mnemonic security podcast

Financial Cyber Crime

November 09, 2020 mnemonic
mnemonic security podcast
Financial Cyber Crime
Chapters
mnemonic security podcast
Financial Cyber Crime
Nov 09, 2020
mnemonic

For this episode, we’re happy to have Sebastian Takle from the DNB Financial Cyber Crime Center (FC3) with us to share how one of the largest banks in the Nordics works with Threat Intelligence. Sebastian is Subject Lead for Threat Intelligence at FC3, and in his conversation with Robby he explains their threat actor centric approach to TI.

We also get to hear what threat actors they are observing and are most concerned about, and the importance of identifying who.

Technical level: 1/5

Host: Robby Peralta

Producer: Paul Jæger

https://www.mnemonic.no/podcast 

Show Notes Transcript

For this episode, we’re happy to have Sebastian Takle from the DNB Financial Cyber Crime Center (FC3) with us to share how one of the largest banks in the Nordics works with Threat Intelligence. Sebastian is Subject Lead for Threat Intelligence at FC3, and in his conversation with Robby he explains their threat actor centric approach to TI.

We also get to hear what threat actors they are observing and are most concerned about, and the importance of identifying who.

Technical level: 1/5

Host: Robby Peralta

Producer: Paul Jæger

https://www.mnemonic.no/podcast 

mnemonic:

From our headquarters in Oslo, Norway, and on behalf of our host Robby Peralta - welcome to the mnemonic security podcast.

Robby Peralta:

Think of the word mafia or cartel, what sort of picture comes to mind? I think of a hacker, try to imagine those two groups in the same team. Working with a common goal kind of makes you want to change a password, right? And 2021 cybercrime is expected to cost the world $6 trillion a year, making it more profitable than the global illegal drug trade. Now, I won't echo the fact that we are no longer dealing with script kiddies in their hoodies. But as this episode's guest will confirm, we are now up against a very organized type of crime. Sebastian Takle. Welcome to the podcast.

Sebastian Takle:

Thank you very much. Thanks for having me.

Robby Peralta:

Or should I say Vloggcast? We're having identity crisis with this podcast of ours. But you're at least the pilot of the identity crisis today. So it's only downhill from here.

Sebastian Takle:

It's always good to be the test subject.

Robby Peralta:

So Sebastian, tell us about yourself.

Sebastian Takle:

So I work at what is called the DNB financial cybercrime center. So the DNB is one of the largest banks in the Nordics and their financial cybercrime center, our FC3 as we call it is basically for all intents and purposes, their counter fraud unit. So DNB is present in something like 19 countries. And we have the global responsibility for the counter fraud work working everything from sort of awareness training and prevention and all the way to you know, monitoring transactions, stopping them and and communicating with with customers. So we have the sort of full spectrum of counter fraud work. Awesome. So yeah, within that, within that sort of dynamic, my role is I'm subject lead for threat intelligence. So basically, what I do is I identify, map, what is usually organized criminal groups, I'll probably talk more about that later, but identify and map organized criminal groups, and then I sort of assess To what degree they pose a threat to either DNB as a group or our customers.

Robby Peralta:

Awesome. That sounds so cool, it's so cool to

Sebastian Takle:

Yeah I have a very exciting job, or at least have you here I'm fortunate enough to think so myself.

Robby Peralta:

So tell us a little bit more at this financial crime center, how many people are in there.

Sebastian Takle:

So we're about 13 people at the moment, and it's a very sort of interdisciplinary group. So you've got everything from obviously, we have a lot of highly technical people, doing things like writing our own rules, and the systems and transaction monitoring and stopping transactions and automating whatever can be automated. So there's an awful lot going on, on the technical side. And then on the absolute opposite side of that, you'll find me with approximately zero technical skills, but hopefully a different skill set I can bring to the team. So I think that's one of our strengths is, is being able to, to value different aspects, you know, not everyone needs to be the technical guy or girl we can, we can have different strengths. So that's sort of the role there. And my job sort of becomes to, to feed FC3 with with was basically intelligence. I suppose I should take a little step back at some point and make it clear that actually, obviously finds a lot of its intelligence, and, you know, they find it themselves. They're extremely competent people who, who know what they're doing, and, and, you know, an awful lot of the information we gather, and the information we gather about threat actors and how they work and what they're doing and who they're targeting. This is coming directly out of FC3 with no interference from me, obviously, it's, they're more than capable enough to do that themselves. But my job sort of becomes to tie it all together and have the slightly larger picture on not necessarily just what's happening now. But what will happen in the future? Awesome.

