In this Brand Highlight, Kevin Surace, CEO of TokenCore, catches up on a market that has accelerated faster than even his team expected. Biometric-assured identity has gone from the fringes to the core, and the clearest example is the video call: on Zoom or Teams, there is often no reliable way to know whether the person on screen is real, human, or an AI avatar. Surace points to cases where employees wired money because a synthetic version of their boss appeared to ask for it. That risk is pushing the work outward. Beyond using TokenCore internally, the larger banks are asking how to extend biometric assurance to the customers who move wires, because a phone call no longer confirms who is actually on the line. The goal is to know that it is the right person, on the right domain, within a few feet of the device, and not someone operating from another country. For security leaders, Surace offers direct advice: start moving off MFA and authenticator apps now, since those methods are being compromised constantly. He acknowledges the change is hard, often for cultural reasons more than technical ones, and suggests starting with admins and the people who touch real data before expanding over roughly a year. The upside, he notes, is that employees tend to welcome it, going passwordless or even ID-less and logging into tools like Salesforce in under two seconds. This is a Brand Highlight. A Brand Highlight is a ~5 minute conversation that captures a focused idea, update, or perspective from the guest. Learn more: https://www.studioc60.com/creation#highlight GUEST Kevin Surace, Chief Executive Officer, TokenCore LinkedIn: https://www.linkedin.com/in/ksurace/ RESOURCES Learn more about TokenCore: https://www.tokencore.com Are you interested in telling your story? 
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Kevin Surace, TokenCore, Sean Martin, brand story, brand marketing, marketing podcast, brand highlight, biometric assured identity, identity security, deepfake, AI avatar, video call security, MFA, passwordless, FIDO2, CISO, account takeover, wire fraud, Zoom security, identity assurance Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
For most of the internet's life, proving identity has meant proving something you know or something you hold: a password, a code, a text message. Kevin Surace, CEO of TokenCore, argues that era is closing fast. As one of the people who helped invent the AI assistant at General Magic, he has a clear view of why the same technology now makes faces and voices simple to fake. Why isn't MFA enough? Because it protects a weak foundation. A decade-old paper mapped fifteen ways to defeat SMS codes, auth apps, and push approvals. Few attackers bothered with them until platforms like Salesforce and Microsoft made those methods mandatory. Now the attack has moved to where the door is. Surace walks through one of the common methods: an AI-written phishing email from a service you already trust, a PDF, and a pixel-perfect login page generated in moments. The credentials you enter are relayed in real time to an attacker who is logging into the genuine site at that same moment (an adversary-in-the-middle proxy). The push prompt asks if it is you, you approve, and the intruder is inside within minutes. The numbers back it up. Palo Alto Networks Unit 42 found that roughly ninety percent of successful intrusions over the past year involved hacked identity, almost all of them accounts protected by MFA or authenticator apps. The people compromised had privileged access, which means they had MFA in place. So what actually works? Surace makes the case for biometric-assured identity, a category Gartner projects growing into a twelve billion dollar market. TokenCore ties access to a fingerprint stored only on your device, the exact domain your account lives on, and physical proximity over a short-range wireless link. A look-alike domain never matches, a remote relay never gets close enough, and the company never holds your biometric. The hardware comes as a ring, a portable, or a node about the size of an AirTag, and it is FIDO2 compatible, so it works with existing single sign-on. Most customers go passwordless once it is running.
The reaction Surace hears most often from security leaders is that they can finally sleep at night. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Kevin Surace, Chief Executive Officer, TokenCore LinkedIn: https://www.linkedin.com/in/ksurace/ RESOURCES Learn more about TokenCore: https://www.tokencore.com KEYWORDS Kevin Surace, TokenCore, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, biometric assured identity, identity security, multi-factor authentication, MFA bypass, phishing resistant authentication, FIDO2, credential theft, passwordless, deepfake, AI security, account takeover, Unit 42, Gartner
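The real-time relay described in the TokenCore entry above, and the domain binding that defeats it, as an added example (this is not code from the page, from TokenCore, or from any FIDO2 implementation). It simulates a WebAuthn/FIDO2 login in Python: the browser records the page origin it is actually on in clientDataJSON and derives the RP ID from that origin, the authenticator signs over both, and the relying party rejects an assertion produced on a look-alike domain even when the attacker forwards it byte for byte. The same relay against a one-time code passes, because nothing in the code says where it was typed. The relying party `example-bank.com`, the look-alike `example-bank.co`, the device key and an HMAC standing in for the device's ECDSA signature are assumptions made so the block runs with the standard library.

```python
import hashlib
import hmac
import json
import struct

# Hypothetical relying party (RP); not TokenCore's or any real bank's deployment.
RP_ID = "example-bank.com"
RP_ORIGIN = "https://login.example-bank.com"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(device_key: bytes, rp_id: str, client_data_json: bytes, counter: int):
    """Simulated authenticator (ring/key). Builds authenticatorData =
    rpIdHash || flags || signCount and signs authenticatorData || SHA-256(clientDataJSON).
    A real device signs with ECDSA P-256; HMAC-SHA256 over a shared key stands in here."""
    auth_data = rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", counter)  # flag 0x01 = user present
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(device_key, signed, hashlib.sha256).digest()


def browser_get_assertion(device_key: bytes, page_origin: str, challenge: str, counter: int = 1) -> dict:
    """Simulated browser on page_origin. It writes the origin it is really on into
    clientDataJSON and only allows an RP ID that is a suffix of that origin's host,
    so a page on a look-alike domain cannot request the genuine RP ID.
    (Effective-domain derivation is simplified to the last two labels.)"""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    rp_id = ".".join(host.split(".")[-2:])
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = authenticator_sign(device_key, rp_id, client_data, counter)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(device_key: bytes, expected_challenge: str, assertion: dict):
    """Relying-party checks in the order a verifier runs them. Returns (ok, reason).
    Each check is one a forwarding proxy cannot satisfy."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-present flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(device_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def otp_login(expected_code: str, submitted_code: str) -> bool:
    """The OTP / authenticator-app check the relay defeats: the code carries no
    binding to the page it was typed on, so a forwarded code is as good as the original."""
    return hmac.compare_digest(expected_code, submitted_code)


def run_scenarios() -> dict:
    """Constructed scenarios: a genuine login, the same user phished onto a look-alike
    domain with the attacker forwarding everything, a tampered forward, and an OTP relay."""
    device_key = b"constructed-device-secret"   # stands in for the device key pair
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # RP-issued, single use

    genuine = rp_verify(device_key, challenge, browser_get_assertion(device_key, RP_ORIGIN, challenge))

    # AiTM: the proxy fetches the real challenge, serves a pixel-perfect page on the
    # look-alike domain, then forwards the victim's assertion to the real RP unchanged.
    lookalike_origin = "https://login.example-bank.co"
    relayed = rp_verify(device_key, challenge, browser_get_assertion(device_key, lookalike_origin, challenge))

    # If the proxy rewrites the origin field to look genuine, the rpIdHash the device
    # signed still names the look-alike domain (and the signature over clientDataJSON breaks too).
    tampered = browser_get_assertion(device_key, lookalike_origin, challenge)
    tampered["clientDataJSON"] = tampered["clientDataJSON"].replace(lookalike_origin.encode(), RP_ORIGIN.encode())
    tampered_result = rp_verify(device_key, challenge, tampered)

    # Same relay against a six-digit code: nothing ties the code to the phishing page.
    otp_relayed = otp_login("482913", "482913")

    return {"genuine": genuine, "relayed": relayed, "tampered": tampered_result, "otp_relayed": otp_relayed}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point the entry makes about look-alike domains is the `origin` and `rpIdHash` checks: the browser, not the phishing page, decides what goes into those fields, and the device signs them, so the proxy can neither request the genuine RP ID nor edit the assertion afterwards.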
Fraud teams rarely struggle with the obvious cases. It's the in-between moments that are hardest: a suspicious login here, a profile change there, a third-party signal that something might be off. The problem is that most account takeover defenses still force a binary choice. Lock the user out or let them through. In this episode, Q2 Product Manager Kristina Wingers joins host Jim Young to talk about why that binary approach no longer fits the reality of modern fraud, what a more proportional response looks like, and how financial institutions can buy themselves time to investigate without shutting down legitimate customers or letting fraud slide. Related Links [Blog] Beyond Binary: A Smarter Way to Respond to Account Takeover Risk [Webpage] Stop Account Takeover Before It Does Damage [LinkedIn] Kristina Wingers
We explore AI, member behavior monitoring, and the growing sophistication of digital fraud with Jeff Scott, VP of Fraud Intelligence at Q2. Also, Michael subjects Natasha and Producer Zach to a new game he invented, this one called "No Kidding?"
Carlos da Silva, Chief Product Officer of Unibeam, discusses SIM-based authentication technology with Don Witt from Channel Daily News, a TR Publication. Carlos explained Unibeam's SIM-based authentication technology, which uses information stored in SIM cards to provide enhanced security against account takeover and fraud, particularly addressing the limitations of traditional SMS OTP authentication methods. He discussed how their solution works through cellular networks rather than the internet, making it more secure while maintaining ease of use for users. Mr. Carlos da Silva also shared some insight on the following topics: the top cybersecurity threats facing customers of mobile operators today; why passwords, traditional MFA, and other authentication methods are no longer effective in this threat landscape; SIM-based authentication, and how it is making a difference; additional insight about Unibeam. SIM-based authentication is being adopted in a few markets. For more information, go to: https://unibeam.com/
Arkose Labs sits at the intersection of bot management, fraud prevention, and identity protection -- working with the world's largest consumer-facing brands to make fraud unprofitable. Frank Teruel walks through how the threat landscape shifted from nation-state actors and organized crime to fully democratized crime-as-a-service platforms, where MFA bypass kits are sold online and multi-billion dollar fraud operations run with the efficiency of a product company. The conversation covers three of the biggest attack categories hitting organizations today: SMS toll fraud, bonus abuse, and fake account registrations. Each one exploits legitimate business flows -- onboarding, loyalty programs, referral bonuses -- and often goes entirely undetected by security teams because the attackers never trigger a traditional alert. In one example, a rideshare company's cell bill climbed by millions before anyone connected it to a fraud campaign. With agentic AI now in the mix, the attribution problem has become exponentially harder. Is that agent booking a hotel room a legitimate user action or the opening move of an account takeover? Arkose Labs places its defenses at the very top of the funnel -- registration and login flows -- combining risk scoring, challenge technology, a 24/7 SOC, and a dark web intelligence program called ACTOR. When a novel attack technique surfaces in gaming, Arkose Labs writes a global mitigation; when that same technique hits banking two days later, the defense is already deployed. Frank Teruel closes with a direct message to CISOs: 75% of organizations surveyed cannot perform attribution, and 97% expect a major AI-driven incident within the next 12 months. The signal to watch for is not always in the security stack -- it shows up in rising SMS bills, unusual account-linking activity, and transaction abandonment rates that do not match marketing spend. 
The answer is internal fusion: security, fraud, finance, and operations sharing data before the incident, not after. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Frank Teruel, Chief Operating Officer, Arkose Labs LinkedIn: https://www.linkedin.com/in/frankteruel/ RESOURCES Arkose Labs: https://www.arkoselabs.com RSAC Conference 2026: https://www.rsaconference.com KEYWORDS Frank Teruel, Arkose Labs, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, fraud prevention, bot management, account security, SMS toll fraud, agentic AI, fraud deterrence, identity protection, crime as a service, RSAC Conference 2026, CISO, account takeover, fake account registration, bonus abuse, loyalty fraud, federated threat intelligence
A decade ago, Kevin Gosschalk was talking CAPTCHAs and bot mitigation with Marco Ciappelli at a security conference. Today, at RSAC Conference 2026, the conversation has shifted to agentic AI -- autonomous systems that browse, click, and transact on behalf of users. For Gosschalk, the Founder and CEO of Arkose Labs, the technology has changed but the challenge is familiar: how do you tell the difference between a legitimate automated actor and a malicious one? Gosschalk explains that the vast majority of agentic traffic today is not self-identifying. Rather than announcing themselves as AI agents, these systems impersonate real Chrome browsers on macOS -- choosing configurations with stronger privacy features to evade fingerprinting. There are two technical categories to contend with: headless browsers running in the cloud, which can be caught through device spoofing checks, and on-device agents that control a real browser instance, which require a deeper look at behavioral patterns and intent signals. Arkose Labs builds intent models around payment fraud, fake account creation, and account compromise to distinguish the good agents from the bad. The economic framing Gosschalk brings to this conversation is striking. He describes SMS toll fraud -- where bad actors acquire millions of premium phone numbers and trigger OTP messages from victim companies, earning three to six cents per message while costing those companies tens of millions of dollars annually. He walks through micro deposit fraud targeting fintechs. His core thesis: fraud is an economic activity, and the best defense is making attacks more expensive than they are worth. Arkose Labs builds challenge mechanisms designed to raise that cost through novel stimuli that ML models have not been trained to solve -- presenting something genuinely new forces a brute-force approach that is less effective than purpose-built attacks. The platform's consortium model is a key differentiator.
Arkose Labs protects large enterprises including Expedia and Meta, and when an attack signature appears on one customer but nowhere else in the network, its uniqueness is itself a strong fraud signal. Customers can also feed labeled outcome data back into the system -- if something slips through and later proves malicious, that label sharpens the model for the entire consortium. Gosschalk is equally clear about the opportunity side of agentic AI. Blocking all automated traffic is no longer viable -- legitimate agentic commerce is coming, where consumers will delegate shopping, comparison, and purchasing to AI assistants. The future is not blanket blocking but granular, policy-driven enforcement: letting each customer define what kinds of agentic behavior they want to permit on their platforms. Integration is accessible -- a basic JavaScript deployment for web, SDKs for mobile, and extended support for IoT devices and CDN integrations. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Kevin Gosschalk, Founder and CEO, Arkose Labs LinkedIn: https://www.linkedin.com/in/kgosschalk/ RESOURCES Arkose Labs: https://www.arkoselabs.com KEYWORDS Kevin Gosschalk, Arkose Labs, Sean Martin, Marco Ciappelli, brand story, brand marketing, marketing podcast, brand spotlight, agentic AI, bot detection, bot mitigation, fraud prevention, SMS toll fraud, micro deposit fraud, behavioral biometrics, intent detection, CAPTCHA, account takeover, synthetic identity, RSAC Conference 2026, cybersecurity
Madhav Nakar — AI Security Researcher and Documentarian of Spirituality and Play No Password Required Season 7: Episode 3 - Madhav Nakar Madhav Nakar is a Security Researcher at BeyondTrust specializing in identity threats, endpoint security, and cloud attack paths. With a background in theoretical mathematics, his current research focuses on analyzing attacker behavior to build practical systems of detection. In this episode, Madhav shares the pivotal moments that shaped his career, including his first experience witnessing a nation-state attack unfold in real time from his seat in a SOC. He explains how mathematical thinking sharpens security strategy and why strong research is rooted in exploration, not predetermined outcomes. Jack Clabby of Carlton Fields, joined by co-host Kayley Melton of the Cognitive Security Institute, welcomes Madhav for a conversation on modern cyber defense. From AI-driven attacks and agentic systems to privilege escalation risks in role-based access environments, Madhav breaks down what teams are getting wrong about AI and why defending against AI increasingly requires AI-powered tools. The conversation turns to Madhav's philosophy of “serious play,” where curiosity, experimentation, and failure fuel better research and resilience. He also shares insights from his spiritual and philosophy project, The Fire of Knowing, exploring consciousness and belief through a neutral lens. In the Lifestyle Polygraph, Madhav pitches a cybersecurity documentary, debates growth versus comfort, and reflects on public dancing experiments. Follow Madhav Nakar here: https://www.linkedin.com/in/madhav-nakar/ Follow "The Fire of Knowing" on Instagram and YouTube! CHAPTERS: 00:00 Introduction with Kayley and Jack 08:08 Transition from Theoretical Math to Cybersecurity 16:13 Exploring Spiritual Traditions and Madhav's Documentary 19:48 The Intersection of Art and Science in Content Creation 25:20 The Lifestyle Polygraph: Challenging Perspectives on Security
Sue Serna - Social Media Security and Governance Leader and Lover of All Beagles No Password Required Season 7: Episode 2 - Sue Serna Sue Serna is the CEO and Founder of Serna Social and the former head of global social media at Cargill. She brings more than two decades of experience at the intersection of storytelling, strategy, and security. In this episode, she shares her journey from business reporter to leading her own consultancy serving companies around the world on social media strategy. Jack Clabby of Carlton Fields, P.A., joined by guest co-host Rex Wilson of Cyber Florida, welcomes Sue for a candid discussion about the realities of enterprise social media. From managing more than 150 Facebook pages for a single company, to navigating internal politics, agency relationships, and regulatory pressure, Sue explains why social media is far from “free” and why most organizations still under-resource it. Sue dives deep into the gap between social media teams and cybersecurity departments. She outlines how personal account compromises can escalate into enterprise-level incidents, why governance frameworks matter, and how large organizations can regain control of sprawling digital footprints.
Drawing from real-world examples, she argues that social media must be treated like finance or HR, a core business function requiring structure, ownership, and accountability. The episode wraps with the Lifestyle Polygraph, where Sue reveals her love of Apollo-era space history, debates iconic Philadelphia traditions, and imagines what magical talent her beagle would bring to Hogwarts. Follow Sue at SernaSocial.com or connect with her on LinkedIn: https://www.linkedin.com/in/sueserna/ Chapters: 00:00 Introduction and First Impressions 02:45 The Evolving Role of Social Media in Corporations 04:58 Transitioning from Journalism to Social Media 11:11 Building Social Media from Scratch 13:00 Becoming a CEO and Founder 16:28 The Importance of Networking 16:54 Bridging the Gap Between Social Media and Cybersecurity 20:51 Real-World Social Media Security Incidents 28:35 Navigating Internal Conflicts in Social Media 30:32 The Lifestyle Polygraph Begins 31:17 Nerd Things That Expose Sue: Space and Harry Potter! 35:16 Sue's Love For Beagles 37:50 Wreckless Intern or Overconfident Executive? 40:42 Hogwarts and Magical Beagles
Rob Hughes — CISO at RSA and Champion of a Passwordless Future No Password Required Season 7: Episode 1 - Rob Hughes Rob Hughes, the CISO at RSA, has more than 25 years of experience leading security and cloud infrastructure teams. In this episode, he reflects on his unconventional career path, from co-founding the original Geek.com and serving as its Chief Technologist during the early days of the internet, to leading security and systems design at Philips Home Monitoring. Jack Clabby of Carlton Fields, P.A. and Kayley Melton welcome Rob for a wide-ranging conversation on identity, leadership, and the realities of modern cybersecurity. Rob currently leads RSA's Security and Risk Office, overseeing cybersecurity, information security governance, and risk across both RSA's products and corporate environment. Rob explains his dream for a passwordless future. He unpacks why passwords remain one of the largest sources of cyber risk, how real-world incidents and password-spraying attacks have accelerated change, and why phishing-resistant technologies like passkeys may finally be reaching a tipping point. The episode wraps with the Lifestyle Polygraph, where Rob lightens the conversation with stories about gaming with his kids, underrated horror films, and classic cars. Follow Rob on LinkedIn: https://www.linkedin.com/in/robert-hughes-816067a4/ Chapters: 00:00 Introduction to No Password Required 01:43 Meet Rob Hughes, CISO at RSA 02:05 The Role of a CISO in a Security Company 05:09 Transitioning to the CISO Role 08:00 The Early Days of Geek.com 12:14 Launching a Startup During the Dot Com Boom 14:30 The Push for a Passwordless Future 18:21 Tipping Point for Passwordless Adoption 20:20 Ongoing Learning in Cybersecurity 26:09 Managing Stress in High-Pressure Environments 33:46 The Lifestyle Polygraph Begins 34:15 Career Insights in Cybersecurity 36:08 Dream Cars and Personal Preferences 39:58 Underrated Horror Films 41:19 Creating a Cybersecurity Monster
As AI makes it easier for attackers to launch account takeover campaigns at scale, organizations face mounting pressure to protect their customers and their brand. Israel Mazin, Co-Founder and CEO of Memcyco, joins the conversation to discuss how real-time detection and protection capabilities are changing the game. Memcyco is built on four products within a unified platform, each designed to detect and block both traditional and AI-driven attacks in real time. Unlike reactive threat intelligence solutions, Memcyco identifies victims as they interact with fake sites, provides detailed attacker data, and even deploys credential deception to neutralize stolen information before it can be used. With an agentless deployment that takes just minutes to implement, Memcyco delivers more than 10x ROI for customers across financial services, retail, airlines, logistics, and hospitality. The company has achieved nearly 300% year-over-year growth, serving organizations across North America, Latin America, Europe, and beyond. This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company.
Learn more: https://www.studioc60.com/creation#highlight GUEST Israel Mazin, Co-Founder and CEO of Memcyco On LinkedIn: https://www.linkedin.com/in/israel-mazin-62215b/ RESOURCES Memcyco: https://www.memcyco.com/ KEYWORDS Israel Mazin, Memcyco, Sean Martin, brand story, brand marketing, marketing podcast, brand highlight, account takeover, ATO fraud, digital impersonation, phishing protection, real-time fraud detection, credential deception, website spoofing, AI-driven attacks, fraud prevention platform, agentless security
AI-integrated tools, such as OpenAI's Atlas and Microsoft Teams, are introducing new trust and identity risks, particularly through vulnerabilities like prompt injections and guest access features. The Atlas browser, launched on October 21, 2025, has been identified as having security flaws that could allow attackers to inject harmful instructions. Similarly, Microsoft Teams has a vulnerability that permits attackers to bypass security protections when users join external tenants as guests. These developments highlight the fragility of AI integrations and the need for robust security measures in collaborative environments. The FBI has reported over $262 million in losses due to account takeover fraud schemes, with more than 5,100 complaints filed this year. Cybercriminals are employing social engineering tactics to gain unauthorized access to online banking and payroll accounts, often locking victims out by changing passwords. The FBI recommends that individuals monitor their financial accounts closely, use complex passwords, and enable multi-factor authentication to mitigate these risks. This trend underscores the importance of managing trust and identity in security practices, as attackers increasingly exploit human vulnerabilities rather than technical flaws. In the managed service provider (MSP) sector, a recent survey by OpenText Cybersecurity revealed that while 92% of MSPs are experiencing growth driven by interest in AI, fewer than half feel prepared to implement AI tools effectively. This marks a significant decline from the previous year's 90% readiness. Additionally, 71% of MSPs reported that their small and medium-sized business clients prefer bundled security solutions, indicating a shift towards integrated offerings that simplify decision-making for clients.
The findings suggest that MSPs need to focus on data governance and readiness before deploying AI solutions. For MSPs and IT service leaders, the key takeaway is that modern security is increasingly about managing identity and data governance rather than merely adding more tools. As AI vulnerabilities and account takeover fraud become more prevalent, providers must prioritize establishing secure trust boundaries and effective data management practices. By doing so, MSPs can differentiate themselves in a competitive market, ensuring they are equipped to deliver secure AI solutions and meaningful automation to their clients. Three things to know today: 00:00 New AI, Collaboration, and Fraud Threats Underscore That Identity—not Infrastructure—is the Real Security Battleground 05:15 Survey Shows MSPs Expanding Services Amid AI Interest, Yet True Opportunity Lies in Readiness and Governance 07:45 New MSP Integrations, Funding, and AI Platforms Underscore the Shift Toward Identity and Data Governance as the True Control Plane This is the Business of Tech. Supported by: https://try.auvik.com/dave-switch https://scalepad.com/dave/
Listeners, give us your feedback to help us make The Purposeful Banker more meaningful for you! Take our brief, 10-question survey at q2.com/podsurvey In this episode of The Purposeful Banker, Sara Seguin from Alloy joins Jim Young to talk about the increasing threat of account takeover and email compromise and how financial institutions can help their business customers fight back. Related Links Sara's LinkedIn https://www.linkedin.com/in/saraseguin/ Ongoing Fraud Monitoring from Q2 https://hub.q2.com/product-overview/ongoing-fraud-monitoring
Enjoy this encore of Word Notes. The prevention of the first part of an intrusion kill chain model exploitation technique, where the hacker steals valid login credentials from a targeted victim. CyberWire Glossary link: https://thecyberwire.com/glossary/account-takeover-prevention
In the latest episode of The Voice of Retail, host Michael LeBlanc speaks with Yale Holder, Vice President of Customer Experience at Moneris, about emerging retail fraud prevention trends and strategies for payment security. Drawing on Moneris' extensive transaction data—covering billions of annual payments—Yale explains how fraud cases in 2024 dropped by 15% overall, primarily due to increased awareness and more widespread adoption of secure payment technologies. Despite this good news, he notes that the real challenge lies in underreported incidents, signalling that fraud may still be more prevalent than official numbers suggest. Moneris Fraud Resources: https://www.moneris.com/en/solutions/fraud-prevention/resources A key issue is mail order and telephone order (MOTO) fraud, which accounts for 62% of reported cases. According to Yale, criminals gravitate toward the easiest targets, and card-not-present transactions remain especially vulnerable. He recommends that retailers of all sizes adopt secure online gateways for phone or email orders rather than manually keying in credit card numbers. Yale also highlights how modern point-of-sale systems, such as Moneris' new generation of devices, have built-in tools—like secure payment links—that help small businesses reduce fraud exposure. While online fraud decreases thanks to built-in multi-factor authentication and centralized security measures, in-person fraud rises through “crimes of opportunity.” One growing concern is refund fraud involving stolen terminals, representing nearly a third of reported cases. Yale urges retailers to implement strong password protection on every terminal and to store portable devices securely. He underscores that these simple, often-overlooked steps can dramatically reduce refund fraud and terminal theft. Regional insights reveal that Ontario leads with around 40% of reported fraud due to higher transaction volumes, followed by Quebec at 30%.
Saskatchewan stands out for its high incidence of employee refund fraud, emphasizing the need for tighter controls and individual employee logins. Meanwhile, Alberta shows an uptick in account takeover, underscoring the importance of guarding personal and business information against phishing attacks. Throughout the conversation, Yale returns to a central theme: proactive fraud prevention is far less costly than remedial action. He stresses immediate reporting of suspicious activity and diligent monitoring of transactions, enabling acquirers like Moneris to reverse or block fraudulent payments. From robust password protocols to leveraging secure e-commerce gateways, Yale's guidance provides retailers with clear, actionable strategies to safeguard revenue and maintain consumer trust. Ultimately, the episode serves as both a wake-up call and a resource for merchants seeking to stay ahead in the evolving world of retail fraud. Michael LeBlanc is the president and founder of M.E. LeBlanc & Company Inc, a senior retail advisor, keynote speaker and now, media entrepreneur. He has been on the front lines of retail industry change for his entire career. Michael has delivered keynotes, hosted fire-side discussions and participated worldwide in thought leadership panels, most recently on the main stage in Toronto at Retail Council of Canada's Retail Marketing conference with leaders from Walmart & Google.
He brings 25+ years of brand/retail/marketing & eCommerce leadership experience with Levi's, Black & Decker, Hudson's Bay, CanWest Media, Pandora Jewellery, The Shopping Channel and Retail Council of Canada to his advisory, speaking and media practice. Michael produces and hosts a network of leading retail trade podcasts, including the award-winning No.1 independent retail industry podcast in America, Remarkable Retail with his partner, Dallas-based best-selling author Steve Dennis; Canada's top retail industry podcast The Voice of Retail and Canada's top food industry and one of the top Canadian-produced management independent podcasts in the country, The Food Professor with Dr. Sylvain Charlebois from Dalhousie University in Halifax. Rethink Retail has recognized Michael as one of the top global retail experts for the fifth year in a row, the National Retail Federation has designated Michael as one of their Top Retail Voices for 2025, Thinkers 360 has named him one of the Top 50 global thought leaders in retail, RTIH has named him a top 100 global thought leader in retail technology and Coresight Research has named Michael a Retail AI Influencer. If you are a BBQ fan, you can tune into Michael's cooking show, Last Request BBQ, on YouTube, Instagram, X and yes, TikTok. Michael is available for keynote presentations helping retailers, brands and retail industry insiders explaining the current state and future of the retail industry in North America and around the world.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Romanian Distillery Scanning for SMTP Credentials
A particular attacker expanded the scope of their leaked-credential file scans. In addition to the usual ".env"-style files, it is now looking for specific SMTP-related credential files.
https://isc.sans.edu/diary/Romanian%20Distillery%20Scanning%20for%20SMTP%20Credentials/31736
Tool Updates: mac-robber.py
This update of mac-robber.py fixes issues with symlinks.
https://isc.sans.edu/diary/Tool%20update%3A%20mac-robber.py/31738
CVE-2025-1723: Account takeover vulnerability in ADSelfService Plus
CVE-2025-1723 describes a vulnerability caused by session mishandling in ADSelfService Plus that could allow unauthorized access to user enrollment data when MFA was not enabled for ADSelfService Plus login.
https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html
Android March Update
Google released an update for Android addressing two already-exploited vulnerabilities and several critical issues.
https://source.android.com/docs/security/bulletin/2025-03-01
PayPal's no-code checkout abused
Scammers are abusing PayPal's no-code-checkout feature to host PayPal tech support scam pages right within the PayPal.com domain.
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
Broadcom fixes three VMware vCenter vulnerabilities
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
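A defender reading the first item above will want to spot this kind of probing in their own web server logs. The following is an added example, not code from the SANS diary or from this page: it parses a few constructed combined-format access log lines, flags requests for ".env"-style files and for SMTP/mail credential files, and groups the hits by source address so a scanner stands out from a one-off 404. The path patterns, the log lines and the category names are assumptions for illustration; the diary does not publish the attacker's exact file list.

```javascript
'use strict';
// Added example (not the SANS diary's code). Flags web requests that probe for leaked
// credential files: ".env"-style files and SMTP/mail configuration files.
// PROBE_PATTERNS is an assumed, illustrative list, not the attacker's actual one.

// Combined/common log format: ip - - [time] "METHOD path HTTP/x" status size ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Ordered (category, pattern) pairs; the first match wins.
const PROBE_PATTERNS = [
  ['dotenv',     /(^|\/)\.env(\.[\w-]+)?$/i],                                  // /.env, /api/.env.production
  ['smtp-creds', /(^|\/)[\w.-]*smtp[\w.-]*\.(json|ya?ml|php|ini|env|txt)$/i],  // assumed names
  ['mail-creds', /(^|\/)(mail|mailer)\.(json|ya?ml|php|ini|env)$/i],           // assumed names
];

// Return the probe category for a request path, or null if it looks benign.
// The query string is dropped and percent-encoding decoded so "/%2Eenv" is still caught.
function classifyPath(rawPath) {
  const bare = rawPath.split('?')[0];
  let path;
  try { path = decodeURIComponent(bare); } catch { path = bare; }
  for (const [category, re] of PROBE_PATTERNS) {
    if (re.test(path)) return category;
  }
  return null;
}

// Parse log lines and return one record per credential-file probe.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;               // not a request line we understand
    const [, ip, time, method, path, status] = m;
    const category = classifyPath(path);
    if (category) hits.push({ ip, time, method, path, status: Number(status), category });
  }
  return hits;
}

// Group hits by source IP; a source probing >= minProbes distinct paths is a likely scanner.
function topScanners(hits, minProbes = 2) {
  const byIp = new Map();
  for (const h of hits) {
    if (!byIp.has(h.ip)) byIp.set(h.ip, new Set());
    byIp.get(h.ip).add(h.path);
  }
  return [...byIp.entries()]
    .filter(([, paths]) => paths.size >= minProbes)
    .map(([ip, paths]) => ({ ip, distinctPaths: paths.size }))
    .sort((a, b) => b.distinctPaths - a.distinctPaths);
}

// Constructed sample log lines (not real traffic); 192.0.2.0/24 is a documentation range.
const SAMPLE_LOG = [
  '192.0.2.10 - - [05/Mar/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [05/Mar/2025:10:00:02 +0000] "GET /api/.env.production HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [05/Mar/2025:10:00:03 +0000] "GET /config/smtp.json HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [05/Mar/2025:10:00:04 +0000] "GET /mailer.yml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '192.0.2.55 - - [05/Mar/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '192.0.2.55 - - [05/Mar/2025:10:01:05 +0000] "GET /static/environment.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
  '192.0.2.77 - - [05/Mar/2025:10:02:00 +0000] "GET /%2Eenv HTTP/1.1" 403 0 "-" "curl/8.0"',
];

const sampleHits = scanLog(SAMPLE_LOG);
for (const h of sampleHits) {
  console.log(`${h.ip} ${h.method} ${h.path} -> ${h.category} (HTTP ${h.status})`);
}
console.log('likely scanners:', topScanners(sampleHits));
```

A 200 on a probe (the constructed `/mailer.yml` line) deserves a different alert than a 404: it means the file was actually served, and whatever credentials it held should be treated as exposed and rotated.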
The Cybercrime Magazine Podcast brings you daily cybercrime news on WCYB Digital Radio, the first and only 7x24x365 internet radio station devoted to cybersecurity. Stay updated on the latest cyberattacks, hacks, data breaches, and more with our host. Don't miss an episode, airing every half-hour on WCYB Digital Radio and daily on our podcast. Listen to today's news at https://soundcloud.com/cybercrimemagazine/sets/cybercrime-daily-news. Brought to you by our Partner, Evolution Equity Partners, an international venture capital investor partnering with exceptional entrepreneurs to develop market leading cyber-security and enterprise software companies. Learn more at https://evolutionequity.com
Ravi Yadav, Global Head, Cybersecurity Business Unit, Tata Consultancy Services (TCS)
Banks and financial services firms are turning to next-gen security solutions to better protect themselves and their customers. Ravi Yadav of TCS reviews the biggest cyber threats banks are now facing and tells Robin Amlôt of IBS Intelligence how cyber fusion centres, merging security and fraud staff, processes and technologies, may provide an answer.
Top Headlines: Embrace The Red | DeepSeek AI: From Prompt Injection to Account Takeover: https://embracethered.com/blog/posts/2024/deepseek-ai-prompt-injection-to-xss-and-account-takeover/ Huntress | Cleo Software Actively Being Exploited in the Wild: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild Zscaler | Unveiling RevC2 and Venom Loader: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader Cyble | Threat Actor Targets Manufacturing Industry with Malware: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/?&web_view=true ---------- Stay in Touch! Twitter: https://twitter.com/Intel471Inc LinkedIn: https://www.linkedin.com/company/intel-471/ YouTube: https://www.youtube.com/channel/UCIL4ElcM6oLd3n36hM4_wkg Discord: https://discord.gg/DR4mcW4zBr Facebook: https://www.facebook.com/Intel471Inc/
Welcome to another episode of Category Visionaries — the show that explores GTM stories from tech's most innovative B2B founders. In today's episode, we're speaking with Ori Eisen, CEO & Founder of Trusona, an account takeover prevention platform that has raised $38 Million in funding. Here are the most interesting points from our conversation: Persistence Pays Off: Ori's relentless pursuit of Frank Abagnale for mentorship and his insistence on John Doerr's presence at a crucial pitch meeting exemplify his "never take no for an answer" attitude. Creative Marketing Strategies: Ori emphasizes the importance of standing out in the crowded cybersecurity market by using unconventional and memorable marketing tactics. First-Party Data Focus: Trusona's strength lies in using first-party data to verify user identities, which Ori believes is crucial in the age of AI-driven fraud. Real Vacation Culture: Ori advocates for founders to take real vacations to recharge and avoid burnout, providing a detailed process for effectively disconnecting from work. Security Through Innovation: Ori's development of computer fingerprinting and other technologies showcases his innovative approach to solving complex security problems. Challenging Conventional Wisdom: Ori often goes against traditional Silicon Valley advice, focusing instead on what he believes will truly benefit his company and its mission. // Sponsors: Front Lines — We help B2B tech companies launch, manage, and grow podcasts that drive demand, awareness, and thought leadership. www.FrontLines.io The Global Talent Co. — We help tech startups find, vet, hire, pay, and retain amazing marketing talent that costs 50-70% less than the US & Europe. www.GlobalTalent.co
Today, we sit down with Ori Eisen, CEO of Trusona, to explore the cutting-edge world of cybercrime and account takeovers. Ori shares his journey from early fraud prevention to pioneering innovative security solutions. Discover how Trusona's ATO Protect revolutionizes ID verification by directly accessing DMV records, making it almost impossible for fraudsters to succeed. Watch as we demonstrate this powerful tool in real time, showcasing its effectiveness against identity theft and sophisticated attacks. Learn about the evolving tactics of cybercriminals, the role of AI in creating fake identities, and practical tips to protect yourself and your business. Ori's insights and Trusona's technology offer a compelling glimpse into the future of cybersecurity. Join us for this eye-opening discussion, and don't forget to like, comment, and subscribe for more episodes of Criminal Thoughts! Follow more of Brett: https://www.thebrettjohnsonshow.com Watch Brett Johnson on the Lex Fridman Podcast: https://www.youtube.com/watch?v=cC1LFC0KFSw&t=3s Watch Brett Johnson on the Jordan B Peterson Podcast: https://www.youtube.com/watch?v=cz0GVLzzYlg ABOUT BRETT Brett Johnson. Former U.S. Most Wanted Cybercriminal. Now Good Guy. The United States Secret Service called Mr. Johnson "The Original Internet Godfather" for his role in refining modern financial cybercrime. Or to put it another way: Brett was convicted of 39 felonies, placed on the U.S. Most Wanted List, escaped from prison, and… he built the first organized cybercrime community. Shadowcrew was a precursor to today's darknet and darknet markets, and it laid the foundation for the way modern cybercrime channels operate today. Johnson was sentenced to 90 months in Federal Prison. End of story? Not hardly. Brett found redemption through his sister, his wife Michele, and finally the FBI. He was given the chance to turn his life around. He took it.
Today, Brett is considered one of the leading authorities on cybercrime, identity theft, and cybersecurity on the planet. He works hard to protect businesses and consumers from the type of person he used to be.
In this episode of The Lending Link, host Rich Alterman sits down with Adam Elliott, the CEO and Founder of Kevari, to delve into the critical issue of identity fraud and its evolving complexities. Adam begins by sharing his journey from holding senior roles at Check Systems to founding Kevari, a leading identity fraud prevention company that combines machine learning with consortium velocity and identity networks to detect fraud in real-time. He explains the reasoning behind rebranding from ID Insight to Kevari, aiming to convey strength and technological innovation. Adam also shares his optimistic outlook on the future of fraud prevention, emphasizing the potential of emerging technologies and data networks to turn the tide in the ongoing battle against fraud. Tune in now!
After years in the industry, inventing and exploring emerging technologies, Gideon Hazam, Co-Founder, COO and CSM at Memcyco (https://www.memcyco.com/home), found a way to solve a problem outside the normal cybersecurity approaches. He joins us behind the scenes to discuss innovative ways to reduce website spoofing.
Key Topics: new ways to reduce cyber risks in financial institutions, ways to prevent account takeovers, innovative ways to reduce website spoofing, latest types of phishing, dangers of website spoofing, social engineering attacks against financial institutions
Chapters
01:09 The Importance of Brand Protection
04:01 The Impact of COVID-19 on Cybercrime
06:28 Methods of Website Spoofing
08:37 Account Takeover and Phishing
09:30 Current Solutions and Challenges
20:13 Expanding to Other Industries
24:38 Alerting the Original Brand and Customers
26:19 Real-Time Detection of Spoofed Sites
27:46 Customer Alerts and Integration with Security Operations Centers
30:51 Introduction to Memcyco and its Integration with Risk and Fraud
33:25 Challenges Faced by Organizations in Impersonation Attacks
35:38 Focus on Brand Reputation and Customer Trust
36:34 The Need for Protection Against Spoofing Attacks
46:15 Marking and Tracing Stolen Credentials
48:04 Uniqueness of Memcyco and Patented Technology
49:14 The Three Parts of Memcyco's Platform: Detection, Protection, and Action
Try KiteWorks today at www.KiteWorks.com. Don't miss our video on this exciting KiteWorks offer! The Most Secure Managed File Transfer System.
Watch video episodes! And please subscribe to our YouTube channel. Want to help us out? Leave us a 5-star review on Apple Podcast Reviews. Submit your questions direct and find out more at www.CyberCrimeJunkies.com. Stay up-to-date on cybersecurity with the VIGILANCE newsletter. Want gear? We love our small business sponsor, BlushingIntrovert.com, which has it all.
Women's clothing, cool accessories supporting Mental Health Research. https://blushingintrovert.com
In this episode we explore the risks of account takeover, a type of attack that has proliferated with the growing role of digitalization in modern society. Since the human factor is crucial to preventing this kind of fraud, it is essential to make proper use of the available technologies to mitigate and anticipate these attacks.
A short bounty episode featuring some logical bugs in Apache OFBiz, a GitLab Account Takeover, and an unauthenticated RCE in Adobe Coldfusion. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/235.html [00:00:00] Introduction [00:00:20] SonicWall Discovers Critical Apache OFBiz Zero-day [00:11:40] [GitLab] Account Takeover via password reset without user interactions [00:24:05] Unauthenticated RCE in Adobe Coldfusion [CVE-2023-26360] [00:35:08] No new iPhone? No secure iOS: Looking at an unfixed iOS vulnerability [00:36:45] How we made $120k bug bounty in a year with good automation The DAY[0] Podcast episodes are streamed live on Twitch twice a week: -- Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities -- Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. We are also available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosec You can also join our discord: https://discord.gg/daTxTK9
In an increasingly connected world, the need for robust cybersecurity practices has never been more important. Join us as we discuss practical, up-to-date cybersecurity tips and best practices. Don't miss this opportunity to fortify your digital defenses and stay one step ahead of cyber threats.
Free, ungated access to all 260+ episodes of “It's 5:05!” on your favorite podcast platforms: https://bit.ly/505-updates. You're welcome to
Full episode available on your favorite podcast platform: /bit.ly/505-updates
In this story on the ITSPmagazine podcast network, hosts Sean Martin and Marco Ciappelli invite guest Karl Triebes to take a look back at 10 years of Bad Bot Reports. Looking forward to the future, they discuss the increasing sophistication of bot attacks, the challenges in detecting them, and the potential damage to businesses and society. As they discuss the evolution of bot attacks in the last decade, they outline the increasing focus on API security, account takeover, and business logic attacks. They also discuss the challenges of detecting bot attacks with the rise of AI. The conversation raises philosophical questions about the future of humanity and the potential damage to businesses and society caused by bot attacks.
Note: This story contains promotional content. Learn more.
Guest
Karl Triebes, SVP and General Manager, Application Security at Imperva [@Imperva]
On LinkedIn | https://www.linkedin.com/in/karltriebes/
On Twitter | https://twitter.com/Triebes
Resources
Learn more about Imperva and their offering: https://itspm.ag/imperva277117988
Download the 2023 Imperva Bad Bot Report: https://itspm.ag/impervv0sg
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story
Eva Velasquez, Identity Theft Resource Center CEO, joins Megan Lynch talking about social media takeovers. (Photo illustration by Christopher Furlong/Getty Images)
Guest: Cem Dilmegani, Principal Analyst at AIMultiple [@aimultiple]
On LinkedIn | https://www.linkedin.com/in/cem-dilmegani/
On Twitter | http://twitter.com/dilmegani
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
This Episode's Sponsors
Imperva | https://itspm.ag/imperva277117988
Edgescan | https://itspm.ag/itspegweb
Episode Notes
In this podcast episode, Cem Dilmegani and Sean Martin discuss the various types of fraud that exist and how machine learning can be utilized by both fraudsters and companies to outsmart each other.
The conversation delves into the world of fraud and its impact across various domains, from financial systems to advertising and even healthcare. The discussion highlights how fraudsters are using sophisticated techniques, such as machine learning and automation, to bypass rules-based systems and carry out illicit transactions or manipulate user behavior.
The conversation shifts to the financial services industry, where Cem explains how illicit actors might use automation to transfer funds through smaller transactions to avoid detection or bypass sanctions. They also discuss the challenges faced by banks in identifying fraudulent transactions and the complexities involved when dealing with nation-state actors.
Sean brings up the concept of open-source intelligence (OSINT) in the cybersecurity world and wonders if there's a similar database for fraud rules and vulnerabilities in the financial world. Cem explains that while OSINT might not be as powerful in the world of fraud, fraudsters can still find ways to exploit systems and bypass controls.
Throughout the conversation, intriguing use cases are presented, such as ad fraud in the B2B tech industry, where competitors employ machine-generated clicks and utilize bots to drain marketing budgets, or the concept of "feature fraud," where malicious actors manipulate user feedback to drive companies in the wrong direction.
The episode also delves into the challenges faced by the healthcare industry, including insurance fraud, where patients are overcharged for services or billed for therapies they never received. In the financial services realm, fraudsters resort to account takeovers, complex transaction models, and even shell entities to bypass security measures.
The discussion also highlights the ever-evolving world of fraud, emphasizing the need for businesses and industries to leverage advanced technologies, like AI and machine learning, to stay ahead of the curve and protect themselves from these sophisticated threats. This episode is a must-listen for anyone interested in understanding the complexities of fraud and the countermeasures that can be employed to mitigate its impact.
Tune in now and stay ahead of the curve!
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist
04 April 2023 Cyber and Tech News
In today's podcast we cover four crucial cyber and technology topics, including: 1. FTC extends deadline for new cyber security rule implementation 2. Bitcoin ATMs attacked in 1.5 Million dollar heist 3. ByteDance and TikTok to safeguard data from governments 4. Germany follows Italy's steps and bans ChatGPT over privacy concerns I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com
In today's podcast we cover four crucial cyber and technology topics, including: 1. Western Digital addressing security incident; some services down 2. Ukraine arrests scammers who made 4.33 million USD 3. Elementor Pro allows takeover of WordPress websites 4. Italy bans ChatGPT citing GDPR, privacy concerns I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com
In today's podcast we cover four crucial cyber and technology topics, including: 1. ChatGPT flaws leading to account takeover fixed 2. QNAP flaw fixed which could result in Sudo Bypass 3. 3CX users impacted in supply chain attack 4. UK poses as criminal service to identify potential criminals I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com
Is it possible to escalate a self-XSS into an account takeover? Perhaps, we take a look at some potential options by abusing single-sign on. Then we take a look at a few Facebook/Meta authentication issues, and a deserialization trick to increase the usable classes in PHP. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/185.html [00:00:00] Introduction [00:00:21] Single-Sign On Gadgets: Escalate (Self-)XSS to Account Takeover [00:11:11] Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing [00:14:00] DOM-XSS in Instant Games due to improper verification of supplied URLs [00:18:55] Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation [00:29:33] Unserializable, but unreachable: Remote code execution on vBulletin [00:34:54] Lexmark MC3224adwe RCE exploit
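The Canvas Apps item above comes down to one mistake: a `message` handler that trusts whatever window talked to it. The following is an added example, not code from the episode, the linked write-up or Meta: a minimal cross-window message handler that hands the page's session token to a caller, shown three ways. The first does no origin check at all, the second uses a prefix check that a look-alike origin defeats, and the third does an exact allowlist match, validates the message shape, and targets its reply at that origin only. The origins, the message shape and the token value are assumptions for illustration; the `fakeWindow` stand-in exists so the three handlers can be exercised outside a browser.

```javascript
'use strict';
// Added example (not the episode's or Meta's code). Three versions of a window.onmessage
// handler that returns a session token to the window that asked for it.
// Origins, message shape and token are assumed for illustration.

const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://canvas.example']);

// Vulnerable: any window that can send {type:'getToken'} gets the token, including an
// attacker's page that opened this one or embeds it in an iframe. Replying to '*' also
// lets the token be delivered wherever the source window has since navigated.
function handleMessageVulnerable(event, sessionToken) {
  if (event.data && event.data.type === 'getToken') {
    event.source.postMessage({ type: 'token', token: sessionToken }, '*');
    return true;
  }
  return false;
}

// Still vulnerable: a prefix (or indexOf/regex) check accepts "https://app.example.attacker.test".
function handleMessageWeakPrefix(event, sessionToken) {
  if (!event.origin.startsWith('https://app.example')) return false;
  if (!event.data || event.data.type !== 'getToken') return false;
  event.source.postMessage({ type: 'token', token: sessionToken }, '*');
  return true;
}

// Hardened: exact match against an allowlist of full origins (scheme + host + port),
// reject anything that is not the expected object shape, and send the reply only to the
// origin that was verified so it cannot land anywhere else.
function handleMessageHardened(event, sessionToken) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  if (!event.data || typeof event.data !== 'object' || event.data.type !== 'getToken') return false;
  event.source.postMessage({ type: 'token', token: sessionToken }, event.origin);
  return true;
}

// Minimal stand-in for a window: records what was posted to it and with which targetOrigin.
function fakeWindow() {
  const inbox = [];
  return { inbox, postMessage(data, targetOrigin) { inbox.push({ data, targetOrigin }); } };
}

// Simulate a MessageEvent arriving from `origin` and report what the handler gave away.
function deliver(handler, origin, data, token = 'sess-0123') {
  const source = fakeWindow();
  const handled = handler({ origin, data, source }, token);
  return { handled, leaked: source.inbox.map(m => m.data.token), replies: source.inbox };
}

const ATTACKER = 'https://app.example.attacker.test';   // assumed look-alike origin
const demoVuln = deliver(handleMessageVulnerable, ATTACKER, { type: 'getToken' });
const demoWeak = deliver(handleMessageWeakPrefix, ATTACKER, { type: 'getToken' });
const demoHard = deliver(handleMessageHardened, ATTACKER, { type: 'getToken' });
const demoOk = deliver(handleMessageHardened, 'https://canvas.example', { type: 'getToken' });
console.log('no origin check, token leaked to attacker:', demoVuln.leaked);   // ['sess-0123']
console.log('prefix check, token leaked to attacker:  ', demoWeak.leaked);    // ['sess-0123']
console.log('exact allowlist, token leaked to attacker:', demoHard.leaked);   // []
console.log('exact allowlist, reply targeted at:', demoOk.replies[0].targetOrigin); // https://canvas.example
```

The same shape applies on the receiving side: a page that consumes the token should check `event.origin` against the one origin it expects the token from, not accept it from any frame that happens to post a `{type:'token'}` message.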
Starting off the week strong we have a CSS injection turned full-read SSRF, and a MyBB exploit chain from XSS to server-side code injection. And we've got a couple auth token disclosures to end off the episode. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/183.html [00:00:00] Introduction [00:00:22] Unleashing the power of CSS injection: The access key to an internal API [00:06:50] MyBB
In this episode of The Protectors, Mike and Mark delve into the dark world of financial fraud. From sophisticated phishing schemes to insider collusion, we examine the various methods criminals use to steal from banks and their customers. Chris, a subscriber to the podcast, shares his personal story of how he almost became a victim of an attempted bank takeover. Join us as we uncover the secrets of illegal bank takeovers and learn how to protect yourself and your money.
*** This episode was previously recorded on 11/11/22
GUEST CONTACT INFO:
Website: IAFCI
Protectorspodcast@gmail.com
Federal Trade Commission: www.ftc.gov
First episode of the new year, and we've got some cool stuff. Several authentication issues and "class pollution" in Python. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/177.html [00:00:00] Introduction [00:00:31] ReDoS "vulnerabilities" and misaligned incentives [00:17:14] Web Hackers vs. The Auto Industry [00:37:19] Prototype Pollution in Python - Correction: We discuss a bit of a disagreement regarding calling the issue "Prototype Pollution" in Python, turns out we missed the fact the author calls it "Class Pollution" in the actual article which is a more fitting name. [00:50:26] [MK8DX] Improper verification of Competition creation allows to create "Official" competitions [00:56:36] 0 click Facebook Account Takeover and Two-Factor Authentication Bypass [01:01:18] How SAML works and some attacks on it
Is Pwn2Own worth it for bug bounty hunters? A handful of trivial command injections, and some awesome WAF bypasses. Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/175.html [00:00:00] Introduction [00:00:34] Pwn2Own Toronto 2022 - Results [00:10:31] Cool vulns don't live long - Netgear and Pwn2Own [00:15:03] The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022 [00:26:54] Abusing JSON-Based SQL to Bypass WAF [00:26:54] RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass [00:37:25] Abusing JSON-Based SQL to Bypass WAF [00:46:47] OTP Leaking Through Cookie Leads to Account Takeover [00:50:47] ChatGPT bid for bogus bug bounty is thwarted
We dive into the lessons of Refinitiv's new report: US Identity Theft in 2021. We discuss the shocking responses consumers gave about their attitudes towards account takeover, including their willingness to change financial institutions that allow their personal information to be compromised. We also cover new findings about fraud in buy now pay later programs, peer-to-peer (P2P) payments, and more.
An interview with James Mirfin, Global Head of Digital Identity and Fraud Solutions at Refinitiv, an LSEG business.
There has to be a better way. A safer way. There has to be a way to swiftly let a member reset a password to gain entry to his/her accounts and to also defeat the account-takeover criminals who specialize in seizing control of others' accounts and swiftly draining them.
Know this: the criminals who do this are an industry. They are professional. And they work full time at this.
Case in point: in the podcast Abrar Ahmed, CEO of Cozera Solutions, relates that criminal gangs will patiently call the same credit union, failing to win entry to the accounts they lust after, but what they are doing is gathering intel. Pretty soon they know all the challenge questions, and that means they also can know the answers.
A credit union needs to know how to fight back. id-go, a Cozera Solutions tool, is one such way.
Cozera Solutions explains how it works its magic: "id-go replaces discoverable secrets like passwords and one-time passcodes with strong passwordless biometric authentication so there are no secrets for attackers to steal. To protect privacy, authentication is executed with device based biometrics that never leave the consumer's device."
In the podcast, Ahmed says that deployment of this tool to members is fast and seamless and can proceed with essentially no tech heavy lifting on the credit union's part.
The company is still in start-up mode but has already implemented its tools at four credit unions, a sector Ahmed is focused on.
Listen up.
Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email rjmcgarvey@gmail.com
And like this podcast on whatever service you use to stream it. That matters.
Find out more about CU2.0 and the digital transformation of credit unions here. It's a journey every credit union needs to take. Pronto
A new year and a new Bad Bot Report from Imperva. How is it looking? Well, this year, we see an increase in the sophistication level of bad bots compared to last year, with advanced bad bots accounting for 25.9% of all bad bot traffic in 2021, compared to 16.7% in 2020. In addition, evasive bad bots are on the rise, no industry is immune, and Account Takeover attacks are more prevalent than ever.The good news is that not all bots are Superbad — they go from Simple to Moderate, Advanced, and, Evasive — and we are getting better at finding them.During our conversation this year, we take a quick look back in time to last year's report to see what some of the changes are. Sadly, the team at Imperva is seeing more of the advanced bots we discussed during this conversation. Unfortunately, their ability to emulate human behavior makes them much more difficult to detect.What's driving a lot of this rise in bad bots? More and more services are moving online.We hope you enjoy this Part 1 of 2 conversations as we explore and uncover the consequences of bad bots for our business and society.About the 2022 Imperva Bad Bot ReportLeveraging data from its global network, Imperva Threat Research investigates the rising volume of automated attacks occurring daily, evading detection while wreaking havoc and committing online fraud. The 9th annual Imperva Bad Bot Report is based on data collected from the Imperva global network throughout 2021. The data is composed of hundreds of billions of blocked bad bot requests, anonymized over thousands of domains. The goal of this report is to provide meaningful information and guidance about the nature and impact of these automated threats.Bot attacks are often the first indicator of fraudulent activity online, whether it's validating stolen user credentials and credit card information to later be sold on the dark web, or scraping proprietary data to gain a competitive advantage. 
Often bots are used to surveil applications and APIs in an attempt to discover vulnerabilities or weak security. Online fraud from automated bot attacks is not only a threat to the business, but it is first and foremost a risk to customers. Bad bot attacks might cause customers to be unable to access their accounts or have sensitive information stolen from them due to successful account takeover fraud.

Bad bots mask themselves and attempt to interact with applications in the same way a legitimate user would, making them harder to detect and block. They enable high-speed abuse, misuse, and attacks on your websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities.

Such activities include web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, denial of service, denial of inventory, spam, transaction fraud, and more.

Note: This story contains promotional content. Learn more.

Guest
Ryan Windham
VP of Application Security at Imperva [@Imperva]
On LinkedIn | https://www.linkedin.com/in/rwindham/

Resources
Learn more about Imperva and their offering: https://itspm.ag/imperva277117988
Imperva Bad Bot Report 2022: https://itspm.ag/impervwurd
Want the Bad Bot 101 Story? Check out the Imperva 2021 Bad Bot Report Podcast Series here: https://www.itspmagazine.com/their-stories/the-good-the-bad-and-the-ugly-the-bad-bot-report-2021-an-imperva-story
Be sure to listen to Part 2 of this conversation here: https://itspmagazine.com/their-stories/how-bots-fake-human-behavior-to-conduct-online-fraud-the-bad-bot-report-2022-part-1-an-imperva-story-with-ryan-windham
Are you interested in telling your story? https://www.itspmagazine.com/telling-your-story
ShadowTalk host Chris alongside Stefano and Kim bring you the latest in threat intelligence. This week they cover:
* AlphV breaching victims' data in open source
* 'BidenCash' website sells your credit card information for only 15 cents
* Account Takeover paper

***Resources from this week's podcast***
POLONIUM: Proxy Warfare And Iran's Cyber Strategy https://www.digitalshadows.com/blog-and-research/polonium-proxy-warfare-and-irans-cyber-strategy/
Vulnerability Intelligence Roundup: Leveraging The OODA Loop For Vulnerability Management https://www.digitalshadows.com/blog-and-research/vulnerability-intelligence-roundup-leveraging-the-ooda-loop-for-vulnerability-management/
Credential Stuffing: What Is It, Are You At Risk? https://www.digitalshadows.com/blog-and-research/credential-stuffing-what-is-it-are-you-at-risk/
ALPHV/BlackCat ransomware gang starts publishing victims' data on the clear web https://securityaffairs.co/wordpress/132339/malware/blackcat-ransomware-clear-web.html
New 'BidenCash' site sells your stolen credit card for just 15 cents https://www.bleepingcomputer.com/news/security/new-bidencash-site-sells-your-stolen-credit-card-for-just-15-cents/
The Anatomy of a Cyberattack https://www.wsj.com/articles/anatomy-cyberattack-11654543046

Subscribe to our threat intelligence email: https://info.digitalshadows.com/SubscribetoEmail-Podcast_Reg.html
Also, don't forget to reach out to shadowtalk@digitalshadows.com if you have any questions, comments, or suggestions for the next episodes.
Money laundering looks different in the securities industry, and that poses its own challenges. But add to that a landscape of constantly evolving threats and it is a lot to keep up with. On this episode, Jason Foye, Senior Director of the National Cause and Financial Crimes Detection Program's Special Investigative Unit, joins us once again to tell us about the latest trends, emerging threats and how firms can ensure their AML program remains strong and effective.

How are we doing? Take the FINRA Unscripted survey today.

Resources mentioned in this episode:
Episode 33: Beyond Hollywood: Money Laundering in the Securities Industry
Episode 34: Beyond Hollywood, Part II: AML Priorities and Best Practices
Episode 71: Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity
Episode 72: Overlapping Risks, Part 2: Anti-Money Laundering and Elder Exploitation
Episode 86: FINRA's Financial Intelligence Unit: Connecting the Dots
2022 Report on FINRA's Exam and Risk Monitoring Program: Cybersecurity
2022 Report on FINRA's Exam and Risk Monitoring Program: AML
Financial Crimes Enforcement Network (FinCEN) Priorities
FinCEN Alert: Potential Russian Sanctions Evasion Attempts
SEC Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities
Regulatory Notice 20-32: Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud
Regulatory Notice 22-06: U.S. Imposes Sanctions on Russian Entities and Individuals
Regulatory Notice 21-18: Practices Firms Use to Protect Customers From Online Account Takeover Attempts
FINRA Key Topics: Cybersecurity
In the latest edition of the Omni Talk Retail Spotlight Video Series, Chris Walton and Anne Mezzenga sit down with Signifyd's CMO Indy Guha to learn all they can about the latest fiendish effort being used to defraud consumers, aka Account Takeover (or ATO, if you are in the know). Together they discuss:
The rise of e-commerce and the increasing strain placed on fraud prevention
What account takeover is and why it is so much more sinister than just using someone's credit card number
And why a networked approach may be the only way to solve the problem

To access Signifyd's pulse reports, head here: http://www.signifyd.com/ecommerce-pul...
Music by hooksounds.com
*Sponsored Content*
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
A Good Old Equation Editor Vulnerability Delivering Malware https://www.welivesecurity.com/2022/02/22/teenage-cybercrime-stop-kids-wrong-path/
Horde Webmail 5.2.22 - Account Takeover via Email https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
NoVNC Phishing https://mrd0x.com/bypass-2fa-using-novnc/