When Fraud Meets Cyber: The Retail Sector’s Expanding Risk Landscape with NRF’s Christian Beckner
Season 2 Episode 20 •Show Notes
In this episode of the Cyber Focus podcast, recorded on April 30 at the RSA Conference in San Francisco, host Frank Cilluffo sits down with Christian Beckner, Vice President of Retail Technology and Cybersecurity at the National Retail Federation. Beckner provides a wide-ranging look at how cybersecurity, fraud, and emerging technologies are reshaping the retail landscape. They discuss how threats have evolved over the past decade, the growing impact of third-party risk, and the rise of fraud tactics such as account takeovers and gift card abuse. Beckner also outlines NRF’s policy work on CIRCIA, the SEC cyber disclosure rule, and the organization’s efforts to build stronger cross-sector collaboration. The conversation offers both a strategic overview and practical insight into one of the nation’s most targeted and complex sectors.
Main Topics Covered:
- The role of NRF and its focus on retail cybersecurity
- How threats to the sector have evolved over the past 7 years
- Growing concerns around third-party and vendor risk
- The surge in fraud, including account takeover and gift card abuse
- NRF’s development of a fraud taxonomy for the industry
- How AI is shaping both threats and defenses
- NRF’s cyber policy priorities and hopes for increased CISA engagement
- Long-term risks and opportunities for strengthening retail cybersecurity
Key Quotes:
“Retail is a huge part of the economy. It’s something that touches every person every day, and that’s what makes it such an important piece of the overall cybersecurity landscape.” — Christian Beckner
“We’re seeing an increase in account takeover fraud, gift card fraud, return fraud… It’s often hard to draw the line between what’s a fraud issue and what’s a cyber issue.” — Christian Beckner
“We’re building a taxonomy for fraud. And that’s critical, because right now, we’re all speaking different languages when we talk about these incidents.” — Christian Beckner
Relevant Links and Resources:
Guest Bio:
Christian Beckner is Vice President of Retail Technology and Cybersecurity at the National Retail Federation and Executive Director of NRF’s Center for Digital Risk & Innovation. He leads the association’s efforts on cybersecurity, fraud prevention, and emerging technologies. Before joining NRF, Beckner was Deputy Director of the Center for Cyber and Homeland Security at George Washington University and served in senior roles on the Senate Homeland Security and Governmental Affairs Committee. He holds degrees from Stanford University and Georgetown University.
Transcript
1
00:00:00,000 –> 00:00:01,000
Christian Beckner [00:00:00]:
We’ve seen examples of criminal groups engaged in human trafficking, ties to organized retail crime. We’ve seen examples of ties to drugs, cross border drug smuggling, and, you know, with some of the gift card fraud investigations. So that’s an area where we’ve had a lot of focus.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:15]:
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with a longtime friend and colleague, Christian Beckner. Christian is a vice president at the National Retail Federation and is responsible for all their work around fraud, cybercrime, emerging technology, and really excited to have Christian join us today. Prior to that, I had the privilege of working very closely with Christian at George Washington University where he was deputy director of the center for Cyber and Homeland Security and prior to that when he worked for Senator Lieberman on Capitol Hill. Christian, thank you so much for joining us today.
3
00:00:02,000 –> 00:00:03,000
Christian Beckner [00:00:59]:
Great to be here, Frank.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:01:00]:
Well, thank you, Christian. So I thought to start with, maybe literally start at the beginning. Where does the National Retail Federation, describe your mission, your members, your focus, and also how you fit into the broader cybersecurity landscape.
5
00:00:04,000 –> 00:00:05,000
Christian Beckner [00:01:16]:
Sure. So the National Retail Federation, we’re a trade association for the retail sector. We represent everybody from the largest US Based retailers down to small businesses around the country in a variety of ways. We, we have a very active advocacy team working on everything from trade issues, tax issues, privacy, payments issues. We put on our own trade shows and events, including the largest retail trade show every year. We do our own research, we do a lot of communications and really just representing the retail sector in every way you could think. My role within the organization is working with our members in technology leadership roles. So the CIOs, the CTOs, the Chief Information security officers on councils that we have for those groups, working with them on best practices and then working also on policy issues in those areas.
