Hacking Humans 8.5.21
Ep 159 | 8.5.21

Acceleration of our digital lives and impacts on cybercrime.

Transcript

Darren Shou: This year is a particularly interesting year, given of all the changes that happened with COVID-19 and the transformation and acceleration of digital lives.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Darren Shou. He is the chief technology officer at NortonLifeLock, and he's bringing us some insights on some of the scams he and his colleagues have been tracking. 

Dave Bittner: All right, Joe, before we dig into our stories here, we have a little bit of follow-up. I will go ahead and read it here. It says, (reading) hi, Dave and Joe. I hope you are well. 

Dave Bittner: Thank you very much. 

Dave Bittner: (Reading) I heard you talking about free learning resources over the past few weeks. I'm a big fan of TryHackMe, which is tryhackme.com. Their site has many free learning paths, and the whole site can be accessed for eight pounds per month or 72 pounds per year. 

Dave Bittner: I don't know what that is in real money. 

Joe Carrigan: Right (laughter). 

Dave Bittner: (Reading) Learning paths (laughter) include a wide variety that cater to all levels and many different disciplines. I think the site is great for anyone looking to start out in the industry. Their subscription also includes access to an attack box if you don't have the resources or knowledge to start up your own virtual machine. 

Dave Bittner: Ah, OK. That's cool. 

Joe Carrigan: Yeah, that's nice. 

Dave Bittner: And the listener says, (reading) I'm an avid user of this site. I have no affiliation with them. In addition, PortSwigger has a free academy for web pen testing, which is very useful for anyone exploring web pen testing. That's portswigger.net/web-security. Hope these are useful to your listeners. All the best, Robert (ph). 

Joe Carrigan: Robert, thank you very much. These are great suggestions. I also would like to add one that I'm surprised I hadn't mentioned before. HackerOne has a program called Hacker101. And you can just Google Hacker101 or HackerOne Hacker101. HackerOne is a company that does bug bounties. They manage companies' bug bounties for them. And, of course, anybody can become an affiliate of HackerOne. And in order for them to increase their number of affiliates, they offer a great free training program... 

Dave Bittner: Oh, nice. 

Joe Carrigan: ...That's available. 

Dave Bittner: All right. 

Joe Carrigan: So it's totally free, and you can go there. So those resources that Robert listed, as well as Hacker101, is - there are some suggestions for people who are looking for them. 

Dave Bittner: All right, terrific. Well, thank you for sending that in. We do appreciate it. 

Dave Bittner: Joe, let's move on to our stories this week. Why don't you start things off for us? 

Joe Carrigan: Dave, this week, I have a story from a listener... 

Dave Bittner: Very good.

Joe Carrigan: ...Which is interesting. He reached out to me. His name is Sedric (ph), and he is a real estate investor who is new to the field of real estate investing. 

Dave Bittner: OK. 

Joe Carrigan: Sedric and his partner were looking to put a contract on a house. And they found one that was a good investment, and then they went looking for the financing so they didn't lose their earnest money. They were looking for something called a hard money loan. Have you ever heard of a hard money loan? 

Dave Bittner: No. 

Joe Carrigan: New term to me as well. According to Investopedia, it's a loan that is secured by real estate. So kind of like a mortgage, but it's a shorter-term loan. And it's generally offered by individuals or companies, but not by banks. So these are financing people who are looking to make a little bit of money in real estate by offering these loans to people. And the loan is secured with a lien against the house they're buying. 

Dave Bittner: I see. So is this for, like, folks who - I could imagine this being useful for someone who is looking to buy a house, renovate it and then turn around and sell it quickly. 

Joe Carrigan: Yes. 

Dave Bittner: In other words, someone who's not looking to live in the home, but is either going to flip the house or have it as an investment or something like that. 

Joe Carrigan: It is almost tailor-made for that use case. 

Dave Bittner: I see. OK. 

Joe Carrigan: Right. Sedric is in this Facebook group called Hard Money for Real Estate Investors. And someone named Dan (ph) posts that he says he's offering hard money loans. And Sedric reaches out to this guy and knows right away, once this guy starts getting back to him, that it's a scam, right? The guy claims that he can offer a 100% loan-to-value financing. And - in other words, they're going to fund the purchase of the house, which some lenders do, but only if you have experience in flipping houses and you have really good credit. 

Dave Bittner: OK. 

Joe Carrigan: And Sedric is new to this, so he was a little bit dubious of the claim, right? So then Sedric receives an email from this guy requesting the same personal information that you would provide when you're applying for a mortgage, which I don't know how different that is from when you're applying for a hard money loan. But it seems like it's a lot of information. 

Dave Bittner: Yeah (laughter). Like, I was thinking when you said all the information you provide for getting a mortgage, which is basically all of it. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's an examination, Dave. 

Dave Bittner: Right (laughter). 