Robby Peralta:

Maybe a stupid question. But why does the bank need a financial crime center?

Sebastian Takle:

Well, it's actually a very good question. I think it's important that I make a little distinction here that you know, where our where the sort of counter fraud unit and that means that we don't handle the anti money laundering work, you know, there are lots of people in in a large financial institution like DNB who handle AML work as it's known, and you know, an awful lot of resources very, very competent people. That's not what we do. So we sort of handle what I call the sort of primary crime where where someone is defrauded in the sort of first instance. So if you were to defraud me that's where hopefully a cybercrime center would come in and and and stop that. If you were successful in defrauding the end decided to launder the money. That's when a sort of anti money laundering team would hopefully pick up on it. So So therefore, we're we're quite early in when we're looking at what's going on and we're able to prevent a lot of transactions from going as opposed to just being being reactive to what's happened. Cool.

Robby Peralta:

What do you really have to react most to? You mentioned fraud.

Sebastian Takle:

Yeah. There are several things going on in that landscape. But once we I mean, we, we spend an awful lot of time looking at sort of private customers, you and me at home in the evening. And then there's a lot of things like love scams, investment fraud, you know, that type of that type of thing going on, obviously, as looking at the tools, there's not a lot of phishing emails going around, and things like this, that people have to be aware of. And then on the business side of things, I think, you know, the one thing we always need to mention is the business email compromised aspect where, where they can be, you know, companies can really lose a lot of money. I mean, there are, there are hundreds of millions at stake in those, those frauds. So that's sort of the two main aspects the company side and, and the sort of private customer side of things. And they're both equally important. And they're both equally, they sort of take you out as much of both things take about as much of our time, to be honest, some things are obviously easier to detect than others, but, but that's just always gonna be the case. And then obviously, we handle fraud against DNB as well, you know, so that'll be things like loan fraud and carry credit card fraud and things like that not all of those things necessarily fall within our scope, but quite a few of them, quite a few of them, we'll deal with. Yeah, that's, that's it. And to make it more complicated, in addition to, to being sort of, I sort of wear two hats in, in this organization. So on the one side, my primary role is to feed the financial cybercrime center with with actionable intelligence. But then on the other side of things, I sit in what's known as DNBs threat intelligence group, or TIG which looks at the threat, the full threat picture facing the end. So they will handle everything from, you know, the threat of, you know, what's the threat of terrorism, you know, physical robberies, things like that. And then in another corner, you have the whole sort of cyber defense aspect where things get very technical, and if you guys know, an awful lot of stuff. And then in the third corner, you have me with the sort of financial crime aspect. So I think, tickets, again, one of the DNBs strengths, when it comes to threat intelligence, we have a few sort of regular products we push out, then we have our annual threat assessment, which for the first time this year, we published publicly, so you know, anyone can have a look at that, if you want to get a feel for, for how we work, and what we do, then we obviously do quarterly threat assessments that are internal, we do assessments on, you know, incidents or things that sort of crop up internally, so, but being able to have that those several different disciplines, being able to attack subject is surprisingly valuable, even within subjects that are really, you know, you look at financial crime that I and you'd think that a lot of it was pure financial crime. But even if you go to the purist of financial crime aspects, you know, those responsible for physical security, those responsible for the terrorism assessments, and those who are sitting in our sock will have valuable input, both to how to attack it to begin with, but also on sort of very sort of concrete sort of, have you thought of this detection wise things.

Robby Peralta:

So, I brought you in today to talk about threat intelligence, but I'm gonna be all over the place because everything is so cool to me So the subject lead for threat intelligence, what do you do when you go to work?

Sebastian Takle:

