The Retail & Hospitality ISAC Podcast 10.11.23
Ep 37 | 10.11.23

RH-ISAC CISO of the Year, Security Control Validation with Aaron’s, Inc., and Credit Card Fraud Landscape with SecurityScorecard


Luke Vander Linden: Hello, Retail and Hospitality cybersecurity professionals. I'm Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and you're listening to the RH-ISAC Podcast. If you're a regular listener, I think by now you know that these podcasts aren't recorded live in some swanky studio at the RH-ISAC's Command Center and Security Compound. No, today I'm recording from the Hilton Granite Park in Plano, Texas, where the 2023 RH-ISAC Cyber Intelligence Summit just wrapped up last night. Almost 400 attendees, three great days of sessions, keynotes, a capture the flag, a tabletop exercise, and more importantly, I got to see so many of our members that maybe I've only met once or twice in person, or I've never met. It was absolutely terrific and I am exhausted, but I also got the opportunity to grab some of our members and even a few of our presenters into the makeshift studio we set up off the exhibit hall to record some segments that we'll be rolling out over the course of the next few months on the RH-ISAC Podcast. Something to look forward to in your podcast listening life. On this episode, I have a couple conversations we recorded just yesterday. One with Brett Cumming of Skechers. Brett is on the RH-ISAC board and very excitingly was selected by his peers as the 2023 CISO of the Year. Brett's dedication and expertise were cited as having not just protected Skechers, but having fostered a culture of trust and reliability that extends far beyond Skechers security efforts to building a future where security is core to the delivery of their product and technology. A great honor and very well deserved by Brett. We also gathered Tyler Compton and Jonathan Buckner, both of Aaron's, who gave a great presentation on a project they've been developing for over a year on security control validation. 
This definitely veered into the highly technical, so we enlisted the help of our own Ian Furr, who you may remember was a guest on the podcast not too long ago, and we dug a little deeper into their project. Finally, I'm sitting down with Alex Heid, the VP of Threat Research and a fellow at SecurityScorecard. SecurityScorecard is a great associate member of ours. We're going to talk about the evolution of credit card fraud and how retail and hospitality businesses can stay ahead of the threat actors. So no rest for the weary when it comes to the RH-ISAC Podcast. Let's get to a great episode. All right, I am now excited to be joined by Brett Cumming, who's the Senior Director of Information Security at Skechers, and more importantly, a board member of the RH-ISAC, and as of last night, the CISO of the year for 2023. Congratulations, Brett, and welcome to the RH-ISAC Podcast.

Brett Cumming: Thank you. Thank you, Luke. Very good to be here.

Luke Vander Linden: So tell us a little bit. You were surprised by being CISO of the year when it was announced last night?

Brett Cumming: I was very surprised. Yes, very honored, very surprised. It was cool to win that award. This group has meant a lot to our organization from a cybersecurity perspective over the years, really helped us out in a lot of different ways, and we always tried to contribute a lot back. So it was surprising, but very, very honored to have received it.

Luke Vander Linden: That's great, and we're so lucky to have you on our board. So I guess we should back up a little bit. For the listeners who don't know you as well, maybe tell us a little bit about yourself, how you got to the role where you are now.

Brett Cumming: Sure. So I have been with my current company, Skechers, for almost 12 years now, and did a number of different roles in technology throughout that time, and about six years ago, was asked to build out our information security program. So that's what I've been up to for the last six years, having the opportunity to start from scratch and build it out has been a fun ride. It's been a great learning opportunity. It's been great to do it at a company that's been growing. It's been great to do it with all the challenges and how dynamic everything is, and have the opportunity to get involved in a lot of different things. And RH-ISAC was a group that we got involved with early. Don't ask me how I originally found out about the group.

Luke Vander Linden: I was going to ask.

Brett Cumming: The memory doesn't go back that far, that much detail, but really glad that that was a choice that we made because it's been a lot of help as the program has grown at various different stages throughout.

Luke Vander Linden: That was good. You know, we have members, we're up to 250 members now of all different sizes and levels of maturity. So it always fascinated me when you get the chance and the opportunity to build something from scratch. A, you can make it as you want it, but also it's a huge project to just figure out what to do next. How did the RH-ISAC play a role in that, or what resources did you use to figure all that out?

Brett Cumming: Yeah, so it was really invaluable, especially early on, getting that peer perspective, getting to meet with peer organizations in the same industry, but organizations that were at different phases of their own programs. Some very large organizations that had been building programs for many years, and some that were even earlier in the process than we were. So being able to connect with those organizations and those peers at those different stages and hear, hey, what are you doing right now? Where were you when you started? What types of things do you tackle first? Getting together with other organizations that had teams that were about the same size of ours, and that was throughout as the team had grown. A lot of perspective, invaluable insight, and again, to do it with peers that are at the similar companies, the same type of companies, facing the same types of threats. Really unique and really invaluable, again, throughout that process.

Luke Vander Linden: That's great. For those listeners who couldn't tell yet, we are recording this at our summit, which wrapped up in early October, and there were some great sessions, a lot of presentations on emerging threats and how info security teams can stay ahead of those. What are some of the biggest challenges and opportunities you see now in cybersecurity?

Brett Cumming: This is a really interesting question. I am going to say something about AI.

Luke Vander Linden: I would have asked.

Brett Cumming: If you ask me about emerging threats, given the year, we have to say something about AI. I think the stuff that is really top of mind for us right now is a lot of the identity-based threats, both from the perspective of how the landscape is changing with the way that companies are using the technology, with that continuing trend that we have seen for a lot of years around leveraging more diverse and distributed technology, that traditional perimeter going away. That has been the case for a number of years. I think the part that is really significant over the last year, year and a half, is how we have seen the threat actors evolving their techniques and getting really good at attacking those identities, at bypassing some of those things that were really foundational controls for us, the push-based and SMS-based multi-factor. We have seen really dramatic acceleration in threat actors' ability to attack those things. Identity is a big focus area for us. It's a big focus area for us going forward. Then I was joking about AI, but I think that is really fascinating as well. We had a lot of really interesting conversations around how threat actors are going to use that, how that is going to change their tactics, and how it is going to enable them to accelerate some of the things they are doing, lower the barrier to entry with some of the techniques they might want to employ. I think it is also really interesting, the important part and the thing that I am trying to keep mindful of when we talk about those types of technologies, is we can expect the good guys to be able to leverage those as well. So I'm also really interested in how, as defenders, we can leverage some of that AI stuff and some of the generative technology. We've already seen it popping up in some of the technologies and capabilities that we are using today. Keep an eye on both of those as we go forward, and it's going to be interesting no matter what happens. 

