
A
Foreign and welcome to another Soapbox edition of the Risky Business Podcast. My name's Patrick Gray. As regular listeners know, each edition of the Soapbox Podcast is sponsored. And that means that everyone you hear in one of these soapbox editions, they paid to be here. And this edition of the Soapbox podcast is brought to you by MasterCard, which is a real sign of the times because, you know, when we think MasterCard, we think credit card brand, we don't think cybersecurity vendor. But that is kind of changing. I mean, they're always going to be a card brand first, right? But they are increasingly offering cybersecurity related threat intelligence and services to various, what would you call them, stakeholders, I guess, in their ecosystem. You know, they even bought Recorded Future. They announced that deal in December 2024, $2.65 billion they paid for Recorded Future, which is a, you know, a fairly large threat intelligence company. So why is MasterCard getting into cyber security or why is MasterCard in cyber security? Because it has been in the cybers for a little while now. So joining me to explain it all is Johan Gerber, who is the executive vice president of security solutions for MasterCard. And yeah, he really joined me to talk about why it is that, that a card brand is getting involved in the threat intelligence and cybersecurity game. So, yeah, really at a fundamental level, as Johan's about to explain, it comes down to the fact that if you want to prevent fraud, you know, it's one thing to be able to do it at the transaction layer, but really you kind of have to shift left a bit and, you know, cyber threat intelligence is a good way to do that. So here is Johan Gerber explaining that. I do hope you enjoy this conversation.
B
When we get to the final transaction, it's almost too late to prevent fraud. So if you really want to be preventative and be proactive, you need to move upstream and you need to look beyond the transaction. And so in a world that where everything is connected and we are being represented by machines or things, be that an IoT device or a phone or an actual machine, the two biggest problems that I think we need to understand and resolve is, are you who you say you are, which is an identity problem, and is this device authorized to do what it's trying to do, which is in essence the cyber problem that most of us face in CISO land every single day. And so that's at the essence of why cyber became so important to us. And so we have a traditional CISO in the organization who looks after protecting what we call the house, which is MasterCard. But then we've got this global network where we connect three and a half billion consumers who carry a card with our logo on, 150 billion, sorry, million merchants or businesses where you can use that card. About 22,000, 23,000 finance institutions in the middle. As you look at that connected ecosystem, how do we go and protect beyond just our house? And that's really where my focus is in that area. And that's where cyber is becoming a big problem for us. Every time somebody hacks into a business and steals your data, sells it on the dark web, it becomes a problem eventually for us and our brand and the integrity of our brand. And so cyber just became one of those things for us. I almost get to the point where how can you be in the online business without having a cyber capability? And that's really where that came into the threat intel component of it was how do we become more proactive? How do we understand where the threat actors are going, especially in a world where geopolitics are playing a much bigger role for us.
A
So how are you positioned to actually be able to execute on a bunch of this? Right, because look, I'll be completely honest, my knowledge of the credit card ecosystem is not great. You know, I understand that you have the card brands like MasterCard, Visa, whatnot, but then you have the sort of issuing banks and I have no idea even what sort of data MasterCard itself as a card brand can see when there are these transactions happening, happening online. So you know, okay, you've got this amazing threat intelligence capability. You develop it, you've got all of this good information, is this stuff that you can apply yourself to transactions as they happen. I mean, you already mentioned that, you know, we need to sort of shift left in disrupting the fraud cycle. But I guess I'm asking what do you do with all of this wonderful information that you, that you're collecting? How do you then turn that information into fraud prevention?
B
So maybe let me just debunk a few myths around the data that we see. So for instance, when the data that travels or traverses our network, we don't see who you are. We only see the 16 digit number that's on your card. And often that's represented by a token. If it's an online transaction, we don't see what you buy, so we have no idea what's in the basket that you buy. We see the amount, we see the name of the business where you buy, the date, time, there's a whole bunch of data around that, but there's very little. There's basically almost no PII data in terms of. Other than card numbers, which is considered PII. But it's not your name or your address or anything like that that doesn't flow over our network. That stops at a point before it hits our network. But where we see the cyber attacks happen could be a couple of places. We have cybercriminals that will do brute force attacks on our network to try to enumerate valid card numbers in order to find them, to then go and make counterfeit cards and go and use them. That's one. We have places where criminals have tried and successfully hacked into banks and actually put a piece of malware in front of their authorization system to just approve a bunch of ATM transactions. In fact, there's a very famous case dating back to 2013, which I think had a lot of media attention, where the criminals breached a financial institution in the Middle East, put a piece of malware in front of their system, and every ATM transaction that came in was just approved. And they had 300 people in 26 countries all hitting ATMs at the same time, and they pulled out a whole bunch of money. So there's all sorts of attacks.