Joe Carrigan: It's an unpleasant, uncomfortable examination. 

Dave Bittner: Yes. Yes (laughter). 

Joe Carrigan: You know, when you go to the doctor and get those examinations, at least those are quick, right (laughter)? 

Dave Bittner: Yeah, right. Exactly. 

Joe Carrigan: The mortgage process takes... 

Dave Bittner: And it's just - it's one-on-one. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. This is a whole lot of people involved (laughter). 

Joe Carrigan: Yeah. It's a miserable process. I hate getting mortgages. However, the PDF document had some spelling errors in it. And there were some grammatical mistakes in the email. So Sedric goes, I'm done, and he just walks away, right? 

Dave Bittner: OK, good. 

Joe Carrigan: So the guy comes back a couple of days later, and Sedric says no. And then the guy says, all I need is a 1% down payment to process this house application, and once approved, the funds will be available for the transaction. Now, this house is on the market, or Sedric has got a contract to buy this house for $170,000. 

Dave Bittner: OK. 

Joe Carrigan: So that's $1,700 this guy wants. 

Dave Bittner: OK. 

Joe Carrigan: He's trying to scam people out of $1,700. And Sedric, again, tells him no, I'm done, I'm not doing that, and hangs up. 

Dave Bittner: OK. 

Joe Carrigan: The guy reaches out a third time on Facebook Messenger, and this time, Sedric says, you know what? This would make a good story for "Hacking Humans." He's thinking of us, Dave. 

Dave Bittner: (Laughter) Oh, wow. 

Joe Carrigan: (Laughter). 

Dave Bittner: Way to go, Sedric (laughter). 

Joe Carrigan: So he does a little bit of scam-baiting here, and he says, OK, fine. Send me the instructions and how I get the 1% down payment to you. And the guy says, well, it's a wire transfer, right? And I need you to send it to our notary agent. 

Dave Bittner: OK (laughter). 

Joe Carrigan: And he provides the - all of the PII, the personally identifiable information, for the notary agent. This is this person's home address, their bank account number, their routing number for the bank, which is actually publicly available, but the account number is private. And Sedric goes, OK. So I know what this is. Let me look up this person. And he finds out this person is an 80-year-old woman that lives in North Carolina, so probably not a notary agent. 

Dave Bittner: No. I know where this is going, but go on. 

Joe Carrigan: Well, so Sedric knows the scammer has access to this lady's account. So this woman is actually a victim here, probably. 

Dave Bittner: And Sedric also has access to that account - right? - I mean, if he has the bank account details. 

Joe Carrigan: Right. That's a good point. He has all the information, including the SWIFT number. 

Dave Bittner: Right. 

Joe Carrigan: It's a lot of information these guys have. Somehow they've compromised this lady, probably through some other social engineering attack. 

Dave Bittner: Yeah. I was going to say, it sounds like she's a money mule. She's a - you know, she doesn't know - you know, we've talked about these sorts of scams where people are - they think they're just doing regular little accounting jobs, you know? 

Joe Carrigan: Right. 

Dave Bittner: And the scammers tell them, oh, the money needs to flow through your account. But don't worry. We'll pay you a cut of it. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: Yep, it could be that. It could be that they just have access to her account and just use it as a transfer point. 

Dave Bittner: Right. 

Joe Carrigan: She could be - or there's the - I think it's unlikely, but she could be in on it. But I think that's kind of unlikely. 

Dave Bittner: Probably, yeah. 

Joe Carrigan: I'm willing to provide just about everybody the presumption of innocence. 

Dave Bittner: She's the matriarch kingpin... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Of this entire operation (laughter) running from a retirement home in North Carolina... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...All the way to the bank. 

(LAUGHTER) 

Joe Carrigan: So at this point, Sedric lets the scammer know that the jig is up. He says, you know, I know what's going on here. This is a scam. I know it's a scam. The scammer is, of course, nonplussed, to say the least, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Very upset. 

Dave Bittner: Sure. 

Joe Carrigan: But since there was a compromised bank account involved, Sedric does the right thing, and he notifies the FBI as well. 

Dave Bittner: Oh, excellent. 

Joe Carrigan: So hopefully the account has been secured. The person who was being used as a money mule is hopefully now no longer being used that way, and this guy is no longer available on Facebook to try to scam people out of hard money loans. But don't worry. He'll be back. 

Dave Bittner: Yeah. 

Joe Carrigan: He doesn't walk away from this. 

Dave Bittner: (Laughter) Well, and I would guess, too, that - Sedric doesn't share whether or not this happened. But I'm guessing, based on what we've seen so far from Sedric, that they've informed the rest of the Facebook group. 

Joe Carrigan: Yes. Oh, yeah. He did inform the rest of the Facebook group. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Yep. He did tell me that. 

