Hacking Humans 6.11.20
Ep 102 | 6.11.20

Taking a selfie with your ID.

Transcript

Sanjay Gupta: The really hard thing is that these particular synthetic IDs and the fraudsters that are behind them - they are very, very, very patient.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, the phishing schemes, the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me as always is my co-host Joe Carrigan. He is from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week, and later in the show, my conversation with Sanjay Gupta from Mitek. He's going to be sharing a story about how cybercriminals are capitalizing on the recently deceased to create synthetic identities - real interesting one there. 

Dave Bittner: All right. Well, let's kick things off here, Joe. Which story do you have for us this week? 

Joe Carrigan: So, Dave, this week I have a story from the Sloan Review, which is a publication of MIT. And it's from three guys, and one of them is Stephen Wilson. Then you got Dean Hamilton and Scott Stallbaum. And they are all from Wilson Perumal and Company, and Stephen Wilson is one of the co-founders of this. And they're talking about cybersecurity, and one of the big problems in cybersecurity and kind of the subject of this show is that the people are the weakest link. 

Joe Carrigan: And these guys point out that there is a model that we can follow here to try to resolve this, and they call it - it's actually an existing concept in management. It's called the high-reliability organization or the HRO, right? Now, this is a concept - the HRO is a concept that came out of practices originated more than 60 years ago in the United States Navy's nuclear propulsion program. The Navy has a number of nuclear-powered vessels, and they generally come in three classes. They come in - there's aircraft carriers that are nuclear-powered. There's the ballistic missile submarines and the fast attack submarines. All their submarines in the Navy now are nuclear-powered vessels, and all the aircraft carriers are nuclear-powered vessels. 

Dave Bittner: Right. 

Joe Carrigan: We did have nuclear-powered cruisers, but we have since shut that down. We've decided that a cruiser is not worth the risk of a nuclear reactor. But... 

Dave Bittner: I was just thinking about nuclear-powered dinghies. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Ill-advised, yeah. 

Joe Carrigan: In Baltimore, there is a nuclear-powered cruise ship. It's been - it's not a nuclear-powered cruise ship anymore, but it was a nuclear-powered cruise ship at one point in time. And it's just... 

Dave Bittner: Interesting. 

Joe Carrigan: ...Docked there. And I don't know what the nuclear regulations are around it exactly, but they can't scrap this ship because it was a nuclear-powered vessel. 

Dave Bittner: You know, it's funny. I remember back from my days at University of Maryland - and this is back in the late '80s and early '90s - the state was going through some budget challenges. And so they were going through and deciding what departments they could shut down or scale down and so on and so forth. And I remember reading in the school newspaper it turns out we had a nuclear reactor on campus. 

Joe Carrigan: Yes. 

Dave Bittner: And... 

Joe Carrigan: Yeah. 

Dave Bittner: It was not cheap to run, but it was even more expensive to shut down. 

Joe Carrigan: Yes, they are... 

Dave Bittner: So... 

Joe Carrigan: ...Very expensive to shut down. 

Dave Bittner: (Laughter) So the reactor kept running. 

Joe Carrigan: Yep. There are actually a number of... 

Dave Bittner: Anyway, I digress. 

Joe Carrigan: Yeah, that's a small - probably a small research reactor, and there are... 

Dave Bittner: Yeah. 

Joe Carrigan: ...A surprisingly large number of those around the country. 

Dave Bittner: OK. Yeah. 

Joe Carrigan: It's interesting. The problem of putting a nuclear reactor on a ship for a propulsion system was a new problem, and it was a really interesting problem because this - you know, it's not - a nuclear reactor is not a simple thing, right? And... 

Dave Bittner: Right. 

Joe Carrigan: The boat then has to run - or the ship has to run underwater as well if it's a submarine, and it's going to be operated by people that are 20 to 30 years old. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right, right. 

Joe Carrigan: So you really have to come up with a way to have this operate safely because this is not an environment where things can go wrong - right? - because... 

Dave Bittner: Yeah. 

Joe Carrigan: When they do go wrong, they're going to go wrong in a disastrous consequence - a disastrous manner, rather. This meant actually getting away from the traditional military culture of follow orders, do what you're told, and don't ask questions. And I have this very apocryphal story. This comes from somebody I used to work with years ago. And I'm not entirely sure, but he was a submariner, and he was - which means he worked on a submarine. And he was in the Navy at the time that Adm. Rickover, who's the guy that built all of the nuclear submarine program, was in the Navy. And the culture of this program was that you were in charge of something that was your domain, and you were responsible for the safety of it. 