A
I think it was 9 million bucks, if I remember correctly.
B
It was 40 million, it was 5 million in the first. First four minutes. So, yeah, so they hit them at scale, and so you see that happen. Now, other places where this becomes relevant is, let's say we have a criminal who just stole 1,000 or 100,000 or a million card numbers out there, and they're offering it for sale on the Dark Web. When that card number now gets sold and tried to get used on our network, that intelligence for us is extremely helpful, because now we can make sure that you get a new card in your hand. We block the criminals from actually executing that transaction, because every time they're successful, there's a whole process now of getting you your money back, making sure all the stuff is restored. That takes time, it takes money, it takes effort. So being proactive on that space, very important. At the same time, one of the things that we've learned is that the criminal community, they go to great lengths to either hack into existing businesses or establish businesses with fake credentials to supply the demand for test transactions. Every time somebody tries to sell or buy a card number on the Dark Web in one of these marketplaces, one of the services they offer is to run a test transaction. And those test transactions have to cross our network. So how do we find these things, how do we know about them and then just shut them down? So there's a lot of application for threat intel that comes in into our systems. And the last thing that I will mention is just helping our banks understand what kind of threats are moving around our network. So for instance, if we see an attack happening in Brazil, how do I make sure that that attack cannot immediately evolve to the United States or to Japan or to Australia or South Africa, wherever. So that's where we use a lot of this intel and then also in our network with very advanced systems and AI to just make sure it doesn't spread and we can be as preventative as possible.
A
I mean, everything that you've just described though, seems to revolve around lists of card numbers, detecting when there's strange patterns with things like transactions and whatnot. Curious, because that's the fraud discipline, I've always thought this sort of payment card fraud and bank fraud stuff, it's like this parallel discipline to pure cybersecurity, if you will, where you've got your own sort of TTPs, you've got your own detections. But it's like the indicators, the data is all very different to say, trying to determine when a file hash might be bad or an IP might be bad or whatnot. So where are you, as I understand it, you're moving more towards that sort of complete picture cyber less, just about card numbers. You know, how do you, how do you then start gluing all of this together where you've got the insights that you're developing from just doing detections on payment data, payment streams, whatever, you know, however you want to phrase it. But then you've also got this threat research going on, which is looking at what's happening on the wider Internet. Like, how do you start to bring those together? Because I'd imagine, you know, that threat research is really useful to you, but, but you're not really best positioned to execute on that. Like, is this a case where you start sharing with banks? Or like, you know, why don't you just tell us how it all works?
B
We do. So we do a lot of sharing with the banks. We also do a lot of sharing with the government. You know, one of our biggest missions is, you know, if you look at MasterCard as a, as a company, we do well when economies do well. You know, we do well when governments are doing well, when economy's doing well, when people spend and they use it. So we go to great efforts to work with governments, especially when we see threats. So for instance, if you think about what we did with Recorded Future, they bring more than 47 sovereign governments as part of their client list. This allows us to connect data between the banks, between governments around the world in order to help figure out how these attacks work. Because ransomware, for instance, ransomware per se, may not be a big threat to the actual payment ecosystem, well, to our specific transaction network. But every time one of our businesses gets attacked that cannot do transactions anymore, that loses a bunch of data of their clients and all those transactions that gets used later on by criminals. That is how the cyber and the fraud world are fusing more and more. And we actually see several financial institutions around the world that are actually merging their fraud and financial crime systems with a CISO office because they're all looking for these patterns. You know, cybercrime and fraud nowadays is almost impossible to disconnect the two. A lot of scam attacks, for instance, is being perpetrated by using deepfakes, hacking into doing social engineering. The same things we see with attacks on phishing attacks, very similar attacks is being deployed across both of them. So we see a lot of patterns and a lot of similar groups behind the scenes that are doing the same things that intelligence be able to share that through, not just the banking system, but broader. So for instance, if you take what we've done with Recorded Future, I mean we're not turning that into a financial services company.
