Good Choices / Bad Choices
Every Victim Understands The Role Choices Play In Their Safety & Security – Sadly Governments Do Not Understand This Still To This Day!
In this editorial, Brett Johnson, a member of the SCARS Advisory Board, talks about the choices made by U.S. governments that leave the door wide open for scams A Scam is a confidence trick - a crime - is an attempt to defraud a person or group after first gaining their trust through deception. Scams or confidence tricks exploit victims using their credulity, naïveté, compassion, vanity, irresponsibility, or greed and exploiting that. Researchers have defined confidence tricks as "a distinctive species of fraudulent conduct ... intending to further voluntary exchanges that are not mutually beneficial", as they "benefit con operators ('con men' - criminals) at the expense of their victims (the 'marks')". A scam is a crime even if no money was lost. and fraud In law, fraud is intentional deception to secure unfair or unlawful gain (money or other assets), or to deprive a victim of a legal right. Fraud can violate civil law (e.g., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compensation) or criminal law (e.g., a fraud perpetrator may be prosecuted and imprisoned by governmental authorities), or it may cause no loss of money, property, or legal right but still be an element of another civil or criminal wrong. The purpose of fraud may be monetary gain or other benefits, for example by obtaining a passport, travel document, or driver's license, or mortgage fraud, where the perpetrator may attempt to qualify for a mortgage by way of false statements.
A fraud can also be a hoax, which is a distinct concept that involves deliberate deception without the intention of gain or of materially damaging or depriving a victim..
While this may not seem related to our normal topics, it is essential for victims to understand the poor choices being made in local and regional governments. This places us all at risk, and only through voting can we choose smarter people. Cybercrime is near half of all crime now in places like the U.S., Canada, and the United Kingdom. But governments have done such a poor job in tracking this that only the UK really knows for certain its magnitude.
Elections have consequences and we need to choose smarter and more capable instead of politics. We need people that will uphold their oaths and protect their residents. The current crop is clearly lacking in their commitment and choices. But these are people that were chosen in elections – did you vote emotionally? Or did you vote for people that understand how to keep you safe? Next time we all need to choose better!
It is especially important for scam A Scam is a confidence trick - a crime - is an attempt to defraud a person or group after first gaining their trust through deception. Scams or confidence tricks exploit victims using their credulity, naïveté, compassion, vanity, irresponsibility, or greed and exploiting that. Researchers have defined confidence tricks as "a distinctive species of fraudulent conduct ... intending to further voluntary exchanges that are not mutually beneficial", as they "benefit con operators ('con men' - criminals) at the expense of their victims (the 'marks')". A scam is a crime even if no money was lost. victims to understand their decision-making both before and after their scams. But especially after the scam. Victims continue to make emotion-based decisions which lead to even more problems.
Only by acknowledging our mistakes and honestly assessing our poor choices can we change to make better ones! This is a big part of the reason why we present this. But it is also something that affects not only every American, but these are not unique to the U.S. – politicians around the work keep making bad choices and we keep rewarding them with returning them to office!
We need to make better choices everywhere!
Choices: A Cybersecurity Learning Lesson by Brett Johnson
Published on September 30, 2021, on LinkedIn.com
Fear means inaction. Fear means desperation. Fear means poor choices.
- Like States implementing emergency unemployment funds with literally no security in place.
- Like States giving criminals six months to steal as much money as they could before implementing security on those unemployment funds.
Then more Poor Choices:
Like States hiring a marketing company pretending to be a security company.
Fear caused it. Fear of a collapsing economy. Fear of not being able to get money out to people who needed it. Fear of not being able to stop criminals stealing billions of dollars.
Fear brought desperation. Desperation brought Poor Choices.
Oddly this isn’t another writeup with me slamming Slamming is when a phone company illegally switches you from your existing phone service company to their own service without your permission, then bills you for service you did not request. ID.me According to the company: ID.me simplifies how individuals prove and share their identity online - it provides secure identity proofing, authentication, and group affiliation verification for government and businesses across sectors. The company’s technology meets the highest federal standards for consumer authentication and is approved as a NIST 800-63-3 IAL2 / AAL2 conformant credential service provider by the Kantara Initiative. ID.me is the only provider with video chat and is committed to “No Identity Left Behind” to enable all people to have a secure digital identity.. I could, easily.
