Hacking Humans 7.29.21
Ep 158 | 7.29.21

What are our devices doing to our compassion?


Charles Chaffin: All of that time - and, hence, all of that attention - on these devices, on social media, glued to cable news or whatever it might be, comes at the expense of something.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Dr. Charles Chaffin. He is author of the book "Numb: How the Information Age Dulls Our Senses and How We Can Get Them Back." 

Dave Bittner: All right, Joe, before we dig into our stories this week, a little quick bit of follow-up here... 

Joe Carrigan: OK. 

Dave Bittner: ...From a listener named John (ph). He writes in and says, (reading) hey, Dave and Joe - love the show. Thank you very much, John. 

Joe Carrigan: Awesome. 

Dave Bittner: He says, (reading) I thought your other listeners may benefit from a little trick I use when pulling cash from an ATM. These days, most banks allow you to change your ATM or debit PIN via the app on your phone. What a lot of people might not know is that you can use the new PIN almost instantly. Before I pull out cash, I change my PIN to a random number, then pull out the cash and then change it back to my normal PIN. This might seem like a lot of work, but I'm like both of you, and I don't pull out a lot of cash all that often. 

Joe Carrigan: Right. 

Dave Bittner: (Reading) So this little trick is worth the effort on my part for a little extra security. Keep up the good work - John. Yeah. I mean, why not? 

Joe Carrigan: Yeah. 

Dave Bittner: Just keep - yeah. I mean, basically, he's creating a temporary PIN. 

Joe Carrigan: Right. 

Dave Bittner: So if that ATM has been compromised or if there's a camera set up that's looking over his shoulder... 

Joe Carrigan: Right. 

Dave Bittner: ...That PIN is only going to be good for the brief period of time that he's standing there at the machine before he changes it back. 

Joe Carrigan: Agreed. 

Dave Bittner: I say, why not? 

Joe Carrigan: I say, why not, too. 

Dave Bittner: It's worth putting in the extra effort. 

Joe Carrigan: If you want to do that, that would be a great idea. It's not something I'm going to do. I don't - first off, I don't use any banking apps on my phone, so... 

Dave Bittner: Oh, OK. 

Joe Carrigan: That's No. 1. I also don't go to the ATM very often at all, you know, like John says. 

Dave Bittner: Yeah. 

Joe Carrigan: So maybe - you know, maybe I would, but I still don't have a banking app on my phone. 

Dave Bittner: Yeah. I guess I would test it first. 

Joe Carrigan: Right. 

Dave Bittner: You know, to be - maybe use it at a time when it's not critical that you get the money... 

Joe Carrigan: Right. 

Dave Bittner: ...Because what if your bank is one of the ones that - it doesn't happen instantaneously? 

Joe Carrigan: Yeah. 

Dave Bittner: You'd be standing there. 

Joe Carrigan: That's a good point. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, you should definitely test this before you do it. 

Dave Bittner: Right, right. 

Joe Carrigan: But if it works, it works. And, yeah, I have no problem with this. I think it's a great idea. If this is a level of security you want to do, it's not a bad idea. 

Dave Bittner: Yeah. All right. Well, thank you, John, for sending that in. Let's move on to our stories this week. I actually have a twofer this week... 

Joe Carrigan: Oh, OK. 

Dave Bittner: ...Joe, because both of my stories are on the short side. So I thought I'd double them up. The first one is just a link to a service that someone sent us. It's called shouldiclick.org. And this is actually the result of a master's thesis project... 

Joe Carrigan: Really? 

Dave Bittner: ...Of a student. Yeah, I don't recall what university it was. I know it wasn't Hopkins, so, you know... 

Joe Carrigan: Oh, too bad. 

Dave Bittner: (Laughter). 

Joe Carrigan: This would have been a great research project - a capstone project for one of our master's students... 

Dave Bittner: There you go. 

Joe Carrigan: ...In the MSSI program. 

Dave Bittner: So - right, right. Ding, ding, ding, ding, ding. 

Joe Carrigan: Right. 

Dave Bittner: So basically, this is - this website is pretty much what it sounds like it is. You can paste in a URL of something that you think is suspicious, and then it runs it through several different levels of analysis, comes back and shows you what it can gather from remotely scanning the URL, gives you a picture of the website that you would have gone to had you clicked through and basically tells you what percentage of certainty should you or should you not click on this link. I went ahead and tested it with a couple of things. I went through my spam box... 

Joe Carrigan: OK. 

Dave Bittner: ...And found, oh, you know, something for - get a loan, you know, low rates and... 

Joe Carrigan: Viagra. 

Dave Bittner: ...That sort of thing (laughter). I didn't - yeah, I didn't - actually, I didn't see any Viagra stuff... 

Joe Carrigan: Really? 

Dave Bittner: ...In there. That would have been a good one. But - and the first one I put in there came back and said, you should not click on this. There's a 75% chance that this is an evil twin scam... 

Joe Carrigan: Right. 

Dave Bittner: ...Which is where someone's impersonating a legit website to gather your information. The other one I saw was one trying to get people to click through, saying that they've been - that their information has been used to get unemployment benefits from, in my case, the state of Maryland, which is where you and I both live. 