Luke Vander Linden: Yeah, I'm glad you brought up both the good and the bad, because some people focus on one over the other, but there is good and bad to it. And you really can't stop people from using it. Any company that tries to prohibit their employees from even thinking about it, it's not going to be successful. Not going to work. Might as well put some guardrails up around it. One of the other topics that seems to be touched on a lot at this summit is fraud, organized retail crime, areas where cyber and physical security may be merging together and fusing together. How does your team work with other departments within your company to have a more holistic approach to security?

Brett Cumming: That's definitely a big focus area for us, specifically the collaboration, working with other teams. It's something that we have been able to really start to leverage some of the capabilities that we built originally to focus on more of the traditional cyber threats, bringing in data from different sources, being able to gather and develop insights across those and correlate activities between different types of data and platforms. Certainly, the collaboration is essential when you talk about those types of threats, when you're talking about things that cross over between a fraud team or a cyber team, a physical team, depending on what it is you're talking about. So that is really an area, like I said, that we're leaning on collaboration, but also trying to bring some of our own expertise that we built on the cyber side over the years.

Luke Vander Linden: Right. And then looking beyond the folks who are necessarily in security, whether we are talking cyber or physical or anything, what advice do you have for creating a culture of security throughout an organization?

Brett Cumming: Collaboration, I mentioned that word, that's a really important one. And going back to an earlier comment I was making about having had the opportunity to build out a security program from scratch, one of the things that was really important at the very beginning was the identity of the program, the relationship that we were going to have with the business, with the rest of the different departments in the organization. So we had that golden opportunity to really build a relationship how we wanted to. So starting from a culture of being proactive, bringing awareness, really asking that question all the time, how can we help, trying to bring value in whatever way we can, again, going back to some of our own competencies and capabilities and taking a second look at those and trying to figure out who else could benefit from some of these things that we have developed and some of these things that we think we do well. So leading from that approach, again, partnership and communication and collaboration.

Luke Vander Linden: So I'll ask you another culture question now. We talked about the culture of security. The S in RH-ISAC stands for sharing. We think it's very important, our members think it's very important to share and collaborate amongst other members of the RH-ISAC. How do you create a culture of sharing amongst your security team?

Brett Cumming: Leading by example, I would say, is the first and most important way. Having had the opportunity to get involved with what was actually R-CISC at the time we first got involved and having a small team, building that internal culture of collaboration and sharing by showing folks that it's okay, that it's important, it's valuable, helping to set up those guardrails so that folks know what type of stuff is valuable to share, what type of stuff is okay to share. Getting involved and leading in that way and really trying to push the team to get involved and help them see the value and see the benefit, and I think that's a place where RH-ISAC has been unique because of the different working groups, the different folks that get involved at the different layers of our organization that really are peers, no matter what level you're at or which part of an information security or cybersecurity program you're working in, you can find a peer that's got your job or a very similar job working at a very similar company. So that peer-to-peer connection transcends throughout our entire organization. So we're really trying to help the folks, again, leading by example, but also help them to connect with those other peers, get them involved in the working groups, and it doesn't take long for them to figure out the value and appreciate it and be able to share back.

Luke Vander Linden: That's terrific. I hope all of our members and non-members are listening to that because it's so vital to protecting our property. So you mentioned that when you joined the RH-ISAC, it was called R-CISC. We have a bit of a history. That was a while ago. You've been on the board for about a year now, so you have some insights into the organization now and how it's run. Next year, 2024, is our 10-year anniversary. You've been around for 10 years. What are you most excited about for the RH-ISAC as an organization as we look forward as an organization?

Brett Cumming: Well, I've been really impressed. It's been incredible to see how the organization has grown and changed over the years that we've been involved, the ways in which RH-ISAC as an organization has matured, their own operations, their own capabilities, the quality of some of the services, the intelligence reports, the value add that RH-ISAC brings, along with the maturity of all the different organizations, the member organizations that are sharing and contributing. Seeing that journey of both growth, where there's more member organizations, there's more sharing, and there's really good frameworks for high-quality sharing. So we're seeing a value in a lot of different ways. So I'm excited to see that trend continue. I'm excited to see continued growth, and I'm excited to see that continued maturity.

Luke Vander Linden: So speaking of growth, last night you didn't just get the CISO of the Year award, you also got a new award from the RH-ISAC, one that I'm more proud of because I got to give it to you. And it honors members who have done exceptional work in helping us grow the RH-ISAC membership and develop the community by helping us reach out to non-members and cultivate those. So you and I have worked a little bit on our membership initiatives. You're on the membership committee with me. So I'd love to hear your thoughts on why and how do we prioritize this effort of growth and why you think it's important.

Brett Cumming: It's important because of the value that we get from the organization. And it's real easy for me to talk about RH-ISAC to other folks because it really comes from a place of complete honesty. This is not a vendor-led organization. This is an organization that's really driven by the members. These are peers that are fighting the same battles that we are day in and day out. They have the same kind of challenges, the same kind of struggles. And so when I'm out in the world meeting different folks and we're talking about the challenges and struggles, it's not hard to bring up RH-ISAC as a great resource for other peers. And again, like I mentioned before, being able to operate at different levels and different stages, it doesn't matter if you're a huge organization and you have a really advanced program or you're just starting out and have no idea what you're doing, there's probably going to be something that's valuable for you.

Luke Vander Linden: Excellent. That's so great. Brett, congratulations again for being CISO of the Year. Thank you for serving on our board and thank you for joining us on the RH-ISAC podcast.

Brett Cumming: Thank you. Great to be here.

Luke Vander Linden: By the way, CISO of the Year was one of 35 awards that were given out at the member meeting and celebration last Tuesday night. These awards recognize outstanding companies and individuals who have displayed extraordinary dedication to the RH-ISAC's mission to build a collaborative sharing community that enables consumer-facing organizations to defend against cyber threats. CISO of the Year was one of the Peer Choice Awards voted on by RH-ISAC members. Target was also acknowledged by their peers with awards for both Overall Team of the Year while their Director of Cyber Threat Intelligence, Matt Brady, was named Practitioner of the Year. And for the second year in a row, Palo Alto was voted Associate Member of the Year. Then there were a boatload of awards given to member companies and individuals for sharing and collaboration. In fact, we have a challenge where members compete against each other. The big award winners were the teams from Kontoor Brands, IHG Hotels and Resorts, Marriott International and Target. Teams and individuals from Sheehan, Kroger and Dick's Sporting Goods were also singled out. Congratulations to all the award winners and kudos to them and all of our members for making the RH-ISAC such an active and robust sharing community. All right. And now we're joined on the podcast by Jonathan Buckner and Tyler Compton, both of Aaron's, and you're both on the Security Engineering team. Welcome to the RH-ISAC podcast. And we're also joined by our own Ian Furr. You might recall Ian was on the podcast talking about his more volunteer activities a couple episodes ago. Welcome back to the podcast. Also from our Security Engineering team.

