Bots and the Weaponization of Identity

Posted May 18, 2018

In this episode Frank is joined by Alisdair Faulkner, Chief Products Officer of ThreatMetrix. They explore bots and other attack vectors mentioned in the Q1 2018 Cybercrime Report.


Frank:   Hey everybody, welcome to another edition of Digital Identity 360. We’re super honored today to have Alisdair Faulkner, our founder and Chief Products Officer, here with us today. Alisdair, welcome aboard.

Alisdair:   Thank you very much Frank. One of the team behind ThreatMetrix’s great success.

Frank:   Absolutely. And it’s been a pleasure collaborating over the last bunch of years. Hey, one of the things that’s been really interesting, Alisdair, as we’ve developed the digital identity concept is being able to take our data from our global network and look at threat patterns and vectors and so forth. And that’s manifested itself in something we call the Cybercrime Report.

Alisdair:   Right.

Frank:   And I think most of you folks may have seen it already. It’s out on LinkedIn quite a bit. But the latest one in Q1 continues to show a fantastic proliferation of bots. Hit a billion bots this last quarter. And then in concert with those bots, we tend to see identity spoofing follow right behind that. Comment a little on those trends and why those two are so closely related.

Alisdair:   Yeah, I mean identity’s become weaponized. That’s what’s been evident in it. And that’s a number of things. I think we’ve seen, just in terms of technology, the curve in terms of automation is just blowing everyone out of the water just how fast AI and automation has happened, which means on the bot side it’s pretty easy for a script kiddie. Used to be a script kiddie, either a script kiddie or even worse now unfortunately state sponsored actors to be able to spin up a huge amount of resources that can just target directly ecommerce merchants and others who just aren’t prepared. That’s one element of it. And then secondly, we’ve heard of the huge number of deluge of people’s identities being out there on the net, and now what we’ve seen in the Cybercrime Reports, really great that we’re able to see year on year, now you can see a step change. In 2018 in comparison to just a year, two years ago, we’re seeing a step change into the level of fraudulent activity which is happening. So increased automation, the fact that people can very cheaply target anybody anywhere at any time, and then now you’ve got these identities that have been weaponized.

Frank:   Yeah. It’s so interesting. The weaponization’s cool, because the reality of what happens is the machines come in, test the account, and then go away. We call that the fast and dumb ones. And then slow and low is when they come back later and a human being actually tries to infiltrate the account using those credentials. So I agree with you. It’s been an amazing influx, and a step function year over year.

Alisdair:   I’m glad you actually brought that up, because there is a very big distinction. Sometimes I think customers get confused that the bot problem is their account takeover issue, and it’s not. It’s just another vector. It can be malware on a machine or it come data from elsewhere, it could be social engineering. And predominantly what we’re seeing from bots is there’s two elements to it. One is just the infrastructure level. You know, fast but pretty easy to detect. And in many cases your existing CDN provider or others, web application, firewall, can help with that somewhat. Then you’re seeing dedicated providers who are providing dedicated bot detection. And they can also do a great job in terms of offloading some of the work at the application level. But the challenge is that to do a really good job of account takeover protection, you’ve got to protect against those low and slow. And unfortunately, your infrastructure, whether it’s CDN provider or a dedicated box you have on your network, never gets to the level of being able to definitively, and you would never trust it 100% to say should I accept this transaction or reject it based on the data it has. And it’s predominantly because it has to deal with scale, and because of the scale it loses things around identities and people who are actually human beings and good bots and those sorts of things. I guess that’s sort of wrapping your point up about the Cybercrime Report. Really it’s saying you have to have a look at your bot strategy, but it’s more than just at the infrastructure and security level. You really actually have to understand that end user, their behavior, how they’re using an account. Such that, for many of our ecommerce customers, they know that an account has been compromised, or there is a password on the dark web. But what do you do? You’ve still go to allow those people to transact. And that’s exactly why we built ThreatMetrix, to enable people to transact even knowing that person’s identity’s been phished. Even that device might be compromised, but with great assurance we can allow a good transaction to go through and a bad transaction to be stopped.

Frank:   It’s so critical, because the natural reaction by the IT guys or others is to say “account compromised, shut everything down.” But you’re talking about context. Context aware risk authentication. We go, yes, Frank may be compromised somewhere else, but let him in here because he’s fine with this session, this transaction. So very cool, and congrats on the Cybercrime Report. Folks, that comes out of the Products group, so it’s a fantastic asset for us. The other thing, Alisdair that’s been really interesting for us and very formative the last couple of months is the acquisition.

