A good amount of skepticism helps protect you online.
Blake Hall: The more important behavior is just having a good amount of skepticism when you deal with anybody who calls you or asks you for your information. You need to vet those exchanges before you ever send your social or your driver's license or your Social Security card to a stranger.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, Blake Hall is CEO and co-founder of a company called ID.me. We're discussing protecting your identity online.
Dave Bittner: All right, Joe, before we dig into our stories this week, got a little bit of quick follow-up here. Heard from a listener named Rafa (ph), who wrote in and said, for those that don't go into two-factor authentication for fear of losing their phone or don't want to have a separate device such as the YubiKey you mentioned on your podcast, the alternative I'm using is the iOS password app that's inside settings on all iOS devices. It keeps passwords and also generates the temporary 2FA codes for all the logins supported by Google Authenticator.
Dave Bittner: So that was news to me. I was certainly aware of the password manager that's built into iOS.
Joe Carrigan: Right.
Dave Bittner: And it's quite good, and it's quite secure. But I did not know that it had the capability to generate the Google Authenticator codes. So that's news to me, and...
Joe Carrigan: Yeah.
Dave Bittner: That's good.
Joe Carrigan: The Google Authenticator codes are actually - I mean, it's just - it's an open standard. Anybody can implement it.
Dave Bittner: Yeah.
Joe Carrigan: So you can use Google Authenticator or, obviously, the Apple password app or Microsoft Authenticator as well.
Dave Bittner: Yeah, yeah. So Rafa goes on and says, the difference here is that it's linked to your account, not the device in which the app is running.
Joe Carrigan: OK.
Dave Bittner: That way, you don't lose access to your other accounts if you lose the device. You just have to start a new session in another iOS device, and your two-factor is back.
Joe Carrigan: So Apple's backing up seeds in the cloud, maybe?
Dave Bittner: Yeah. That's what it sounds like to me.
Joe Carrigan: OK.
Dave Bittner: It's tied to your iCloud account, I am assuming. I don't actually know that, but that would make the most sense (laughter).
Joe Carrigan: Well, I have both Google and Microsoft Authenticator on my phone. And I'll let you know when it comes time to upgrade my phone, which will be soon, Dave.
Dave Bittner: (Laughter) Right.
Joe Carrigan: Because look at this poor thing.
Dave Bittner: Aw.
Joe Carrigan: It's got - the back is missing.
Dave Bittner: Yeah.
Joe Carrigan: The screen is cracked.
Dave Bittner: Yeah.
Joe Carrigan: It's...
Dave Bittner: Not many people carrying around Motorola flip phones anymore, Joe.
Joe Carrigan: Right (laughter).
Dave Bittner: But for you, I guess if it still works, why replace it (laughter)?
Joe Carrigan: Right. That's right. It's a Google Pixel 3, and I have to replace it because they're ending support on it next - ending security updates in the first quarter of 2002. So if you have a Google Pixel 3, time to get a new phone.
Dave Bittner: Yup, yup.
Joe Carrigan: I'm not explicitly saying go get another Google Pixel. I actually am not very happy with my Pixel 3, but I may very well get the Pixel 6. Who knows?
Dave Bittner: Yeah.
Joe Carrigan: I don't know.
Dave Bittner: All right.
Joe Carrigan: I also wanted to hat-tip to Ben (ph) from Microsoft. My friend Ben, he works in security out there. He listened to us talking about how I've gone to the Microsoft Authenticator for logging into Microsoft. And I may have - I think I bemoaned that I couldn't use my YubiKey, and he said there is a way to use your YubiKey with your Microsoft account.
Dave Bittner: Oh, OK.
Joe Carrigan: So you can do that.
Dave Bittner: All right. Well, good to know.
Joe Carrigan: Yep.
Dave Bittner: Good to know. All right, well, let's jump into some stories this week. I'm going to kick things off for us. My story comes from Motherboard over on the VICE website. This is by Joseph Cox, who we lean on regularly for stories.
(LAUGHTER)
Dave Bittner: He's - I keep saying - especially over on "Caveat"...
Joe Carrigan: Right (laughter).
Dave Bittner: Ben and I really...
Joe Carrigan: You and Ben are frequently...
Dave Bittner: Yeah.
Joe Carrigan: ...Talking about how much you use him.
Dave Bittner: I know. We need to send him a gift basket...
Joe Carrigan: Yes.
Dave Bittner: ...'Cause he really does supply us with lots of good stuff. And he's a, you know, excellent journalist. This article is titled "The Booming Underground Market for Bots That Steal Your 2FA Codes." So, of course, you and I talk all the time about how two-factor is one of the best things you can do to protect yourself.
Joe Carrigan: Yes.
Dave Bittner: So this story is about people who - for example, they're minding their own business, going about their day-to-day life. And they get a phone call from PayPal's fraud prevention system.
Joe Carrigan: Right.
Dave Bittner: And it's an automated call. So it says, hello. You - this is PayPal's call - fraud prevention system. You know, that sort of thing, right?
Joe Carrigan: Right.
Dave Bittner: And in this case, the example they use here, they say someone tried to use a PayPal account to spend about 60 bucks, according to the automated voice, and PayPal needed to verify the identity in order to block the transfer. In other words, this is PayPal calling you in your interest because their system has detected attempted fraud.
Joe Carrigan: Right.
Dave Bittner: And they - the bot says, in order to secure your account, please enter the code we have sent your mobile device now.
Joe Carrigan: Ah, ha, ha.
Dave Bittner: So you get the code as a text message.
Joe Carrigan: Yes.
Dave Bittner: And then the bot says, thank you. Your account has been secured, and this request has been blocked. And then...
