Hacking Humans 1.28.21
Ep 132 | 1.28.21

Covid has shifted the way we deal with money and increased fraud.

Eric Solis: COVID has just radically shifted the way that the world thinks about contact with money and things that put potential nodes for transferring diseases. And money is one of the filthiest things on planet Earth.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Eric Solis. He's from an organization called MovoCash. And we're going to be talking about the increase of fraud attacks on consumers and businesses and some of the things that are going on in the digital payment world. 

Dave Bittner: All right, Joe. Let's dig into our stories this week. 

Joe Carrigan: OK. 

Dave Bittner: I'm going to kick things off by sharing with you and our listeners that I recently bought a new pillow. 

Joe Carrigan: A new pillow. 

Dave Bittner: I bought a new pillow. 

Joe Carrigan: What kind of pillow is it? 

Dave Bittner: Well, it's a memory foam pillow. 

Joe Carrigan: OK. 

Dave Bittner: Let me just say that I had had an old pillow, of course, as we all do (laughter). And, you know, I think it's a good idea to replace your pillow every now and then because pillows get old and, you know, dirty... 

Joe Carrigan: Gross, yeah. 

Dave Bittner: ...And all that kind of stuff. Yeah. I mean, it's a natural... 

Joe Carrigan: You drool on them all night long. 

Dave Bittner: Yes, I do, certainly. (Laughter) Yes, absolutely, more and more, it seems, as I age. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Got to keep flipping it over to, you know, not have my face in the puddle of drool. 

Joe Carrigan: Not to get to the cool side, to get to the dry side. 

Dave Bittner: (Laughter) Exactly. So - and I was also, I will admit - not to get too political, but I was slightly motivated by the fact that my old pillow came from a company who I no longer wish to support because their CEO is a bit of a wacko. 

Dave Bittner: So (laughter) I decided it was time to get a new pillow. So I did what many people do. And I go on Amazon. And I shopped around for pillows. And as I do when I shop around for anything on Amazon, I looked at the reviews to see what people had to say about this product. And I found a pillow that I thought suited my needs. And so I ordered that pillow. And the next day, the pillow showed up. Amazon did a great job. I'm starting to think, Joe, that there might be an Amazon distribution center in the shrubs out front of my house... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Because of how quickly they're able to get things to you. 

Joe Carrigan: It is amazing how quickly they get things to you. 

Dave Bittner: Right. I mean, I press the button, and it seems like there's a knock on my door moments later that (laughter) the thing is there. So... 

Joe Carrigan: Hey, what took you so long? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I got caught behind the school bus. 

Dave Bittner: So I get this pillow. And I unpack the pillow and take it out of the box. And it's a memory foam pillow. So it takes about a day to kind of reinflate itself, you know... 

Joe Carrigan: Right. 

Dave Bittner: ...'Cause it's all squished up to fit inside a box. But of interest to us is that along with the pillow in the box were two little postcards. One of the postcards I will read to you. 

Dave Bittner: It says, (reading) congratulation. You are the luckiest one to get the bonus. Review us on Amazon. You will get extra $25. How to get the bonus? Send review link and Amazon Order ID to - and then there's an email address. The bonus will be sent to your order address. Please do not share this card in your review (laughter). 

Dave Bittner: And then there's another one, another card that says, try your luck. Redeem online. And it goes to a website that's vipclub.app. Let me tell you, if you go online and you try searching for information about a company that's called VIP Club, it's strip clubs all the way down, Joe. 

Joe Carrigan: Right. I would imagine. 

Dave Bittner: It's strip clubs all the way down, which is a really good thing to be searching for on your work computer... 

Joe Carrigan: Yes, awesome. 

Dave Bittner: ...Let me just tell you (laughter). 

Joe Carrigan: That's great. Thank you for the warning. 

Dave Bittner: (Laughter). 

Joe Carrigan: I was about to hit club and return and see what happened, and I will not do that now. Let me hit the backspace key and take VIP right out of my Google search bar. 