Joe Carrigan: Right. 

Dave Bittner: I click through on that, and - same thing. It was an evil twin scam website, wasn't a real thing. So... 

Joe Carrigan: You didn't click through. You actually entered... 

Dave Bittner: Yeah, that's correct. 

Joe Carrigan: ...The URL into... 

Dave Bittner: Yes. 

Joe Carrigan: ...Shouldiclick.org. 

Dave Bittner: I put it into shouldiclick, let the - let it do its thing, run it through its analysis and came back. So... 

Joe Carrigan: And said don't click. 

Dave Bittner: Yeah. 

Joe Carrigan: OK. 

Dave Bittner: So just, you know, anecdotally - I can't say I spent a whole lot of time on this, but it seems to be a legit tool from folks doing legit things. They have an API, and they seem pretty straightforward about what's going on under the hood. So check it out. It's shouldiclick.org - seems like, if nothing else, a fun little tool to play with. 

Joe Carrigan: Right. 

Dave Bittner: My second story this week comes courtesy of Rachel Tobac, who we've had on our show many times. She, of course, is a champion social engineer at DefCon. 

Joe Carrigan: Yes, multi-time champion. 

Dave Bittner: That's right. 

Joe Carrigan: Like... 

Dave Bittner: That's right. 

Joe Carrigan: I don't think she even competes anymore because of how good she is. 

Dave Bittner: She's just that good. It's not fair to the other contestants (laughter). 

Joe Carrigan: That's right. 

Dave Bittner: So - and we've had her on this show multiple times, and I'd - safe to say she's one of our favorite guests. 

Joe Carrigan: Yes. 

Dave Bittner: She posted a thing on Twitter. And before I get to this, let me just ask you, Joe. What percentage of Twitter users do you think have enabled multifactor authentication? 

Joe Carrigan: Hmm - of any kind of multifactor authentication? 

Dave Bittner: Any kind of multifactor authentication. 

Joe Carrigan: I'm going to say the number is low and go with 15%. 

Dave Bittner: Fifteen percent - all right. 

Joe Carrigan: That's my guess. 

Dave Bittner: That's a good guess. So listeners out there, come up with a number in your own mind. Twitter actually released a transparency report, a transparency security report, so hats off to them for that. And the actual number of two-factor authentication usage of Twitter users is 2.3%. 

Joe Carrigan: I was way overbidding. 

Dave Bittner: And you thought 15 was low. 

Joe Carrigan: I did. I did. 

Dave Bittner: (Laughter) Right? Right? 

Joe Carrigan: I'm glad to see that I'm in a small minority here. 

Dave Bittner: Yeah. Yeah. So I was a bit surprised by this. 

Joe Carrigan: I am, too. That is very low. 

Dave Bittner: Yeah. Twitter goes on to say that actually that's an increase of just over 9% from the previous year. And they say that of that 2.3%, the majority of them use SMS - about 80%. 

Joe Carrigan: OK. 

Dave Bittner: Thirty percent use an authorization app, and 0.5% use a security key. 

Joe Carrigan: That doesn't surprise me because a security key has a barrier that the other two don't have, and that's an additional cost. 

Dave Bittner: Mmm hmm. That's true. 

Joe Carrigan: When I bought my YubiKeys, I had to pay 50 bucks apiece for them. 

Dave Bittner: Right. 

Joe Carrigan: So, you know, maybe a security app is a better, more cost-effective tool for securing your Twitter account. 

Dave Bittner: Yeah. Well, Rachel goes on - she has a whole thread on Twitter that we'll have a link to here in the show notes. And she goes on to - with her own thoughts and observations and insights on this, but then she goes on to say that you would imagine that for developers themselves, that number would be a lot higher. 

Joe Carrigan: I would hope. 

Dave Bittner: Those of us who are in - so once again, I'm going to ask you to guess. For the de facto JavaScript package manager - it's called NPM; it is the largest package repository on the internet - what percentage of folks who have accounts on NPM, what percentage there do you think are using two-factor? 

Joe Carrigan: Now, before I answer this, are they - are you saying these are - this is like a code - like, something like GitHub for JavaScript? 

Dave Bittner: Yeah, I think so. 

Joe Carrigan: And people can upload their own code to this, right? 

Dave Bittner: Yeah. 

Joe Carrigan: OK, so... 

Dave Bittner: These are developers who are, you know, folks who are actively in the JavaScript development world. 

Joe Carrigan: They're not just using their account to download scripts from... 

Dave Bittner: I don't know, Joe. I don't know. 

Joe Carrigan: OK. 

Dave Bittner: But let's just say they have greater - seemingly, you would assume - greater knowledge than your mere mortal out on the street when it comes to security things by the fact that they're interested in... 

Joe Carrigan: I'm overthinking this. 

Dave Bittner: ...A JavaScript package manager. Yes. Imagine that, Joe (laughter). 

Joe Carrigan: (Laughter) Yep. Imagine me overthinking something. I'm going to go with the wisdom of crowds and say they're also at around 2.5%. 

