Hacking Humans 12.3.20
Ep 126 | 12.3.20

Going behind the scenes and preventing social engineering in financial institutions.


Mike Slaugh: Security is a shared responsibility between you and your financial institution.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the scenes of the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Mike Slaugh from USAA on his predictions for 2021 and best practices for organizations to protect themselves and consumers, including creating better means of identity verification. 

Dave Bittner: All right, Joe. Let's start off with some stories here this week. What do you have for us? 

Joe Carrigan: Dave, I have a story from Volexity, who is a security company. They do, like, incident response and stuff, but they also do their own research. And they have identified several Vietnamese-language websites purporting to be news websites. But what is interesting is, for the most part, they actually have news on them - real news. 

Joe Carrigan: Initially, what Volexity was thinking has happened here is that actual news sites were compromised. These were actual news providers that had been compromised by some malicious actor. But now they're saying that's not the case. What they're saying is that these sites - and there's about a dozen of them, or maybe more - are actually the work of OceanLotus, which is what we call in the business an APT, or an advanced persistent threat. 

Joe Carrigan: But these sites have been developed with significant effort. Somebody has gone through the hassle of developing all these websites to do a couple of things. One of them is to track users with some advanced profiling tools that are on these websites. And another one is to deliver some malicious software via means like a fake Flash updater. 

Joe Carrigan: So there's thinking that this is to track people who are interested in government corruption. The news articles that are related to that have this information on it. And some of these webpages have 10,000 articles on them that they have scraped from other sources that have actually gone to the trouble of doing the reporting. So they actually haven't done any reporting, but they've stood up these websites - a lot of them - so that they can get people who might be of interest to the government to log in to them and... 

Dave Bittner: Right. 

Joe Carrigan: ...Either use the web-tracking tools that are well known - and when Volexity says that they're using an advanced profiling tool, they're probably using something along the lines of what is standard out there on the web that tracks us everywhere. There are tools out there that are written in JavaScript that provide an unbelievable amount of information to every website that you visit. And these things can include stuff like knowing the size of your monitor. 

Joe Carrigan: And if you gather enough of this information about an individual user, you can figure out who that user is. It's almost like de-anonymizing location data, although not as simple as that. Location data has essentially two pieces of information that can be used as a primary key on a record in the location data set. But these web-tracking toolkits do kind of the same thing. They just need more information to identify who it is. And that's kind of the thing they're doing. 

Dave Bittner: Yeah. I mean, it's referred to as browser fingerprinting - right? - using the... 

Joe Carrigan: Exactly, yeah. They're just doing browser fingerprinting. 

Dave Bittner: They're just doing the version - yeah, the version of the OS you're using, your monitor size, your screen resolution, your, you know, location. And then you just take a bunch of different things, and chances are that combination of things is unique to you. 

Joe Carrigan: Correct. Correct. 

Dave Bittner: Yeah. 

Joe Carrigan: 'Cause nobody else is going to have exactly your computer. 

Joe Carrigan: They also have this malware kit that is from Cobalt Strike that downloads a product called Beacon that does a whole mess of stuff once it's installed on your computer. Interestingly, when you go to the website on a computer or a device that isn't supported - like, let's say you visit this website on an Android device - it might say, we can't show you this; go look at it on your computer because we have that malware. So they'll direct you to it by telling you to go there with a different device. 

Joe Carrigan: Now, I mean, this only affects people who are Vietnamese-speaking people, right? But these techniques are interesting. They have flooded the market with additional websites. 

Joe Carrigan: This reminds me of when HBO came out with Cinemax, right? HBO was competing with Showtime, and they said, you know what we should do is we should just have another channel that's a premium channel that people pay for, and that way we'll get more market share. That was their thinking behind it originally. They started having more and more of these services out there. 

Joe Carrigan: Well, these guys are doing the same technique - the same business technique. They're just going out there and flooding the market with these sites that are mostly benign. But when they come to an article that's of interest to people who might be of interest to the government, it starts tracking them, finding out who they are. 

Dave Bittner: (Laughter) Right, right. So you're thinking of overthrowing your government. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: A 10-step plan for overthrowing your government, you know (laughter)? 

Joe Carrigan: Right. 

Dave Bittner: Right. That's fascinating. That's fascinating. And the vast majority of the site is legit news scraped from other places. 

Joe Carrigan: Correct, with no malicious software on it. 

