Episode 262 – Bot Attacks Are Getting Smarter…Are You? – Nate Kharrl, Spec

Yvette Bohanan

April 23, 2025

POF Podcast

In May of 2022, when we recorded Episode 167, Yvette Bohanan sat down with Patrick Chen, a co-founder at Spec – then called SpecTrust – to talk about combatting fraud. We covered a wide range of topics around fraud operations. What is it, what makes it challenging, and the delicate balance of creating a great customer journey and still catching the bad actors.

A lot has happened since 2022. GenAI is redefining the payments risk landscape, and fraudsters are having a heyday with their new tech.

To dig into some of the tactics and tech that are enabling today’s fraud schemes, Yvette welcomes the other Spec co-founder, their CEO, Nate Kharrl, to Payments on Fire.

Yvette Bohanan: Hello, I’m Yvette Bohanan, a partner at Glenbrook and your host for this episode of Payments on Fire. In May of 2022, when we recorded episode 167, I sat down with Patrick Chen, a co-founder at Spec, then called Spec Trust, to talk about combating fraud. We covered a wide range of topics around fraud operations. What it is, what makes it challenging, and the delicate balance of creating a great customer journey and still catching bad actors.

A lot has happened since 2022. Gen AI is redefining the payments risk landscape, and fraudsters are having a heyday with their new tech. So to dig into some of the tactics and tech that are enabling today’s fraud schemes, we’re speaking with the other Spec co-founder, their CEO, Nate Kharrl. Nate, welcome to Payments on Fire.

Nate Kharrl: Thanks for having me on the show, Yvette.

Yvette Bohanan: We are delighted that you’re here with us. A lot is happening and I’m always fascinated by how people land into the space because it is such a niche, right? And your career path, you have a background in tech, customer engagement, technical product management, consulting. Can you share the thread that wove all this together and led you to become a co-founder of Spec?

Nate Kharrl: Fraud in general is weird, right? You walk into any organization like, hey, who is the person, the whisperer, who can figure out where fraud is and what they need to be doing? And they may have been opportunistically pulled in from the data science team. They may have come up through the customer service ranks. They may be a product manager who just really sunk their teeth into it. I don’t think there’s really one way to get into the fraud detection industry, whether you’re a practitioner or you’re working on the solution side.

My background specifically is I have been, I’m going to say like hacker curious since I was very young. My dad was getting called by the ISP because I was distributing malware as a 13-year-old. Don’t learn that way.

Yvette Bohanan: We’re not advocating for this.

Nate Kharrl: Yeah, not advocating that. That was always the world that I was just fascinated by. And I think, getting into that as I got into a career in tech, it was more about who’s using software and what are they using it for? And a lot of times these were websites, you kind of think about where my career really started to move, circa 2007, 2008, more and more is moving online where the iPhone is putting the internet into everybody’s pocket. And that was a point in time, I was like, Oh, there’s so many people using the internet. Who are they? What are they trying to do? How can we reach them? How can we make sure that things are going the way that we want them to?

And then understanding enough about the underlying internet. It’s like, Oh, this is a big herd of people on the internet that you can hide inside of now. Right? Now it’s very regular, but at that point in time it was like, Oh, this is a really fascinating spot to be.

Akamai was great for that. Web security was a wonderful way into it, but a lot of what web security was tackling was really basic. It was really shallow, right? So just think like a mile wide and inch deep. A lot of the more interesting things that were happening were a lot of this crossover where you can kind of imagine this is the world where, Apple Pay was becoming a thing, where, people were moving out of PayPal and kind of onto other platforms.

Stripe was starting to come up at this point in time. It became really clear that norms around how money moves, between businesses and customers, or even between consumers, were going to change really, really dramatically.

Yvette Bohanan: Yeah. What was it that caught your attention at Akamai in particular? You’re talking about sort of hiding in the herd, and I think that’s a really great way to think about it, actually a great metaphor for what fraudsters discovered at that point. And probably back then it was a lot of individual actors that we’re talking about, right? So onesie, twosie folks who are trying to take advantage of something and they realize they’re in the mix and figuring out ways to evade detection.

Is that what you were seeing at Akamai? Like sort of this anomalous, how did you spot that? How did you, how did that dawn on you, right, at that moment?

Nate Kharrl: I’ve started to get old, right? I’m starting to notice that I’m starting to get old, right? I repeat some of the same stories over and over again. And for a while that bugged me and I was like, No, no, these are just foundational moments for me.

