Hacking Humans 6.25.20
Ep 104 | 6.25.20

Close in your pajamas.


Stan Holland: We're really encouraging borrowers to go to that full electronic signature route. You can kind of close in your pajamas if you really want to.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Stan Holland. He is from a company called Atlantic Bay Mortgage. And we're going to be talking about some of the really interesting adjustments they've had to make with COVID-19. So be sure you stick around for that. 

Dave Bittner: All right, let's jump right in with our stories here this week. Joe, why don't you start things off for us? 

Joe Carrigan: Sure. My story comes from Sergiu Gatlan. I hope I'm pronouncing his name right. He is a writer with BleepingComputer, and he has an article on BleepingComputer talking about extortionists who are threatening to destroy sites in fake ransom attacks. So we're all familiar with ransomware, right? 

Dave Bittner: Right. 

Joe Carrigan: And you have to go through all the trouble of getting someone to click on a link, and then actually getting the software, the toolkit to run the software, and that costs money. Well, these guys are looking for a way just to get the money out of the victim without investing anything other than sending an email. 

Dave Bittner: They're cutting out the middleman. 

Joe Carrigan: Cutting out the middleman - that's right, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: And what they're doing is they're targeting websites and they're blackmailing them. And they say, if you don't pay us a ransom between $1,500 and $3,000 - of course that money is going to be in bitcoin - we're going to leak your database 'cause we've already got it. They don't have it, but they say they do. They also make some fake technical claims about how they've exfiltrated the database to their own servers and how they used credential harvesting software to exploit a vulnerability found in the site's software. It's all complete lies. 

Joe Carrigan: Then the next thing they threaten is they say, we're going to use malicious search engine optimization to push your results down in Google searches or in Bing searches, right? So there are companies out there that do search engine optimization because the search engine algorithms, while they're protected, they're still really just functions, right? So I can probe a function and see what gets something higher up on the list, and I can run a bunch of tests. And then I can offer that as a service to people. Presumably, you could also offer a service to push people down in the search results list. In fact, there are even businesses that do that - that they want to push your negative results down. But they're threatening to use that as a means of getting you out of the first page of results. They're not going to do it. I doubt that they have the capability to do it. There are people out there that have the capability of doing it, but that takes a lot of effort. If you pay them the $1,500 to $3,000, they're going to lay off. That's the whole thing. 

Joe Carrigan: There's a letter in here that Sergiu has included here. It's pretty good. It's got very good grammar. It says, we have hacked your website - and it has website URL - and extracted your database. How did this happen? Our team found a vulnerability within your site that we were able to exploit. After finding the vulnerability, we were able to get your database credentials and extract your entire database and move the information to an offshore server. What does this mean? We will systematically go through a series of steps of totally damaging your reputation. And this letter goes on until you get to the point where it says, how will I stop this? We're willing to refrain from this if you just send us money. It's a complete scam. Don't pay the ransom. This is something that's being sent to all these website administrators. 

Joe Carrigan: Now, if you think about the development of websites recently, now there are toolkits out there that you can just go out and start up a website and have it looking really good. This has all been automated to the point where you really don't need web development anymore. 

Dave Bittner: And these types of websites are database-driven. 

Joe Carrigan: Yes. They're all database-driven on the back end. So imagine you're somebody who has a small business - right? - or a medium-sized business. You don't have the money to have somebody run your own website, so you set up a website using one of these services. And then you get this email. You're like, wait; how'd they do this? How did they get in there? You're not really a technical expert. You don't understand what they mean by they found a vulnerability. This is kind of overwhelming people with information they don't understand and just threatening them and trying to shake some money out of them. 

Joe Carrigan: It's a lot like the sextortion scams that we've seen in the past, you know, where they say they've got video of you while you're watching pornography on your computer... 

Dave Bittner: Right. 

Joe Carrigan: ...And they want you to send money to not expose that. This is kind of the same thing, and it kind of requires the same level of sophistication. All I need is a list of email addresses of people that have websites, and I can usually get that off the website itself. So I can write a web scraper that goes out and gets the information, and then another script that sends this email, and step three is profit, right? 