Joe Carrigan: And the story this guy told me was that he was working with something, and Adm. Rickover came over and started messing with something. And he said, admiral, please do not touch that. That's not something you're supposed to do. And Adm. Rickover said, OK, and then kept touching it. And eventually, what the guy did was he picked up Adm. Rickover and moved him - you know, essentially physically moved Adm. Rickover. This is an enlisted man moving Adm. Rickover out of the compartment that he was in. I don't know if this is true, but that's the kind of culture. And his story was that that was the test that Adm. Rickover was performing - right? - that Adm. Rickover knew that you had to have a culture where people would say, no. Don't do that. That's dangerous, right? And that's one of the features of this high-reliability organization. 

Dave Bittner: I was thinking that guy was going to have an intimate familiarity with the torpedo tubes. 

Joe Carrigan: Right. Well, that's kind of the point. This article outlines some pillars of the HRO organization, and one of them is formality, right? People follow an authorized procedure, and they don't use workarounds. That's one of the big things in a high-reliability organization. And they have a level of knowledge. That's another pillar. So not only are they following the procedure, but they know why they're following the procedure. And then there are other pillars like integrity - that people can be relied upon, a questioning attitude, like in my story. People anticipate problems and are alert to conditions. And they ask, what could go wrong? And why are you doing that? - and those kind of things in an active team backup. These are the five pillars that these guys outlined in the Sloan Review article from MIT. There's some interesting things in here that I think bear well. There's a management policy that people are expected to be results-oriented or do whatever it takes in order to achieve their outcomes - right? - and that there is some kind of reward for this. 

Joe Carrigan: But these are the kind of attitudes and activities that can lead to workarounds, right? And workarounds are what cause problems in a lot of these social engineering scams, right? If I get an email from someone who is claiming to be my boss and may actually even be sending the email to me from my boss's email account because their email's been compromised and they're saying, look - I need you to get this done, and this just needs to happen - right? If I work in an organization where when I hear that, I know we're not supposed to do that. We're not supposed to do workarounds, right? Then I'm less likely to fall for this scam. Superiors who say to their teams - and this is something I've heard a lot of. Bring me solutions, not problems. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: That is a big thing that superiors say. I've often thought that, depending on what level of management you're at - right? - when you're working with people who are individual contributors, all they're ever going to bring you is problems, right? They're never going to bring you solutions. You're - unless - I mean, they're going to bring you the solutions to the problems that you give them. But during the course of that, they're going to come back with problems that are beyond their control. You're going to have to work on these problems, right? It's - that's part of the role of management - in my opinion anyway. Maybe I don't know much about management. Who knows? 

Dave Bittner: (Laughter). 

Joe Carrigan: Anyway, this - I think this article makes some really good points. I really, really, really, really, really think that this is going to be very difficult to turn every organization into a high-reliability organization, right? And I don't think that's the point the article's making. I think the article's saying we can use this as a model. I really think - and I've said this many times before - that the formality is probably the biggest benefit - what they call the formality pillar is probably the biggest benefit to avoiding being scammed out of millions of dollars. 

Joe Carrigan: And that is that we have a process for moving money around our system, our banking accounts and whatever. And here's how that process works. And if someone asks you to deviate from that process then you know that something has gone wrong and that needs to be reported. I don't think there's a problem in doing that, right? But having the attitude, particularly in small companies, where you can't say bring me solutions not problems or do whatever it takes, there's a lot of stuff that has to happen to get these companies off the ground. And in a small company, there's people who have to have almost heroic roles - right? - where they're accomplishing things that - in short amounts of time that could not be accomplished by a large organization... 

Dave Bittner: Right. 

Joe Carrigan: ...Because they're much more nimble as an organization. And people have this autonomy. So I don't think this is universally applicable. I think it could be applied specifically to financial operations. And with that, you would go a long way to reducing your risk of being scammed out of large amounts of money. 

Dave Bittner: All right. Well, that's interesting, interesting indeed. We'll have a link to that report, for sure, in the show notes. My story this week comes from NBC News, written by April Glaser. And it's titled "People Who Turned to Upwork to Find Freelance Gigs Say They've Lost Thousands of Dollars to Scams." 

