Hacking Humans 1.7.21
Ep 129 | 1.7.21

Combating growing online financial fraud.


Carey O'Connor Kolaja: This year the growth in fraud has been tremendous because of each of us living our lives - whether we work, we play, we live - online.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carey O'Connor Kolaja from AU10TIX on fraud in the financial services and payment industry and how organizations are using emerging technical solutions to help combat it. 

Dave Bittner: All right, Joe, interesting stories we've got to share this week. I'm going to kick things off for us. This is from the National Law Review. And this is usually a story I'd probably share on the "Caveat" show with my pal, Ben Yelin. That's usually where we get things from the National Law Review. 

Joe Carrigan: Right. 

Dave Bittner: But this has a social engineering angle to it... 

Joe Carrigan: Not very good. 

Dave Bittner: ...And a bit of - well, I guess a cautionary tale. So what they're covering here is that someone got scammed in the course of selling a home, in the process of transferring funds with the title company. You know, when you buy or sell a home, there are, of course, large amounts of money that get sent back and forth, and you have a title company who helps you with that real estate transaction. And as we've talked about here, that is an area that scammers have focused on in trying to grab those funds - hundreds of thousands of dollars, quite often. And this is a case where that happened. A mortgage lender got scammed. Someone used an email address that was one letter off from the mortgage lender's actual email address, and the scammers had gotten the funds. It was $520,000. 

Joe Carrigan: Wow. 

Dave Bittner: Yep. 

Joe Carrigan: That's a lot of money, Dave. That's half a million dollars. 

Dave Bittner: (Laughter) Boy, nothing gets by you, Joe. 

Joe Carrigan: No, man, I'm good at this. 


Dave Bittner: So in this case, over half a million dollars was transferred and taken. But what this story is really about is that the title company went to their insurance company... 

Joe Carrigan: Yeah. 

Dave Bittner: ...And then said, hey; we have a little problem here (laughter). 

Joe Carrigan: Right. 

Dave Bittner: We would like to make a claim on our insurance policy. And their insurance policy had an exclusion for theft, stealing, conversion, embezzlement or misappropriation of funds or accounts. It was in their policy, called the theft exclusion. This was their errors and omissions insurance policy, which is a... 

Joe Carrigan: Ah, OK, errors and omissions. All right - funny that you should mention this. 

Dave Bittner: (Laughter). 

Joe Carrigan: You can buy errors and omissions insurance, and that protects you from liability via insurance in the event that - like, let's say this title company made an error in who it assigned the ownership of the house to, right? 

Dave Bittner: Right. 

Joe Carrigan: Now, the person who thinks they're the owner of the house actually isn't the owner of the house, but it's somebody else. This is kind of a bizarre example here that I'm just coming up with off the top of my head. But... 

Dave Bittner: Yeah. 

Joe Carrigan: A better example would be, if you're a tax preparer - right? - and you make an error on the taxes and the person gets audited and the IRS says, OK, now you owe us, you know, $1,000 in extra taxes, and by the way, you also owe us another $1,000 in penalties and interest, the person who owes the taxes could say the penalties and interest are actually the responsibility of my tax preparer, right? So I'm going to go after him for that. And that's the point in which the tax preparer will go, well, OK, I have errors and omission insurance. This is obviously an error. Let me make a claim on my insurance. 

Dave Bittner: Right. Right. So it's protecting you against yourself. 

Joe Carrigan: Exactly. 

Dave Bittner: An insurance company is willing to, for a fee, protect you against any mistakes you might make. And that's a very common thing, as you say. In business - if you're in business, chances are you have an errors and omissions policy. Like, if you're on a board of directors for a nonprofit, you'll have an errors and omissions policy. It's just standard stuff. When the insurance company said, no, no, we're not going to allow this, the title company took them to court. And it was a New Jersey federal court who decided that, no, the theft exclusion stands, and you're not entitled to insurance money for this. But I think the greater lesson here is that you need to be really careful these days more than ever about what you are covered for in your insurance policies. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: When it comes to a lot of this cyber stuff, it's complex. It's evolving. It's changing. The policies are changing. The fees for things are changing. So it's really important to have an insurance agent that you feel as though you have a good relationship with that you can go through and just ask all those questions. Am I covered for this? Can I get that in writing? Am I covered for this? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Can I get that in writing? 