Dave Bittner: Yeah. It's kind of a, like, almost like an online protection racket. Like, you know, nice website you got here. It'd be a shame if anything were to happen to it. Yeah. 


Joe Carrigan: Exactly. Moose and Rocco are coming around to help you out. 

Dave Bittner: (Laughter) Right, right. Exactly. To help the judge find his wallet. 

Joe Carrigan: Right. 


Joe Carrigan: I'm glad you got the reference, Dave. 

Dave Bittner: Yeah, yeah, yeah, yeah (laughter). 

Dave Bittner: So any recommendations for folks to protect themselves from this? I guess just awareness that it's a thing and ignore it. 

Joe Carrigan: Yeah. Be aware and don't pay the ransom. 

Dave Bittner: Yeah. 

Joe Carrigan: That's it. You know, just don't - just understand this is probably a scam and - or in all likelihood, it's a scam, you know, especially if you have a computer - or a website, rather, that doesn't really have a lot of customer information on it. It's just a promotional website for you. Don't worry about it. You're fine. 

Dave Bittner: Yeah. I suppose all the old rules apply, too, of, you know, don't reuse passwords, use a unique, strong password on your website. And if they offer it, use multifactor authentication. 

Joe Carrigan: Absolutely. Everywhere you can, use multifactor authentication. 

Dave Bittner: Yeah, yeah. That's interesting. All right, it's a good story. My story this week comes from Motherboard over at Vice. It's written by Joseph Cox, and it's titled "How I Accidentally Hijacked Someone's WhatsApp." Before we dig into this, Joe, are you a WhatsApp user? 

Joe Carrigan: I am not a WhatsApp user. 

Dave Bittner: Me neither (laughter). 

Joe Carrigan: Yeah. That's part of the Facebook family. 

Dave Bittner: Yeah, yeah. I don't even know if I have it on my phone here. So - well, that makes us the perfect people to talk about this issue. 

Joe Carrigan: Right. 


Dave Bittner: Fortunately, Joseph Cox has laid it all out here. Of course, he's a reporter at Motherboard. And he was going through the process of reporting on a story, and he needed a fresh phone number. Sounds like he - maybe he was talking to a source or something like that, and he needed a new phone number, something different than the one he uses day to day. So he bought himself a pay-as-you-go SIM card. And, of course, the SIM card is the thing you put in your phone, and that really establishes the identification of that phone with the mobile service provider. 

Joe Carrigan: Right. 

Dave Bittner: The thing your phone number is assigned to is that SIM card. So he bought a pay-as-you-go SIM card, installed WhatsApp and right away noticed that he was starting to get messages on WhatsApp from people he did not know. He was evidently the member of some groups of people that he did not know. A little side note - the messages in the groups were coming through in Spanish, which I don't suspect is Joseph's primary language, but who knows? 

Joe Carrigan: Right. 

Dave Bittner: And what it comes down to is the fact that WhatsApp uses your phone number as your primary source of identification on their service, on their network. He had gotten this SIM card that was assigned a phone number, and it was a phone number that had been recycled. Someone else had had this phone number before. 

Joe Carrigan: Right. 

Dave Bittner: And so when he put this in his phone, whoever had had that phone number before didn't have multifactor authentication on their WhatsApp account. So when he logged in with this phone number, WhatsApp said, ah, welcome back (laughter). 

Joe Carrigan: Right, right. And even if he did - even if the guy did have SMS two-factor authentication, that text message would've come right to his phone. 

Dave Bittner: Yeah. Yeah, that's a good point. 

Joe Carrigan: Yeah. 

Dave Bittner: That's a good point, yeah. Yeah. It's an interesting look inside this whole thing of phone number reuse. I mean, I was thinking about how, you know, when you and I were kids growing up back in the good old days of landlines... 

Joe Carrigan: Yes. 

Dave Bittner: ...You know, pretty much my entire family shared one phone number. 

Joe Carrigan: Right. 

Dave Bittner: You know, that was our home phone number. If you wanted to call me or my sister, my brother, my dad or my mom, you called that number. 

