Cybersecurity and Payments: A Love-Hate Relationship with Thomas Müller
“Cybersecurity is this incredibly broad domain. You can’t just nail or achieve great security in technology or on the human side alone. It always takes both. You can build an incredibly secure system from a pure technology point of view, but probably even I to this day would be able to break it with social engineering.”
Episode Summary
On this episode of the Digital Banking Podcast, Josh DeTar welcomed Thomas Müller, CEO and co-founder of Rivero, to discuss the connection between cybersecurity and payments. Müller’s background as a CISO provided a unique perspective, highlighting the human element in security breaches. He used real-world examples like account takeovers and policy bypasses to show how both technology and human actions affect security.
DeTar and Müller discussed the challenge of building strong security programs that are both safe and user-friendly. Müller offered advice on making security policies and training more effective. They also explored how industry rules often fail to keep up with new online threats.
Müller then explained his move from cybersecurity to the payments industry, and his reasons for founding Rivero. He spoke about the issues banks face in adapting to rapid changes in financial technology. The discussion concluded with Müller’s thoughts on the constant struggle between those committing fraud and security experts.
Key Insights
⚡ Cybersecurity Requires a Human-Centric Approach
Technology alone cannot secure systems. Humans are often the weakest link, either intentionally bypassing security measures for convenience or unintentionally falling prey to scams. This highlights the need for a more holistic approach to cybersecurity, one that combines robust technical safeguards with effective security awareness training. Training must move beyond simple policy explanations and engage individuals on a personal level, explaining why security practices matter in both their work and personal lives. This approach not only increases understanding but also fosters a culture of security, where individuals feel empowered to make smart decisions and recognize potential threats.
⚡ Security Policies Must Balance Protection with Usability
Policies that are too restrictive or cumbersome can actually weaken security. When employees find policies inconvenient, they may actively seek ways to circumvent them, often increasing risk. A more effective approach involves creating policies that align with real-world practices, balancing security with the need for efficiency and ease of use. Open communication with employees about policy creation and implementation can help ensure buy-in and prevent unintended consequences. This fosters a sense of shared responsibility for security, where employees understand the reasoning behind the rules and are more likely to adhere to them.
⚡ The Payments Industry Faces a Constant Balancing Act
The payments industry must continuously adapt to changing consumer behavior and evolving fraud tactics. While cash offers a level of security, its lack of convenience makes it impractical in the digital age. Digital payment methods offer speed and ease of use but introduce new vulnerabilities. Striking a balance between convenience and robust consumer protections is crucial. This requires ongoing innovation, not only in technology but also in consumer education and fraud prevention strategies. Clear communication about the risks and benefits of different payment methods can empower consumers to make informed choices and protect themselves from fraud.
Thomas Müller: [00:00:00] At the end of the day, it comes down to, uh, yeah, as we said in the beginning, taking the right smart technical measures, but combining that with what is these days known as information security awareness, which is to actually take your employees on a journey and teach them rather than to write up a policy and shove their policy down their throat.
[00:02:00]
Josh DeTar: Welcome to another episode of the Digital Banking Podcast. My guest today is Thomas Müller, CEO and co-founder of Rivero. You know the saying, the grass is always greener on the other side. I really enjoy having an opportunity to have guests on the podcast from other countries. It helps to shed insight into how others are navigating banking and tech with different geographies, culture, banking laws, and approaches to tech, et cetera.
What it also highlights is we all face challenges, both unique and similar. Now, Thomas is a dead serious German, so I know I’m gonna get the nitty gritty, unbridled insights from him. But at the same time, he’s someone who understands that life is meant to be lived, enjoyed, and optimized for fulfillment.
And to do [00:03:00] that, you have to have fun and not take yourself too seriously. He said, especially when you’re named one of the most common German names and share the name with the famous Bayern Munich football (soccer, for US Americans) player, you gotta have some fun with your personality. And Thomas will be the first one to admit:
He’s a total hardcore cybersecurity nerd. The majority of his career was focused in this area. However, after spending time as the Chief Information Security Officer for one of the largest credit/debit card companies in Switzerland, he took on a new passion, born of a love-hate relationship with payments.
Now, having a father as a German car mechanic taught him grit, hard work ethic, and to be a problem solver. So when he saw problems he was facing in the payments industry, he set out to do something about it. Thomas loves technology and seeing the impacts it has on society, [00:04:00] but also loves to be present and emphasize the human element, as exemplified by his love for electric cars and self-driving capability, with a caveat, saying: if I just wanna get to my parents’ house in Germany, gimme an electric self-driving car to take me there autonomously.
But if I’m going for a drive in the Swiss mountains on the weekend, I want a 911 with a steering wheel that I control. Today’s episode is gonna be an interesting one, cruising through the twisty mountain roads that connect people, tech and banking.
Thomas, thanks for coming and joining me on the show today.
Thomas: Hi, Josh. Uh, great, uh, to be here and thanks for having me.
Josh: Yeah, man. Um, you know, like I said, it is always kind of cool to get, uh, you know, the opportunity to just get connected to people that I, you know, I obviously otherwise probably would never have had the opportunity to meet and talk to. And it is, it’s so funny, I feel like so many times, you know, I go to conferences here in the US right?
And we’re having [00:05:00] conversations about the challenges that our industry is facing. And so many times we look to say Europe, right? And say, oh, they’re, you know, they’re so far ahead of us and oh, they’re doing things so much better or different. And, and then I talk to you and you’re like, oh man, I had that same problem.
Right? So it’s just always interesting to like get the different perspectives from people
Thomas: Yeah, absolutely. Absolutely. It’s, it’s, it’s really, um, uh, quite important. Uh, I, I also believe to sometimes really break out of, uh, the bubble we obviously all live in
Josh: Mm-hmm.
Thomas: of where we live, right? So as much as you might have, uh, in those conversations, some certain stereotypes about, uh, European financial industry, believe me, we have the same stereotypes about the us.
Josh: Yeah, exactly. Well, you know, the one thing I am a little disappointed about this episode though, is in hindsight, I really think we should have recorded this, you know, together in person. And I probably should have [00:06:00] come, you know, there, and we should have done like a drive through the Swiss Alps together to where we decided to record this.
I, I feel like that would’ve been a better use of use of our time. But, you know, I guess, I guess virtual works too.
Thomas: could, couldn’t agree more. But I would also say, I mean, maybe that’s just now a good excuse to put me on the podcast, uh, a second time.
Josh: There you go. I like it. See, I like the way you think. Well, so I, I want to start things off by, um, you know, it’s funny when, when we got connected the first time and we started talking, right? Like you were talking me through a little bit of just, um, your kind of hardcore passion for cybersecurity. And what’s interesting is I think one of the areas that we’ll probably end up spending even more time talking about is kind of the impacts on the payments industry and people and in, you know, their ability to interact with their money.
But kind of having the cybersecurity background I think is a really interesting one and plays into [00:07:00] this. And, and I think it’s also pretty interesting when you talk about. Like just how much you nerd out on the cybersecurity side of things. The fact that you kind of quote, almost abandoned that to focus on something else tells me just how important the something else is.
But, so maybe just start by talking us through a little bit of like, why, why did cybersecurity become such a big passion for you and you know, what were some of the experiences that you had just in your time in that field?
Thomas: Yeah, sure. I’d love to. So I’m in my journey around, uh, cybersecurity or how it was back then called information security, right before it had to be all, uh, cool and stuff. And then people started calling it cybersecurity. Um, was basically during my time, uh, in university, uh, when I studied computer science because I think first of all I got kind of like passionate about everything that was more connected to kind of like connect the computer systems, [00:08:00] networking and so on.
And I think then naturally you get a little bit into the cybersecurity domain. And I would say it was then down ultimately to one great professor or two great professors I had at the time that really kind of like sparked this interest for, uh, uh, cybersecurity. And I’m going to be honest here, I think originally my initial, uh, fascination with the topic of course came out of kind of like all, you know, like this fascination with this underground, uh, culture and the hacker culture and so on, right? But I think that ultimately, and it was also the reason why then after finishing university, I would be looking for basically, uh, a job in the cybersecurity space, was that I realized cybersecurity is this incredibly broad domain. That, uh, you can’t just kind of like, you can, you can nail or basically achieve great security in technology or on the human side [00:09:00] alone. It always takes both of, of those elements, right? Because you can build, arguably, an incredibly secure system from a pure technology point of view. But I will tell you probably even I to this day would be able to break it with social engineering, right?
So you just then as an attacker, you go to the human factor, which however, is not to say you therefore shouldn’t care about technical, uh, security. And so I think it was ultimately this complexity that, um, yeah, really got me, uh, uh, hooked and got me kind of like deeper and deeper into the space.
Josh: You know, I wanna stop and touch on that for a second. ’cause I, I’m with you. I like that one just fascinates me because it is, it’s this like, cybersecurity is such a blend of the tech and the human side. And I like the way you said it. It’s like, just because we know that the humans can be a weak link doesn’t mean that we just forego the security side of things.
And just because [00:10:00] the security side of things, um, is, or the technology side I guess is, is shored up doesn’t mean that the human side won’t impact it. And it’s so case in point and evident in, uh, you know, we see so much account takeover fraud because people willingly give out their credentials. I mean, just stop and think about it for a half a second.