Joe Carrigan: This is exactly the kind of thing that a cyber policy would cover you against, though. I really don't think this is something that an errors and omissions policy can be reasonably expected to cover. This is not your mistake. This is somebody maliciously going after you. An errors and omissions policy is not designed or priced to protect you against that kind of activity. 

Dave Bittner: Right. Right. I mean, this is as if you had handed over the half a million dollars in cash to the title company... 

Joe Carrigan: Right. 

Dave Bittner: ...The title company locked it in a safe on premises and, in the middle of the night, somebody came and broke into the title company and stole all that cash. 

Joe Carrigan: Yep. 

Dave Bittner: That's basically what happened here, so they should have some sort of theft policy. 

Joe Carrigan: Yeah, that's a physical analog. Exactly. You wouldn't expect errors and omissions insurance to cover you in that case. 

Dave Bittner: Right. 

Joe Carrigan: Why would you expect it to cover you in a case where someone commits an act of cybertheft? I mean, I guess maybe you're saying we made an error in sending $500,000 to the wrong person... 

Dave Bittner: Right. 

Joe Carrigan: ...Rather than the person we should have. 

Dave Bittner: (Laughter) Just a little goof there, yeah. 

Joe Carrigan: Right. But, I mean - but that's - again, that might not be an error. I mean, you're expecting that to happen. I think I agree with this. I think they should have some cyber policy here that would protect them for this. 

Dave Bittner: Right - so interesting case, touches on a lot of things we've talked about. But, again, the lesson here is, just because you think you may be covered for something, it's worth a second look. Just, you know, maybe as a course of your doing your regular business as we're, you know, heading into this new year, it's a good time to have a conversation with whoever takes care of these things for you and just double-check, make sure that you are indeed covered for the things that you believe you are covered for. 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, that is my story this week. What do you have for us, Joe? 

Joe Carrigan: Dave, my story comes directly from Facebook, from a Facebook blog posting over on their news site. And they took action against two groups of "hackers," in quotes - APT32, which is in Vietnam - that's OceanLotus; we talked about them a couple weeks ago with their inauthentic news sites - and then another group based in Bangladesh. The Bangladeshi group targeted local activists, journalists and religious minorities, including people living abroad, to compromise their accounts, or, in some cases, they had their accounts disabled by Facebook. And they did this by abusing Facebook's policy, right? So they had an orchestrated campaign to say that these people either had some kind of alleged impersonation, intellectual property infringements or nudity or terrorism. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And Facebook - if you get enough people saying that, Facebook will just shut your account down. 

Dave Bittner: Right. 

Joe Carrigan: And these people exploited that and said, well, we don't like what this guy says, so let's just report him a bunch of times. And that's what happened. 

Dave Bittner: Gang up on him - yeah. Yeah. 

Joe Carrigan: Yep. This was done by two organizations in Bangladesh - one organization called Don's Team, also known as Defence of Nations, and the Crime Research and Analysis Foundation, or CRAF. And they appear to be operating across numerous internet services. So they're not just on Facebook. They're using other services as well, maybe LinkedIn or Twitter or just email. These two organizations collaborated on Facebook in order to perform these account takedowns. 

Joe Carrigan: But they also hacked people's accounts and their pages and used some of the compromised accounts for their own purposes, including amplifying their own content. And on at least one occasion, they compromised someone's account who was the administrator of a page that they didn't like. So they - as the administrator, they went in, booted all the other administrators and then disabled the page. 

Dave Bittner: Wow. 

Joe Carrigan: So they shut down some content. One of the things Facebook says in this release that they have here is that their investigation suggests that these targeted hacking attempts were likely carried out through a number of off-platform tactics, including email and device compromise or abuse of the account recovery process. So these organizations know who the people are that they're targeting, and they have a bunch of probably open-source intelligence or maybe even some human intelligence on how to get in touch with these people that they're going to victimize here. So they can send an email impersonating Facebook, and then this is a standard phishing attack where I get your Facebook credentials. And I can log in as you and do all kinds of terrible things. 