Joe Carrigan: Huh. 

Dave Bittner: So I have to say I have only passing familiarity with Upwork. My understanding - it's one of those online services that connects people with gigs, little jobs and so on and so forth. You know, people who are looking for someone to do - maybe not hire a full-time employee but hire someone to do some stuff for them. Freelancers - it's a freelancing platform. 

Joe Carrigan: Right. 

Dave Bittner: And what they're seeing is that people will reach out to folks on Upwork. And this is a type of scam that we've seen before though. They'll reach out to someone on Upwork. They'll say, I'm going to need you to do some work for me. You'll be working from home. And, for example, I'm going to put some money in your account so that you can set up your home office. 

Joe Carrigan: Right. 

Dave Bittner: And then I'm going to need you to order your home office supplies from this site online. 

Joe Carrigan: Yep. 

Dave Bittner: Or something like that. And so what happens is the victim of this, the person who's just looking for freelance work - they get a notification from the person who's employing them saying, hey, the money's in your account. They do a quick check, maybe with their bank on their app or whatever. And they see the money in their account. And they say aha, the money's in there. They start to spend against that. But it turns out that that's part of the scam. The money gets clawed back by the person who put it in there. 

Joe Carrigan: It was never really put in, right? The check was usually a fraudulent check. 

Dave Bittner: Correct. Correct. So the notification was incomplete. In other words, the money did not go through. The notification was merely that the transaction had been put in place, but the actual money had not been transferred. 

Joe Carrigan: Yeah, I think - I'm not sure about this, but I think there's a law that says when someone makes a deposit via check that that money has to be available to them within two business days. And, sometimes, it takes longer than two business days to actually process a check. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's what these scammers are taking advantage of. 

Dave Bittner: There are rules like that. It's been a while since I've dealt with this, so it's possible that they've changed. But I do remember when I had a small business that it was not unusual for banks to say, oh, it's going to take X number of days for a check to clear. And if it's an out-of-state check, it's going to take even longer to clear. And honestly, we would - (laughter) half the time, we would go to our bank, and we'd say, that's unacceptable. We can't wait a week for a check to clear just because it's out of state. And the bank would say, OK. So... 

(LAUGHTER) 

Dave Bittner: So I think what was happening was that, you know, the bank makes money floating your money. 

Joe Carrigan: Right. 

Dave Bittner: So, you know, that was that. But getting back to this story... 

Joe Carrigan: Right. 

Dave Bittner: ...What happens is these - the victims of this scam - they spend against that money that they think was put in their account. They buy these supplies. And, you know, the supplies never come. Or they - you know, they're making purchases on behalf of the person they think has hired them out of their own money, out of their own account because they think that they have money in their account from their alleged employer. But it all turns out to be a scam. There - that money did not come through. They're spending against their own money. And typically they're using some of these online cash apps, and they can't claw that money back. 

Joe Carrigan: Right. 

Dave Bittner: So the scammers get the money. The victim is out of the money. Another interesting thing that they highlighted in this story is that a consistent step in this is that the scammer wants to get the victim off of the original platform as quickly as possible, get them off of Upwork. So they initiate their communications on Upwork. But as quickly as possible, they want to get off of that platform so that... 

Joe Carrigan: Right, and move it to something like WhatsApp or Telegram, right? 

Dave Bittner: Right, well, somewhere else, or even just the email, you know, somewhere where they take that platform's ability to intercede out of the equation. 

Joe Carrigan: Right. 

Dave Bittner: In other words, none of the financial stuff is happening via Upwork or - so Upwork's lawyers, Upwork's, you know, relationship with law enforcement or any of those types of things, that gets taken out of the equation as quickly as possible. 

Joe Carrigan: Yes. Does Upwork have means of vendors getting paid? 

Dave Bittner: I don't know if they have something built into the platform or not. It's a good question. I don't see anything about that in this article. Another thing that this article points out is that, you know, this sort of scam is not that unusual on these platforms. And some folks they talked to in the article are critical of these freelancing platforms of not doing a better job of warning people to be on the lookout for these sorts of things. You know, they have some information about what to do if you've been scammed if you dig through their website and, you know, go to those sorts of pages. But they're making the point that it's probably - in the onboarding process, it would be helpful if they had some information that said, hey, look; keep your eye out for these sorts of things. 

