Hacking Humans 9.17.20
Ep 116 | 9.17.20

Your information is already on the Dark Web.

Shai Cohen: The assumption is always that your information is already on the dark web.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Shai Cohen. He's from TransUnion. And we're going to be talking about identity fraud and how that has been at the center of many of the digital COVID-19 scams. 

Dave Bittner: All right. Joe, let's start with some quick follow-up here. 

Joe Carrigan: OK. 

Dave Bittner: We had - several listeners wrote in in response to some comments we made about bank apps. 

Joe Carrigan: Right. 

Dave Bittner: And I believe you had mentioned that bank websites are very good about logging you out. 

Joe Carrigan: Yep. 

Dave Bittner: And we heard from several people that said that bank mobile apps do the same... 

Joe Carrigan: OK. Good. 

Dave Bittner: ...That these days - that they don't mess around, that (laughter)... 

Joe Carrigan: Good. 

Dave Bittner: ...If you're inactive, it doesn't take long. And they will log you out. 

Joe Carrigan: I'm glad to know that. My ignorance on that is based solely on the fact that I do not use mobile banking apps. I sit down at my PC. And I use the web interface. 

Dave Bittner: So we had some people write in to say that - in response to our conversation about the Maryland man having his identity stolen, they wanted to remind us that state retirees in Florida are not eligible for unemployment benefits. So they don't have to worry about them being shut off. 

Joe Carrigan: Right. 

Dave Bittner: That makes perfectly good sense. 

Joe Carrigan: Yes, of course. 

Dave Bittner: (Laughter) Yeah. So again, thanks to everybody for writing in. We do appreciate hearing from you. 

Dave Bittner: Let's move on to our stories this week. Mine is not so much a story as it is a website, something that I was not aware of. I found it pretty interesting. This is a website called bitcoinabuse.com. I'm not 100% sure if this is actually run by the folks responsible for Bitcoin or not. It's not clear. It sort of seems like it might be. But I can't say for sure. In the digging around I did on the site, it wasn't really clear. It seems like it is. 

Joe Carrigan: Well, there's nobody really responsible for running Bitcoin. Bitcoin kind of runs itself. It was released into the wild. Now it's just taken off. 

Dave Bittner: Got you. So this organization at bitcoinabuse.com, they have taken it upon themselves to run this database of Bitcoin addresses that are being abused, that are being used for bad things - for crimes, for ransomware, for extortion and so on and so forth. And so what they've got here - they have a system where you can file reports. You can view reports. You can monitor stolen bitcoin. 

Dave Bittner: So if there's a Bitcoin account that you want to keep an eye on, see if someone's been biding their time and tries to transfer money out or tries to launder some of that money that's in bitcoin, you can basically have it send you an update if anything happens within a certain Bitcoin address. 

Dave Bittner: And it's pretty interesting to sort of page through here. One of the things - in their about, they say Bitcoin is anonymous if used perfectly. Luckily, no one is perfect. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Even hackers make mistakes. And it only takes one mistake to link stolen bitcoin to a hacker's real identity. 

Joe Carrigan: Yeah. I'm going to take issue with that statement, bitcoin is anonymous. It's anonymous if no one can associate you with the public-private key pair. As soon as someone can associate you with that public-private key pair, all anonymity is gone. All anonymity is gone. Every one of your transactions on that public-private key pair is available for scrutiny. The only level of anonymity you have is that disassociation of your actual physical identity with your Bitcoin identity. As soon as that bridge is connected, the game is over. 

Dave Bittner: So just looking at this database, for example, on their home page here, they list 101 reports in the past day, 879 in the last week, over 4,200 in the last month. So this is an active thing. And if you go through and look at the recently reported addresses, there are many of them. And I'll just click on one randomly here. And, of course, Bitcoin addresses are, basically, you know, random strings of characters. I don't... 

Joe Carrigan: Yep. 

Dave Bittner: ...Know how many characters long it is, but it's a lot. For example, here's one that has eight different reports. It's a blackmail scam. And it'll have descriptions. This one, for example, looks like a lot of things in Chinese. A lot of them are, you know, different languages and so on. But it'll tell you what it is. So if it's a - this one's a sextortion scam. It tells you the number of Bitcoin transactions that have taken place under this address, how much they've gathered. 