Dave Bittner: OK. Well, it's a good lesson for everybody. Yeah. And hats off to Sedric for doing the right thing. And a little bonus is that you saved some of it for us, so (laughter)... 

Joe Carrigan: Yes, absolutely. Thank you, Sedric. 

Dave Bittner: We appreciate that very much. All right. Wow. Interesting story. 

Dave Bittner: Well, Joe, I think this week, instead of having a news story, I'm going to continue our conversation about passwords and multifactor authentication. 

Joe Carrigan: OK. 

Dave Bittner: And one of our listeners reached out to us. It was a Twitter user who goes by @coinsiglieri on Twitter. So I suspect it's some sort of - either someone who's involved with cryptocurrency or perhaps just collecting coins. 

Joe Carrigan: Yes. 

Dave Bittner: I don't know (laughter). But a clever turn of phrase there. 

Joe Carrigan: It is a very clever turn of phrase. 

Dave Bittner: Hats off to you for there. And this person reached out after hearing our recent show and said, (reading) you ask what would help people adopt two-factor auth. I say tell folks what they can do once they set up 2FA and lose or change phones. My guess, fear of being locked out of accounts is a main obstacle. Also, provide option other than giving cell number to every website. Thank you. Great show. 

Dave Bittner: OK. So this hit home for me because I'm in the midst of this, Joe. 

Joe Carrigan: Are you? 

Dave Bittner: Yes (laughter). 

Joe Carrigan: What has happened, Dave? 

Dave Bittner: So as you know, I am a regular over on the "Grumpy Old Geeks" podcast. 

Joe Carrigan: Yes. 

Dave Bittner: Fun show. If you haven't checked it out, check it out. A little spicy language over there, so be warned. 

Joe Carrigan: (Laughter). 

Dave Bittner: But the "Grumpy Old Geeks" show has a Discord server - right? - so a Discord chat area where folks who are fans of the show can go and chat about the show. And it's pretty active. And so I thought, oh, this would be great for me to check in here from time to time and interact with the listeners of the show. So I set up a Discord account, which I had not done before. And after - not long after setting up this account - which, being the secure person that I am, I set up multifactor authentication. 

Joe Carrigan: OK. 

Dave Bittner: And not long after setting up the account, I got a new phone. Guess what happened next, Joe? 

Joe Carrigan: Did you hand in your old phone? 

Dave Bittner: Well, I passed the phone down to my son, who... 

Joe Carrigan: Who did a factory reset on it. 

Dave Bittner: Yes. Exactly. 

Joe Carrigan: And that immediately deleted the seed that you had for your Discord one-time password time-based authentication. 

Dave Bittner: You are on the right track here, Joe. 

Joe Carrigan: OK. 

Dave Bittner: So ever since then, I have been unable to access my Discord account. And I've come at it a couple times. And here's what happens. I come at it, and part of this is because I forget - it's kind of like how our wives tell us about giving birth. Like, you wouldn't - you - the only way you have a second child is because you forget about what it's like to have the first child. 

Joe Carrigan: Yes. 

Dave Bittner: You know, it's - so it's been like that, where I come at it. I say, all right, I'm going to try to get back in my Discord account. And I log in, and it says, what's your username? And I give my username. And it says, what's your password? And I say, tell you what, let's reset my password. So I click on reset password. They send me an email. I respond to that. I reset the password. I use my password manager to generate a random password, generates the password, goes in. It says, great, your new password has been accepted. Now, what's your multifactor authentication code? And that sound you hear is me banging my head against the desk. 

Joe Carrigan: (Laughter). 

Dave Bittner: And that's where it stops because I don't have access to the thing that generates that code. 

Joe Carrigan: Did you get backup codes? 

Dave Bittner: Joe, I don't know if I got back... 

Joe Carrigan: OK. 

Dave Bittner: I mean, sure. 

Joe Carrigan: Right. 

Dave Bittner: Let's say I did (laughter). 

Joe Carrigan: But - yeah, but you didn't save them. 

Dave Bittner: Well, maybe I did. I don't know. 

Joe Carrigan: OK. 

Dave Bittner: So shame on me for that. I bet you if I - I don't know - if I went looking through emails or who knows? But - so, yes, part - look; I take full responsibility that part of this is on me. The large - a large part of this is on me for not putting in place all the things to make this easier. But in the meantime, it's been about a year (laughter), and I can't get - and the reason I - so why this is timely is I just came at this the other day, right? 

Joe Carrigan: Again. 

Dave Bittner: Just a few days ago, I came at it again. And part of it was because I'd forgotten about banging my head against the desk when I came at it the first time. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So a friend of mine said to me, hey, I got this thing on Discord. We can do this thing. I said, oh, that sounds like fun. So - oh, wait a minute. Right? 

Joe Carrigan: Yeah. 

Dave Bittner: So bottom line is I ended up just creating a new Discord account... 

Joe Carrigan: Right. 