So I’m not going to use any names on this one, but we were, well I’m going to use one name. We were doing some work at the time for Visa, which is the only name we’re going to use. And there was this very specific event where they wanted to promote a product by giving digital Best Buy gift cards to anyone who would sign up with an email address. So basically just giving away free, instantly redeemable money. And that was a bad idea on so many levels. But there were so many people who didn’t understand that it was a bad idea.

Yvette Bohanan: Well, it was a naive idea.

Nate Kharrl: Yes, totally. Right. And they wrapped this entire thing around a promotion that was going to happen for the Super Bowl, right? And so just imagine you have this high pressure, big marketing spend, there’s going to be a big marketing spend to basically give this free money away. And the idea is that you are going to get millions of people to sign up for a service that would make them very lucrative customers over a long period of time.

Well, it turns out that it’s pretty easy to create a fake email address and sign up for this service, right? What ended up happening was all of the data looked terrifying, but no one could really understand or humanize what it was. So like, No, no, this is normal. This is fine. This is normal. This is fine. Turns out about the, I don’t remember the exact number, I know it’s somewhere between $1.2 and $1.8 million worth of these digital gift cards basically ended up in the hands of one person, like instantly redeemable, right?

So it’s this thing of, if you could see this the same way that you would see someone at a check stand, like in the physical world, you would instantly know at a human level what you were supposed to do. But just the work that goes into understanding who’s there, it’s like reading the matrix, like turning data into people, right? That was just this fascinating thing. I was like, Oh no, I need to sink my teeth in here and solve this problem in a really meaningful way.

Yvette Bohanan: Where did that lead you? What were you doing at Akamai and how did that move you into this space even further?

Nate Kharrl: I think the interesting thing about a security company, really any security company is they’re really thinking about the devices on the internet, or just in general, like how they’re networked together, how they’re communicating together. The human element is largely scrubbed from it, right?

Hey, there may be like someone who is trying to get elevated access or they shouldn’t have it, but like the human element is out. These are bad packets, bad requests, whatever. The fraud world is really different, it’s the other way, right? They don’t really care how someone visited the site.

They don’t really care if exploits were used to maybe dance around some form validation or to insert things into databases that ought not be there. All they really care about is, am I going to get a financial discrepancy that’s going to show up, it’s going to hit the CFO, the CFO’s going to have to drill down into what happened here.

And then we pull on the threads and just figure out, Oh, where did this money go? Who took it and how, right, and how do we prevent it from happening again? That I think is that thing that is missing from the security standpoint.

And I want to be really clear. I don’t fault any security team for it. If you Google search for CISO mind map, it’s just like, Here’s a CISO, here’s the entire universe of things that they need to care about, right? So I get it, they can’t really care about fraud with all the things that are already on their plate. But it’s missing, right? That gap is missing.

Yvette Bohanan: Let’s put a pin in that and come back to it, because that’s really something I wanted to dig into a little bit more with you. But, okay, so you were back here at Akamai circa, when was that whole-

Nate Kharrl: I think I left Akamai around like 2013.

Yvette Bohanan: Okay. 2013. Yeah. So you say you’re getting old. I can go way back. We are not going to on this episode, but yeah. So 2013, that stuff was all happening. That incident was sort of like what we would call maybe a lone wolf or a small group of bad actors, right.

Nate Kharrl: That was one guy. We found one guy, I think he was in like Wisconsin or Minnesota, somewhere, kind of somewhere cold.

Yvette Bohanan: So basically a lone wolf is what we would call it today. Now you talk with people in the industry, and I’m very curious, I keep asking this question to people because it’s really hard to test, the data in this space is, let’s just not go there, like all the industry reports, it’s very hard to decipher actual data loss. But a lot of people are saying the fraudsters with GenAI are now rings, right? We know it’s professionalized since then in a big way. We still have lone wolves, but we do have these very large professional rings, even like transnational organized crime, right. And everyone’s saying they’re two to three years ahead of the good guys in implementing the new tech like GenAI. Do you think this is true and why?