Joe Carrigan: Well, actually, I know what then is (laughter), right?
Dave Bittner: Well, no, but that - there's one more then...
Joe Carrigan: Oh, there's one more then?
Dave Bittner: ...Before I'm going to let you chime in...
Joe Carrigan: OK.
Dave Bittner: Yeah.
Joe Carrigan: All right.
Dave Bittner: ...With what's really going on here. But the - here's the kicker, OK?
Joe Carrigan: The...
Dave Bittner: The bot goes on to say, don't worry if any payment has been charged to your account. We will refund it within 24 to 48 hours.
Joe Carrigan: Ah.
Dave Bittner: Here's your reference ID number. You may now hang up.
Dave Bittner: So what's going on here, Joe (laughter)?
Joe Carrigan: Well, what's happening here is these scammers have got a - have built an automated system...
Dave Bittner: Yeah.
Joe Carrigan: ...That will attempt to log in to your account, your PayPal account. So these guys already have your PayPal account login information.
Dave Bittner: Right, right.
Joe Carrigan: They may have your username and your password. Or maybe they're just going through the password reset algorithm - or workflow, rather.
Dave Bittner: Yeah.
Joe Carrigan: That's probably what they're doing. And they have your cellphone number. So they know your email address and your cellphone number. And that's probably enough information to make this scam work.
Dave Bittner: Yeah.
Joe Carrigan: So I haven't ever done the password reset workflow through PayPal...
Dave Bittner: Yeah.
Joe Carrigan: ...Because I use a password manager and don't have to, right?
Dave Bittner: (Laughter) Right.
Joe Carrigan: So I can easily see PayPal using SMS as a second-factor authentication for when you forget your password. We're going to send you a code. So these guys go to your - go to PayPal. They enter your email address. They already know your phone number. Then before they say reset your password, they start the call. And then they say, reset my password. And then you get the text from PayPal that's actually from PayPal.
Dave Bittner: Right.
Joe Carrigan: And they get - then you give them the code, and they reset your password, log in and transfer money out of your PayPal account.
Dave Bittner: That's right. That's exactly right.
Joe Carrigan: Yep.
Dave Bittner: That's exactly what they're doing here. What's interesting, though, about this particular scheme is that by using these bots, these folks don't really have to have any social engineering skills.
Joe Carrigan: No.
Dave Bittner: Right?
Joe Carrigan: No, they don't.
Dave Bittner: They're playing off of the fact that we are accustomed to interacting with bots.
Joe Carrigan: Right.
Dave Bittner: It is not - it doesn't necessarily raise any red flags to get a call from a bot from a big provider like this. In fact, I would say it legitimizes it.
Joe Carrigan: Right, yeah.
Dave Bittner: Because big organizations like this - banks, credit card companies, whatever - we're dealing with bots with them all the time. You call to get a new credit card. You call in. Who do you talk to? You talk to a bot.
Joe Carrigan: Talk to a bot, that's right.
Dave Bittner: Right (laughter). So it sounds like that. And so these are services that people can buy. So it's scamming as a service. People can buy time on these services. And they make use of a couple of different technologies - you know, the ease of access to phone - you know, phone numbers and that sort of thing, being able to spoof the caller ID, all that sort of thing.
Joe Carrigan: Right.
Dave Bittner: And away they go. So I guess what I'm curious about is how do we prevent this? If you're using multifactor on PayPal and you tell them you don't want to use SMS, that's probably going to go a long way towards protecting you from this - right? - because - if you're using a YubiKey or something like that as your second factor.
Joe Carrigan: Yeah. You know what? I'm going to - I don't know how you do this because I don't know what the password reset workflow looks like...
Dave Bittner: Right.
Joe Carrigan: ...For PayPal. I don't know how - 'cause it could include an email address, right?
Dave Bittner: Yeah.
Joe Carrigan: They could email you something. But then these guys will just ask you for the email code.
Dave Bittner: Right.
Joe Carrigan: They continue to social engineer these codes out of you. And that's one of the weaknesses with these codes, even the one-time passwords that are time-based that you get from a product like we were talking about earlier with the Google Authenticator or those other products.
Dave Bittner: Yeah.
Joe Carrigan: Those are all capable of being asked for. And they're human readable, so you - so there's a human in the loop, so that's vulnerable.
Dave Bittner: Yeah.
Joe Carrigan: If you...
Dave Bittner: The ones I like - for example, with my password manager, one of the second factors there is if I try to log in somewhere, it just buzzes on my phone where the little thing pops up and says, is this you?
Joe Carrigan: Yeah.
Dave Bittner: And I just hit yes.
Joe Carrigan: Yes.
Dave Bittner: And that's it.
Joe Carrigan: Yep.
Dave Bittner: Doesn't ask for a code. It's using the fact that I have my phone in my hand...
Joe Carrigan: Right.
Dave Bittner: ...As the second factor.
Joe Carrigan: Yeah. That - and that's also not perfectly secure as well 'cause that - if somebody did a SIM swap on you, which is labor intensive but not impossible, then they would - and then they installed the app - I'm - well, maybe. I don't know. It depends on how secure you are from the beginning.
Dave Bittner: Yeah, 'cause I don't think the app really has anything to do...
Joe Carrigan: Right.
Dave Bittner: ...With my phone's SIM. I think the app is tied, you know, to my phone's...
Joe Carrigan: Yeah, on the internet.
Dave Bittner: ...Serial number or, yeah, whatever. So yeah.
Joe Carrigan: I don't know.
Dave Bittner: But...
Joe Carrigan: That's a good question.