Dave Bittner: OK. All right. 

Joe Carrigan: That's my guess. 

Dave Bittner: They're at 9.27%. 

Joe Carrigan: Oh, they're a little bit higher. 

Dave Bittner: Yeah, but still below your original guess of 15%. 

Joe Carrigan: Yep. My 15% was still an overbid. 

Dave Bittner: This is still much lower than I would have thought. 

Joe Carrigan: Four times more likely than the general population to use multifactor authentication. 

Dave Bittner: But still pathetically low. 

Joe Carrigan: But still less than 10. 

Dave Bittner: Right. Right. So the question here, I think, is, why so low? And what do we do to get it higher? What do you think? 

Joe Carrigan: What do we do to get it higher? I mean, you and I have been shouting from the mountaintops that multifactor authentication is the one single thing you can do to protect your accounts and your enterprise and everything from phishing attacks and from credential harvesting attacks. 

Dave Bittner: Right. 

Joe Carrigan: It makes the penetration - even just by adding the SMS feature. If you have an account where the website only offers SMS features, it makes the process of breaking into your account exponentially more difficult. I don't know how else we can say it - I mean, maybe a public education campaign, something. I don't know. 

Dave Bittner: What if the platforms started requiring it? 

Joe Carrigan: If the platforms started requiring it, that would be great. 

Dave Bittner: Yeah. Like, I think Google is starting to require it for some of their developer accounts. 

Joe Carrigan: Oh, good. 

Dave Bittner: I think. Yeah, I'm pretty sure I saw that. I think it was Google. 

Joe Carrigan: You know, I think if you're talking about developer accounts, you're talking about accounts with, like, super-user access, then I see no problem in mandating or requiring multifactor authentication. And if I'm talking about that kind of multifactor - or that kind of access, then I'm going to say, and you can't use SMS. You have to use either an authenticator app or a hardware security token. 

Dave Bittner: Right. Both of which Google offers. 

Joe Carrigan: Right. 

Dave Bittner: So yeah, yeah. Yeah, I mean - well, yeah, it's interesting to think what if more places required it. And we simply said in the same way that, you know, there was a time when having a username wasn't enough. You needed to have a username and a password. 

Joe Carrigan: Right. 

Dave Bittner: Well, now, what if we just said, you know what? A username and password isn't enough. You have to have username, password, second factor. But, of course, that introduces friction. And so the mass market providers don't want to increase friction because that will mean fewer people will use their platform. 

Joe Carrigan: Yes. 

Dave Bittner: Yeah, yeah. All right, well, some surprising numbers there. We'll have a link to both the report from Twitter, that security transparency report, and also this thread from Rachel Tobac. She's @RachelTobac on Twitter. That is definitely worth a read there as well. And again, appreciate Rachel bringing this to everyone's attention and certainly caught my eye. 

Dave Bittner: So that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Mary Jo Schrade. She is the assistant general counsel and regional lead for the Microsoft Digital Crimes Unit, Asia - big name here. 

Dave Bittner: Yeah. 

Joe Carrigan: And Microsoft gets about 6,500 complaints a month about tech support scams. So that's a decrease in tech support scams of about half, right? It's been cut in half. But these scams are adapting. Microsoft actually commissioned a survey, a global survey across 16 countries. And there were some interesting results from this. About 3 out of 5 consumers had encountered a tech support scam in the last 12 months. Dave, have you encountered a tech support scam in the last 12 months? 

Dave Bittner: I don't - not that I specifically can recall, but I would say I probably have above average filtering and shields so that I wouldn't even see something like that. 

Joe Carrigan: Right. Probably true of me as well. 

Dave Bittner: Yeah. 

Joe Carrigan: I haven't been targeted by one of these, or at least I don't think I've been targeted by them. 

Dave Bittner: Right. 

Joe Carrigan: I may have been targeted by them and just ignored them. 

Dave Bittner: I bet you if I went through my parents' email, I bet you I'd find one. 

Joe Carrigan: Right. One out of six consumers was tricked into continuing with the scam. Now, that often led to them losing money. But sometimes they realized, oh, this is a scam, and they terminated it, and they were done. But they did continue with the scam. They engaged with these people. And something bad could have happened, and sometimes it did. Interesting. And we've talked about this before, but millennials and Gen Zers, who are categorized here as 24 to 37 and 18 to 23 respectively, had the highest exposure to tech support scams. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's partly due to the changing way in which they're coming at it, which we'll get to in a minute. 

Dave Bittner: OK. That surprises me. That's not intuitive. That - I wouldn't have expected that. So I'm interested to hear what you have to say about that as we go along here. 

Joe Carrigan: OK. Well, we'll get to that in a minute. I'm just going over the highlights right now. 

Dave Bittner: Yeah. 

Joe Carrigan: But 1 out of 10 millennials and Gen Zers that encountered a scam fell for it and lost money. And that's a lot higher than the older population. And we've talked about this before as well - that when an older person is targeted for a scam, they're less likely to fall for it. A younger person is actually more likely to fall for it. The impact, however, of falling for a scam for an older person is much, much larger. And this study doesn't address that, but we have other sources we've cited before that talk about that. Among those who continue with the scam, the most common issues experienced during the interaction was computer problems. Of course, these guys are just going to - you're giving them access to your computer, so they're going to do all kinds of bad stuff. 