Nate Kharrl: Yeah, so I think like, Yes And, right. I think a part of this is the smaller an organization is, the more nimble they are. Spec is a relatively small organization, we can adjust to things much more quickly than a company with 1000 or 10,000 employees, right? As you think about these really small operators, if a new tool gets released, they’re testing it and evaluating it that week, which is like impossible in the world of the brands that are trying to protect themselves. I think the other end of it is they’re a lot more AI curious. If you think about the, we basically see three major tiers of people that we’re fighting, right? One of them is these relatively large rings. When I say rings, sorry, this is a little bit different. This is effectively oligarch funded money laundering slash fraud that is happening at just massive scale.

Yvette Bohanan: Yeah, transnational organized crime is what I would put that into.

Nate Kharrl: Exactly. Yes, exactly, right. These are people who are, if you zoom out and look at them, they’re moving tens of millions of dollars a year through a single site. We have smaller fraud rings, which will generally be like, we’ll say somewhere between 10 to 50 people. They’ll have dedicated developers in house, they’ll build some of their own tools. These people will have tools that the general public doesn’t see. And then we have these prosumer lone wolves, right, that are hanging out in Discord channels, they’re hanging out in Telegram groups. They are buying monthly subscriptions to commercialized versions of what the fraud rings are using.

Yvette Bohanan: Fraud as a service. Yeah.

Nate Kharrl: Yeah, yeah. Exactly. Exactly. Those people are too inexperienced to not cover their tracks but also they are trying out the wildest stuff and whenever they get it right, this sauce that they find, they will use it to generally pull down somewhere between, I would say, like $10k to $30k a month, which can be a lot if you spread that out over these like consumer level things. So to answer your question directly, for these small guys, they pick stuff up instantly, right, but they’re generally like a little bit too inexperienced to avoid detection.

That kind of mid-tier, the rings, the rings are doing some wild stuff. We saw the rings starting to use gen AI against some of our customers as early as like early 2023. I think that was more a function of our customer footprint getting big than of them starting to use it. As our customer footprint started to expand, there was something that was like, Hey, we have fraudsters doing fraudster things manually. We have bots doing bot things. And we had this middle section that would, when they knew that they were detected, wildly change their methods every 15 minutes. Not little threshold changes, but just complete, just pivots.

Yvette Bohanan: Like a phase shift. Like we’re now going to just pivot and do something different.

Nate Kharrl: Yeah. And 10 years ago it would’ve been like, Hey, we’re getting caught. Let’s maybe slow down our requests. Let’s adjust our purchase prices. Let’s put different things in our cart and try little things. Now it is like, Hey this isn’t working through the login, let’s pivot quickly and try password resets. That’s not working through that place, let’s spread this out over like longer periods of time and mature these sessions on these and try to get positive, good customer rating before we dive in to do the bad stuff. Wild changes.

Yvette Bohanan: That is super interesting to me because a lot of the folks that I talk to who are clients, in our client base is everybody in the industry, you could be talking to bankers, you can be talking to merchants, e-commerce merchants or whatever. When we’re talking with them, they’re saying, We have invested so much in all of the things that we were told to invest in in the last say, five years, right? So the behavioral analysis and the you name it, voice detection and this, and that, and ID verification tools and all sorts of things, and it’s not working, right. And they’re like, What do we do now?

I think there’s a big hurdle to overcome, right? And so the fact that you’re observing these sort of mid-level fraud rings, if you will, engaging in these sort of fast moving tactics, I don’t know that anyone that we’re talking with on a regular basis, I guess, has really figured out how to pivot as fast as those rings can.

And that’s probably like, if you think of the normal distribution curve that everyone always looks at, right, you’ve got the state funded transnational crime over here, there’s a handful of them that’s typically, they’re cited in like five major countries that they’re doing this kind of stuff. You have the lone wolves on the long tail. And then you have these guys in the middle.

And that’s probably the vast majority of people we’re dealing with all the time on a daily basis. And they’re pivoting faster than the transnational. So when you’re trying to deal with this, this begs the question, how do you get ahead of this? Is this a pure tech race?

And now I’m going to bring back that other comment you made with the CISO has all of this stuff in their universe. The fraud ops, risk ops people have their universe. Is it a matter of figuring out the tech? Is it a matter of changing perspective or is it something else, or a combination? How do the good folks get ahead of all of this? Because if they can attack the middle of the curve, they’re getting some traction, but I don’t think people are feeling like they’re getting that traction.

Nate Kharrl: I think what you are describing is something that we’ve recognized at Spec as we’re doing the work and building our point of view and figuring out what works for the platforms that we’re protecting, is that the norms for this don’t really exist yet. If I was to give you a list of all the things that’s like, Hey, these are things that are really important while we’re doing this, they will feel a little bit scattershot, all over the place, because it’s not like a norm that has existed previously.