6
00:00:05,000 –> 00:00:06,000
Christian Beckner [00:02:05]:
So cybersecurity, fraud, AI any…
7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:02:08]:
Big job.
8
00:00:07,000 –> 00:00:08,000
Christian Beckner [00:02:09]:
Yeah, lots, lots of cover.
9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:02:10]:
And do you, how does the sector fit into the broader cybersecurity landscape?
10
00:00:09,000 –> 00:00:10,000
Christian Beckner [00:02:14]:
So the sector, I mean, it’s one of the largest sectors in the US economy, employing, you know, over, over 20 million people directly. And the economic impact is, you know, a very significant portion of the US economy. So, you know, so, you know, even though, you know, when people talk about different sectors being critical or not critical, you know, sometimes retail is, is seen as less critical, we actually think that’s kind of…
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:02:41]:
Fuels everything, right?
12
00:00:11,000 –> 00:00:12,000
Christian Beckner [00:02:42]:
Because every, you know, everybody shops, everybody engages in retail. Retailers have a mission to protect your personal information. And so there is a big responsibility that retailers have to ensure trust and take cybersecurity seriously. And we are part of, within the critical infrastructure framework, we are part of the commercial facility sector, one of the sectors defined by the government.
13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:03:05]:
And you personally are also in a leadership role with the Sector Coordinating Council, right?
14
00:00:13,000 –> 00:00:14,000
Christian Beckner [00:03:10]:
Right. So the Sector Coordinating Council includes representatives from different subsectors within commercial facilities. So the sports leagues, the arenas and stadiums, real estate.
15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:03:20]:
You get to any good games?
16
00:00:15,000 –> 00:00:16,000
Christian Beckner [00:03:22]:
Well, I still pay my own way but we, but yeah, it’s good conversations within that group.
17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:03:28]:
Awesome, awesome. And sort of from your vantage point, what do you think the biggest cybersecurity and fraud challenges the sector face today?
18
00:00:17,000 –> 00:00:18,000
Christian Beckner [00:03:38]:
So it’s a couple different things. I think, I guess I would start with the fraud issue. So you know, cybersecurity is an area where there has been significant improvement over 10 plus years now to improve cybersecurity within the sector. Teams that were 10 people 10 years ago are now 100 people. And so that level investment has really brought, at least among the medium and large size retailers, cybersecurity to some level of maturity. Breaches still happen, incidents still happen, but companies are much better situated than they were a decade ago. Where there’s been some of the newer challenges is on the fraud side. So we really saw when the pandemic happened a sort of explosion in fraud, not only in the retail sector, but also in fraud against government benefits, fraud of all types.
19
00:00:18,000 –> 00:00:19,000
Christian Beckner [00:04:27]:
So that’s an area where we see a lot of, still a lot of concern. And even if the retailers aren’t directly impacted by a fraud incident, if it affects consumers, that affects the trust in the retailer. So we’ve been doing a lot, a lot of work in those areas to try to address fraud. And then the second issue I would note in terms of cybersecurity threats, the, the whole third party risk landscape is one where there is still a significant concern. So if you think…
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:04:52]:
I want to talk payment systems, so…
21
00:00:20,000 –> 00:00:21,000
Christian Beckner [00:05:54]:
But even beyond payments, I mean a typical mid sized retailer might have 200 or 300 IT third parties.
22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:05:01]:
Wow.
23
00:00:22,000 –> 00:00:23,000
Christian Beckner [00:05:01]:
So all the systems to manage your warehouses and distribution centers, all the systems in your stores for beyond even payments, just for managing your information, all your online systems because most retailers have an online storefront too. And so being able to sort of keep track of what they’re doing and trying to protect that broad attack surface is a challenge. And we’ve seen a number of cases in the last couple years where you know, some of these third parties have had vulnerabilities and they’ve affected retailers that they’ve affected other sectors.
24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:05:37]:
And I would imagine counterfeiting, that’s still an issue. Right? And theft and what have you. Is there a cyber angle to all of that?