So I spend a lot of time looking at the threat actors who's attacking us and and, and and how I think that threat intelligence, if you look at the way it's been done for a long time, it's it's at a large focus on the How are people attacking you to be able to sort of counter that a bit sort of efficiently, but I spend a lot of time on, on on who is responsible, I find it surprising that we're no more interested in who you know, someone's trying to steal a billion dollars from you, you know, the first thing I ask is who the first thing I should ask is how but the first thing I ask is who so it's a very sort of very sort of response from my side that I want to know who's behind this and not just how they're doing it. So for me, that's, that's important, because that lets me assess the threat and that's basically my job right? I need to be able to assess who's posing what threat to us within the sort of financial crime sphere at any given time. So I look it was hitting our customers at the moment globally, what's going on? Are there any effects of things like COVID-19, and things like that, that are that are hitting, and then I'll look at Okay, we'll track the threat that is are involved there, and what threats do they pose to DNB and what threat they pose to DNBs customers, then I spend a lot of time on awareness. I think that awareness work is one of the most important things you can spend your time on. There are several reasons for that but if you I mean if you ask the police if money in financial crime go disappears abroad, what are the chances of getting them back they're slim to none right? That's that's the reality are the lots of examples of people getting their money back Yeah, you know, of course there are but but You know, if you look at it as a whole, the chances of getting your money back are very, very slim. So the trick here has to be to prevent money from leaving the country, there are several ways you can do that. I mean, you have like FC three will monitor transactions will stop transactions as we think they're suspicious, and we'll, we'll investigate them. But awareness work is very, very valuable, because it allows us to sort of contact the people who with we think you're going to be the victims of these frauds, whether it's companies or individuals, and really make them aware of what's going on. And I think that the problem you have with awareness work is that it can be very, very boring, right? Because the sad truth is that when you look at what things pose the biggest threat to you and me privately, for example, those things aren't particularly, they're not particularly exciting. You know, it's things like phishing emails is sort of the thing you need to be aware of right? You get hundreds of them every month, most of them get automatically deleted. This is sort of where the threat is. So in order to make sure that people are aware of the threat, I think that you and many people will disagree with me, but I think that you need to sort of give them some, some hooks to sort of hang information on. So instead of just saying, you know, this is the this is phishing campaign number 752. This month, you know, I like to say that, you know, we're being attacked again, by the same group that attacked us last month, you know, at that point, we think they were working from abroad, but we suspect they have people on the ground in Norway handling this aspect of their operations, right. So months ago, when we were looking at that we set a task force down, and we looked at it. And I think we need to do that again. And I think this both makes it more exciting, which means people will actually pay attention, because you need to remember that there's no point in writing anything, or talking to someone if they're not going to read what you've written, or listen when you talk, right. So on one point or another, you need to catch their attention. And this threat, actor centric focus will help you do that. And it'll also help you give them some sort of categories to put these threats into. And at the same time, that's just one sort of facet of awareness work, it's the most common one and the most boring one. But I think that most of us sort of recognize the the issue of internal awareness work where you need to make your own organization aware of what's going on. That's not a problem, because your own organization is incompetent, it's a problem because people have their own jobs, right. And that, surprisingly enough, everyone doesn't keep an hour free on Mondays in case of nastiness, something to tell them so. So when I sort of step into a room and say, I need your attention now, you sort of need to make it clear why they need to prioritize you, in this case, intelligence really helps us do that. And the same goes for when you're working with external parties, for example, the police, I work a lot with the police, I think the police do a brilliant job with with the resources they have. But there's no doubt that the more I can show connections between cases, the more I can give indications of when you have direct access on the ground, and Norway, and when we think they're purely abroad, the more I can show that you're not just talking about, you know, even if each fraud case is just $1,000, you know, I can still, you know, if I'm able to show that this is still a million dollar case, and then it sort of helps the police prioritize, at least to some extent, so. So you've got awareness, both with customers, you've got awareness internally, and you've got awareness with with the people you're working with. And I think that's definitely takes a lot of my a lot of my time. Hmm, we're not bored at work. I'm not bored at work. And I'm glad

Robby Peralta:

you're there at work that makes me feel safe as a DNB customer. But can you tell me anything more about these threat actors?

Sebastian Takle:

Not necessarily. No, I mean, if you look at DMV strat intelligence group as a whole, we have our own sort of threat actor pyramid. And that's not exactly black magic. I mean, that's going to be very familiar to you, although we've sort of internalized it and made it our own. So you know, at the top of the pyramid, like everyone else will have nation states, right. Within financial crime, there are definitely things we could talk about when it comes to nation states, but I don't think I'm going to spend all my time on that today. I think, you know, nation states, a lot of the time when it comes to financial crime, they, there are other people who will take your time talking about that. And then at the bottom of the pyramid, you'll have individuals, right, or groups of friends that work together, but they're not sort of, they're not closely knit or professional enough for me to sort of call them organized criminals. This organized criminals perhaps, and you know, things like companies or heads of companies trying to make a profit rather themselves or the company or things like that. So, and that area is an area where I think that if, if you'd ask people 1015 years ago, that's where the fraud problem would be individuals and groups of individuals getting into trouble. And that's simply you know, not the case. at all, so the middle of the pyramid for us is divided into two. And then we have, both of the categories are organized crime, basically. So we have less advanced and more advanced organized crime groups in the middle there. And they they dominate the attacks both against the MBA when it comes to financial crime and against and against our customers. So an example of, you know, the less advanced organized criminal groups, they will typically, you know, their intelligence is useless most of the time, which means that their attacks are fairly untargeted. The language can often be quite rough, not really technically up to it, if they're, if they're using any technical tools at all, they're not the best. And because of the the language issues and things like that, even things like social manipulation will often you know, not be quite on par. But they still make a fortune, right, because they've still, you know, they use the oldest trick of sales, which is volume. So the point is, they'll send out 50,000, phishing attempts, knowing that even if the language is bad, and the technical thing isn't up to speed, someone's still going to push that link, they'll get a few guests still gonna get a few, right, so there's still money to be made. And and we, you know, you must understand these groups on a lot of money, there is a lot of money floating around the less advanced organized criminal groups, and there are an awful lot of them. And then you have the the more advanced organized criminal groups, which are in many cases, not that different from nation states. And, you know, also when you're talking severity, in some cases, they're not that different. They, you know, they they're well financed, they have good time, they have amazing technical skills. And I think, you know, one of the most important things is it is that they're not in it for the profit today. They're in it for the promo, hi, yeah. So this is the long gone gone really, really big. And, and the distinction therefore, between advanced organized crime, nation states, or when nation states are using advanced organized criminal groups that can get quite blurry rather fast. So but you know, you could probably have a separate thing on that at some point. So that's sort of the the two main organized crime groups, I usually if I'm going to give some examples, I'll say that a lot of the West African groups, they fall into the less advanced organized criminal groups. That's not to say that there aren't advanced West African organized criminal groups, there are a lot of them highly competent, especially when it comes to social manipulation. But also on the technical side, there are some serious groups to watch out for there. But still, the majority will fall into the into the slightly less advanced category. And on the flip side, there you have the the reality groups, for example, who are extremely competent, work on a on a huge time frame, they have a good infrastructure to work off. And if you look at the biggest fraud cases in Norway over the past five or 10 years, you'll find involvement of Israeli crime in in a lot, if not all of them. So it's, this is sort of an aspect where you're gonna, there are a lot of different threat actors. And these are just some sort of examples of groups. But that's, that's probably a an important thing for me to sort of emphasize is that, you know, I said we had a very sort of threat, actor centric view when it came to when it came to threat intelligence on financial crime. And that's right, I think one of the first jobs I was given when I said we, I said to my boss, you know, we should work on this. And he agreed, and he said, but then I want you to find out who's behind investment fraud, because at that point, investment fraud sort of exploded in 2017, it had been going on for years, no one knew police didn't know financial institutions didn't know it was it was a mystery how this could be going on for so long without anyone sort of identifying. And his first sort of thing to me was, you know, I needed to find out who's involved in this. And by that he didn't mean you know, what individual is responsible, because it's important that you know, the limits of what you can do yourself. And very often, although it would be great to get down to an individual level, realistic, we're not going to do that, because it's got something to do with where in the chain we're positioned, and you know, what kind of views we have from there and out. But down to an organizational level, where are they based? How many are they? How long have they been doing this are professional larvae. And this is important, this is important for assessment purposes, because this will tell you to what extent you need to prioritize and it also tell you how hopeful you can be of your countermeasures, not just handling things for a while but but working over time.

Robby Peralta:

And if you're allowed to tell me, how do you even go about figuring this stuff out?

Sebastian Takle:

it you know, so it's, it's That's a lot of cooperation, as I thought, you know, you can break this down into several different aspects. The one thing is obviously, that I get a lot of information from FC three, right where I'm sitting, there's an awful lot of data going through our systems. And you can sort of extract quite a lot of useful information from that, then there's an awful lot of open source information out there, that the useful and a lot of my time is used, reading Open Source Intelligence and sort of working out how is this relevant to me? And where can we sort of find connections between what other people are seeing and, and what what what's hitting us. And then after that, it's all down to cooperation, right? So I mean, we work closely with all other more or less all other financial institutions in the Nordics. We'll good working relationship on the security side with them. And they're obviously private security companies that have input when, when that's appropriate, and they they know what they're doing. And then we work closely with the police, all branches of the police. To the extent it's possible, trying to help the police understand what to prioritize, and what kind of information we have that we can share with them, there is a limit to what information we can share with the police without a court order. But when talking about general trends and things like that we can talk rather freely. So obviously a good cooperation with the police is essential, or branches of them. And then whether you're talking financial institutions or police or private security companies, you're obviously talking both domestic and and abroad. So we have good connections with law enforcement abroad as well, and, and also other financial institutions. And it's sort of the combined efforts of all of that will, surprisingly enough to give you more information, I think, yeah, the you know, information is out there in 2020. The problem usually isn't, isn't finding information. It's, it's understanding how credible it is. And it's finding out where it's hidden in a in a large heap of information. So that's, that's usually our issue. Absolutely, yeah. So I think I'm just gonna take a quick step back, if I if I can just take a quick step back from there, I think that it's important to understand that when you're looking at these threat actors, they're not just involved in one type of thing. That would make our life very easy, wouldn't it if if Group A did ransomware, and that's sort of what they did. And they stuck to that, and they didn't tell anyone else what they were doing or how they were doing it, that will make our life very easy. And the reality is just that's not what's going on at all. So firstly, we know that within the sort of financial crimes fair, a group that's involved in one type of financial crime, for example, love scams or investment fraud or something, they will also be involved in other types of financial crime. And at the very least, they will obviously also be involved in money laundering, right? So because at some point, they need to be able to use these, these profits they've made so. So that's sort of the first aspect that when you find one type of financial crime, or I don't know if cyber crime is correct, or internet enabled crime or something like that, that I think maybe Europol calls it but but wherever you are, in that sphere, people are going to be involved in more than one thing. And then of course, the interesting aspect for me taking a step back from that, again, is that, you know, we're talking primarily about organized criminal groups. Okay, so organized crime, do they stick to one thing is that is that their sort of modus operandi? Do they have a silo? And you know, okay, so we're an organized criminal group. And, you know, we do human trafficking, that's, that's where we, we work? Well, we work financial grind? And the answer is no, that's not how that works at all, either, you know, organized criminal groups, they try to make the most profit and in the shortest amount of time, getting caught. Yeah. And therefore, they'll be involved in several different things. So you look at the groups involved in financial crime, they're also going to be involved in, you know, possibly narcotics weapons. Human trafficking is huge at the moment, you're hard pressed, you know, there are lots of groups involved in that. And then you have the terror financing or actual terror activities, you know, as well, that will happen, you know, again, mostly indirectly, but still there. So you end up with a situation where groups aren't just involved in one thing that there'll be involved in a host of different criminal activities. And they'll also have connections to other organized criminal groups that again, will be involved in other things. So if you follow the money through this, you're gonna find connections to a lot more things than fraud, which people might not think are so it might not be the most serious of crimes to most people. And I would Completely agree with that, you know that that's not necessarily the most, the place that is natural to focus on. So, but I but I think that, you know, we have a tendency to, you know, if FC three is going to work as efficiently as possible, we need to sit together in a team that works with the same thing. And we need to communicate only in a small group, right. And, you know, that's a cool way of saying we need to build a silo with with FC three. And it's right when you leave us alone to do our work. And most people have to work as efficiently as possible in 2020, there's not enough money to do sort of throw it around. And therefore, that's where you get, you get small groups of people working very tightly with and communicating entirely in their group. And I don't think that's necessarily a purely bad thing. That's, that's how it has to be. But the problem with these silos is that the criminals don't care about them at all right? It makes no difference to them. Like we've already said, they're just going to try to maximize their profits in the shortest amount of time, you know, how do we get to go with as much cash as possible, that's what they get. And the reality is that even in things that will be primarily financial crime, for example, they're still gonna pass through often things that have to do with physical security, or they're gonna pass you things that have to do with digital defense, right, and cyber defense, and therefore communication outside of your group, through for example, our threat intelligence group becomes so important, because despite us having to sort of constrain ourselves to these silos, the criminals, absolutely no intention of doing that at all.

Robby Peralta:

Yeah, they love it when you guys don't talk together.

Sebastian Takle:

Yeah, that's, that's without a doubt where their profit possibility lies. And, and I think that that's one of the biggest things criminals have understood is that if you just cross a few borders, while committing crime, then you're you're fairly safe, right? Because it's so difficult for police to, to communicate, so resource intensive for them to communicate cross border, that if you cross enough borders with a small enough amount of cash each time, then you're going to be fairly, fairly safe, because we don't talk together. Yeah, so that's, there are no, we're not gonna tell you that? No. Yeah, no, there are several ways they do that they have some quiet, they have some quite extensive money laundering operations run, frankly, quite impressive. I mean, you, you do have to take your hat off to some of these, some of these groups once in a while, when you look at the level of sophistication that they they actually managed to put into some of their scams, you know, and that can be anything from I mean, we've seen a lot of money go to Hong Kong and China, we've seen and, you know, we question sort of, okay, but how do you, how do you get your money? You know, okay, you send it there, and it might be a fairly locked system, but how do you get it out again, and there, there have been examples of, you know, Chinese organized crime, sending people, you know, keeping the money, but sending people abroad to build, you know, skyscrapers and hotels and things like that for the for the criminals abroad. So you never have to actually move the money out again, they end up with property where they're sitting and the organized criminal groups in in China will keep them. Right. And the person who really loses out is the the person who lost the money in the first place. Yeah. And the the poor people sent by organized crime abroad to build these buildings and hotels and what have you, because obviously, they're, they're not paid a lot to do this. their their their families are back home. And, yeah, so it's sort of an so there are a lot, there are a lot of a lot of ways organized crime, will, will will launder money. We've seen everything from that we've seen the during the COVID-19 crisis, some old narcotics money laundering channels were opened up again to handle cyber enabled crime or fraud and things like that, because some of their usual channels for money laundering went down due to COVID-19. And you know, then they're like, Okay, what do we do now? Well, you know, we've used these channels for money laundering, when it comes to narcotics for years, why don't we just pick up that trail and start funneling fraudulent funds through there instead. So they're very good at finding ways to launder money, whether it be whether it be by exchanging cash for something else, preventing funds being moved, like in the case where you build buildings, or using old narcotics routes to too long the funds, the exam, examples of huge amounts of money being taken out in cash and moved by containers. There are you know, there are there are a lot of A lot of ways to skin that cat so to speak. But the reality is that they adapt them all the time. And they find new ways of avoiding detection at any point. And that's one of the most important things when you're assessing a threat actor, right is, and one of the most important things that struck me when I started working with this was a you spend an awful lot of time and asking how they attack you. And that'll tell you how to implement some countermeasures. And that's great. But what I was interested in was okay, but what are these people gonna pose a threat to us in two months? And in two years, and in five years, you know, what's the chances of that happening? And, you know, if I implement countermeasures, now, is that sort of going to throw them off? Or are they going to spend 48 hours on working out how to get around those countermeasures? If we work with the police, and they arrest for people in Norway? It doesn't mean their operations are shut down? Or or does that make absolutely no difference to this group at all? And, and things like that, an important part of the the assessments we make, and the reality is that in a lot of cases, you see the you're talking about very large, very capable organized criminal groups, international, transnational, organized criminal groups, where it takes a lot to cut them off completely. So it becomes more about stopping and where you can, and then a slight cat and mouse thing from there now. Yeah,

Robby Peralta:

and I would assume it's kind of like the movies, right? When you catch somebody, when you actually get somebody red handed, they're kind of on the lower end of the scale, you don't get the the big bosses don't involve themselves?

Sebastian Takle:

they're very good at at distancing themselves. And I think that's more or less exclusively the case, we're saying there, it's extremely rare that you'll you'll walk in and catch someone on the on the high end. And I think that has to do with how early in the process they distance themselves from, from what's going on. So realistically, they're going to distance themselves from this extremely early on a long time before anything illegal, happens. And they're not going to be involved with the money again, until it's completely clean, and not only clean, but it won't even be in the form of cash anymore, it will be in the form of shares in a company that's, you know, legal and making a profit. And that's sort of where they come in again. So I think it's extremely difficult to to get some of these, these people and therefore, like I said, again, the work preventing them getting the funds in the first place is where a lot of this can be done. At the same time, you know, I don't want to sound to sort of defeat this there. I think it's important that international law enforcement works together with, for example, financial institutions to try to get hold of these, these organized criminal groups. And there's no doubt that the combined efforts of law enforcement, financial institutions and other third parties, it definitely that's how I mean, the amount of money we've been able to sort of prevent from going to these organized criminal groups, in a fairly sort of short time period is, you know, it's a substantial amount of money. And there's no doubt that that's gonna it's gonna hurt them. But yeah, I mean, you can't open the champagne every time they they arrest some guy in Oslo for this, because you know, he's not necessarily going to be the main guy, not necessarily.

Robby Peralta:

I'm sitting here thinking, how much does all this cost DNB and all these other banks and law enforcement, and this is like a huge economic burden on on your business.