In fact, we still want to expand its footprint because we think the financial industry is learning a tremendous amount about all the attacks that's coming that we can provide to the whole world and the same to government as well. RiskRecon is another company we acquired which is a third party risk management assessment piece. The first thing we did with that is when we bought that company, we deployed it across every single finance institution in the world, as well as about 13 million of the highest transaction processing businesses out there. And we started establishing a baseline of all the vulnerabilities that we see across our network. Now we can use that data to inform the CISOs at all of our banks say this, these are the commonalities. And now if you overlay that with threat intel, we've got the vulnerabilities, we can see through the threat intel which vulnerabilities are being exploited, and we can help our CISOs in the banks much sooner to kind of prioritize which ones they should fix. So there's a transaction layer which I talked about, but there's also an ecosystem, let's call it hygiene that we're trying to work and fix to say, how do we just raise the bar of cybersecurity across those that are connected to our network?
A
Well, I guess that's why I was asking about how are you in a position to be able to execute on threat intelligence? Right? Because you're really not. It's not like you are seeing the originating IP of transactions. It's not like you are able to understand if a merchant website has skimmer code in it or whatever. You might be able to see, hey, there's a lot of dodgy transactions coming from this merchant, which might imply that there's been a compromise, but you don't have that visibility. The banks are much better positioned for this. And you know, the banks and the merchants are much better positioned for this. So is this the idea here to sort of unify this, this fraud intelligence and cyber threat intel, sort of package it up and offer it to. Is it the vendors, sorry, is it the merchants and the banks? Or is it just the banks? Or like, what's the plan here?
B
It's both. And through the acquisition of Recorded Future, we actually do get insights into the merchant websites that have got skimming devices on them. And in fact, you know, just in July, we started actually disabling through law enforcement and relationships with companies like Shadowserver to actually take down some of those underlying infrastructure below them just to stop some of those skimming efforts as well. So this allows us to offer a package to merchants to work closer with companies like Shadowserver, law enforcement, the administrators of a lot of the directory services, just to start taking down some of these criminal pieces as well. All in that move to move up a little bit more proactive and upstream and not wait for this until it hits our transaction network because by that time you're fighting with one hand behind your back. To your point, I don't see the IP address, I don't see. I only see a very limited set of data. So all of this is giving us that ability to see more of this and then to be proactive and just keep it away from the system to start with. That's a very important. That's a good observation that you've had there.
A
Yeah. Now, you mentioned ransomware too. I'm curious about this. You mentioned ransomware and about how it looked like that's just bad for everybody. It's bad for the, you know, for people who are in your ecosystem. And as you mentioned, you literally have billions of cards out there. I mean, I'm a MasterCard holder. Right. Like Pretty much everyone I know has one. Yeah, well, I mean, it's hard not to be right, like, let's be honest. But when you mentioned ransomware, you know, I sort of got curious because you know, obviously Recorded Future has done a lot of work around ransomware and all sorts of cyber threat intel, even state actor based stuff. You know, as a payment card company. I mean, do you have any interest in, in keeping that side of the threat intel practice going? Because you've said, oh absolutely, because warm and fuzzies and you know, feels good. But like, is that really a concrete business case for you? I mean, to what extent do you see this push as being MasterCard getting into the cybersecurity business as opposed to getting into the securing payments business?
B
Yeah, look, if you, if you, if you listen to how we explained the, the services side of MasterCard. So our cybersecurity business is part of what we call our services division that we have. And ultimately the goal here is that we provide services that will ultimately differentiate the MasterCard brand. Make it more secure, make it more safe, make it more profitable, make it easier to use for our consumers, easier to use to accept for our businesses. That will allow us to expand our business, which means we get more cards out there, more customers, we grow that 3.5 billion to something more than that and that you get this flywheel of effect. So ultimately this all has got to do with how do we create to pave the road for MasterCard, to become a bigger brand and to continuously grow our business. Security in this online system is foundational to that. And that's why us helping our small businesses with ransomware attacks, preventing them from ransomware attacks, builds relationships between us and them, helps us to create a more secure environment where they can continue to do their businesses. Because like I told you, every time a business can successfully perform a transaction, that's where we benefit. So it's in our interest to make sure that we kind of protect, protect businesses. Small businesses, for instance, is one where we are particularly concerned in a world of AI where attacks can be automated and you know, you can set an agent to try and penetrate these businesses so criminals will have the ability to scale. Somebody needs to help these small businesses. For us, every small business is potentially a business that will accept our cards. So it's in our interest to kind of protect those businesses to make sure that they can protect themselves from ransomware attacks. So for us, it's a very real business piece. Now I can see why you kind of look at this and say this doesn't feel like a true cyber thing.