Dave Bittner: Yeah. The search engines, you know, catalog all that. 

Joe Carrigan: Absolutely. 

Dave Bittner: And they say, well, there doesn't seem to be anything odd here. The vast majority of what's here seems to be on the up and up. Do they have any recommendations for protecting yourself against this sort of thing? 

Joe Carrigan: They do. Towards the end of the article - and we'll put a link in the show notes - it says, you know, make sure that you're going to a legitimate news source. I mean, that's really the only defense here is that you have some news source you trust that you go to and you don't go to other sites. And when you see news articles being linked to in sites that may or may not be legitimate, if you don't know who that organization is, you don't trust them from their journalistic integrity or standpoint, just don't go there. I don't know how good of a bit of advice that is. I'm not sure that that's very helpful at all. I don't know how you defend against this, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: This is one I'd have to think about a little bit before I... 

Dave Bittner: I mean, I guess if you were - you know, if you were interested in a particular topic, you could do a search within the news site that you trust. For example, you know, let's say I decide I trust The New York Times or The Washington Post or the Washington Examiner, you know, whatever... 

Joe Carrigan: Right. 

Dave Bittner: ...Whatever newspaper I prefer to read. I could go to their site and search on their site for the topic that I'm interested in. 

Joe Carrigan: Yes, you can do that. 

Dave Bittner: You know, I think things like Google allow you to search within a certain site as well. And even just you could say, you know, New York Times, you know, football team winners, you know (laughter)? 

Joe Carrigan: Right. 

Dave Bittner: And I'm likely - that'll likely take me to the place that is a trusted source. 

Joe Carrigan: But don't just type in, say, football team winners 'cause that'll take you to a bunch of different places. 

Joe Carrigan: In fact, I was doing some news searching the other day, and I was presented articles from a bunch of news sources I'd never heard of before. And I look at who they are, and I'm like, I don't know who these people are. 

Dave Bittner: Right. 

Joe Carrigan: I don't know what their agenda is. And so I discount them, and I'm done. I move on. So I think that's generally a good way to go about, you know, how you ingest your news. And that would probably defend you from these kind of attacks. 

Joe Carrigan: But imagine if this had gone on long enough that this OceanLotus group didn't go ahead and start putting malicious stuff on there right away, that they actually built up an entirely - almost a bona fide news organization. 

Dave Bittner: Right. 

Joe Carrigan: They started building the trust of people, and then they started doing the tracking. What would that impact be? I hope I'm not giving any... 

Dave Bittner: Playing the long game (laughter). 

Joe Carrigan: Right. I hope I'm not giving any ideas to any oppressive regimes. 

Dave Bittner: Well, we've heard of, you know, different intelligence organizations playing those sorts of long games... 

Joe Carrigan: Right, absolutely. 

Dave Bittner: ...You know, setting up shell organizations and letting them run for years... 

Joe Carrigan: Yes. 

Dave Bittner: ...To just establish credibility. So, you know, it's a real thing. But I think it's good advice we've got here for just being careful. 

Dave Bittner: It makes me wonder if there's, you know, some sort of parental controls you could put on your website to say, put guardrails on to make sure that I'm only going to legit news sources. I guess it's something you just kind of have to be vigilant about. 

Dave Bittner: All right, well, that's an interesting story for sure. 

Dave Bittner: My story this week comes from Brian Krebs over on Krebs on Security. And it's titled "Be Very Sparing in Allowing Site Notifications." This was sort of new and clever to me. Anybody who's spent time on the internet, you go visit a new site, and I'd say particularly if it's a news type of site, it will usually ask you, hey, is it OK if we show notifications from this site? 

Joe Carrigan: Yeah, that's real annoying. 

Dave Bittner: Yes (laughter), it really is. And I cannot remember a single instance when I've said yes (laughter). 

Joe Carrigan: Yeah, me neither. I mean, Brian is saying be very sparing. How about zero? I mean, that's my level of tolerance for this. I can't stand this. 

Dave Bittner: Right. Yeah, if my web browser had a setting where it automatically said no to all of these, I would enable that. 

Joe Carrigan: Chrome does that, but every time it updates, it resets it. 

Dave Bittner: OK. 

Joe Carrigan: At least that's my experience. 

