Sontiq’s recognized expert on cybercrime helps financial institutions fight identity theft and authentication fraud.
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security, cybersecurity and information governance to protect data and transactions at credit unions and other financial institutions.
For Al Pascual, senior vice president of data breach solutions at Sontiq, a TransUnion company, a career in information security seemed inevitable given his natural affinity for computers at an early age, and his inquisitiveness about crime inherited from his parents, a pair of New York City detectives.
“I was very into computers as a kid, spending time exploring the internet before the dot.com boom,” recalled Pascual. He even built his own computers. “I was a geeky kid who ended up going to technical school in New York (Staten Island Technical High School).” There he took tech-oriented courses including computer-aided design, manufacturing, and robotics.
However, when Pascual headed to college at the University of Florida at Gainesville it was to become a doctor, before switching over to the University of South Florida in Tampa, where he earned a Bachelor of Arts in history.
A Knack for Financial Crime Investigation
It was after college that Pascual’s career started taking shape when he went into banking and discovered an aptitude for determining fraud. “I found specifically in the mortgage space that I was really good at identifying financial crime,” he said. This included finding misrepresentations, fraudulent applications, and people committing scams. “Maybe that had to do with my parents being in law enforcement, growing up under their watch.”
Taking advantage of his skills revolving around being very analytical and inquisitive, Pascual ended up focusing on the resolution part of financial crime investigations. First at HSBC as an investigator of borrower verification; then as fraud investigator at Goldman Sachs, during the mortgage crisis of 2007-2008, and later at FIS.
In 2012, Pascual transitioned to work in research with advisory firm Javelin Strategy & Research, where he worked as an industry and security analyst, as well as senior vice president, research director and head of fraud and security. At Javelin Strategy & Research, he directed the company’s often-cited research and analysis on consumer identity theft trends and led product development efforts, which represented a shift from more traditional financial crimes into cybercrime.
“This was a nice opportunity to bring back together the kind of interest and excitement I had around information security with all of the experience and success I'd had working in financial crime,” said Pascual. For the last 10 years or so, he has focused on cybercrime, specifically on the intersection with identity and authentication. “It evolved into thinking about the implications of cybercrime as it relates to consumers and financial institutions.
The Birth of Breach Clarity
His knowledge and experience led Pascual to co-found San Francisco-based Breach Clarity with Jim Van Dyke (now the senior vice president of innovation at identity security company Sontiq) in 2019. “It was to take data breaches and figure out what it really means for everyone downstream from a risk perspective and provide some useful tools to managing that risk,” recalled Pascual. Nottingham, Md.-based Sontiq, which provides digital identity protection and security, bought Breach Clarity in March 2021 and renamed it BreachIQ.
BreachIQ analyzes every member's breach footprint, mainly through a personal email address. It searches the dark web for possible breach exposures, converts that information through artificial intelligence and runs it through a 1,300-element algorithm.
Pascual explained that his team intends to use BreachIQ technology to provide broader applicability, including threat intelligence analytics. “Now as part of TransUnion, BreachIQ’s design helps engage consumers on the front end, better manage their own identity, risk, and security and the things that they can do in concert with their financial services provider to protect themselves.” (On Dec. 1, 2021 Chicago-based information and insights company TransUnion announced it completed acquisition of Sontiq for $638 million; and identity resolution company Neustar for $3.1 billion).
He added, “We want to take all those insights and put those back into the hands of trusted providers that work with Sontiq and TransUnion so that they can also make better decisions on behalf of the end user, the consumer of the businesses they serve.” Pascual noted BreachIQ is starting to adapt to user facing applications of the technology, while also looking to leverage and disseminate the insights and data to the overall organization.
Cryptocurrency Causes Concerns
When asked “What keeps you up at night?” Pascual quickly pointed to cryptocurrency as a poorly regulated $3 trillion market with some financial institutions rushing to provide services once they are in a position to do so. “Banks and credit unions will ultimately be custodians. They will offer services as they relate to cryptocurrency. (However) generally fraud and security tend to be second string considerations.” He noted when it comes to innovative technology it is always firstly about getting the product into the user's hands and figuring out how to make the new product profitable. “Then we worry security and fraud down the line. He suggested credit unions and banks are entering the cryptocurrency space blind, “which makes it even worse.”
Pascual warned that financial organizations must make smart decisions about what kind of controls to implement whenever rolling out new products and solutions to consumers. He offered a cautionary reminder. “Remember I used to work for Goldman Sachs during the during the mortgage crisis. (Cryptocurrency at financial institutions) has the potential to be worse. We are still in the early days but I can see the writing on the wall.”
He acknowledged some larger players are interested in playing a significant role as gatekeepers and stewards. “We're thinking a lot about it as well. But I can see this going off the rails quickly and causing all kinds of systemic problems. It really starts with just good security, fraud, and identity-oriented controls.”
Other Cybersecurity Concerns
What about other specific information security dangers? Pascual cited financial crime and cybercrime generally as becoming a big business. “You have criminal organizations around the world, enabling an economy of crime, providing all these different services,” said Pascual. He described how these vast cybercriminal organizations provide the technology, data, malware and people at scale focused specifically at circumventing controls that financial institutions have in place to manage fraud and security risk.
These gangs of frauds facilitate crimes by providing stolen data and identity documents, malware; distributed denial of service (DDoS) attacks, botnet services, keyloggers; phishing/spearphishing tools; and hacking tutorials on how to dupe call centers, use social engineering; and take advantage of stolen personal identifying information (PII), credit card and debit card numbers, false identification documents, and hijacked SMS texts containing one-time passwords.
Pascual believes there is a role for banks and credit unions to play in partnership with law enforcement, working with law enforcement to identify the cybercriminals.
Such as massive financial crime crackdown, which took place over four months from June to September 2021, coordinated by INTERPOL (codenamed HAECHI-II) and involving specialized police units from 20 countries. HAECHI-II resulted in the arrest of 1,003 individuals, allowed investigators to close 1,660 cases; and intercept a total of nearly $27 million of illicit funds gained from types of online fraud such as romance scams, investment fraud and money laundering associated with illegal online gambling. Operation HAECHI-I (September 2020 – March 2021) saw more than 500 arrests, nearly 900 solved cases, and the interception of $83 million in illicit funds transferred from victims to the perpetrators of investment fraud, romance scams, money laundering, online sextortion and voice phishing.
Pascual suggested, “It behooves all legitimate players in the space to really focus on that infrastructure of crime, that's where they're going to make the most progress in mitigating risk longer term.”
Justifying Cybersecurity’s Existence
The role of cybersecurity at financial organizations has evolved. “If you are working in a job whose goal it is to prevent losses to the institution, you are going to think about the tactics, procedures, processes,” Pascual maintained.
If someone works in cybersecurity, Pascual pointed out one of the big things has always been how to justify cybersecurity’s existence in an organization. “What are the metrics we can use to really prove there's value in those investments beyond just meeting some regulatory mandate.”
The answer lies in return on investment (ROI). “If I can prevent financial crime, that's something I can measure. It creates ROI or it shows ROI.”