Dave Bittner: ...Using a different email address. 

Joe Carrigan: Yep. 

Dave Bittner: But that's not ideal. 

Joe Carrigan: It's not ideal. 

Dave Bittner: And I'm sure I could reach out to Discord and go through whatever hoops I need to jump through, you know, probably send them a copy of my driver's license, my birth certificate and a blood sample... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...To get the multifactor either disabled or reset or who knows what. Long story short, I know, too late. 

Joe Carrigan: Right. 

Dave Bittner: Coinsiglieri is absolutely right that this whole thing of if you get a new phone or you lose your phone or something happens to your phone and you're using multifactor, this can be a royal pain in the butt. 

Joe Carrigan: Yes, it can be. You are 100% correct. Now, I have, in the past, experienced something very similar to this. 

Dave Bittner: OK. 

Joe Carrigan: I accidentally did a hardware reset on my phone as a part of, you know, a support call at one point in time... 

Dave Bittner: Yep. 

Joe Carrigan: ...Not realizing that I had a bunch of Google authenticator one-time codes on there. 

Dave Bittner: Right. 

Joe Carrigan: Or actually, it was just one of them at the time for work. 

Dave Bittner: Nothing important (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Just my livelihood (laughter). 

Joe Carrigan: But here's the thing. Fortunately for me, I learned this lesson early on. And I could call my office's - JHU's tech support and say I lost my Google authenticator passcode... 

Dave Bittner: Right. 

Joe Carrigan: ...Because I reset my phone. And they were like, OK, fine. Well, we'll just reset it. They know who I am. They know... 

Dave Bittner: Right (laughter). 

Joe Carrigan: So that was easy. 

Dave Bittner: Did you hang your head in shame being from the computer... 

Joe Carrigan: Yes. 

Dave Bittner: ...Brainiac part of Johns Hopkins (laughter)? 

Joe Carrigan: From the Information Security Institute. 

Dave Bittner: Right (laughter). 

Joe Carrigan: I have - well, I have security locked myself out of my... 

Dave Bittner: Right. So at least the system was working (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: That being said, now, since I learned that lesson... 

Dave Bittner: Yeah. 

Joe Carrigan: ...What I do now is - when you enable two-factor authentication with one of those apps, there is usually a backup way to get in. Like, here are some - give me some codes. Like, I think Google will give you a set of passcodes... 

Dave Bittner: Right. 

Joe Carrigan: ...That will let you in. And I save those in a text file for the website, and I keep that on an encrypted drive (laughter). And I keep... 

Dave Bittner: (Laughter) Locked under - in a Mason jar under Funk & Wagnalls' porch (laughter). 

Joe Carrigan: Yes, essentially. 

Dave Bittner: OK (laughter). 

Joe Carrigan: It's not an encrypted drive that's connected to any computer. It's on a little USB memory stick. 

Dave Bittner: Right. 

Joe Carrigan: It's backed up on other media as well. So it's a VeraCrypt drive, you know, so... 

Dave Bittner: Yeah. 

Joe Carrigan: VeraCrypt is a free piece of software you can use to create encrypted volumes if you have data that you want to secure, especially if you're keeping it offline. It's a good tool, but it does take a little bit of expertise. And Coinsiglieri is right. I might not have the same level of empathy for people because I'm willing to do this, the security stuff, you know? I'm willing to set up a VeraCrypt drive. I'm willing to save this information in these text files. 

Dave Bittner: Right. 

Joe Carrigan: But, you know, you can also print them out as well and keep them in a file somewhere. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: That's also a viable solution. 

Dave Bittner: Yeah. 

Joe Carrigan: Really, your threat model is people attacking you across the internet. People breaking into your house to steal - people are not going to break into your house to steal access codes. 

Dave Bittner: Right. 

Joe Carrigan: They're going to break into your house to steal your jewelry and your wallet... 

Dave Bittner: Right. Exactly. Right. 

Joe Carrigan: ...And maybe your documents. So don't keep it with where you keep your birth certificates. Keep it somewhere else. But... 

Dave Bittner: Yeah, yeah - a Mason jar under the front porch (laughter). 

Joe Carrigan: Right. And remember, you should still use this with your banks because they - banks have a customer service organization, right? 

Dave Bittner: Yeah. 

Joe Carrigan: If you get locked out of your customer service - or out of your banking account, this wouldn't be a big problem, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Like, if this should happen with your bank, you'd just go to the branch and get this resolved, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But when it happens with a nameless - or not nameless, but a faceless monster like Discord, Facebook, Twitter, Google... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Anything like that, you're hosed. You're essentially hosed because they have no support mechanism to try to do it. And I'm not sure that they can do that at scale... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because as soon as you do that, every single fraudster is going to be trying to log in to your - that tries to log in to your account is going to be trying to call them and - or use that system. They'll just clog it. 