Dave Bittner: What's interesting about that is that I've never really given it much of a second thought other than thinking that this was some sort of benign way for this website owner to pop a little message up in front of you - you know, breaking news or, you know, weather alert or those sorts of things. But it turns out there's more capabilities within these prompts than I had certainly thought about before. 

Dave Bittner: These are a type of push notification. It's built on an internet standard. And within that standard, there is the opportunity to put code in there. And there is a company called Push Welcome, and they advertise to site owners that they can - wait for it - monetize the traffic from their visitors. 


Dave Bittner: Right. And this is why we can't have nice things. 

Joe Carrigan: That's right. 


Dave Bittner: Part of that monetization is that they ask the website owner to put a bit of code on their site. And what that does is it allows them to put ads in these pop-up messages, these push notifications. 

Dave Bittner: Yeah. So I can sense - like, I think we're in agreement here... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That this gets both of our hackles up, that there's nothing... 

Joe Carrigan: Yes, it does. 

Dave Bittner: Nothing good can come of this. But what they - there was analysis that Brian Krebs talks about. It was compiled by a company called Indelible LLC, which is a cybersecurity firm. And they looked through this, and they found that the vast majority of these were scams - you know, the sort of scams we've all seen where someone pops up and says, hey, we just scanned your computer and you have five viruses. 

Joe Carrigan: Oh, yeah. 

Dave Bittner: You know, click here to buy your copy of this amazing, you know, virus software that'll cure all your woes, and it'll even wash your car - you know, that sort of thing. 

Joe Carrigan: So it's another vector for those fake virus companies that will then give you an 800 number to call to get the viruses off your computer and bill you, like, $400 a year for it. 

Dave Bittner: It could be that. I mean, some of them - they end up sort of being affiliate ads for legitimate products. So they may try to sell you a copy of, you know, Norton Security - that sort of thing - you know, a legitimate product. But if you buy it, they get a cut. 

Joe Carrigan: Right. 

Dave Bittner: So it's an ad that way. So it's not necessarily that they're putting something bad on your computer, but certainly the initial notification that, oh, my goodness, we found viruses on your computer - that's a scam (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...Because this pop-up is not capable of scanning your computer for viruses. It can't happen. 

Dave Bittner: I don't know. What do you think about this? I was a little surprised that this capability existed. This was not on my radar. 

Joe Carrigan: Yeah, not on mine either because my default action is, go away, right? 

Dave Bittner: Right. 

Joe Carrigan: Don't bother me with this. And I've never looked into it because I've said, I'm sure everybody does this. But you know what? Not everybody's like me, right? Thankfully. 

Dave Bittner: Yeah. 

Joe Carrigan: And I imagine there are people out there who go, well, sure, you can go ahead and send me notifications - which is a bad idea. First off, if you say that to a hundred websites, can you imagine what your web browsing experience would be like every time you opened up Chrome or Firefox... 

Dave Bittner: (Laughter) Yes, yes. 

Joe Carrigan: ...Or whatever browser you use that supports these notifications? 

Dave Bittner: Yes (laughter). 

Joe Carrigan: You would get hundreds of notifications from a hundred websites. I mean, they're not just going to send you one a day. And now that they can monetize this, oh, there's going to be a lot more that come. It's going to be unbearable. I like what you said, Dave - this is why we can't have nice things. 

Dave Bittner: (Laughter). 

Joe Carrigan: You remember when the web was a nice thing? It was great. You'd go out, you'd find what you wanted, and you'd read the article, and it would be fantastic. But now whenever I go to a website, the first thing that happens is I get one of these pop-ups that says, can I send you notifications? I say, no. And then it says - by the way, as I'm reading the article, the entire screen is covered with some other pitch. 

Dave Bittner: Right. Sign up for our newsletter (laughter). 

Joe Carrigan: Sign up for our newsletter, subscribe. 

Dave Bittner: Right, right. Because there's nothing that's going to make me want to subscribe to your newsletter than interrupting me in the middle of reading your article, right? (Laughter). 

Joe Carrigan: Right, exactly. Well, if the experience is like this, no, I don't want to read the article. 

Dave Bittner: Right, right (laughter). 

Joe Carrigan: I don't want to subscribe. I don't want to support you. 

Dave Bittner: Yeah. And yet they - I mean, it must work because it is so ubiquitous. 

Joe Carrigan: Right. 

Dave Bittner: It is so ubiquitous. 