Dave Bittner: (Laughter) Right. So I went to this website, this vipclub.app. And it seems like this is some sort of a clearinghouse for gathering up Amazon reviews. So this got me curious because I suspected that this is against Amazon's terms of service, that you're really not supposed to be out there trying to solicit reviews, offering people money (laughter) for reviews, right? 

Joe Carrigan: Right. I think you can ask for a review, but you can't incentivize it, right? 

Dave Bittner: I think that's right. So I did some digging around, and I found an article here from The Verge. They published this back in October of last year. So it's still, you know, pretty, pretty current. And the title of the article is "Amazon is Trying to Crack Down on Fraudulent Reviews. They're Thriving in Facebook Groups." It's written by Joe Schiffer (ph) over at The Verge. And it turns out there's - not surprisingly, there's a whole ecosystem based around getting fake five-star reviews on Amazon. There are a couple of interesting points in this report that might be relevant to our audience. 

Joe Carrigan: The first point is that in these espionage attacks, 93% of the time the attacker is either state affiliated or an actual state actor. That's in comparison to all the other data breaches, where organized crime is responsible for about 58% of the breaches. They have charts in this report. Organized crime is really looking into making money off these breaches, but the state actors are the ones conducting the espionage report or the espionage attacks in this report. 

Dave Bittner: Espionage is defined as... 

Joe Carrigan: They are either stealing intellectual property, or they're stealing intelligence from government organizations... 

Dave Bittner: Right. 

Joe Carrigan: ...And exfiltrating that data... 

Dave Bittner: So they're after information rather than cash. 

Joe Carrigan: Right, exactly. They're going for... 

Dave Bittner: Yeah. 

Joe Carrigan: It can be corporate espionage, or it can be governmental espionage, you know, the typical thing you think of when you think of espionage. One of the interesting things is that social engineering is very heavily relied upon in these espionage attacks. These attackers directly communicate with their targets in these social engineering attacks, much more so than the criminal enterprises do 'cause they have this kind of tradecraft. 

Joe Carrigan: They also spent some time talking about something called a GIF attack. They made mention about the fact that everybody is working remotely right now. This GIF attack is an attack that occurred on Microsoft Teams. And, yeah, don't send your letters telling me how to pronounce GIF. I'm going to pronounce it GIF... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...With a hard G until the day I die. 

Dave Bittner: Because you're not a monster. 

Joe Carrigan: Because I'm not a monster, right, exactly. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: It's not really a social engineering attack. It's actually a vulnerability in software that, in Microsoft Teams, if you send somebody an animated GIF, then you can actually collect their authentication token through a very complex vulnerability that somebody found in this Teams system. But once you collect that, you can start collecting more of them from everybody's contacts. 

Joe Carrigan: But the interesting thing was, this was really only made possible by the fact that we're all working remotely now, right? So it's interesting that there's this social aspect to this attack that isn't really a social engineering attack, but it is made possible by our behavior. 

Dave Bittner: Why is it only enabled by remote work? Is it just being outside of the protection of a corporate environment? 

Joe Carrigan: Because we're all working remotely, we're all using remote communication tools more. So that increases the prevalence of these tools, which makes the attack surface a lot broader. 

Dave Bittner: I see. 

Joe Carrigan: So now when somebody wants to go and start attacking Microsoft Teams users, it's easier to find the targets. And once you can find one target, you can spread throughout that organization very quickly. 

Joe Carrigan: The Cyber-Espionage Report is available online. It's a good report. Take a look at it. And also, you can take a look at this article from CyberArk. It's an interesting article with a good amount of commentary in it. I liked it. 

Dave Bittner: You know, it's interesting to me because I think a lot of folks, when they hear the word espionage, they think, well, I'm not a spy. Why would they be interested in me? 

Joe Carrigan: Oh, right. No. 

Dave Bittner: There's something to that. You work for a company that has trade secrets or, you know, there's all kinds of information probably in your workplace that somebody is interested in, could be a competitor, could be a nation-state. And even if you're not directly involved with that information, you could be the way they get into the company to get to that information. 