Like, where in your logical brain would you ever give out your credentials? But we do it time and time again. Right. Um, and, and just do silly things. I mean, I, uh, I remember, this was actually a couple of years ago, Thomas, but I was talking to a, uh, a regional bank that was telling me a story of they had a business owner of a fairly large business that banked with them, who was at a coffee shop, working from the coffee shop, [00:11:00] had his laptop open, was logged into his email, his corporate email, and logged into his banking platform and got up and went and had a conversation with somebody like outside and just left his laptop in there.
Somebody sat down at his laptop, went into his logged in banking profile. Changed all of his user settings, changed his username, his password, changed his, you know, mailing address, changed his contact info, sent all the OTPs to his corporate email, which he was also then logged into. So went and validated all the OTPs and then systematically went home and just drained the account of millions of dollars.
Right. And it, [00:12:00] again, it’s, you know, it doesn’t mean, oh, okay, if that kind of scenario is gonna happen, then we don’t even have to bother thinking about cybersecurity ’cause people are just gonna be stupid and just give out their credentials anyway. Or do stuff like that. You don’t really get to just, you know, I guess hang your hat on that, but at the same time we have to recognize that that is a factor.
And so how do you, how do you then take that into consideration and kind of your holistic cybersecurity strategy and thought process?
Thomas: right, right. And I think that is actually, uh, uh, uh, I think it’s a per perfect story. Um, even though of course it’s an extreme one,
Josh: Yeah.
Thomas: I think it is actually generally true. And I think that was then also one of the things I had to learn somewhat, uh, hard way when I went from the theory of university into, you know, applying cybersecurity in the world of, uh, uh, uh, business. That I think I was quite surprised. Kind of like, you know, how, how kind [00:13:00] of like narrow minded a lot of people in the security space are including even some fellow security officers. Even to the extent that they sometimes seem to believe that, well, the first thing is anyway, you have to, we have to be compliant.
We have to put out all the security policies. And I was like, sure, one has to do that. But we must not focus just on policies because not a single policy in this world has ever made a company more secure. Right? Because there’s two big misconceptions, which
Josh: Hmm.
Thomas: well only because you define it in the policy doesn’t make it a smart thing to do technically.
And only because you wrote it in a policy doesn’t necessarily mean people read and understood it and act accordingly, right? And what it taught me ultimately is also in my role that I then had as a CISO is whenever, you know, you get approached as the security officer to also make a decision about whether something uh, uh, [00:14:00] uh, is according to policy.
I would always try to look at this in terms of kind of like trying to do a real world risk assessment, right? So I would very often recommend even to product to do something that is potentially arguably from a cybersecurity point of view, slightly less secure. I was like, but it’s more likely that people will actually adopt it and then as a result it is more secure, right?
Josh: Huh, that’s an interesting way of thinking about it.
Thomas: Like, and I’ll give you probably like an example that everyone can relate to, at least everyone that has ever worked in the financial industry, right? So to this day, there are banks that believe it’ll make the bank more secure if they highly restrict the internet access that people have from the workplace, right?
So they lock everything down. People can’t use Google Meet, uh uh, they can’t use whatever other tools, kind of like the rest of the fast moving industry and fintechs are using. [00:15:00] But I can tell you the result is then not that your bank employees don’t actually use it, they just find a way to circumvent the security you put in the in place, right?
Josh: Yep.
Thomas: they just start joining Zoom calls and Google Meet calls that are about business from their personal device. Right. And
Josh: Yep.
Thomas: you less secure. Right. But this is quite often I saw that, uh, and I was shocked by kind of like, you know, how narrow-minded people tend to look at the topic of cyber, uh, security.
Josh: That’s a really good point, man. You know, um, yeah. There’s, there’s the, on paper, what’s gonna be the best way to do this, but then there’s the reality of it all. Right. And you’re like, I think the way you said it was perfect. Like, and then people find a way to circumvent it and it’s like, I mean, let’s all be totally honest.
We’ve all a thousand percent circumvented some policy at some point [00:16:00] because it just didn’t suit our needs. Right. Um, and it just, it made me start thinking about, um, you know, I think probably a lot of organizations are thinking about this as well. You know, our company has been using AI heavily for a long time.
Um, because we always kind of took the strategy of, hey, we’re a tech company. Like we actually want to hire the types of people who are gonna be using the newest, latest, greatest, the tools for efficiency. You know, the stuff that’s really gonna innovate our products, blah, blah, blah, blah, blah. So we know we’ve hired the type of people that are gonna go use a bunch of this open AI stuff, right?
And I don’t just mean OpenAI, but you, you, you get what I’m saying. So let’s start talking about it. Let’s create reasonable policies around it. But let’s have a conversation, say, Hey, we know you’re gonna use it, so let’s create ways for you to use it. Versus if you’re like, Hey, I don’t know what this [00:17:00] is.
It’s scary. Time out. Nobody use it. That’s exactly what’s gonna happen. Then I bet you anything, you get a bunch of, you know, developers that are like, Hey, these tools could actually, you know, increase my productivity a hundred, a hundred x, but I can’t use it on my work laptop. So I’m gonna take all of my work data off my work laptop and I’m gonna put it on my personal computer and then I’m going to use ChatGPT with my work data on my personal computer to do this stuff and then feed it back into my work computer.
Right? And now to your exact point, like you’ve opened up a can of worms, way worse than just saying, Hey, we know you’re going to use this. Be thoughtful about it. Here’s some bounding boxes, here’s some tools you can use that we trust. Here’s some ones that we’ve bought at an enterprise level. Right? That kind of thing.
But you know, being able to do that for absolutely everything I think is probably next to impossible. But at least having that kind of posture is interesting thought process.
Thomas: And, and maybe just to add to that, because I think it gets, um, kind of like, in a way, even crazier than that [00:18:00] because if you, if you really observe that, uh, who do you think are the people that will start circumventing it? It’s your high performance,
Josh: Mm-hmm.
Thomas: It’s not the lazy ones because the lazy ones will, if anything, see that as an excuse.
Why getting their stuff done takes forever. And then they will complain about all the hurdles you as an employer have put in their way. They, as the ones that actually, so to speak, breach the internal policies are the ones you want to keep. Because those are arguably the ones that are like, well, but I want to get this done, uh, uh, nevertheless, and I want to do it in a smart, efficient way.
Um, and then they, funnily enough, they breach your policies, but in the best interest of you, the company, right? But of course, the
Josh: Hm.
Thomas: with that is that, that, that you have just put your information that you wanted to protect in the first place at a much higher risk, right? So it’s kind of like absurd, uh, uh, in, in, [00:19:00] in on even two dimensions I would argue.
Josh: Yeah, that’s an interesting thought too. ’cause it, and then it also puts your high performer at risk because they’ve, they’ve broken the company policy, right? And so now you have to have a conversation with arguably one of your really awesome employees about having broken policy. And now does there need to be some sort of HR reprimand against them for that?
Thomas: Exactly. Precisely, precisely, right. So you might have these kind of like, super driven, super, uh, uh, super, uh, uh, you know, uh, like takes, takes a lot of initiative, sees a problem, I don’t know, comes up with this, this smart idea to put together a custom GPT for the whole team to use, made the team 50% more productive, might have to be fired by HR, using a bunch of unapproved tools. Even though it just saved the company, uh,
Josh: Hmm.[00:20:00]
Thomas: Right. And of course these are now extreme, somewhat
Josh: Yeah. Yeah, yeah.
Thomas: but I think it, it, it’s more to kind of like show that, uh, uh, uh, uh, there is really, uh, it is really funny to operate in cybersecurity, so to speak, in the real world, right? Having such a role
Josh: Yeah.
Thomas: within an organization.
I think especially too in the financial industry where the industry as such claims that it cares more about security, but I would argue they do not necessarily do many more smart things that actually make things more secure. They mostly do way more. For them to be compliant
Josh: Mm.
Thomas: uh, uh, uh, uh, paper. Right?
And then tell the world about the great bank-level security. Uh, you know, I don’t necessarily think bank-level security is a good thing because it’s certainly a very bad trade-off between productivity,
Josh: Yeah.
Thomas: security. And I think you mentioned that term even earlier, and I really like it, [00:21:00] which is about security on paper.
Because whenever I got upset, you know, and I had to talk to a fellow cybersecurity, uh, uh, expert, that was more, you know, uh, uh, uh, on my, uh, wavelength, we would always together a complaint about security officers that basically are just doing what we call paper security.
Josh: Mm-hmm.
Thomas: you know, on paper they delivered.
Right. They also got their ISO and PCI DSS certification because they could present all the policies and the evidence. But I was always convinced, uh, they are now not harder to breach than any of the other players that, uh, might have not done that. Right. Because at the end of the day, it comes down to, uh, yeah, as we said in the beginning, taking the right smart technical measures, but combining that with what is these days known as information security awareness, which is to actually take your employees on a journey and teach them rather than to write up a policy and shove [00:22:00] their policy down their throat.
Josh: Yeah. Yeah. You know, um,
like you were saying, I mean, like, this is so, there’s so many dimensions to this. Um, and, and policies I, I find personally just really fascinating, right? Because to your point, like sometimes there’s policies for so many different reasons, and sometimes it’s the, the good old fashioned, um, you know, CYO uh, or CYA, like cover your ass.