Joe Carrigan: I mean, again, I think it's a numbers game. I think it works like phishing works, right? It might get 0.1% of the people to do it. But that's still profitable, so people do it. But it makes (laughter) - for the other 99.9% of the people that experience it, it just makes it worse. 

Dave Bittner: Well, and, you know, it reminds me - I suppose a person in the family who helps with tech support... 

Joe Carrigan: Right. 

Dave Bittner: ...Which I know you and I both have certainly put in our time. You know, sometimes you'll go and you're helping a friend or relative with their computer and you see what's going on. And, you know, there are all these pop-ups and all these things. And you go, good Lord, how can you live this way? 


Joe Carrigan: What have you been doing? 

Dave Bittner: Like, how - right. How could - this experience is horrible. How - oh, let me just, all right, step away from the computer. 

Dave Bittner: All right. Well, those are our stories. It is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Reddit user Big Willy 311, or William, as he goes by. He got a message phishing attempt from someone claiming to be the boss of the place he works. And it is a gift card scam, but he handles it pretty well. So why don't you play the part of the scammer, and I'll play the part of William. And you can see where this goes. It's pretty good. 

Dave Bittner: All right. Here we go. 

Dave Bittner: Are you free right now, Dale? Thanks. 

Joe Carrigan: I'm a little busy right now. Who is this? 

Dave Bittner: OK. Just text when you're free. 

Joe Carrigan: I'm Dixie. 

Dave Bittner: I know. It's the principle. 

Joe Carrigan: You're the principle? I'm Dixie. My name is Dale, but I go by Dixie. 

Dave Bittner: Sure. 

Joe Carrigan: Great. I'm glad we cleared that up. I'll be free in a few minutes. 

Dave Bittner: I'm in a meeting right now. That's why I'm contacting you through here. I should have called you instead of texting you, but phone calls are not allowed to be used during meeting. I don't know when the meeting will be rounding up, and I want you to help me out on something very important right away. Can you? 

Joe Carrigan: I'll be free in a few minutes. 

Dave Bittner: OK. Let me know when you can help me, when you are done. 

Joe Carrigan: I will be able to help. I am just not able at the current moment. 

Dave Bittner: OK. Can you help me get a Google Play gift card from the store right now? I will surely reimburse you back today once I'm done with the meeting. Are you still busy? Just let me know if you can get the cards if you are done. 

Joe Carrigan: Why can't you do it? 

Dave Bittner: I need a physical cards, which you are get from the store. I unable to get it because I can't leave the meeting right now. Can you please help me get the cards from the store? I will surely reimburse you when I'm done. 

Joe Carrigan: Yeah, I can do it. But I need you to stop rushing me. I'm too busy. 

Dave Bittner: OK, I'm sorry. 

Joe Carrigan: But it's pretty rude to be like, hey, can you do this thing for me as a huge favor because I can't do it myself but also do it right now? What's taking so long? You know what I mean? 

Dave Bittner: Thanks. The amount I want is $100, each in five three pieces so that will make it a total of $300 I'll be reimbursing back to you. I need physical cards, which you are going to get from the store. When you get them, just scratch it, take a picture of them and send it to me here, OK? Let me know if you can help me with that amount right away. Plus, I will get the cards from you after meeting. But I need the pictures first. Can you? 

Joe Carrigan: Yes, I can do it. It's just going to take me a few minutes. 

Dave Bittner: OK. How long should I wait for? 

Joe Carrigan: Well, I'm at school as you know. Maybe 45 minutes? School will be over at that time. Plus, I have to vote. Have you voted? 

Dave Bittner: OK. Thanks. 

Joe Carrigan: Is 45 minutes OK? 

Dave Bittner: Sure. 

Joe Carrigan: OK, great. Thank you. 

Dave Bittner: When you get them, just send the pictures here. Thanks. OK. Hi. Are you there? 

Joe Carrigan: Traffic. 

Dave Bittner: Did you get the cards? 

Joe Carrigan: A couple more minutes. 

Dave Bittner: OK, thanks. 

Joe Carrigan: You're welcome. 

Dave Bittner: Yes. 

Joe Carrigan: I meant you're, with the contraction. OK, man, I'm having a bit of a situation. Can you wait one more hour? I will surely help you, but I can't do it right this minute. 

Dave Bittner: What are you doing? 

