So an email going to an employee saying, I'm the CEO, transfer this money for me, is fraud, right? And so AI, and certainly generative AI, can help craft some of those emails, live and learning from the CEO's previous, perhaps. It's not hard to get into an email system and collect emails like that. So that's one use of AI. So which makes me wonder. When we're talking about scale here, right, the scale of business processes, the scale of systems, the scale of transactions, all of that makes it hard for people to keep up, which is where technology and things like machine learning and AI come in. And it makes me think of, in the security world, we say you can't protect what you can't see, which means you have to have an inventory of all your stuff, which never happens. And if you do it once, it's changed tomorrow and doesn't look in the same reserve element at that point. So in my mind, the assets and the discovery process is the data, right? And the documentation or the knowledge of how the processes on top of that data are supposed to work, so that you can then write some rules that say, well, in the old days write rules, and the new days, I don't know, that's kind of what I'm going to. What do we do now? Is it still rules in the system that's been in the orders? And where do we write natural language, don't let transactions of this size, you know, and we create the stuff in that way? Or tell me a little bit about that, how we go from discovery to actual creation of something that can detect.

 

Cem Dilmegani 38:48

Of course. I mean, one of the common approaches is to use a supervised machine learning approach where you have examples of historical data that includes, of course, all normal cases that weren't identified as fraud and the cases where you are sure that they are fraudulent. And then instead of, you know, prompting or giving any input to the machine, this data becomes the input and source of the machine learning. So looking for patterns of similarity between the fraudulent cases, the machine learning model can make predictions about new cases that it sees. That could be because they're similar to the old ones, or even though they are not similar, there is some, in short, there is some similarity that the machine can pick up. And, you know, this technology, the way it works, for the past 10 to 15 years, the models have been using, of course, constantly updated data, constantly improving themselves. And an important metric that companies are working to lower is the false positive rate. Because with machine learning as well, you're going to get quite a few cases where it's not a fraudulent transaction, and a human needs to take the time to take a look at the transaction. And, I mean, it's the nature of the fraud management work. But that metric is the one that companies are putting significant effort in reducing. But of course, not all types of fraud are really that straightforward. There are new types of fraud emerging, like you mentioned, using large language models for email fraud. It's going to be a new challenge for provider, for pretty much any company, not also just in the end, you know, making the spam systems more vigilant, educating employees. You know, this is a cybersecurity-like challenge, but in short, with these new technologies, new challenges are going to be coming up.
But we need to keep on identifying the new types of fraud, and educating the models, I mean, retraining the models, so they continue catching them. And over that, the fraud detection software vendor ecosystem has a lot to do. They need to be coming to their clients with these, let's say, you know, new, I mean, it's not really a new capability, but these, let's say, expanded detection models, so they can be rest assured that, you know, their systems are safe.

 

Sean Martin 42:00

Love it. And as we wrap here, I want to maybe close with kind of full circle back to the human element here. And two parts of that: let's look at it from two different teams collaborating with each other, security and fraud, because I think there's one, I don't know how much there is now or if they're completely separate teams, there's certainly overlap in some organizations, but your view on the need for increased integration and collaboration of those two groups, if you think there is a need for that. And then the second is the fraud team themselves looking at AI-enabled technologies, what do they have to do in their mind to kind of prepare for that. So the first is the collaboration of security and fraud teams, and what that looks like, and then things AI or fraud teams can do to prepare for AI enabled.

 