Dave Bittner: Right. Now - so here - this led me to another line of thinking that I want to run by you, which is this. So I'm thinking that YubiKeys might be the best way to go here. 

Joe Carrigan: Right. 

Dave Bittner: And this is why. Because I was thinking about - we all have car keys, right? 

Joe Carrigan: Yes. 

Dave Bittner: Those of us who have cars, we have car keys. And our car keys unlock our cars, and they start our cars. And for most of us, our car is probably the second-most valuable thing we have besides our house, which - may I point out? - also has a key (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Right? A physical key. Now, some of us have digital locks, blah, blah. OK, fine, whatever. But for the most part, most of us have car keys. Car keys have gotten more sophisticated. You know, they have - you know, they have digital car keys and so on and so forth. But the bottom line is we still have a physical object that needs to be in proximity of the vehicle to unlock the car. 

Joe Carrigan: Right. 

Dave Bittner: Right? And I don't think very many of us are saying, oh, God, this is such a hassle. I really wish - well, my next car isn't going to have a key because this is just too much of a hassle carrying this car key around. No. We've adjusted. We know cars come with keys. It's what we're conditioned to do. 

Joe Carrigan: Right. 

Dave Bittner: Right? So why not with the things that are valuable to us online have the same sort of thing? You got something valuable that you want to protect? You get a key. It's a physical key. You have it with your car keys. Most of the time, I have my car key nearby, my house key, right? 

Joe Carrigan: Right. 

Dave Bittner: Why not? What do you think of this, Joe? 

Joe Carrigan: I think it's a good idea. I use a YubiKey to secure a lot of my accounts... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like my Facebook account and any other account where I can use it. But I use two YubiKeys. 

Dave Bittner: OK (laughter). So belt and suspenders (laughter)? 

Joe Carrigan: Well, it protects me against the use case where, like, with your phone, if you lose your YubiKey or it gets damaged. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So I have two YubiKeys configured to grant me access to these accounts. And you can do that on these accounts. They'll... 

Dave Bittner: Oh. Right, right, right. 

Joe Carrigan: They'll both do it. 

Dave Bittner: I'm with you now. Yes. Yes. 

Joe Carrigan: So if the one that I keep with me all the time gets damaged, I still have one at my house in a safe location that grants me access to the accounts. 

Dave Bittner: I do exactly the same thing. 

Joe Carrigan: Yeah. 

Dave Bittner: Exactly the same thing, yup. 

Joe Carrigan: So if you're going to use a YubiKey, use two. 

Dave Bittner: Yup, yup. Absolutely. All right. Well, again, thank you to our listener Coinsiglieri for sending in this kind note, and I appreciate it. And what can I say? I suppose I'm - I suppose I'm done with my Discord woes by punting and just (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...Starting a new account. Just, you know, fortunately, I didn't have anything really valuable in the other one. But it's less than ideal. And I'm just wondering, you know, from now on, am I - if I have the choice, am I going to go with a YubiKey rather than, you know, an app-based authenticator on my phone because as Coinsiglieri said, this whole thing with if you lose your phone... 

Joe Carrigan: Yeah. 

Dave Bittner: ...It's a nightmare. 

Joe Carrigan: It is. It absolutely is. 

Dave Bittner: It's a nightmare, yeah. All right, good points. So thank you for sending that in. 

Dave Bittner: We would love to hear from you. If you have something you would like us to discuss on our show, you can email us to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, we have a couple of short ones today. Because they were short, I chose two of them. 

Dave Bittner: All right. 

Joe Carrigan: And the first one comes from a listener named Pryce (ph), who received a text message that reads... 

Dave Bittner: (Reading) You just sent a payment to Robert Hill of $13.50. If you do not recognize this transaction, please visit the support page. 

Joe Carrigan: And then it has a Bitly link right after that. 

Dave Bittner: OK. 

Joe Carrigan: And I went to Bitly and put a plus after that and found out that that link just links to an IP address... 

Dave Bittner: Oh, interesting. 

Joe Carrigan: ...Which is interesting, with a tag on the end. 

Joe Carrigan: Pryce goes on to say, (reading) I'm unwilling to click the link. 

Joe Carrigan: Yeah, I would think so. 

Joe Carrigan: (Reading) Random texts are common, but this was a little extra aggressive in the attempt to invoke an emotional response. 

Joe Carrigan: I agree. I mean, it's not a - it's - I don't think it's anything out of the ordinary, but, yeah, it is kind of aggressive. 

Joe Carrigan: (Reading) I've received at least a few others about insurance or a fake bank notification from someone pretending to be my actual financial institution. 

Joe Carrigan: So he has a financial institution, and he says, unfortunately, because mortgage information is publicly available, they can send him these texts pretending to be him... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or pretending to be the institution with whom he actually does business. 

Dave Bittner: Right. Right. 