But for us, ultimately the trust and integrity in this online ecosystem is fundamental to our future success in a world where everything is connected.
A
I actually take a happier view on the impact AI is going to have on small business security. I did a fascinating interview recently with one of my sponsors who works with an AI based like SOC agent. They make an AI based SOC agent and his opinion is finally, small to medium businesses are actually going to be able to access a lot more detection technology and whatnot because it's going to be automated by AI. Like it might not be as good as the enterprise stuff, but it'll be something. And that's the first time we can actually say that. Now look, speaking of emerging threats, you know, you just mentioned AI there. I feel like in some ways AI has already changed some stuff, but like the true impact of AI on criminality is like yet to be borne out. As things are today though, like currently not looking to the future, but right now, what would you say the major problems are when it comes to the online criminal ecosystem? Because in your position you're sitting on top of Recorded Future and MasterCard data. So I'd imagine you'd have some good insights there.
B
Yeah, look, some of the biggest threats we have today is still, I almost say, you know, just the basic security things. If people just do the basics right, we can already prevent a big chunk of them. I have to say, ransomware for me is probably still one of the largest problems out there that folks are facing. The other piece that is coming through very clearly today is the fusion between. The lines are really becoming very gray between cyber fraud and financial crimes. Criminals are using cyber elements to get access to data in order to scam you. And once they have that money, they need to wash the money through the banking ecosystem. So the lines are grayed out. And in addition to that, we have nation states that are all this geopolitical fractions that we have around the world. It feels like cyber is somehow becoming weaponized in the hands of some of the nation states. A lot of the technology is coming to the hands also of criminals. And so again the lines are blurring, which is why the collaboration we have with governments and so forth are also so important. But those are some of the threats that for me are very, very concerning. Ransomware is still on the rise. We see more and more advanced technology coming into the hands of threat actors that are deploying them not just for criminal activity, but also for other types of activities as well. And somehow the financial industry in Many countries we are considered critical infrastructure because you operate a big chunk of the economy as. So you have that role as you see attacks coming from you, some of them with criminal intent, some of them with other intentions. And so that's some of the threats that I see will persist. And that worries me most. Now, future. Wait, we can talk about that. I think AI will definitely feature there.
A
I mean, it's interesting what you said about how some of this financial, the blurring of the lines between financial crime and cybercrime. I know what you mean there. Like you look at these online, fake online casino kits that you can license reskin and then you're using dodgy ad networks and stuff to try to pull people into your, you know, fake casino. I mean, there's no actual hacking involved there, but there's a million terms of service violations, some shady browser tricks. Like it's, it's a, it's a blurry.
B
Line, you know, and what happens here is it the criminal activity creates a market for the cybercriminals to sell more of their goods. So the need for data to phish or to do social engineering creates a market for stolen data of personal data. So people are hacking into hotel systems, into hospital systems to get as much personal data as they can. That becomes a very lucrative business for the cybercriminals that's then bought by the, let's call them the fraud criminals to execute their crimes. And then it's being offered. If you go to the dark web now, the range of services is all the way from hacking in a box to money laundering in a box. And we'll do all of this for you as a managed service. And so there's a flywheel of demand being created here where those lines are really crisscrossing. A lot of the data that gets offered on the dark web marketplaces are being pumped into AI models to create deep fakes, to create phishing scams and so forth that eventually then extract different other things. So it really has become they kind of feed off each other almost.
A
Yeah. It's interesting because earlier you mentioned identity. Right. And have you made an acquisition in the identity space? Because I was literally just chatting with an identity verification company yesterday, recording an interview for them, which was really about how they try to, you know, scan, do live capture of government id, live capture of a face, use various signals and whatnot. I mean, I, I know that the card brands have various extra verification steps to profile devices and whatever, but I haven't seen much around that, you know, around technology to Identify a person using like Live Capture or whatever. Is that, is that something you're looking at? And if not, why not? Like, how are you thinking about the identity problem? Because in my mind, there is no solution to that problem. You can do things to minimize the amount of fraud that would be prevented if, you know, if you were doing that sort of stuff, but you can never fully solve it. So I'm really curious to know what you're thinking about all of that.