Right. So to put this in perspective, one of the things that we do almost immediately for our customers is we figure out where their application, their software, their websites, or APIs are leaking data that attackers can use. And with almost zero exceptions, we always walk into a new customer and they’re leaking data that an attacker can use to train their attack models in order to figure out what’s going on and get some like inside perspective.

But that crosses so many different thresholds between what does an application developer say? What does a fraud person say? And like, is there any reason why they should have any domain over what an application response is? Could they read an application response if someone gave them the raw output? That’s just not there.

There’s a piece of this where it’s like, I don’t want to doom and gloom like, we’re not ready. It’s just there is definitely, I would say, a lacking, we’re going to call it like a standard in the sense of, if there is a world where you are being scraped and reverse engineered by reasoning machines, you need to think differently about the whole discipline between fraud and application security.

And that’s kind of like the overall realm of a CISO in order to get there. And that I think is hard. It’s a problem that there’s no one clear owner inside of a business. Listen, I’ll be honest, it’s been helpful for us in some ways, in the sense of, we get to kind of drive as the catalyst, of we can put together a durable solution for this, but it’s so hard to do on your own.

Yvette Bohanan: Yeah. And I think that’s where organizations typically, if they have a compliance team, if they need to have a compliance team that’s focused on AML and that’s one side of the spectrum typically that’s dealing with AML for the most part. There’s probably some blur here, but the transnational crime is definitely AML, the focus of AML. We had the fraud, CISO, and then we had the lone actor kind of tail. And you have the CISO, the compliance and the fraud ops or risk ops folks kind of siloed and not speaking the same language even to understand what to do. And their systems are disparate and looking at different things and often competing for precious time on the site to do their analytics and stuff.

So when you say data is leaking and you’re identifying that when you walk in, because that’s probably the evidence that you’re giving someone, here’s why they’re reverse engineering you. I’ve heard you refer to bots, botnet, an agent here. Yeah. So I’m guessing there’s something at work with these bots with this data leak kind of situation sometimes.

But can we just for listeners, back up for a second when we’re talking about tactics. I want to know kind of how you find that there’s data leaks and what’s going on, but just to make that conversation here more clear. Can you define bot, botnet, and agent and use them correctly in a sentence?

Nate Kharrl: Yeah. So a bot is just software, right? So you can think of a bot almost like Microsoft Excel or Google Sheets. So you’re going to have a list of data and all the bot is like a piece of software that’s going to take that list of data and try to do something with it on your behalf on the internet.

And they’re usually like very, very pointed. So, here is a hidden connection point that actually powers the underlying login for a merchant or a marketplace, right? They’ll have a list of usernames and passwords. Maybe they pull from a breach site, they might have a list of IP addresses they want these requests to go out from, maybe like some device signatures that they want to attach to it. And then the bot is just a piece of software that’s going to chew through that list and then see what happens, right? And try to get to some sort of record of the outcome of attempting to do that thing.

So it’s relatively dumb software, but they can get really sophisticated in terms of what is in that list? How do we build those lists? How do we work with whatever feedback data comes from whatever gets sent out? And there are plugins that can extend those bots a bit further, but I think, let’s touch that a little bit later.

So, bots, software, right? Botnets are the hardware that bots run on. Think about like AWS or Azure except for these are built to look like real people. Botnets are generally built from people who have either like compromised firmware on like their router at home or, a lot of people, honestly, like a vast majority of the botnets that we deal with come from compromised devices where the owner of the device knowingly-ish self compromises.

So what I mean when I say that. You could very easily get YouTube without ads or Spotify without ads or a version of Tinder that is like premium, but without having to pay for it. But you’re going to have to download a kind of cracked version of the app that will give you these things for free.

And what you don’t know is that you’ve now given your device to a botnet. So while you think you’re streaming Netflix without an account, what’s also happening is your device is being used to try to break into people’s bank accounts with stolen information.

Yvette Bohanan: Like a technology mule. A great way to describe it. You brought it to life.

Nate Kharrl: Yeah. Agents are different. Agents are effectively also a piece of software, but this is software that has human-like reasoning and human-esque memory.

It will take a task that you can give it, and the task doesn’t have to be coded, the task can be just typed or spoken to an agent, and instead of what you do with a bot where you would fill out a big list of things, you would literally just say, Hey, these are the resources that I have. I’d like to get access to as many of these bank accounts as possible. Can you just figure a way in?