Jonathan Buckner: Thanks, Luke. Happy to be here.

Ian Furr: So Jonathan and Tyler, you did a session for us at our recent Cyber Intelligence Summit on security control validation. Why don't you tell us a little bit about yourselves, what you do at Aaron's and a little bit about the subject that you had for the session?

Jonathan Buckner: Yeah. So I guess just real briefly, I'm still relatively new to the cybersecurity field. I went to Sam Houston, graduated, got my degree in cybersecurity, graduated about a year ago, came on as an intern and managed my way to a full-time position. And now here I am. Last year, I attended the summit as an intern and then somehow turned around and now I'm here presenting this topic. So security control validation is a really interesting topic and something that I wasn't honestly super familiar with until we got here. But security control validation, if you're not aware of it, it's just making sure everyone has established security controls, but you don't know that it's working until you actually start getting attacked. And none of us actually want to be attacked. So you might as well attack yourselves so you know what's happening. And then you can, you know, validate your controls are working properly and go from there.

Tyler Compton: Right. And I'm Tyler Compton. I lead what we call the ATS team. We really just do threat services and internal Red Teaming at Aaron's. So I'm the lead engineer on the team with Jonathan. This was mostly his project, but a lot of guys on the team had a hand in building it out, even from other departments in the Aaron's security team. So just shout out to all those guys while we're here as well. For the higher level, security control validation is really a way to show value in your security control program as well. So what we're mostly concerned with when we built this out is how do we build some metrics that we're going to report up to the people that are eventually going to be buying back into our security program. This has had great success in getting organizational buy-in for offensive security operations at our organization.

Ian Furr: Awesome. So that's a great intro, guys. Thank you so much. The title of your talk was security validation on a budget. So can you go a little bit into the talk itself and what brought you to this point?

Tyler Compton: Right. So I'll take that one. We were originally paying an exorbitant amount of money for security control validation, as many organizations are. And I've talked to several people, other engineers who are utilizing some of the same tooling that we're using for this project, and they said, well, it's just the time sink and we already pay a vendor to do it, so we haven't really put the time into it. When Jonathan here was an intern, he took this on as a project, and I don't know that many of us thought anything big was going to come from it at the time until we looked at what Jonathan had done, and all of a sudden we were like, whoa, there's incredible value in this, right? So we ended up completely cutting out our security control validation vendor. I won't name any names, but we saved our organization into the six figures, and I've been telling a few people as I'm talking to other engineers that if they just take the time, and it's a time sink, it is, but if you take the time, the monetary value you get out of it, the customization you get out of it, and the organizational buy-in and value that you're going to add back into that top level visibility into what you're doing is immeasurable. You can't quantify that with revenue. Our budget is $0, so this is a completely free thing that just takes human labor.

Ian Furr: That's fantastic. So you mentioned that $0 budget. Do you want to get into some of the tools that you're specifically using in this project?

Jonathan Buckner: Yeah, so we actually use a combination of technically three different tools. Two of them are free or open source tools, and one of them is actually -- so shout out again to our Aaron's team. We have an absolutely amazing automation engineer who's done a lot of the behind-the-scenes grunt work to kind of pull it all together, but more on that later. So basically our main two tools, so you have to have some way of actually attacking or testing your controls, some way of documenting and reporting those tests, and then to make it hands-off, you have the automation to kind of tie it all together. So that first tool we have is from Red Canary. It's Atomic Red Team. It's an open-source project hosted fully on GitHub, and you basically just download this. Everything's routed back to the MITRE ATT&CK framework as well. So all the TTPs and all that follow perfectly with the MITRE ATT&CK framework. Actually, all of our tools do. And it hosts all of those attacks that we can then run and choose to run against any of our network machines, whether it's a Windows, Mac, or basic Linux, or any of those. So it's a lot of customization ability and scalability with it, all run locally, that you can then use to run attacks either on that machine itself or using remote PowerShell or anything else to attack other machines on the network as well. So that second tool we have is Vector. It's from the guys over at Security Risk Advisors, and they created a great tool that's used primarily for documenting everything you've done, so you know exactly what you've already run. You can put in there saying, hey, I want to run these in the future, and then you can report exactly what happened. And they work well together, so they actually partnered, I believe, the two. So they actually have a specific logging style from Atomic Red Team that then works perfectly when you import it into Vector. It logs everything, attack times, techniques, every command run.
And then, so that's the Red Team side of that, and then you actually have the ability to go in and record your Blue Team side and see, okay, well, exactly what alerts fired, what got blocked, what just, you know, squeaked by without notice. And then our automation is just pulling them all together, making it all hands-off, and making it run flawlessly.

Ian Furr: Awesome. So you mentioned that Red Team side of things and the Blue Team side of things. What do you see as the relationship between security control validation and something like a Purple Team?

Tyler Compton: Right. So security control validation is a necessary component of a robust Purple Teaming operation, right? So you can have human Purple Teams where we're doing human testing, and we've done that in the past. We have a qualified incident response team that we work with who mans up our Blue Team side of things, and there is a place in some of the tooling that we use to record those processes as well. So it's all in a unified system, that's Vector. Security control validation, as we're using it, is an advanced form of Purple Teaming where we're automating a lot of the processes. So it's not related to Purple Teaming in and of itself, more that it is Purple Teaming in and of itself.

Ian Furr: Awesome. That was exactly what we were looking for. So kind of moving down into this, in your presentation, you outlined that five-step process, and you had hit on some of those points. You just want to go back through them as you guys did in the presentation real quick?