And I, I, as you were talking, I was literally thinking about, we were at, at a conference, uh, earlier this year at, uh, a resort in a, a, a tropical location, right? And so I brought my family with me and my son would’ve been, you know, a little over three and a half at the time, right? And they had one water slide [00:23:00] in the pools there at the resort.
And Thomas, this is one of the silliest little water slides I’ve, I’ve seen, right? I mean, it’s nothing intense. And mind you, we had just come back from, uh, another conference, uh, at Disney World a couple of months earlier, and they’ve got a whole waterpark with these intense water slides and all of this that my son had been doing like crazy.
So we go to go do this slide. We get up to the top of the slide and you know, the, the, the young person running the slide was like, oh, where’s his wristband showing? He met the height requirement. I was like, oh, I didn’t know I needed one. He’s like, yeah, you know, go to the, the pool desk. Go ask him for one of these.
He’s like, great. So we go down there. I ask him for one, they’re like, oh, we have to check his height. I was like, okay. I mean, sounds good. We go over. I, I am promise you, I am not exaggerating. He was under the height requirement by like two sheets of paper. I [00:24:00] mean, we’re talking like he was a bad hair day away from being on top of that, and he was so close.
That they had, like, all levels of managers come and double check this. And ultimately they made the decision that he was too short and could not ride it. And I was like, are you kidding? Like two sheets of paper is gonna make all the difference in the world for this kid and his safety on this. Um, you know, and, and initially like I immediately wanted to turn into that parent.
That was a total nightmare to deal with. And one of those crappy people that just like made a scene out of it. And then I was like, no, you know what I, and then it hit me, right? And it’s exactly what you were talking about. That hotel had a policy and the policy said if they’re under the height, we could get sued.
If anything happens, for liability reasons, you do not let anyone on that slide. And they just ingrained that into their staff and said, this is the policy. There are no exceptions. Period. End of story. And that was that, right? And we just said, okay, sorry buddy. Like you don’t get [00:25:00] to ride the slide. It is what it is.
And we went about our business. Right? But again, you think about it like, what would’ve been the real and true risk of him riding that slide? It was probably zero, right? But that policy was in place to protect them. It was in place because of, you know, maybe there’s a backstory behind this, and maybe they did have a kid that was, you know, a little bit short and got hurt and the family sued, and now they have a process in place, right?
So there’s so many layers to these different things. And, and it is, it’s that balance of, okay, is this policy for policy’s sake? Is it policy for liability’s sake? Is it policy for CYA? Like what is the policy for, or is the policy genuinely making it. So that we’re looking out for the best interests of the safety of the kids riding this slide.
Right. Or to your point, is this policy really designed in a way that is gonna encourage proper safety [00:26:00] behavior when dealing with technology from our employees? Or is it so that we can show our regulators like, yes, we have the cybersecurity policy that says our employees never, ever use Google Meet. Haha, we are safe.
Thomas: Yeah, exactly. Yeah, exactly. That’s, that’s that, that’s my point. Right. And, and of course even the person that probably wrote up, uh, that policy or I don’t know, the consulting firm that was paid to write up their policy right, from a template they used with, uh, 10 other banks before, of course.
Josh: Tell me how you really feel, Thomas.
Thomas: You know how it goes. Right? Um, um, um, and, and I’m not even saying that there is no good intention in
Josh: Yeah.
Thomas: A lot of the stuff that is written in policies about security checks out, right? It, it, it, it, it makes sense. You can read it, you can understand it. But the thing is what I think sometimes is missing in the cybersecurity industry, at least over the [00:27:00] time I spent in that industry, I don’t think it has fundamentally changed in the last five, six years that I focus more on other things.
Now, it’s just that there seems to be kind of like this, like lack of balance, right? They try to really do it in a one zero approach. It’s either according to policy or it’s not. And then there’s very little kind of like room for reasoning, uh, uh, uh, in between. And that is the part. That I was, uh, yeah, always, uh, uh, or potentially sometimes a little bit frustrating, uh, frustrated.
But that wasn’t ultimately the reason why I, um, uh, you know, left, uh, uh, that part of the, uh, career, uh, behind.
Josh: Yeah, I want to get to that. But you know, I think, um, one of the other things that when you think about something like a cybersecurity policy, right, is, you know, I don’t mean to be rude about it, but a lot of times it’s written for the lowest common denominator too. Um, it’s kind of funny timing. I mean, literally just last week, Thomas, I finished my annual like [00:28:00] cybersecurity training for our organization.
Right. And um, and, and I actually think that the, the program we used this time around was really solid. And there were a couple of things that absolutely made me question be like, oh wow. Uh, like I don’t think I actually would’ve thought of that, that that was a really good piece of information. But then there were absolutely things that, you know, come out of the training where I’m like, holy smokes, does somebody really fall for that?
Like, is somebody really dumb enough to do that? And the answer is yes. You know? And that’s why these criminals are so successful, is because yes, like, and sometimes it’s not, you know, again, I, I make a little bit of light at, you know, is somebody dumb enough to, to do that? But sometimes we’re just moving fast, right?
Sometimes we’re just moving fast and you’re not using the appropriate part of your brain to, you know, analyze the scenario that you’re in. And we make mistakes. And you know, I think you can probably attest to this, right? I mean the saying, look, we’ve gotta get it right a [00:29:00] hundred percent of the time. The bad guys only gotta get lucky once like, and they’re just trying to get lucky once over and over and over again across different threat sources and they win.
Thomas: That is, that is actually very, I think a very, very strong point you’re touching on because, you know, I always like to make the joke. Um, that is like, why is phishing still happening? And the simple answer to that is because it works, right? And, and the thing is, it scales incredibly well on the attacker side, you
Josh: Yeah.
Thomas: attacker it’s totally fine.
If only, if substantially less than 1%, it’s enough. If 0.1% or even 0.01% fall for it because it costs you
Josh: I.
Thomas: nothing. Uh, if you do it in a smart way to basically set up your phishing campaign,
Josh: Yeah.
Thomas: you might totally hit the jackpot as the fraudster. If you only got one [00:30:00] person to be, uh, the dumb one, or let’s just say, uh, uh, the one that was currently not in the right mind space to, you know, have the capacity to think about it long enough, right?
Josh: Yep.
Thomas: all been, uh, there that certain, uh, you know, especially certain maybe applications that even teach us to basically keep clicking on next, right? Because we just want to get to the, to the end of it. And people are not necessarily well trained in reading everything carefully.
Josh: Mm-hmm.
Thomas: be in a rush, it’s just like five minutes to the next meeting. So I also feel like, um, sometimes even if somebody falls for it, and this was also a big conversation I had with many colleagues in the field, um, you need to be careful often also not starting to do finger pointing, right?
When it comes to kind of like the human factor. Because a lot of companies these days love to run these phishing campaigns. And I’m not per se against them, but I [00:31:00] think it’s crucial that if you run a phishing campaign, you know, as an awareness, uh, uh, uh, tool, uh, that you then use the results out of that carefully.
And you really have to think carefully, whether you then kind of like, you know, if and to what extent you expose the people that fell for it,
Josh: Mm.
Thomas: Because they’re not necessarily, you know, so to speak again, the dumb ones. Even though in that very moment, if you look at this kind of like, as an incident, you know, in a, in a box, you are like, how on earth, right?
Would possibly somebody fall for it? But yeah,
Josh: Yeah.
Thomas: I would say many factors, uh, at play. And if you don’t consistently kind of like, you know, train this behavior, and I think security awareness is all about telling people in a way that makes sense to them, in a way that speaks to them. And then tell them that you told them. Over and over again. Right. So that this really becomes kind of like, you know, uh, uh, almost muscle [00:32:00] memory, so to say, to spot a, a, a phishing email. And it’s not an easy thing to do. Right. It’s, it’s hard.
Josh: You know, I’m, I’m glad you said that, um, because that’s such a good point. I mean, we’re all human and we’re all capable of making mistakes and just because I didn’t fall for it this time or just because I don’t fall for it, 99.9 with a monster set of repeating nines after it, you know, percent of the time, don’t fall for it.
All it takes is that one time. And yeah, if, if I’m really, really, really, really good about my cybersecurity posture and everything, but for whatever reason something is happening in life that causes me to be the one to fall for at that time. Right. Yeah. That doesn’t mean you’re a dummy. It just, it means you got, it means he got caught that time.
But that’s what’s so crazy about it, right? Thomas is, that’s exactly what the fraudsters are banking on, is they’re like, Hey, look, you know, Josh has [00:33:00] never fallen for a scam in his entire life. He’s really, really thought. But all it would take is one, all I have to do is get him once. You know what I mean?
You’re like, gosh dang. You know what? It’s crazy. I, uh, I think I’ve even told this story before, but, um, kind of a wild story actually. So our CEO. A fraudster tried to get him, right, and he ended up. I mean, he spotted it right away and somehow ended up kind of having this conversation with the fraudster that escalated to the point where he actually got on the phone with the, like, head of that little fraud ring and, and our CEO was livid.