Joe Carrigan: That is absolutely correct. This is one of my biggest talking points when I'm delivering talks - is that, yes, you are a target, and you do have something of value. Don't think that you're not of value or that you're insignificant. You are not. You are a meaningful way to access data, if nothing else, which I don't mean... 

Dave Bittner: You're good enough. You're smart enough. And gosh darn it, people want to hack you. 

Joe Carrigan: Right. 

Joe Carrigan: Thank you, Stuart. 

Dave Bittner: (Laughter) All right. It's a good story. As always, we'll have links to it in the show notes there. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes in the form of a letter from a listener named Jim (ph). And he had a recent eBay transaction that didn't go well for him, so he wrote this letter. You want to read it? 

Dave Bittner: Sure. 

Joe Carrigan: OK. 

Dave Bittner: It says, (reading) longtime listener here, but I haven't heard you guys discuss this particular scam I was a victim of recently. I ordered a portable SSD from eBay a couple of weeks back and received a tracking number from the seller via eBay. The tracking number appears legit in the UPS tracking system, albeit way too heavy at 8.3 pounds. 

Dave Bittner: That's a heck of an SSD. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter, reading) But the delivery day, nothing shows up. I receive many packages on a weekly basis, so it would register on my surveillance camera. Of course, UPS only lets the sender file an issue, not me, and the eBay seller does not return emails. So I requested a refund through eBay, and they are indicating the package was delivered. I have appealed this case, but they're saying it's closed. 

Dave Bittner: (Reading) I believe it to be a seller scam because the seller doesn't respond to any email. Initially, the seller had good feedback, then suddenly the frauds came in. The seller feedback indicates this has happened to at least 10 others. See the attached snippets for some of the feedback. 

Dave Bittner: And Jim was courteous enough to send us a screen capture of that. 

Joe Carrigan: Right. 

Dave Bittner: And he says, (reading) please let others know, as eBay has been no help in this matter. Thanks for all your service to the internet community. 

Dave Bittner: Yeah, that's a tough one. 

Joe Carrigan: Yeah, it is. 

Dave Bittner: What do you think about this, Joe? 

Joe Carrigan: Like you said, Jim sent along some screenshots, and he's got these other complaints in there. So there's a bunch of people out there that have fallen victim to this, at least more than 10, he says. And the screenshots he showed us were pretty clear that - what's going on here. 

Joe Carrigan: I don't know, Jim. Maybe if you have the time, you send a letter to their legal department and say, you know, we have a number of people here who have had fraudulent sales on eBay. And you're not helping me, and I'll bet you're not helping more people. So maybe I just round up a couple of these people and we start a class-action suit, or maybe you help me. Companies hate... 

Dave Bittner: Well, yeah. 

Joe Carrigan: ...Class-action suits. They really do. 

Dave Bittner: The thing that puzzles me is the UPS aspect of this. I mean, we've had stories here before where the scammers have sent out something other than what you were buying, you know? So you would - you know, you'd buy an SSD like Jim here did, and a package would show up. And, you know, inside would be a - I don't know - you know, a candy bar or something, something of no value. But what it does is it allows that sender to say, no, I sent it. Look, here's the receipt. The person signed for it. Here's the - it was delivered. I don't know what they're talking about. And there's a component of that here. 

Dave Bittner: But what I'm wondering is in the UPS tracking information, does it say that it was delivered to his house or to his address? That part puzzles me that there was no package. 

Joe Carrigan: The UPS tracking information does have the delivery address on it. So I would imagine it would be there. But you're right. This is puzzling. There is no package. And he has a camera on it, so it's not like the package was delivered and then picked up by some porch pirate. It's a mystery, Dave. 

Dave Bittner: Yeah, it is. Maybe that's a way to go at it is say, hey, UPS, I need proof that this was delivered 'cause a lot of times UPS will take a picture when they deliver something. And they'll send it to you or - you know, they're documenting stuff like that, too. 

