Fraud Intelligence at Stripe: Inside the Financial Fraud Kill Chain
Where there is money, there is fraud. Fraud is a fact of life when money is involved; however, until recently, there has not been a structured fraud-specific taxonomy to standardize the understanding of fraud and eliminate communication gaps.
This week in the Future of Threat Intelligence podcast, Will Baxter is joined by Vincent Passaro, Engineering Manager, Security at Stripe. Passaro shares with Will the need for a fraud intelligence framework, the work they have done at Stripe to standardize one, and the value of infrastructure targeting and law enforcement collaboration.
Why Fraud Intelligence Needs a Financial Fraud Kill Chain Framework
Soon after Passaro joined Stripe, he heard the idea discussed during a fireside chat with Stripe’s CEOs that Stripe had to be “guardians of the financial ecosystem.” This lofty goal was driven by the knowledge that fraud was omnipresent in every domain of money movement.
Whether it was moving checks, wire transfers, banks, fintech, or other associated activities, fraud was an issue. And the scale of fraud was not limited to specific organizations or by size. Instead, Stripe noticed that fraud could potentially impact everyone.
For Stripe to succeed in this financial space, the company had to find a way to limit and disrupt fraud activities. But Stripe could not deal with this problem alone.
“We might have to partner with people,” Passaro said Stripe realized. “We have to partner with intelligence organizations, other banks, financial institutions, other fintechs and stuff like that. Other payment processors, like we have to do this together.”
However, it quickly became apparent that there was no clear definition of what fraud was. Unlike in cybersecurity, where robust intelligence frameworks exist for tracking incidents and describing observations in standardized ways, fraud was too broad a term. This lack of specificity in the fraud domain meant a lot of time was spent reverse-engineering what “fraud” actually meant in any specific case.
Passaro realized that to effectively curb fraud, there needed to be a standardized framework in place.
What is the FT3 Fraud Intelligence Framework?
In response to the ambiguity surrounding the term fraud, Passaro and his team created the FT3 (Fraud Tools, Tactics, and Techniques) framework, modeled on MITRE ATT&CK. This matrix-based framework allows security practitioners to differentiate between attack methods, such as account takeover, key leak, or card testing.
FT3 brings significant help to fraud teams by providing a common language to describe an attack beyond just saying fraud. This granularity helps describe an incident from end-to-end, allowing for greater cross-team collaboration. Now, instead of each team having their own terms, fraud specialists could have a standardized way to explain an incident across an organization, to security or executive leadership, and to law enforcement.
In Passaro’s experience, the FT3 framework was a quick adoption for those already familiar with MITRE ATT&CK. The framework helped Stripe’s team tie downstream fraud activities back to consistent patterns, allowing the team to move to the left of the attack timeline.
Passaro does acknowledge, however, that the FT3 framework was more difficult to introduce to traditional fraud teams, who were not familiar with MITRE ATT&CK. These team members required significant education. However, once teams were brought up to speed, fraud team members were able to use FT3 as a data-backed road map to identify points of concern outside of their single product focus.
From Detection to Disruption: Infrastructure Targeting Packages and Takedowns
With a fraud framework in place, Passaro and his team focused on generating proactive intelligence. Part of this process involves putting together “infrastructure targeting packages.” The ultimate goal of this activity is to allow Stripe to trace the activity back to the “puppet master,” and then to decide whether Stripe wants to block the infrastructure or monitor it.
This infrastructure targeting is facilitated by Stripe’s partnership with Team Cymru. Specifically, Team Cymru’s data helps Stripe to track connections throughout internet infrastructure. Once Passaro and his team identify infrastructure, they are then able to partner and share information with law enforcement.
Stripe’s connections with law enforcement began with, and were facilitated by, Passaro’s attendance at Team Cymru’s Underground Economy conferences. These conferences feature a high level of crossover between industry and law enforcement, fostering a trusted environment.
Since putting in place FT3, partnering with Team Cymru, and building out connections with law enforcement, Passaro’s team has completed infrastructure targeting and takedown operations. This has allowed Stripe to carry out their mission of being the guardian of the financial ecosystem, while having the option to make strategic decisions rather than rely solely on retroactive, defensive options.
You can listen to the entire podcast at Apple podcasts, Spotify, YouTube, or on the Team Cymru website.