CyberSound
CyberSound™ is a podcast built by and for business owners and professionals. Tune in as our cybersecurity experts cover the latest news regarding IT security, the most recent and relevant threats organizations are facing today, and provide tips to keep your business safe.
CyberSound
094 - Banking in the Digital Age Mastercard’s Security Innovations
Mastercard is committed to protecting consumers and businesses from fraud, particularly in the realm of open banking. Real-time identity and data validation are crucial to implement in the transactional financial space.
In this episode, Jason is joined by Steve and Michael, with a special guest, Patrick Pearson, Vice President of Open Banking Partnerships at Mastercard. The team delves into cardholder data security, with an emphasis on the prioritization struggles faced by organizations tackling fraud and the importance of partnerships built on trust in the cybersecurity landscape.
Stay up to date on the latest cybersecurity news and industry insights by subscribing to our channel and visiting our blog at https://www.vancord.com/ 💻.
______________
Stay up to date on the latest cybersecurity news and industry insights by
subscribing to our channel and visiting our blog at https://www.vancord.com/💻.
Stay Connected with us 🤳
LinkedIn: https://www.linkedin.com/company/vancord
Facebook: https://www.facebook.com/VancordCS
Instagram: https://www.instagram.com/vancordsecurity/
Twitter: https://twitter.com/VancordSecurity
00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:12
Welcome to CyberSound. I'm your host, Jason Pufahl, joined today by Steve Maresca and Mike Grande. Hey guys.
Steven Maresca 00:17
Hey.
Jason Pufahl 00:17
Joining today via Zoom is Pat Pearson, Vice President of Open Banking Partnerships at Mastercard. Welcome, Patrick.
Michael Grande 00:17
How are you doing?
Patrick Pearson 00:24
Thanks, guys. Great to be here.
Jason Pufahl 00:26
Yeah, I mean, this is, I think, an exciting podcast for us, right? Because obviously, Mastercard is so focused on protecting consumers and businesses from fraud. Obviously, we spend a lot of time clearly in the security space relative to identity protection and data protection overall. So I think this will be an interesting conversation.
Michael Grande 00:45
For sure, for sure. I've had the pleasure of knowing Patrick for a very long time. And I'm just so happy to have him join us today to talk about his background experience and some of the initiatives that Mastercard is taking on. But maybe to kick off Pat, you want to just give us a little review of your bio and where you came from and what you're working on today?
Patrick Pearson 01:04
Absolutely, Mike, thanks. It is great to be here in a different setting with you guys. So I've been in in the financial services and financial technology space for the past 14 years. For the last seven I've spent at Mastercard, a number of roles, I now lead our partnerships team, as was mentioned at the top, focused on proliferating distribution of Mastercard open banking technology, which I'm sure we'll get into over the course of the conversation. But prior to that spent seven years in, in the financial services space in higher education, ultimately providing all the technology that helps move money on and off campus through the business offices of colleges and universities.
Michael Grande 01:44
So, you know, we spend a lot of time in many of those arenas, especially higher ed, where we're, you know, a great number of our clients are based, also municipal work, state and local governments, and small businesses as well. Maybe talk us through where Mastercard is looking ahead, and some of the things that they see as initiatives for 2024 and beyond in that space.
Patrick Pearson 02:08
Sure. So I'll kind of start from an outside in view, and we can we can zoom into the particulars. I think, at the core, we look at ourselves from a network perspective as stewards of data, our job is to connect two sides of a transaction, and to process sensitive data between those parties to make sure that the people trying to transact on our network are who they say they are. And so that merchants can, you know, whoever is accepting those payments can have a high level of confidence that those payments are legitimate. So that's what we've done on the core network for Mastercard for the last 50 years. And then contrary to a lot of people's beliefs, and certainly I still correct my family members after seven, seven Christmas and Thanksgiving dinners, that we're not a credit card issuer. So you don't have a credit card directly with Mastercard, we work with banks, who ultimately ashore cards, so we operate a franchise and and our job as a franchise is to make sure that data is processed securely on that on that network. And that we bring additional capabilities to help ultimately resolve identities, ensure availability of funds so that people can transact and stay on our network. What we're focused on now coming from a looking ahead perspective is, you know, we got into a space called open banking. You know, a lot of people listening to this may not have any idea what we mean by open banking. But I can guarantee you that most people have used open banking, they just don't know it by that name. Ultimately, we enable people to connect the bank accounts to more easily transact amongst some other use cases. And so again, same principles, people need to transact out of their bank account, send money to a third party or receive money from a third party. And we're using technology to be able to make sure that the people transacting on each side, and most importantly, the person who is wanting to get money in or out of that account is the actual rightful owner of that account. And we can get into the particulars about how we're how we're enabling them.