Joe Carrigan: I'm glad to see that a lot of these have gathered no bitcoin. Oh, one has received - here's one. I just clicked on it. And one has received 0.0014 bitcoin. 

Dave Bittner: Yeah. I was looking at one earlier today that had received several bitcoin. So, you know, some - and it was a typical sort of sextortion thing, you know? We've accessed your camera. And we've seen you doing naughty things. And... 

Joe Carrigan: Right. 

Dave Bittner: ...Unless you send us money, we're going to share this with all of your friends and family. And it seemed to be working. They'd gathered, you know, several bitcoin, which is thousands of dollars. It's interesting they have an API. So you can monitor the database that way. So I think it's an interesting tool, you know, valuable. I could see researchers, law enforcement could make good use of this. Of course, to keep this thing running, they take donations in - wait for it... 

Joe Carrigan: Bitcoin. 

Dave Bittner: Bitcoin. 

Dave Bittner: Right, which, I suppose, is fitting. 

Dave Bittner: Overall, you know, it seems like a good effort, one of those things where some folks have gotten together - you know, good guys - and are trying to do some good things to try to cut down on the abuse, or at least document the abuse, of bitcoin. 

Joe Carrigan: Yeah. 

Dave Bittner: What's your take on this? 

Joe Carrigan: Well, I'm looking at one right now, Dave. And (laughter) it says the abuse type is a darknet market. And this person is upset because they paid this Bitcoin address some money. And they did not get provided with a poker cheat. 

Dave Bittner: Aw. 

Joe Carrigan: So - yeah. 

Joe Carrigan: I'm so sorry. Here's one I'm looking at that has a bunch of reports on it. This one has - looks like 13 pages of reports for blackmail scams. And they've actually received two transactions with a net total of 0.18 bitcoin. So this is interesting. I mean, I could get - this is a rabbit hole I could go down all day long. 

Dave Bittner: Well, I think that's an interesting component of it. As you say, you can poke around and look at these reports, and it'll give you a nice sampling of the kinds of scams that are out there. 

Joe Carrigan: Right. 

Dave Bittner: You can also sort of get a sense for what's working and what's not. 

Joe Carrigan: Absolutely. And some of these have even copied the email into the description of the record. This would come in really handy, Dave, for exactly what you're suggesting. 

Dave Bittner: (Laughter) Right. Exactly. Exactly. All right. Well, that's what I have this week. It's bitcoinabuse.com. Interesting to check out and spend a few minutes on there. And perhaps some... 

Joe Carrigan: This is fascinating. 

Dave Bittner: ...Some educational components there as well, if this is something that interests you. 

Dave Bittner: Joe, what do you have for us this week? 

Joe Carrigan: Dave, I have something for Brian Krebs and Krebs on Security, and he talks about the joy of owning an OG email account. And we've talked about this before, but for our listeners who might be new to the show, OG stands for original gangster. And it is a username that you get when you are an early adopter of a platform. 

Dave Bittner: Right. 

Joe Carrigan: For example, the amazing Dave Bittner on Twitter... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Is @bittner - B-I-T-T-N-E-R... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like your last name. And that's great. 

Dave Bittner: Would you categorize that as an OG account? 

Joe Carrigan: I would. I would say - you know, because you don't have any numbers after that, right? 

Dave Bittner: No. No, just got the whole surname - lock, stock and barrel. 

Joe Carrigan: Just your last name. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: I would love to have @carrigan, but somebody else already has that. 

Dave Bittner: Right. 

Joe Carrigan: I'd even like to have @joecarrigan. But I think somebody else already has that. So I had to go with @jtcarrigan, which was available. 

Dave Bittner: Slumming. Slumming. 