Dave Bittner: It's tricky (laughter).
Joe Carrigan: It is tricky.
Dave Bittner: So for our listeners...
Joe Carrigan: Support Run-D.M.C.
Dave Bittner: (Laughter) For our listeners, I suppose the take-home advice here is, of course, as always, be skeptical.
Joe Carrigan: Be skeptical.
Dave Bittner: Right? Just because it's a bot...
Joe Carrigan: Right.
Dave Bittner: ...Doesn't mean it's not someone behind that trying to scam you out of something.
Joe Carrigan: The best policy here is not to give out information on inbound calls.
Dave Bittner: Yeah.
Joe Carrigan: You know, hang up and log in to your PayPal account and then - or call PayPal customer support. I don't know. Does that even happen? I mean, I've never had to deal with anything via PayPal before - like anything going wrong and had - never had to call their support people.
Dave Bittner: Yeah. They exist. I don't think they're easy to get through to (laughter).
Joe Carrigan: Right.
Dave Bittner: But they exist.
Joe Carrigan: I had to get - I had a problem with an Amazon order just yesterday.
Dave Bittner: Yeah?
Joe Carrigan: And it took, like, three calls or - the amount of searching I had to do on the website. I mean, these big tech companies, they're great, and they make our lives so much better. But when something goes wrong, it's terrible.
(LAUGHTER)
Dave Bittner: It can be.
Joe Carrigan: Right.
Dave Bittner: That's for sure. That's for sure. All right, well, again, that's a story by Joseph Cox over on Motherboard from VICE. And we will have a link to that in the show notes.
Dave Bittner: Joe, what do you have for us this week?
Joe Carrigan: Dave, my story comes from Ozair Malik over on CoolTechZone, which is a website that has, apparently, cool tech stories.
Dave Bittner: (Laughter).
Joe Carrigan: He's talking about a new warning from Avast about fake sugar daddies.
Dave Bittner: OK.
Joe Carrigan: So the story talks about a young girl in her early 20s and how she almost got scammed while she was scrolling through Instagram. She got a DM that was an older man who said he was looking for a sugar baby to send 1,500 euros per week to, right? And what he - what she does is go, oh, well, that's very interesting. I'd like to receive 1,500 euros a week. And he says, well, I need to find out that you're legit so I can send you these payments via PayPal. So if you could send me some money - here's a fake picture of me, right? It was obviously fake. Here's a picture of me. I need you to send me some money via Google Pay so you can be verified, right?
Joe Carrigan: And, of course, the idea here is - the scam is very simple. Somebody presents a young woman with an opportunity to collect large amounts of money, and all they have to do is verify the fact that they're legit by sending this person some small amount of money.
Dave Bittner: Now, what was this person promising in return? Like...
Joe Carrigan: Fifteen hundred euros a week.
Dave Bittner: But what does he get out of it?
Joe Carrigan: That's a good question. He says he's a widow just looking for someone to talk to.
Dave Bittner: Oh, OK. All right.
Joe Carrigan: So, you know, I don't know about you, Dave, but I think it's kind of unusual for an older man who's widowed to be talking to 20-something-year-old women looking for someone to talk to.
Dave Bittner: I think so. But if I ever find myself in that situation, I'll report back to you.
Joe Carrigan: Right (laughter).
Dave Bittner: Hopefully it'll never come to that.
Joe Carrigan: Hopefully it won't. Yes.
Dave Bittner: (Laughter).
Joe Carrigan: Once she realized - once she heard that this was - that this guy wanted money to send to her, she immediately blocked him. He was fake.
Dave Bittner: Yeah.
Joe Carrigan: But they lure in the victims through DMs, and they gain some trust. So they may start building rapport first. And then they offer free payments, but you have to verify. Once you send them the money, they disappear, and they ghost you. That's the end of it.
Joe Carrigan: This article has the one rule of thumb that we've - we often echo here. If something sounds too good to be true, probably is too good to be true. It's probably a scam.
Dave Bittner: Right.
Joe Carrigan: Ignore the unknown messages when people DM you. You know, I started a Skype account the other day 'cause I needed it more for something 'cause I couldn't get my other Skype accounts to come up. But no sooner did I open that account that somebody messaged me out of the blue - some random person. And I don't know what - it's on my work PC, and I haven't been there in a few days. So I'm interested to see what's going on on that one.
Dave Bittner: Yeah.
Joe Carrigan: The other thing they point out is free money. Nobody really wants to just give away 1,500 euros a week.
Dave Bittner: Right.
Joe Carrigan: Right. It's just not going to happen.
Dave Bittner: Yeah.
Joe Carrigan: If you're going - if you're getting these offers, that should also raise a red flag. And it could also be something more dark and sinister, which I would advise you stay away from under all circumstances.
Dave Bittner: Yeah.
Joe Carrigan: Right.
Dave Bittner: Yeah. You could see, though, how somebody could get drawn in by this because it's a combination of, you know, if you are - I mean, you know, for a lot of people, especially young people...
Joe Carrigan: Right.
Dave Bittner: You know, money's tight.
Joe Carrigan: Right.
Dave Bittner: Times are tough.
Joe Carrigan: Yep.
Dave Bittner: And so you have this...
Joe Carrigan: You hit the right person at the right point in time.
Dave Bittner: Right. And you have this sort of double whammy of someone who's offering to ease your pain financially. But also, they're showering you with compliments, you know? You look like such a kind person.
Joe Carrigan: Right.
Dave Bittner: You look so trustworthy. You know, I'm sure they say, oh, you're beautiful.
Joe Carrigan: Yeah.
Dave Bittner: You're so young. You remind me of my wife when she was young.