25
00:00:24,000 –> 00:00:25,000
Christian Beckner [00:05:44]:
I mean, so there’s the, yeah, there’s definitely the issue with counterfeits being sold, you know, online and in various ways and what companies can do with that. There’s also just the broader retail crime challenge. So that’s been a big focus for NRF over the past few years with organized retail crime which blends into cybercrime and blends into fraud. It’s not, you know, what you see in the store is not isolated to the store. It ties into what’s going on in the online domain. And if you look at some of these criminal groups engaged in this, they’re not, you know, they’re engaged in broader types of organized crime. You know, we’ve seen examples of criminal groups engaged in human trafficking ties to organized retail crime. We’ve seen examples of ties to drugs, cross border drug smuggling and you know, with some of the gift card fraud investigations.
26
00:00:25,000 –> 00:00:26,000
Christian Beckner [00:06:28]:
So there’s a lot, money laundering, so there’s a lot to unpack in that. And that’s an area where we’ve had a lot of focus with trying to pass some legislation to give, you know, federal government more, more resources and have more coordination on those issues to help state and local law enforcement.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:06:42]:
There’s an actual bill?
28
00:00:27,000 –> 00:00:28,000
Christian Beckner [00:06:44]:
It’s a Combating Organized Retail Crime Act. It was just reintroduced by, in the Senate by Senator Grassley. Senator Cordes Masto has bipartisan support in the House as well. So something we’re, you know, we’re had over 160 co sponsors in the last Congress about even Democratic Republicans. So we’re, we’re working to try to get away.
29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:07:01]:
This isn’t a red or blue issue. Right? I mean it’s literally red, white and blue. It’s Main Street America.
30
00:00:29,000 –> 00:00:30,000
Christian Beckner [00:07:06]:
Yeah. And it affects small businesses as much as it affects, you know, the big, large businesses.
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:07:10]:
Absolutely. And to build on some of the third party risk. So is the sector speaking as one voice and finally getting to, because it’s hard to demand change with third party vendors. But are they starting to speak as one voice in terms of how they can raise the bar from a cyber perspective on some of their many venues in?
32
00:00:31,000 –> 00:00:32,000
Christian Beckner [00:07:34]:
I mean we’re making progress on that. I mean we’ve been following, engaged with some of the secure by design Work. Which I think is a critical, has been a critical initiative led by CISA but with broader industry support over the last year. And where I think there’s an opportunity is, you know, I’m worried less about the large enterprise IT companies and more about, you know, in every sector there are specific companies who are really niche to that sector, but have in many cases 40%, 50%, 60% market share for different things that they do. And so trying to educate and get those companies more engaged on cybersecurity and even though they may not be household names, you know, they’re pretty critical in terms of…
33
00:00:32,000 –> 00:00:33,000
Frank Cilluffo [00:08:17]:
Not only critical, but if you look at the landscape writ large, small, medium sized businesses, firstly it is the engine of our economy to a large extent and secondly, cybercrime, ransomware democratized cybercrime. So everyone is a target now.
34
00:00:33,000 –> 00:00:34,000
Christian Beckner [00:08:33]:
Yeah. And then that’s, you know, and that’s, that’s another where we’ve tried to sort of, you know, help educate smaller retailers. You know, as I said, as the, as the larger companies have matured their efforts, we’ve shifted more of our focus to trying to provide resources for small and medium sized retailers on cybersecurity and now increasingly on fraud as well.
35
00:00:34,000 –> 00:00:35,000
Frank Cilluffo [00:08:53]:
That’s awesome. No, I’m glad to hear that. And payment systems. So where do you see the biggest concerns there? And I mean they’re proliferating. You blink and, my kids try to ask me to send money one way or another every day, but behind that are not always my kids.
36
00:00:35,000 –> 00:00:36,000
Christian Beckner [00:09:10]:
So some of the risk compared to seven or eight years ago has gone down in that area. As technology has shifted from the old sort of swipe technology which was insecure to the PIN in your card and now contactless, that has reduced some of the card present risks that existed and were the sources of cyber incidents five, 10 years ago. Where I think there’s still concern is some, is more in the online domain. So we’ve seen a number of these, you know, credential stuffing or some of the magecart attacks where you know, where, where you basically, where code is being introduced onto websites for, you know, different online websites and that code is, is sort of exploiting and stealing information. So that’s where there still comes concerns. Again there’s been a good progress on, on those sorts of issues. But, but that’s where from the payment side we’ve seen it. But most of the incidents in retail, you know, we’ll see compromise of other types of PI, but, but the number of incidents where payment information has been stolen is actually dramatically…
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo [00:10:17]:
Dramatically dropped, right? Yeah. But credentials are out there ad nauseam, right? That, that becomes the issue.
