Good Choices / Bad Choices
Every Victim Understands The Role Choices Play In Their Safety & Security – Sadly Governments Do Not Understand This Still To This Day!
In this editorial, Brett Johnson, a member of the SCARS Advisory Board, talks about the choices made by U.S. governments that leave the door wide open for scams and fraud.
While this may not seem related to our normal topics, it is essential for victims to understand the poor choices being made in local and regional governments. This places us all at risk, and only through voting can we choose smarter people. Cybercrime is nearly half of all crime now in places like the U.S., Canada, and the United Kingdom. But governments have done such a poor job in tracking this that only the UK really knows for certain its magnitude.
Elections have consequences, and we need to choose smarter and more capable people instead of politics. We need people who will uphold their oaths and protect their residents. The current crop is clearly lacking in their commitment and choices. But these are people who were chosen in elections – did you vote emotionally? Or did you vote for people who understand how to keep you safe? Next time we all need to choose better!
It is especially important for scam victims to understand their decision-making both before and after their scams. But especially after the scam. Victims continue to make emotion-based decisions which lead to even more problems.
Only by acknowledging our mistakes and honestly assessing our poor choices can we change to make better ones! This is a big part of the reason why we present this. But it is also something that affects more than every American: these problems are not unique to the U.S. – politicians around the world keep making bad choices and we keep rewarding them by returning them to office!
We need to make better choices everywhere!
Choices: A Cybersecurity Learning Lesson by Brett Johnson
Published on September 30, 2021, on LinkedIn.com
Fear means inaction. Fear means desperation. Fear means poor choices.
- Like States implementing emergency unemployment funds with literally no security in place.
- Like States giving criminals six months to steal as much money as they could before implementing security on those unemployment funds.
Then more Poor Choices:
- Like States hiring a marketing company pretending to be a security company.
Fear caused it. Fear of a collapsing economy. Fear of not being able to get money out to people who needed it. Fear of not being able to stop criminals stealing billions of dollars.
Fear brought desperation. Desperation brought Poor Choices.
Oddly this isn’t another writeup with me slamming ID.me. I could, easily.
It is that little subconscious editor of mine. Bearded Dude. Chubby. RATM t-shirt and no idea how to use his indoor voice. Yeah, that Dude. He keeps screaming DO IT! ROAST THEM AGAIN! THIS ONE IS EASY!
I refuse. I’ve said all I need to about ID.me. I’ve pointed out the problems. I’ve helped give voice to victims. And I’ve spoken to enough reporters about the matter.
I’m done. No need to continue beating that dead horse.
This piece? This piece is about choices.
Smart Choices or Poor Choices.
Specifically, this is about making the Smart Choice when it comes to cybersecurity.
Paul Eckloff, PR Director at LexisNexis, posted an article published on Tucson.com regarding the unemployment fraud that has been eating the United States alive. Usually, I wouldn’t take the time to read it. I’m aware of the unemployment fraud problem. I know States failed miserably on security. I’m aware many States Chose Poorly when selecting a security company. And I’m more than aware of how much money has been stolen by criminals (which has prompted me to adopt the title of “The Only Fraudster to Go Broke During the Pandemic.”)
So no, Virginia—I usually would not read another Unemployment Fraud article.
But Paul included a quote from Haywood Talcove, CEO LexisNexis Special Services and LexisNexis Risk Solutions Government. Talcove referred to Job Posting Scams and stolen identity fraud:
“There isn’t a bank, a financial institution, a hotel or an e-retailer that hasn’t solved this.”
That got my attention. Because I agreed with it. Talcove was right.
Thing is? Cybercrime isn’t Rocket Science. It isn’t sophisticated. Attackers don’t tend to be computer geniuses or criminal masterminds.
Talcove knows that. His remark shows it.
I read the article.
Inside? A learning lesson. A lesson about the Smart Choices and Poor Choices of Cybersecurity.
Much of the article was about how crooks had defrauded the ID.me system by tricking real people into verifying themselves. I detail such in my Open Letter to ID.me. It’s a Nifty trick. Not complicated. Not difficult. Just a basic Social Engineering Scam. But a very successful basic Social Engineering Scam.
Talcove talks about the scam. Everyone knows it was successful—criminals, security companies, news media, State unemployment offices. Hell, even ID.me knows it was successful. Talcove then says what really needs said:
“There isn’t a bank, a financial institution, a hotel, or an e-retailer that hasn’t solved this. Identity verification tools in the private sector can actually mitigate this…It’s not a hard problem to solve and it’s not an expensive problem to solve.” Talcove goes on to say you can’t eliminate all fraud, but that a 10%-50% fraud rate is unacceptable.
Groovy. The man gets it. He understands. He’s got the experience to realize the Truth of the matter.
But then a curious thing happens.
An ID.me spokesperson, Madison Pappas, chimes in and says Talcove is being misleading. I take issue with that. He wasn’t. Talcove just said people should already know.