Joe Carrigan: Right. 

Dave Bittner: Well, these days, everybody has their own phone number, and it's likely you have more than one... 

Joe Carrigan: Yes. 

Dave Bittner: ...For a variety of reasons. We have phone numbers. We have - well, we used to have fax numbers. I suppose some people still have those. People have individual numbers at their desks at work. So my point is that we have used up a whole lot of phone numbers, and because of that, those phone numbers get churned, get reused a lot more quickly than they would have in the past. 

Joe Carrigan: That's correct. 

Dave Bittner: WhatsApp says that if an account has been unused for 45 days and then becomes reactivated on a different mobile device, they're going to take that as a sign that the phone number has been recycled and they'll reset the account. 

Joe Carrigan: I'll bet these phone numbers churn faster than 45 days. I'll bet that within a couple of days of a phone number becoming an unused phone number, that phone number is available to anybody to assign to a new phone. 

Dave Bittner: Yeah. Well, I mean, there's memes about this, right? 

Joe Carrigan: Right. 

Dave Bittner: You know, new number, who this, you know? 

Joe Carrigan: Right. Yeah, exactly. 

Dave Bittner: (Laughter) So it seems like in this case, that's what happened. And I suppose the folks who are out there selling burner SIMs - just stuff for quick reuse, disposable phone numbers - you're right. I suspect they get churned really quickly. 

Joe Carrigan: Right, yeah. 

Dave Bittner: So, again, the recommendations are make sure that you're using multifactor on an app like WhatsApp, which I do believe they allow. I believe they can - you can also require a PIN with WhatsApp. So, yeah, enable those extra bits of security so that if you get a new phone number, let's say someone comes along and gets your old phone number, they don't have access to all of your WhatsApp information or any other app that used your phone number as its primary source of identification. 

Joe Carrigan: Yeah. Well, there's got to be some other means of identification in WhatsApp 'cause it's got end-to-end encryption, right? So it has to have some kind of private keys. And if I get a new phone number, then WhatsApp maybe has the public key. They should be able to tell that I don't have the private key, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But then the problem becomes how do you move? Let's say I'm a user who just gets a new phone - right? - like we all do every three to four years, right? We get new phones. How do I move the private key from the old phone to the new phone? 

Dave Bittner: Yeah. 

Joe Carrigan: Because then I don't want to be locked out of my messages, and I don't want to lose everything that's happening. It's an interesting problem, but I'm almost positive there is - in fact, I am positive there is a technological solution to this that WhatsApp has just missed on this. They could be doing a better job here. 

Dave Bittner: Well, it's interesting, too, because, you know, the Signal app, which is a very well-known app for texting, and you can do phone calls and video chats and so on, and its claim to fame is that it is both open-source and end-to-end encrypted... 

Joe Carrigan: Right. 

Dave Bittner: ...So that anybody can look at the code to verify that it's good stuff, and also everything you do on it is encrypted end-to-end. But famously, in the past few weeks, Signal has said that they're going to make it possible that you don't need a phone number in order to sign up for a Signal account. So they were tying the accounts to phone numbers as well. 

Joe Carrigan: Yes, it seems that way. Now they're making the change where you can - apparently, you can not do that. I don't use Signal either... 

Dave Bittner: Yeah. 

Joe Carrigan: ...So I don't know how this works. The one I do use - I do have on my phone is Telegram, and that one seems to also do phone number identification because I get notifications when someone who's in my contact list opens or installs Telegram and starts using it. I get, like, hey, Dave Bittner is now on Telegram. 

Dave Bittner: Yeah, I get the same thing on Signal. I have Signal on my phone, and it does the same thing. Anytime somebody new who's in my contact list joins, I get a notice about it. 

Joe Carrigan: Yeah. 

Dave Bittner: So I suppose - I mean, the big story here, the long-term thing is I suppose it's good to decouple these apps from something like a phone number, something that's not permanent like a phone number. I suppose it's a good thing to at least have the option to not have it tied to that. 