Joe Carrigan: Yes.
Dave Bittner: You know, that sort of thing. And so, as you said, they build rapport, and they really wear down your defenses.
Joe Carrigan: Right. And so this is one of the things we talk about is that the younger people are actually more susceptible to being scammed, and it's because of their lack of experience. So imagine you're a young person, and someone has approached you. They say they find you attractive. And they start building this rapport, and they say they want to send you money because you seem so nice or whatever. Maybe they're looking for some sugar babies to send money to.
Dave Bittner: Right - just want to help you out.
Joe Carrigan: They just want to help you out.
Dave Bittner: Yeah.
Joe Carrigan: But they need to verify you. I mean, if you're a young person who's never been exposed to this kind of a scam before, you may very well fall for it.
Dave Bittner: Yeah.
Joe Carrigan: Now, fortunately, these scams are not going to be that damaging for younger people. They're going to lose a small amount of money. They're not going to lose millions of dollars...
Dave Bittner: Right.
Joe Carrigan: ...Mainly 'cause they don't have it.
Dave Bittner: Right.
Joe Carrigan: But they can still lose enough money to not make rent...
Dave Bittner: Yeah.
Joe Carrigan: ...Which would be very impactful.
Dave Bittner: Well, and you could see how somebody could make a living doing this.
Joe Carrigan: Oh, absolutely.
Dave Bittner: If I can make 50 bucks an hour, you know, just churning through this sort of scam, that's a living.
Joe Carrigan: Yeah. One of the things you have to remember is a lot of these scammers live in countries where the average income is thousands of - a couple thousand dollars a year.
Dave Bittner: Yeah.
Joe Carrigan: Right. So if I can scam people out of $50 a day, I'm doing really well there.
Dave Bittner: Yeah. Yeah. All right. Well, a cautionary tale and I suppose particularly worth reminding the younger people in your family...
Joe Carrigan: Right.
Dave Bittner: ...That these things are out there and they just need to be mindful of them so they don't inadvertently get drawn in.
Joe Carrigan: When your kids start getting online, the first thing you have to tell them is not everybody is who they say they are. That's really - that was one of the first things I told my kids. And it's got to be one of the first things you tell your kids. When you - when they get a phone, just say, you know, you verify everybody you're talking to.
Dave Bittner: Yeah, 'cause on the internet, nobody knows you're a dog.
Joe Carrigan: Right.
Dave Bittner: Yeah. All right, Joe, those are our stories. It's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, this week, I actually put together a Stringer of the Day.
Dave Bittner: OK.
Joe Carrigan: It's a fishing metaphor.
Dave Bittner: All right.
Joe Carrigan: Do you get it? Do you ever go fishing? You use a stringer when you catch a bunch of fish.
Dave Bittner: I have - yes, I have gone fishing. I don't know that I've ever used a stringer, but I know what it is.
Joe Carrigan: OK. So it's - a lot of people lately have - I've seen a lot of these in meme form and in picture form on Reddit and places like that. They're impersonating celebrities. And this first one is coming from Lady Gaga.
Dave Bittner: Ooh. I like Lady Gaga. I think she's the real deal.
Joe Carrigan: Oh, yeah. Well, this is not the real Lady Gaga.
Dave Bittner: (Laughter).
Joe Carrigan: Why don't you read this first one?
Dave Bittner: It goes like this (ph).
Joe Carrigan: It's pretty good.
Dave Bittner: (Reading) Hey. It's Lady Gaga. I need $145 to continue working on my new song, "Rah, Rah, Ah, Ah, Ah."
Joe Carrigan: (Laughter) That's awesome, isn't it?
Dave Bittner: Yeah.
Joe Carrigan: Lady Gaga needs $145 to continue working on a song.
Dave Bittner: Yeah.
Joe Carrigan: This is one of the most successful artists in the world.
Dave Bittner: (Laughter) Lady Gaga, A, has $145 in her couch cushions (laughter).
Joe Carrigan: Right. And she needs your help.
Dave Bittner: Yeah. Yeah. OK. Who else?
Joe Carrigan: This is - this one's my favorite. This one's from Jeff Bezos.
Dave Bittner: Oh, OK.
Joe Carrigan: I love it. Read it.
Dave Bittner: (Reading) Hello. It's Jeff Bezos. You win special giveaway for $10 million. All me need it - credit card info, OK?
Joe Carrigan: And the guy responds. He says, hold up. How do I know this is really Jeff Bezos?
(LAUGHTER)
Dave Bittner: He sends back a picture of a guy...
Joe Carrigan: He sends a picture of a bald guy in a tuxedo...
Dave Bittner: Who is not Jeff Bezos.
Joe Carrigan: ...That is not Jeff Bezos.
(LAUGHTER)
Dave Bittner: No. Doesn't - I mean, the only thing he has in common with Jeff Bezos is they're both bald and, I guess, they both probably own tuxedos. But...
Joe Carrigan: Right (laughter)?
Dave Bittner: ...Other than that, anybody who's seen a picture of Jeff Bezos - it's not him (laughter).
Joe Carrigan: That's not Jeff Bezos. It's - I've - I love it. All me need it - credit card (laughter).
Dave Bittner: Yeah. All me...
Joe Carrigan: (Laughter) Right?
Dave Bittner: All right. One more?
Joe Carrigan: One more.
Dave Bittner: OK.
Joe Carrigan: This is from Dominic Monaghan...
Dave Bittner: OK, I'm...
Joe Carrigan: ...Who slides into somebody's Twitter DM.
Dave Bittner: Who's Dominic Monaghan? I'm not familiar.
Joe Carrigan: He's an actor.