Dave Bittner: I'm thinking of the other way, maybe, to help prevent something like this is, you know, as Jim says, the seller had good feedback initially, but then seemed to have, you know, fraud after that. And I could see someone who was looking to do these sorts of frauds would figure out a way to get a bunch of good feedback to put people at ease. Maybe when you look for the feedback, make sure that the feedback is for the thing that you're buying from them or a similar thing to what you're buying from them. In other words, if you're buying something of high value, don't look for the feedback of something of low value. 

Joe Carrigan: Right. 

Dave Bittner: Right? You know, they sent out - again, you know, they sent me a stuffed animal, and it was great, and I loved it. You know? A $5 thing is different from a $500 thing. But even then, I mean, as - you know, as we've said, people have figured out how to game these systems. So... 

Joe Carrigan: Yeah. And... 

Dave Bittner: ...That's a tough one. I wish we had better answers for it, but at least we can help spread the word about it. 

Joe Carrigan: All in all, Jim is probably not out a lot of money. An external SSD is not - you know, maybe a hundred bucks. So maybe it's not worth your time to write the letter. And maybe you let it go, and maybe that's what the scammers are counting on - right? - you know, that as Americans with a relatively high per capita disposable income, that we won't chase these things down. 

Dave Bittner: Right - hundred bucks at a time adds up. Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: Right. But it might not be worth Jim's time to chase it down. Just write it off and go somewhere else. Yep, yep. Joe, will you send me a hundred bucks? I mean... 

Joe Carrigan: Sure, Dave. 

Dave Bittner: ...It's not that much. 

Joe Carrigan: It's in the mail. 

Dave Bittner: (Laughter) Great. Thanks. I'll look forward to that. 

Dave Bittner: All right. Well, that is our Catch of the Day. Thanks to our listener Jim for sending that in. We would love to hear from you. If you have a Catch of the Day, you can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Eric Solis. He's from a company called MovoCash. They are one of many online cash payment systems that are online that are taking advantage of some of the technologies that are available to securely transfer funds from person to person. And so we had an interesting conversation about the types of fraud that are going on in this ecosystem and how people like him and his company and others are trying to help protect people. Here's my conversation with Eric Solis. 

Eric Solis: There has been a seismic shift in the way that people behave with regard to banking. And so where before digital banking was sort of like an interesting evolution of banking, now it's sort of like - you know, you hear about the kraken right? Sort of like the kraken for banking has been unleashed, in part because COVID has just radically shifted the way that the world thinks about contact with money and things that - potential nodes for transferring diseases. And money is one of the filthiest things on planet Earth. 

Dave Bittner: Well, let's explore this notion of people's relationships with their banks. I mean, I'm imagining if I'm someone - you know, a teenager coming up and I'm just starting my relationship with the banking system, it's probably going to be different than someone older, like me, who grew up going to my local neighborhood branch and keeping track of how much I had in my savings account. 

Eric Solis: You know, you'd think that would be true, but the statistics don't necessarily support that. I mean, yes, there's digitally minded people that are, you know, the millennials and the younger generation. But the fastest, probably, on a percentage basis of adoption of digital financial services, let's call it, digital banking is Gen Xers and baby boomers because they've been slow to adapt, and so consequently, they're playing a little bit of catch-up. 

Eric Solis: But the interesting thing about that demographic is that, you know, it's harder and harder for them to get out of the house. So once they get dialed in to digital means, they consume it, and they consume it in large quantities. That's why Facebook - you know, the average age has gone up dramatically at Facebook. And it's in part because older people, especially senior citizens, they're lonely, their knees hurt, their back hurts. You know, there's lots of reasons why for them to be able to do things that they need to do right from their home and sitting on their - in their La-Z-Boy, it makes a lot of sense. 

Dave Bittner: Well, I mean, there's certainly a proliferation of cash apps out there, you know, yours among them. How do you go about establishing trust with folks that when they're using a service like yours or any of the other ones out there, that it's something that's going to be reliable, that they can count on? 

Eric Solis: In today's world - now I'll flip back and talk a little bit more about the younger generation - they trust technology as much and perhaps more than they trust organizations. In other words, you know, to trust a group of people at, you know, a particular physical location to walk in and hand them money and for it to be properly accounted for requires a lot of trust, if you stop and think about it. Money that's going direct deposit, digitally, directly from your payroll provider to, you know, your digital bank with tracking functions - you know, people surprisingly trust that sort of mode of operation as much or more than they trust the old mode of operation. 