Joe Carrigan: I think that's a 100% valid point, that these - all of these platforms should have that as part of their, what you call, an onboarding process here. I mean, because what they are doing is essentially offering this service - while, yes, it has a legitimate use, they are also offering this service out to open up tons of victims to be scammed by scammers on a massive scale. It's not like I'm just starting up a website and saying hey, I'm Joe's Security Business. You know, come talk to me. I think you're right. I think they do bear some responsibility here for that. I also think that the individual freelancers bear a lot of responsibility with this. I would be suspicious of anybody I hadn't met before and - and when they said, I'm going to send you a check, and you need to immediately buy this stuff, I would say, I'm going to buy that stuff as soon as the check clears, right? 

Dave Bittner: Right. 

Joe Carrigan: If you want me to buy it right now, you can wire me the money. I don't even know if that would be good. Would that be good? 

Dave Bittner: Well, I mean, you know, I think there - as with so many of these things, you know, they're preying on people who are both in need of money. 

Joe Carrigan: Right. 

Dave Bittner: So there's - and given the situation we find ourselves in today, that's more true than ever. So they're in need of money. And chances are they're not sophisticated when it comes to their understanding of the details of all of this banking stuff and, you know, high finance and all those sorts of things. So... 

Joe Carrigan: Absolutely. I mean, they see the money show up in their account. They think, I've got the money. What could possibly go wrong? 

Dave Bittner: Right. And the scammers are professional, too. I mean, they're interacting with these folks. They're using Zoom calls. They're Skyping with them. So the relationships they're establishing at first blush wouldn't seem to be unusual, you know? And I guess it seems like they're skilled enough scammers that you can understand why people would get drawn in by them. 

Joe Carrigan: Right. 

Dave Bittner: That is my story this week. We will, of course, have links to that in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: Our Catch of the Day is courtesy of the Bored Panda site. This is a user who I believe goes by the name jicamarcababy (laughter). 

Joe Carrigan: I hope that's right. 

Dave Bittner: Yeah, so it's sort of a classic situation here of someone trying to get someone to buy some gift cards. But the person who they're trying to scam here knows what's going on and tries to string them out as long as possible. So I tell you what, Joe, I will play the part of the scammer, and you can play the part of the person who's stringing them along. And it starts out like this. Jacob, I'm in a conference meeting right now. Can't talk on the phone, but let me know if you get my text. Thanks. 

Joe Carrigan: Yes, I got your text just fine. 

Dave Bittner: OK, good. I want you to carry out a specific task out for me right now. Will you be able to do that for me now ASAP? 

Joe Carrigan: Yes. I am completely available. 

Dave Bittner: I'm in a conference meeting right now, and I need to provide our clients with some gift cards. Can you confirm if we can get iTunes gift cards from the nearest store to you ASAP? 

Joe Carrigan: Sure. I will go to CVS. It will take about five minutes. 

Dave Bittner: OK. Good. I want you to go there right now and purchase five pieces of iTunes gift cards of $100 face value each, totaling $1,000. 

Joe Carrigan: I'm at the store. I'll find the gift cards. That's a good idea. You can use the gift cards to buy lots of music from great bands, like The Doobie Brothers or Korn. 

Dave Bittner: Text me after you purchase. I'll tell you what to do with them. Let me know when you them. OK, I need you to peel off the back label to reveal the encode and send pictures to me here with receipt ASAP. 

Joe Carrigan: Hmm, looks like they're out of iTunes gift cards. Can we use Olive Garden gift cards instead? That would buy a lot of breadsticks. 

Dave Bittner: Look for eBay gift card, Steam or Sephora gift card. 

Joe Carrigan: So not Olive Garden? 

Dave Bittner: Not. 

Joe Carrigan: OK. I thought it would be nice to buy the whole company breadsticks. I'm buying Steam gift cards. 

Dave Bittner: Purchase five pieces of Steam cards of $100 face value each, totaling $1,000. 

Joe Carrigan: This guy - not only did he do the math wrong, but he did it wrong twice. So they didn't have any $100 gift cards, but I bought you lots of $20 ones. And there's a picture here of a fistful of Steam gift cards (laughter). 