Dave Bittner: He's an actor?
Joe Carrigan: Yes.
Dave Bittner: Ah, all right.
Dave Bittner: (Reading) Hi. Thanks for your likes and comments on my official page. You are welcome to my private page where you can chat with me for free. You can me personally on Hangouts. Please don't share my private Gmail with anyone. This should confidential. Dom - and it has the email address at Gmail.
Joe Carrigan: Right. That's the whole scam.
Dave Bittner: Yeah, OK.
Joe Carrigan: It's - the person replies, is this for real because I've had a lot of fake celebrity accounts contact me to last a lifetime?
Joe Carrigan: So obviously, this person is suspicious. But it's obviously not for real.
Dave Bittner: Yeah.
Joe Carrigan: These are great.
Dave Bittner: Yeah.
Joe Carrigan: But...
Dave Bittner: I can imagine someone who, you know - have you ever had an interaction online with one of your favorite celebrities?
Joe Carrigan: One of my favorite celebrities?
Dave Bittner: Or just some celebrity that you admire or, you know, that you - have you ever had the delight of having some sort of interaction with a celebrity you admire who you never thought you would have the opportunity to interact with? I have, and it's thrilling.
Joe Carrigan: I have had some interactions with some music acts.
Dave Bittner: Yeah.
Joe Carrigan: But they're not that big.
Dave Bittner: OK, yeah.
Joe Carrigan: So they use social media to interact with their fans.
Dave Bittner: Right.
Joe Carrigan: So, yes, I have had that, but not with anybody major.
Dave Bittner: Yeah. Well, it's thrilling.
Joe Carrigan: Yeah.
Dave Bittner: And because of that, that's - again, that's where you get your - your defenses get short-circuited 'cause it can make...
Joe Carrigan: Oh, I did have Kevin Smith like one of my tweets once.
Dave Bittner: There you go. See? Exact - there you go. OK.
Joe Carrigan: That was the highlight...
Dave Bittner: That was thrilling, right?
Joe Carrigan: ...Of my entire career.
Dave Bittner: Yeah, you were walking on air...
Joe Carrigan: I was.
Dave Bittner: ...For the next couple days, yeah.
Joe Carrigan: Of course, I mentioned him in the tweet, though.
Dave Bittner: (Laughter).
Joe Carrigan: And it was about something he had written in a comic book trade I had. It was quoted as - the comic book being one of the most important comics of all time. And he liked the tweet. And I was like, oh, Kevin Smith liked it.
Dave Bittner: Yeah. Well, there you go.
Joe Carrigan: You're right. It was - the star power was...
Dave Bittner: Yeah.
Joe Carrigan: ...Mesmerizing.
Dave Bittner: And that's what these people are taking advantage of.
Joe Carrigan: That's right.
Dave Bittner: All right. Well, that is our Catch of the Day. We would love to hear from you. If you have something you'd like for us to cover on the show, you can send us an email. It's hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Blake Hall. He is the CEO and co-founder of a company called ID.me. And we covered various bits of ground on protecting your identity online. Here's my conversation with Blake Hall.
Blake Hall: Last June, we worked with zero states. And today, we verify identity for 27 states that represent over 80% of America's population. And that's what my company, ID.me, does, is we verify that somebody is who they're claiming to be. And the reason why we were adopted so quickly was just because there was an overwhelming amount of fraud related to the stimulus aid. And I'm happy to talk about how some of the CARES Act stimulus changed the way that unemployment benefits are distributed in the United States.
Dave Bittner: Yeah. Can we dig into that? I mean, what makes this a particular target? Why is this so attractive to the bad guys out there?
Blake Hall: Sure. So in traditional unemployment insurance, you have an employer who can work with the state workforce agency to adjudicate an employee's claims. So usually, traditional unemployment fraud is eligibility fraud, where an employee and an employer might disagree on the circumstances that led that person to leave the company. And then depending on what's actually true - or they could corroborate it - benefits are paid out. So there's a natural control against fraud, if you will, in that the employer is involved in the process as well.
Blake Hall: When the stimulus hit and as part of the CARES Act, there was a new program that was created for unemployment benefits called the Pandemic Unemployment Assistance program, or PUA for short. And what PUA was designed to do is to help self-employed workers, members of the gig economy who drive for Lyft and Uber and Instacart. And what that meant was any identity, any person could simply claim that they were self-employed or a driver for a sharing economy app, and they could immediately begin to receive benefits to the tune of 500, $600 a week.
Blake Hall: And, of course, if you stack the weeks from, like, March out till October or November, 'cause you can backdate claims, you start talking about debit cards that are being mailed out with $20,000 on it. And criminals have never had an opportunity to just take one stolen identity and turn it into 20 grand. And it became their Super Bowl for organized crime around the world and also here domestically.
Dave Bittner: I'm intrigued by the history of people being able to identify themselves for these sorts of things. It seems to me like the Social Security number itself has kind of - you know, it's not the secret it used to be, right?
Blake Hall: Yeah. Well, I think the way that we think about name, date of birth and Social Security number is like an address in the yellow pages. It is useful to uniquely identify one person. If you have, you know, a common name like John Smith, you know, or Sally Jones or something like that, there's going to be a lot of Americans who share the same name and date of birth. And so the Social Security number is useful to say whose unique identity is being claimed - like, which John Smith, which Sally Jones. And that's a term, an identity that's called identity resolution - resolving one identity and separating it from all others.
Blake Hall: The problem is, like, just knowing somebody's sort of legal identity address doesn't mean that you're them. And that's where - it sounds simple, but that's where a lot of organizations get it wrong. That just because you know somebody's information and they're - and that they're unique, that doesn't mean the person who knows that information is that person.