Tyler Compton: There are five components to this, right, and I'll start back to front and then go front to back because I feel like a lot of people understand it better back to front and then front to back. So we always talk about how we communicate our results, right, and a lot of organizations have that figured out already. You've got Power BI, you've got some metrics, you've got somebody that maybe generates and reports your metrics, you've got a board meeting every quarter where you talk about metrics. Everybody loves metrics and bar graphs and all that stuff. I'm not a huge fan. So we didn't really worry about that portion of what we did because our organization has that figured out, as most do. Going back behind that is usually where the engineers get interested because before reporting, you have to think, what are your successes and what are your failures? So we're validating security controls, so did things alert as intended? No. Okay, somebody's got to fix that, right? And so assigning those roles is also something organizations usually have done already. That's going to be your incident response team, your EDR team, the guys that are really tuning and tooling. You might even have a specific engineer for tuning and tooling. We have in the past, and that's another component of this that's already built out for most people. You go back a step further and you have to have a way to interpret your results and collect the results. Those are really two separate components of one thing, though. So Vector does all of the collection as well as makes it very human readable for our interpretation, right? Obviously, a lot of old school engineers can interpret data as it comes in many formats, but we're really concerned with repeatability of processes. 
So using something like Vector to make the data very human readable and get not only engineer interpretable results, but if I hand this stuff to my CEO even, who's not a technical guy at all, he can make heads or tails of it, right? And so that's really why we kind of targeted Vector for that portion of things. And taking it a step further, before you can interpret any of the results, before you can collect the results, we have to generate them. So we have to make a test, right? And that's what we use Atomic Red Team for. So back to front, and then front to back, we test the security control using Atomic Red Team. We collect the results using Vector. We interpret the results using an engineer doing the human readable output from Vector, and that interpret result step, that includes much more than just an engineer in the organization. Anybody can get in on that. So our CISO loves to drop in. He's an old engineer, so he loves to drop in on our engineering calls and stuff, and he'll sit there and talk about ideas and what we might do. And from there, your organization's already got it figured out. You know who's going to remediate your results usually, and you know how you're going to report these things. So a lot of our task was just those first three steps, and it didn't take much time for us to nail those down. Jonathan did a pretty good, great job at it.

Ian Furr: Awesome. So you kind of mentioned this with the failure remediation and stuff, but do you want to get into kind of gap analysis and how you've been able to work that into your process?

Tyler Compton: Yeah, so what we realized is that we never had a formal gap analysis program to begin with, and the security control validation program allowed us to start making those gap analyses. So it was kind of the, we put the horse before the cart in a sense. A lot of people have formalized gap analysis, but they're seeking something to better get an idea of what needs to be analyzed. This gave us a head start on that. So we were able to already kind of start noticing things that cropped up as part of the process, and it was very intuitive gap analysis at that point.

Ian Furr: So from here, do you want to get into kind of a breakdown on Atomic Red Team's attack patterns and how you've been able to use those to your benefit?

Jonathan Buckner: Yeah, so like I said, everything is mapped back to the MITRE framework. I mean, it's pretty much an industry standard now, and so it's awesome that not just one tool but all of our tools are able to map back to that. So that's a great framework to start with. The exact attack vectors that you use with Atomic Red Team are all PowerShell based. And it uses something called Invoke-Atomic. There are also Python availabilities out there. I'm not super familiar with that side of things, but basically it's all just command line driven and PowerShell. It gives you all the switches. You just go and identify, okay, I'm running, you know, T whatever. You can specify even which subtests of that you want to run. There's plenty of other switches for different logging styles. There's an atomic runner scheduler of sorts. And what's actually neat about that is it'll actually go in and change the host name of the machine that it's actually being run on, or the victim machine, which helps with alert correlation, because that can be one of the more difficult aspects and most time consuming aspects for sure. So there's a lot of different switches there, including custom input args as well. So let's say you're running a password attack of some sort, or let's do a new user add. You go in and so the defaults may be admin and password123, but let's say our network requires special characters and the default doesn't have one, you can just quickly add in dash custom args for the password and change that to something that does fit your password complexity. Just a random example there. And then everything is actually -- so taking a step back from the command line, everything is built in YAML files and markdown files. And you actually have access to those once you download them from GitHub. And it's extremely easy to go in and modify everything.
So if you're doing like a DLP test, I think their standard from MITRE is, you know, just this is a DLP test, which most DLP tools probably aren't going to pick up on unless you have really strict exfiltration rules. But you can actually go into the YAML file and change that text from being, this is a test to, hey, this is John Doe social of blah, blah, blah. So it really gives you that customization and scalability all the way to the fact of creating your own brand new custom atomic. So if there's a zero day that comes out and no one out there has created an atomic for it yet, you can just as easily go in and create something new to test that new zero day.

Ian Furr: So you've mentioned that repeatability, but also the scalability there. How often are you guys doing these tests to get those baselines and maintain them?

Jonathan Buckner: Yeah. So we created a two week cadence that just works best for, you know, our workloads. So basically, you know, biweekly we'll be actually executing tests. We have a weekly meeting where we discuss, hey, we're going to run this test, make sure that, you know, our Blue Team or response team is on board that, okay, here's what we expect it to do. And then the following day we'll go execute it, take the rest of the week to, you know, go through our SIEM and see, okay, what actually got alerted to, what were the results of these tests. Following week, we report back and then send for remediation and then just continue that cycle every week. Go ahead, Tyler.

Tyler Compton: Yeah. I just wanted to add that a big component of this is taking the entire team into a space where you're actually Purple Teaming now. So one of the challenges that we had to overcome is we have a very traditional security group and no Purple Team to start out with. So we got the incident responders really interested in this tool just by showing it to them. And then after we created this cadence, probably about a couple of months in, we were like, hey, let's just start a Slack channel and we're going to call it Purple Team Slack channel, you know, but we're not a formal Purple Team. We never told anybody they were going to be on a formal Purple Team. We just kind of eased them into it. And getting that interest first, you kind of get people to drive the truck themselves, so to speak, and you get your Blue Team aspect really on board there. And the reason we call it a Purple Team though is because we also don't need those incident responders, right? So in true Purple Teaming, you're one unit. There's not a Blue Team, Red Team scenario. And we can function because we have access to the SIEM and things like that as our own Purple Team as well. But we like to work with the people in the organization that are responsible for the tools that we're testing.

Ian Furr: Yeah. Have you seen the buy-in from those, that Blue Team side of the house match what you guys have done on the Red Team side?

Tyler Compton: Yeah, absolutely. If not more, I'd say anytime somebody does something like what Jonathan did and brings a whole new project on and it's free and it doesn't cost any money and you don't have to go through, no offense to any of our vendors, you don't have to go through a vendor sales route to get anything done with it.

Jonathan Buckner: Yeah, it is called on a budget after all.

Tyler Compton: We get a ton of engagement from everybody in the team, from our automation engineers to our application security guys. They're wondering, you know, like, how can I test my web applications with this? And a lot of that has to do with a good security culture at our organization as well. So from top to bottom, you have to have a good security culture to really unlock the power of anything you're doing.

Ian Furr: I mean, it takes a village, but especially with Purple Teaming, you're not going to see any of those benefits unless you've got everybody on board.

Tyler Compton: Right, right. And like Jonathan said, having a good automation engineer who's a super nerd to grab ahold of this stuff and just obsess over it is helpful too.

Jonathan Buckner: Oh yeah. The amount of time she's been like, I'm finally having fun on an automation project. So she's really developing it just for us engineers. So we're nerding out with all the Star Wars references, all the Lord of the Rings references and all of that.

Tyler Compton: Oh yeah.