And he was like, look, dude, like you’re kind of a piece of crap human. Like you are doing this to people and you’re capitalizing on them in their worst moments. And you know, you could be taking money from an elderly person who that’s the only way they’re [00:34:00] able to pay for food. Like, how do you sleep at night?
And literally, Thomas the conversation devolved to where this person was telling our CEO. He’s like, Hey, look man. Like I run this super simple scam over and over and over again. I’ve got like 10 people that work for me. I pay ’em all pennies on the dollar I make, you know, on average a couple hundred thousand dollars a month that obviously is tax free.
’cause I reporting this and, and he goes, look, and what are you going to do? Report me? He’s like, I’m a small fish in a big pond. Ain’t nobody coming for me. And he was just completely unabashed about it. Couldn’t care less. I was like, nah, yeah, I am a piece of crap. I am frauding people and I’m taking their money and I’m happy to tell you that to your face and I’m good with it.
’cause I’m gonna keep getting away with it. I’m making a ton of money and it’s really easy to do. And he was just running phishing [00:35:00] scams and it’s like, man, how sad.
Thomas: Yeah. But also, how do you argue with that? Right.
Josh: Mm-hmm.
Thomas: if there are people, uh, uh, uh, on this planet that, uh, that, that, that don’t have, uh, even, uh, the slightest notion of a moral compass, then yeah, it’s hard also to, to to reason with them, right? Even if you speak to them, uh, uh, uh,
Josh: Yeah. Yeah. So what are some of the things that you’ve kind of thought through as well? Okay, so interesting. So let’s shift gears a little bit. So, right, so you go from being a CISO to, you know, starting your own company. So you know, now you’re the CEO of your own company. How do you think through cybersecurity policies for your organization?
Like any tips and tricks for, for our listeners, I guess.
Thomas: yeah. Sure. Um, um, well, I don’t, I don’t know how useful they are, but I, I, I try to, uh, walk you through, [00:36:00] through them, nevertheless, because you are, you are right in way. It’s funny, right? Because of course, now I’m in the position. I mean, of course, as a CSO already in the past I was in a position to kind of like try to make this trade off and call some of the shots.
But of course, ultimately I was an employee and I had to deliver on what of course, senior management also wanted at the end
Josh: Yeah.
Thomas: If the CEO, I was, uh, uh, reporting to our, used to report to the COO, uh, but kind of like same, uh, same difference, right? So if they wanted to do something and they just wanted it for the, for the sake of, uh, wanting it, then of course there’s not a lot of freedom I have, which is, uh, substantially different, uh, uh, uh, uh, in my situation right now.
And that also means, well, first of all, I think I had the luxury of when, uh, because what we then built is like a technology company, right? We are a software as a service company, so we are a product slash technology company. And I think that gives you somewhat [00:37:00] of an advantage in the early days because of course you would anyway try to pick, you know, the right engineers, the smart engineers.
And I would say generally speaking, a lot of the engineers that I would label as the smart ones typically also have a fairly good understanding of, uh, security. And that probably comes almost kind of like inherently with more security and more security, uh, awareness. However, as we then of course also scaled the company, so we are right now a bit more than uh, 40 employees.
And also as we expand into more and more markets, and by the way, the customers we serve are banks, of course, also sometimes the formal requirements these banks have have increased. So some of our customers, even though we try to be smart about not even receiving any really sensitive data from our customers, nevertheless, sometimes just as a matter of principle, they ask us to show our certification against the, you know, well-recognized standards such [00:38:00] as ISO 27000, PCI DSS, SOC 2, you name it.
Right? So unfortunately, I have to admit, we also then. Had to put a bit more resources and effort on achieving those formal certification because otherwise we realized that even though we would get a, a bank interested in our product, the conversation might just stop by somebody in procurement not being willing to open the gate just for the lack of a piece of paper. And so this means, of course, we also in that context, had to produce. Paper. Right? Again, we also, I had to also little be, even be the one to push for some, uh, paper security. But of course with my background, I think, uh, probably different for most other companies. We didn’t go from have, let’s have no policies to have like 25 policies and focus on just, you know, writing policies for the sake of policies.
But, but [00:39:00] already when writing the policies, constantly questioning whether what we write there is, uh, a, something we actually are willing to implement. And b, equally important, something we truly believe actually will improve the security posture of, uh, the company. So I think that’s our take on policy.
And
Josh: Yeah.
Thomas: you have to be willing to spend a lot of time on it, right? Because a standard like PCI DSS will be quite detailed in certain areas. Just to pick a random example. I believe the notion of password aging is total nonsense, right? You don’t achieve stronger passwords by asking people every six months to change their password.
It’s a huge misconception that is in the industry. That, at least until recently, was also a hard requirement in PCI DSS, uh, but I would never accept that in a policy that our company would write. But then you have to be willing to, uh, [00:40:00] also set yourself up for explaining in more detail to the auditor why you go for a compensating measure in your policy instead of just copy pasting it off, uh, the standard, uh, so to say.
Josh: Yeah.
Thomas: we, at least as a company, I think we are, uh, uh, willing to do that, uh, because, um, yeah, I’m just not okay with. Writing something in the policy that already at the moment I put my name under the policy Right. As, uh, the CEO ultimately, where I already know, we as an organization are never going to really implement it the way we have written it there.
Right. But I can tell you a lot of, uh, companies, including banks, do exactly that, right?
Josh: Yeah. Yeah. I mean, that’s kind of a hard conversation and I, you know, as you were talking about, it makes me think too, you, you’re so right that there are some of these like big bodies that [00:41:00] have gained so much kind of notoriety, and I hate to say it, but like goes back to the CYA policy of, Hey, did you do your due diligence on, you know, Rivero?
Do they have, do they have SOC two compliance? They do. Okay, then they’re, then they’re secure, then they’re good. Right? And it’s like. Does that really mean that anymore? Right. You think about the, the speed at which the threats change and the speed at which innovation happens in technology. And do those giant governing bodies, do their policies update in real time to actually, again, create correct postures of cybersecurity?
Or do they just create really good policies? And I would argue there’s probably a little bit of both, right? They probably do a really good job in some things, but there’s also probably some things that they miss and then, you know, how do you push back against that and how do you say there’s alternatives?
So if somebody says, you know, Hey, we [00:42:00] wanna see that you have whatever, let’s just call it, you know, document A of their cybersecurity policy, and you’re like, actually I don’t, I have. Document B, document B is actually better and it’s created a better posture of security for our organization. And we are more secure because we do process B than A.
But the bank says, yeah, I don’t care. My regulator says you need to have a, if I’m gonna buy from you. So I need you to go ahead and create a policy A, and then to your point, you’re like, okay, great, I’ll create a policy A, and I don’t know, maybe this is, you know, a little taboo to say on recording, but you’re like, Hey, I’ll create policy A so you can see it, but I ain’t never gonna follow it.
We’re still gonna follow B because it actually makes us better and safer. But hey, you need policy A, so here’s policy A
Thomas: Yeah. That is exactly how the game, uh, how the game goes. Uh, uh, uh, uh, of course I have never done that in my whole life, [00:43:00] obviously. Right? I
Josh: of course.
Thomas: never, not, never do that. Right. Um, but, but this is the thing, right? But at the same time, this is also not me, kind of like, you know, calling out, uh, certain kind of security standards to, to be nonsensical.
I do believe there is value in certain things being put in standards. Exactly so that if somebody in procurement kind of like, you know, does vet us for example, as a supplier, that we don’t have to ideally answer every bank’s, you know, 250 question questionnaire individually. But we can also just tell them, look, we are ISO, SOC 2 certified, and they’re like, okay, it’s great.
Right? So I get it that in business it can also be a good thing in an enabler, but just something we basically just as a principle for ourselves said like, look, we are, we are really, of course we want the certification and we might have to [00:44:00] also then be open to maybe do certain things. Uh, but really do them not just write them
Josh: Mm-hmm.
Thomas: policy that we are not necessarily fully convinced of, that it really adds all that much value.
But, uh, uh, uh, uh, but ultimately you really should start from looking at it from a way of, well, trying to mostly write and define in your policies the things that you deeply believe in. And what I deeply believe in is, of course, to try to not give people too many permissions that they don’t need for, for their work.
It’s of
Josh: Yeah.
Thomas: crucial to review, especially privileged permissions on a regular basis. It also makes a lot of sense to do awareness training. You just have to do it in a right, smart way and not your boring, you know, e-learning that literally everybody finishes in five minutes because they just press next until there’s a question, and then they press back five times to get the answer to the question and go forward again.
[00:45:00] Right? So you have to really make an effort to basically teach, uh, uh, uh, security awareness. And of course these standards ask for that. And, and I think that’s a good thing. However, where I think standards often take it too far is, for example, something like PCI DSS that tries to be, in already the standard, as explicit as trying to define what makes a password a good password in terms of, you know, like min/max length and stuff like that.
No, let that, you know, that you have to leave to the, to the actual company, uh, to decide what is the right strategy. And let’s face it in a perfect world, and I hope we get there in a couple of years from now, we, we shouldn’t have passwords to begin
Josh: Yeah.
Thomas: passwords are inherently broken. Uh, so it’s, it’s not a concept that actually works right.