Joe Carrigan: OceanLotus, however, targeted Vietnamese human rights activists locally and abroad, various foreign governments, including those of Laos and Cambodia, non-governmental organizations, news agencies and a number of businesses across information technology, hospitality, agriculture, hospitals, retail, auto industry and mobile services. That's a broad swath of industries, isn't it? I mean, it's a lot of people. 

Joe Carrigan: Some of the social engineering techniques that OceanLotus used were that they created fictitious personas across the internet, not just on Facebook, and they were posing as activists, business entities. And, of course, they used the romantic lures, Dave, because that's really effective. But I think also very effective is posing as an activist. Nothing makes you, as an activist, more susceptible to paying attention to somebody than finding somebody that agrees with you on just about everything. And these business entities, of course - I think that was an opportunity for people to make a profit, or they were presented with what they thought was an opportunity to make a profit. That's another motivation. So all these are really good ways to get into somebody's head and socially engineer them. 

Joe Carrigan: This is probably the most interesting part of the story here. These efforts often involve creating what they call backstops for these fake personas and fake organizations. These guys went out on the internet and set up websites and other information. They put it out there so that it would appear more legitimate under scrutiny. And Facebook said even their security organization found these things and was like, well, maybe these guys are real, but eventually they realized they weren't. Some pages were designed to lure particular followers for later phishing and malware targeting, which we see a lot. 

Joe Carrigan: They did a few things aside from social engineering. They had malicious apps in the Google Play Store so that they could get a wide range of permissions on the user's device and survey people's devices and get information off the devices. We've talked about this before as well - that when there's an app on your phone, the amount of information that app is capable of sending to people is remarkable. And if it's demanding a lot of permissions, you should probably just not install it. Fortunately now with the later versions of Android, Android tells you, hey; here's a list of things this app is going to want access to. That didn't used to be the case, you know, back when they still had those operating system names like Ice Cream Sandwich and all that. 

Dave Bittner: (Laughter). 

Joe Carrigan: I can't stand that, by the way. I just like numbers for my version. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: But they didn't tell you what you were doing. You had to look at the app once you installed it, or I think before you installed it, you could see - you had to actually take the action. Now the operating system tells you what's going on, which is much better. OceanLotus was doing malware propagation. They compromised websites and created their own. And I think that's referring to the story that we talked about a couple weeks ago that obfuscated malicious JavaScript as part of their watering hole attack to target browser information. It's funny that Facebook points this out because this is kind of exactly what they do as well to track people. 

Dave Bittner: (Laughter). 

Joe Carrigan: People that aren't even Facebook users get tracked by Facebook, which is amazing. One of the things they did was they built custom malware capable of detecting the type of operating system that the target was using and then sending a tailored payload that executes malicious code. They also use file-sharing services that hosted malicious files, which was interesting. Most recently, they were using shortened links to deliver malware. We've talked about this technique before as well. I mean, this group is doing it all. And then they were using dynamic link libraries that were side-loaded on Microsoft Windows. I don't know how that happens technically, but I'll have to look into that one. 

Joe Carrigan: I have one closing point about this, Dave. And Facebook says in the article they've been tracking the action against OceanLotus for several years. That means they've been taking these sites down or these accounts down over and over and over again. And Facebook here hasn't really dismantled anything that can't be rebuilt. In fact, these actors are already back on Facebook probably and using the same techniques to do the same thing over and over again. Facebook didn't change anything fundamentally here. The system is still capable of doing exactly what it was doing before. The only difference is now OceanLotus and these Bangladeshi groups have to go out and create new accounts. And that's not that much of a hurdle. 

Dave Bittner: Yeah. Well, it reminds me of something I've wondered about often, particularly when it comes to Facebook, which I am no longer on... 

Joe Carrigan: Right. 

Dave Bittner: ...Because I'm not a fan, which is - you know, it's not just Facebook. But you'll hear these platforms - you'll say, well, why can't you do a better job of policing this? And they'll say, well, we can't do that at scale. And my response is, well, then maybe you shouldn't do that at all. 