Joe Carrigan: My dog got bitten by a cat. We have to take him to the vet. He might have gotten rabies. 

Dave Bittner: Oh. 

Joe Carrigan: I know. Crazy, right? 

Dave Bittner: OK. 

Joe Carrigan: We are on our way to the vet right now. Ding Dong says hi. That's the dog. He's going to be OK. But he doesn't look like he's in any pain or anything. I'll let you know when I leave the vet and head for the store. 

Dave Bittner: OK. Hello? Are you there? 

Joe Carrigan: Yes, we're still at the vet. 

Dave Bittner: OK. 

Joe Carrigan: I apologize it's taking so long. 

Dave Bittner: It's fine. 

Joe Carrigan: Thank you. 

Dave Bittner: Are you done? 

Joe Carrigan: No, almost. 

Dave Bittner: OK. 

Joe Carrigan: Do you hate when people say, I've got good news and I've got bad news, as much as I do? I hate it. I always say, I have first news and I have second news. Well, I have first news and I have second news. 

Dave Bittner: What's it? 

Joe Carrigan: First news - we had to put the dog down. Second news - we have to go to the pharmacy. I can get your cards there. 

Dave Bittner: OK. 

Joe Carrigan: It's about 15 minutes away from the vet. 

Dave Bittner: OK. 

Joe Carrigan: I'm almost there. 

Dave Bittner: OK. 

Joe Carrigan: We're heading there right now. You said Google Play, right? 

Dave Bittner: Yes. 

Joe Carrigan: They don't have it. There's lots of eBay or, like, Steam cards and Amazon. Does it have to be Google Play? 

Dave Bittner: You can get a Steam wallet gift card. 

Joe Carrigan: Oh, dang. I was wrong. None of those. I thought I saw them. 

Dave Bittner: Which other cards do they have? 

Joe Carrigan: It's mostly restaurants and stuff and eBay. 

Dave Bittner: Get eBay then. 

Joe Carrigan: OK, eBay looks like the only store. OK, three cards, right? 

Dave Bittner: Yes. 

Joe Carrigan: One hundred dollars each. 

Dave Bittner: Yes. 

Joe Carrigan: OK, I can bring them to you in the morning. 

Dave Bittner: Yes. Just scratch the cards and take a picture of them and send them through first. 

Joe Carrigan: Wouldn't just giving them to you be easier? You can reimburse me at the same time. 

Dave Bittner: Can you please send the pictures first? I will surely reimburse you. 

Joe Carrigan: OK. 

Dave Bittner: Have you gotten the cards? 

Joe Carrigan: Our prescription is ready, so we're going to pay. Then I'll send the pictures. I haven't bought them yet. I just have them in my hand. I just need to pay. 

Dave Bittner: OK, thanks. 

Joe Carrigan: It'll be a couple of minutes. 

Dave Bittner: OK. 

Dave Bittner: Hi. 

Joe Carrigan: Hi. We're still checking out. 

Dave Bittner: OK. 

Joe Carrigan: Bit of a line. 

Dave Bittner: OK. 

Joe Carrigan: The pharmacy appears to be a polling place. Did you vote? 

Dave Bittner: When you get the cards, let me know. 

Joe Carrigan: I will. 

Dave Bittner: OK. 

Dave Bittner: Hi. 

Joe Carrigan: Sorry, I had a bit of a credit card issue. 

Dave Bittner: OK. 

Joe Carrigan: I was declined. I had to use my kid's card. Took some convincing. She's upset about the dog or whatevs. But, oh, get this. 

Dave Bittner: So has your kid's card work? 

Joe Carrigan: The vet was wrong about the dog. He didn't have rabies. So that's good. 

Dave Bittner: So did you get the cards? 

Joe Carrigan: Yes, I got them. 

Dave Bittner: Send the pictures of the cards. Scratch them, and send the pictures of the cards. 

Joe Carrigan: I took the pictures, but I can't find them on my phone. 

Dave Bittner: How come? 

Joe Carrigan: That's weird. 

Dave Bittner: Can you type out the codes? 

Joe Carrigan: That'll take a long time. It'll be easier just to bring you the cards in the morning. 

Dave Bittner: Just scratch the cards and type the codes and send them. 

Joe Carrigan: Man, that'll take a long time. 

Dave Bittner: Oh, no, try it. 

Joe Carrigan: I think I can make this picture thing work. I found them. Let me send them. 

