Information Security

Defending the digital infrastructure

Ron Green: Keeping the payment ecosystem safe for Mastercard

"We have invested a billion dollars over the last couple of years just in security," says Ron Green, Mastercard's chief of security, who joined the company in 2014.

A household name in the global payments industry, Mastercard Inc. continues to partner with other organizations to develop financial services technology, from data anonymization for GDPR to blockchain for cross-border payments.

Ron Green, the executive vice president and CSO at Mastercard, is in charge of a global team that has the high-stakes job of keeping the credit card giant and its services secure. Part of the payment ecosystem, the company's proprietary network -- which is used for the authorization, clearing and settlement of payment transactions -- connects consumers, financial institutions, merchants and other partners and businesses worldwide.

The CSO built his career on an engineering education from the United States Military Academy at West Point and several foundational years, at the "dawn" of the cybersecurity era in the 1990s, with the U.S. Secret Service, where he was one of the first agents to receive formal training on seizing and analyzing electronic evidence. One of the lessons Green says he has learned from that experience is the necessity of engaging with capable partners rather than instinctively trying to go it alone. "Back then, there weren't forensic tools; you just figured it out on the job."

His team needed a way to capture traffic into an internet service provider (ISP) that was suspected of being complicit in "helping the bad guys." So, he and his team came up with a plan; they purchased a pair of servers and got permission to install them into an upstream ISP. It was a good concept; however, Green admits, "The traffic going through just melted the CPU, so we realized we were not the subject matter experts and, in the future, we would need to get help."

Green joined Mastercard in 2014. Previously, he served as the deputy CISO at Fidelity Information Services, director of investigation and protection operations at Research in Motion, and senior vice president at Bank of America.

How would you summarize your mission at Mastercard?

Ron Green: At Mastercard, we strive to be a partner in helping the ecosystem -- by which I mean the payment ecosystem -- by being a good citizen. We're talking about people buying groceries or things for their kids and conducting that transaction with their card or their phone; they want to know that it will work. It is just assumed we'll be there. We do what we can by working with others -- the telecom companies, the power utility companies and other financial institutions -- to ensure the safety of that payment ecosystem and to ensure that it is a stable transaction environment.

Mastercard operates some leading-edge programs such as Early Detection. Can you explain what that is and how it works?

Green: Early Detection allows us to help issuers make better decisions about whether or not to approve a transaction. We can see a lot of information about how transactions are being processed and can then create a score for how likely the transaction is to be legitimate or fraudulent. We provide that information, and then issuers can decide whether to use that information. It is information designed to help them make better decisions. We also have something called Safety Net. It is exactly what the name implies. Early Detection is based on the way we see transaction patterns emerging. Then with that insight, we can see when a cash-out scheme is underway and we can act on behalf of the victim company.

A cash-out is when a hacker breaks into an organization such as a debit card processor. When they get in, they inflate the withdrawal limits on cards and eliminate any limit on the number of transactions. Then, in a coordinated effort across the globe, the hackers provide an army of people with copies of the cards and all the information to put it into an ATM, including the PIN numbers, so this army can go get money. The only limitation they face is the amount of money that's in the ATM. They usually work over a weekend because it's harder to get in touch with people at the processors and alert them during those times.

Organizations have faced losses of millions of dollars: the worst cash-out attack netted $40 million. The same insight we have that helps us with Early Detection systems can help make decisions on these accounts that have been compromised. We will even act on behalf of a processor. We will stop the activity before it gets too far.

How does it work?

Green: It is built from a lot of proprietary things. It is built on the power of our network; we can see so many transactions. We have also invested a lot in AI companies such as Brighterion Inc., which Mastercard acquired in 2017. We have invested a billion dollars over the last couple of years just in security. We have security teams in everything at Mastercard. My team protects Mastercard and our applications, but another team focuses on making sure different participants in the credit card-debit and payment ecosystem do the right things they need to do. Another team helps create security solutions to help our customers protect what is dear to them, both issuers and acquirers, and individuals.

We have things like NuData Security, which is another Mastercard entity that provides more and better insights on digital transactions. NuData helps us understand how -- and where -- a device is making the transaction to provide assurance that the transaction is made by you and not someone else pretending to be you.

What is the Mastercard Fusion Center?