It is that little subconscious editor of mine. Bearded Dude. Chubby. RATM t-shirt and no idea how to use his in-door voice. Yeah, that Dude. He keeps screaming DO IT! ROAST THEM AGAIN! THIS ONE IS EASY!
I refuse. I’ve said all I need to about ID.me. I’ve pointed out the problems. I’ve helped give voice to victims. And I’ve spoken to enough reporters about the matter.
I’m done. No need to continue beating that dead horse.
This piece? This piece is about choices.
Smart Choices or Poor Choices.
Specifically, this is about making the Smart Choice when it comes to cybersecurity.
Paul Eckloff, PR Director at LexisNexis, posted an article published on Tucson.com regarding the unemployment fraud that has been eating the United States alive. Usually, I wouldn’t take the time to read it. I’m aware of the unemployment fraud problem. I know States failed miserably on security. I’m aware many States Chose Poorly when selecting a security company. And I’m more than aware of how much money has been stolen by criminals (which has prompted me to adopt the title of “The Only Fraudster A Scammer or Fraudster is someone that engages in deception to obtain money or achieve another objective. They are criminals that attempt to deceive a victim into sending more or performing some other activity that benefits the scammer. to Go Broke During the Pandemic.”)
So no, Virginia—I usually would not read another Unemployment Fraud article.
But Paul included a quote from Haywood Talcove, CEO LexisNexis Special Services and LexisNexis Risk Solutions Government. Talcove referred to Job Posting Scams and stolen identity fraud:
“There isn’t a bank, a financial institution, a hotel or an e-retailer that hasn’t solved this.”
That got my attention. Because I agreed with it. Talcove was right.
Thing is? Cybercrime isn’t Rocket Science. It isn’t sophisticated. Attackers don’t tend to be computer geniuses or criminal A criminal is any person who through a decision or act engages in a crime. This can be complicated, as many people break laws unknowingly, however, in our context, it is a person who makes a decision to engage in unlawful acts or to place themselves with others who do this. A criminal always has the ability to decide not to break the law, or if they initially engage in crime to stop doing it, but instead continues. masterminds.
Talcove knows that. His remark shows it.
I read the article.
Inside? A learning lesson. A lesson about the Smart Choices and Poor Choices of Cybersecurity.
Much of the article was about how crooks had defrauded the ID.me system by tricking real people into verifying themselves. I detail such in my Open Letter to ID.me. It’s a Nifty trick. Not complicated. Not difficult. Just a basic Social Engineering Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It is used as a type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
It has also been defined as "any act that influences a person to take any action that may or may not be in their best interests." Scam. But a very successful basic Social Engineering Scam.
Talcove talks about the scam. Everyone knows it was successful—criminals, security companies, news media, State unemployment offices. Hell, even ID.me knows it was successful. Talcove then says what really needs said:
“There isn’t a bank, a financial institution, a hotel, or an e-retailer that hasn’t solved this. Identity verification tools in the private sector can actually mitigate this…It’s not a hard problem to solve and it’s not an expensive problem to solve.” Talcove goes on to say you can’t eliminate all fraud, but that a 10%-50% fraud rate is unacceptable.
Groovy. The man gets it. He understands. He’s got the experience to realize the Truth of the matter.
But then a curious thing happens.
An ID.me spokesperson, @Madison Pappas, chimes in and says Talcove is being misleading. I take issue with that. He wasn’t. Talcove just said people should already know.
I also take issue with Pappas highlighting the ID.me achievements without discussing their myriad problems. But hey, that’s her job. What else is she gonna do, say things have been a real clusterf__k over there?
Sorry, got off topic a second. Had to step away from the PC. Subcon Editor Dude started screaming NOW! NOW! I almost went there, too. I really wanted to dissect what Pappas said and tear it apart. But I didn’t. It would have been fun. I would have had a blast. But I didn’t. I chose the Nobler Path—The Learning Lesson. The Subcon Editor Dude slunk away.
So let me get back on topic:
The Learning Lesson of Smart Cybersecurity Choices
I read the article. Then I sat on it. An idea was forming in my head and I wanted to give it time to ferment. See if it would turn into Whiskey or Rotgut. I gave it time.
We have a situation where the security provider did not fully understand the threat landscape. Bluntly put–They didn’t know how much fraud was coming their way or the types that were going to be perpetrated.