Joe Carrigan: Right? 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: But I do have another username, and I won't tell it publicly here. But I do have a six-character username that's kind of unusual that I kind of consider an OG username, but it really only applies to me. And 80% of the time and 90% of the time, I can get it. In fact, there's only one case where I haven't gotten it, and that's at Twitter. But I had somebody ask me for it on Instagram because this person was a rapper who wanted to buy the name from me. Unfortunately, I said no - for this guy - because it is actually my internet identity. It's, like, my username on everything because nobody else uses it, and I like it. So I don't know if I'd call it OG because it's unique to me. 

Dave Bittner: Right. 

Joe Carrigan: It's not something that everybody wants. But Brian Krebs set up what he called an OG account on Gmail 16 years ago, when you had to be invited to Gmail by another Gmail user. Do you remember that? 

Dave Bittner: I do remember that, yeah. 

Joe Carrigan: If you got invited, you got to send out, like, something like - some number of invitations. I can't remember what it was. 

Dave Bittner: Yeah. 

Joe Carrigan: And I never got any invitations because none of my friends wanted to help me out. But I still got my username. 

Dave Bittner: (Laughter). 

Joe Carrigan: Wisely, he won't publish it here 'cause that would only lead to more things, but he does give a hint as to what it is. It's some kind of hacking term @gmail.com. So one of the things he always gets is he gets people trying to take over the account, right? And they'll send him phishing emails from services he doesn't use, like H&R Block, TurboTax and iTunes, LastPass, Dashlane and Credit Karma. And he gets these because these people are trying to get the account. 

Dave Bittner: Right. They're folks who collect these like trading cards. 

Joe Carrigan: Right. Exactly. And one of the things he says is these OG accounts are highly coveted. But what really amazes him and me, too, is that a bunch of people have chosen his account as their backup email recovery address, right? So you go to create a new account somewhere and they say, what's your email address? And they enter this email address from Gmail that Brian Krebs actually controls. 

Joe Carrigan: And in my opinion, if someone does that to me - and they have done that to me on numerous occasions. They've done it with Netflix, and I've just gone in and closed the accounts. Somebody did it with Instagram, set it up with one of my accounts. I can't remember if it was at Gmail or Yahoo. 

Joe Carrigan: But my opinion is that if you use my email address to set up one of these accounts, you have essentially done me the service of creating an account for me, right? 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: In this case, what I've done - in all the cases, what I've done is I go in and either close the account or I change the password and lock the person out of it because I don't want my good name being associated with somebody's nefarious activities because chances are they're creating this - they may be creating this in an attempt to impersonate me. That's one of my first concerns. Or they may be creating this account with the intent of deceiving other people. 

Dave Bittner: Yeah. 

Joe Carrigan: That's why they didn't use their actual email address, so it couldn't be tied back to them. Now, if you're going to use a throwaway account, there are tons of services out there that let you produce a temporary email address. So there's really no reason to use someone's OG or even not an OG, an actual valid email address - there's no reason at all to do this. So I'm always very suspicious when people do it. 

Joe Carrigan: Brian has said he has reached out to some people. He actually had one guy he talks about in this article who was using Brian's email address as his backup email address for his retirement holdings. And he reached out to the guy and said, you shouldn't do this. I mean, if someone was doing this with retirement holdings, I would probably reach out to the person and say, you know, there's a significant amount of money here. At this point in time, this is where I don't go out and just lock somebody out of their account (laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: This is where I actually try to make a good faith effort to get in touch with somebody because this is obviously someone who's made a mistake. They've just put in an email address for the sake of convenience in trying to fill out their retirement holdings. This is not somebody doing something malicious. If I can see that they have gotten - you know, that this is some account where they're holding assets, that's a different question than somebody popping up an Instagram account using my name. 

Joe Carrigan: One of the things - he says if he ever needed to order pet food, he could do it by using one of the accounts created at Chewy or Petco... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Because he has access to these accounts. And if he ever needed a Weber grill part, he's got that ready to go. And the thing it reminds him of is a story he wrote back in - when was it? I can't remember. It may have been the early 2000s or the '90s. But he wrote - I remember this story coming out about the person that went out and bought the domain donotreply.com... 

Dave Bittner: Right. 

Joe Carrigan: ...And then just accepted every email that came into that domain, whatever the address was. 

Dave Bittner: Yeah. 

Joe Carrigan: The amount of information this guy collected was staggering. 