Jonathan Buckner: So, you know, we're really able to have a lot of fun with it because I'm sure most of us in security already love our jobs, but we just love it that much more now.

Tyler Compton: Just a caveat, because I am the Star Wars nerd. Our automation engineer has come up with custom icons for whether or not a test was successful or not in this little GUI that she's developed and the Death Star destroying Alderaan is a successful test.

Ian Furr: Well, that begs the question, successful for who?

Tyler Compton: Well, I was about to say successfully failed.

Ian Furr: Okay. Yeah, yeah. So it sounds like you guys have been working on this project for a good amount of time. What's the timeline been from when you started to what got you to this point?

Jonathan Buckner: Yeah, so it's been about a year, give or take, probably a little over a year now. So it started when I first got hired as an intern, May of 2022. And our security architect or my manager was like, hey, so I got this really cool project I want you to take a look at and see if it's something that you could implement, something we could utilize. So that really happened, you know, obviously coming straight out of college, not knowing anything about the enterprise. It took me a couple of months to get my feet wet and understand the enterprise environment. So I'd probably say about mid-summer. And then, I mean, it's still actively being developed. We're not going to sit here and say, hey, we have it exactly how we want it. We just have a lot of really cool ideas that we may or may not be able to get there. So at this point, I'd say we're really far along. And we're finally able to get to a position also with just schedule availability and cycles to get that automation part really rocking and rolling. And so I think we're at a point now where all the legwork is done, and so now it's just going to skyrocket from there.

Tyler Compton: Right. And I want to point out, too, this isn't a continuous process of development that's occurred, either because we also have responsibilities that are legacy from the organization, right? So we couldn't just go off and do Atomic Red Team with no other responsibilities. So sometimes it's been, hey, we're going to run what we got, and it's not great right now, but we have other responsibilities to take care of. But we always keep it on our mind. I think keeping your organizational sprints in line is going to be the key to success here. Never table something and just don't come back to it. Because we've all done that before, right? Like everybody said, we're going to get this done this quarter. And then life happens. It doesn't get done that quarter. But then it doesn't get put on the sprint cycle for the next quarter or the next quarter. And then you're looking at fiscal year next year and, oh, there's that thing we were doing.

Jonathan Buckner: Three years ago that we put in the mothballs, yeah. So to add on to that, I lost what I was saying, but one of our questions that we realized I kept getting asked over and over in our presentation was, so how big is your team? And really, it's just the two of us. Two of us and an automation engineer with the direction of our managers. But it's a really small team, again, who have other responsibilities. So you don't have to have a massive team of 10 people just dedicated on this project. And like Tyler said, a good chunk of it has really just been done by one person, obviously with the help of everyone else. But it could be done by a team of one if you needed to.

Ian Furr: That's amazing. So with that in mind, is there any advice you would give to an RH-ISAC member or a listener that was looking to go through this process with either a team your size or with any more resources?

Jonathan Buckner: Get an automation engineer.

Tyler Compton: Right, but really, take it slow and do it right, okay? You're not generating value if you're just hammering things out as fast as you can, right? You want to make sure that this is the right fit for your organization. I believe it can fit any organization, but you need to get that buy-in from your senior leadership and make sure they're on board, put it on the sprint cycle, make it official, get other people involved. If you have someone in your organization who's Red Teamed in the past, Blue Teamed, Purple Teamed, et cetera, get them involved even just as a consultant. I think this project could be one of those things where junior engineers really make their name off of it, because it's not incredibly difficult to do, but it takes cycles. And what do a lot of junior engineers have a lot of? They've got some time, right? But they have to be allowed to do it is the thing.

Ian Furr: Yeah.

Tyler Compton: So that senior leadership buy-in, it's really critical. No one should ever hear the phrase, why are you wasting your time on this, right? And we've all heard that phrase before. It's not contingent to healthy business practice and it's not contingent to innovation. So if you want to innovate, you want to take things to the next level, let the junior engineers junior engineer, let them be creative, right? Like the entire idea behind why we're called engineers in the first place is because we're creative scientists. That's the way I look at it. That's why IT guys, along with mechanical engineers can be called engineers because yes, we have a technical skillset, but our creativity has to shine through that at times to really get good work done.

Jonathan Buckner: I would say so as the junior engineer with the extra cycles, I would say, you know, to really anyone, but you know, obviously, especially the juniors who, you know, this may get pawned off to, is take advantage of your resources. Don't be afraid to ask questions, and that goes for everything really. But the documentation specifically with Atomic Red Team and Vector are incredible. So like I said, with Atomic Red Team, everything is already documented on GitHub and they truly do take advantage of their Wiki page. So everything is well documented there and they even have a ticketing system. So if you have questions, you can submit them there, submit feature requests. So there's a lot of great documentation there as well as a Slack community as well. So you can hop on a Slack meet for Atomic Red Team, ask any questions, hear ideas from others utilizing it as well. And the same thing goes for Vector. I think it's actually a Discord server that you can go in and ask questions, get advice. You know, they push all their, you know, new updates, give you advice of things to take advantage of. And again, they also have a very robust documentation on their website as well.

Ian Furr: Fantastic.

Luke Vander Linden: Yeah, this is great. I mean, congratulations, Jonathan, on spearheading this project and congratulations, Tyler, on finding Jonathan when he was an intern and holding on to it.

Tyler Compton: Thank you.

Luke Vander Linden: That's good stuff. And I want to thank both of you, Jonathan Buckner and Tyler Compton, both security engineers and our own security engineer, Ian Furr. You guys are from Aaron's. Thank you very much for sharing this, not only on our summit, but here on the podcast. I think it's going to be very valuable for your fellow members.

Jonathan Buckner: Yeah, it's been a pleasure. Thanks for having us.

Tyler Compton: Thanks for having us, guys.

Luke Vander Linden: We're now joined by Alex Heid, VP of Threat Research and fellow at SecurityScorecard. Welcome to the RH-ISAC podcast.

Alex Heid: Thanks for having me, Luke. Looking forward to speaking today.

Luke Vander Linden: Yeah, thank you. And thanks to SecurityScorecard for being such a great associate member of ours, very supportive of our members and of the RH-ISAC. Tell me, what does it mean that you're a fellow also, in addition to being a VP of Threat Intel?

Alex Heid: Yeah, sure. So with my fellowship role, it's essentially, it was a promotion after having been in the executive team for, what, about nine, ten years now. And so I was moved into a fellowship role, which is essentially sort of an honorary title where I get to work with basically all the teams and have a lot of the institutional knowledge from basically since the company was still a PowerPoint. And so I bring that to the table and basically I'm able to liaison with all the different teams to make, the way I phrase it, to get the ball across the line.

