Hacking Humans 12.16.21
Ep 176 | 12.16.21

The 3 M's: Minimize, monitor and manage.

Transcript

Adam Levin: Many times, you can limit the damage that will occur if you move quickly.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with security expert and podcast host Adam Levin. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we've got some quick follow-up here. A listener named David (ph) wrote in, and he said, hi, Dave and Joe. I enjoy listening to the show every week and heard the question for John (ph) regarding 2FA. I like YubiKeys because they protect you from man-in-the-middle attacks but understand why they're not for everyone. John asked about authenticator apps and implied that Authy might be vulnerable to compromise of the associated phone number and/or email address. 

Joe Carrigan: Right. 

Dave Bittner: Before uploading anything to the cloud, Authy encrypts all your 2FA secrets with the key derived from your backup's password, which remains local on your device. New devices can be authorized via email, SMS or an existing device. Whichever way you decide to go, the new device just receives an encrypted blob of 2FA secrets. 

Joe Carrigan: I see. 

Dave Bittner: You need to enter your backup's password on the new device to allow this to be decrypted. So an attacker would need to take control of your phone number and/or email address and brute-force your backup's password before getting access to your 2FA secrets. Use a unique random password for Authy, and no one is getting your 2FA secrets. And cheers, David. 

Dave Bittner: All right. 

Joe Carrigan: Yes. 

Dave Bittner: So good clarification there, Joe? 

Joe Carrigan: Yes, it's - it looks like that Authy encrypts the data and uses something called password-based key derivation. 

Dave Bittner: OK. 

Joe Carrigan: And David is correct. That is subject to a brute force attack. But if you have a sufficiently complex password, they'll never achieve that. 

Dave Bittner: Yeah. Now, it seems as though, you know, these authenticator apps have most of our concerns covered... 

Joe Carrigan: Right. 

Dave Bittner: ...Which I guess is not surprising. 

Joe Carrigan: Yeah. 

Dave Bittner: But it's nice to have these clarifications thanks to... 

Joe Carrigan: And it's nice to understand the inner workings of these things. 

Dave Bittner: Yeah, yeah. Fill in the gaps in our own lack of knowledge about things, which we can always count on our listeners for (laughter). 

Joe Carrigan: Right. Like I said, I've never used Authy. I'm not sure how it works. I'm not familiar with it. 

Dave Bittner: Yeah. 

Joe Carrigan: So thank you for sending this in, David. I appreciate it. 

Dave Bittner: Yeah. All right. Well, let's move on to some stories this week. Joe, why don't you kick things off for us? 

Joe Carrigan: Dave, when you ask a young person in computer science what they want to do after they graduate, they often say they want to work for a video game company. 

Dave Bittner: Oh. 

Joe Carrigan: Right? 

Dave Bittner: Well, why not? Sure. 

Joe Carrigan: It's fun, right? 

Dave Bittner: I would think so. 

Joe Carrigan: It's not fun. 

(LAUGHTER) 

Joe Carrigan: It's... 

(LAUGHTER) 

Dave Bittner: So that's how they get you. 

Joe Carrigan: It's not a - it's a lot of work with really hard schedules. 

Dave Bittner: Yeah. 

Joe Carrigan: And these games are not simple things that are just thrown together. They are complex programs that are huge, and there's a lot of work to be done in them. 

Dave Bittner: Right. 

Joe Carrigan: But still, people want to work there because it's something that they've grown up with experiencing. And actually, it's a valid career path, and it can be very rewarding. 

Dave Bittner: Yeah, I guess it's high profile. 

Joe Carrigan: Yep. 

Dave Bittner: My - I remember my youngest son - someone - like, on, you know, bring your dad to work day or something, someone's dad came in who was a game developer for one of the big games that all the kids like to play. I don't remember which one. But the kids were starstruck... 

Joe Carrigan: Right. 

Dave Bittner: ...By this guy. 

(LAUGHTER) 

Dave Bittner: You know, absolutely starstruck, not the least of which because he had posters to give away of the - this cool video game. 

Joe Carrigan: Awesome. 

Dave Bittner: So yeah (laughter). 

Joe Carrigan: I want a poster now. So it's not just computer science graduates, but also art and design students as well because you need a lot of artists to make a video game good. 

Dave Bittner: Sure. 

Joe Carrigan: You can't employ people like me who might be good developers but terrible artists (laughter). 

Dave Bittner: Right. 

Joe Carrigan: Nobody will buy your game. 

Dave Bittner: Right. 

Joe Carrigan: So these jobs are relatively scarce in the marketplace, and they have kind of this high demand for them. There's a few gaming companies out there but not a lot. You generally don't see these people having a hard time filling their positions. So guess what that creates? It creates an ideal marketplace for scammers... 

Dave Bittner: OK. 