Steven Maresca 04:02
Yeah. So thanks, Pat. I, I'm curious, because we deal with a lot of fraud investigations regarding disbursements that went to parties that should not have received them, attempts to collect money redirected elsewhere. How does that intersect with open banking and the validation that you're referring to?
Jason Pufahl 04:17
And actually, before you answer that, can you give a couple of examples of maybe consumer facing applications that you would consider open banking so, to help ground that for people?
Patrick Pearson 04:27
Sure, I'll use a really simple account opening use case. So I'm willing to bet that most people listening to this have a Venmo account. So Venmo is a is a store value wallet, right? And when you open a Venmo account, there's not just money sitting in that Venmo account, unfortunately, when you open it, right, so you open a Venmo account. Venmo then prompts you to say, hey, Pat, before you can actually transact with your Venmo account, you need to put money into that account from an external bank account you have elsewhere and what then happens is Venmo will say, hey, you know, 10 years ago without open banking, it would have been, hey, Pat, can you please manually type in the name of the bank where your account sits, the routing and account number which none of us ever have on hand, I don't even own a checkbook. And so and then there would be a validation that would happen over the course of time, hey, Pat, we're going to drop a couple of transactions under $1 into that account, remember to come back here three days later, to see if those transactions went right and what they're doing, and that, that's called micro deposit verification, what they're doing is assuming that if you're able to go see that those transactions posted to the account successfully, that you must have been able to log into that account. So you must have known you know, how to write credentials, you gave us the right routing and account number, you didn't fat finger it in, right. And that's, that's a very old school way. What open banking is, hey, Pat, we need to fund this account, Mastercard, to validate all of the information that I just described before routing an account number that you own the account, all you have to do is log into your bank account. So up pops our widget, and it says, hey, identify the bank. So I click on the Chase logo, I log into my Chase account, I connect the actual, I select my savings account or my checking account, and then I'm done. And then our system will actually go to Chase, retrieve the routing and account number, will retrieve the name and address on file with Chase for that bank account, and we send that to the receiving party. And then they can verify probably some data they have from you guys to say, do we actually believe these two people to be the same? And there's some other biometrics we can talk about that we're doing as well. But from, from a most basic perspective, that's hopefully a pretty digestible example.
Jason Pufahl 06:38
Yeah, and you certainly dated everybody here, because we all understand when people gave you one penny and took away one penny, and that's what validate. Right?
Patrick Pearson 06:46
And it's still very, it's still very prominent today, I'm sure.
Michael Grande 06:50
Oh, yeah?
Patrick Pearson 06:50
So, yeah.
Michael Grande 06:51
And I would disagree slightly in that, I think my nieces and nephews would think that Venmo accounts are automatically opened up with deposits ready to go, ready to spend, and magically, they're refilled. But sorry, you were you were saying?
Steven Maresca 07:06
Yeah. So I mean, ultimately, you're using the validation that the originating banks did in person, or however the account was established, as a means of establishing that chain of data, is that effectively one way of interpreting it?
Patrick Pearson 07:21
Yeah, I would think so, I would just say that it's usually not the originating companies. So if you think about it, these these ACH transactions are usually a pull, so I give you my information, your bank then sends a request to my bank to pull the funds out of my account. And so yeah, it's it's validating the, the, the, I guess, the the originator of the transaction, but it's, you know, it's not the person who's sending the money. In your case, it's the person who's receiving it.
Michael Grande 07:48
And you know, and one of the areas that I'm sure is a, you know, you're on a knife's edge is, you know, building more security into the product sets, and more assurance, but at the same time, making the user experience enjoyable, quick and efficient. And sometimes those those two areas sort of work against each other. So maybe you could talk about some of the initiatives and some of the things that your, your you and your team are looking at in that area.