Joe Carrigan: (Laughter) Right. Yeah. 

Dave Bittner: You know? I mean, to me, it's like saying to - you know, you have a factory that's dumping toxic waste into the river, and you say, well, why can't you stop dumping waste into the river? And they say, well, we can't do that at scale. Well, then don't do that at all (laughter). 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Anyway, I admit a little personal bias against Facebook. But it's something that leaves me scratching my head. 

Joe Carrigan: Yeah. If I could quit Facebook tomorrow, I would. I've said that many times as well. 

Dave Bittner: (Laughter) Facebook is the Philip Morris of our age. 

Joe Carrigan: Right, exactly. That is an excellent analogy. 

Dave Bittner: (Laughter). 

Joe Carrigan: The only problem is I don't use it a lot. I'm not on there every day. But I do have the Messenger service on my phone, so in case some relatives want to get in touch with me, they can. That's really the only use case I use anymore on Facebook. But, you know, I can't tell my aunt, who is kind of the matriarch of the family, yeah, I'm switching over to Telegram. She'd be like, I don't know how to use Telegram, and I'm not going to learn how to use Telegram. 

Dave Bittner: Sure. 

Joe Carrigan: Stay on Facebook, Joe. OK. 

Dave Bittner: (Laughter) Yes, ma'am. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: All right. Well, interesting story for sure. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, for our first time, we have a Catch of the Day from me. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: I reeled this one in last night on LinkedIn. I got a connection request. We've talked about how I don't scrutinize my connection requests on LinkedIn as much as I do, say, a friend request on Facebook or a follow on Twitter because it's a professional social networking site. But this one looked a little bit weird to me, and it came from somebody named Mike Steve. And (laughter) actually, I'm going to go ahead and read this today, Dave. I'm going to give you the week off. 

Dave Bittner: All right. 

Joe Carrigan: At the top of his profile, it says, (reading) medical doctor at American Hospital Association. Contact me for your cryptocurrency investment for your extra income. 

Dave Bittner: (Laughter) No red flags there. 

Joe Carrigan: Right. Exactly. That was the first. 


Joe Carrigan: I was like, oh, I think I have a Catch of the Day. And the about section is great. It's fantastic. You ready for this? 

Dave Bittner: Yeah. 

Joe Carrigan: (Reading) As you can see in my profile, my interests range from health care to cryptocurrency and other aspects of investment. I am currently working as a doctor and also cryptocurrency guru. As such, am exposed to many different areas within the discipline from being involved in several research projects that have helped shape the current state of health care as well as contributing to some medical writing and cryptocurrency trading. I believe these experiences have given me a very unique skillset that allows me to be adaptable to any situation that is presented to me. In any job, I will always try and make the best out of the situation to achieve the optimal outcome for all involved. 

Dave Bittner: So how much did you invest? 

Joe Carrigan: Millions, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: Put all my retirement savings with this guy, Dr. Mike Steve. The picture on this profile is a very handsome young man, and he has a stethoscope around his neck, which is the telltale sign that the man is actually a doctor, right? 

Dave Bittner: (Laughter) Yeah, of course. How could you - he's legit, of course. 

Joe Carrigan: His shirt even says Dr. Mike on it. 

Dave Bittner: (Laughter). 

Joe Carrigan: And his name is Mike Steve, which - I've met a lot of people with European names, but I've never met anybody with the last name Steve - Steven, Stephens, yes, but Steve, no. Anyway, this stood out as a red flag. If you do a reverse Google image search on him, his image shows up as all kinds of fraudulent - the image is just a stock photo from marketing. And you can find all kinds of other pictures of this guy. He's a model is what he is. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And somebody is using his account here. I'm going to report this account to LinkedIn. And let me do that right now, as a matter of fact. 

Dave Bittner: (Laughter) All right. Well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Carey O'Connor Kolaja. She's from an organization called AU10TIX. And our conversation focused on fraud in the financial services and payment industry. Here's my conversation with Carey O'Connor Kolaja. 