Dave Bittner: Right. 

Joe Carrigan: Followed by compromised passwords and then fraudulent use of credit cards or debit cards. 

Dave Bittner: OK. 

Joe Carrigan: Here's the interesting part of this story, I think. The tech support fraud has evolved from being a pure cold-calling technique to more sophisticated infrastructure. And they're using affiliate marketers. And these people develop professional-looking pop-ups to customers, prompting them to contact fraudulent call centers. They're also using email. But one of the other things you're using is search engine optimization. So they're popping up more in search engines, higher up in the results. So you're more likely to click on it. 

Dave Bittner: And what's interesting about that is if I'm someone who's looking - like, I do a Google search for Microsoft tech support because I legitimately have a problem. If these scammers through SEO can get their... 

Joe Carrigan: Right. 

Dave Bittner: ...Fake numbers high enough in the search, that means a certain number of people are likely to believe that that's a legit search result and click through. 

Joe Carrigan: Right. Now, here's what you were looking for. One of the reasons that the younger generations fall for these tech support scams is because they are more likely to engage in risky online behavior. And they're also more likely to overestimate their abilities with respect to using computers and the internet. By engaging in risky activities, we're talking about, like, going to torrent sites, going to file-sharing sites, going to other sites where you can get stuff for free or sideload applications. Those are just bad ideas all around. But as soon as you go there, you're going to hit one of these malicious ad networks that's going to send you to a very professional, good-looking site that's going to say, hey, you have a virus and you should call Microsoft. 

Dave Bittner: Right. 

Joe Carrigan: And you call that number, you're going to be directed directly to a fraudulent call center somewhere. 

Dave Bittner: Yeah. 

Joe Carrigan: Some interesting statistics are in the report, the actual report. This is the - there's a link to the report in the article. We'll put a link to the article in the show notes. The biggest increase, the biggest market share increase for these malicious actors occurred in India, where the percentage of people who continued and lost money went from 14% to 31%... 

Dave Bittner: Wow. 

Joe Carrigan: ...Which is impressive. They doubled their output in India. Other places, they're losing market share. In the U.S., they also increased their go-through time - you know, their go-through success rate, their follow-on success rate, going from 6% to 10%. So they're becoming more convincing. Some countries, they actually lost market share. Like, in Germany, they lost about 20% of their market share. In the U.K., it's really down. They went from 6% to 1%... 

Dave Bittner: Interesting. 

Joe Carrigan: ...Of people who continued and lost money, which is interesting, I think. The U.K. has done a really good job of that. On average, those who fell victim to a scam lost about $200, which is about par for the course, which is something we see. Quite a few victims lost thousands. One of the other things the scammers do is they will also install malware on these people's computer, allowing them to maintain the access. 

Dave Bittner: Right. 

Joe Carrigan: So this is - they're not just getting your credit card number, charging you for fraudulent services and then leaving. They're maintaining their access because that also has value. And if you've given somebody, a malicious actor, access to your computer, why wouldn't they install it? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Why wouldn't they install a back end - a backdoor on this? 

Dave Bittner: Yeah. Yeah. Yeah. They put things like cryptominers on and keyloggers and all sorts of bad things. 

Joe Carrigan: Sure. 

Dave Bittner: Yep. Yep. 

Joe Carrigan: So it's a good report. It's a good article. The article provides a brief overview. The report provides a lot of interesting, in-depth statistics, with a lot of really good-looking graphs. Nice job, Microsoft. Thank you very much. 

Dave Bittner: All right. Well, those are our stories for this week. And we will have links to all of the stories over in our show notes. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from DoNoEvil on Twitter, who tagged us in a post that he made - a tweet, I guess they call it - the kids call it these days. His handle is @DoNoEvilMan. He posted a picture of a scam email he received. Dave, you want to take it? 

Dave Bittner: Sure. It goes like this. Dear beneficiary, I received a transfer instruction from the United Nations bond with the Federal Bureau of Investigation, ordered this office to pay 150 victims of scam 5 million United States dollars each. You are listed and has been approved for this payment as one of the scammed victims to be paid this amount. However, we have received a notice of change of account from your representative, Mr. Julius Fletcher, yesterday. In respect to the account received from him, we wish to confirm with you before we proceed with the transfer of your compensation payment to the new account he provided. Kindly confirm the below new bank account as valid and endorsed by you for the wire transfer. The transfer will take place immediately. You confirm the authenticity of the new bank account information provided by your representative, Mr. Julius Fletcher. Yours truly, Mr. Jerome H. Powell, chairman, Federal Reserve Bank. 

Joe Carrigan: So let me get this straight, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: The Federal Reserve has been tasked with handing out $5 million payments by the FBI. 

Dave Bittner: Right. And you know who at the Federal Reserve is the guy who's actually sending out the emails? 

Joe Carrigan: Who? 