Luke Vander Linden: Excellent. So you have a pretty good insight into what's going on across different sectors and across all your clients. You know, usually when we talk to members who mention SecurityScorecard, and we do, they have a pretty good sense of what you guys are and what you guys do. So for those of us who might be listening that don't know what SecurityScorecard does, maybe you can give us a quick description.

Alex Heid: Sure. So SecurityScorecard is a platform that acts as a third-party risk management rating system. And in addition to that, we also have an array of threat intelligence and cyber risk management services. But primarily we are a vendor risk management platform for the purposes of third-party vendor risk management.

Luke Vander Linden: Excellent. Yeah, third-party risk is something we talk about a lot on the podcast. So I was thinking we would pick your brain today on credit card fraud. So from your viewpoint, from SecurityScorecard's view, what is the current landscape on credit card fraud and how is it evolving?

Alex Heid: Sure. So it's quite interesting because a few years ago when the EMV chip was introduced into credit cards, personally I kind of expected a decrease in credit card fraud, especially when it comes to physical card fraud such as cloning. But one of the things that we've observed is that not only did that not make much of a difference, but credit card fraud is now more prolific than it was ever before. Just the number of underground resources selling websites, the methodologies of malicious actors that are collecting credit card numbers from both skimming and web application attacks has also evolved and scaled. And we can go into this a bit, we can talk about this later, but it's actually entered the mainstream now where there's a very popular genre of hip-hop called scam rap that will actually break down step-by-step how to engage in these types of credit card fraud activity. And it's not just some corner underground niche, it's actually mainstream now.

Luke Vander Linden: That's amazing that you can get instructions on how to commit credit card fraud in musical format. So what are the most common methods? I think we've heard of skimming, but what other methods are threat actors using that target, specifically retail and hospitality if you wouldn't mind delving into our sector?

Alex Heid: Sure. So there's a few methods of going about it. So primarily with retail and hospitality, so we'll break it down into two buckets. In-store fraud and card not present fraud, or being present using a cloned card or doing something online with just the card number. So we'll start off with the online version of it. So when it comes to the -- I'd say 10 years ago, maybe a little over 10 years ago, the way malicious actors would be able to obtain credit card numbers is typically they do a web application attack, usually an SQL injection that would dump the database from a website. And if they're not storing it right, they would have the unencrypted credit card, the three-digit codes and all that. And no one's supposed to do that even though it's not PCI compliant. There's still enough shops doing that to make it an issue. But fast forward to modern day, all that's pretty much handled. Everyone's using tokenized authentication features like Stripe. So what the hackers have done -- and it's really interesting -- is they're no longer really interested in attacking the backend. They're attacking the frontend. So once they're able to hack the web application, they're not necessarily interested in the database, but they are interested in what the user is typing. So there's a piece of malware called Magecart that is incredibly popular right now and circulating. And what they'll do is they'll infect -- and it's not just Magecart. There's various JavaScript keyloggers that attackers are now using on the checkout forms of websites in order to keylog everything that a user's typing in and then send it off to a command and control center. So that's one of the primary methods that credit cards are being collected online through JavaScript keylogging and also phishing attacks. Just the standard setting up a fake website and entering the info.

Luke Vander Linden: So almost like you could call it a virtual skimmer.

Alex Heid: Yeah. Correct, correct. And then you'll still have the occasional breach of processing services or giant big retail stores. I would say there's a lot of cards that are available from those types of things, but I would say those are kind of seasonal. So whenever there's a big breach, then those cards will flood the market until they're gone. But for the most part, the year-round type credit card dumps that are available is mostly stuff from skimmers. So either people being a crooked waiter or someone who has access to cards doing scams and collecting it and then reselling those and reselling those. And those will end up on these credit card shops. And it's not even the dark net. It's the clear net where you can just Google CVV shop and you'll find tens of thousands. Every time one gets taken down, another one pops up. And then carding forums will filter you through to them. And even with the increase of all the different types of fraud protection mechanisms, the convenience mechanisms from all these different peer-to-peer payment systems has basically rendered all those security things useless, because a credit card plus combined with all the personal PII info that's been circulating from various breaches of, say, credit rating agencies, pretty much everyone's social security number and birthday are out there by now. So if you're able to make a purchase from, say, an underground website, you get a dump and it's got a credit card and it's got someone's first name, last name, and their general location, for a few dollars more, another underground resource will give you their social security number and birthday. And now you can start using that information on things like Cash App, Venmo, PayPal. And that's where a lot of the game is these days, setting up these fake accounts on these peer-to-peer payment services, linking up, and they call them linkables, to link up the stolen cards with stolen identity info and then just start making transfers. 
And in addition to that, making big purchases from stores. So specifically as it affects retailers, one of the common linking scams is to use things like Google Pay or Apple Pay or any type of payment system that can be used at a register, and they'll use stolen credit cards to link up to that account and then they'll pay with their phone. And that will oftentimes go -- it'll fly right through. It'll be authorized and looks much less sketchy than someone trying to swipe with a white credit card and that type of stuff. It looks much more natural and it's been a huge problem across the entire industry right now.

Luke Vander Linden: There's a lot to unpack there. I mean, I think you're kind of illustrating the convergence between the online world and the physical world, because no matter where the card details were stolen from, they can be used both online and then in person with these new tap-to-pay systems. So it's a very complicated and complex problem to try to solve.

Alex Heid: And geographically, it doesn't matter geographically anymore because with the personal information that's used in combination with the cards, a simple phone call to the bank with a voice changer, or some of these guys don't even care, they'll just call the bank with their regular voices. A simple call to the bank will be able to authorize certain things and get them to link up. So it's definitely all the mechanisms that were implemented to mitigate fraud, it seems like there are complementary methods to make it more convenient for the user and those are what the actors are exploiting. So they could call the bank and say, oh, I'm going to be traveling. So if this card from America starts showing up used in Europe or vice versa.

Luke Vander Linden: Then it's covered.

Alex Heid: Yes.

Luke Vander Linden: Right. So it's funny. You brought up the EMV chips and I didn't know they were called EMV chips. They were just chips. And you brought up geography, which I remember when I was traveling to Europe on vacation like maybe 10 years ago, they had introduced chips before we had and we didn't have chips in our American cards. We were still swiping, a little embarrassing. Everybody knew I was American so they pulled out a different machine and made me do my signature and stuff. But you have chips and contactless payments, which have taken off everywhere both with the card present or with one of the pay apps you mentioned. But all these things are being adopted now globally and ostensibly to protect against fraud but not having the effects that we had hoped.