Dave Bittner: OK. 

Dave Bittner: I haven't gotten the pictures. 

Joe Carrigan: I sent them. Let me try again. 

Dave Bittner: Send the pictures to this number. 

Joe Carrigan: I'm trying. 

Dave Bittner: OK, LOL. 

Joe Carrigan: I'm going to restart my phone. It should just take a minute. I'll try after that. 

Dave Bittner: OK. 

Joe Carrigan: I'll be right back. 

Dave Bittner: Where are you going? 

Joe Carrigan: Notification - the number you are trying to reach is not available. To receive messages at this point in time, please try again in a moment. 

Dave Bittner: Really? 

Joe Carrigan: Notification - the number you are trying to reach is not available. To receive messages at this point in time, please try again in a moment. 

Dave Bittner: Hmm. 

Joe Carrigan: Hmm what? 

Dave Bittner: I haven't gotten the pictures. 

Joe Carrigan: Oh, did you try to text me while my phone was off? Yeah, it does that. I haven't found the setting that turns that off yet. Annoying. 

Dave Bittner: OK. Are you there? 

Joe Carrigan: It didn't send? 

Dave Bittner: Type out the codes, weary (ph). 

Joe Carrigan: OK, I'll try. 

Dave Bittner: Thanks. 

Joe Carrigan: And he sends a fake code that's already been used, and he says, oh, I think I typed that wrong. And then he sends a code again, and he says, I think that one is an I as in igloo. I don't know. Try both of them. I can't tell on the card. Which one was it? 

Dave Bittner: (Grunting). 

Joe Carrigan: What? 

Dave Bittner: That card has been used. 

Joe Carrigan: I think it's that one digit. I can't tell if it's a 1 or an I as in ice, lowercase L as in lettuce. There's no reason to be rude. I got my pictures to work. Do you want me to send it? 

Dave Bittner: Yes. 

Joe Carrigan: I'm good. OK, I'm going to send all three cards in one pic. That way, if my phone freaks out again, you'll have them. It's worth $100 for one, $100 and also worth $100. And then he sends - this is the greatest part. He sends a picture of three Post-it notes that say - just say written across them, eBay gift card, $100. 

Dave Bittner: (Laughter). 

Joe Carrigan: And that's pretty much the end of the conversation. 


Dave Bittner: Right. So a nice job stringing along the scammer there and wasting their time. 

Joe Carrigan: Yes, wasting a lot of their time. That was a pretty good one. Thank you very much, William. 

Dave Bittner: All right. Well, thanks for sending that in. We love to get these from you all. If you have an interesting one you'd like us to consider to use on the air, please send it to us. You can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Mike Slaugh from USAA. We spoke about some of his predictions for 2021. We also touched on some of the best practices for organizations to protect themselves, including better means of identity verification. Here's my conversation with Mike Slaugh. 

Mike Slaugh: 2020 has been a very unique year when it comes to fraud. The year started out pretty traditionally with, you know, a lot of your common fraud trends that we've always seen throughout the industry. And then the pandemic hits. And then once the pandemic hit, you saw fraud really take a major shift going through there. So I think what you had was a set of government programs that were designed to get money to people as quickly and as easily as possible. And naturally, those programs became a magnet for fraud. So we saw fraudsters kind of shift over to these Paycheck Protection Program, you know, fraud schemes and things like that. And that persisted through, you know, most of the summer. And now what we've seen in the last couple of months is we've seen fraudsters kind of returning to more traditional ways of committing fraud. 

Mike Slaugh: Our biggest trend we see right now is around impersonation. It's a social engineering scam where a fraudster will call an unsuspecting victim, and they will impersonate a person from an institution that they trust - so your bank, your insurance company or something like that. And then once they gain your trust, they will socially engineer certain authentication information out of you. And so that, we've seen, has been a big trend in that, especially as banks go to multifactor authentication and other traditional, stronger forms of authentication designed to keep fraudsters out of your accounts. 

Dave Bittner: Can you give us some insights in terms of the things that you all are doing at USAA to specifically help protect the folks that you work with? 