Blake Hall: And that's the difference between validation and verification. Validation is saying, we're talking about this specific John Smith. Verification is saying, OK, John, show me proof that you are this John Smith - a phone with tenure, a government ID. Does your face match the photo on the government ID? Has that been altered? Does the address history for this person match, and does that also tie back to the address tied to the phone and tie back to records?
Blake Hall: And so that was the piece that was missing with this program initially in that states were largely just taking it on an honor system that if you knew the name, date of birth, social, you were that person. And they were distributing aid because they're running on 1980s technology, and none of them were nearly equipped to do any kind of remote digital identity verification.
Blake Hall: And once fraudsters realized that and once the weeks began to stack - $600, $600, $600 - you had an amazing profit opportunity from their point of view with virtually no security to stop it because you can buy all these breached identities, you know, from all the various breaches in the dark web for pennies or dollars.
Dave Bittner: Well, help me understand what an organization like yours brings to the table here. Why a third party to help manage this sort of thing?
Blake Hall: What's different about us - and I'd really, you know, give credit where credit is due - is there are a lot of subject matter experts on security and privacy at the National Institute of Standards and Technology, NIST. It's an agency of the Department of Commerce. And these people are super smart. I mean, they do everything from, like, the strength of the laser on your DVD player to make sure that it's strong enough to read the content but not too strong that, you know, it would punch through the disc - truly, like, super-smart people.
Blake Hall: And so NIST publishes standards that say, here's the right level of confidence for verifying a consumer's identity when interacting with the government for government benefits. And they lay out these technical and policy controls that you should meet before you say, yes, like, this person is John Smith and is, therefore, eligible, you know, for unemployment if they're claiming that they're self-employed.
Blake Hall: And what we really proved is that those standards are effective. A lot of states were using either just validation, or they were using a process known as knowledge-based authentication, a question-and-answer process. And unfortunately, there have been so many data breaches that bad guys can answer those questions faster than humans can, and they'll launch bot attacks.
Blake Hall: I mean, they can not only answer them faster; they can literally, like, load up, like, an ammunition in a clip all these stolen identities. They have bots that can solve for the interactive question-and-answer process, so they can just defraud these government agencies at scale. And we certainly saw that in many states that suffered from bot attacks as criminals patterned what the application process was.
Blake Hall: And so NIST, several years ago, back in 2017, said, hey, this question-and-answer process is no longer an effective tool. It's hard for legitimate users to pass. It's easy for bad guys to pass. But a lot of organizations still use it.
Blake Hall: What we've done differently is two things. We meet those standards. The standards are effective. And then we also offered a relief valve - a video chat solution that lives on top of our self-serve process so that if you moved, which a lot of people do during a pandemic - if you lose your job, you're much more likely to leave home and to go back home with family. And when that happens, your address changes, a lot of the traditional records validation sources will be out of date 'cause you don't live there anymore.
Blake Hall: And so video chat, which just virtualizes what an in-person interaction with an ID card would be, was an incredibly important tool for access to help people get through that maybe don't have credit history or moved recently or changed their name, where their information is listed inaccurately in records. And because of those access to security capabilities, we had states tell us that as soon as we went live, neighboring states that didn't use us saw their fraud rates double literally overnight. And that's how you go from zero states to 27 in about 10 months.
Dave Bittner: And so the way that this works is the state works with you to sort of handle that part of it. They say to the folks who are applying to these things, if you come through this third-party provider, then, you know, it's going to streamline things, and we will know that you are who you say you are. Do I have that basically right?
Blake Hall: Yeah, that's right. They were running 1980s, you know, COBOL technology. They don't - they didn't stand, you know, a chance - any one of the states - at building their own technology stack with machine vision and face biometrics and telecom and device verification and fraud and device intelligence and multifactor authentication. That's just all a SaaS solution.
Blake Hall: And we are in the era, you know, of SpaceX and NASA, these great public-private partnerships. So we're a federally certified identity provider. They plugged us in and said, yes, you can apply for this program, but first we need to verify that you are who you're claiming to be. And a number of states did that in September and October. And then the federal government actually required it by law in December of last year during the second round of the CARES Act stimulus.
Dave Bittner: And how do we be sure that we're not dividing folks into the haves and the have-nots - that, you know, having this additional step isn't some sort of, you know, burden that folks who already might be in a position of need - might be an extra step that makes it harder for them?
Blake Hall: Well, the reason these standards exist in the first place is that if you want access and equity, there has to be harmony between security and access upfront because the long-term effects of saying, hey, we want to distribute the aid, and we just want to get it out the door; we're not going to verify identity at all - that actually dramatically decreased access over the long term because criminals were just filing in mass in these other people's identities. And when that actual person needed the aid themselves, they would often go to file - and there's a lot of stories about this - and find out that the criminal had already registered their own identity before them.
Blake Hall: And when that happens, they are completely blocked from their benefits. And these call centers are overwhelmed. And they could go, you know, days or weeks without even getting through to somebody at the call center. And even when they get through to the call center, a human being isn't able to, like, effectively adjudicate which application is the criminal's and which application is the real person's 'cause criminals will also use these member support channels and use a technique called social engineering to trick state employees and target them that way.
Blake Hall: So if you don't get the security right upfront, you actually reduce equity in access because criminals are able to claim your identity before you are. And if they're being paid out in a state, and the states talk to each other, they'll say, sorry, Dave, out of luck.
Dave Bittner: Yeah.