I also take issue with Pappas highlighting the ID.me achievements without discussing their myriad problems. But hey, that’s her job. What else is she gonna do, say things have been a real clusterf__k over there?
Sorry, got off topic a second. Had to step away from the PC. Subcon Editor Dude started screaming NOW! NOW! I almost went there, too. I really wanted to dissect what Pappas said and tear it apart. But I didn’t. It would have been fun. I would have had a blast. But I didn’t. I chose the Nobler Path—The Learning Lesson. The Subcon Editor Dude slunk away.
So let me get back on topic:
The Learning Lesson of Smart Cybersecurity Choices
I read the article. Then I sat on it. An idea was forming in my head and I wanted to give it time to ferment. See if it would turn into Whiskey or Rotgut. I gave it time.
We have a situation where the security provider did not fully understand the threat landscape. Bluntly put–They didn’t know how much fraud was coming their way or the types that were going to be perpetrated.
That is not uncommon. Many a new business opened or product launched doesn’t anticipate how fraud might hit. Then fraud comes knocking. The company or product team then adjusts and learns what they need to do to combat the problem. Not uncommon. Chalk it up to inexperience.
But that same type of inexperience when dealing with a security company? Not acceptable. Especially when dealing with multi-billion dollar fraud that redefined cybercrime.
The primary problem was States chose a security company too inexperienced and ill-prepared to combat the crime coming their way. ID.me would slowly learn as any business or product provider would when first encountering fraud. They would adjust and learn how to fix the problems. But since it was a security company? The problems would be exacerbated.
ID.me certainly stopped some fraud. No question in that. But their inexperience resulted in criminals using known techniques to defraud their system. Their ill-preparedness resulted in countless Americans in need being denied the funds to which they were entitled. Their business model resulted in serious privacy concern questions.
To me that boils down to inexperience. ID.me didn’t know what was coming and then had to learn how to handle it. They are still learning. That’s a problem only made worse as ID.me struggles with being both a marketing company and security company, as well as dealing with a CEO who likes to victim blame.
There he goes again. Subcon Editor Dude saw what I just typed and started screaming NOW! But there was faint hope in that scream. Ah! He just bowed his head in defeat and whispered, “now?” I pity Subconscious Editor Dude. I admit to him it is a struggle to keep from bringing the hammer out. Yes, the struggle is real.
Talcove’s remarks show a person and a company with a degree of experience and an understanding of a threat only years of experience can give.
The Pappas remarks and the actions of ID.me show a company which simply hasn’t reached that level yet.
Herein lies the lesson.
Smart Choices versus Poor Choices.
No one remembers the smart decisions which are made. No one remembers those people or the good they brought by making a Smart Choice.
Everyone remembers the Poor Choices. Everyone remembers who made that decision. And everyone talks about them constantly.
For those States which chose an inexperienced company to provide security? It was a Poor Choice. Look at the criminals hitting the system. Look at the legitimate people denied benefits because of the friction the system created and because of the lack of proper customer service. Look at the privacy concerns.
Look at the problems.
Those things will be remembered. At some point a reckoning will take place. That’s the way the universe works. Poor Choices are remembered. See? That’s me being an optimist. I’m a guy who sees the donut, not the hole. Mmm, Donuts. Maybe a delicious glazed one will get Editor Dude smiling? I ask him. His frown grudgingly turns upside down.
Look at the problems. Then ask if those things would have happened with an experienced group.
- Certainly the friction caused legitimate benefit seekers would not have happened.
- Certainly known techniques criminals used to defraud the system would not have worked.
- Certainly an experienced security company would not have had those privacy issue concerns.
And the Big Question? Would an experienced security company have stopped the same amount of fraud that ID.me did?
More. An experienced security company would have stopped more. Why? Because ID.me had to learn the landscape. They had to learn the lessons of true fraud. They had to learn how to deal with the fraud. All lessons which an experienced company would have already learned.
An experienced company would not have had the issues seen and would have stopped more fraud as a result. As Talcove indicated—It isn’t complicated. And it isn’t expensive.
Experience matters. A lot.
Those 33 States were basically Beta Testers for the ID.me product. States used the product and let those problems occur while ID.me learned some real lessons of fraud and gained some experience.
Problem is? When it comes to stuff like this—You don’t want to be a Beta Tester. You want the finished product.
Time to say that I’m not plugging LexisNexis. I like LexisNexis, but there are many companies providing exceptional services. All it takes is some basic research to find one.
And I am not saying start-ups are bad. There are many Start-Ups offering very promising technology and products. Those Start-Ups have some extremely good, experienced people steering the company. I am all for Start-Ups.
I am saying that experience matters. Especially when signing on a security company. Think before you hire. Don’t just swallow the Cybersecurity Pillow Talk. Do some research. Is the company experienced? Are the people in the company experienced? Can the company handle the problems your organization has? Does your decision have an element of desperation attached? If so?