Brett Johnson

To Be or Not To Be: Commenting on Specific Company Problems

Recently I was presenting at a conference and said a bank name during the presentation.  OK, more than that.  I said I hated the bank and then called them assholes.  Poor choice of words.  Calling a bank an asshole—and yes, they were in the audience—is not productive.  The idea is to generate conversation and incite change, not act in an adversarial way which shuts down communication.  I screwed up, bad.  For that I apologize.

Of course, the bank was lined up after the presentation.  The banking guy was dead last in line and he got to hear a few merchants telling me they appreciated my honesty.  Then he got to hear an NPR reporter say how great the presentation was and how my honesty toward that bank was a breath of fresh air.  Then the bank guy steps up to say, “I’m with that bank, Brett.”

Well, shit.

I stand by what I say.  And I say things for a reason.  I just don’t pull comments out of my ass.  I apologized to the gentleman for the way I said it and defended my comment about really not liking the bank.  Reasons?

The bank is one of the prime sources organized cybercriminals use to commit synthetic fraud. 

The bank is—based on darkweb chatter and my own testing— a prime target for New Account Fraud.

Based on my personal experience the bank has a culture unwilling to listen to outside information causing me to think it possible they don’t listen to inside information or to their customers. 

The bank’s relationship with merchant clients has often been negative:

Contracts sent to some merchants are such that it only benefits the bank.

The bank has been known to practice questionable methods when taking money back from merchants.

The bank has in the past blamed merchants for its own failures:  Approving fraudulent new accounts and then faulting the merchant for accepting those accounts.

I laid those reasons out to the bank guy.  He was not happy.  His response was there were people in the audience that were his customers. 

My thought was: if they are customers, they probably already know it.

I said I understood.  I was sorry for making a poor word choice in calling them assholes.  I went on to offer to use my next breakout session to discuss my thoughts toward the bank.  He and I could have a beneficial conversation publicly if he wanted.  No.  I then offered to sit down and write a joint article with him addressing my concerns and how this bank was addressing those.  Likely a no.  I finally said I was willing to work with him in a beneficial way to address his issues and to also help address the problems inherent in the bank itself. 

Finally, I agreed to have the mention of that bank edited from the recording of the presentation.

I wasn’t happy with editing.  But considering I called them assholes?  I figured it was something which should be done. 

I’ve been weighing that conversation and my action on stage.  No doubt I stepped over the line.  What I did was wrong.  I know that and it won’t happen again.   

The bigger question, and something I’ve discussed with friends and contacts, is whether it’s proper to mention a specific company name to an audience.  Does mentioning a name only bring harm?  Harm not only to the organization named, but to other companies who focus only on the named group and not their own problems.

I’ve named groups before, but not often.  In almost three years of keynote speaking, media interviews, and podcasts I’ve publicly mentioned 6-7 specific organizations in a negative manner:

Facebook.  Why?  Because they allow criminal content on their platform.  Because their privacy initiative is, in my opinion, a façade.  Because Facebook is one of the most important companies in the world not to be protecting people.

Stripe.  Because crooks set up fake stores and launder stolen credit cards through them.  Previously one of the most popular targets for fraudsters.

Capital One.  Because it is a first stop for many Synthetic Fraudsters. 

Amazon.  Because the refunding scams at Amazon literally redefined the dynamic of organized cybercrime. 

BeenVerified and other similar background lookup sites.  Because criminals REGULARLY use those services to help steal identities.

Synchrony.  Because of darkweb criminal chatter concerning synthetic fraud and new account fraud.  Because of my perception of them having an environment of non-communication.  Because of complaints of customers too scared to voice concerns themselves.

LifeLock.  Is a reason even needed? 

I’m probably leaving one or two out.  Plus, sometimes I gotta mention Equifax and laugh maniacally.  Others may pop up depending on the news cycle or whatever company is the victim of a cyberattack that week.

Of those companies mentioned several have taken steps to address problems. 

CapOne is doing amazing work fighting fraud.

Synchrony is getting better.  They are concerned about the security of their organization and of their customers.  They’ve made strides in bettering relationships with merchants.

Amazon has made significant progress in battling the refunding fraud.

Facebook, BeenVerified, LifeLock?  Don’t get me started.  I think Facebook needs to be broken up.  Services like BeenVerified need to be highly regulated.  LifeLock just needs to vanish from the planet.

I mention many groups in a positive light and praise the work they do:  CBTx, Neustar, Sift, Ativo, Braintrace, Digital Shadows, CapOne, Amex, Discover, Visa, Arkose, Looking Glass, Emailage, Identity Guard, Microsoft, Newegg, BHPhoto, Radial, ThreatMetrix, Elavon, Splunk, and countless more.

Is it wrong to mention a specific organization negatively?  It might cause other organizations to focus on the company named and not the lesson to be learned about their own group.  It might cause the named company to completely shut down any beneficial lines of communication which might bring change.  It might cause the employees of the named company to feel that their efforts toward doing the right thing aren’t appreciated.  It might cause other companies to fear being named in the future.

All valid concerns.

I think naming a group depends.  If it’s an organization that doesn’t “Get It”, I think yes.  If an organization is seriously screwing things up or is mistreating its customers, I say yes.  If the organization is experiencing an attack or fraud which is endangering its customers or is likely to endanger other organizations, I say yes.  If not discussing it specifically means further harm will happen, I say yes.

That doesn’t mean you throw every group under the bus.  I’ve publicly mentioned very few.  I tend not to mention specific companies where the attacks or types of fraud are present across a variety of groups.  No need to finger a specific organization if many groups are experiencing the same.  And I don’t mention organizations who I feel are trying to do the right thing, except to give them credit.  All groups have security and fraud problems.  How an organization is handling those problems should always be considered.

I’ve been told mentioning specific names could damage my speaking and consulting career.

I don’t expect Facebook to ever bring me in to speak.  My feelings toward them are well documented.  The same goes for LifeLock.  I’m sure they can guess what I would say. 

Or maybe they would bring me in.  Capital One booked me knowing I was critical of their synthetic fraud problem.  We had a conversation prior to speaking.  I made it clear I wasn’t coming to hammer or to fight.  I wanted a beneficial conversation.  That is exactly what happened.  The work they are doing at CapOne is impressive.

Not everyone is CapOne.  I likely will lose potential clients along the way.

I’m finding out there are things more important than money.  Strange for a former criminal to say, but true.  Family and friends are more important.  Honesty and Integrity are more important.  I was a liar for many years.  I lied to family and friends.  I lied to people I didn’t know.  I don’t do that anymore.  I work to tell the truth.  I’m not always right.  When I screw up, I address it as soon as possible, as in the case of me calling a bank a bunch of assholes.

Telling the Truth is important to me.  For me, it is part of continuing my journey toward becoming a healthy, productive person.  For me telling the Truth means if you know something which can help others and you don’t share it, you are being dishonest.  It means lies also happen by omission.

Not mentioning something a specific organization is doing wrong means customers and potential customers might be ignorant of what’s happening.  It means members of that organization might be unaware of what’s going on.  It means by not sharing information people are at risk.

Since I started this career, I’ve preached the necessity of sharing information.  If organizations shared information regarding cyber attacks and the way they were being defrauded other groups would know what to expect and what to look for from attackers.  Not sharing information means a criminal continues to have easy targets to exploit.  Not sharing information means the bad guys continue to win. 

Take Amazon.  Amazon started getting hit with refunding fraud on a large scale around 2013.  Simple:

Sign on for a Prime Free Trial.  Order a Macbook Pro using your card, your name, your address.  The Macbook arrives two days later.  Contact Amazon and tell them you didn’t receive it.  Amazon sends out another.  Contact Amazon and tell them you didn’t get that one either.  Amazon gives a full refund.  It was called “Double-Dipping”.  It worked like that for three years.  Laptops, 65” TVs, living room sofas.  The crime was so popular and profitable it redefined the way beginning cybercriminals operate.  Before, a new guy would buy stolen credit card details and try to defraud a merchant with varying degrees of success.  Because of Amazon refunding, new criminals now start with refunding fraud, profit always, and then learn other crimes while profiting.
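As an added illustration (not part of the original post, and not Amazon’s actual fraud controls), here is a small Python heuristic that scores order records for the double-dipping pattern just described: a “not received” claim filed against a replacement shipment, on a fresh free-trial account, for a high-value item, with the two claims close together.  The account, order and claim records are constructed for the example, and the thresholds (30-day new-account window, $500 high-value cutoff, 7-day repeat window, flag at score 3) are assumptions, not values from the post.

```python
"""Heuristic detector for the 'double-dipping' refund pattern.

Added example only: the rules are derived from the pattern described in the
text, the records below are constructed, and the thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Account:
    account_id: str
    created: datetime


@dataclass(frozen=True)
class Order:
    order_id: str
    account_id: str
    placed: datetime
    value_usd: float


@dataclass(frozen=True)
class Claim:
    """A customer's 'item not received' report against one shipment of an order."""
    order_id: str
    filed: datetime
    shipment_no: int   # 1 = original shipment, 2 = first replacement, ...
    outcome: str       # what support did in response: "reship" or "refund"


def score_order(account: Account, order: Order, claims: List[Claim],
                new_account_days: int = 30, high_value_usd: float = 500.0,
                repeat_window_days: int = 7) -> Tuple[int, List[str]]:
    """Score one order; each rule maps to one element of the double-dip pattern."""
    claims = sorted(claims, key=lambda c: c.filed)
    if not claims:
        return 0, []                       # nothing was claimed, nothing to score
    score, reasons = 0, []
    if any(c.shipment_no >= 2 for c in claims):
        score += 2                         # the double dip itself: the replacement "never arrived"
        reasons.append("not-received claim against a replacement shipment")
    if order.placed - account.created <= timedelta(days=new_account_days):
        score += 1                         # fresh (free-trial style) account
        reasons.append("order placed on a new account")
    if order.value_usd >= high_value_usd:
        score += 1                         # laptops, TVs, sofas
        reasons.append("high-value order")
    if len(claims) >= 2 and claims[1].filed - claims[0].filed <= timedelta(days=repeat_window_days):
        score += 1                         # second claim hot on the heels of the first
        reasons.append("second claim within %d days of the first" % repeat_window_days)
    return score, reasons


def flag_orders(accounts: List[Account], orders: List[Order], claims: List[Claim],
                threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (order_id, score, reasons) for every order at or above the threshold."""
    by_id = {a.account_id: a for a in accounts}
    claims_by_order: Dict[str, List[Claim]] = {}
    for c in claims:
        claims_by_order.setdefault(c.order_id, []).append(c)
    flagged = []
    for o in orders:
        score, reasons = score_order(by_id[o.account_id], o, claims_by_order.get(o.order_id, []))
        if score >= threshold:
            flagged.append((o.order_id, score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


# Constructed sample data (assumed for the example; not real accounts or orders).
SAMPLE_ACCOUNTS = [
    Account("acct-A", datetime(2013, 3, 1)),    # brand-new trial account
    Account("acct-B", datetime(2011, 6, 15)),   # long-standing customer
    Account("acct-C", datetime(2013, 2, 20)),   # new account, only one claim so far
]
SAMPLE_ORDERS = [
    Order("ORD-A1", "acct-A", datetime(2013, 3, 2), 2199.0),   # laptop
    Order("ORD-B1", "acct-B", datetime(2013, 3, 4), 49.0),     # headphones
    Order("ORD-C1", "acct-C", datetime(2013, 3, 3), 1299.0),   # TV
]
SAMPLE_CLAIMS = [
    Claim("ORD-A1", datetime(2013, 3, 5), 1, "reship"),   # "never arrived", replacement sent
    Claim("ORD-A1", datetime(2013, 3, 9), 2, "refund"),   # "that one didn't arrive either"
    Claim("ORD-B1", datetime(2013, 3, 10), 1, "refund"),  # ordinary single claim
    Claim("ORD-C1", datetime(2013, 3, 6), 1, "reship"),   # first claim only
]


def run_sample() -> List[Tuple[str, int, List[str]]]:
    return flag_orders(SAMPLE_ACCOUNTS, SAMPLE_ORDERS, SAMPLE_CLAIMS)


if __name__ == "__main__":
    for order_id, score, reasons in run_sample():
        print(order_id, score, "; ".join(reasons))
```

On the constructed data only ORD-A1 is flagged: it hits every rule (score 5), while the new account with one claim on a TV scores 2 and stays below the threshold, which is the point of weighting the replacement-shipment claim highest.  Real deployments would add address and payment-instrument reuse across accounts, since the pattern repeats across many fresh accounts rather than one.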

Amazon locked down the refunding fraud problem after several years.  It’s still possible to defraud Amazon with refunding, but much harder.  A huge problem was Amazon never shared any information with any other company about the fraud and how fraudsters were operating.  Lack of information meant fraudsters were then successful at Apple, Microsoft, and countless other merchants.  Not sharing information meant criminals were better able to attack other victims. 

I preach about exchanging information.  Telling others about vulnerabilities and attack methods means precautions can be taken and a criminal is less likely to succeed.  I believe sharing information is one of the only ways we combat the security and online crime problems which are so prevalent today.  Only by raising awareness and educating everyone across the board do we combat this problem.  I don’t believe that hiding in the shadows and talking around specific vulnerabilities at organizations is effective for anyone but criminals.

Mentioning specific names?  My opinion is yes, but with consideration.  And never to do it as I erred a few days ago.  Always do it in a constructive manner.  Or at least try.  Some organizations you just can’t be nice to, like Facebook and LifeLock.  (Please note, I’m aware there are many fine people at both of those companies.  You do a good job.  I’m not fingering you.  I’m fingering the Mark Zuckerbergs and Todd Davises of the world.)
