
#32: Policy Shifts, Platform Vulnerabilities, and a Reminder That No One’s Immune
This week, we’re tracking Visa’s latest VAMP update, which raises dispute thresholds and adjusts how chargebacks are counted. Meanwhile, the hacker behind the SEC’s fake Bitcoin ETF tweet gets sentenced, and a critical Chrome flaw was being used in the wild to bypass MFA and take over accounts.
The throughline? Even with tools, teams, and policies in place, fraud still finds cracks. Let’s dig in.
NATE'S TAKE - MAY 20, 2025
Top Three This Week
- Visa Updates VAMP Program With Higher Thresholds and Adjusted Fees
- Hacker Who Compromised SEC’s Twitter Gets 14 Months
- Chrome Flaw Let Attackers Bypass MFA and Hijack Accounts
1. Visa Updates VAMP Program With Higher Thresholds and Adjusted Fees

In a recent LinkedIn post, fraud fighter Tarun Singh broke down Visa’s latest updates to its Visa Acquirer Monitoring Program (VAMP). It’s a mix of higher thresholds, adjusted fees, and some relief for merchants using pre-chargeback alerts.
Here’s what’s changed:
- The dispute ratio formula now includes all chargebacks, not just fraud-related ones, along with fraud reports (TC40s).
- Thresholds are increasing. The “Excessive” tier now starts at 70 bps, up from 50. The “Merchant Excessive” tier starts at 220 bps, dropping to 150 bps in April 2026 for most regions.
- To qualify for VAMP, merchants must now have at least 1,500 disputes, up from 1,000—including both fraud and non-fraud.
- Fees have been reduced slightly, from $5/$10/$10 to $4/$8/$8, with no fees for merchants in the Early Warning tier.
- Pre-chargeback alerts (like RDR, CDRN, and Ethoca) now count toward dispute reduction, but they only reduce chargebacks—not TC40 fraud reports. Their impact depends on merchants issuing refunds and issuers choosing not to follow through with a chargeback or fraud report.
While these changes may offer some relief on the fee front, Singh notes a clear challenge: alerts alone won’t help with TC40 volume, which is still a core part of VAMP’s fraud calculation.
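To make the arithmetic behind those bullets concrete, here is a small worked model of the updated ratio and tier logic. It is an added example, not Spec's code and not Visa's published formula: it assumes the ratio denominator is the month's settled transaction count (not stated above), treats the 70 bps and 220/150 bps figures as inclusive lower bounds, and labels everything under 70 bps as simply "below Excessive" because the Early Warning boundary is not given in the post. All counts are constructed.

```python
from dataclasses import dataclass

# Thresholds as reported in the post. The Early Warning boundary is not stated,
# so anything under EXCESSIVE_BPS is reported as "below Excessive".
EXCESSIVE_BPS = 70
MERCHANT_EXCESSIVE_BPS = 220            # current
MERCHANT_EXCESSIVE_BPS_APR_2026 = 150   # after April 2026, most regions
MIN_DISPUTES = 1500                     # program entry minimum (fraud + non-fraud)


@dataclass(frozen=True)
class MonthlyCounts:
    settled_transactions: int   # assumed denominator (constructed, not from the post)
    chargebacks: int            # all chargebacks, fraud and non-fraud
    tc40_fraud_reports: int     # issuer fraud reports (TC40)
    alert_refunds: int = 0      # chargebacks averted via RDR/CDRN/Ethoca-style alerts


def counted_disputes(c: MonthlyCounts) -> int:
    """Disputes that count toward VAMP after alert-driven refunds.

    Alerts only shrink the chargeback side; TC40 reports are unaffected,
    which is the gap the post highlights.
    """
    return max(c.chargebacks - c.alert_refunds, 0) + c.tc40_fraud_reports


def vamp_ratio_bps(c: MonthlyCounts) -> float:
    """Dispute ratio in basis points (1 bps = 0.01%)."""
    return counted_disputes(c) * 10_000 / c.settled_transactions


def vamp_tier(c: MonthlyCounts, after_april_2026: bool = False) -> str:
    """Classify a month against the reported thresholds."""
    if counted_disputes(c) < MIN_DISPUTES:
        return "below minimum dispute count"
    bps = vamp_ratio_bps(c)
    merchant_excessive = (MERCHANT_EXCESSIVE_BPS_APR_2026 if after_april_2026
                          else MERCHANT_EXCESSIVE_BPS)
    if bps >= merchant_excessive:
        return "Merchant Excessive"
    if bps >= EXCESSIVE_BPS:
        return "Excessive"
    return "below Excessive"


if __name__ == "__main__":
    # Same merchant month, three scenarios (constructed numbers).
    base = MonthlyCounts(settled_transactions=150_000, chargebacks=2_000, tc40_fraud_reports=500)
    print(f"{vamp_ratio_bps(base):.1f} bps ->", vamp_tier(base), "/",
          vamp_tier(base, after_april_2026=True))
    # Alerts that refund most chargebacks can drop the merchant under the entry minimum...
    with_alerts = MonthlyCounts(150_000, 2_000, 500, alert_refunds=1_200)
    print(counted_disputes(with_alerts), "disputes ->", vamp_tier(with_alerts))
    # ...but a TC40-heavy merchant gets no relief from alerts at all.
    tc40_heavy = MonthlyCounts(100_000, 0, 1_600, alert_refunds=5_000)
    print(f"{vamp_ratio_bps(tc40_heavy):.1f} bps ->", vamp_tier(tc40_heavy))
```

The third scenario is the one worth internalizing: a merchant whose disputes are mostly TC40 reports sits at 160 bps no matter how many alerts it resolves, and the April 2026 drop to 150 bps moves that same month from Excessive to Merchant Excessive with no change in behaviour.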
2. Hacker Who Compromised SEC’s Twitter Gets 14 Months

In January 2024, the SEC’s official X (formerly Twitter) account posted that Bitcoin ETFs had been approved—a false statement that caused chaos in crypto markets before being quickly deleted.
The hacker behind the breach, Eric Council Jr., was sentenced to 14 months in prison after pleading guilty to SIM-swapping and cyber fraud-related charges.
O’Connor accessed the SEC’s account using credentials from a compromised employee and a SIM-swapping attack to intercept the two-factor authentication. This wasn’t his first high-profile hit. He was previously tied to the 2020 Twitter breach that compromised accounts belonging to Elon Musk, Barack Obama, and others.
This is another example of how high-value targets are increasingly compromised through low-friction social engineering and credential-based attacks. It doesn’t matter how big your brand is. If your 2FA isn’t secure, neither are you.
3. Chrome Flaw Let Attackers Bypass MFA and Hijack Accounts

Google recently patched a zero-day Chrome vulnerability (tracked as CVE-2024-4671) that was actively being exploited in the wild to enable account takeovers and bypass MFA protections.
The flaw allowed attackers to intercept authenticated sessions, giving them access to web apps and user accounts even when MFA was enabled.
While Google hasn’t disclosed the full list of platforms affected, they did confirm the issue was actively exploited, and pushed out emergency updates to patch it in Chrome 124.0.6367.207 and higher.
This is a stark reminder of what we’ve covered previously: browser-level fraud is no longer theoretical—it’s live, growing, and frequently harder to detect. Even with strong authentication, fraudsters can exploit browser flaws to hijack trust from the inside out.
If your fraud detection doesn’t include browser context and session security, you’re likely missing the next wave of ATO tactics.
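One concrete form of the "browser context and session security" check above is to bind each authenticated session to the client context seen when MFA completed, and flag later requests on the same session whose context differs. The snippet below is an added example, not Spec's product code and not a fix for the Chrome bug itself (patching is); it runs over a handful of constructed session events and assigns a severity, treating a user-agent change inside one cookie session as a strong signal and an IP-only change as a weaker one, since mobile and corporate networks rotate IPs legitimately.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SessionEvent:
    ts: int            # seconds since epoch (constructed)
    session_id: str
    user: str
    ip: str
    user_agent: str
    kind: str          # "mfa_ok" when MFA completed, "request" for later app calls


# Constructed sample telemetry using documentation IP ranges; not real logs.
SAMPLE_EVENTS = [
    SessionEvent(100, "s1", "alice", "198.51.100.10", "Chrome/124", "mfa_ok"),
    SessionEvent(160, "s1", "alice", "198.51.100.10", "Chrome/124", "request"),
    SessionEvent(120, "s2", "bob",   "198.51.100.20", "Chrome/124", "mfa_ok"),
    # same cookie as s1, but a different client entirely
    SessionEvent(300, "s1", "alice", "203.0.113.7",   "curl/8.0",   "request"),
    # bob's phone moved to a neighbouring address on the same carrier range
    SessionEvent(400, "s2", "bob",   "198.51.100.21", "Chrome/124", "request"),
    # a session with no recorded MFA completion is out of scope for this check
    SessionEvent(500, "s3", "carol", "198.51.100.30", "Chrome/124", "request"),
]

Finding = Tuple[str, int, Tuple[str, ...]]   # (session_id, ts, reasons)


def score_session_events(events: List[SessionEvent]) -> List[Finding]:
    """Bind each session to the context that passed MFA; flag later drift.

    Events are processed in time order so a session's binding is established
    before its requests are compared against it.
    """
    bound = {}
    findings: List[Finding] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa_ok":
            bound[e.session_id] = e          # context at MFA completion
            continue
        origin = bound.get(e.session_id)
        if origin is None:
            continue                         # never saw MFA complete for this session
        reasons = []
        if e.user_agent != origin.user_agent:
            reasons.append("user_agent_changed")
        if e.ip != origin.ip:
            reasons.append("ip_changed")
        if reasons:
            findings.append((e.session_id, e.ts, tuple(reasons)))
    return findings


def severity(reasons: Tuple[str, ...]) -> str:
    """UA drift within one cookie session is rare for real users; IP-only drift is common."""
    if "user_agent_changed" in reasons:
        return "high"
    if "ip_changed" in reasons:
        return "medium"
    return "none"


if __name__ == "__main__":
    for session_id, ts, reasons in score_session_events(SAMPLE_EVENTS):
        print(f"t={ts} session={session_id} severity={severity(reasons)} reasons={reasons}")
```

In production the binding would carry more than IP and user agent (TLS fingerprint, accepted languages, screen and timezone hints from the client), and a "high" finding would typically force re-authentication or a step-up rather than a hard block, because the cost of a false positive on a real customer mid-checkout is itself a fraud-team metric.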
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.