Dave Bittner: There was classified information coming to that address. 

Joe Carrigan: Yeah. Yeah, absolutely. 

Dave Bittner: Right. Right. Yeah. 

Joe Carrigan: Classified information and other kinds of financial records. You know, all kinds of information was just going to that domain because people - instead of saying, do not reply at, like - at thecyberwire.com, they were putting thecyberwire@donotreply.com. That's the wrong way to do this (laughter). 

Dave Bittner: Right. 

Joe Carrigan: I'm sure everybody knows this now, right? 

Dave Bittner: Well, I think it was just sort of a throwaway kind of thing. You know, to try to remind people not to reply to this email address, they just put the return address as donotreply.com. And... 

Joe Carrigan: Right, as if it wouldn't work if somebody registered it, right? 

Dave Bittner: Right. Well, and that's I think - what my recollection of the story, from years ago, was that this person went and thought to himself, well, surely someone has registered this; I wonder where all this goes. And he checked, and no, no one had registered it. So on a whim, he registered it and hilarity ensued. 

Joe Carrigan: Right. 

Joe Carrigan: He tells one story about a lady in Florida who used his Gmail address as a backup for something. And he reached out to her, and she screamed in all caps back at him, saying that my husband's a police officer; you're trying to phish me. And, of course, he just goes, well, OK, fine. But now he still gets a notification any time she logs into her Yahoo account. 

Joe Carrigan: But, you know, what's he going to do, right? This is one of the biggest problems that people are committing themselves to. If you lose access to your email inbox, he says you're opening yourself up to a - what he calls a cascading nightmare of other problems, and then he has a link to his article about this. We've talked about this before as well. One of the reasons email accounts are so valuable is because they are the backup for everything else. 

Dave Bittner: Right. 

Joe Carrigan: If you forget your Facebook password, where does the password reset go? It goes to your email. If you forget your bank password, where does that password reset go? It goes to your email address. These things are incredibly important, and everybody should be using a very strong password and multifactor authentication on their email addresses that they use for these kinds of things, and you should not be just filling out arbitrary email addresses, particularly for other people, right? 

Joe Carrigan: ...That other people may own. Don't use an arbitrary Gmail address to create a throwaway account. Go to something like 10minutemail.com, or Google "temporary email address" and use one of those services. That email address will only exist for about 10 minutes, and then you can create it. They'll actually - you actually can even receive email for about 10 minutes through their interface, click on the link and validate the email address, and then the email address is gone. So if you want to create a throwaway account, that's the way to do it. 

Dave Bittner: Yeah. 

Joe Carrigan: Not by using an actual email service. 

Dave Bittner: Right. All right. Well, it's interesting. Kind of a fun one there with some of the ramifications. Of course, we'll have a link to that in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, rather than referring to the Catch of the Day, we might start referring to some of these as the Stringer of the Day 'cause you know when you go fishing and you catch a bunch of fish and you have a stringer full of fish? 

Dave Bittner: I've heard about that; I don't know that it's ever actually happened to me. But... 

Joe Carrigan: Well, I've got... 

Dave Bittner: And I'd just like to point out, I live next to a lake. So... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...I get to experience many other people's success in fishing and stuff, a success that has so far eluded me. 

Joe Carrigan: Yes. 

Dave Bittner: But go on (laughter). I'm with you in spirit. 

Joe Carrigan: I have a Catch of the Day from multiple sources. There seems to be a Netflix-themed campaign going on out there as we're recording this, and one of them came from my daughter. The sender is Netflix with the diacritic under the N. I don't know how you pronounce that N with the diacritic under it. Maybe it's Nyetflix. But... 

Dave Bittner: What's a diacritic? 

Joe Carrigan: A diacritic is a mark around a letter. You know, like, when you have an accent over an E? 

Dave Bittner: Oh, like an umlaut or something like that? 

Joe Carrigan: An umlaut is a diacritic. Exactly. 

Dave Bittner: OK. 

Joe Carrigan: Like I said, the first one comes from my daughter. So why don't you read the first one here? 

Dave Bittner: All right, it goes like this. 