Eric Solis: So things like FDIC insurance and making sure that if, in fact, you're offering FDIC insurance, that you communicate that properly, that the app itself is structured in accordance with PCI and DSS and making that known and clear. 

Eric Solis: But, you know, I think that your point is one that is well-taken. And, you know, I sort of liken it to there was a time when people didn't trust ATM machines. They're like, I'm not using an ATM machine. I mean, they were considered to be these highly unsecure, bizarre machines that were performing work of the teller. But now people think of an ATM as just a normal part of their everyday banking life. And I think we're seeing that same sort of adaption and adoption of digital banking. 

Dave Bittner: But what about protecting people from online fraud, you know, the ability if someone falls victim to something and - the ability to kind of, you know, claw back a payment, if you will. You know, we've heard - on this show, we've talked about, certainly, many people who find themselves just out of luck when something like that happens, that, you know, many of these services, when you're transferring money, when it's gone, it's gone. 

Eric Solis: I think that that's a really great point, that there's a difference between a ledger transaction and a bank transaction. And, you know, whether we're talking about Bitcoin, Ethereum or some other cryptocurrency or Venmo or PayPal or Zelle, there are unique differences, and they all rely on underpinnings for their offering. 

Eric Solis: So, for example, if you're going to go into the crypto space, they're relying on the distributed ledger to make sure that what belongs to you remains your asset and is immutable, given the blockchain technology and the distributed ledger aspect of how that works. If you're dealing in Venmo or those types of ledger technologies, you know, they flat-out tell you, only deal with people you know, family and friends. You know, this is not designed for commercial use. 

Eric Solis: And then there are ledgers that are actually inside of a bank and operating like a bank product. That's what Movo does. Movo has instantaneous settlement in a bank environment, much more like a Zelle transaction. And in that case, then you, again, are relying upon that bank and that Federal Deposit Insurance Corporation to protect the soundness of your money. And if it goes missing, you have recourse back with your bank and if it's covered under a BZ (ph) guarantee or something of that nature. 

Eric Solis: So it's important to understand what, you know, guarantee are you relying on. And some people trust cryptographic money more than they trust fiat currency. And that's their tilt and view of the world, and so you just have to decide, what do you believe, and how do you want to protect yourself? 

Dave Bittner: I suppose, too, I mean, it's probably a red flag if someone that you're dealing with is really trying to push you toward one payment mode or another. You know, if I'm comfortable using a service like yours or one of the others and someone is insisting, no, no, we must use this one, maybe that's a reason to put the brakes on a little bit. 

Eric Solis: Yeah, I think that that's a good call-out. I would encourage your listeners to pay attention to and at least explore and understand what we in the industry call interoperability. And it's not a very consumer-friendly-sounding word. Nonetheless, it's important to understand because, you know, the financial system's much like an interstate highway system. And if you're going to travel from point A to point B, understanding the connectivity of those systems that you need to use to get there - 405 to 5 to 90, 91, east, west, whatever - you know, understanding how you're going to get there makes really good sense. 

Eric Solis: In today's world, there's a lot of that, you know? And the more that you understand the underground infrastructure that you're using to move your money from one place to another, the better protection you'll have because that interoperability is becoming a bigger and bigger force that all of us are contending with to make sure that money is secure, safe and that it gets to its intended destination and without a lot of friction and silos for the consumer. 

Dave Bittner: What are your recommendations for those of us who kind of had that role in the family of looking out for our family, our loved ones, you know, our parents, perhaps? What sort of things should be on our radar in terms of helping them make these sort of transactions safe and secure? 

Eric Solis: I think - and in some ways, tried-and-true - right? - relationships. It's interesting. It connects perfectly to the question that you just asked in terms of if somebody's forcing you to go, you know, one direction or another. If you have a comfort and you've got a relationship with a financial institution, whether it be a brick-and-mortar sort of legacy system or whether you're really comfortable with digital systems and you have a relationship, then rely on that relationship to help you understand the lay of the land, right? Like, pick up the phone. 