Mike Slaugh: There's a lot, and we have a multipronged strategy. You know, part of the strategy is on our side, you know, with producing authentication solutions that are not only secure, but are easy to use for members. And so we understand that using multifactor authentication, specifically the one-time code sent via text message multifactor authentication, is a big hindrance to adoption. It's clunky; not a lot of people know how to navigate that. And so our responsibility is to get solutions into our members' hands that are easy to use, that are secure - things like device recognition, things like biometrics. And these types of solutions will allow us to adopt stronger security but then allow our members to have the convenience that they're looking for to get into their accounts. So that's our first prong of our strategy, is looking for solutions that will enable this. 

Mike Slaugh: The second part of our strategy is around member awareness and customer awareness. I often look back at, you know, when phishing started to become a big thing back in the late '90s and early 2000s. It was very effective, and it took a lot of awareness and campaigns out there to educate consumers that - you know what? - we're never going to ask for that information in an email. And I see this as a very similar approach where we have to go out and educate our customers and our members at USAA to understand that we'll never call you and ask you for your password, your PIN, your one-time code. And that takes time because we have to ultimately get to each one of our consumers, have them understand the risk and understand what we will and what we won't do. 

Dave Bittner: What sort of things go on behind the scenes? I suspect you all have technology running on-site that's looking out for fraudulent behavior to kind of detect these sorts of things on the fly. 

Mike Slaugh: Yeah, absolutely. So we have a very robust system of controls internally that continually monitor logon activity, transaction history. And what it does is it attempts to form a pattern of behavior where it looks out and it says, well, you're logging in from this computer, and you've always logged in from this computer, but now we have something that's anomalous, that you're now logging in from a computer that is not in your profile, that has not been part of your historical activity. Well, that might be a little bit suspicious. Now, if we have that computer and it's now logging into other accounts, then that is even more of an indicator for us that something might not be right with your account. 

Mike Slaugh: And the same thing with transactions, you know? If your purchase history is reflective of one set of behaviors and now we start to see behaviors that are outside of that norm, that might be a little bit suspicious to us. And so we won't necessarily block the transactions, but we will reach out to you and say, hey, did you mean to make this purchase in this city at this place? Text us a yes or a no if that was you. 

Dave Bittner: Where do you suppose we're headed as we are heading into 2021 here? What's your outlook? 

Mike Slaugh: Well, looking at 2021, I think we're going to see a lot of the same that we've been seeing before. You know, we're going to see a lot of this impersonation scam that I mentioned before. But we're also going to see some new things. We're also going to see fraudsters increasing their level of sophistication. 

Mike Slaugh: So it used to be, back in the day, to set up a phishing site, you had to have some technology know-how. You had to have a way and an understanding of how this thing works. Now what we're seeing is that there's tools within this fraudster ecosystem that allows them to set up a phishing site with just a few clicks of a button. Anybody can do it. And so you're going to see a lot of these phishing sites that are just kind of cookie-cutter, two clicks and you're ready to go get set up. And so you're going to see a larger volume of these fraudulent attacks that are attacking consumers. 

Mike Slaugh: And why do they attack consumers? It's because that's, right now, where the vulnerability in this whole - in the whole supply chain is. You know, I can't go to a vendor and download a patch to fix the consumer and to get them to do what they need to do. 

Dave Bittner: Do you suppose that it's going to become a competitive advantage, that consumers are going to be looking for organizations like yours who are out there being proactive about this stuff, that this is really part of a basic toolkit that people are going to demand from the financial institutions they're doing business with? 

Mike Slaugh: Absolutely. At USAA, we've always taken a very strong stand when it comes to protecting our members. And securing their login is the first step which we take to do this. So we've been on a journey for the last couple years to move as many of our members over to multifactor authentication as we can. And so as new members join our association or as existing members continue to do business with us, we will transition their accounts over to our highest level of security. And what we find as we do that - the adoption rate and the sustainment rate has been very, very good for us. 

Mike Slaugh: So when we move an account over to multifactor authentication, we will let the consumer go back and reverse that if it doesn't work for them and for whatever reason. We find that that reversal rate is extremely low for that. And so that tells us that consumers are looking for this level of security, especially from their bank. Their financial accounts are some of the most important assets for them to protect. And so while we as the industry have not gotten authentication perfect from an experience standpoint, we find that consumers are generally more willing to accept a little bit of friction when it comes to protecting their most important assets. 

Dave Bittner: Yeah, and it seems like the word is out now. You know, people understand that this is important. It's not so mysterious anymore. 