Carey O'Connor Kolaja: The magnitude of fraud is tremendous. Fraud in general and financial fraud, you know, started almost a thousand-plus years ago, when the first instance was noted of - that someone impersonated somebody else or misbehaved in order to benefit financially from a situation. What we found, Dave, is that in the last, you know, six to nine months, there's been a 300% increase in fraud in general, a majority of that definitely happening in - within the financial sector. And the evidence of that is based on what we're seeing, particularly right now in the U.S. with unemployment fraud, PPP fraud, identity fraud being at the core of all of this. And the growth, you know, is bringing us to a state of where there could be close to $42 billion in fraudulent activity that is committed in 2020. 

Carey O'Connor Kolaja: And one of the big reasons for that is this move to society, and particularly in the COVID age, moving more and more online. And every moment of our lives, whether it's we're looking at our watch or we're logging into our computer or we have a connected appliance in our home, is when we're transferring information. And each time we transfer that information with the endpoint, you know, opens up a potential door for a fraudulent attack. This year the growth in fraud has been tremendous because of each of us living our lives - whether we work, we play, we live - online. 

Dave Bittner: How much of this is opportunistic in terms of coming after folks who may be not their best emotionally? I think we're all feeling a bit frayed around the edges these days from COVID for lots of reasons. And I suspect that makes people more vulnerable, and the bad guys capitalize on that. 

Carey O'Connor Kolaja: It absolutely is the case. You know, as with any human and any of us, we can identify with that. You know, as we have moments of doubt or we're feeling vulnerable or there's a million things in our lives that are created - you know, fragmentation in our mind share - it creates an opportunity to be more vulnerable. And, you know, I can even say is - is myself, when there's a lot of attacks that are happening, you know, within the employer sector. And those of us who use Microsoft-based products, you know, there's, you know, attacks happening where - phishing attempts, where they attempt to be a report from Microsoft of an access to a file that you've gotten. 

Carey O'Connor Kolaja: There are reports of Google even - I just heard this the other day, where people are impersonating that - an individual where they want to share a Google Doc with you on Google Drive, but it's actually not legitimate. And that not being legitimate when you click on it opens up the world to you being attacked. So it absolutely is an issue, and that's one of the reasons why we're seeing an increase in fraud. And it's not just about those people, like you and me, who may be very attuned to being cautious about every keystroke we make as we're online. But there's, you know, a whole population that aren't digitally native, and they're just trying to survive, Dave. And they're trying to figure out a way in which their world can continue to exist in this new normal. 

Dave Bittner: Can you give us some insights on two things? I mean, sort of the - you know, the bread-and-butter fraud prevention that fintech organizations rely on, but then also, where are we in terms of the cutting edge? 

Carey O'Connor Kolaja: Whether it's fintech - I'll say fintech, financial services, within that entire realm - the big trajectory over the last couple years is all around KYC, KYB - so know your customer, know your business. We're now seeing kind of an emergence of know your employee. And the fraud checks that have happened in the past tend to happen up front in the customer journey. So if I want to open up a bank account or I want to open up an account to move money to a friend, a P2P transaction, there is a set of checks and balances that are put in place in order to reassure the institution or that fintech that I am who I say I am. There have been a lot of advances in how do you make that determination - everything from capturing your driver's license or a government-issued ID to checking to see whether you're a live person and if your selfie matches the picture on the ID to triangulating geolocation and behavioral-based data. 

Carey O'Connor Kolaja: But what's really shifted is, you know, these checks don't just need to happen at the beginning of a customer relationship with an entity, whether it's a fintech or any enterprise, but it has to happen in a continuous way. We've seen a lot of childhood identity fraud, where fraudsters will take over an account of someone who's not 18 yet and will exist as that person, and that is not known to that individual until they become 18. And, you know, effectively, they have a whole host of opportunities in front of them and try to go after credit and open up an account. The reality is that we've had to now shift and the whole sector has shifted to - how do we ensure the checks and balances throughout an entire customer journey with any company so that the person on the other end of the transaction is really who they say they are? 