Eric Solis: You know, we have what we call MoPros. And our MoPros are really gifted professionals at understanding digital payments, so they can help you unravel or understand what, you know, risks that you might have in a particular transaction and how best to make that transaction end up the way you want it to end up. And they can help you sniff out, at times, some of the areas of potential fraud that you want - may want to watch for. 

Eric Solis: So rely on relationships, seek advice from trusted sources and document. I mean, documentation is a really important part of today's world because a lot of what we're doing happens digitally. It happens behind the scenes. Once you sort of hit the button, all the information is lost into the ether of the internet. So keep good notes. Paper and pencil, you know, still have their place in the world. And document, document, document. 

Eric Solis: And that way, you know, if something does - I'll tell you, when we get called by people that have been defrauded or - I mean, I can think of one guy in particular. I won't go through the whole story. But this guy had the best documentation. He was able to send me documentation, and that guy was protected - bam - and quickly. In other words, he took what could've otherwise taken, you know, us two weeks to unravel, and we did it in 15 minutes 'cause he just documented everything. So that's what I would strongly encourage. 

Eric Solis: And, you know, if you think about it at the corporate level, we tell our people the same thing - document, document, document. You know, make sure that you're - you were tracking everything, you know? And so at the individual level, people need to apply almost a development-type process to their day-to-day lives. And really, at the end of the day, developers like to document. Keep good notes so you know what in the world - why you coded it up the way you coded it up (laughter). 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: That was a good interview, Dave. I enjoyed it a lot. Eric made a couple of good points here. One is that we're not going to our branches anymore. Yeah, I'm not going to my bank right now, Dave. I'm using a lot more of the online features. And people like us are moving more towards the online adoption of these services. And Eric makes a great... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Point - is that the younger generation really doesn't have that much more market growth to do. But our generation, we have a lot of it to do because I've generally been resistant to the idea of online banking for a very long time. But over time, I've kind of moved on, and now I do it. 

Dave Bittner: Right. But for our kids, it's reflexive. 

Joe Carrigan: Right, exactly. I don't know about you, but I was taught at a very young age that physical money is filthy. 

Dave Bittner: Yes, I think I... 

Joe Carrigan: To wash your hands after handling it, all that stuff. 

Dave Bittner: Yeah, I think my - I don't know. I probably had a mouthful of quarters or something and... 

Joe Carrigan: Right. 

Dave Bittner: ...One of my parents said, spit that out. 

Joe Carrigan: Everybody in your house goes, oh, get that out of your mouth. 

Dave Bittner: Oh, spit that out. You don't know where those coins have been. 

Joe Carrigan: Younger people trust technology more than they trust institutions or organizations, and I think that's interesting. I don't really trust either any more than the other, one more than the other. I check everything when I do this. I have little faith in technology that people develop, and I have little faith in people's actions. So... 

Dave Bittner: (Laughter). 

Joe Carrigan: Maybe I'm just a, you know, a grumpy old man, but I'm always surprised when one of these mobile payment systems actually works, right? 

Dave Bittner: Right, right, right. 

Joe Carrigan: Like, I have a - I have somebody I send money to via PayPal from time to time. And when I send the money to him, I always say, let me know when you got that money (laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: And they send me back, hey, thanks. I got it. 

Joe Carrigan: Eric was talking about faith in cryptocurrencies versus fiat currencies. I don't know which one I have more faith in. I think both of them have value. The IRS' stand on this in cryptocurrency is that cryptocurrency is not currency. It's just an asset. That's how the federal government's looking at it. They're not really looking at it as money. They're looking at it as a digital asset that you either receive or give. There is a distinction here. Like you like to say from time to time, this is almost a distinction without a difference, right? If we were paying each other in gold or silver, would that be different? I don't know. 

Dave Bittner: Fiat money and all the cryptocurrencies - it's a shared illusion. It's something we all agree on that have... 

Joe Carrigan: Right. 