B
It's a tough problem, Rodrigo, I won't lie. We did an acquisition a couple of years ago of a company called Ekata. And what they've done is they've built a very large identity graph. And so we're not so much concerned around you and your specific identity, but we are concerned around, or we are concerned around the attributes that surrounds your identity. So, for instance, I'm Johan, I've got five email addresses, two home addresses, three phone numbers. And we create this graph of how these things in the future we will build this out with. You've got so many agents that you use to buy things or that does things on your behalf. And so when you apply for a bank account or you apply to open up an account at any business, to create a business relationship with anybody out there, we look at the attributes that you put in in addition to your identity. So for instance, the address that you put in, we will say, what is the integrity of this address association with your identity? Has that been well established over many years? Is it something that's brand new? The phone number? You know, we've never seen this phone number associated with your name and your address. There's something wrong. This may be a synthetic identity. So we've got these signals of risk.
A
But as you, as you pointed out, as you pointed out, there's an entire underground marketplace for fullz. And what a fullz is, it's all of that information, right? So this is why, this is why I'm curious about how you're thinking about it. Because criminals really have adapted to those sorts of checks, right? And to go the next level, it's like it gets, it gets hard.
B
It gets really hard. And so you have to do, you have to do that and you have to look at more granular because one of those elements, ultimately, if I take over your identity, I need something that will give me control. Something like an email address or something where that's different that the notifications goes to me instead of to the real person. So we look for those anomalies. It's not easy. There's no silver bullet for this stuff, but you put that in, you put device IDs in and you start binding these things. So if I also know your typical, I've got, I don't know how many devices, 20 of them, let's say. The more integrity we have around the established relationships between your identity and the things that you use around it, the attributes, the devices, the more we can help give you a smooth path. And remember, when it comes to fraud prevention, and the same is for cyber, it's not always identifying the bad stuff, it's also identifying what we know is good and give those good transactions a really happy path. So a big part of our efforts around fraud detection is also how do I detect what's good and if it's good, how do I make sure your transaction is as smooth, as frictionless as possible versus then I create a smaller bucket of high risk transactions which I then have to disseminate. How do I deal with this? Which is very similar to the way in which we deal with cyber things. Right there is the stuff that I know that's good, this is stuff that's high risk and then I have to prioritize my high risk and start working from the highest priority. Fraud is not very, very different, which is why I think we see this interesting interaction of similar technologies being applied, similar methods, they have different data, but there's a lot of similarities and synergies between those two worlds.
A
I mean, it's interesting when I think about it, what you're most concerned with is making sure that an established identity is correct. And really when it comes to like live capture and stuff, that's about establishing the identity in the first place. And that's up to the card issuer, not you. Right. So everything that you've just said, that.
B
Is up to the card issuer, correct? Yeah, yeah.
A
So look, you know, loathe to talk about it in some ways, but we've, we've, we've touched on it a couple of times. Which is the future of AI and criminality. Like do you have any concrete sort of feelings about where that's going and what sort of challenges it's going to present in financial crime in particular? Because everyone's got an opinion, but I figure someone who's worked at MasterCard for 25 years and has your job probably going to be a more educated guess than most.
B
Patrick, I'm actually, I'm actually, believe it or not, fairly optimistic as long as people invest in AI in the right ways as well. Look, there's no doubt that criminals will benefit. They're already benefiting from this. If you just look at the progress that's been made. If you look at HackerOne, the bots now are the best red teams. So we know they can read the CVEs, they can translate them into attack vectors and they can start hitting them and they can adjust and fly. We've seen examples in the world of red teams, but we've also seen real examples in the world out there where criminals have used AI effectively to do this. Now, the same way AI can be used on the inside. And you mentioned this a little bit about small businesses getting a SOC or something that can be in my system, identify those vulnerabilities and then automatically go and patch them. I do believe this is going to be a great way for us, in a much better defensive mode, to automate things in a much better way. So I'm very optimistic when it comes to that.