Blake Hall: You know, to put that in context, when we went into, like, California on October 1, California's agency was completely shut down at the end of September due to fraud for two weeks. Virginia had to shut down in April of this year due to fraud prior to our introduction. Arizona had 570,400 new pandemic unemployment assistance claims in a week - this is a state with a population of 7.2 million - the week before our introduction. The week after our introduction - 6,700.
Blake Hall: And as these fraudsters learned the system and they moved horizontally, they began to attack traditional unemployment insurance and just flood the zone and overwhelm these, like, small-business owners with paperwork that they could never hope to respond to - like, 200, 300 employees at, like, a five-person pizza shop - and then knowing that the states would pay out claims before letting a backlog grew. And so the fraud metastasized to even, you know, the traditional UI programs and outside of the new stimulus program.
Blake Hall: So it's a new persistent threat that's not going to go away. But it's important to put in context many of the agencies we work with had completely shut down. They were not functioning at all prior to our introduction because the fraud was so overwhelming they couldn't distinguish fraudulent applicants from legitimate applicants. So, you know, in those states - and the timeline's, like, right there - we were the critical tool that allowed them to open back up in the first place. And that's the reason why.
Dave Bittner: And what happens when a fraudster tries to make their way through your system? I'm sure you've experienced that.
Blake Hall: Yeah. Yeah, no, this last, you know, 15 months or so - it's been unbelievable. I've never seen fraud anywhere like this. I mean, even right now, the raids targeting some California, Arizona, Nevada, some West Coast states - they're 15 times the rate of fraud that we see at the Internal Revenue Service, to put it in perspective, in terms of fake IDs and everything else.
Blake Hall: There are three types of fraud. There's first-party fraud, and that's you are who you're claiming to be, but you're clearly not eligible for something. And these are folks who will, like, get packages from Amazon, and then they'll say, I never received the package. I want my refund. And they try to keep whatever they ordered plus get their money back.
Blake Hall: You have second-party fraud. And second-party fraud is somebody who's in a position of trust or agency that abuses that position of trust. It could be a spouse. It could be a doctor. It could be an orderly who works at a nursing home. And in fact, we saw that as well earlier on. And this is actually, I think, an investigation that's happening right now in Pennsylvania. You had orderlies taking mentally challenged people into the bathroom and attempting to speak for them off camera and to use their identity documents to file for unemployment...
Dave Bittner: Wow.
Blake Hall: ...To - you know, just really, really awful stuff.
Blake Hall: And then you've got third-party fraud. And so third-party fraud is, you know, somebody, you know, taking stolen personal data and then claiming to be, you know, somebody else. And yeah, we saw a ton of that. A full - you know, anywhere from, like, 20 to 30% of the people that were actually trying to verify their identity was just pure third-party fraud.
Blake Hall: And then we see about 10% of the attacks - probably more now, actually, because we've shut off the third-party fraud, so they're moving to, like, trying to scam victims to helping them - something called social engineering, where they'll tell somebody that they've won, you know, prize money or they're going to get a job.
Blake Hall: And this is almost the convergence of third-party and first-party fraud, where criminals - once they're not able to use, like, stolen data to verify identity anymore, they'll engage in these elaborate cons and scams where they literally have scripts, and it's, like, a boiler room where they convince different folks that they won prize money or a romance scam or that they're going to get a job. And they harvest their personal data, and they collect their government IDs, and they convince them to click links and take selfies.
Blake Hall: And that's kind of where the fight is at right now, that we are extremely effective at preventing folks from identity theft but protecting, you know, you from yourself is a pretty tall order. Although we have a lot of controls in there that we've built in, it's cat-and-mouse to pierce the scam to let these folks understand that they're being tricked.
Blake Hall: So we'll send text messages during the verification to say, you know, hey, this verification is for Indiana DWD, or this is for Georgia DOL. So that really disrupted, like, prize money scams because it'd be like, well, you know - or romance scams because it'd be like, well, why am I verifying, you know, for a state workforce agency? That's dissonant with whatever the attacker is telling them.
Blake Hall: So then the attackers change their methods, and they move heavily towards, like, job scams, which could have some plausible relationship to a state workforce agency. Then what we do is after the identity has been used, similar to how a bank will notify you of suspicious activity on your credit card, we'll text you and say your identity was used at this government agency for this purpose. Here's the email tied to your account.
Blake Hall: And so now victims have the opportunity to say, no, I don't recognize that email. No, I didn't authorize that use. And a lot of the same tactics you see in payments are there, but that's a different ballgame because the actual owner of the identity is taking the verification steps. They've just been tricked into cooperating with the attackers.
Dave Bittner: So what are your recommendations here? I mean, for folks who want to do a better job of protecting their own identities and try to, you know, prevent these fraudsters from borrowing their identities, what are some of the steps they can take?
Blake Hall: Sure. So, you know, the first thing - you can do credit monitoring and things like that. There's some identity theft protection services that are out there. That's certainly something that everyone can do if they just want to kind of understand what's going on and get alerts if their identity is being used in a particular way.
Blake Hall: The more important behavior is just having a good amount of skepticism when you deal with anybody who calls you or asks you for your information through social media. You need to vet those exchanges before you ever send your social or your driver's license or your Social Security card to a stranger.
Blake Hall: And some of the ways that you can do that - I mean, one, no legitimate organization will ever ask you for, like, the six-digit code that's texted to your phone or for your sensitive information over, you know, Telegram or WhatsApp or even, like, Google Chat or whatever.
Blake Hall: And if you are, you know, in the process of getting a job, if you think that's true, you should validate that directly with the official business line of the business and their HR department to make sure that you're actually engaging with an authorized representative of the company and that they're aware of it 'cause these criminals are exploiting all this move to remote work and hiring where the in-person interactions are less frequent.
