MRC Vegas 2018 from a non-technical person’s perspective.
As a marketer, it’s sometimes challenging to understand tech people when they are blabbering about technology. To avoid this, my boss sent me to MRC Vegas 2018. “Go and learn little padawan,” she said – or that’s how it sounded in my head.
Once at the Aria hotel, where MRC is held, I met dozens of merchants suffering attacks of all shapes and forms. They all had one thing in common: they are losing money every minute. They are losing money as they chat with me, as they grab a coffee, as they read a funny joke on WhatsApp or as they drink up to forget that they are losing money every minute.
As a security solutions provider, all we can do is make it as easy as we can for merchants to find the information they need so they can implement the right solutions for them. And so we did: we talked to people at our booth, demoed our product, and shared the stage with Ticketmaster during our session about bot-driven attacks and how to stop them.
After attending as many sessions as I could, I can say that my tech levels are now very healthy – thank you, MRC! In summary, here are five things I learned at MRC Vegas 2018.
Mobile fraud is a neglected threat
Dustin Clinard from Risk Ident had an eye-opening session about mobile fraud. According to Risk Ident, 42% of fraud comes from mobile, and this trend has been growing every year.
Clinard believes merchants tend to be less suspicious about mobile fraud because its numbers are still lower than desktop fraud. However, this trend is growing, and it’s time to start looking at mobile fraud as a threat that can hit you any day.
The two most prevalent mobile fraud techniques Risk Ident has seen are device cloning (25%) and SMS interception (16%). With both, an SMS can be easily spied on, rendering good-ol’ SMS-based two-factor authentication useless.
The session also talked about the bad actor’s creativity when it comes to bypassing traditional security barriers. It was a good reminder of how important it is to have a multi-layered solution that can get ahead of the fraudster’s creativity.
It’s not about if but when you are breached
Marie Russo from Mastercard highlighted the importance of having a strategy prepared in the event of a data breach. Yes, one day your company may suffer a breach. And when that happens, you will need a ‘breach first aid kit’ to reduce the damage.
Russo has dealt with thousands of data breaches and still hears the same reaction from merchants: “I wasn’t expecting it.” No one expects it, and yet, it happens so fast that companies barely have time to handle it.
A breach plan will help you, for instance, deal with the investigation, have the information the investigators ask for ready to go, send approved statements to media, manage the wave of customer calls and emails that you will receive…
The way companies manage a data breach can reduce brand damage in the short and long term.
You can stop fraud before it starts
This was our colleague Ryan Wilk’s presentation with Carolyn Davis from Ticketmaster – OK, I didn’t technically learn this at MRC, but I didn’t see the presentation until then, so it still counts.
This session dug into the sea of automated attacks that is suffocating many companies. For every account takeover, there are tens of thousands of attacks that are happening at the login. Unfortunately, not many companies have visibility outside of their environment, making it impossible for them to build prevention rules.
Davis reiterated the importance of having access to more information than what your customer provides willingly – such as device and passive biometrics information. The earlier you get this information, the sooner you can stop threats before they generate losses.
If you receive a package, hold on to it
All types of creative fraud were covered during the panel The Most Unique, Unusual, and Little-Known Forms of Fraud, but here is my favorite:
Bad actors were taking over accounts and making purchases without changing any information on the account – not even the shipping address – thus, bypassing traditional security measures that look for odd changes in an account.
Once the goods were delivered to the legitimate account holders’ addresses, the bad actors went to the account holders’ homes wearing a T-shirt with the retailer’s logo. They knocked on the door and said, “I believe we sent you a product you didn’t order, don’t worry, we’ll take it back.” And away they go with the purchase in their hands.
Meet my marketing nemesis: BIT Bandits
This is a Stranger Things upside-down moment I had during EJ Jackson’s (First Data) presentation, Preventing Fraud in The Age of The Internet of Things. Jackson showed a sleek ad from a marketing company called BIT Bandits: “Need PII to grow your business? Start growing it here. BIT Bandits.”
This marketing company sells stolen data to whoever wants to purchase it – your and my data may very well be there, behind that sexy ad. It just hit me that, in the cybercrime landscape, there are also black-hat marketers trying to offset white-hat marketers’ prevention messages. How dare they? Time to step up the game.
Now that MRC is over we have our eyes set on RSA. If you are also going and you’d like to meet, email us at firstname.lastname@example.org