Dave Bittner: (Reading) Update current billing information. Unfortunately, we are unable to approve your payment for your next subscription cycle. Because financial institutions have rejected monthly charges, Netflix cannot receive payment. To resolve the issue, please update your payment information by pressing the button below. 

Dave Bittner: (Laughter) My favorite part of this is the button is labeled try again payment. 

Dave Bittner: It's the try-again-payment button, Joe. 

Joe Carrigan: Right (laughter). 

Dave Bittner: How many of us - when the payment doesn't go through, well, the first thing you look for is the try-again-payment button, and there it is. 

Joe Carrigan: That's the first thing you look for, Dave. 

Dave Bittner: (Laughter) It says... 

Joe Carrigan: There it is. They deliver it to you in this email. 

Dave Bittner: Yeah. It says, (reading) for more information. Please visit the help center for more info or contact us. 

Joe Carrigan: For more information has a period after it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like that's a complete sentence. This is obviously someone who is not a native English speaker. Or if they are, they are not a very good native English speaker. 

Dave Bittner: Right (laughter). 

Joe Carrigan: All right, so the second one comes from Twitter user Megan. Her handle is @meganisaloser. We don't think so, Megan. 

Dave Bittner: (Laughter). 

Joe Carrigan: So this one is a little more obvious. But, Dave, why don't you read this one? 

Dave Bittner: All right. 

Dave Bittner: (Reading) Netflix subscription renewal failed. Hi, there is a trouble to charge your recent membership extension for next period of month. It may appear that the information that you give us is invalid. However, we attempt again in next few days. During this time, you won't be able to enjoy our service as usual. To fix this, simply just update your information below. 

Dave Bittner: Now, this button says update details. So... 

Joe Carrigan: Right. More believable. 

Dave Bittner: All right, that's a legit button. 

Joe Carrigan: Yep. 

Dave Bittner: (Reading) We are sorry for the uncomfortable for you. 

Joe Carrigan: (Laughter). 

Dave Bittner: (Reading) But you can always go back anytime to us by update your details. 

Joe Carrigan: (Laughter) And, finally, this one from Rebecca Vaughan, @beccabloom on Twitter, and it reads like this. 

Dave Bittner: (Reading) Hi. We're having trouble to authorize your payment profile on file, but we're unable to do so. Do not worry. We'll test your payment in the next few days. To keep subscribing to Netflix, you will need to update your payment details. 

Dave Bittner: And then the button is labeled update account security. 

Dave Bittner: (Reading) We will froze your account until you update your payment information. 

Joe Carrigan: So it's obvious to me that there's some kind of campaign going on out there with these, and somebody's just phishing for Netflix accounts. 

Dave Bittner: Yeah. 

Joe Carrigan: And I think that these have some kind of value out there. So they may be trying to get payment information, as well. But I think probably, there's also an attempt here to steal the Netflix account because I think they probably sell these, so people can watch Netflix for little - very little money. 

Dave Bittner: Yeah. I would think also, Netflix is so ubiquitous, especially these days... 

Joe Carrigan: Right. 

Dave Bittner: ...That chances are if you hit someone up, the odds are someone probably has a Netflix account. 

Dave Bittner: All right. Well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Shai Cohen. He is from TransUnion. And our conversation focused on identity fraud and how that has been at the center of many of the online COVID-19 scams that they have been tracking. Interesting stuff here from Shai Cohen. 

Shai Cohen: We are all about, you know, providing solutions to detect - prevent and detect fraud while using, you know, all the data assets that we have in place, you know, primarily credit data, personal data and device data that TransUnion had and also using kind of, you know, machine learning and dynamic data models to correlate against any potential fraud when it's come to account origination, account opening, account access, user authentications. And we do all of this with what we call a friction-right, so not to disturb too much the good actors but also be able to detect the bad actors and prevent fraud before it's happening. 

Dave Bittner: And where does that balance land, you know, between not having too much friction but also doing the things that you need to do there to protect your customers? 