Patrick Pearson 07:48
Yeah, absolutely. You're right, Mike, there needs to be some kind of natural tension, right, you want to make it as easy as possible for the person to open and fund their, you know, online account. But you need to take the necessary steps to make sure that there's not fraud happening. And in these spaces, account opening fraud and account takeover has become very, very prevalent because of the lack of data, real time data, available to the entities that are transacting. So some of the things we're doing, you know, it's one thing for us to tell Venmo team, hey, the bank said, Chase says it's Patrick Pearson at 123 Main Street that owns the account, we just pass that data through, that's kind of moderately helpful. But what we're also able to do now is we can say we can tell them as well, hey, here's the IP address of the device that this person is using to connect this bank account. Have we ever seen this IP address match this name and address before? Have we seen that name and address match at all before? If so, how prominently? You know, if we've seen pings too, we have a proprietary database through a separate asset that we have at Mastercard, that looks at all that combined with the biometrics we see on the phone. So you take all of this information in real time, you can really figure out, you know, does the IP address make sense like is the IP address in Connecticut where Pat lives according to the address you got from the bank, or is the IP address in you know, Vietnam? Because it's part of a, you know, a server farm for account takeover, where they're just, you know, stuffing credentials into third party apps.
Steven Maresca 08:14
So you know, on the balance, is the fraud that you're trying to reduce and detect earlier more dominant at account funding, after the account has been established, what sort of timeline is more typical for, you know, criminal intervention with legitimate accounts?
Patrick Pearson 10:12
Yeah, all of the above, for sure. You know, to varying degrees account, account takeover fraud has been around for a while, you know, the the old school way, is say you dropped your debit card at the gas station, somebody picks it up and starts, you know, emptying your bank account on the debit card. You know, ecommerce has become even easier, because, you know, like, like me, I'm sure you guys get notifications every couple of weeks that your username or your password, or the combination has shown up in some data leak on the dark, and it's available on the dark web. So those credentials are being used. And by third parties who have 10s of 1000s of combinations of username and passwords, you guys know this, but I'm preaching to the choir. So you know, that stuff is happening all day long. We're, the new one and they always stay ahead, right, they're always one step ahead, as you guys know, right. And so account takeover has been around for a while, account opening fraud has become very, very prevalent, especially when if you think about it, you know, you open up a new checking account, sometimes there's, you know, a $200 bonus that you get as soon as you open the account. So, you know, these fraudsters are opening accounts. They're connecting some kind of legitimate third party bank account, and they're getting the reward, transferring the money out, and, you know, see you later, they never, and then they close the account. So it's, it's all over the place. But you know, that that latter part is what we're trying to help, especially financial institutions guard against today.
Michael Grande 11:36
So as fast as the marketing gurus are coming up with new ways to increase sales and increase activity and new client acquisition, the fraudsters and in bad actors are figuring out ways to abscond with those with those games.
Patrick Pearson 11:52
Yeah, no, not very literally, there's a direct correlation, when you watch the Superbowl. And there's ads for new, you know, when, remember when, a couple of Superbowls ago where every other commercial was crypto?
Michael Grande 12:04
Yeah.
Patrick Pearson 12:05
There was a direct, direct correlation between the spike in accounts opened and fraud that happened in those institutions directly was tied to the ads in the Superbowl 24 hours thereafter.
Jason Pufahl 12:18
Do you? So I know you have a background in higher ed. Here, we've got a whole variety of sort of government and state/local companies that we work with. Are there any industries that you think are more prone to fraud, or you have a greater risk for sort of some of the activities that you talked about? Like I think about just a transactional volume within higher ed, my instinct would be that that's a high risk area. But I'm curious, your thoughts.
Patrick Pearson 12:47
It absolutely is. So from a risk perspective, within higher ed, a lot of the risks that's associated with money movement is disbursements. You know, not a lot of people will try to take somebody's checking account over to pay, you know, a $40,000 tuition bill, right, they're more wanting to fraudulently receive excess funds for you know, somebody drops out of a class and deserves a refund for the for the course fee. So that is where a lot of the fraud tends to happen in higher ed from our experience, and, you know, a lot of that, and whether it's higher ed or, you know, municipalities or utilities or whatever, you know, I think it's a lot about the adoption curve. And, you know, it's reliant on all of us to bring the same level of sophistication to those constituents and partners and clients that, you know, big tech firms and big banks have had availed themselves to for a number of years.
Steven Maresca 13:43
So there's an interesting intersection here, because we've spoken with other organizations that help detect application fraud, Yeah, absolutely. This is precisely what you're talking about, where it's not a real person, they're claiming to be or they're, you know, rinsing and reusing an identity, joining a course, and then with illegitimate funds to begin with, using the school as a mule and redirecting it elsewhere. So very interesting kind of a scenario you're talking about. It's the other end of that equation.
Jason Pufahl 13:51
That's Maurice, a couple months ago. It also shows, because I think Maurice brought up you know, there are four year institutions that are actually less prone to that risk than community colleges, which have that open enrollment, sort of continue enrollment, right.