Josh: Yeah. Yeah. I mean, that’s a, I, that’s a whole nother topic in and of itself is just, you know, the problem with passwords and, you know, [00:46:00] I, uh, I’m glad you kind of made the pa comment too. ’cause I feel like, you know, I, I feel like an idiot when, you know, a system asks me every month to create a new password and it’s like, man, when I create the first password.
I use a phrase, it’s long, it’s complex, right? I use as many characters as I possibly can, man, by like month 12, I’m outta idea like, I’m like, people would like to think maybe I’m creative, you know, I’m a marketing guy and all of these, no dude, I run outta creativity and by the end of it it’s like password.
1, 2, 3, 4. Okay. Because it’s all I can remember at that point. And then I keep locking myself out of the system because I forget what, you know, the 12 times I’ve changed the password is so it just keeps getting simpler and simpler and simpler, right? Until you realize you’ve gone too far and you’re like, ah, cru, I gotta create another complex one.
Like I’ve gotten too simple with this, but you know, it, it’s [00:47:00] again, it’s how do you create policies that actually create the right behavior versus just check mark a box? And I think that’s a challenge.
Thomas: Yeah. It’s a, I would even go as far as saying like, there is no policy that will ultimately create that. There’s only, of course, you have to write it in a policy also because of compliance reasons, because of certification reasons. But ultimately, if you really deeply care, then you need to be willing to also invest enough time, uh, to, to basically come up with an entertaining form of security awareness training.
Josh: Mm-hmm.
Thomas: so you have to start, even though it might be obvious to people like us, right? Uh, you have to really start by telling people why it is important in the first place, right? Right. Why security, cybersecurity, even matters. And ideally, don’t explain that by saying, because the, the data of the company is so important, just make it personal to them, right?
Because all the things you [00:48:00] should basically do at the workplace in terms of security, guess what? You should do them in your
Josh: Mm-hmm.
Thomas: well, right? You
Josh: Great point.
Thomas: leave the laptop with a personal e-banking logged in, uh, on the table at the cafe, right? Not just the one from the company. Right.
Josh: Yeah.
Thomas: might have a lot more money than the other one, but I think you get, uh. You, you, you get my point. And so I think it’s all about kind of like making it more personal. And my experience is whenever you do that, people might even be appreciating of it because they’re like, oh, I just learned something.
The first thing I’m going to do when I get home is I’m going to change a lot of my passwords that I use, you know, for my Spotify or for my personal, uh, uh, online banking or for my trading account because I just wasn’t aware of, I don’t know how sophisticated an attacker might even, you know, circumvent the strong password or two factor authentication.
Right. So, um, but yeah, it’s hard, right? It [00:49:00] also, and that’s, uh, maybe also why I think this generally in the industry is done poorly, because I would say your average security officer is typically not a great, how to say, uh, teacher, educator, but in order to do good security awareness, that’s kind of like what you have to be, right?
You cannot just say like, well, but I am, uh, technically, you know, the in-house police and here are the rules and I expect you all to adhere to it. And security awareness becomes a thing of explaining policy, right?
Josh: Huh. I like the way you say that. I mean, that’s, yeah. You could have the smartest CISO on the planet on your staff, and they could be a hundred percent perfect their entire life and never, ever fall for anything or do anything wrong or anything that compromises the company or its data. But if they’re not good at [00:50:00] distilling down.
That posture to the rest of the organization doesn’t matter how good they are. You know, Tom from accounting opens up a phishing email and dumps in the company’s banking creds and you’re done.
Thomas: Yeah, exactly. I mean, guess what? The attacker is probably smart enough to not go after the CSO as their target. Right.
Josh: That’s probably true too.
Thomas: great, it would earn them great bragging rights if they would do so. Right. But that’s probably not, uh, not what they, uh, are after. So they are in fact, and the funny thing is that even already as a company as small as ours, right, like 40 employees roughly, we already see the first cases of uh, you know, fake president fraud attempt.
Josh: Mm-hmm.
Thomas: employees that join the company, especially new joiners, receive emails where the attacker pretends to be me. Now, so far, this is when like [00:51:00] people laugh about that because you know, we are close knit team. They will already detect, uh, this to not be me because of the type of way I talk or like I type right when I say something.
The funny thing is, anyway, we are one of these companies. The only reason why we have email accounts is because our customers banks use email internally. We do everything on Slack. So
Josh: Mm-hmm.
Thomas: an email from somebody claiming to be Thomas Müller already gives you enough. You need to know I will never send any employee an email. Because we don’t use email. Right? So, so, but, but of course now still, if the company grows from 40 to maybe eventually 400 people, will you have then somebody within the
Josh: Yeah.
Thomas: nevertheless, right. Unless you have trained them well, that will totally fall for a fake president. Fraud. Of course, you will.
Right?
Josh: Yeah.
Thomas: to scale probably the efforts you make in this area, uh, uh, along the lines of, uh, yeah. How the company [00:52:00] grows and how diverse, how much more diverse, uh, uh, uh, yeah, your, your employee, uh, base is going to be.
Josh: You know, that’s funny. I, I love seeing those too. ’cause it’s like, you know, when, when I started here, we were a lot smaller than we are now. And even then, I mean, I talked to our CEO probably, you know, 50 times in a day and, and have known him for now over a decade. And, um, and I, I absolutely love him because he’s just, he’s such an interesting personality, right.
He’s such a funny guy and like the way he communicates and everything is so unique. And so it is really funny when you get these, you know, people that try and spoof him and I’m like, I’m just dying. I’m like, oh man, you’re so far off the mark. Like, I can smell that’s not Siva from 10 miles away. But to your point, right, like as an organization grows, like it’s more and more difficult because people just aren’t necessarily as close to that or don’t understand the personal [00:53:00] nuances of that.
But, you know, in a small organization, yeah. I mean, even just some of the, the protections that you’ll have from that is literally just, Hey, our staff knows Thomas well enough to know that like, you know, he would’ve sent, uh, if he’d sent that email, he would’ve included a poop emoji, right? And like, no hacker is gonna put that in there.
’cause they’re gonna be like, no, no, no. The CEO would never do that. But your staff is like, oh yeah, yeah, no, our CEO totally would do that. Right? So it just, you know that that in and of itself can help with your security posture in the smaller stages. But you know, I think that’s where, going back to our conversation around policy becomes, is at a certain point you do, you almost have to have a document because it’s not like the staff just talks to Thomas 10 times a day and knows how he communicates.
And if you really wanted them to go buy a bunch of Google Play gift cards for a prospect, like you’d probably just ask ’em in a meeting and they would see you do it and talk about it. Right? You would send ’em an email saying, this is your CEO Thomas and I need you [00:54:00] to do an urgent matter for me. They’re like, no, dude.
No. So obviously, I mean, this is something that you’re super passionate about, so that’s what I think makes it even that much more curious to me that you’ve almost kind of abandoned this personal passion. And what’s been your career passion now to focus in the payments space? Why?
Thomas: Yeah, I think that’s an excellent question. Um, uh, uh, I think you quickly mentioned it in, in, in the intro. Um, well, I, uh, uh, ended up joining a large, uh, payments company, um, here in, in Zurich, Switzerland as their Chief Information Security Officer. Of course, they did hire me in order to, uh, improve the security posture. Uh, and I also, uh, I hope that is what I ended up, uh, doing, but what also happened at the same time was that I was kind of like, I, I, I got, uh, dragged into the whole domain of payments, especially [00:55:00] consumer, uh, payments. And if you would have asked me, probably after the first few weeks of joining, I would have probably said what most people would say about payments.
That it’s like, kind of like a somewhat boring topic and also kind of like, how hard can it be, right? I mean, I use my card, I pay for it. What is the big deal, right?
Josh: Yeah.
Thomas: And so I learned pretty quickly that uh, uh, this couldn’t be further from the truth, but first of
Josh: Hmm.
Thomas: incredibly complex. What really happens behind the scenes if you happen to just tap your card or your Apple Pay or your, uh, Google Pay at the terminal, or you, you paid for something on, on, on online. And, and, and also like, you know, how important, uh, uh, payments are for the lives we all, uh, live, right? Probably doesn’t go a single day where we are not paying for something these
Josh: Yeah.
Thomas: typically, at least, uh, uh, once, probably by the time I arrive at the [00:56:00] office, on a normal day, I have already conducted two transactions, right?
Maybe one at the bakery and another one here in the building to get a coffee from our, uh, from, from the barista next door, right?
Josh: Yep.
Thomas: so, um, and, and that I think really, really got me super excited about everything payments, and that is the love part of maybe the love-hate relationship I then happened to, uh, grow into working for the company.
The more hate part of it was that whenever somebody within the company, or then at a later stage also maybe me, because already there I ventured a little bit outside of my core domain of security, more into also the more product related, uh, domain of that company. I always found it extremely
Josh: Yeah.
Thomas: that whenever a good idea was raised, it
Josh: And.
Thomas: immediately shut down, either by kind of like the internal IT that we would be working with or, uh, even more often so by the suppliers that the company, uh, relied [00:57:00] on, right, in order to make that happen. Because like what a lot of people, uh, uh, don’t know about payments. And quite honestly, I also didn’t know that, uh, uh, until I joined, uh, this organization, is that a lot of banks that put out a card have fairly little to do with the actual processing of the transaction if you use the card. That’s quite often sourced from an entity we usually refer to as a third party issuing processor. Um, and, and these companies, or most of those companies in the domain, are just incredibly kind of like, they’re kind of like dinosaurs, right? They’re like large and super important. And they certainly do a great job in terms of kind of like reliability, you know, making sure that this works 24/7 without any downtime.
