Several years ago, Brett Johnson was unfamiliar to most Card Not Present readers. In an effort to walk a different path, the former hacker and fraudster—a man who not only pioneered many of the fraud techniques merchants still face today, but also was responsible for disseminating criminal knowledge wider than it ever had been before—began to tell his story publicly.
We invited Brett to speak about his experiences at CNP Expo 2017. Since then, he has worked tirelessly to share with the e- and m-commerce merchant industry his encyclopedic knowledge of fraud and the mindset of the criminals who make their living stealing from businesses. In addition to a full schedule of consulting gigs and speaking engagements, last summer Brett teamed with e-commerce fraud veteran Karisse Hendrick on a weekly podcast called The Online Fraudcast.
Brett is back at CNP Expo this year. The duo will record an episode of The Online Fraudcast live on our keynote stage to open the first full day of CNP Expo 2019 next month. We caught up with Brett recently to talk about using the Internet for good instead of evil and what has changed in fraud since he put on a white hat.
CNP Editor-in-Chief D.J. Murphy: Consulting with businesses is fairly common for former bad guys. Streaming their story weekly to thousands over the Internet is not. How did The Online Fraudcast originate?
Brett Johnson: Even when I was breaking the law, I’ve always been all about getting information out. I’ve never thought there should be any gates preventing people from getting the information they need. So, whether I’m charging for it or not, I’m all about telling people exactly the information I have and trying to help them. I do a lot of speaking and consulting on fraud issues, but getting word out to everyone is a chore. The biggest issue right now is raising awareness, not just with consumers but with companies. So, I had to ask, what’s the best way to get information out to people to raise awareness about cybercrime, how criminal groups operate and how to protect yourself?
Through CNP, Karisse and I became friends. On a trip to Seattle, I had dinner with her and her husband. As he was listening to us banter together and tell stories about our experiences with fraud, he just said “you ought to do a podcast together.” As someone looking for a platform to share this knowledge, it sounded like a perfect idea. We got lucky with representation and advice and here we are eight months later with 30 episodes in the can.
CNP: Given your very different backgrounds, the two of you are like a fraud “Odd Couple.” But it seems to work well.
BJ: We get along really well. We’re really good friends, but she knows that while I’m not a criminal anymore, deep inside I come from that dark place. She says I’m like a North Korean defector: you can tell us all these secrets, but I still have the criminal mindset behind it all. We love each other, we have great rapport and our perspectives complement each other very well. Having those differing perspectives definitely gets the information out more effectively.
CNP: Do you have an episode that has been most memorable for you?
BJ: I’m still the guy that’s trying to reconcile the childhood I had with my choices as an adult and we talk about that occasionally. While I can’t say I like those podcasts, they’re definitely the ones that are the most memorable for me. I’m still coming to terms with my choices as an adult and talking about them is most valuable to me as I try to be a better person.
CNP: In your daily life, is it more difficult to be a good guy or a bad guy?
BJ: On a day-to-day basis it’s much more difficult to be a bad guy, mostly because of the isolation. I didn’t have friends for 30 years. When you’re a criminal you don’t have friends, you have associates. When you leave prison, you’re told to find something you care about and you will have an easier time staying out. It really took until this year for me to understand “find something you care about.” I’ve got a great family now, great friends and all these people that have given me a chance to do good. All this stuff to care about now that I never had before. It’s very humbling and I’m very grateful for it.
CNP: From a tactical perspective, is there anything you’ve learned working on the good side you didn’t know when you were breaking the law?
BJ: Books could be written about what I didn’t know. The biggest thing was, I assumed companies shared information with each other. But, I find many times they use fraud as a competitive advantage instead, not sharing with competitors because they believe it makes their competitors more susceptible to fraud than they are. I think that’s incredibly short-sighted. Yeah, right now you’re taking care of the fraud on your platform. But your competitor likely has information you don’t have that could help you. It’s only by sharing information across the board by networking with people and having an understanding of how fraud works across the board that we can see fraud numbers decrease for everyone.
The criminals are all about an open-source environment. Information is shared, exchanged, sold. There’s an open platform on the fraud side of things where criminals network, exchange information and learn to be better criminals. We don’t see that enough on the good side of things. We see the good guys compartmentalize things, hide information. There are a few places to go for this, but we’re not getting better at it fast enough.
CNP: What is the most pernicious fraud trend today?
BJ: There are a couple things going on. Humans are still the greatest weakness in any system. Spearphishing is successful 86 percent of the time. Doesn’t matter the amount of training the recipient has, it’s still that effective. That’s the reason we see more compromises, it’s the reason criminals don’t worry about hacking through an industrial firewall. So that’s number one: understand, as a company and an individual, you’re going to be phished and that the chances of you falling for it are pretty high.
Another thing we’re seeing more and more of is the idea of criminals using merchants’ fraud systems against them. In this type of fraud a criminal goes to a site with stolen account information, buys a small product and ships it to the legitimate owner of the account. Once that product successfully ships, the device he used, his IP number and his geolocation have been whitelisted in the fraud system. Now the criminal can use that device and make changes to the account without flags being raised.
There’s also the idea of using AI. While the good guys are using it, they’re not the only ones. Upper-tier criminal organizations are using machine learning and AI to recognize patterns in what is being used against them and gain entry into different systems.
CNP: How has fraud prevention changed for the better?
BJ: When I first started working for the good guys, there was an essential misunderstanding among them about what the face of fraud was. Companies knew there was a problem, but they simply didn’t understand how organized it was, how simple a lot of these crimes were to commit. We’re seeing businesses come to terms with the fact they are fighting foes that span countries and borders. And that, while the criminal organizations are sophisticated, the frauds being perpetrated are mostly simple. This recognition is helping them in their efforts.
CNP: What can businesses be doing to protect themselves better?
BJ: Get better at sharing information with competitors, get better at training people to live safer online lives (rather than just security awareness training at work) and get rid of passwords.