Cem Dilmegani 43:05

I think the collaboration is definitely a no-brainer, given that the fraud teams themselves are now relying on quite a bit of software systems and the security of these systems is paramount. So if your fraud detection system gets compromised, of course, that's the worst possible thing that could be happening. And as the systems get more complex, that's something critical, because, for example, back in the day, when you had the set of rules, the system was, I mean, it was hard to maintain. But it was, you know, a set of rules. While now, in some cases, you have a black-box model. In some cases, you have a model that offers you some explainable theory of why it chose this case, or, you know, of course, in the best case, a full explanation of why a certain case was chosen. So in short, you could be at a case where you have less visibility into how the model works. And then of course, this means you have less transparency about how healthily the model is performing. And the security of the systems, the communication of the systems with your bank's internal systems, these are extremely important aspects, and as fraud detection becomes more machine learning driven, I think security teams need to be more involved to make sure of the integrity of these services. And, I mean, when it comes to using machine learning, I think this is something that most institutions are starting to get used to. I mean, I remember the previous machine learning wave, like six years ago, in 2015, 2016, there was this nice graph of CEOs mentioning AI in their analyst calls. So, you know, with quarterly reports, etc., they talk about their business environment. And then there was this graphic where the number of mentions of AI is like going through the roof. And back in 2015 or 16, I forgot the exact date.
And then some of the systems that we have discussed, these, for example, supervised machine learning systems that get fraud, that were a part of that wave. And now that they got integrated into the bank's workflows and they're operating fine, we don't even really see them as machine learning so much. It's like, you know, bank systems, it's fraud management systems. But then, you know, you get a generative AI system, it can prompt and it gives you a video, that is AI. There's a nice saying by a computer scientist that says, if something works, it's no longer AI. And so I think, especially given the hype cycles in AI, it's quite true. Generative AI is quite an important part of AI. But it will definitely not be the last wave of AI. But it is going to get integrated by attackers, it's going to be used by companies in the defense as well. For example, we have mentioned things like transaction screening for sanctioned entities. I mean, that's an interesting use case for large language models, if they can go through all of the transactions, and this is not just a network problem; also, the names in the network may not be matching the exact names of sanctioned entities, etc. So language understanding also plays a role, and these models could be creating interesting benefits there. And I think what's important for the business team is to definitely have an open mind and a fast experimentation mindset. When you work with any B, any enterprise companies, B2B vendor, and I had experience with this, you are looking into, even in a PA POC, like three months, four months cycle. Of course, vendors want to reduce these time periods, quickly show benefits, but then how are you going to get the data? How are they going to ensure that even if your data gets leaked, their data will not get leaked? And then, you know, how are you going to show the results? How are you going to access the systems, etc.?
There's quite a bit of challenges in adopting new machine learning solutions in an enterprise, but there are also some emergent solutions that are technologies like homomorphic encryption or synthetic data. So you don't have to share your data to be able to see how a vendor is going to perform given your data. So in short, you could build a sandbox environment, experiment with new and upcoming companies, see how they resolve your fraud-related challenges, and then be able to relatively quickly identify what are the new trends in this field and adopt them relatively fast, because, you know, you have had the chance to, at, let's say, low cost, try different solutions, and build enough confidence that, let's say, one of the solutions you try is higher performing than your existing solution. Then, you know, you could, of course, changing things in production takes significantly more time, but you could incorporate it into your plans. But instead of this, most of the time, what we see is that companies take significant time in running POCs, identifying the accuracy of solutions, and it takes, you know, months of investment, and then the result is, well, actually our current solution is performing better than this one. So getting into a mindset of continuous improvement and experimentation, I think, is going to be helpful as new forms of fraud emerge, and as new capabilities emerge on the side of these fraud detection companies.

 

Sean Martin 49:53

So teams can't be afraid, shouldn't be afraid. I think that it's kind of reinforcing the quote from the scientist where, if it's working properly, AI doesn't exist, right? I mean, it's not going to work properly. So there will always be AI.

 

Cem Dilmegani 50:12

Exactly, exactly. There's always going to be some new and shiny AI that's gonna things that do things that we've called betting as exactly

 

Sean Martin 50:21

And point out the flaws, and then we'll need some more. Exactly, we're ending circle. Listen, Cem, it's been a pleasure chatting with you and great to get your insights. I love the have the history and all those different roles in financial services and analyst role and GSI role, kind of have a very broad picture of all kinds of things here, and I'm grateful to have you on the show today.

 

Cem Dilmegani 50:51

Samia, Sean, thank you very much for us.

 

Sean Martin 50:54

And thanks, everybody, for listening to this episode of Redefining CyberSecurity here on ITSPmagazine. Cem will share a few resources with us to help you keep learning after you've listened or watched this episode. And stay tuned for more. Thanks, everybody.

 

Voiceover 51:15

Edgescan offers continuous vulnerability intelligence as a service, accurately identifying vulnerabilities and exposures across the full stack. All threats are verified by cybersecurity experts, providing exploitable risk and remediation guidance, virtually false positive free. Learn more at edgescan.com.

 

51:37

Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn more at imperva.com.

 

Voiceover 51:56

We hope you enjoyed this episode of Redefining CyberSecurity Podcast. If you learned something new and this podcast made you think, then share itspmagazine.com with your friends, family and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.