But they are terrible at innovating
Josh: Mm-hmm.
Thomas: terrible at innovating both in terms of just, you know, proactively innovating. But also they are really, really terrible at providing, uh, uh, you know, the things that their customers asked [00:58:00] for. And I think this was then really me realizing, wait a moment, how can it be that this industry as a whole is successful, even though most of the banks, uh, uh, are so kind of like dependent on those suppliers that very often, from my point of view at least, are not meeting their needs.
And so, uh, uh, that probably combined with being lucky enough and you have to sometimes get lucky in your life of meeting my two, uh, uh, uh, co-founders working at the very same company at the time, and us sharing, I think this love hate relationship, uh, uh, uh, on payments. Then yeah, ultimately led to, uh, uh, the decision of, uh, yeah, just trying to build a company that would, and that is what we now do these days, uh, uh, uh, uh, become a supplier to exactly these issuer banks, but try to do that in a much better way, uh, uh, as we have, [00:59:00] uh, seen that the, these players doing that, uh, basically, um, yeah, to us when we were employed, uh, with that, with that company.
So I would say it is, um, in a way, yeah, also a little bit born, uh, out of the frustration of working, uh, with, uh, so to say the established, uh, suppliers in this space.
Josh: Yeah. Well, I think that’s, uh, kind of a relevant tie too to just how we think about payments in our own personal lives, right? I mean, yeah, to your point, I mean, how many payments and money movements do we make in a day? It’s probably a lot more than people care to admit, but, but it’s also because there’s so many different ways to use and move money.
But it’s because the fact of the matter is, is that, you know, whether we like it or not, the world revolves around money. It does. And so that is how we transact and survive in this modern society. [01:00:00] And you’ve gotta be able to access and move your funds as and when and where needed. And you know, there’s so many different ways to do that anymore, right?
Even just thinking about, um, you know, moving money around accounts that you own, moving money to other people’s accounts, moving money to pay bills, moving money to merchants, to purchase items, to, you know, opening it up to, hey, if you know you and I wanted to send money to each other, how would we do that across borders?
And I mean, the layers of complexity to this thing, to your point, like once you get in and look under the hood, I’m gonna make a little crack at you here on this one. You know, this is like looking under the hood of a, you know, a German sports car. You’re like, goodness gracious, this thing’s complex. Like, who the hell engineered this thing, right?
Like, um. So, you know, as you look [01:01:00] into it, you’re like, oh my gosh, there’s a lot going on under the hood to make this all happen. And to your point, like we just, we expect it to work. I just expect that every single time I go to the coffee shop to buy a coffee that my card works at the point of sale.
Anytime I want to, you know, pay a bill, that that money moves as I told it to. And the only time that we really care is when it doesn’t work.
Thomas: Yeah, exactly. Exactly. Either when it doesn’t work in that very moment, or if something then actually turned out to be wrong with the transaction you, you, you did. Right. Um, which I think is another quite important, uh, uh, uh, aspect of, of payments. But of course, you’re right. Like first of all, you care about it simply, uh, working. And I think people are also internally rather, uh, kind of like unforgiving about that, right? If I try to pay with a card of one bank and it doesn’t work, I mean, I’m probably immediately going to switch right away to, uh, the [01:02:00] card of, uh, of another bank, right? So you better get this right, uh, the first time around, otherwise you will, uh, yeah, not be the bank, uh, over which this, uh, transaction was conducted.
Josh: Yeah, you know, I, I’ll steal a joke from a, a colleague friend of mine. Um, you know, uh, in, in the world of like payments and money movement, it’s really not that big of a deal to get it wrong. Like most people don’t mind if you run their mortgage payment twice. Said no one ever. Right. And like, um, you know, you think about, um, you know, I’m not sure you know what it’s like in Switzerland, but you know, in the US I mean, I think the statistic is still something like 60% of Americans live paycheck to paycheck, right?
And their mortgage is probably their single greatest single expense in a month. So yeah, you run somebody’s mortgage twice, there’s issues, right? And all of a sudden we’re facing, you know, there could be [01:03:00] zero or negative money in their account. They then default on other bills. They’re not able to purchase the groceries that weekend that they need for that week’s, you know, lunches for their kids at school.
I mean, we’re talking serious ramifications because again, our lives revolve around money. So yeah, to your point, like as long as my mortgage processes every single month appropriately, um, I don’t really care. But man, I tell you what, I log in one day and I see that somebody just. You know, screwed up no big deal and ran it twice and now I have no money in my account.
Like we’ve got greater issues. And so, um, you know, and then even just talking about the, the whole conversation we’ve had leading up to this, you know, what happens with fraud and, you know, payments fraud is a massive, massive problem today. And, you know, then it’s not even just about the phishing scams, although that’s a big part of it, or the account takeover scams.[01:04:00]
Um, you know, everything from, you know, somebody putting a, a skimmer on a, you know, ATM or a gas station pump and getting your debit card credentials and you know, then you log in the running joke in my house, Thomas is um, uh, I remember the first time after my wife and I got married and we combined all of our bank accounts and everything and, um, I remember logging in one day and seeing a transaction.
I called her and I was like, Hey, I’m pretty sure I know the answer to this, but we’re newly married. Like, maybe I’m wrong, but did you buy $400 worth of Crocs online? And she was like, Nope. Definitely did not. Right. Fraudulent charge on the card. So then I have to go through the whole process of, you know, talking to the financial institution saying, Hey, this was a fraudulent charge, neither my wife nor I just bought $400 worth of Crocs online, although now I have two kids.
So now actually $400 worth [01:05:00] of Crocs actually probably would be a, a, a charge that you would see on my account now. But, um, you know, and then, you know, canceling that card and, and all of you know, the pain that came through that, and then the inability to access funds because that card had been compromised and all that goes with it, right?
Like those are the types of things that, you know, I don’t think the average consumer really thinks about, and when you were talking about, you know, maybe I can put some words in your mouth, but the love hate relationship of payments is just like, it’s pretty cool what that actually all does. And it’s pretty cool how these complex systems work, but yeah, when it doesn’t work, the pain is really real.
Thomas: Yeah. Absolutely. Absolutely. And it’s also, uh, yeah, interesting that you pick that example, right? Because I believe that, um, also, I think a lot of consumers, when they then even, you know, make a [01:06:00] choice about maybe the payment method they actually choose, in that moment think quite a little about whether the chosen payment method is essentially one, uh, that protects them well, uh, from it.
Right. Um, and then maybe just to make an example. So whenever basically, you know, I talk to friends and family, of course, now I’m not only like a cybersecurity nerd, but also a payments nerd. So I can’t help myself to try to give people good advice about kind of like how they should pay, right?
And what I keep telling people is, whenever you are in doubt, especially if something ever so slightly looks dodgy, always use a card. Always use a card from one of the big brands, you know, your MasterCard, your Visa, your Amex, and ideally use a credit card. And now the reason I tell them to do that, it’s not because [01:07:00] the card is more secure. Funnily enough, the card is less secure. But because the card, especially online, is less secure, it is more likely to be compromised, right? You punch in your card details at a merchant. The merchant has a data breach. Somebody steals your card data, sells it, uh, basically on the dark web, and somebody uses it, right?
Most of us probably know how this all works together. Um, but because it is like that, um, these big payment schemes have put in place a lot of consumer protection rules that in the end will lead up to, ultimately, in the real world, more security for you, right? Because have you ever tried, if you by mistake did a wire transfer to a bank account, to get your money back? You will suffer, right?
It’s in most cases, most countries, most interbank networks, not possible at all. You have to basically ask the person on the other side to be so [01:08:00] kind to wire that back to you. But cards have the notion of disputes and chargebacks, and so they are of course coming, arguably, partially out of the fact that, especially when it comes to fraud, the card is less secure. But because the card is less secure, that kind of like absurdly makes it a greater choice for you as the consumer, because if something goes wrong, you are incredibly well protected right now. Back to your point, banks in general are probably not yet great at making that moment a great customer experience for you, to make it super simple for you to claim your money back. Right? And maybe you have to fill out a clunky, uh, dispute form. But nevertheless, already the foundation is super strong because these rules are being put in place, and they’re not being put in place by your bank, but by MasterCard and Visa and Amex, right?
So your bank has literally no choice other than helping you. [01:09:00] And that’s a great thing, and a lot of people are not aware of that, I feel like, especially in Europe. I always was under the impression that maybe in the US people are already a little bit more aware of the protection that they have when they do use a card for payments.
But this might now be one of the misconceptions, you know, like from a European to somebody living in the US.
Josh: Yeah, I don’t know. You know, I’ll be careful to speak as an expert on the subject, Thomas. Um, I don’t have the data, but I can tell you just anecdotally, I mean, if I think about just my friends and family and the conversations that I have, I would say no, they’re not aware of most of those protections as well now.