Shai Cohen: It's all about, you know, the data that we have and our ability to really have predictive and adaptive models that know how to differentiate when we see kind of bad actors coming into place. And we have, you know, very - you know, all variety of data elements that we kind of correlate and compare against and using models to be able to do that. So it's all really about kind of the data assets and the machine learning capabilities that let us kind of excel in that area. 

Dave Bittner: And where do we stand today? Are we winning this battle? I mean, in general, are organizations able to do a good job protecting themselves? 

Shai Cohen: Generally speaking, yes. But the fraudsters - it's kind of an ongoing battle. You know, fraudsters are getting much more sophisticated, and the attack front is getting more complicated. Especially with the new COVID-19 pandemic, we see a lot of new methods that kind of fraudsters are starting to employ in order to attack organizations, financial organizations and consumers obviously. And the methods keep evolving in a way that we need to continually find solutions against. 

Shai Cohen: The key is for organizations to really kind of advance the digital play because the surface has become, you know, as we expect, especially in today's environment, more and more digital. And as we see new methods, we kind of add more solutions that can help, you know, continue and prevent any kind of fraud issues, you know, account takeover, phishing, stealing, you know, personal data and using it in a bad way, creating things like synthetic identity. All these types of methods require us to kind of stay on our toes and keep evolving our solutions. 

Dave Bittner: Now, one thing that caught my eye - you recently released some information about some capabilities of one of your document verification solutions. And it involved customers being able to take a selfie and using that to compare with a photo on their identification documents. 

Shai Cohen: Yes, exactly. So when you provide kind of government-issued documentation, it can contain - it's the original data that we have as TransUnion. But when a fraudster comes, it can actually, you know, manipulate the document in a few different ways. One is kind of, you know, the expiration date for example, some fake information on the documents and the picture. 

Shai Cohen: So while we have kind of the original data and the right data, by loading selfies for example, we can actually compare, you know, the pictures that you just put in when you apply for something or when you try to open an account against the original documentation. And because we have, you know, all the genuine data about the identity and we know also that device information - if the device information is good or not so good, we are, again, using all this information to be able to correlate and link the data that - the good data that we have against what is kind of put as part of the application. 

Dave Bittner: So I guess, like, with everything, I mean, there's no way to be 100% sure, but this is yet another layer that you can use to build up that level of confidence or not to decide whether or not someone who's trying to do something is legitimate. 

Shai Cohen: Correct. As I said before, it's all about, you know, the different data type and data elements and seeing what we can do in order to protect. 

Shai Cohen: You know, document verification is, you know, an additional element that we are using and starting to use recently in addition to all the personal information that we already have as part of TransUnion, all the device information that we have, you know, more than 7 billion devices that we kind of have across the world that we have history about coming from the Iovation acquisition. And all this - you know, once we acquire more and more data and are able to use it for linking and to assess the validity of a transaction, it gives us, you know, what we call full detection rate much higher and also as a result fewer false positives - right? Because that's another thing - that you don't want to block a good actor. So you need to reduce the false positives. 

Shai Cohen: And, again, once you have, you know, more elements that you know to compare against, then - and your algorithm is better, then you have the ability to, again, increase fraud rates and decrease false positives. 

Dave Bittner: For our listeners who are looking to do a better job of protecting their own financial information and the interactions they have with the various financial services organizations that they may deal with, do you have any advice for them, any words of wisdom? 

Shai Cohen: Yes. So first of all, the assumption is always that your information is already on the dark web, right? And the fraudsters possess your information. So because of all of these threats, the consumer needs to kind of always make sure that they check twice before pressing on an email link and make sure that all the information that they have is being used safely, not do anything that - especially with phishing attacks, right? Phishing is all about, you know, sending you texts, emails, phone calls trying to get your personal data. Be very careful when opening anything, any communication from someone that you don't really know. 

Shai Cohen: And also, when you work with, for example, financial institutions or your provider, make sure that their level in digitally protecting your data is there and they pay a lot of attention to that - right? - because consumers expect their financial institutions, anyone that they do business with, to have sufficient - to be advanced digitally and especially in protecting their information. So check also with your provider. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Good interview with Shai. I have some real appreciation for what they do there at TransUnion. One of the biggest things I like that he said is some of the document verification techniques that he mentions. I'm glad to hear that this is happening at TransUnion. It keeps the general population a little more protected. 