Michael Grande 14:29
You know, yeah, sorry, I had sort of a two parter. But the first part would be, you know, sort of looking forward, you know, New Year, objectives in 24 and beyond, you know, you've talked about some of the strategies and some of the ways that you know, you and Mastercard are approaching the market. You know, what do you see out there, sort of I don't want to say what keeps you up at night, but you know, what are the areas that when you're talking to your clients and your partners, that is sort of really top of mind and really the areas they really want focused on moving forward?
Patrick Pearson 15:04
Yeah, well, Mike, you know, my kids keep me up at night. Outside, no. Yeah, exactly. So no, but to your to your question. You know, I think one of the things that, that our clients and partners struggle with, and again, you know, I'm talking to technology providers who are serving, you know, municipalities and governments while I'm one step away from you guys, but at the end of the day, I think there's so much talk about fraud, that it's like a prioritization exercise, I'm getting inundated by all these new capabilities. You know, Pat's telling me that, you know, he can validate all this sensitive information in real time. And, you know, meanwhile, like, you know, we barely have a bank has a separate login for online banking, verse mobile, mobile banking, like that is a real thing that 10s of 1000s of banks struggle, so it's like, how do you even begin to prioritize where to start? And, you know, is it more of like, a thumb in the, you know, in the huge gaping hole in the dam? Or is it, you know, I can be proactive? So I think it's, I think it's a prioritization struggle. They all know, everyone's aware that there's fraud happening. It's, you know, how, how precise can I be? And how much effort does it take to do that? And how do I prioritize it against a number of other priorities that have nothing to do with fraud, but there's some kind of technological component, which is obviously, you know, where you guys can come and help.
Michael Grande 16:30
Back to our security fundamentals, leading.
Steven Maresca 16:33
I think there's some other, you know, trends underway, the FTC has lowered its reporting thresholds for certain types of disclosures and security incidents, I think that's helpful. It's, you know, shedding more light on those situations where organizations need to defend the data more appropriately. So the under other end of the equation, I suppose.
Michael Grande 16:53
Maybe, you know, putting a bow on some of this, you know, your your area, you know, partnerships, partnerships are built on trust, you know, and trust it comes with trust comes, you know, what are you doing with my data? What are you doing with my information? So, I think you've got, you know, quite a heavy lift of responsibility to your partners and your clients. But I really appreciate you joining us today, for sure.
Patrick Pearson 17:20
Yeah, absolutely Mike.
Jason Pufahl 17:22
Any, any closing thoughts, anything that we haven't covered that you're hoping that we might ask?
Patrick Pearson 17:28
Um, let's see. I mean, I think just, you know, it wasn't a question that, but the statement Mike just made, I think the term partners and partnership has become co opted a bit by the entire sales world. And, you know, I think there is a big difference between a vendor and a partner, a vendor is transactional, they may just make the sale, you know, they'll talk to you again, when your contract renews in whatever, three, five years. And I think, for us, I'm sure the same for you guys. And I know from having talked to Michael, over a number of years, as the business has grown, you know, having someone who can come in and really understand your business, as well as you do is, is the only way a partnership really evolves. Because there is a two sided trust, to know that, you know, you're only suggesting to me the things you know, I need, you're not trying to sell me stuff I don't need. And, you know, as cliche as that all may sound, I think in this day and age now, that having a partner who you truly, truly trust. And again, I'm sure you can look across, you know, your book of business, too. And there's just, there's just clients, you have that, you know, there's just like this two way intrinsic trust, and they're, they're helping you be smarter at your business, and vice versa. So I think I spend a lot of my day trying to understand how we can be better in our business. And a lot of that comes from external feedback we get from clients or prospects.
Steven Maresca 18:50
I think that's very true. Security, information security is the trust business. That's our job.
Jason Pufahl 18:57
I think that's the spot to end right there. Partnership and trust. So yeah, Patrick, thanks for joining today. I really appreciate your perspective. Especially coming from that financial side of the practice, right. We tend to do a lot in other ways, and probably not quite as much in the day to day transactional financial space. So I appreciate your perspective there and joining us.
Patrick Pearson 19:19
Yeah, absolutely guys, it was really fun. I appreciate, appreciate the conversation.
Steven Maresca 19:23
Likewise.
Jason Pufahl 19:24
Alright. If anyone ever has any questions about sort of cardholder data security, or you have anything you want to continue? Of course, feel free to reach out to us we can engage Patrick again and continue the conversation. So thanks for listening as always.
19:37
We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.