And, you know, I would say it’s a little bit jaded in that, you know, a lot of my friends are in this industry. So those ones are right. But, um, just the general public of people that I talk to, same kind of thing. Like, I mean, I talk about, uh, you know, if I were to just go ask one of my neighbors who’s, you know, arguably [01:10:00] very, very intelligent in their own right, in their own field, but if I were to ask ’em something like, Hey, if you wanted to do this type of transaction or move money from this place to this place, which would be the best method to use?
They’d be like, there’s methods? I don’t know. I just, you know what I mean? Like, there’s options? I don’t know, I just, you know, tell the financial institution, like, I wanna move money from here to here, or I just do this. They don’t really think about, oh, well there’s, you know, wires, there’s ACH, there’s checks, there’s cash, there’s cards, there’s, yeah, there’s fintechs. They just, whatever is the most convenient method to do it that they stumble across is usually what they do.
Thomas: Hmm.
Josh: But yeah, understanding all of the nuances, um, is challenging, but important if you want to take a posture of, you know, making the smart decisions. Um, so I’m curious, what are your thoughts on, [01:11:00] going back on this whole conversation we’ve had, starting with the cybersecurity side of things, right. You know, I always wonder at what point do we tell consumers, look, I did everything in my power to help you out.
You just made bad decisions. And there are consequences for bad decisions. Right? And I used the example of, you know, if a person, if I walked up to you, Thomas, on the street, and I just said, Hey, I want you to give me all of your money and I’m a bad guy, but I just, I really want you to give it to me.
And you said, you know what, I’m a nice guy, so I guess I will here, walk with me. We’re gonna go over to this ATM. I’m gonna pull out a bunch of cash and I’m gonna hand it to you and I’m gonna let you walk away. And then you called your bank later and you’re like, Hey, so I did this, [01:12:00] but now I’m thinking back on it and that was fraud.
So can you give me my money back? The bank’s gonna be like, Hey, look, Thomas, I don’t know what to tell you, man. You were pretty stupid in that moment. Like, that’s on you, bud. Um, and as we start to add better cybersecurity, right, and we start to be more intelligent about the ways in which consumers are supposed to use money movement and payments tools, do you think there’s ever gonna come a point where we’re like, Hey, you know what?
Like you’re on your own bub. Like we, we gave you the tools. You didn’t use ’em, you went to the ATM, you pulled out cash and you handed it to the bad guy.
Thomas: I mean, I do believe, uh, I do believe so because, well, to a certain degree, uh, we already have that, right, for certain payment,
Josh: Mm-hmm.
Thomas: methods. I mean, of course, you know, at the end of the day, your bank is always in the position to then make, uh, a [01:13:00] judgment call based on many things that go beyond their official terms and conditions, right?
If you just happen to be, I don’t know, a longstanding customer with the bank, already your dad and granddad have banked with the same, uh, bank, you know, uh, and you are kind of like, I don’t know, moving, I don’t know, 20K over your card every single month and you never were late on your payments.
Probably they will, and arguably they should be, way more, kind of like, you know, understanding if then that one single time you did something that was arguably a little bit, uh, stupid, right? You used your card somewhere where you should have known that this was kind of like, you know, you are going to be tricked into that, but they will give you, uh, the money back nevertheless. But I would say, kind of like these scenarios aside, of course in many, um, cases, and especially I would say it’s true for card payments, you have fairly clearly defined rules in the sense of, like, [01:14:00] you know, who is liable in what scenario under which, uh, conditions. And I, uh, to get back to your question, yes, I do believe that maybe these rules will become even more precise and maybe also even more narrow, so to speak, as technology evolves, right?
Because right now, for MasterCard and Visa, and therefore also your bank, whenever it comes to e-commerce transactions, there are a lot of scenarios where it’s almost impossible for the bank to tell whether this was actually fraud or this is just you pretending it was fraud. And it’s a huge problem for banks,
Josh: Yeah.
Thomas: as then the whole topic of, you know, like authentication, strong customer authentication, multifactor authentication, biometrics, passwordless systems and so on will further evolve. I do expect this to shift quite significantly in some years [01:15:00] down the road. Because if then ultimately you have, then the bank will see in their records, well, you have approved this transaction with biometrics and with a cryptographic key that was loaded into your mobile banking app that you use to confirm this.
Uh, then yeah, probably, and again, unless you are super, you know, VIP, um, to the bank, they will probably just tell you pretty much exactly that. Look, here is the evidence. It was you; there’s no way, uh, this was kind of like fraud. This might have been somebody in your family that took your device, but that’s something you are liable for, not the bank.
Right. And so
Josh: Yeah.
Thomas: as of today. And so, yeah, I think your intuition is right. I think this will, uh, become, uh, more so in the future.
Josh: Yeah. But kind of to what you were talking about earlier, I mean, just almost short of, [01:16:00] which is, I don’t know, it’s technically possible, but it’s, you know, probably a long ways away. I don’t know. I don’t have a crystal ball, but unless we all of a sudden move to, there’s only one single way to move money and do payments, and it’s completely locked down in all of this, then there’s just too much nuance to this thing.
Right. Like, I’d be curious to see, I just, I don’t know. Maybe you do. Like what, what is a country like, um, you know, China that kind of does, you know, has, this is the forced government-issued way to move money?
Thomas: Mm-hmm.
Josh: how, I wonder what their policies look like around that. I wonder what, uh, if any, consumer protection there is.
I just don’t know enough to speak intelligently to it. But I mean, at least in the US, I mean, our systems are just too complex, right? We’re nowhere near being able to say, Hey, a hundred [01:17:00] percent of the time it’s on you, 0% of the time it’s on us. Like you said, it’s kind of a fluctuating scale based on the nuances of each of those things.
And, you know, I didn’t even think about the other thing that you brought into it, which is the whole area of, you know, the problem for the financial institutions is also like, Josh could call in and say, this is fraud. Um, you know, I did not spend $27 at Taco Bell, and in all reality I did. I was a little drunk last night and I Uber Eats-ed some Taco Bell, and I just don’t want to pay for it.
Thomas: Yeah, this is a real thing, right? I mean, to the extent, uh, that banks, uh, or also in the card industry, there are even, uh, terms for that. So you call that friendly fraud, which is a bit of a weird term, uh, to come up with, but whenever it’s basically you, um, basically either willfully, knowingly [01:18:00] pretending it wasn’t you, or you simply forgot because you were too drunk or, I don’t know, the merchant name is just kind of like, you know, doesn’t, you know, you don’t remember it.
Josh: Mm-hmm.
Thomas: the industry refers to this as friendly fraud, or what also happens more and more is that people approach their bank, you know, claiming a transaction to be fraud, but because somebody in the family, uh, has actually used the card. So we also literally call this family fraud, uh, because I mean, you probably know that, uh, you probably have your card on file in quite a lot of systems, applications, e-commerce platforms, and yeah, you might, you know, I don’t know, maybe your kid is allowed to use like a tablet every now and then. The tablet might have the Google Play Store, uh, on it. And then you might see, you know, your credit card, uh, bill, and it will talk about, I don’t know, uh, a Candy Crush, uh, in-app purchase.
And I, like, I’ve
Josh: Yeah.
Thomas: guess what, maybe someone, like you said earlier, and you know, like [01:19:00] you also were not a hundred percent sure whether the Crocs were not actually bought, uh, by, uh, your wife, right? And so maybe she actually did, but she told you she didn’t. And now you approach your bank and tell them, you know, look, this was fraud, but it wasn’t.
Right?
Josh: Yeah.
Thomas: uh, an issue for banks. Uh, because, well, not all transactions are basically secured, authenticated to a level where a bank really is in the position to push back on that, right? Um, but ultimately, and coming back a little bit to the earlier topic we had, even for the bank or for the whole payment industry, it also then boils down to the whole topic of, you know, security versus convenience versus, uh, frictionless, uh, shopping experience, right?
Because yeah, sure, you can dial up the security of cards. Technically, there are ways to dial it up to the same level as if you would [01:20:00] use a card with the chip and the PIN at the ATM, right? You could do that in e-commerce. The problem would be people would stop using their cards and maybe would just use PayPal,
Josh: Mm-hmm. Mm-hmm.
Thomas: be bothered with, uh, doing that. Right. So you’re kind of like, also as a bank or as a payment network such as MasterCard and Visa, you have to strike this balance, right? Between being a payment method that is actually convenient to use, that people want to use, um, and the security that comes along with it.
And I think where the card networks have decided to put a little bit more of the emphasis is like, they’re not ultimately technically the most secure ways of payment, but they have by far the strongest consumer protection rules to make up for it. Which is again why I said earlier, if a friend or family member would ask me what payment method to use, it’s always the credit card
Josh: Yeah.
Thomas: of that.
Yeah.
Josh: You [01:21:00] know, there’s also, there’s no perfect solution to any of this, right? Especially when you consider like how many billions of people are on this planet. There’s no way we’re gonna create one system that’s gonna work for everybody, for everything. I, uh, I reference this episode a lot. It’s actually one of my oldest episodes, um, was with, uh, a PhD student from Warwick University, uh, mayor l Vanacker.
And she talked about, it was actually more from the personal financial management side of things, Thomas, but she was talking about if we really actually wanted to do people good in budgeting their money, we’d go back to cash or even further, back to like bartering days, right? Because we’re so much more likely, like, just think about the psychological element of having like a hundred dollar bill in your wallet and not wanting to break it.