Joe Carrigan: Yes, absolutely. I would agree. 

Dave Bittner: All right. Well, that story, again, comes from Motherboard. We'll have a link to that in the show notes, as we do with all of our stories. 

Dave Bittner: It is time to move on to our Catch of the Day. 


Dave Bittner: Our Catch of the Day comes from a Twitter user named Julia Giddens. Her Twitter handle is @deslys4444. And this is a notice that came from British Gas, which sounds like something that you get when you're eating British food. But, no, it is actually the - it is the company that provides natural gas to customers in Britain. And, of course, Joe, because this comes from overseas, what does that mean? 

Joe Carrigan: Accents, Dave. The master of dialects, Mr. Bittner, is going to delight us with his British accent. 

Dave Bittner: All right. Here we go. 

Dave Bittner: A message from British Gas - (reading, imitating British accent) your bill is still overdue and needs paying. Hello, we sent you a gas bill for 21.71 pounds, and we still haven't received payment. If you've paid it in the past five days, please ignore this email. To see if your payment has cleared, you can check your account. Next steps - if we do not receive a payment or hear from you in the next two days and we have to contact you again, you will be charged 140 pounds to cover our reasonable costs. If we have to visit your property to collect this debt, you will be charged 540 pounds. If the debt remains unpaid, we plan to obtain a court warrant to visit your home and either replace your gas meter with a pay-as-you-go meter or disconnect your gas supply. This could result in additional charges of up to 402 pounds. If your gas supply is disconnected, we will charge you 750 pounds to reconnect your supply. Pay us online now. 

Joe Carrigan: That's terrifying, isn't it? They're trying to scare... 

Dave Bittner: (Laughter). 

Joe Carrigan: I love the, check your account here. It's got a couple of links. I don't know where those links go because Julia, being very smart, just sent a picture of this message. She didn't actually copy the text of the message and let everybody else click on the links. But, yeah, I mean, here - it's got everything, right? It's got, we're the gas company, and we're going - and you still owe us 21 bucks. By the way, if we have to call you again, it's going to cost you 140 pounds. That's... 

Dave Bittner: Right. 

Joe Carrigan: ...Reasonable cost for a phone call, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't think attorneys will charge you that much for a phone call. 

Dave Bittner: Or barristers, as the case may be. 

Joe Carrigan: Barristers - right. Yes. 

Dave Bittner: (Laughter) Yeah, so they're ratcheting up. They're demanding a response. If you dillydally, the price does nothing but go up. 

Joe Carrigan: That's right. I love the idea of a pay-as-you-go gas meter. I've never heard of such a thing, but I can imagine how that works. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, brrr (ph), I'm cold. Got to go outside and swipe the credit card gas meter. 

Dave Bittner: Right, or pump quarters into it or... 

Joe Carrigan: Right, pump quarters into it. 


Dave Bittner: Honey, go out and feed the meter. It's your turn. No. 

Joe Carrigan: Right. Yeah, like a parking meter. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's great. 

Dave Bittner: Yeah, yeah. I suspect the link to check your account - I mean, that quite likely would be something where they're trying to harvest your credentials. 

Joe Carrigan: Yeah, this is a phishing email. 

Dave Bittner: Yeah. And then the pay us online now, again, perhaps they try to get you to log in but then also try to grab your credit card or something like that to steal money from you outright. 

Joe Carrigan: Yup, absolutely. British Gas actually did respond to this tweet from Julia and says, hi, Julia. You are, indeed, correct. This is a scam. And they've seen a lot of these going around. And they asked for Julia to forward the email to them, to their phishing team, and provided an email address, which Julia says she did. So good on British Gas for keeping an eye on this. Of course, Julia did tag British Gas in the post, so that's probably what alerted them to the scam. But, Dave, a quick Google search over here in Carrigan technology headquarters... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Has found that there is such a thing as a pay-as-you-go gas meter, that that is a real thing. 

Dave Bittner: Really? 

Joe Carrigan: Yeah. I was dubious, and you and I were dubious, but they have them. 