Dave Bittner: You and I are going to agree that this piece of paper that has 20 on it is worth... 

Joe Carrigan: Right. 

Dave Bittner: ...$20. 

Joe Carrigan: Right. 

Dave Bittner: And the reason it works is we all agree on it, and there are ways to enforce it to keep you and me from printing new ones on our home inkjet printer. 

Joe Carrigan: Right. 

Dave Bittner: But ultimately, we all just agree to it 'cause it's convenient and it helps make the world move a little easier. 

Joe Carrigan: By the way, you mentioned this, and I don't know that we've ever mentioned this before on this show or even on the CyberWire. But do you know every single inkjet - every single color printer that is available now and has been for a while prints an almost invisible set of dots on every document that it prints that identifies... 

Dave Bittner: Yep. 

Joe Carrigan: ...The make, model and serial number of the printer. 

Dave Bittner: Right. 

Joe Carrigan: It also puts a time stamp in there. They are done with yellow ink, and that's how they can tie somebody printing counterfeit $20 bills, like you were saying. They know exactly which printer printed these things. 

Dave Bittner: Yep, yep. 

Joe Carrigan: So don't print counterfeit money out of your color printer... 

Joe Carrigan: ...For a number of reasons. One, it's wrong. It's illegal. And No. 2, you're probably going to get caught. 

Joe Carrigan: Eric makes an excellent point here about understanding the underlying system of the banking infrastructure that we have. Eric says that from a banking perspective, and that's where he comes from, but I think this has a much broader application in just about everything we do. And my favorite analogy is a car, right? They always say you don't need to know how a car works to drive a car. 

Dave Bittner: OK. 

Joe Carrigan: But my comeback to that is, if you understand the inner workings of a car, it makes you a much better driver. And the same is true for computer systems, for networks - and Eric makes an excellent point here - for banking systems. If you understand how the banking system works, you're in a much better position to protect yourself. And I think that's incumbent upon all of us to learn how this works. 

Dave Bittner: If it gives you that kind of Spidey sense that something might not be right, if someone is trying to take advantage of you. 

Joe Carrigan: One of the things that Eric also touches on in this interview is FDIC insurance. You know that PayPal is not FDIC insured? They're not a bank. They're a payment system. So if you're holding a balance in PayPal, which right now, I think I might have, like, $3 or $4 up there. But you can be holding a lot of money in PayPal or Venmo. And I don't know if Venmo is FDIC insured or not. I didn't look into that. But if PayPal tomorrow becomes insolvent, there is no protection you have about getting your money back like you do with the bank. 

Joe Carrigan: And Movo, which is our guest company - MovoCash is FDIC insured. There are other money transfer apps like Chime that are also FDIC insured. There are actually banks on the back end. And I think Movo may also be a bank on the back end. That offers you much more protection. Now, if this company becomes insolvent and you can't get access to your money, you can file a claim with the Federal Deposit Insurance Corporation and say, that was my money, and they'll pay you back. 

Dave Bittner: One of those things that's worth checking just to... 

Joe Carrigan: Right. 

Dave Bittner: ...Have that extra bit of security. 

Joe Carrigan: Exactly. I mean, PayPal's really convenient, but it is not a bank. It is not FDIC insured. 

Dave Bittner: Right. Interesting. 

Joe Carrigan: Finally, the last thing that Eric says I really liked was rely on relationships, seek advice from trusted resources and document everything. Document, document, document. I would like to hear more about the story that he referenced in here with the fraud on the guy who documented everything. I mean, I'm sure he can't tell us because of the nature of the fraud, but I would love to know that story. I'd love to be a fly on the wall... 

Dave Bittner: Yeah. 

Joe Carrigan: ...In that room. Document everything is a great suggestion. If I ever go back into development, I want to work with the developers that Eric worked with who like documenting their code. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, sometimes you just look at code, and you're like, what does this do? And then there's absolutely no comments in the code. Just like, I just want to find who wrote this and strangle them (laughter). 

Dave Bittner: Right. Well, our thanks to Eric Solis from MovoCash for joining us. We appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.