Sebastian Takle:

I think the work we do, as opposed to anti money laundering work, the the sort of counter fraud work is not very little of it are we sort of required to do by law. So it's something we do ourselves. Now, obviously, it's something we do ourselves to reduce our own losses in the area. But But I think that the main issue for us is being able to sort of take a social responsibility where you can in a lot of cases, because the point there is that if we don't stop these transaction designs, you know, I often meet people who say, but why don't you know, this is the police's job? And I said, Yeah, but you know, how about how are the police supposed to prevent the transaction when you're in your in your online bank, and you press send, and you've got a West African account number there, and it goes, how are the police supposed to stop that? But you know, there's no way they can they're not part of that infrastructure. So it's got something to do with taking responsibility in an area where, where you're alone and being able to take responsibility. I think it was a billion wagering grounds just over a billion wintering grounds was the amount of attempted stolen from DNB and our customers last year, if I remember correctly, so it's a fair, fair amount of money that you're talking about. And, you know, I think we stopped like 725 million or 750 million or something in the in that range. So so you know, substantial amount of money that hasn't gone to organized criminal environments, you know, in 2019, because we were there. So I think that you What was your original question? How much does it cost? I don't know. Fortunately, that's not my motto there. But it's not cheap. But I would without a doubt say that it's cheaper than the alternative, which is not having us there.

Robby Peralta:

Yeah. Because that brings the next point not having you there. That's just fueling that whole underground economy.

Sebastian Takle:

Absolutely. And that sort of brings us to the the the issue that I spoke about earlier, where, where you sort of have where you don't have criminals in silos, just working distance email compromise, or just working ransomware. Right, you have groups involved in ransomware, and trafficking, or weapons and narcotics and business, email compromise, and things like that. And that sort of puts you in a bit of a difficult situation when you're looking to prioritize your work, right? Because, again, if we do an easy example, right, if I say to you that we've got two transactions going through our system, one transaction, you're going to lose $100,000. On the other transaction, you're going to lose $75,000. Which one do you stop? Right? This is an easy question, you stop the transaction and $100,000. But the issue becomes more complicated if I say that, okay, but we know that the guy who's stealing $100,000, he's gonna buy himself a new car, and the guy who's stealing $75,000, he's gonna buy heroin and sell that on, but then your issue flips. And suddenly, we're in agreement, basically, that here, we're gonna have to lose $25,000 extra, because here, we need to stop the money going into narcotics. And you're not, I'm not gonna overdo the situation here. I'm not saying that all money stolen in fraud will go to narcotics, or weapons or terrorist financing. But what I am saying is, it's such a large amount of it will, that when you're looking at a single transaction, it's really, really difficult to say that this transaction is going to go to the purchase of weapons, and this transaction is just going to go to some guy who wants to buy himself a new car, it's very, very difficult to say. And that puts the police in a very difficult situation, right? Because basically, for a long, long time, financial crime has been sort of not been the most important thing they work with, because you're in a situation where you can choose between, should we react to financial crime, or should we react to, for example, physical violence, and there's no doubt that you will make and sit there and have interesting podcasts about financial crime, and it's all fun and games until someone gets a punch in the face. And then it's not funny at all. And you know, we expect the police to show up. Therefore, for a long time, the situation has been sort of, Okay, we'll prioritize the physical threats. And we'll we'll let financial crime slide to a larger extent than we're comfortable with. But the problem is, so when you see the financial crime is fueling these criminal environments, when it comes to narcotics, weapons, trafficking, things like this, it makes those prioritizations a lot more difficult. Right. So saying that one type of crime is important. While another type of crime isn't. If you look at the extremes, that's easy, we can agree that murder should always be prioritized. And maybe a stolen bike isn't always the most important thing. But when you look at the the center there with financial crime, and and all of this, it's very difficult to say that this is an important type of crime. And this is a less important type of crime, because the the waters very quickly become muddied.

Robby Peralta:

That's why the work you're doing is so essential and important then

Sebastian Takle:

a lot of it is. Yeah, I think so. And I think if I could just shoot in as something sort of bit on the side, I think that one of the one of the important things to understand especially for for you and your listeners who are, who are infinitely more competent on the technical side, and than I am, is sort of the difference in how threat intelligence works. Because I sort of I meet a lot of people who are very good at threat intelligence, they've been working with it for a lot longer than I have, they're much better at it than I am. And they they'll quite often disagree with, with the way I approach threat intelligence, especially this sort of threat, actor centric view I have, I think they see it as a very sort of, it's very sort of headline friendly, it sort of look at him talking about all these organized criminal groups, who cares, you know, we should be talking about this. And I think that sort of boils down to a general sort of misunderstanding when it comes to, to how threat intelligence works. Because threat intelligence in different areas works differently. So I usually I sort of, I compare it to the face of a clock or a watch right? Where you have you have three hands going around, you have the second timer, you have the minute timer and you have the the the sort of the hour hand the going going around, where for me threat intelligence in the sort of cyber defense area that you guys and your listeners probably are very, very familiar with. For me, that's the second hand of the clock spinning around so fast that you can see it moving all the time, right. There's something happening there. All the time. And if you look away for a second, it's going to take without you seeing that sort of, that's the reality of the landscape, then cyber defense works in daily updates on a threat intelligence are not only required, sometimes they're not even enough, right. But when you look at financial crime, it's more like the sort of the minute hand going around, it moves a lot slower. I think I'll steal from Europe Oh, last week launched their internet and organized crime threat assessment. And they said that the the trend they were seeing was an evolution and not a revolution. And I think that sort of describes financial crime to me, when it comes to threat intelligence, you can, it's continually evolving, it's moving all the time. It demands that you're you're there and paying attention. But sometimes you'll have a day where nothing happens. And sometimes you'll even have a week, that's not particularly eventful. And if you look at the threats I talked about in this Yes, assessment, last year, threat assessment isn't, isn't publicly available. But what I can tell you is that a lot of the same groups, I'm talking about a lot of the same types of fraud. And that's because within this area, there's there's an evolution happening all the time. But that doesn't necessarily mean that there's huge changes on a daily basis. And you know, the fight the end of that clock watch. Example, for me is the sort of our hand which, which, you know, hardly moves at all, if you're sitting watching it. And for me, that's sort of the physical aspect, whether it's there the, you know, the terrorism threat, or that the threat of, you know, bank robberies, and you know, physical robberies and things like that, that sort of moves even slower. But the fact that these things work in a slightly different way, and that there's a different speed to which threat intelligence is is relevant in each area, by no means means that it's more relevant for one area than another. So I mean, the threat intelligence just as viable, whether you're talking about the physical threat, financial crime, or cyber defense, but we need to just accept the fact that it's going to work differently in different sides of things.

Robby Peralta:

Awesome. What are you looking forward to? If you look in your crystal ball for your world? Iif I was gonna have you back on, (you have to come back by the way), but when I have you back, what are you gonna talk about, then? What do you think is gonna change or evolve?

Sebastian Takle:

I think, you know, again, talking, talking about awareness and how boring it is, I'm gonna have trouble selling an exciting topic for you immediately. But I think that we need to talk about business email compromise, I think we need to talk about the fact that, you know, in Norway last year, you had 100 and 50 million rounds lost in one case, and this year, 100 million lost and another by companies who weren't acting recklessly, but who were targeted by extremely competent big international, transnational organized criminal groups. And that the amount of money there's that they are getting away with there is it's too big to be ignored. So we need to have a deep, deep and good look at business email compromise, and how business email compromise is many things all at once. When I say business email compromise. Now I'm sort of talking the the FBI version, which, which is sort of everything from spoofing of an email or things to add, changing the account number to an actual compromise, where, where you have threat actors in your system, of rages and monitor, you know, your behavior and how they can take advantage of it. I think we need to ever talk about business email compromise. And at the same time, I'm going to refer back to your boss internet organized crime threat assessment, which was released last week, which is it's an important document for me because despite having good cooperation with the police and things like that, you don't get a lot of FaceTime with Interpol, and Europol and things like that. So having a look at their perspective is important. They, there was nothing particularly surprising in that threat assessment this year, the newest thing was sim swapping, which has been big abroad for a while but it's it's new to Norway, so then we're gonna we're gonna come back to that. But I think maybe the most disappointing thing was that they said that, you know, investment fraud was on the rise, and that this was, I think they call it a fairly new trend or something. And I mean, I just I just so strongly disagree with this. It's been there for so long. And there are you know, Europol themselves in their 2017 report said that there was one organized criminal group that 3 billion euros from investment fraud alone, right and then you combine that with what I said about that, when you have an organized criminal groups around 3 billion euros, they reinvest this money, right. It's now called x and it's weapons and it's things like this. We need to get a we need to have a talk about investment fraud, and how this ties in with other other types of crime.

Robby Peralta:

Mr. Takle thank you so much for your time. There's lots of interesting stuff here, I have a million more questions. But it gives me a reason to have you back.

Sebastian Takle:

Thank you very much for having me.

Robby Peralta:

Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you would like us to discuss on future episodes, please feel free to send us a mail to [email protected] Thank you for listening, and we'll see you next time.