Carey O'Connor Kolaja: And the cutting edge is multifold. When you come into identity fraud, the fastest-growing type of fraud in identity fraud is synthetic fraud. And what synthetic fraud is - is that a fraudster will take fake data and real data and pull it together. And they do it in such a sophisticated manner that the human eye or an algorithm can't detect it. However, what the fraudsters do is they take a template - let's just take an ID of a Nevada driver's license. And they may, you know, keep the right document number that's legit, keep the face on an individual picture on there that's legit, but change the address. They'll change something minor, and it may not be detected. There's a high likelihood it won't. But what they'll attempt to continue to do, whether it's with, you know, the same company or across a series of companies, is use that same template. 

Carey O'Connor Kolaja: And so these patterns and abnormalities that can now be detected with machine-learning techniques, we're able to pick up on and then stop that fraud. But the sophistication, Dave, is unbelievable. You know, when I was 16, I remember those days when my friends would have a fake ID and try to pass it off to maybe, you know, get a little bit of alcohol here and there. 

Dave Bittner: Right. 

Carey O'Connor Kolaja: And it worked, unbelievably. 

Dave Bittner: (Laughter). 

Carey O'Connor Kolaja: But it no longer does. And I'm not going to tell my kids that, nor was I that person who did it. 

Dave Bittner: Of course not. Of course not. 

Carey O'Connor Kolaja: I will not admit to that. 


Carey O'Connor Kolaja: So the shift to continuously verifying, the shift to, you know, detecting synthetic fraud. And then the shift, Dave, to looking at layering different types of defense techniques, depending on the risk of a transaction. So, you know, in a world where I'm applying for a PPP loan, it may not be enough to just submit that who I am and some information about me. But I may also need to submit a year's worth of financial information for my business. Maybe I have to do a selfie check. Maybe I have to share something else. And so these different layers of defense are effectively what's becoming the new norm in the world that we live in. 

Dave Bittner: Are we facing a challenge here of making sure that people aren't left behind, that if, you know, if you're someone who doesn't have the latest mobile device or, you know, the highest-speed internet connection, that doesn't mean that you're not entitled to these sort of protections? 

Carey O'Connor Kolaja: You're asking a question that I've pondered for a good part of my career and am very passionate about, which is - how does technology enable inclusion versus being a prohibitor of inclusion? And, you know, since I started 25 years ago, the world looks very, very different. Ninety percent of U.S. citizens now have an internet connection, at least one digital device, and over 80% of them have actually a smartphone. I mean, the cost of technology has gone down. We've also seen behavior around the world where an individual would rather pay for their mobile service rather than potentially paying for food on the table because it's become such an important part of our day-to-day, particularly in some developing countries where the only way in which money moves is through the ISP providers that are out there, whether, you know, it's in Kenya or other places. 

Carey O'Connor Kolaja: So I share this with you because I actually think it can be an enabler for inclusion. When - you know, the years I've spent looking at financial inclusion, yes, one element of that has been - does someone have access to the internet or to some sort of connected device? But more importantly, Dave, it's about - does the individual have an ID? And is the individual registered or, you know, in the digital sphere? And the reality is that there are 3.2 billion individuals that don't have a digital trail and a billion people who don't have a government-issued ID. And so the challenge with inclusion is - you know, how do we ensure that those people can be included in our, you know, economy as a whole? And, you know, you don't necessarily have to have a government-issued ID if there's other bits of information that prove who you say you are, although we believe that that is the foundation that really links the physical to the digital individual these days. 

Dave Bittner: Yeah, that's fascinating. I mean, I'm trying to envision, you know, back to your point earlier of, you know, walking up to the entrance of that bar or that nightclub and, you know, holding up my phone rather than handing over my driver's license. 

Carey O'Connor Kolaja: Mmm hmm. There is - another big shift we're seeing is zero-knowledge proof, which is the ability to inform a party that you are - let's say, in this scenario - of an age to get into that bar, so that you are an age of 21. 

Dave Bittner: Right. 

Carey O'Connor Kolaja: But doing that without disclosing, you know, my month, my birth, my year, my name. So when you used to hand over that driver's license in order to get into, you know, a bar, we're handing over a lot of information about who we are. 

Dave Bittner: Right. 

Carey O'Connor Kolaja: And it's not absolutely necessary because all you really need to know is, are you of - in my days, it was 18 versus 21... 