Green: That's connected to the idea of working with others in an inclusive way. We have two security operations centers. They are focused on looking at and monitoring security events. Fusion is a cooperative team across Mastercard. Within that, we have representatives from communications and a lot of security people, but also people from the IT operations side, customer service and legal. Altogether, there are 15 different teams involved in staffing that Fusion Center, but they all still belong to their respective business units.

The members see what the business units see as they talk about what has happened in each of the units. But, at the same time, because they're all there together, as soon as one of the teams sees something of interest -- like an attack or breach happening, perhaps even to another organization -- they're talking about it. It is a chance to ask: What do we need to learn? How does it affect us? Do we need to talk to customers? Do we need a new product to help customers?

How unique is the Fusion Center?

Green: I think it is unique for progressive companies. There aren't a lot of fusion centers out there; I only know of a few. Fusion centers are modeled after what the government did after 9/11 with law enforcement and intelligence agencies combining resources. I have used the wildebeest analogy to explain its value. If you are with a group, you are more informed when there is a threat and you can move against it. If you are with a wildebeest alone, and not paying attention to what's around, life can become really challenging.

From our perspective, I have a lot of team members really focused on making sure we have close partnerships with others in the sector. We look to partner with different government agencies to help inform them about things we can do together and to make sure they can help us and others like us. We do a lot of direct sharing within the financial services sector, and even beyond. If they share with us, we'll share with them and with those that have fusion centers. We connect the sensors, and we can share what has happened with some partnership companies. We will do benchmarking and hear what others do to protect their companies. We find that people who have to do this every day know a lot about how they do their jobs. I get more information from people in other organizations than I do when I hire a consultant!

One other thing we do is an annual game, a cyberdefense exercise. We have red and blue teams, and we work with a few other companies. My red team will attack their company, and my blue team will defend against the attack. We don't use production systems, of course. The goal is to develop tighter partnerships, so we will have people deep in the team who know similar people in other organizations and have developed the craft and skills we need. It is a way to learn from each other.

You mentioned your relationship with other industry players in the payment ecosystem; what about Information Sharing and Analysis Center groups?

Green: We are members of FS-ISAC, or the Financial Services Information Sharing and Analysis Center, which is the global financial industry's ISAC. There are a lot of ISACs out there, but I think FS-ISAC -- because it has been doing it for so long -- has achieved so much more. It is like the famous quote attributed to the bank robber [Willie Sutton]. When they asked him why he robbed banks, he said, 'Because that's where the money is...'

We are where the money is and where the fraudsters are; we have so many adversaries. It is compelling for us to stay on our game and stay ahead of them. In other sectors, you don't have an adversary that vicious, and perhaps you don't need to be so focused, so to some extent, they may have to start to catch up.

With the strength of the current economy, do you find yourself with staffing challenges?

Green: It is always a challenge. I don't know if the economy is the issue so much as it is that other companies have finally realized how important cybersecurity is. On the government side, we hire people with government backgrounds, people from [the National Security Agency] or the Secret Service, the FBI or Interpol. This helps us when we look at things; we think about it from a perspective of government enforcement. There is a program called CoderVets for people about to leave the military, and there is a training program that gives them more exposure. They work for us as sort of apprentices, and then, if there is the right cultural mix, we can make them part of the team. There's a lot of college recruiting, too, and internships; and we work with universities to make sure that their curriculum is right for what we need.

There will never be a complete way to fill the gap. The technology is always advancing.

With your own background in government, do you see a need for more of a role for national governments in cybersecurity?

Green: We have seen some good progress in government as of late, wanting to help us with getting access to more information. The government is helping us with getting together different sectors as well. One area with Homeland Security is their focus on the critical energy, financial services and communication sectors. They are paying attention. We are also blessed to have a CEO, Ajaypal Singh Banga, who is so well regarded. He is at the Financial Services Sector working group. We are continually working with these groups and other companies on how to share information and address things collectively.

Are there geographic areas that are especially challenging from a cybersecurity perspective?

Green: The adversary is everywhere. You must treat the environment like you were under attack all the time and, essentially, we are. The life expectancy for an unprotected computer on the internet is minutes. We're always under attack. We have 2.3 billion card holders. We are accepted at millions of merchants. We have to think about everything. We want it to be as safe as it can possibly be.