Joe Carrigan: It's like those mails you get in your - the physical mail you get all the time telling you to refinance your loan with whatever loan you have - lender you have. 

Dave Bittner: Right, or your car warranty's about to expire. Somehow they know what car - or they... 

Joe Carrigan: Yeah. 

Dave Bittner: Usually with me, it's, like, three cars ago, you know (laughter)? 

Joe Carrigan: Right. 

Dave Bittner: Right. Right (laughter). 

Joe Carrigan: The next one actually comes from a listener named Ronald (ph). He says, (reading) see the attachment I received the other day. At first glance, I said, that's strange. I just paid that subscription. Then I read the whole mail - obviously trying to get me to call the number and give up my PII. 

Dave Bittner: (Reading) Dear respected subscriber, your yearly subscription for Norton PC security has been successfully renewed and updated. The debited amount will be reflected within next 24 to 48 hours on your account profile. 

Dave Bittner: Then it has a product description. 

Dave Bittner: (Reading) If you wish to claim a refund, then please feel free to contact our billing department as soon as possible. You can reach us on - and then there's an 866 number. 

Joe Carrigan: Right. 

Dave Bittner: (Reading) Regards, billing department. 

Joe Carrigan: Now, note, Dave, the 866 number is very oddly spaced, isn't it? 

Dave Bittner: It is very odd - yes, very oddly formatted. 

Joe Carrigan: I believe that is to get through spam filters. 

Dave Bittner: I believe you are correct. 

Joe Carrigan: Right. 

Dave Bittner: It is conspicuously so. 

Joe Carrigan: Right. Also, the price is interesting. It's a - $251.51. Not a round number. 

Dave Bittner: No. 

Joe Carrigan: I wonder why. 

Dave Bittner: I don't know. There's probably some psychological reason for that. 

Joe Carrigan: Yep. 

Dave Bittner: I don't know. Interesting. Makes it look like they're charging tax or something. 

Joe Carrigan: Yes. 

Dave Bittner: Interesting. 

Joe Carrigan: I think these are both interesting. 

Dave Bittner: Yeah. 

Joe Carrigan: Good catches. Thank you, Ronald. Thank you, Pryce. 

Dave Bittner: And again, if you would like to send us a Catch of the Day, you can do so. The email address is hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Darren Shou. He is the chief technology officer over at NortonLifeLock. And we're discussing some research that they all recently published where they've been tracking some of the scams that Darren and his colleagues have had an eye on lately. Here's my conversation with Darren Shou. 

Darren Shou: This is our sixth annual report, and we do it for two purposes. One is you really want to get an understanding of how consumers are feeling about cyber safety and privacy needs and concerns because the cybersecurity landscape is always changing and evolving, right? This year is a particularly interesting year given of all the changes that happened with COVID-19 and the transformation, acceleration of digital lives. And then we can take this work that comes out of the "Cyber Safety Insights Report" and then also combine it with what our protection labs is seeing in our telemetry from our threat telemetry databases. 

Dave Bittner: Well, let's dig into that together. I mean, as you mention, I think it's fair to say - and I think all of us understand - that this past year was a bit atypical. But one of the results of that is that people spent a lot more time online. 

Darren Shou: In fact, in our cyber safety report, most people - I think it was a little bit over 65% - said they spent more time online than ever before. And, of course, this makes perfect sense. You know, I'm a father working from home for the last year myself. My daughter immediately went to an online learning environment. I mean, it felt like it was overnight. 

Darren Shou: And so in my family at least, and maybe for many other people, someone - you know, my child, who I had never thought about really giving her her own screen, her own device, overnight, it was, I have to give it to her so that she can be educated, so that she can engage with people. It became her window into the world. And then for my wife and I both working from home, it became the way that we, you know, interact with our employers and our colleagues. So everybody was doing that online, not to mention the fact of how we got food, especially in the early weeks and months of the pandemic. So really, the device became our life online. I think that's probably true for a lot of people. 

Dave Bittner: And so how did that reflect in the findings for this year's report? What sort of things are you tracking? 

Darren Shou: Yeah. So you're right. You have a number of people experiencing cybercrime - or now also just experiencing identity theft. So what we saw was there were about 330 million cybercrime victims over the past 12 months that the survey covered and about 55 million identity victims. You know, kind of to put that in perspective, you think about that being, in the United States, two of five people experienced cybercrime as more and more people went online this year. 

Darren Shou: I mean, that's a huge amount of folks experiencing kind of a double whammy, right? You've got the physical virus taking over the world and impacting us in unimaginable ways. And then we also have kind of the impacts of cybercrime - right? - whether it be from malware or phishing or fraud, right? 

Dave Bittner: Yeah. I was going to ask you to kind of spell out, I mean, what are the spectrum of things that people are experiencing here? What falls into the category of cybercrime as you all tracked it? 