Dave Bittner: Well, and I suppose - I mean, it sounds like they're unpopular enough that the threat - the specter of having one installed is a call to action of its own. 

Joe Carrigan: Yeah, absolutely. These guys are terrible people. 

Dave Bittner: (Laughter) Yeah, yeah. All right. Well, our thanks to Julia Giddens for sharing that and sending it our way. That is our Catch of the Day. 

Dave Bittner: Joe, I had the pleasure of speaking with Stan Holland recently. He is from a company called Atlantic Bay Mortgage. And I wanted to talk to him because a mortgage company is a company that deals with a lot of important documents. 

Joe Carrigan: Yes. 

Dave Bittner: And a lot of money changes hand, and a lot of money flows through an organization like that. So, you know, they have a pretty big target on their back when it comes to people trying to scam them, and we've certainly covered stories about those kinds of things here on this show. So I wanted to touch base with Stan about some of the things that they're doing in this shift to have more things happen online and remotely, especially as we're in the midst of COVID-19. Here's my conversation with Stan Holland. 

Stan Holland: We're focused very much on securing, you know, our environment, anything that our borrowers are interacting with. There are certainly times when, you know, borrowers choose to take, you know, actions that aren't always the most secure. But anything that we're doing or asking them to do is incredibly secure, and, you know, we try to find ways to do that. 

Stan Holland: The good news is that over the past probably two to five years, we've seen a real tremendous increase in the amount of digitization in the mortgage industry. Everything from your initial application all the way through even your closing documents at this point can all be done electronically. We're trying to do that. Consumers are slowly kind of moving into that direction. Obviously, the current situation with the virus has made that a little bit more appealing 'cause, you know, you don't necessarily want to come in contact with a lot of people. 

Stan Holland: The electronic interactions, they certainly present a new set of challenges in terms of safety. Well, it is actually pretty typical, I think, in terms of vulnerabilities that we have in the industry. It's what we call the title work, you know, when you go to send a wire to fund the loan, which is kind of the biggest money part of the transaction to hackers and everyone else that's zeroed in on that. And they're really getting good at spoofing emails and trying to get wiring instructions that will go into their account instead of into the account of the escrow person. That wouldn't be held against the borrower. You know, we would be the ones on the hook for that. But that's certainly a big trend in the industry and kind of one of the ways hackers are attacking us. We get thousands of attacks, you know, in different ways, but that's the one that has been successful in the industry a couple of times and really kind of hurt people quite a bit 'cause you're talking about a couple hundred thousand or more in losses just from one email spoof. 

Dave Bittner: Can you take us through some of those scams, some of the ways that folks try to weasel their way into a mortgage transaction? 

Stan Holland: It's similar to the financial industry. So anytime they can see that you've applied for a loan or if you actually get a loan, you know, it becomes public record in most states. So once it becomes public record, you're kind of put on a whole bunch of lists. And we don't do that. We actually send out a letter after the loan is closed just to warn people about all the scams that they're going to see once they close 'cause the number of things they get in the mail is just astounding. So people will try to, like, you know, copy our name since we're the ones who the borrower's making their payment to. They'll try to copy our name on the outside of the envelope or make it seem like us so that people open it. You know, there's all kinds of different tactics that are being used, mostly through the mail, some through email as well. You know, we do electronic payments for servicing, you know, when the borrower's making their payment after they closed the loan. And in those cases, we're seeing some spoofing and other things like that. For the most part, though, it really happens during the transaction, and that's when we're certainly the most vulnerable from a data perspective is during the transaction because there's so much information, like you said, flying back and forth in between us and the borrower. You really have to create a very safe environment, you know, to make that work well. That's really the - by far the most dangerous part. 

Dave Bittner: And so what kind of tools do you all put in place to make sure that that safety is there? 

Stan Holland: Well, good question. And it's kind of changed a little bit - not a lot, a little bit - since, you know, all of the virus stuff kicked in. But - so we went, you know, remote, which kind of creates its own set of problems or of challenges. We kind of focused on it in three different ways. One is really in the tech space. The second is in the process space. So we view those two areas as spaces that we're responsible as a company to make sure that the mortgage banker or our client or whoever is interacting with our system - you know, employee, anyone, partner - that they have the most sort of secure environment they can. 