That is not uncommon. Many a new business opened or product launched doesn’t anticipate how fraud might hit. Then fraud comes knocking. The company or product team then adjusts and learns what they need to do to combat the problem. Not uncommon. Chalk it up to inexperience.
But that same type of inexperience when dealing with a security company? Not acceptable. Especially when dealing with multi-billion dollar fraud that redefined cybercrime.
The primary problem was States chose a security company too inexperienced and ill-prepared to combat the crime coming their way. ID.me would slowly learn as any business or product provider would when first encountering fraud. They would adjust and learn how to fix the problems. But since it was a security company? The problems would be exacerbated.
ID.me certainly stopped some fraud. No question in that. But their inexperience resulted in criminals using known techniques to defraud their system. Their ill-preparedness resulted in countless Americans in need being denied the funds to which they were entitled. Their business model resulted in serious privacy concern questions.
To me that boils down to inexperience. ID.me didn’t know what was coming and then had to learn how to handle it. They are still learning. That’s a problem only made worse as ID.me struggles with being both a marketing company and security company, as well as dealing with a CEO who likes to victim blame Blame or Blaming is the act of censuring, holding responsible, making negative statements about an individual or group that their action or actions are socially or morally irresponsible, the opposite of praise. When someone is morally responsible for doing something wrong, their action is blameworthy. By contrast, when someone is morally responsible for doing something right, we may say that his or her action is praiseworthy. Blame imparts responsibility for an action or act, as in that they made a choice to perform that act or action..
There he goes again. Subcon Editor Dude saw what I just typed and started screaming NOW! But there was faint hope in that scream. Ah! He just bowed his head in defeat and whispered, “now?” I pity Subconscious Editor Dude. I admit to him it is a struggle to keep from bringing the hammer out. Yes, the struggle is real.
Talcove’s remarks show a person and a company with a degree of experience and an understanding of a threat only years of experience can give.
The Pappas remarks and the actions of ID.me show a company which simply hasn’t reached that level yet.
Herein lies the lesson.
Smart Choices versus Poor Choices.
No one remembers the smart decisions which are made. No one remembers those people or the good they brought by making a Smart Choice.
Everyone remembers the Poor Choices. Everyone remembers who made that decision. And everyone talks about them constantly.
For those States which chose an inexperienced company to provide security? It was a Poor Choice. Look at the criminals hitting the system. Look at the legitimate people denied benefits because of the friction the system created and because of the lack of proper customer service. Look at the privacy concerns.
Look at the problems.
Those things will be remembered. At some point a reckoning will take place. That’s the way the universe works. Poor Choices are remembered. See? That’s me being an optimist. I’m a guy who sees the donut, not the hole. Mmm, Donuts. Maybe a delicious glazed one will get Editor Dude smiling? I ask him. His frown grudgingly turns upside down.
Look at the problems. Then ask if those things would have happened with an experienced group.
- Certainly the friction caused legitimate benefit seekers would not have happened.
- Certainly known techniques criminals used to defraud the system would not have worked.
- Certainly an experienced security company would not have had those privacy issue concerns.
And the Big Question? Would an experienced security company have stopped the same amount of fraud that ID.me did?
More. An experienced security company would have stopped more. Why? Because ID.me had to learn the landscape. They had to learn the lessons of true fraud. They had to learn how to deal with the fraud. All lessons which an experienced company would have already learned.
An experienced company would not have had the issues seen and would have stopped more fraud as a result. As Talcove indicated—It isn’t complicated. And it isn’t expensive.
Experience matters. A lot.
Those 33 States were basically Beta Testers for the ID.me product. States used the product and let those problems occur while ID.me learned some real lessons of fraud and gained some experience.
Problem is? When it comes to stuff like this—You don’t want to be a Beta Tester. You want the finished product.
Time to say that I’m not plugging LexisNexis. I like LexisNexis, but there are many companies providing exceptional services. All it takes is some basic research to find one.
And I am not saying start-ups are bad. There are many Start-Ups offering very promising technology and products. Those Start-Ups have some extremely good, experienced people steering the company. I am all for Start-Ups.
I am saying that experience matters. Especially when signing on a security company. Think before you hire. Don’t just swallow the Cybersecurity Pillow Talk. Do some research. Is the company experienced? Are the people in the company experienced? Can the company handle the problems your organization has. Does your decision have an element of desperation attached? If so?