Dave Bittner: Chairman Powell... 

Joe Carrigan: Right. 

Dave Bittner: ...'Cause what else does he have to do? 

Joe Carrigan: Right. 

Dave Bittner: He's just sitting around in his office all day. 

Joe Carrigan: He doesn't have to, you know, monitor all kinds of financial stuff. 

Dave Bittner: No, he's sitting there twiddling his thumbs, you know? 

Joe Carrigan: Right. 

Dave Bittner: So he's the guy, right? Absolutely, makes total sense. 

Joe Carrigan: Also want to talk about the social engineering aspect of this. 

Dave Bittner: Yeah. 

Joe Carrigan: They're trying to say you're a victim of a scam, and we're trying to refund you your money, right? And then they actually provide you with a set of banking information. I don't know if this is actually Bank of America's routing number, but it's interesting that - it looks to me like they're trying to get you to write back and go, no, no, no, no. Here's my banking information. 

Dave Bittner: Right, right. 

Joe Carrigan: Right. 

Dave Bittner: Don't send it to the wrong place. 

Joe Carrigan: Right. 

Dave Bittner: I want my $5 million. 

Joe Carrigan: Yeah. 

Dave Bittner: 'Cause why not, right? 

Joe Carrigan: Right. 

Dave Bittner: Why not? 

Joe Carrigan: Right. 

Dave Bittner: Roll the dice. Maybe you'll get $5 million. But of course, in this case, the money will be - the money in your bank account will be flowing in one direction and one direction only. 

Joe Carrigan: Yeah. And that is away from you. 

Dave Bittner: That's right. That's right. All right, well, our thanks to @DoNoEvilMan for sending this to us. It's another fun one. We would love to hear from you. If you have an interesting scam that you would like us to include in our Catch of the Day, you can email us. It's hackinghumans@thecyberwire.com. Joe, I recently had the pleasure of speaking with Dr. Charles Chaffin, and he is the author of the new book "Numb: How the Information Age Dulls Our Senses and How We Can Get Them Back." Here's my conversation with Dr. Charles Chaffin. 

Charles Chaffin: My research area is attention. And so I started looking at basically how we teach and process complex tasks. And as time went on and we kind of have gotten deeper and deeper into this information age, I started to get a number of questions relative to attention. So certainly, we're living in an attention economy where our attention is being pushed and pulled in lots of different directions by devices and by this information age. But I also started thinking about one of the probably 12 highlight areas that are part of "Numb," and that was about compassion. And I started thinking about the daily onslaught of breaking news and sensationalism that highlights the suffering of other people. And I started to wonder about how that was impacting me in my own life, in terms of compassion for those closest to me. So, you know, if I'm seeing people suffering on TV all the time and hearing about it on social media or whatnot, is that dulling my senses when it comes to the suffering of people closest to me or the homeless that live - you know, that are nearby and whatnot? And then it's kind of evolved since then in really trying to do an introspection of the information age and how we can manage it without, you know, a dopamine fast or something like that. 

Dave Bittner: Right. Where do you suppose we find ourselves when it comes to people's relationships, I'm thinking particularly with their mobile devices and online platforms like Facebook, like Twitter, like Instagram - you know, the place that those have taken in our lives and how they affect our ability to focus? 

Charles Chaffin: Yeah, it's a serious challenge. You know, and you're looking at, you know, at a 30,000-foot level, if we are on our devices for three, four, five hours a day and we're on social media, a big component of that - you know, given the role of attention in our lives where, you know, we all think we can multitask, but essentially we can't, right? We have - our brains have not had an update for, you know, 10,000 years, right? You know, they're designed for hunting and gathering, right? 

Dave Bittner: Right. 

Charles Chaffin: And so all of that time and, hence, all of that attention on these devices, on social media, glued to cable news or whatever it might be, comes at the expense of something. And I think we're getting to a point now where we're really starting to see these byproducts happen. Surely, we're seeing it when it comes to elements of tribalism and confirmation bias that's happening in our - kind of in our entire political culture. I think we're also seeing it when it comes to things like FOMO. And we're seeing it when it comes to, you know, maybe a realization, maybe not that these experiences that we're having via our devices aren't authentic. They're what a lot of people write as processed experiences, right? And so these byproducts, I think, are becoming a larger and larger and it's becoming a bigger and bigger problem. And I hope that this book will at least offer folks the opportunity to reflect on the time and attention that they're devoting to these devices and say, is this working for me or is it not? And the book is designed to hopefully offer some suggestions to fix it. 

Dave Bittner: You know, it seems to me like one of the issues here is that these companies and I suppose some of the, for example, cable news, you know, they figured out how to press those buttons in our brain. They figured out how to give us that little - that charge of whatever it is that makes us want to stay engaged. And as you say, you know, the FOMO element is there as well. It's - it almost makes me think as though it's not a fair fight. 