Stan Holland: So we have a lot of different tools that we use. We have everything from securing our AWS and Azure environments. We use all kinds of different tools with filtering, you know, down to the actual client level. So we're using Cisco Umbrella, you know, to filter things on the client level in terms of, you know, trying to get down to that actual web filtering for whoever is using the computer. 

Stan Holland: We really like this new product on the email side, and that seems to be one of the vulnerabilities that's really hard to fix from a people perspective. We've really enjoyed using Barracuda Sentinel, where it's got AI baked into it. And it's trying to find, you know, emails that may not have been written in the same style, et cetera, and trying to find the style that you write in and trying to find emails that may not be. We've actually found a few and prevented a few that were incredibly close to being clicked on, but the system was able to find them. And people would've definitely clicked on them if they had seen them. 

Stan Holland: So there's a host of tools. There's a bunch of other names I have here of tools that we use. But, you know, there's a difference. Obviously, securing our environment and people who are working onsite is kind of a different conversation to some extent than securing our environment once you kind of distribute it to 700 people's homes. You know, it's quite a bit different in terms of scope. And certainly, as you've been talking about on your show recently, from what I've listened to, you know, I think your phrasing is it increases how many different places can be attacked, or the vulnerability. 

Dave Bittner: Yeah. We often talk about the surface area. 

Stan Holland: Yeah, surface area - exactly. Yeah. 

Dave Bittner: How do you balance the need for security with not being weighed down in so many steps that it just becomes a burden to be able to just get the business done? 

Stan Holland: It's hard. It's all about finding the smart tools. You know, we definitely try to find really smart tools that are going to, you know, sort of be worth it. One of the things I ask a lot - and it's probably, you know, not a great phrase in today's world, but sort of is it worth it? You know, is the juice worth the squeeze is what I say. But is it worth the effort? So some of the tools that, you know, you look at, it sounds great until you actually put them into practice. And they really don't make that much of a difference when you look at control monitoring reports or whatever. And then other tools you don't have high hopes for, and you put them in place and they really - you know, they really do a lot. 

Stan Holland: So we always try to weigh the - sort of the security gains against the process losses, and thus far, we feel like we've reached a decent level with that. We're probably leaning a little bit more toward the conservative side of that just to really be protecting everyone's data. And we take that responsibility very seriously because we do get almost everything except for a blood sample and, you know, a urine sample - whatever - to get a loan. I mean, at this point, we - you know, we ask for almost everything else. So securing that data is our No. 1 concern once it gets in our environment. 

Dave Bittner: And how do you deal with the challenge that we're facing now, where people don't necessarily want to get together face-to-face? How do you - how can you verify things when you can't have those face-to-face meetings? 

Stan Holland: We've had to get creative on the application side. Of course, we allow borrowers to, like, take a picture of their license or whatever. But we still are trying to do Zoom or Zoom-style - you know, fill in the blank with all the different videoconferencing systems people use - but Zoom-style interactions. We've seen a real uptick in Zoom and other types of videoconferencing for closings as well. Because you can sign all the documents electronically now, we're really encouraging borrowers to go to that full electronic signature route. You can kind of close in your pajamas if you really want to, and there's no reason not to. 

Stan Holland: But a lot of people still like the idea of going to a place to close a loan and, you know, meeting an attorney and all that kind of stuff, which I totally understand. It's a big - as you said, it's a huge transaction and probably one of the largest transactions in most borrowers' lives. So they want to - you know, want to have somebody there. At this point in time, though, we can still be there virtually with the person and kind of talking them through everything and letting them ask whatever questions they have without having to physically be near them when they can be at home, you know, in front of their computer and signing the documents as we go. 

Stan Holland: So e-mortgages have been around since 2000, but they really haven't caught on yet. And we're very much hoping that this situation helps really spur the adoption of e-mortgages 'cause it'll help the industry and our consumers and bring down costs for consumers as well. 