38
00:00:37,000 –> 00:00:38,000
Christian Beckner [00:10:24]:
And then if you have a loyalty program, you know, you, you know, hopefully the payment information there is encrypted or tokenized and so then that’s less vulnerable. But there’s other information on the customer side that you’re concerned with there.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:10:40]:
We can’t have a discussion here at RSA without bringing up artificial intelligence, and artificial intelligence, and we’ve had a lot of arguments. Most of my national security guests say AI benefits the attacker. Most of my commercial guests say AI benefits the defender. Truth is, it’s both, it’s a double edged sword. But I’d be curious what your thoughts are there. And in particular from a fraud perspective, you must be seeing a whole lot in terms of account takeovers, gift card fraud and the like. What are your thoughts there?
40
00:00:39,000 –> 00:00:40,000
Christian Beckner [00:11:14]:
So it’s definitely a double edged sword. So on the one hand, AI is a tremendous opportunity for retailers from a just a general business standpoint. You know, investing in better chatbots, investing in new ways to market to people, improving your supply chain. By some accounts, retail is actually one of the top sectors investing in AI. And when we had our trade show in January, I think we had 50 sessions on AI. Every time we get our CIOs together, they want to talk about what use cases are working, where are the opportunities to sort of be more efficient, deliver better value to customers. And so that’s part of the picture. But the other thing you mentioned, in terms of the risks, obviously the adversaries are using these tools.
41
00:00:40,000 –> 00:00:41,000
Christian Beckner [00:11:56]:
We’ve seen a lot of concern about where before you might have had brand impersonation with fake websites and fake advertisements that were very obviously fake in many cases. Now with some of these AI tools, some of the ad fraud that we’re seeing is much more plausible to people when they click on a link, you know, either from an email or on a social media site. So being able to sort of combat that, work with partners to do that and help educate consumers that you know different ways to sort of make sure you’re, you know, looking at the URL and looking at other things beyond just what appears to be the website that you think you’ve, you usually shop at.
42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:12:37]:
The bar was already low for cybercrime. It’s just gotten down to the floor though. That is one of the challenges. The flip side though is for a lot of our cyber hygiene, you can start using AI tools to at least address the common controls or the top controls and security measures.
43
00:00:42,000 –> 00:00:43,000
Christian Beckner [00:12:54]:
Yeah, and then as you said, the third stool on AI for retail is enhancing cybersecurity and fraud prevention tools. And if you think about traditional fraud prevention tools, even 10, 15 years ago, they were already using AI. So finding ways…
44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:13:09]:
Doing it forever, right. ML was literally, machine learning, was something that…
45
00:00:44,000 –> 00:00:45,000
Christian Beckner [00:13:13]:
So finding ways to improve those and make those systems work better.
46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:13:16]:
Awesome. Anything else on AI you want to touch on that could be of interest to our audience?
47
00:00:46,000 –> 00:00:47,000
Christian Beckner [00:13:21]:
Yeah, I mean, the other big development really over the last three or four months around AI has been agentic AI, you know, obviously generative is still a focus too, but that’s something to think of. Like, I think companies need to be thinking about too, from a cybersecurity standpoint. Because if you’re empowering AI agents in ways that will now have operational roles, operational responsibilities within your companies, think in a warehouse context or even a store context, what are the cybersecurity risks associated with that? How do you sort of mitigate those up front? So that’s a, that’s going to be another interesting issue. I think we’re still really early on that journey, but it’s, it’s happening faster than people think. And then something that’s going to be really transformative for a lot of industries.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:14:03]:
It is, and we’ve heard a lot about that the past couple days, at least I have. So the, the second thing, and sort of last bit of questions around policy, and what are NRF’s big cyber priorities right now? And how do you see the public private partnership? We’ve talked about this, you and I, for many, many, many, many years. How do we make sure that these nouns are translated into verbs and getting done.