Dave Bittner: OK, good, good, good, good. OK, I need you to peel off the back label to reveal the encode and send pictures to me here with receipt ASAP. 

Joe Carrigan: OK. It's a lot of gift cards, so it will take a few minutes. By the way, I'm really sorry about the other day at work. I didn't mean to cut Jenny with those scissors. 

Dave Bittner: OK, peel them and place the 2/2, and send them. It's OK, Jacob. 

Joe Carrigan: Since this is an extra job, can I have a raise? I really need to buy more butter. Don't ask why. OK, getting the codes. 

Dave Bittner: Yes, but be fast about the codes. 

Joe Carrigan: What are these for, anyway? Is your son having the problems again? Getting in my car now. How much is the raise? 

Dave Bittner: Jacob, I don't have much time. Send the code before you drive. 

Joe Carrigan: OK, I am finishing the pictures. 

Dave Bittner: Good. 

Joe Carrigan: Your secretary, Jenny, told me just to redeem the cards for you, but I wanted to double-check with you because I thought she might be mad about the scissors. 

Dave Bittner: Don't redeem it. Just send the pictures of the code. Follow my instructions, Jacob. I don't have much time. 

Joe Carrigan: Wrong camera. Sorry. That is an old photo. 

Dave Bittner: Send the codes, Jacob. 

Joe Carrigan: How do I turn the camera around? 

Dave Bittner: Yes, the back camera. I don't have much time, Jacob. 

Joe Carrigan: Oh, OK. I understand. So I have a surprise for you. I redeemed all the gift cards. Less work for you. And as a present, I bought the office employees a copy of "Farming Simulator 2020." I know how much you love farms and goats. 

Dave Bittner: I didn't say you should redeem the cards. 

Joe Carrigan: Well, Kristen said that. So you need to talk to her. 

Dave Bittner: Just peel and send me the picture e-codes. 

Joe Carrigan: I can't. I already redeemed all of them and bought Farming Simulator. 

Joe Carrigan: And then there's a picture of "Farming Simulator '20." 

(LAUGHTER) 

Dave Bittner: I'm in a conference meeting right now. I can't talk, Jacob. 

Joe Carrigan: You made everyone very happy with the new farm video game. 

Dave Bittner: Our client are waiting on the cards to confirm it. Are you planning with your job? 

Joe Carrigan: I know, but they will like "Farming Simulator" better. You can grow barley and wheat. I'm planning with my job. I am the company planner. 

Dave Bittner: Are you playing with your job? Our client don't have much time. 

Joe Carrigan: Which client is this again? Because Kristen said to get them the farming simulator. 

Dave Bittner: Where are the cards? 

Joe Carrigan: I redeemed them and bought a lot of copies of the farm video game. Then I put the cards in the microwave because we didn't need them anymore. That's what Kristen said you said. So she should get in trouble, not me. I can buy a different game instead, like goat simulator. Again, your love for goats is very apparent. 

Dave Bittner: You're playing with your job, Jacob. 

Joe Carrigan: Just tell me what game to buy. 

Dave Bittner: Is it Kristen I sent an errand or you? 

Joe Carrigan: I'm not playing with my job. I'm just following instructions. It's me, but you told me yesterday that Kristen would tell me what to do today. 

Dave Bittner: Who is the boss here? You an idiot. 

Dave Bittner: All right. Well, let's go - let's jump to the end here. 

Joe Carrigan: All right, so we're condensing this here. We're going right to the part where he's gotten some eBay cards, and he's bought an eBay card. And he sent the guy - the scammer a picture of a $50 eBay card. And the scammer says... 

Dave Bittner: Yes, so send them. 

Joe Carrigan: Wait. My phone isn't working. Oh, no. 

Dave Bittner: What? Just peel one by one and send it to me. 

Joe Carrigan: Oh, no, no, no. I dropped them in the street drain. Sorry. This isn't worth it anymore. I've had a good time, but I quit. I'm going to Dingle Brothers. They will dingle me far better. 

Dave Bittner: You can't do that. The cards are very important. You know that. 

Joe Carrigan: I already quit, and I took all the drugs from the office already. And I lied. I didn't drop the cards, but I used them to vintage soda and Bibles. Sorry, Brett, but I won this time. 

Dave Bittner: Show me those cards you redeem, Jacob. 

Joe Carrigan: Yes? 

Dave Bittner: Show me the ones you redeem. 