Blake Hall: And so there just needs to be a little bit of vetting and validation, ironically, that folks do on these offers before they just blindly start to send out their information 'cause some of these con artists are really, really good and persuasive. But at the end of the day, if you just go back to the source and the business itself, you can find out whether it's legitimate or not.
Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: Our response to the pandemic changed so much of our daily lives. First off, whether you agree with the lockdown or not, you cannot argue with its impact on the economy and on the situation. We had a huge unemployment issue.
Dave Bittner: Right.
Joe Carrigan: And that opportunity for unemployment insurance fraud that was presented was massive.
Dave Bittner: Yeah.
Joe Carrigan: Blake says bad guys could turn one stolen identity into $20,000. That's a lot of money. Of course, it's delivered via debit card, right?
Dave Bittner: Right.
Joe Carrigan: And you could just go and take the money out of an ATM and walk away with cash.
Dave Bittner: Yeah, yeah. We had - several of my co-workers got - you know, their identities got hit with this.
Joe Carrigan: Right.
Dave Bittner: In other words, we got a notice from the state of Maryland, where we live, saying, is this person unemployed? And, you know, our HR folks were like, no. They're employed.
Joe Carrigan: Right.
Dave Bittner: This is a scam.
Joe Carrigan: Right.
Dave Bittner: And - but, you know, you've got to fill out paperwork and all that kind of stuff, so - but I guess it was impressive with how many - how much the state was getting hammered by...
Joe Carrigan: Right.
Dave Bittner: ...These applications.
Joe Carrigan: And what Blake says is interesting about this - the impact this has on the individual people who - let's say that you don't lose your job until a couple months into the pandemic, right?
Dave Bittner: Right.
Joe Carrigan: Now you go to apply for benefits, and somebody has already been collecting benefits on your behalf for the past six months...
Dave Bittner: Yeah.
Joe Carrigan: ...Or three months or whatever. So you're out a specific amount of benefit, and now you have to go through the unimaginable nightmare of calling into your department - state's department of labor or whatever the equivalent is - and not having your call answered because they cannot answer all those calls.
Dave Bittner: Right. Yeah, they're overwhelmed as well.
Joe Carrigan: They're overwhelmed as well.
Dave Bittner: Yep.
Joe Carrigan: You know, when we talk about these guys getting $20,000 for one identity, sometimes I feel like a chump for not doing these kind of things, Dave.
Dave Bittner: (Laughter) It's so - it's really tough having ethics, isn't it, Joe?
Joe Carrigan: Right. Yeah. It is. It's tough being a morally upstanding guy.
Dave Bittner: Yeah (laughter).
Joe Carrigan: Watching these guys walk away with the money - I think that's one of the reasons that this makes us angry - right? - is that we're like, these guys are actually getting away with this money, and...
Dave Bittner: Yeah.
Joe Carrigan: I mean, not only do we feel wronged by it. We also feel like we missed an opportunity. I don't know. Maybe.
Dave Bittner: Oh, to be a sociopath (laughter).
Joe Carrigan: Right? Oh, to be a - if only I had no conscience.
Dave Bittner: Right. Right.
Joe Carrigan: Blake makes a great point about validation and verification. They are two different things, much like - I draw an immediate connection in my mind between authorization and authentication, right? Are you who you say you are, and are you allowed to do this? That's authorization and authentication. And I'm mixing those up backwards, but validation is, is this information correct? Verification is, is this person the person I should be speaking to?
Joe Carrigan: I want to touch on something - we already talked about this a little bit, but Blake says that a lot of these states were ill-equipped for handling this situation. They're running on technology from the '80s, and he used the term honor system for applying for these benefits. What do you do then? Paying the fraudulent claims so that legit claims are not unduly delayed may be a valid decision, right?
Dave Bittner: Yeah.
Joe Carrigan: I mean, it's wasteful, right?
Dave Bittner: Yeah.
Joe Carrigan: But the - what are the consequences if you don't do that?
Dave Bittner: Right.
Joe Carrigan: It's an unfortunate decision we all had to be put in, all these state governments had to be put in recently.
Dave Bittner: Yeah. Yeah, in the midst of a public health emergency.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Knowledge-based authentication has never really been a good solution. As Blake points out, it can be hard for legitimate people to verify the information, but thanks to the massive amount of data breaches we've all experienced, it's not only easy for these bad guys to get the information and pass these tests. They can now automate it, which is amazing to me.
Dave Bittner: Yeah.
Joe Carrigan: Interesting artifact of using a service like ID.me - that Blake is the CEO of - is that that pushes the fraud out into neighboring states, right? These criminals are not going to walk away from the money.
Dave Bittner: Right. Yeah, and I guess, ultimately, it gets everybody to up their game.
Joe Carrigan: Right.
Dave Bittner: But it's not all going to happen at once.
Joe Carrigan: Right, especially when you're talking about state governments in a country like the United States, where the federal government doesn't do - you know, you think of smaller countries...
Dave Bittner: Yeah.
Joe Carrigan: ...And their federal government can handle a lot more because they don't have to take care of the world's third-largest population, right?
Dave Bittner: Right.
Joe Carrigan: So we rely heavily on our state governments to do this. Well, that's a very disparate system.
Dave Bittner: Yeah.
Joe Carrigan: And, you know, there are certainly advantages to it, but because of the nature of our system of government, it makes this kind of thing possible, you know, where one state has a system and another state doesn't.
Dave Bittner: Yeah, absolutely. All right, well, our thanks to Blake Hall for joining us. Again, the company is ID.me, and we do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.