Joe Carrigan: Unfortunately for the rest of us, we don't really get the opportunity to do this because we don't have access to the kind of information that TransUnion does. But I'm glad that TransUnion is doing this. They're utilizing the information that's at their disposal to verify people. Good move. Good move. 

Joe Carrigan: One of the things he said is that this is an ongoing battle. And we in the security field have been saying this for years, that this is an arms race. And as time has gone on, we've seen that arms race move from the technical area to the human area of security because as the technology gets better and as the software gets better to the point where it becomes much more difficult for attackers to find vulnerabilities and exploit them, then they have shifted the focus to the humans because those are a lot slower to update, I guess. 

Dave Bittner: (Laughter). 

Joe Carrigan: But one of the things that Shai said - he said the methods of fraud will keep evolving. But I would assert that the underlying concepts are not really going to change that much in terms of social engineering. We're still looking at the same kinds of scams that we've been seeing literally for centuries, that these - we're trying to scare you; we're trying to appeal to your greed; we're going to get you to do something that's not in your best interest. 

Joe Carrigan: And the upside of that is that if you train yourself, you can become aware of what those things are and, thus, less likely to fall for these. You can kind of inoculate yourself against these social engineering attacks. 

Joe Carrigan: But he's right. These things are going to change. Their hooks are going to change all the time. Like, right now, the big hook is COVID, right? 

Dave Bittner: Sure. 

Joe Carrigan: What happens in about a month, Dave, or two months? The hook is going to change to elections in the U.S. That's what's going to happen. 

Dave Bittner: And then it'll be the holiday season. 

Joe Carrigan: It'll be the holiday season. 

Dave Bittner: It'll be tax season (laughter). 

Joe Carrigan: Exactly. And that's just how this goes. This is always going to be changing, and you always have to keep your guard up. And just - you always have to consider what is going on in the world, and why have you received this email? Chances are that this is probably a scam. 

Dave Bittner: Yeah. 

Joe Carrigan: That's my thinking on it. Or if you approach all these emails with chances are, this is a scam, then you're going to be better off. 

Joe Carrigan: Shai talked about synthetic identities. He mentioned it very briefly and in passing. And that term fascinated me, and I hadn't heard that before. So I looked that up, and that is essentially where you create an identity. An attacker - a malicious actor creates an identity that is not really associated with another person. 

Joe Carrigan: So we hear about people who have their identity stolen and then accounts opened in their name. If I can create a synthetic person - a completely synthetic identity - then go out and start utilizing that identity and establishing credit and getting access to credit, there is nobody on the other end of that that's ever going to alert the institutions to the fact that somebody is opening a fraudulent account. 

Joe Carrigan: And in fact, not only that, but I actually will have access to all those backends, like credit monitoring services and things of that nature, so I can control that. It's a great way - from a criminal perspective, it's a great way to increase your throughput, although it probably is more difficult to do. And it takes time to establish these synthetic identities because these synthetic identities have to have a credit report associated with them, and you have to build that up. So it actually probably takes money, as well, to do this. Like I said, the upshot is there is nobody on the other end of it. You, as the attacker - or the malicious person - are in complete control of it. 

Joe Carrigan: And finally, the last thing that Shai said that I 100% agree with is, assume that your information is already leaked. That is a good assumption because chances are, your information is already leaked thanks to companies like a competitor to TransUnion, Equifax. We heard about their data breach a couple of years ago. That was great. 

Dave Bittner: Right. 

Joe Carrigan: There are other breaches out there that have resulted in huge amounts of data being lost to these dark markets where you can buy and trade this information. It's out there. Your information is probably out there. 

Dave Bittner: Yeah. And so you have to take additional precautions, like multifactor authentication. 

Joe Carrigan: Absolutely - multifactor authentication; be suspicious of every single email you receive. Multifactor authentication actually goes a long way in helping you prevent yourself from being abused, prevent yourself from losing access to your accounts. It is very important. 

Dave Bittner: Yeah. All right. Well, our thanks to Shai Cohen for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.