49
00:00:48,000 –> 00:00:49,000
Christian Beckner [00:14:32]:
Yeah. So on cybersecurity, we have a few priorities right now. The first one, probably the most near term, is just making sure the Cyber Information Sharing act gets reauthorized. That was passed 10 years ago, is due to expire at the end of September. So working together just to make sure there’s a reauthorization of that. The other area where less about sort of legislation but more about regulation, as you alluded to. You have the SEC cybersecurity rule now in effect. You have CIRCIA, which was passed a couple years ago and is due to, you know, go to its next two stages and sort of the regulatory process over the next, you know, over, over the course of this year and into next year.
50
00:00:49,000 –> 00:00:50,000
Christian Beckner [00:15:17]:
So, you know, making sure we’re engaged, continue to be engaged in that process. And on both of those, we filed comments, we’ve been working with our members on the SEC rule to implement that and prepare for the CIRCIA rule. We had some concerns that the initial response to the, the initial proposal for the CIRCIA rule was too broad. We articulated that in our response. So we’re, you know, so we’re, you know, still going to make sure. We’re engaged to sort of make sure that the intent of that legislation, even the legislators who wrote that legislation have said their initial version was that was too broad.
51
00:00:50,000 –> 00:00:51,000
Christian Beckner [00:15:48]:
So trying to sort of really focus that on the, on the most critical infrastructure versus companies where you don’t have that broader systemic risk.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:15:55]:
And is NRF engaged in a lot of the regulatory harmonization discussion? Is that something of interest to your, to your members?
53
00:00:52,000 –> 00:00:53,000
Christian Beckner [00:16:03]:
We’ve had some dialogue around that, but it also, compared to the financial sector, the health sector, it’s less regulated, so it’s less of an issue than it is for some other sectors.
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo [00:16:11]:
Awesome. And looking out to the future a little bit, what keeps you up at night? What are you excited about?
55
00:00:54,000 –> 00:00:55,000
Christian Beckner [00:16:18]:
I mean, I’m definitely excited about all the opportunity around AI in the sector and just the way that that is transformative to the sector. I think the, you know, the thing that concerns me is the, you know, some of the things I mentioned with respect to, you know, just the pervasiveness of some of these fraud and cybercrime activities and…
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:16:42]:
And they are organized, right? This is not disorganized.
57
00:00:56,000 –> 00:00:57,000
Christian Beckner [00:16:45]:
Yeah, this is all organized. This is all tied in and, you know, and finding ways to make sure we sort of, you know, get all the different parties to work together to address these issues. Getting, you know, and getting, you know, getting law enforcement, international coordination, you know, technology companies all work together on this issue. Because I just worry that if we don’t take a broader approach to this, it’s going to undermine just trust in society, trust in the economy and, and, you know, in ways that will be…
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:17:11]:
Trust is the coin of the realm.
59
00:00:58,000 –> 00:00:59,000
Christian Beckner [00:17:13]:
Yeah. And it really is for retail, too. And so that’s where, that’s probably my greatest concern right now. We’ve been engaged. The Aspen Institute is a project on fraud and scams that we’ve been part of with a number of, and so, you know, but engaging through a variety of different fora to try to make progress on that issue.
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:17:28]:
Before I let you escape, what questions didn’t I ask that I should have?
61
00:01:00,000 –> 00:01:01,000
Christian Beckner [00:17:34]:
I think you covered some of the main ones. I mean, it’s, it’s always just great to catch up with you and, and see you after all, you know, the years we work together and, and you know, and even back when I worked on the Hill, like…
62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:17:46]:
Absolutely. You’ve been a leader on these issues for a long time. Thank you for your leadership today. Thank you for all the work you brought getting into all of this and thank you for bringing these issues to light. And I think it’s a significant sector not only to our economy but to American society. So thank you, Christian, for all your hard work and joining us today.
63
00:01:02,000 –> 00:01:03,000
Christian Beckner [00:18:06]:
Yeah. Thank you, Frank. And thanks to the whole McCrary team.
64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:18:08]:
Thank you.
65
00:01:04,000 –> 00:01:05,000
Christian Beckner [00:18:09]:
Thanks.
66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:18:09]:
Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.