Darren Shou: Right. So, I mean, this covers quite a bit from malicious software to, you know, disruptions from the network access. You know, maybe it is even, as you're working from home, having your personal Wi-Fi network attacked or unauthorized access on a smart device that maybe had a web camera or takeover of a social media account or a gaming account as people went online. 

Darren Shou: You know, one thing that was really personal for me was seeing that - you know, having my child being online, but also having her experience a little bit of bullying as she was engaging in chat rooms, which was a brand-new experience for her - to go online, see her teacher, see her colleagues and even do kind of what I would call, I guess, a cyber play date and yet experience maybe some unwanted, you know, interactions as people are getting used to this entire new way of living. 

Dave Bittner: Wow, yeah. What are you seeing sort of from the other side of it? How are people responding? Is there recognition among folks out there that they had to up their game in terms of protecting themselves? 

Darren Shou: Yeah, absolutely. We - you know, in a survey, we saw that more than two-thirds - I think the exact number's 77% - of people surveyed said they're taking more precautions to be safer online. The flipside of that, though, is still a significant portion - more than, you know, two out of five - really need more help in knowing what to do. And the key to this is kind of two things, I think. 

Darren Shou: One, when I think about the problem, this is natural. In the physical world, it's pretty understood that the presence of light and the absence of darkness makes us feel safe. And the majority of people, almost two-thirds of people, will change their behaviors and their habits after dark. I think what happened in this last year with COVID, but also, you know, a huge rise in cybercrime against consumers, is that people realized they need to change their habits online. 

Darren Shou: Now, the other thing I was going to mention about that is, OK, so how do you give people back that control? And I think it's two things. It's education, and then you've got to empower them with the tools and the habits that are going to give back that ability to understand what's a threat online and what isn't. And when you do that, you not only regain control but regain that sense of safety - right? - that feeling of the absence of harm, which is really - I don't know if we really think about it that way often enough. But if you talk about cybersecurity, I often feel we think security, OK - barbed wire, concrete fences - right? - locks on doors. But what is cyber safety? And I think the answer to that is, well, what makes us feel safe online? And that's a very interesting way... 

Dave Bittner: Right. 

Darren Shou: ...To approach it. I think that's the way a lot of consumers think about it. 

Dave Bittner: Right. What is the cyber equivalent of turning on that front porch light? 

Darren Shou: That's right. And when you have that front porch light on, in this case, you know, oftentimes we are the light, right? We're that spotlight for people, and we're able to discern, hey, is this a virus or not? Is this a phishing attack or not? Or as you're going online to get news, is this misinformation or disinformation, or is this trusted information? How do we empower people to make those decisions in their best interests? 

Darren Shou: In fact, one of the things we saw a lot of during COVID-19 is everybody kind of rushed to have more devices and use them more ways. Unfortunately, so cybercriminals increased tech support scams. It's an old scam. But in our telemetry and from our support contacts, we saw up to an 1,800% increase year over year. 

Dave Bittner: Wow. For those of us who have the responsibility, you know, for our families, for - and I'm thinking particularly for, you know, maybe elderly parents, what sort of suggestions do you have for ways that we can do our part to help make them safer? 

Darren Shou: So that's an interesting question. And when we look at vulnerable populations - you mentioned one. OK, so how can we take care of our parents? I think there's a few things that are happening already that we have to just have the context for. One is with so much change happening in the physical world of, you know, dealing with COVID and in changes to our routines, there is basically a body budget when we think about our stress. And everybody has had some kind of depletion of their energy and increase of stress, I would imagine. 

Darren Shou: And then you've got, lay it on top of that, the changes to routines - how we shop, how we deal with things online. Then you combine that with the fact that we have these assistance programs that are coming out from governments, from others. And everybody's reaching out and saying, OK, here's what you need to do. And you haven't maybe done this before. So you combine an increase of stress, change to routines and the availability of new assistance, but all of these things are really happening also through the channel of online. 

Darren Shou: So when you take that context, how can we help anybody, whether it's our children or whether it's someone we're taking care of, our family member, understand how to operate in that environment? And I think the first piece of advice I would say is we got to slow down and really have a critical eye to what we're doing. Otherwise, the brain's natural operating system will encounter the equivalent of a human zero-day - right? - where the prediction errors lead us into some bad places. And that's where you click on a phishing email. Or that's where you fall victim to a scam. Or that's where, you know, you can leak information that can be used against you, right? You cause all sorts of problems, or you fall victim to these attackers. 

Darren Shou: And that's, of course, on top of the regular cyber hygiene that we would traditionally recommend, right? Keep your software updated. You're using it more. If you were driving your car more, you would check your tires more often. Maybe - I was going to say you also have to fill up the gas, but in an electric car world, what would be the equivalent of - check your brakes often. And if you're driving the car more, you're going to wear through your tires and your brakes. It's the same thing. 