And using its own reasoning and its own memory for how its different attempts work together, it will start to work through different permutations of what’s working. And then when something starts to work, it will find the way to run that without tripping off any alarms, through a little bit of guess and check.

Scary things about agents are the same scary things about bots. They share memory with each other. So if something works for one agent, then it kind of works for the rest of them. This is especially scary right now, like it was, I think, largely constrained to these mid-market fraud rings.

There are a lot more happening now, down in the lone wolf area of the world where they’re downloading tools that will let them spin up a couple dozen agents. You can run 50 agents on most desktop machines. And they just simulate real users browsing your sites, looking really natural and normal, on their way into fulfilling their task.

Agents are interesting in the sense of like, you can think of an agent, instead of it just being the bot, it is the bot and also an expert operator to run that thing.

Yvette Bohanan: Very intelligent versions. And are these agents being sold to lone wolves? Is it like fraud as a service has gone to the next level and become AI enabled? Is that the right way to think about that?

Nate Kharrl: Yes. They’re largely being sold as bots. If you can think about the lone wolves out there, they are generally not technical. A lot of them don’t speak English as a first language or Russian as a first language, depending on who that’s being sold by. They are largely being positioned as like, Hey, these are advanced bots. These are bots with plugins, these are bots with gen AI. And there’s that layer on top of it. But yes, these are largely being sold to those groups.

There’s a little bit of an economy that rolls into it where a lot of these lone wolves, they come in on something that doesn’t feel very crimey. Hey, if you want to scalp tickets or sneaker drops or limited release Pokemon cards, here’s a way to do this. Don’t worry, you’re paying for this with real money. You’re just going to instantly flip this for more money. So this advantage isn’t really breaking the law. And that is interesting to see, all of the feeders that go from that into money laundering and more serious forms of fraud.

Yvette Bohanan: Yeah. Yeah. Well, this is the slippery slope. Actually, we had David Maimon on last year, he’s wonderful to speak with. And he was talking about sort of the psychology of how they’re hooking kids into organized crime and rings, right? And it starts with things that feel innocuous, will feel really good, and they normalize that behavior. And then they just build on it. And I think that’s kind of what you’re referring to here.

Nate Kharrl: Totally. How cool is it to be a 16-year-old who shows up to school with sneakers that nobody else can get. Oh, and by the way, it cost you nothing because you bought multiple pairs and then sold the other ones for a profit. Right. You feel like the coolest person.

Yvette Bohanan: You feel like you’ve just figured out the key to success, right? Yeah, and that’s where we really start to run into some serious issues. So, bots use botnets as technical platforms and agents are intelligent memory enabled bots.

Nate Kharrl: Yeah, bots are just software. Botnets are just the hardware the software runs on and agents are just bots that are sophisticated enough to act like humans.

Yvette Bohanan: Do the agents need the botnets, sort of the technical mules, or are they running on like their own, you said desktop. Do they require less horsepower or are they more centrally managed than traditional bots?

Nate Kharrl: Yep. So generally for the bots themselves, the core logic will be on a fraudster’s local machine, right? All the instructions of what needs to happen, happen, and then that gets packaged up and then distributed out to machines on the botnet to run.

Same is true for agents. I will say that like agents are, I don’t want to say that they’re more, a bot operator might be taking 20,000 login events and trying to jam them in in an hour or, if they’re sophisticated, they might be trying to spread those out over a period of time. An agent operator will have, we’ll say anywhere between, I don’t know, 10 to 50 agents that are sometimes just lollygagging on a site, just trying to look human.

It’s a little bit more of a slow burn. If you can use the store analogy, it’d almost be like, someone sitting outside in a van and they’ve got a bunch of secret shoppers inside who are just like shoplifting on their behalf slowly through on their way out.

Yvette Bohanan: Interesting. So how prevalent are agents then these days?

Nate Kharrl: We are seeing it start to tick up. We see a double digit growth about every quarter. Right now it is about, half of a percent of our customers, which half percent sounds small, but that’s one out of every 200 visitors that we see to our sites, they are agentic. What’s interesting about that is they’re not all bad. Most of them are, but they’re not all bad. We actually do see for our marketplace customers, and some of our ticketers, they have power users, brokers, like people who basically interact with the site for a living, who have leveraged agents to help make that happen.