Dave Bittner: Right. 

Carey O'Connor Kolaja: ...In order to proceed. And so there are technologies now that are enabling, you know, privacy - so data privacy and consumer privacy - while also enabling access. And the challenge for all of us in the space of fighting fraud and protecting individuals' identities in order to ensure that people can experience and enjoy safer business services, is that we find ways to do that together, which is, you know, all about how do we bring and we unify the sector to fight against fraud because that's exactly how they create vulnerabilities with all of us. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: Interesting interview, Dave. I liked it a lot. One of my favorite things that Carey talks about up front is fraud with a financial motivation is at least a thousand years old, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: I think that that's the oldest evidence we have of it. I'm sure it's older than that, right? 

Dave Bittner: Right. The second-oldest profession. 

Joe Carrigan: Right, exactly. You know, it's just now, instead of looking at it from, you know, me forging documents to say I'm noble or whatever, we're now looking at the same thing but with the Paycheck Protection Program, and people are scamming that rather than trying to scam some lord out of his sack of gold, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Forty-two billion dollars in fraud in 2020 - that's a lot of fraud, Dave. That's... 

Dave Bittner: Yeah. Pretty soon you're talking about real money. 

Joe Carrigan: Yeah, exactly. Dave, good question on the increase of our susceptibility to these kinds of attacks because of the fact that we're all isolated in this pandemic and the mental strain that puts on us. I think that's a good observation. The phishing lure has access to an MS document and Google Cloud Services documents - we've seen this a lot. In fact, we've even seen things where the document itself isn't malicious; it just contains a link to a website, and people for some reason click on it, and that link is malicious. So Google can't even do much outside of maybe examining the link. I mean, then you run into the question of - do I want them doing that to all the documents, right? Maybe I do. I don't know. That's just a question that people have to answer for themselves. Fraud checks happen up front in the customer relationship at banks, right? You know that when you go into a bank, you have to set up an account. 

Dave Bittner: Right. 

Joe Carrigan: And you have to bring in all kinds of documents and everything. I think that Carey is absolutely onto something here when she says, this needs to become something more continuous. It does need to become more continuous. We need to do this on a more constant basis, if not regular. We are hearing again that synthetic fraud is the fastest-growing kind of fraud, and I like how she breaks it down. It's really interesting for me to listen to talk of synthetic fraud. I think it's absolutely fascinating that people can just make people up and play that game for a little while, even getting credit cards and paying off balances, and then trying to get more and more loans and then, eventually, just disappearing with a large sack of cash. 

Dave Bittner: Right. 

Joe Carrigan: And finally, the last thing - she was talking about zero-knowledge proofs. The example she cites here for zero-knowledge proofs is exactly the same example I use when I'm describing zero-knowledge proofs to somebody. The math behind the zero-logic proof is remarkably complicated. And I've actually sat in Matt Green's office and had him explain it to me and walked out of there going, I lack the fundamental understanding - the fundamental information to understand what goes on here. 

Joe Carrigan: I'm not a cryptographer. 

Dave Bittner: Right. Which is what Matthew Green does best. 

Joe Carrigan: Right. 

Joe Carrigan: And it's a really great idea because you can verify information, and you know the information is verified, but you may not even know what the information is, right? And the case in point that Carey makes here is buying alcohol. You need to be 21, but when they say, prove to me you're 21, they say, give me your driver's license, right? 

Dave Bittner: Right. 

Joe Carrigan: Which has so much more information on it that you shouldn't be giving away to everybody. You just need to demonstrate that you're 21, and that's all the person behind the counter needs to know. 

Dave Bittner: Right. 

Joe Carrigan: Anyway, that's also my favorite example for describing zero-knowledge proofs to people. And I think that that's going to have to come up more in banking, where we're saying, yes, this is me, and here's a way for me to mathematically prove it's me without giving you too much more information. 

Dave Bittner: Yeah. All right. Well, our thanks to Carey for joining us. Again, the organization that she represents is called AU10TIX. Check that out if you'd like more information about the things that she and her team are up to. 

Dave Bittner: We want to thank all of you for listening. That is our show. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.