Alisdair:   Obviously, yeah.

Frank:   As you can imagine, we thought you more than anybody are knee deep in the integration of these two things. As you think about digital identity and the digital attribution that we provide our customers, how does the physical world that Lexis bring kind of fit into that?

Alisdair:   Yeah. I think our motto’s been, from the ThreatMetrix side, has always been “We don’t need to know your name to know you’re not who you say you are.” But then as an organization, if I’m trying to onboard a new customer, there are regulations where I need to prove that this a valid identity, or it’s a citizen within that country. And so the two really are such a complementary fit together.

Frank:   Strengthens the chain, right?

Alisdair:   It does. One of the biggest complaints that we have, even with our bigger banking customers, larger eCommerce customers is that they’re looking for rationalization amongst all the different tool sets. It’s just becoming unwieldy. So now if you have Lexis Nexis you have a single throat to choke to be able to say, look, we can take your customer, not only from the onboarding journey, but leverage that intelligence at onboarding for very rich contextual decisions down the path when they’re doing login, subsequent authentication, maybe you’re upselling them new products or they’re going to pay somebody that might look unusual based on if you just looked at the average norm. Maybe they’re sending a payment overseas. But if you have the combined deep resolution of that identity and what they should and shouldn’t be doing, and then you combine that with an infrastructure that enables an organization for the first time to be able to have a single decisioning system around all of the identity interactions. And that’s huge. That’s never been done before.

Frank:   One perspective. That’s right. Very cool.

Alisdair:   One perspective. And I think the sea level is now starting to get it. Because they realize at the end of the day, their business is relying on having good customer experience, better than their competitors. And what they don’t realize is their Achilles’ heel is in all the different systems from when you onboard a customer, you might deal with one provider. You’re doing authentication, you might be dealing with with multiple providers. And then you’re doing payment transaction screening and to have them all within one system within one provider, Lexis Nexus providing that umbrella, it’s a big thing.

Frank:   It’s a trust thing; it’s operational efficiency. It’s one system to cover it all. So very very cool. One of the thing’s that been interesting, I’ve been thinking about this since the merger, is the financial crime space and our ability with a real time global network to think about transaction monitoring in that space in a very different way. What are your thoughts on how we can bring our intelligence to bear to solve that problem?

Alisdair:   Yeah. There’s a couple of elements. One of the bigger frustrations, challenges with money laundering and other sorts of things is some of the false positives that you get. Which is obviously cost incurred by the bank, you know people are manually investigating cases.
The other issue is just being able to connect all the dots. Each bank’s kind of operating as a silo, and even many global multinational banks have challenges resolving different transactions that originate in one jurisdiction and move off to another. And ThreatMetrix was born global. So the only way you’re really going to solve AML is by having that careful balance, which I think we’ve proven that we’ve struck, between anonymity, privacy, protecting data, but making sure that leverage shared intelligence allows you to capture linkages that may not otherwise be apparent. And to be able to do that in a fast automated way is really what the market is looking for.

Frank:   It’s interesting. It’s the same way that our customers solved muling in the banking industry. How can I track these transactions? I know destinations because I am global, I get a better picture of the account.

Alisdair:   Right. And that’s a good example. Often our entry into a bank or something else is through the fraud or through the customer experience angle. We get both in the authentication strategy. But we are solving mule use cases, and the way that we think about it is a mule in those transactions is equivalent to a proxy. If you get really good at identifying proxies, then you don’t need to worry about is this a trusted name or individual? You know that something’s not quite right.

Frank:   It’s self selecting.

Alisdair:   Self selecting. And similarly, if you’ve identified very quickly and accurately what are your mule accounts, then you’re taking away this real problem for crime, which is how do you keep recruiting new marks, new people that you can now wash money through. So saves a lot of money for banks, fantastic in terms of regulatory oversight. You can show that not only are we stopping mules, but for many of our banking customers, they’ve increased by 300% their ability to detect mules in a semi real time fashion.

Frank:   It really is. We have a theme in our company called the power to predict. It really is predictive behavior based on what we’re able to do though the engine. So Alisdair, it’s a pleasure. Thank you for your leadership here. Folks, check out the Cybercrime Report coming to you every quarter from ThreatMetrix. I appreciate it, and look forward to doing it again.

Alisdair:   Thanks Frank, very much. Thank you.

Frank:   Alright. Thank you.

close btn