Charles Chaffin: It isn't a fair fight. And it's, you know - and to be clear, you know, there's nothing wrong with cable news, you know, wanting ratings. And there's, you know, in a large part, it's - the whole notion of capitalism and platforms wanting, you know, to deliver as many users to marketers as possible, that's the nature of capitalism. So, you know, I want to be clear that we're not - you know, I'm not railing against that. However, what I hope that people are saying is looking at it, looking at all of this with a more critical eye. So when it comes to breaking news, you know - and there's another area for dopamine, right? I mean, our brains are designed to detect threats - right? - going back to, you know, 10,000 years ago when we saw the lion, right? You know, breaking news - there's a lion 10 yards from you (laughter). 

Dave Bittner: Right. Right. Right (laughter). 

Charles Chaffin: You know what I mean? And so we - basically, it plays on that. And, you know, to say, oh, you know, is the world ending in two hours? Well, come back after this and we'll tell you. You know, and you come back and, you know, they've moved on to something else. But if we can look at it with a critical eye and say, OK, what's the motivation of the information source, whether it's clickbait or breaking news or whatever it might be or it's, you know, push notifications and the dopamine loop that comes from social media or even dating apps like Tinder - if we can look at it with a critical eye and say the motivation that they have is not necessarily to inform us, is not necessarily to be a pathway to authentic experiences, but it's to keep us on. And if we can look at that with a critical eye, hopefully we can manage it without it managing our attention. 

Dave Bittner: Can you differentiate for us what exactly do you mean when you describe an authentic experience? 

Charles Chaffin: So I differentiate in the book between what's processed and what's authentic. So in a processed experience, it's, you know, watching YouTube videos, right? It's an experience that's been captured by someone else. And I'm watching that. And I'm spending - I'm devoting my attention or resources to that. An authentic experience is one where I'm not observing someone else perform it, but I'm actually doing it myself, right? I might be - as something as simple as time with a friend or, you know, walking through a field of clover, if we're going to be so romantic - right? - or something like that. But I'm not living it through the lens of a social media platform or whatnot. But it's sensory, right? It's a sensory experience in and of itself. 

Dave Bittner: What are your recommendations that you make in the book for folks to get a better handle on this, to better, you know, organize their lives, to have more balance? 

Charles Chaffin: Yeah, you know, I interviewed 62 therapists and researchers for this book to answer that question. And I think it comes down to a couple of different things. The first is the question I think all of us have to ask is - and we've kind of alluded to this already is - is the technology that you're using and all the information that goes along with it - is it a pathway to something greater, to authenticity, to productivity, to engagement, or has it evolved into a destination in and of itself for you? You know, is social media just this a destination point where you're spending most of your time or, you know, your attention even when you're with other people, you're, you know, at dinner, but you're looking at notifications on Instagram or whatever it might be. So that's the first element. 

Charles Chaffin: I think the second element really gets into this idea of I think about this attention economy and attentional spending, right? So are we spending our attention on things that are worthwhile to us? You know, are we finding that, you know, in two or three years, you know, our careers haven't evolved the way they wanted, our relationships haven't gone where we would like them to go, whether it's with our families or our partners or our spouses, or we're not having those authentic experiences, or we're altering some of our own experiences for the sake of what I call attention panhandling - right? - meaning, you know, well, I want to do this Instagram - I, you know, want to post things on Instagram that are interesting, so instead of going on this vacation that I really want to go on, I need to go, you know, climb a cliff or something 'cause this will be really good shots for my friends. 

Dave Bittner: (Laughter) Right. Right. It's much more photogenic. Yeah (laughter). 

Charles Chaffin: Exactly. Exactly. 

Dave Bittner: Yeah. I mean, you know, there's this saying that I really like, sort of - I guess it's a cautionary saying, which is that, you know, be careful - be mindful that on social media, it's so easy to compare your behind-the-scenes with someone else's highlights reel. 

Charles Chaffin: Yeah. You know, you've got - you basically have this - it's a - it's the worst-case scenario in a sense that so many of us, you know, curate our lives for the sake of social media. You know, we want to post these great things, and we want to have filtered photos and all those different things. But at the same time, we don't realize that others are curating their lives as well. 

Charles Chaffin: And where this becomes a really serious issue is when we start engaging people on social media that we don't know - right? - because then we start to say, OK, well, you know, it's a rainy Monday morning, and I'm on my way to work, and I go on to Facebook and I see, you know, John Smith. And look at John Smith. He's got, you know, this great vacation. He's always on vacation. He's got this... 

Dave Bittner: Right. 

Charles Chaffin: ...Great rental car, and his, you know, his significant other looks great. And look at me. Look what I'm doing. But they don't know John. Then they start to, you know, start to say, well, you know, it's an element of FOMO, and it's a comparison of - it's a false comparison. But if you know the people that you're engaging - right? - you know, Uncle John - you know, Uncle John posts all these same pictures, but you're like, well, you know, I know Uncle John. I know Uncle John's life, and I know the issues that he has. And so there isn't a false comparison. There's more of a - it's more of a reality check and whatnot. 