Dave Bittner: What are your recommendations for someone who is heading down this path? They're getting ready to either get a new mortgage or refinance or something like that. What are some of the things they can do in preparation to make sure that they're going to be doing it in a safe and secure way? 

Stan Holland: The first thing to do is to not just accept your mother's, brother's, sister's referral to John Smith or whoever who is a random mortgage person. You really want to kind of do a little bit of research online ahead of time and figure out what you're looking for, which most consumers do nowadays. It depends on what you're looking for. You know, if you're looking for an all-electronic experience, there are different places to go. If you're looking for sort of a hybrid, where you have people who can guide you but you still want electronic interaction, a place like us - you know, we kind of do both. And then some people are - you know, don't have a lot of technology. 

Stan Holland: So you kind of want to know what you're getting into 'cause you are getting into a 30- or 45-day process with a company, and you're going to probably talk to them at least once a week. Realistically, you're going to send, you know, 30-plus documents to them before it's all said and done or something like that. You're going to sign a ton of documents. So it's really important that, you know, you kind of know who you're getting into the relationship with. 

Stan Holland: And people shop mostly on price, which is obviously a very important thing 'cause you're paying that mortgage for a long, long time. But I would just encourage people - there is more to price when you're thinking about shopping for a mortgage. I would look at the tools that people offer, the reputation they have. Do they really deliver, and are they able to really close on time? Just do some of that due diligence that you would do on any product. If you were buying a set of pans for your kitchen, you'd probably do more research than a lot of people do before they agree to sign up for a mortgage. So I would just encourage people to really do their due diligence and feel comfortable with the company that they're going to work with. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: That's a good interview, Dave. I like hearing what Stan had to say. Stan talks about the transfer of borrowed money. If that gets redirected - and he says he's seen that a couple of times - that doesn't affect the borrower directly. I'll bet it slows the process down. 
Dave Bittner: Yeah. 

Joe Carrigan: I'll bet that if you go to closing and they say, our money got redirected, that you don't go to closing that day... 

Dave Bittner: No. 

Joe Carrigan: ...That it's going to be at least a couple of days before you get your house. 

Dave Bittner: Yeah, I'll bet that makes a bad day for everybody. 

Joe Carrigan: Yeah, it does. It does. And if you think about - you're the seller in that situation and that happens - when I bought my current house, I had to sell another house. And I had to go from one settlement in the morning to the next settlement in the afternoon, right? 

Dave Bittner: Right, right. 

Joe Carrigan: So if I was selling my house and the nice people who bought my house had their mortgage redirected to some scammer and that held up the closing of my - the sale of my first house, I would not be able to close on the second house because I wouldn't have the money for closing. 

Dave Bittner: Right. You can trigger the sort of cascading set of events... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Just by one going astray. 

Joe Carrigan: Yeah. I like that Stan says that Atlantic Bay Mortgage will send out a letter after closing to help people stay aware of all the scams they're going to be up against. One of the biggest things you're going to have to start doing as soon as you - you know, when you get into a house, there's, like, about a month or a two-month delay before you have to start making mortgage payments because, usually, you make a partial mortgage payment at closing that will cover everything from the settlement date to the end of that month. And then you don't have to make a payment again till the beginning of the following month because... 

Dave Bittner: Right. 

Joe Carrigan: ...Your mortgage interest is paid in arrears. That's the difference between mortgage and rent. Rent is paid upfront. Mortgage interest is paid in arrears. And - at least that's the way it was explained to me when I was selling real estate during my brief and failed sales career. 

Dave Bittner: (Laughter). 

Joe Carrigan: But... 

Dave Bittner: You shouldn't be considered an expert because of the level of success you had in that career (laughter)? 

Joe Carrigan: Actually, I did OK. I did better than average. It just wasn't enough to live on. 

Dave Bittner: I see (laughter). 

Joe Carrigan: The interesting thing is that's a significant time lag. It's almost July. So let's say you're going to settlement on July 7, right? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: You're going to make a partial payment for that mortgage in July. Then you're not going to have a mortgage payment again until September, right? September 1 is when your first mortgage payment's probably going to be due. That is a long period of time for this information to be published and then for scammers to come out and go, hey, here's how you make your mortgage payments, and send you to a scamming website, where they redirect your money to them. 