Joe Carrigan: OK. 

Dave Bittner: And then there's a picture of an eBay - the back of an eBay card with the redemption code, where you scratch off, is photoshopped to read go away, scammer. 

Joe Carrigan: Peel them and send them to me. 

Joe Carrigan: According to all I know of laws of aviation, there is no way a bee should be able to fly. Its wings are too small to get its fat little body off the ground. The bee, of course, flies anyway because the bee doesn't care what human thinks is impossible. 

(LAUGHTER) 

Dave Bittner: OK. 

Joe Carrigan: And he - I mean, that's great. So according to this post, Jacob wasted about three to four hours of this guy's time, and that's three to four hours he wasn't scamming somebody else. 

Dave Bittner: Right. 

Joe Carrigan: Jacob did say it earlier in the article that he used a burner phone to do this, which is probably a good idea because he probably really got this guy angry (laughter). 

Dave Bittner: Yeah. It's interesting, too, to note as you read through this that - and, unsurprisingly, I suppose - that the scammer was doing a lot of sort of cutting and pasting. Like, the scammer had a lot of prebuilt responses to things that popped up over and over again to - I'm picturing this scammer with multiple people on the line at the same time... 

Joe Carrigan: Oh, absolutely. 

Dave Bittner: ...You know, just... 

Joe Carrigan: Absolutely. This guy has probably got three or four people going at the same time. 

Dave Bittner: Yeah. Yeah. Well, there's a lot more to it. It's a pretty funny one. So as always, we'll have a link to that in the show notes. And that is our Catch of the Day. 

Dave Bittner: All right. Joe, I recently had the pleasure of speaking with Sanjay Gupta from Mitek, and he was sharing information that they've been tracking. This is about how cybercriminals are capitalizing on the recently deceased and creating synthetic identities. Really interesting stuff here. Here's my conversation with Sanjay Gupta. 

Sanjay Gupta: I think people know there's been a lot of data breaches over the last few years, so there's probably hundreds of millions of records that exist out there. But additionally, as people, you know, they die and their data is still available, these fraudsters, they've kind of gotten onto this. So in the previous days, the idea was called ghosting, where you would just steal information from a recently deceased person and maybe look at their bank account, et cetera. But recently, what's been happening is that they've been using these individuals' Social Security numbers and then tying it to the data that's been stolen to create a synthetic ID. So they would basically take a Social Security number, come up with a name and an address, use a date of birth. With the recent technology around deepfakes, you can also attach a photo to it. And so all of that would be used to create, let's say, an ID. And that ID would be used for very nefarious purposes. 

Dave Bittner: And what sort of stuff would they use it for? 

Sanjay Gupta: So typically where we're seeing it now is in the financial institutions, where individuals - these fraudsters would use these IDs to start to open up bank accounts or try to get loans or credit. And what typically happens is that as this fraudulent ID is used for this purpose, the best thing that happens is that the ID gets rejected, not on the basis that it's a fake but it's never been seen before. So it looks like what's referred to as a thin-file client, meaning that an individual doesn't have a credit history - so if you were a recent graduate person or if you're an immigrant. And then the data bureaus actually will now create a file on this person to make them look like a real person. 

Dave Bittner: Now, what typically happens - when someone passes away, is there a process by which their - for example, their Social Security number gets flagged as belonging to someone who's deceased? 

Sanjay Gupta: So you actually have to file separate forms. Typically it's done through the mortuaries. So you file the forms and let all of the financial institutions - let them know that this person is just recently deceased. And there's a secondary or, you know, maybe the spouse is now the caretaker of the account or there's a trust fund, et cetera. 

Sanjay Gupta: So typically - sometimes that doesn't - people forget or they take too long. But even then, these records still get filed, and these Social Security numbers are still valid sometimes, and they can still be used. So it doesn't even matter if they were recently deceased. Sometimes these things are existing for quite some time. 

Dave Bittner: And so what are your recommendations for folks to protect themselves against this? 

Sanjay Gupta: So first of all, like, if you - the second area where they get - where these fraudsters get Social Security numbers are from recently born kids. So you know, you have a kid who just got born, they have a Social Security number attached to it. What I would recommend there is actually set up a bank account for these kids upfront. So as soon as they have a bank account, then they become part of the system, whereas for recently deceased, you should really look at just filing all the paperwork that is relevant and making sure that, you know - notifying all of the different companies that may be utilizing that particular individual's assets. 