A
Yeah, it removes some of the asymmetry. I think that's something that the doomers forget, right, is that it sort of levels the playing field a little bit, a little bit more, but between attackers and defenders. I remember like it was even a couple of years ago when, you know, a good friend of mine was saying, well, I mean, you know, the vuln research that these models will eventually be able to do, there's going to be an explosion in 0-day. And I'm like, well, there's going to be an explosion in patching.
B
Exactly.
A
So it's. There's going to be a period of disruption followed by like a new equilibrium. That's probably us in a better place, is my opinion.
B
I'll give you a real good example. So Recorded Future has a malware sandbox. And so we get all these samples of the malware in there and then we extract the signatures. Now we've got AI that automatically writes your YARA queries for you and then go threat hunting. So in a similar way, we can react way faster as long as we actually invest in AI in the right ways to do this. So I'm optimistic that this will allow us, and this is to your point, the way in which small businesses can benefit from this. The problem we have to solve though is how do we get into the small businesses at scale? And this is where I think the collaboration with telcos, hosting providers, all of those will all have to come together to collectively do this and enable these technologies to actually operate within the environments of which these small businesses operate. That's something that we ourselves sees as a big task for us ahead to actually bring the right parties to the table to enable this at scale. I can tell you I've lost half my hair in trying to get access to small businesses to actually pay attention that cyber is a problem. Many of them just stick their heads in the sands like it won't happen to me. My business is too small. It's irrelevant. They forget that everything is automated. Criminals will just deploy these crawlers and they will attack you. But I do think we have tech on the other side that can defend us way better and more effectively. It will remain an arms race, but it's not a doomsday scenario as far as I'm concerned.
A
Well, everything that you just described in terms of getting AI to write a YARA rule and then go threat hunting with it, I think I heard recently someone on a podcast describing AI as like automation of simple brain tasks. Sort of in the same way that factory robots automated simple manual labour tasks. So manual labor didn't disappear because we had factory assembly lines with robots on them and, you know, intellectual labor, if you will, won't. Won't disappear because we have AI models. We just won't have to do the mind numbingly repetitive annoying stuff like writing YARA rules and then figuring out how to query large data sets with them.
B
Exactly right. And the same will be true for patching. Right. The stuff that probably most people hate most. The question in my head is, will our AI models have access to the right data to automate and be more sophisticated than just the simplified rules? Exactly what you said. So a lot of that's going to be an action of how we design and what we give action and how we can safeguard those things. Not to go out of control, but I feel the power is there for both the attackers and the defenders. And there's a lot of promise in there that the defenders can be way more sophisticated and let our security professionals really focus on some of the more advanced things out there that needs human attention.
A
Okay, well, Johan Gerber, we'll wrap it up there. It's been fascinating to talk to you. The latest cybersecurity company, MasterCard. It's a bit strange, really, a bit of a sign of the times. A pleasure to chat with you. Really appreciated your insights. Thanks for joining me.
B
Appreciate it. Thank you so much for having us, Patrick.
Podcast: Risky Business | Host: Patrick Gray
Guest: Johan Gerber (Executive Vice President of Security Solutions, Mastercard)
Date: October 16, 2025
Total Content Length: ~30 minutes (adverts and non-content excluded)
In this special "Soapbox" episode, Patrick Gray dives deep into Mastercard’s evolution from a global payments brand to a significant player in the cybersecurity ecosystem. Together with Johan Gerber, Executive Vice President of Security Solutions at Mastercard, they explore the rationale, operational details, and strategic vision behind Mastercard's foray into threat intelligence—including its high-profile acquisition of Recorded Future—and how this fits into a broader trend of financial and cybercrime convergence.
[01:54 - 03:35]
Core Thesis:
Mastercard recognizes that fraud prevention can’t be limited to transactions alone. In today’s interconnected economy, preventing fraud and protecting brand integrity requires proactive cyber threat intelligence (CTI) and ecosystem-wide defenses.
This episode reveals Mastercard’s strategic shift to becoming a serious cybersecurity player, detailing its efforts in fusing payment fraud detection with broader threat intelligence, its rationale for high-profile acquisitions, and its approach to ecosystem-wide defense. Highlights include frank discussions on data limitations, the blending of cyber and financial crime, and a refreshingly optimistic forecast for AI’s constructive role in cyber defense—especially for underserved small businesses.