Yvette Bohanan: So you go into someone and you say, We know that you’re leaking data that’s enabling people to basically take advantage of your site or your app.

Nate Kharrl: If you’re talking about Spec’s go to market, absolutely not. Absolutely not. Because no one understands that language, right? What they know is that, like I’m spending a bunch of money on bot defense and I’m spending a bunch of money on fraud defense, and I’m still losing millions of dollars. That’s about as sophisticated as the market is right now, which is fine.

Yvette Bohanan: Okay. Okay. So you’re kind of going into people who are trying to figure this out. How do you collect the information to show them that they have leaky pipes?

Nate Kharrl: For Spec, just where we are, it really just goes into letting them use the platform. The best way to start with it. We don’t have a strong analog to anything that came before us that acts like us, which makes it a little bit harder to imagine it. So it’s always just better for us to show.

That said, one of the things that I think is the most interesting or compelling is that we’re always walking into a place where they have maybe, let’s say, Auth0 or maybe something homegrown and on the login side, right, for customer identity. They’ll have a payments platform that they’re really, really deep into, maybe it’s the Certify, Stripe, Braintree, whatever, right, on the payment side.

And they see nothing in between. Right? There’s a lot of data, a lot of things happen in between, but they see nothing in between. And that’s usually the first place that we start is like, Hey, you would probably feel differently about this login on Auth0 if you knew that beforehand, they were testing attacks against your login page, they were switching on incognito mode, they were turning on a VPN, they completely skipped normal parts of the browsing experience, or if they failed a honeypot, there’s lots of different things. You would make radically different decisions about who you allow to get access to an account and who you allow to make a payment if you solve those gaps between, and that’s generally where we start.

Yvette Bohanan: It’s always that gap, that white space, that chasm, in the visibility that they just take advantage of.

Nate Kharrl: And it’s cool that we can show like the difference of like, Hey, we know what your current thing sees, and we know what we see that’s in between. It’s 93% of the customer journey is invisible to your fraud and identity tools, right?

That’s like the big zinger for us in the sense, I think, marketing says something like 14 times more data, which I think is just that ratio inverse. It’s an enormous amount of the customer journey that we’re typically like fraud and bot tools are blind to.

Yvette Bohanan: Right. You mentioned honeypots. Are people still using honeypots?

Nate Kharrl: We use honeypots differently.

Yvette Bohanan: But let’s back up the bus. For people that don’t know what a honeypot is, because a lot of people don’t come on and talk about that, I probably should have people talking about this. But it used to be, it was hard. Really super expensive to set up a honeypot, and so it kind of fell out of favor for a while.

And it’s basically a site that you are setting up that looks like a legitimate version of your company, but it’s not. It’s designed to capture or track fraudulent behavior so that you know how people are getting in so you can change your actual site to prevent stuff from happening, but the speed with which you’re talking about agents, adapting, are people still using honeypots and is it because they’re less expensive or do you change the technique or is it a different version or?

Nate Kharrl: Your observation that no one really uses honeypots because they’re expensive is spot on. We do something very different at Spec that’s very Spec specific. So one of the things that is kind of core to whatever framework should be invented around how to defend against an increasingly agentic web, is that blocks are a really bad idea. Like, blocks and declines are effectively a way of telling an attacker that they got the wrong answer, right? And that they can take the test an infinite number of times.

One of the things that we developed, was like, Hey, instead of a straight up block or decline, can we mislead them so they don’t know what we saw that we thought was suspicious when we made the decision? And then when that enforcement happens, can we, instead of giving them like a flat block or decline, can we give them a false confirmation page? Can we give them a trap response? Can we push them a misleading error that will kind of tip the hand of like, Hey, this is definitely not a human, this is an agent because they’re responding to things that humans wouldn’t respond this way. And then on the other end, also just prevent them from learning.

And it’s been fun to watch on the attacker side because we’ll be in some of the groups that as they’re spinning up attacks and they’re like, We must be crushing ’em, their site’s down. We’re getting these weird errors. And they just kind of peace out not knowing that the site is up and happy and zippy for everyone that’s not them.

Yvette Bohanan: Oh, wow. So this is like spy versus spy. This is agent versus agent. And is that really the state of play that we’re at? Like, if you’re not doing something agentic and clever and you’re kind of relying on, what I’d call basic block and tackle fraud, manage risk ops. Most of the systems out there today though are still doing that, right? Because it feels like the right thing to do and they don’t recognize the agentic nature of things and how gen AI has just totally transformed things so that we’ve had this sort of leap froggy phase shift going on and for whatever reason, the thought process is still three, four years old, the systems out there. And there’s nothing wrong with blocking at some point, I would say, but it’s no longer sufficient.