Charles Chaffin: And so what tends to happen when it comes to this idea of comparison - you know, we talk a lot about choice architecture, right? You know, we might have 30 or 40 options, but through choice architecture, we can narrow them down. The problem here, when we start engaging in comparing with others we don't know, is actually the opposite. We start questioning our past choices. We start saying, was it the right career decision? Is it the right spouse? Am I living in the right place? Which just - it opens up a can of worms that's really problematic for a lot of us. 

Dave Bittner: Is cold turkey the solution here? I mean, should we dump these apps from our phones? Or is there - do you have tips for folks to moderate their usage of them? 

Charles Chaffin: I think it is about moderation. You know, I know a lot of people have written about dopamine fasting and, you know, cutting off. It's just not realistic. I think that, you know, there are things that we want to share. And there's nothing wrong with sharing if we're using social media, for example, with - to strengthen our existing relationships, right? 

Charles Chaffin: So, you know, there's a phrase called Dunbar's number, which basically says, you know, we have a capacity of about 150 people to have relationships, right? So, you know, we can think about, OK, who are the people we really want to engage on social media, you know, whether it's family or whatnot that are far away and we want to share certain things with them? That's OK, right? And maybe you share things, and then you delete the app and bring it back on when you share things - or not even use the app. Maybe you just use the desktop version a couple of times a week, right? So I think that's one of the elements. 

Charles Chaffin: When it comes to, you know, news and information and whatnot, really, there's an element of transparency that - when we think about the sources of information that we have. You know, is this a viable source? You know, and a lot of people talk about, well, I need to hear from both sides of the political spectrum. Well, if they're both opinion sides, you know, that may or may not be useful for you to be a well-informed individual. But is this a reputable source? What's my diet when it comes to news and information? Or am I just getting it from social media and sources that aren't viable? 

Charles Chaffin: And then finally, I would say there's an element of choice overload that we tend to have with lots of different things - right? - whether it's shopping online or whether it's - you know, I have a chapter on Tinder that looks at, you know, choice overload when it comes to potential mates, right? And if we can begin a process where - you know, there's two different terms that we have in choice, which is, you know, you either are a satisficer or a maximizer. You know, satisficers basically are people who - they say, I need this; here's what I'm willing to spend to get it. And when they find it, they get it, and they move on, right? So if I'm - you know, if I'm shopping for a dishwasher, I have my budget, I know what it needs to have. I go to the store. It has those things, I buy it. I'm done. 

Charles Chaffin: Contrarily, a maximizer basically says, I want to look at all the options. I want to meet all the people on Tinder that could be a potential mate, and then I'll decide, right? 

Dave Bittner: Right, right. 

Charles Chaffin: Which, of course, is a fool's errand in and of itself. And the bigger issue is that, first of all, not all the information we find online is reputable, right? If we're reading comments about a dishwasher, we want to hear what everybody thinks about a dishwasher. Some people write comments that, you know, are erroneous or whatever it might be. But also the maximizers tend to have regrets. So they tend to - after they make the purchase, they say, oh, you know, option 63 - right? - would've been way better. 

Dave Bittner: But at some point, you got to wash dishes. 

Charles Chaffin: At some point, you got to wash dishes. So, you know, the basic idea here, as we talk about in the book, is you set a deadline. You say, you know what? I'm going apartment shopping. I've got till the end of the month. I can look at as many as I'd like, but at the end of the month, I need to make a decision. 

Charles Chaffin: Now, when it comes to Tinder and whatnot, that's a little bit more of a challenge, saying I'm going to - you know, at the end of the month, I'm going to find a date. But you can also say, you know what? I'm not going to meet, you know, two and three people a week off this dating site. I'm going to meet one that I'm interested in and get to know that person and go through that process. So, you know, when it comes to choice overload, there are ways we can manage all of this and hopefully get our lives to move forward a little bit. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, the subject of Dr. Chaffin's research is attention. I got a joke for you. 

Dave Bittner: All right. 

Joe Carrigan: How many people with ADD does it take to change a light bulb? 

Dave Bittner: How many? 

Joe Carrigan: You want to go ride bikes? 

Dave Bittner: (Laughter) Boy, that hits a little close to home, Joe. 

Joe Carrigan: Yeah. Yeah, it does. 

Dave Bittner: (Laughter) Right. Anyway, Dr. Chaffin. 

Joe Carrigan: Right, yes. 

Dave Bittner: What do you think, Joe (laughter)? 

Joe Carrigan: I love that he's clear about the fact - fact, I say - that we cannot multitask. 

Dave Bittner: Yeah. 

Joe Carrigan: That is important. Multitasking is - I think the belief in the ability of humans to multitask is probably one of the most detrimental beliefs in business. When people say, I'm looking for a multitasker, they should not be looking for that. They want somebody who can task switch, not multitask. 

Dave Bittner: OK. 

Joe Carrigan: Multitasking is bad. And it leads to all kinds of mistakes, including you falling for phishing attempts. It's - you should not be reading your email and doing something else at the same time. 

Dave Bittner: Right. 

Joe Carrigan: Right? That's a bad idea. 

Dave Bittner: Right. 

Joe Carrigan: All the attention we spend on these things comes at the expense of something, and it is impacting us. I like the term that Charles uses here - processed experiences. Kind of like processed food, right? Probably not good for you. 