Alex Heid: Yes. So specifically about how those specific technologies are not having the effect that we had hoped. So with EMV cards, so again, when it's hooked up to a pay app, it doesn't matter. The chip itself is off the table. There's this one song called How to Write a Dump by a rapper named PunchmadeDev. And specifically in the last verse of this song, he'll say, don't worry about cloning the EMV card. If you've got the track data, that's all you need. Then it's just a matter of social engineering. I mean, he makes it rhyme, and he says it much more clever than I do. But he says, you stick the card without a chip into the little card reader. It'll have problems reading. You just look at the cashier like, oh, what's going on? And you do that a few times, and the cashier will just be like, ah, just swipe it. And then you swipe it. It goes through, and you're gone. And he just says, if it doesn't happen after twice, then you just drop and get out of the store as quick as possible.

Luke Vander Linden: You don't have a future in rapping, but we'd rather have you in threat intelligence anyway. You know, it's funny. I moderated a panel at a grocery store conference earlier this year. And we had video from one of our panelists of that kind of social engineering happening. There was a woman that had a list of credit cards on her phone that she had gotten off dark or clear web. And with social engineering, the woman -- the cashier typing them in or letting her --

Alex Heid: It's wild. She didn't have a card, just like typing it in. That's incredible.

Luke Vander Linden: It's crazy. So going back globally, are there regions where credit card fraud is more prevalent, or is it really just a global issue now?

Alex Heid: 1,000% a global issue, absolutely. But I would say the United States is probably the one that's most impacted by it simply because we have the most credit cards that are available. And it's a big target. But I would say a lot of the groups behind it, pretty much you've got very organized groups and you've just kind of got hobbyists and small crews. But the real big organized groups, they're usually associated with Vietnamese organized crime, Russian organized crime. Usually, it's organized crime groups that are pretty organized. And regionally, we've been seeing a lot of the activity. I mean, going back 10, 15 years, and it's still quite prevalent, coming out of Vietnamese hacking crews. And the group that is in charge of, or I would say in charge of the group that pretty much started and launched and runs the Magecart operation is a Russian group. And all these groups will work together. And kind of like the ecosystem is cards get collected and then they're bundled and then sold and then resold down to these credit card shops. And people will buy them from there.

Luke Vander Linden: Right, to be used. So it is global, but how big of a problem do you estimate it is in terms of financial losses or reputational damage?

Alex Heid: So the biggest losses, so reputational damage, usually the reputational damage is -- I mean, essentially, because from a retail perspective, the brand gets labeled as cardable. It's technically good for the brand because it means more people will be shopping there. It's like, oh yeah, they will accept my stolen credit cards. But it's bad because there's going to be a convergence of folks doing fraud on that entity. So that's another thing that the carding team looks for. They try to determine which retail stores are cardable and not, both online and offline. And what they mean by cardable is how difficult or simple is it to actually get a transaction to go through. You know, how much finagling do they need for it to go through. So being labeled as cardable, probably not something that companies want to aspire to, but everyone is cardable. And from the standpoint of the global, it all depends on how dedicated the attacker is. But from a global perspective, it seems that the United States has the most activity and the most cards on the market. And I'm making that assessment because of the prices. So there are prices and quantities. So there are more United States cards available than any other country. And because of that, they are the cheapest to use. And they oftentimes will have some of the more advanced security features. So they're actually more difficult to use, hence the lower price, because it takes more effort to get something out of them. And with European cards, there's less of them on the market. And because there's less on the market, European cards will oftentimes be more expensive and they might not have as much advanced security features. So say with the United States card, you might not be able to use it out of the country. A European card will not have issues being used in different countries throughout Europe because it's much smaller and that's just how it's set up over there. 
So European cards will oftentimes be three to four times more expensive than the United States card because there's less of them and they take less effort to use. Whereas the United States one, there's more of them and it takes a little more effort to use. And one of the things that attackers will do is they'll analyze the BIN numbers of the credit card. So the bank identification numbers, the first five or six digits will tell you where the bank is from. So an attacker will be able to determine which BINs work for them. And so they can find out, it's like, okay, this BIN works good on this store. So then they'll go into a carding shop and buy a bunch of those specific BINs in order to use them.

Luke Vander Linden: That makes sense. Because obviously, the store itself will have its own security measures but then the issuer will have its security measures. So you've got to find the right combination.

Alex Heid: Exactly. It ends up being the merchant, the retail outlet, ends up getting burned by this because not only do they get hit, not only do they lose the service or the merchandise that's being taken out the door, they're getting hit with a chargeback fee from the cardholder. And so now it's like lost inventory plus chargeback fee and that accumulates and the banks don't really care. They'll kill a card, they'll issue a new one. It's already written in -- the fraud is written into their business model and the risk management model. Cards have expiration dates, for example. They'll send you a new one. But when an outlet gets hit, the onus is always pushed to the merchant. In fact, that's specifically been the case with -- that was one of the big reasons that these EMV chips were rolled out, because there was that back and forth. It's like, oh, well, the bank should be doing something. No, the merchant should be doing something. Well, now with the EMV chips, like, hey, now it's on the merchant. So that kind of gave the banks more of a hey, if this happens, it's your problem.

Luke Vander Linden: So obviously a huge, huge financial issue for retailers, consumer-facing businesses, but also it affects customer experience as well. There's badness all around. Let's try to be a little bit more positive here. What are merchants and retailers doing to combat this, whether it's cybersecurity-related or otherwise?

Alex Heid: Sure. So one of the things that can be done to essentially combat it is first and foremost, probably employee training on what to do to spot suspicious types of behaviors at the checkout. Working with the local loss prevention team within the store or the loss prevention team. There's surveillance cameras. I'm sure there's a bunch of surveillance camera footage of these particular incidents taking place. Analyzing those, looking for types of behaviors and patterns to look for. Sometimes it's just very difficult to tell, but when enough of it happens, there's always going to be patterns that emerge. Observing patterns of behavior of incidents that have taken place. For myself, without having analyzed videos, there's no direct suggestions I can make on this, but if I worked in loss prevention in a retail, this is probably where I would go for.

Luke Vander Linden: Good awareness.

Alex Heid: Yeah. That would be first and foremost, because no matter what type of technical protections you put into place, if the cashier can be social engineered or the person processing the card can be social engineered, then that's the weak link. Then secondary to that, I would say just having a -- especially if it's a retail place that has their own type of gift cards that are available, a lot of times gift cards will be used to launder stolen credit cards. They'll make a bunch of purchases with those. That's another thing to be looking for if you're a retail outlet. Putting different types of controls or restrictions or monitoring on gift card programs to prevent it from being exploited in that manner. Also online pickup where people can purchase stuff on the internet and then go pick it up in store. That's also a very common thing that credit card processors will use. They'll do a card not present purchase on the internet and then they'll either send themselves or their friends to go pick it up. Basic due diligence like checking IDs, making it more difficult for them to do so. I know there's a convenience factor and this probably will impact the customer experience a bit, but customers know that this is going on and they're willing to deal with -- I mean, me personally, I'm willing to deal with a little of inconvenience. If I go to a store and they ask me to show my ID before I make a pickup, that's not a big deal, especially if I know that someone else can come in and take my purchase for me. Unfortunately, that seems to be hazardous. Adding little bits of things that might inconvenience the speed of the process, but will go a long way to preventing the fraud because if you're not doing that, the bad guys are definitely trying to steal stuff.