Dave Bittner: Right, right. 

Joe Carrigan: And... 

Dave Bittner: Here's your coupon book (laughter). 

Joe Carrigan: Right, here's your coupon book. And the fact that this information is all public knowledge and gets published pretty quickly, you know, maybe there should be some kind of delay in releasing that knowledge. There is a bureaucratic delay, that it takes some period of time for that information to get out, but that's just because of the inertia of the process in publishing the information, right? 

Dave Bittner: Sure, yeah. 

Joe Carrigan: Then maybe there should be, like, a 90-day delay that we - you know, this information is public record, and everybody has a right to see it, but maybe everybody doesn't have the right to see it for security's sake until 90 days after the settlement. Maybe that should be a new regulation that happens. I think that would be... 

Dave Bittner: Interesting. 

Joe Carrigan: ...A good idea. Maybe there's somebody out there who has an idea why that wouldn't be a good idea, and I'm sure they will let us know if they do. 

Dave Bittner: (Laughter) Count on it. 

Joe Carrigan: Yeah. I like that Stan talks about three ways that they protect their people with tech, process and people. It's very important to understand that you're going to have to use all three of those. You're going to have to educate your people. You're going to have to have good processes in place. And you're going to have to have technology. Technology is never going to be the panacea for these kinds of problems. It's just not going to be the case. I like Stan's attitude toward managing risk. You cannot cover everything that's going to happen to you. You cannot be perfectly secure. That's just not possible. But you can look at what works and use it and look at what doesn't work and get rid of it. And it seems to me that Stan is doing that. 

Joe Carrigan: And he talks about - a lot about remote closing. Personally, Dave, I don't know about you, but I would still want to go to a place and meet people and see checks changing hands for settlement on a house. Something as big as that, I think that's worth me taking the time off work and going to a lawyer's office and having that happen. 

Dave Bittner: Yeah. I tend to agree with you. And I have to say, you know, (laughter) this interview got me thinking about all of the kind of hand-waving we do right now when it comes to digital signatures. And by digital signatures, I mean replacing your written signature with a digital version of that, you know, because... 

Joe Carrigan: Right, with an image, which is not what digital signatures are. 

Dave Bittner: Right. And, like, I've had situations where, you know, I'm signing up for something, and I have to sign. It's a contract, and I'm doing everything online. And they've - a window pops up and it says, choose the font that most resembles your handwriting... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...And sign your name in that font. 

Joe Carrigan: Yeah. 

Dave Bittner: And I'm like, well, OK, but that's not - it's not my signature. But... 

Joe Carrigan: No, it's not. 

Dave Bittner: ...We all kind of... 

Joe Carrigan: I don't know how these are binding. 

Dave Bittner: Right, right. And I... 

Joe Carrigan: I'd like to see... 

Dave Bittner: And there must be a way. Maybe it's just not an issue. I mean, you know, in the old days, someone who was illiterate could just, you know, sign an X. 

Joe Carrigan: Right, yup. 

Dave Bittner: And that was that. So maybe it's - maybe there's enough legacy from those days that still carries through, and it's all workable. It makes me raise my eyebrows. 

Joe Carrigan: Yeah. If nothing else, I want to see at least somebody put pen to paper and then scan that and send it over and then send the originals to follow up. There's always been a lot of confusion around digital signatures. When you say digital signatures, a lot of times, people think of just a digitized image of their signature. And when I hear digital signature, I think that I'm cryptographically signing something with my private keys. 

Dave Bittner: Right. 

Joe Carrigan: And it's demonstrable that, since I have control of my private keys, that anybody with my public key can say, yup, that's Joe's signature - digital signature. 

Dave Bittner: Yeah. All right. Well, thank you to Stan Holland from Atlantic Bay Mortgage for joining us. Lots of good information there. We do appreciate it. And, of course, we want to thank all of you for listening. That is our show. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.