Sanjay Gupta: And for companies that are trying to onboard individuals that look like fraudsters, you typically want to ask for their ID to kind of look at. So at Mitek, what we do is, you know, we have the capability of reading an identity card or a driver's license and tell you, to a certain extent, if it's fake or not. But then also asking for their selfie - and the selfie brings two pieces of the puzzle. The first one is we can actually check to see if the person's alive at the time when they're enrolling for a new account, but also, after the selfie's taken, match the photo to the actual selfie that was just recently taken before you set up the account. So those are kind of the things that I would recommend. 

Dave Bittner: So in matching that selfie - I mean, is there - so you're matching a current photo with a photo that's on an existing ID, for example. 

Sanjay Gupta: That's exactly right. You would take a current selfie of Dave who's just, you know, applying for a new account. So most fraudsters don't want to use their real faces, right? They're going to hide behind a veil. So a lot of the companies that we deal with aren't asking for the biometric, you know, for various reasons. But just that one step is a fairly large deterrent. 

Dave Bittner: Now, what happens to the families of these deceased people who get their identities taken over? Can the spending sprees of these crooks come back to haunt them? 

Sanjay Gupta: So typically, in the synthetic world - now we're dealing strictly in the synthetic identities - it's really a victimless crime 'cause they've taken stolen information from various disparate parties and even made some stuff up. So really, the victims are going to be, first of all, you know, if you are a, let's say, just a recent grad or an immigrant, then potentially you may be asked to provide extra documentation and/or you may be given a loan but at a higher interest rate amount. Typically, these cases last - you know, they're not done overnight. You're taking 12 to 15 to two years. They're very craftily done by, you know, very, very hardened criminals. And they're going to wait the long game to kind of take advantage of this. 

Dave Bittner: Where do you suppose we're headed in the future? In other words, do you see identification systems coming down the line that'll help prevent these sorts of things? 

Sanjay Gupta: Currently, this is a new type of fraud that's coming into the kind of, you know, the financial institution and marketplaces. Previously, it was more related to just real individuals trying to commit fraud or, you know, somebody stole my ID and they were trying to commit fraud. So what's going to happen is that we're going to start to see a lot more sharing of the data between different companies to say - oh, you know, we saw this activity or we saw this activity - and then being able to correlate and do what's called link analysis, or clustering, to determine what's really happening. 

Sanjay Gupta: Because the really hard thing is that these particular synthetic IDs and the fraudsters that are behind them, they're very, very, very patient. And they create the synthetic ID where they have real, you know, e-world - let's say email or a LinkedIn profile. Anything that - they'll leave a digital trail, what we call a breadcrumb - a digital breadcrumb of these individuals. So they feel and look and behave like real individuals. In fact, sometimes they will even take out loans and pay them back slowly. So what they're trying to do is get as much loans and, you know, credit that they can get and then, after 18 months, do a massive bust-out. 

Dave Bittner: I see. That's interesting. Yeah. Wow. So they'll establish credit, if you will - establish their presence and a little bit of credit, and then they get that offer for more credit. And that's when they go and just take advantage of it and, I suppose, disappear after that. 

Sanjay Gupta: That's exactly what happens. So I think, you know, this is a fairly new type of crime that's happening. So I think the jury's still out on how to actually figure out from the perspective of the behavior of the patterns that are occurring. Those techniques are going to come in the future. So one thing the audience should realize is that these are things that a lot of companies are working on. So if you do the right thing upfront when you have somebody with a disease or if you have a new child that is born in your family, take the steps to kind of protect yourself. 

Dave Bittner: All right, Joe, what do you think? Interesting, huh? 

Joe Carrigan: Yeah. When that interview started and he starts talking about the thin client file for a credit report, I thought, is this an opportunity for a long scam? And at the end of the article, he shows yes, it is, exactly. These guys will wait anywhere from a year to two years to take a big payout. You know, if you think about that, you open up a credit card, and you maybe make a couple of charges on it, and you pay it off. Maybe you do a cash withdrawal and then turn around and just give that money right back to them. And that essentially builds your credit. 

