Reformed cybercrook hacks his audience at industry event

Register now

CHICAGO — Forget the stereotype that a cybercriminal has to be tech-savvy to get the job done. Their true gift is in social engineering.

Brett Johnson, a former cybercrook whom federal law enforcement officials called the "Original Internet Godfather" and a scammer who moved to the top of the FBI's most wanted list of cybercriminals, has served three prison sentences for his crimes. Today, he works for security agencies and advises major companies and banks about how to protect themselves and their customers from people like him.

"Everyone's information is already out there," Johnson said during his keynote presentation at this week's annual Midwest Acquirers Association conference. "About 6.2 billion records were compromised in the last year."

To the shock of a couple of acquirers at the conference, Johnson showed he had obtained all of their personal information — and displayed it on a screen — even though he had just met them the night before. It was a quick case study in what a hacker can do on social media and other databases, simply by knowing a name and where a person is from.

The skill sets that cybercriminals bring to their trade put nearly every payment cardholder or bank account holder at risk in this era of nonstop breaches, massive data sales on the dark web and relatively easy creation of new accounts with fake identities, Johnson said.

Johnson was convicted as a co-creator of "Shadowcrew," a 2002 website that supported credit card number sales as well as various forums in which the latest information on hacking tricks, card fraud, virus development and phishing could be obtained.

He was well aware of the likes of Albert Gonzalez, one of the chief engineers of Shadowcrew and the person found in possession of the site's server. Gonzalez turned out to be an FBI informant, later admitting to some of the biggest retail card breaches in the country.

Johnson spent more than seven years in federal prison for various crimes, from his involvement with the ShadowCrew site to card-not-present fraud, tax fraud, pirating cable TV signals, creating fake IDs and taking part in the early days of the modern credit card scamming.

He became proficient at the "credit card dump," or the theft of the second data track on a card magstripe, which carried the most important information for duplicating cards.

In 2011, an FBI agent who read about his exploits approached Johnson about helping protect the U.S. financial network. Because Johnson had spent so much time in prison, and he had met a woman who trusted him and wanted a better life for him, Johnson agreed to change.

It ultimately led to an advisory role and numerous presentations to businesses to help merchants, banks and processors protect payment card data.

It turns out that Johnson isn't providing any secret tricks, even though he does explain in detail how certain information is obtained and distributed to vast networks of criminals.

Protection all comes down to the basic fundamentals of monitoring accounts, establishing strong passwords, freezing the credit files of children, and being extremely careful about what kind of information you share online, over the phone or in person. Businesses and merchants have to establish strong security policies that every employee in the company has to follow.

Johnson estimates that 92% of all breaches begin with a phishing attack because "it is easier to ask for access" to a network than it is to try to decipher code, infiltrate with malicious software and hunt through a network for the data hiding places.

"There is no patch for human stupidity," he added.

In many cases, a scammer can purchase a "Fullz" online, which is a complete identity profile of a person. When a "Fullz" is obtained, the criminal can easily open new accounts under the stolen identity.

"The toughest thing to find out is a woman account holder's maiden name," Johnson said. "That takes some extra research, but those who are good at social engineering will just call a bank and give any name in hopes it is the correct one."

When the guess of "Johnson" is not correct, the fraudster will insist that it is correct and provide all of the other information they have on a stolen account, Johnson said. "After a while, the customer service person at the bank will give in and let the account be changed or a new one open without the maiden name given," he said. "That's social engineering at work."

A stolen identity accounts for more than 80% of all new account fraud, with losses of more than $50 billion in the last year, Johnson said.

Various security factors do help, especially using a password manager service, Johnson said. Far too many people, at 82%, use the same password or a simple variation of it on all of their accounts, he added, citing security industry data he has compiled for his presentations.

Acquirers should be diligent in reminding their clients, as well as themselves, to apply all security updates to computers, phones and other devices, Johnson said.

Even though the Payment Card Industry Security Standards Council puts protective guidelines in place and "has a lot of good ideas" for merchants to protect card data, most cybercriminals quickly surmise where the PCI standards are not being properly implemented yet, he said.

"Under 50% of merchants are fully PCI compliant," Johnson said. "You know why? Because it costs money to be compliant."

While cybercrime sounds attractive and can be financially rewarding, almost no one in the trade gets away with it. "It almost always goes south on these guys and they always get arrested," Johnson said.

For reprint and licensing requests for this article, click here.
Acquirers Personally identifiable information