Luke Vander Linden: And it doesn't need to be for every transaction, but just the ones that raise the red flag.

Alex Heid: Yeah, the ones that raise the red flag.

Luke Vander Linden: Like 50 gift cards at once, or you're reading a list of credit card numbers off your phone. That kind of thing.

Alex Heid: Or you get three failed transactions and they're like, let me try another one. Let me try another one. They got a different card here. Yeah, so those types of things. And that will definitely go a long way, because eventually the carders will know, find a different spot. They're a little too diligent, so then they'll just look for a spot with lower enforcement. And if you're a big store and you've got multiple chains then that's where the employee awareness comes in.

Luke Vander Linden: Yeah. You talked a little bit about the friction between merchants and issuers because of their willingness to accept this kind of risk as part of their business model. Are there any collaborations either amongst in the retail space or with them and other groups that help mitigate this or help solve these problems? I imagine there are. One I can speak to that I know of, this is a few years ago, MasterCard was partnering with people in the retail world, I believe it was just companies, any company that would take credit cards in general. And they also had a bunch of AI projects and startups that they were working with to kind of basically use AI to identify the anomalous patterns of credit card fraud and try to minimize that. So that was a few years ago. I'm sure it's advanced considerably beyond that and that's just the one I've heard about. So I'm sure there are definitely -- on the counter side, if there are not, there definitely needs to be. I definitely don't want to underplay the fact that this is becoming a mainstream phenomenon now. It's not just hackers like it was 10 years ago or little organized groups of people from other countries coming in or teenagers. I mean it's a mainstream hip-hop now. So just like kids think it's cool to do the rapper thing, smoke marijuana or whatever, that's just what rappers say is cool so kids do it. And so just like how we saw gangster culture rap influence the youth for the last 20 years, if this takes off, those kids are going to be good at making money without going to work. Yeah, they call it scam rap. Scam rap. We'll see probably TikTok challenges as well.

Alex Heid: Yeah, that's already all over there. TikTok is a massive spot for showing this off and recruiting. Some of the keywords that they'll use: they'll call them glitches, so a CashApp glitch, a PayPal glitch, a Best Buy glitch.

Luke Vander Linden: It makes it sound blameless if they do it that way.

Alex Heid: Yeah, it's just a glitch. It's a bug like a video game.

Luke Vander Linden: We can't get through a podcast segment without mentioning AI, so thanks for doing that. If you're playing at home, you can take a drink if you're playing at home alone. I often ask our guests to get out their crystal ball and talk about, make predictions for the future. We talked about chips and contactless payments. What's next? I'm thinking like biometric. The last time I flew, I didn't have to take out my ID or my boarding pass. My face just got me through security, for better or worse. What's next, do you think with attempts to make the cards more secure?

Alex Heid: I don't know if biometrics are going to be the next thing, because it'll probably be -- in the United States anyway, there'll probably be a lot of pushback from the customers. I mean, people don't really mind going biometrics when it's things like traveling or stuff when it comes to physical safety, but when it comes to just financial safety, then their privacy kind of comes into play. It's like, well, I don't necessarily want to tie all my biometrics to my bank. It depends, again. I guess it depends on how it's marketed and how it's sold to everyone. And again, with biometrics, at the end of the day, a biometric is just a hash on a back-end system. So in the event that there's some way that that's compromised, just replaying the hash could kind of get past the biometric. So I don't see it as a foolproof thing, but it would definitely be a stepping stone to make it less easy for the attackers. But with every --

Luke Vander Linden: It's just another tool that they'll try to find a way to get around. So then just broadly, like looking at the next five, 10 years, what kind of trends can you predict for us?

Alex Heid: So I definitely predict a spike, like a hockey stick spike in mobile payment in-store fraud. Google Pay, Apple Pay, any of those services that a company may accept, or even a hotel or anything. And if your business accepts mobile payment from one of those service providers, chances are a percentage of those will end up being fraud, and it's going to be bigger cities impacted. Not just bigger cities, but the town surrounding that city, because a lot of times people will take a drive to do it. So I mean, honestly, I don't even want to just say big cities, because people will travel and they'll do cross-country sprees, and small towns are known to be targets.

Luke Vander Linden: It'll start where the people are, but then move out where the targets are.

Alex Heid: Yeah.

Luke Vander Linden: Just as an aside, are those mobile payment apps, are those viewed as card-present or card-not-present transactions?

Alex Heid: Yeah, that's a good question. I guess I don't know if it would be considered card-present, but the person is there physically. So the person is there physically, and they're using a combination of stolen PII with stolen credit cards, because that's how they're able to get that --

Luke Vander Linden: Right, so it's kind of a murky gray area.

Alex Heid: Yeah.

Luke Vander Linden: Obviously, I've used it without the card being present. If I forgot it, then I have it.

Alex Heid: Yeah, just like I too use the mobile wallets, because it's just like, ah, I left my wallet in the car. In the old days, I'd have to walk back out to the car and it'd be all embarrassing, and now it's just like, oh, okay, good, like, beep, done.

Luke Vander Linden: Thank you, Alex Heid, VP of Threat Research and Fellow at SecurityScorecard, for joining us on the RH-ISAC Podcast. Thank you to all of my guests, in person from the summit and virtual: Brett Cumming, RH-ISAC 2023 CISO of the Year; Tyler Compton and Jonathan Buckner of Aaron's; Alex Heid from SecurityScorecard; and our own Ian Furr. By the way, for those members listening, Ian's the man to talk to when you need to set up a way to automatically ingest and share cyber threat intelligence with our MISP instance. Shoot us an email at to set up a meeting. And if your company's not yet a member of the RH-ISAC, what are you waiting for? Go to to learn more and to start the process. If you have something cybersecurity related that you just have to get off your chest, shoot us an email at, or if you're a member, hit me up on Slack or Member Exchange. Finally, thank you to the production team who do their best to make us sound good. For the RH-ISAC, that's Andy Chambliss and Marisa Treshinecki, and from N2K Networks, formerly known as The CyberWire, Jennifer Eiben, Tré Hester, and Elliott Peltzman. And thanks to you, our loyal listeners, as always, for listening, and stay safe out there.