Joe Carrigan: What these guys are doing is they're hacking the FICO score - right? - because your FICO score is your measure of how good of a debtor you are. And the higher your FICO score, the more likely you are to pay back your stuff. So these guys get their FICO score. I bet they're watching what the FICO scores are because there are services that let you do that, like Credit Karma. When they see they get to a certain point, when they got that score up to a certain point, that's when they go for the payout. Maybe there's something that can be done to defend against that, that you watch the FICO score over time, and you see that, you know, this FICO score didn't exist two years ago, and now it exists and has done nothing but go up for two years or for 18 months, and it's gotten to a point where you see the risk factor for big payouts going high, then you say OK, we're going to wait a couple of months before this. And at least, if nothing else, that delays your impact as a financial institution. 

Dave Bittner: Yeah. 

Joe Carrigan: It's interesting that they're looking for the recently deceased or the recently born. And Sanjay says a good way to defend against having your kids' identity stolen is to open a bank account for them as soon as they're born. So that gets them in the system so that somebody else can't create a credit profile for them already. It already exists. And then on that, I guess you can use credit monitoring services to know what's going on with your kid's account. 

Joe Carrigan: You know, the reason that kids are targeted is due to a change in the tax code that went into effect in 1987. Before 1987, if you wanted to declare your children as a dependent, you only needed to provide their names. There's a great section in the book "Freakonomics," which was written by Dubner and Levitt, about the day when 7 million American children simply disappeared. And that's because when you had to file your taxes, now you had to provide a Social Security number for your kids. So there were people that didn't have Social Security numbers for their imaginary children and weren't willing to commit the act of a fraud of applying for a fake Social Security number, so they just stopped declaring them on their taxes. 

Dave Bittner: Interesting. Yeah. 

Joe Carrigan: That requirement has made it so that when my children were born, I went out and applied for a Social Security number for them immediately so that I could declare them on my taxes as dependents. In 1987, the law was that if they were younger than 5, you didn't need a Social Security number. But I don't know if that's still the case. I do know that when my children were born, I got them Social Security numbers immediately. 

Dave Bittner: Yeah. Yeah. Me too. 

Joe Carrigan: Yep. Getting a selfie with your ID, that's interesting. I know of at least one company that requires you to send them a picture of you holding your ID with the photo on your ID clearly visible so that they can see it's you. And Sanjay points out why this is the case. Fraudsters do not want to show their faces. I keep thinking about, what stops me from doing this? If I'm going to assume somebody's identity, what's wrong with me showing my face? But these guys are not looking to assume someone's identity. They're looking to exploit it in the short term. They're looking to make a big payout. And then whoever borrowed the money from them is going to be looking for them. So these guys aren't trying to have an alternate identity. They're just trying to make money. For some reason when I think of stealing someone's identity, I still think about assuming that identity and living as a different person. I don't know, maybe there's something deeply psychologically wrong with me. 

Dave Bittner: But you know what? I mean, to that point, I have to admit, it reminds me of the original "Highlander" movie... 

Joe Carrigan: Right. Yeah. 

Dave Bittner: ...which is how, you know, the - for those who are unfamiliar, there was a race of immortals. And one of the plot points is that that's how one of the immortals establishes new identities. He looks for the recently - children who died in childbirth and then assumes the identity of someone like that. That's I suppose - the first time I saw that movie was the first time I considered that as being a possibility. I hadn't really thought about it before. 

Joe Carrigan: I always think of Pete Hornberger from "30 Rock," who, as the season goes on, becomes more and more desperate to get away from his family. 

Dave Bittner: (Laughter). 

Joe Carrigan: And at the end of the season, he is telling Liz how he's going to disappear (laughter). 

Dave Bittner: Right. 

Joe Carrigan: It's - I don't know. I love that show. It's a very funny show. That small story arc is one of my favorites. I disagree that this is a victimless crime. Sanjay kind of said this is a victimless crime. This is not really a victimless crime. We're all the victims because, you know, us - customers of these banking institutions are the victims because the cost of this crime is spread out over our interest rates and our fees. And the banks really aren't the victims because they're still going to make their money, right? They're going to pass that cost on to you. That's how we are all the victims. And yeah, it's a small impact to us in terms of maybe a couple extra dollars a year in fees, but it would be nice to have that money back, wouldn't it, Dave? 

Dave Bittner: Yes. Sure would. (Laughter). All right, well, our thanks to Sanjay Gupta from Mitek for joining us. That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.