But if you can just pay with Apple Pay, ding, [01:22:00] ding, ding, ding, ding, all day long, right? And so similarly, like if we wanted to really minimize fraud in payments, you go back to cash, right? But it’s grossly inconvenient. And, you know, we humans are gonna always gravitate towards convenience over pretty much everything else.
Um, and then, you know, going back to there’s gonna be no perfect system, then the fraud we would have is people would literally probably go back to, you know, hitting each other over the head and stealing their cash. So, you know, maybe at least in this scenario, people aren’t getting hit over the head for their cash.
They’re just getting their debit card stolen. Um, so there’s just, there’s no perfect solution to this, I think is the, I don’t know if that’s like a Debbie Downer way of looking at it, but I think it’s the realistic one. It’s just, we’re trying to create as efficient of systems to allow people to do the things that they need to do to focus on life, not payments and money movement, cybersecurity, but at the same [01:23:00] time, you know, protect them.
Thomas: Yeah. Yeah. I think that sums it up, uh, pretty well. And I think in a way, this trade off that I was referring to is also, I would say, almost as old as the concept of, uh, of money, right? Basically ever since we stopped basically trading kind of like one good for, uh, the other, and we moved to kind of like symbolic representations of, like, you know, how to say, value, like when we created a currency. Um, and I think basically crime around currency and transactions is as old as that.
Josh: Yeah.
Thomas: agree cash arguably, compared to maybe some, uh, other forms of payments, has maybe an advantage, but it also has a lot of, uh, disadvantages. I mean, first of all, you can’t use cash when shopping online. Uh, at least it would be incredibly inconvenient, right?
Are you going to put that [01:24:00] $100 bill into the mail and send it to the merchant? And then the merchant only starts sending you the product once they have received that, uh, a hundred dollars in the mail, right? Doesn’t really work well, and not at scale. And like you said, I mean, whatever you have in cash on you or under your mattress at home, um, also can be stolen.
And guess what your bank will tell you? Coming back to your earlier example, if you withdrew $10,000 in order to put them under the pillow at your house, and then somebody breaks in and steals it, guess who is, uh, liable for that? But
Josh: Yeah.
Thomas: managed to steal your card, uh, details and they conducted online fraud, uh, worth, uh, $10,000, quite likely you will get that money back quite quickly.
Josh: Mm-hmm. Yeah. Yeah. I mean, yeah. Again, it’s just, as you create complexities in the system, there’s gonna be [01:25:00] scenarios where, you know, different parties are quote unquote the winning party in that, from both the security and convenience standpoint. You know, I wish I’d had time to actually read the whole thing.
I only read a couple of snippets of it. Um, I saved it for some later reading, but, uh, apparently, and I don’t know how old the study is, but it seems like it’s fairly recent, there was a study that came out where they taught a group of monkeys how to use currency and then they observed the society of monkeys and how they then learned how to use currency.
And apparently it was like fascinating how quickly they resorted to things like learning how to hoard it, learning how to steal it, learning how to barter different acts for it, all sorts of things, and how quickly they became like a human society with how we treat money. Uh, so I’m really curious to go back and look at that, but [01:26:00] that’s just it, it’s like,
Thomas: please, please send it over to me. Actually, I’m now very, uh, very curious to read that as well. That sounds like, uh, well, almost sounds like, uh, ultimately, you know, it’s in the nature of, uh,
Josh: yeah, that’s just it. And so that kind of goes back to even again, where we started around cybersecurity and everything too. Like, there’s a certain part of this where it’s like, this is just human nature, right? And again, you’re never gonna create a process or, you know, a document that’s gonna solve for all of it.
But it’s kind of, and I think this is where, you know, you see some of the passion in you. Like the excitement is trying to figure this all out, right? And to create systems that work.
Thomas: Yeah, exactly. Because, I mean, ultimately, uh, and you can say that applies now both to the field of cybersecurity, but also the field of payments. I think ultimately, at least in my case, a lot of fascination [01:27:00] also comes from, I would say, kind of like the complexity and imperfection of those systems.
Josh: Yeah.
Thomas: In security, it’s always, and it will probably always be for the foreseeable future, kind of like a cat and mouse game,
Josh: Mm-hmm.
Thomas: and I would say, generally speaking, quite often, uh, the fraudster holds onto the longer, uh, end of, uh, the stick. I’m not sure if the saying goes really like that, but, uh, I hope you understand what I meant.
Um, and I think this will keep evolving, right? Of course, now, uh, with AI becoming more and more relevant to all kinds of different areas, of course we will see AI being used on both sides of
Josh: Yeah, totally.
Thomas: will create way better campaigns, will create way more convincing ways for social engineering. Um, but so [01:28:00] will other companies emerge that will use AI to help you, maybe as a somewhat, you know, less of a person or as an elderly person, to not be tricked into a certain scam. Right. I envision a world where, as an elderly person, uh, whenever I pick up the phone, I have an AI listen in. Right? And whenever the other end of the telephone tries to scam me into something, the thing, you know, will alert me and will warn me.
Josh: Hmm.
Thomas: And so AI can be incredibly powerful, especially if somebody tries to go after, you know, the kids, the elderly, you name it. But, uh, so, but I think, for as far as I can look into the future, it’ll always be a cat and mouse game,
Josh: Yeah.
Thomas: will be able to use a technology to kind of like either solve the problem of scams and fraud forever, or to [01:29:00] basically just, uh, have the whole system turn into, we have more fraud than we have legitimate, uh, things happening, right?
Josh: Yeah.
Thomas: yeah. But yeah, like I said, ultimately, I think that is really also kind of like where the fascination comes from for a lot of, uh, people in the space.
Josh: Well, it’s been a lot of fun chatting with you about it today, um, and it definitely gave me some different things to think about and perspectives on it. Um, but hey, listen, before I let you go, I got two final questions for you, Thomas. So, wow. First, you know, where do you go to get information? Like how do you stay up to date on what’s happening, both in, you know, payments and cybersecurity maybe?
Thomas: Yeah. So I mean, these days I, uh, unfortunately I don’t have, uh, too much, uh, time anymore to dig into a lot of, uh, stuff related to cybersecurity. I mean, I do still have a lot of people, uh, that I used to work with in the past, and whenever I meet with them, of course we talk about it. Or they [01:30:00] would also send me, you know, some interesting articles. Um, in general, more related to the payment industry,
I try to, uh, read, uh, whenever I find some time, uh, or listen, uh, to podcasts, right? For example, 11:FS is probably one
Josh: Hmm.
Thomas: you’re quite familiar
Josh: Yeah.
Thomas: uh, that I, uh, listen to, uh, every now and then. I think another one is the Fintech Blueprint, uh, that I listen
Josh: Hmm.
Thomas: uh, every now and then. And I think then when it comes to kind of like, you know, news sites or blogs and stuff, there’s quite a lot out there. Sometimes also hard to keep up, uh, with things. But, uh, FINRA is one that I read on a somewhat, uh, regular basis, or, uh, and, um, uh, how is it called? Um, The Finanser. So that’s Chris Skinner’s [01:31:00] blog.
He’s also quite, uh, known in the industry. But, uh, yeah, quite frankly, I unfortunately don’t have as much time as I would like to have, right, with my day job,
Josh: The whole running a company thing.
Thomas: so I often also rely on, uh, you know, other people digging up interesting, uh, things. What we have done is we have created on our company-internal Slack a bunch of, uh, channels, right, where people then actively share interesting news out of the payments or FinTech space.
And, um, probably these days, most of the stuff I read is by, uh, yeah, so to say, following our own internal channel.
Josh: Uh, and then last but not least, if people want to connect with you or if they wanna learn more about your company, how can they do that?
Thomas: Um, yeah, probably the best, um, is, uh, to start by, uh, going to our website. So that’s, uh, rivero.tech, [01:32:00] tech as in TECH. Uh, so that’s, uh, where, uh, to find us as a company. Now, of course, uh, also please feel free to connect with me on LinkedIn, but as you mentioned earlier,
Josh: with the 10,000 other Germans named?
Thomas: name. Exactly. So if you go to LinkedIn and just type, uh, Thomas Müller, there’s a fairly high chance you won’t find me, but if on LinkedIn you go for Thomas Müller and, uh, Rivero, uh, then you will certainly, uh, see me there. And yeah, uh, you can, uh, connect with me and, uh, reach out to me. And I probably also, uh, assume, like in the show notes,
Uh,
Josh: Yeah. We’ll have everything.
Thomas: some pointers to our, uh, website and some of the channels.
Josh: Well, I really appreciated getting connected to you and, uh, the conversations we’ve been able to have, and yeah, thank you so much for, uh, kind of talking me through and, [01:33:00] uh, just, yeah, hearing somebody else’s perspective, um, on all things payments and cybersecurity, and yeah. Thanks for coming to be a guest on the Digital Banking Podcast.
Thomas: Yeah, it was great. Uh, I had a blast. Uh, thank you so much, Josh, again for having me as a guest, and, um, looking forward, uh, to doing the next one, uh, on that, uh, Swiss mountain. Uh,
Josh: Now we’re talking.
Thomas: Thank you.
Josh: Ah, thanks again, Thomas.