Nate Kharrl: Yeah, I think that what that turns into is a, how often do you want to respond to firefighting? And I think that’s been the most stark thing about what we’ve seen is that, if you get the mitigation pieces right, because there’s three pieces. There’s data collection, there is decisioning and there’s mitigation, right? If you get the mitigation part of it right, your detection and your collection, your detection, like that decision part of it, it’s actually more durable because it takes them longer to figure out that they’ve been caught or how they’ve been caught to try to find their new way through. So I would say at this point it’s a very big change, it’s a really beneficial change, but I don’t think it’s necessary at this point.

You would almost conceptualize this as, if you can imagine a graph and there’s two overlapping curves, and one of them is like, what’s the state of adoption by attackers for agentic defense. The other is, how normal or what’s the level of adoption for agentic defense against agentic attacks.

Right now, I think both of those two things are low, right? I think we’re going to hit a period where adoption will continue to grow on the pace that it is, and the adoption on the defense side will lag. We’re going to get into a pain point in that place. There will be a lot more rewards for early adopters on the defense side, right? But as adoption on the defense side goes up, eventually it will stop becoming a reward for early adopters and it’ll start becoming a punishment for laggards. I’m doing my best kind of Gartner impression, but that’s largely how this feels where this is going.

Yvette Bohanan: That’s pretty good. That’s pretty good. Yeah. I think that’s spot on. It’s the same curve you see over and over again played out, right? So sitting here today, I want to kind of end on a positive note because this is not, this is never an easy topic to get through, and it’s been a wonderful conversation.

But if people are listening and they’re under attack and they are starting to see this sort of wear and tear on their current processes, policies, tech that they’re employing, what are the 1, 2, 3 things they can do to start to help themselves?

Nate Kharrl: I think first and foremost on this is that everyone is in this together. Everyone is in the same kind of suck right now. So if you have a stack that you spent a bunch of money on, you spent a bunch of time implementing, it is like years and years of project to get you where you are and it just kind of feels the slide, everyone is feeling that. So step one, don’t feel alone. If you need to talk to your leadership or management about what the state of play is here, I think it is less about what an individual practitioner or a group is doing and more about like, Hey, there’s a sea change coming. Everyone’s working on figuring that out, right? Step one, get the communication right.

Yeah. I think the second step to get into this is really a, this is going to be a problem solved with data. And it is a problem that moves so fast that it’s really challenging for a fraud operations team to keep up unless you are running a kind of business where order fulfillment is slower or maybe customer expectations around their time to access value. They’re okay with more friction, they’re okay with more delay, they’re okay with those things.

That’s a little bit of, look at your business. If your business is peer-to-peer, instant money transfer, or tickets, or drop sales, that’s probably not an option for you. But if you’re talking more kind of structured retail banking or if we’re talking about physical goods where you can have a decent amount of lead time before you actually need to ship something out, you may be able to solve this with people expensively for a time. Which of these businesses are we? And if you need to slow down, is slowing down an option, right?

I think the third piece of this, this is kind of the hardest, but you need to find a product or a, usually it’s product, but a product or a data champion internally. The same thing is true for organizations as it is for people. None of us is as smart as all of us. Your identity team and your payments team and your security team and your onboarding team, who are handling that piece of it. They all know a piece of the puzzle.

And the sooner that you can find someone who will help bring all of that together, so you’re pulling out of that same, larger repository, the better. It’s a little hard. That job’s not for the faint of heart. Those four teams that I just mentioned, and there’s probably three more, all speak slightly different languages. They’re going to have to have a really strong Rosetta Stone to hack through that. But that is, I think, the first movement to make, when it comes into being ready for that.

Yvette Bohanan: Great advice from someone who’s living the dream. Nate, it’s been an absolute pleasure talking with you on this episode. Thank you so much for spending time with us and sharing your insights. They’re super interesting and I just love all of the ways you can explain this in kitchen English, as we say. Thank you.

Nate Kharrl: It has been wonderful being here. Thank you so much.

Yvette Bohanan: And to all of you listening, thanks for joining us and until next time, keep up the good work. Bye for now.