Dave Bittner: Right. 

Darren Shou: Use your computer more? Let's make sure that you keep your software updated, right? And, of course, then you have all the other things you need to think about. You're online more. If you're using a home Wi-Fi network, maybe you need to be thinking about how you check the security of that device 'cause it has its own password. It has its own operating system that needs to be kept up to date. But you might also, you know, want to use a virtual private network, or a VPN, to maintain that kind of secure communication 'cause you're doing banking at home, you're doing your work at home, right? 

Dave Bittner: Yeah. 

Darren Shou: And, of course, I think the most important thing is talk about it, right? Maybe you're talking to your parents about what the use should be like and what to experience and what to do if they're seeing any kind of scams, maybe just reach out and phone you and talk to you about it. 

Dave Bittner: Yeah, keep those lines of communication open also, I suppose, so that they are able to inform you if they feel like something is unusual. 

Darren Shou: Absolutely, right? I think what you want to do, and it kind of goes to that slow down and think about it, is you have to turn a critical eye to a lot of these scams, right? It's worth doing that. 

Darren Shou: Sometimes I think about the way the human brain works 'cause security often - when we talk about cybersecurity professionals, we often talk about device security or network security. What I'm really focused on is individual security, right? How do we protect that human operating system? And one of the things we have to be really careful of is we all actively participate in determining what we perceive. And by slowing down, we really bring more awareness to what we're doing and how we're creating - and how our mind is creating explanations of things, right? 

Darren Shou: So an example of this would be, oh, I need to apply for, you know, a stimulus, maybe PPP loan. Maybe I need to apply for unemployment. How do I do that? And so how do you think about making sure that with all these other disruptions I mentioned, you build in that ability to critically create the right constructions to examine it and make sure that it's being safe and that it's legitimate - right? - or get the tools and education that will help you do that? 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Good interview, Dave. The - some interesting takeaways from this. In the past year, nearly 330 million people across 10 countries were victims of cybercrime. 

Dave Bittner: Wow. 

Joe Carrigan: Three hundred thirty million people. That is almost the population of the United States, which is the third most populous country in the world. 

Joe Carrigan: Fifty-five million people had been victims of identity theft. Again, that's a lot of people. Business in the cybercriminal market is booming, Dave. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: It's very good. Seventy-seven percent of people said they're taking more precautions but need more help in knowing what to do. I say do these two things. No. 1, use multifactor authentication despite our complaints earlier in the show about it (laughter). 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Still, it's worth it, particularly if you - if it's with some financial institution where you hold money. Very, very important if it's with your work - very, very important. And those things are very easy to recover from in the event you lose your multifactor authentication methodology. 

Joe Carrigan: The second thing I always recommend is use a password manager and let that password manager pick random passwords for every single site that you visit. 

Dave Bittner: Right. 

Joe Carrigan: It goes a long way to protecting you. It protects you. Some of them, if they're browser-integrated, can protect you from phishing attacks. These two things - multifactor authentication, a password manager - are still the two best things you can do to protect yourself. 

Joe Carrigan: I like Darren's analogy about changing your behavior after dark, right? We all change our behavior after dark. We're a little more wary 'cause that's where bad things happen. But... 

Dave Bittner: Right. It's when the monsters come out. 

Joe Carrigan: That's right (laughter). It's always nighttime on the internet, though, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: And a lot of people are just standing around with handfuls of cash on the internet. 

Dave Bittner: The entire internet is a bad neighborhood. 

Joe Carrigan: Right, exactly. 

(LAUGHTER) 

Dave Bittner: Right. 

Joe Carrigan: You don't want to be walking through there... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Unprotected. 

Dave Bittner: Sure. 

Joe Carrigan: You know, think of it that way. Think of the entire internet as a bad neighborhood. It's a great way to do it because you never know when someone's going to approach you that they are who they say they are. They have really good disguises in this bad neighborhood, you know? It's like the old detective shows where the guy would rip off the mask, and one actor would become another actor. 

Dave Bittner: Yeah. 

Joe Carrigan: You know? But it's very much like that anywhere on the internet. Since the dawn of the pandemic, Dave, there's been a ton of stuff that we're doing online that we've never done before, and a lot more people are spending a lot more time online. And Darren says what we have heard many times before, and we've also said this as well. Slow down. 

Dave Bittner: Right. 

Joe Carrigan: That brings more - bring - it helps you bring more awareness to the situation. Just be mindful of what you're doing. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Be aware. 

Dave Bittner: Yeah. 

Joe Carrigan: Talk about this stuff with your family. And again, we hear somebody saying think critically about everything online. 

Dave Bittner: Yeah. 

Joe Carrigan: Every single thing you see online, think critically about it. 

Dave Bittner: Yeah, absolutely. All right. Well, again, our thanks to Darren Shou from NortonLifeLock for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.