Mike Slaugh: Yeah, absolutely. We're getting on our feedback channels around - do you support this? You know, do you support FIDO authentication? And just a level of discussion around that that we'd never have seen, you know, five years ago, where people are looking out and finding new ways to authenticate and then coming to us and saying, when are you going to support this authentication method? Security is a shared responsibility between you and your financial institution. So we do all the steps that we can to make sure your account's secure, and we ask our members and consumers in general to make sure that they're doing everything they can to make sure their accounts are secure as well. And that includes adopting multifactor authentication, not just at your bank but in other accounts that you may have. Don't reuse passwords and just practice, you know, basic security hygiene. And you will be much safer than you would if you didn't. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: That was a great interview. I'm really pleased to have a practitioner from the financial sector on the show. That's really good to have. It's interesting how he says the tide has turned from the pandemic-related stuff back to the usual stuff. Initially, we saw the spike in pandemic-related scams, and now we're going back to the regular scams. Now that the election is over, we're going to start seeing holiday-related scams, and that's going to be the next big thing. Although for banking, it's pretty much always going to be the same thing. Impersonation is becoming a big part of the social engineering game. And I like the stories he tells here about people calling up and pretending to be from his organization and using that tool to get people to enter their multifactor form of authentication. 

Joe Carrigan: Now, we've talked at length about multifactor authentication on this show, and the one weakness about any of those codes, be it the code that gets texted to you or be it the code that you get from a time-based password system, is that those can be socially engineered out of you. And that game is getting a lot better. And he's absolutely right. These people are getting more and more skillful at this. I'm a bigger fan of educating the consumer than making it more convenient for them. I think that we as a society need to have a higher tolerance for the friction of securing our accounts, especially when it comes to our financial accounts and financial institutions. I would recommend that everybody use the most secure form of multifactor authentication that the organization you're doing business with offers, whether that is simply an SMS code - which is actually not the best kind - all the way up to some kind of FIDO system, which is much better, and, actually, as of right now, I don't know of any way to get around that system. 

Joe Carrigan: I like the pattern analysis that USAA is doing. And they're not unique in this, but it's really interesting to hear how they think about it. First off, they have logins. The problem for that is - for people like me, I use a VPN, right? So every time I log in, I'm coming in from a different IP address or possibly from an IP address that might be on an abuse list somewhere because people use VPNs for a lot of malicious stuff. But what's more helpful for me is the transactions, right? I lead a fairly routine life. There are things that I do every month, and then there are things I don't do every month. When something I don't do every month occurs and haven't done in a while, it's easy to spot. It should stand out like a red flag, and that should be a way for the company to reach out to me and say, hey, Joe, did you just buy $200 worth of groceries in California? No, that's not me. I never do that. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: When I go to California, I don't spend $200 on groceries. It just doesn't happen. We've talked about these tools that help people set up phishing sites. And Mike is right - this used to be something that was kind of hard. But now for about $30 bucks, you too can become an expert phisher (laughter), right? 

Dave Bittner: Right, right. 

Joe Carrigan: And have - send out emails, get the landing pages that look exactly like the company that you're targeting - right? - be it USAA or Wells Fargo or whatever. And then these phishing kits go so far as to tell you how to launder the money that you've made. So it's a turnkey solution for cybercrime for $30 bucks. 

Dave Bittner: Yeah. 

Joe Carrigan: This is only going to become more and more prevalent. I mean, $30 bucks is not a lot of money. 

Dave Bittner: Nope. 

Joe Carrigan: Eventually, security will become a market discriminator. And I'm glad to hear of two things - one, that the reversal rate for multifactor authentication is low. So in other words, when people activate multifactor authentication, they go, I can live with this - because it's actually not that hard. I mean, it's only daunting from the first time you do it. Once you go through the workflow once, it's easy. And the other thing is, I love that people are asking about FIDO authentication. The customers are starting to say, you know what? I need a better form of multifactor authentication from you. And the FIDO Alliance is a great forum and a great method. There's also SQRL out there, which is another way of doing it, built on zero-knowledge proofs. These are very difficult, if not impossible, to intercept and can't be socially engineered. I'm not going to get into the technical details, but there is a secure channel between you and the organization that even if someone is being fraudulent with you, that they can't intercept and understand what's going on. 

Dave Bittner: All right. Well, again, thanks to Mike Slaugh from USAA for joining us. Really interesting conversation. We appreciate him taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.