Dave Bittner: Velveeta, yeah. 

Joe Carrigan: Right, yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's right. Facebook is the Velveeta of life, right? 

Dave Bittner: Of online experiences (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Right, OK (laughter). 

Joe Carrigan: Think critically about every piece of information you receive and the channel through which you are receiving it. Ask yourself, why am I seeing it or why is this person saying this, right? You've really got to think that way about everything, including when people are talking to you. 

Joe Carrigan: Charles goes on to say, think about the tools you use. And I love this, what he says. He says, are we using these tools to make our lives better or are these tools becoming the destination, right? Is social media the tool you use to get together with friends, or is it the way you get together with friends, right? It's better to actually get together with friends. It's even better, I'd say, to have a phone call than to interact with somebody on a social media platform. I like his terms of attention economy, attention spending and attention panhandling. 


Dave Bittner: Yeah. 

Dave Bittner and Joe Carrigan: That's a good one. 

Joe Carrigan: (Laughter). 

Dave Bittner: It is a good one. Yeah, yeah. 

Joe Carrigan: Look at me. I'm climbing this cliff. 

Dave Bittner: (Laughter). 

Joe Carrigan: Charles makes a great point about news outlets and picking your source for the news. He said this explicitly - they can't be opinion piece - opinion sources, right? A lot of these news channels, these 24-hour news channels, have segments of their time that is just essentially commentary. That's not news. That is vastly different from news. 

Dave Bittner: Sure. 

Joe Carrigan: Right? It's important not to let other people do your thinking for you. You have to ingest the news from a news organization and not from that news' commentary. Now, I'm not saying the commentary is worthless because the commentary may present to you a side you didn't consider. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: But don't consider it to be news. It's... 

Joe Carrigan: But don't consider it to be news. 

Dave Bittner: Yeah. 

Joe Carrigan: And don't consider yourself to be informed... 

Dave Bittner: Right. 

Joe Carrigan: ...Because of it. 

Dave Bittner: OK. 

Joe Carrigan: So Dave, let me ask you. Are you a satisficer or a maximizer? 

Dave Bittner: It's a good question. I don't - I - if I'm - I suppose I fall somewhere in the middle because I do do a lot of research before I buy most things. It depends on what the thing - like, I guess the more expensive the thing is, the more impact the thing will have on my life, the more amount of time I will spend researching it just to make sure that it's going to meet my needs. 

Joe Carrigan: OK. 

Dave Bittner: Yeah? Is that fair? 

Joe Carrigan: Yeah, I think that's fair. I am definitely more on the satisficer side of this spectrum, you know? I have the requirements in mind. I go out looking for it. When I find it, I buy it. 

Dave Bittner: OK. 

Joe Carrigan: And funny enough, the example that he cites - dishwasher purchasing, right? - that's - sometimes I have regrets, but most of the time I don't. And the dishwasher is one point where I have regrets. 

Dave Bittner: (Laughter) OK. Uh oh. 

Joe Carrigan: Because I went out and I bought a dishwasher that I thought met my needs, brought it home, and it didn't. But now I have new requirements for the next dishwasher I buy. 

Dave Bittner: OK. 

Joe Carrigan: But... 

Dave Bittner: So you're beating up your dishwasher so that you get to the next one more quickly. 

Joe Carrigan: Right, exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: But the other thing that came to mind with this was when I built my computer a couple years ago. I rebuilt my computer and was looking around for motherboards, processors and RAM. 

Dave Bittner: Yeah. 

Joe Carrigan: And I didn't look at all the options, right? I just looked around for performance and price and made a decision. And I have no regrets about my computer. My computer is great. I spent, you know, maybe an hour putting - selecting the parts and putting it together, which is also part of the fun. But I didn't do all the research, you know? I didn't read hundreds of articles on which processor I should buy and why I should buy this one and - I just found something that was adequate and bought it. 

Dave Bittner: But what if it was an area that you did not have that latent area of expertise on? Like, you have a lifetime of experience... 

Joe Carrigan: Yes. 

Dave Bittner: ...With computers... 

Joe Carrigan: Correct. 

Dave Bittner: ...So you come into that knowing a lot. And I - like, something like dishwashers is different. Did you do more initial research with your dishwasher than you did with your computer just because you didn't know as much? 

Joe Carrigan: I did less initial research. 

Dave Bittner: Really? 

Joe Carrigan: Yeah, I went in to... 

Dave Bittner: Well, but interestingly, you regret that purchase. 

Joe Carrigan: Interesting. Yeah, it is interesting. 

Dave Bittner: Yeah (laughter). Perhaps we've all learned a little lesson here today, Joe. 

Joe Carrigan: Yeah, just a little bit of introspection for Joe today on the show. 

Dave Bittner: (Laughter) All right. Well, let's wrap things up here. Again, we want to thank Dr. Charles Chaffin for joining us. The book is "Numb: How the Information Age Dulls Our Senses and How We Can Get Them Back." Definitely worth your time. It's a really interesting read. We certainly want to thank him for joining our show. 

Dave Bittner: And we want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.