Joe Carrigan: ...To insert themselves. And Nicole Carpenter at Polygon has a story about Riot Games and how they're filing a lawsuit. By the way, I should mention - Nicole's Twitter handle, which is on the top of this article, is sweetpotatoes. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's a pretty O.G. Twitter handle, Nicole. 

Dave Bittner: That's good, yeah (laughter). 

Joe Carrigan: I'm impressed. 

Dave Bittner: OK, very good (laughter). We know what her favorite side dish at Thanksgiving is. 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: OK. 

Joe Carrigan: So the article says that there are a lot of video gaming companies that have experienced this. Like, Rockstar Games, who makes Grand Theft Auto, that franchise, Manticore Games - I'm not really familiar with them - and Riot Games are the three mentioned in this article. But Riot has actually taken the step of filing a lawsuit against these unnamed people. And they've said that they're suing them for fraud and infringement. 

Joe Carrigan: And it's interesting. In this, they have an Exhibit C, which is a picture of one of these scams. Here's how the scam works. Let me - before I talk about Exhibit C... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Let me tell you how the scam works... 

Dave Bittner: OK. 

Joe Carrigan: ...Because it's detailed in the lawsuit. Applicants are contacted by a recruiter, either on Indeed - like, they post fake apps - fake ads for ads, or they just reach out to people. And once they respond to one of these ads or once they get contacted, these scammers move over to Discord or email or some other chat platform with a person impersonating someone from Riot Games human resources. And depending on the platform, handles would be subject - or changed to match up, right? So it would say, like, Riot Bob or something like that. 

Dave Bittner: OK. 

Joe Carrigan: Right? So it looks like it's from Riot. And the interview would begin, and these people would go through a pretty rigorous interviewing process. And at the end of it, there would be a job offer, and once the job offer had been accepted - right? - they would ask these people for all their banking information and - so that they can set up... 

Dave Bittner: Oh, direct deposit. 

Joe Carrigan: So they could set up direct deposit, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Then applicants would be asked to transfer money for work equipment, which will be refunded via an online check. And when these people go to deposit this online check, which I'm not - I've never heard the term online check. Have you? 

Dave Bittner: Not - no, not specifically, but... 

Joe Carrigan: Right. They would, of course, find out that the check is fraudulent. 

Dave Bittner: Yeah. 

Joe Carrigan: There's a great quote from one of the victims in here that is poignant and - I mean, I wouldn't say - it's actually heartbreaking. 

Dave Bittner: Yeah. 

Joe Carrigan: One victim says, I've been rejected from a lot of jobs. This felt much worse. 

Dave Bittner: Yeah. 

Joe Carrigan: Which I can absolutely imagine. Unfortunately for these folks, there generally is no happy ending for them. They're just out the money, and they don't have a job that they thought they were going to get. I mean, that level of disappointment is... 

Dave Bittner: Yeah. Imagine the excitement of your dream job. 

Joe Carrigan: Right. And the lawyer for Riot has said, this is - we're not going to stand for this. And that's why they're going ahead and they're starting this lawsuit now, even before they identify who these people are. Chances are they won't make much headway, you know, because these are probably international criminals. But I think it's sad. 

Dave Bittner: It is, and yeah, I wonder if it's a shot across the bow or if it's trying to say to these people, we're trying to make this not worth your time. We see what you're doing. 

Joe Carrigan: Yeah. 

Dave Bittner: Move on to some other victim, you know, some other vertical, in other words. 

Joe Carrigan: Right. Yes. 

Dave Bittner: You know what I mean? 

Joe Carrigan: Somebody else in the market? 

Dave Bittner: Yeah. Well, and maybe - I mean, I suppose if the video game folks got together and said, we're going to come after these folks... 

Joe Carrigan: Yeah. 

Dave Bittner: You know, move on to Hollywood or (laughter)... 

Joe Carrigan: Yeah. 

Dave Bittner: Like, just - who do video game people not like? I don't know. But... 

(LAUGHTER) 

Dave Bittner: But their rivals. 

Joe Carrigan: News organizations. 

Dave Bittner: Yeah. Whatever. 

Joe Carrigan: News organizations used to say video games cause violence. 

Dave Bittner: Sporting goods marketers. 

Joe Carrigan: Right. 

Dave Bittner: People who keep kids away from video games, right? 

Joe Carrigan: Yes. Right. 

Dave Bittner: But - yeah, but I think your point is excellent, though, which is that how are they going to go after these people... 

Joe Carrigan: Right. 

Dave Bittner: ...And have any real meaning if they're overseas, if they're in a place where their governments aren't going to back us up, which chances are they are? 

Joe Carrigan: They're not. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: So it's - I don't know. Is it just demonstrative, I guess, more than anything? 

Joe Carrigan: Yeah, I think it is. The last quote in the article says, 80% or more of what's fueling this problem is that you don't have a physical office, right? This has to do a lot with the pandemic. You can't go to some location and say, oh, here's the office. Here's the logo on the wall. Here is people walking around. There's 40 people in this building that when they answer the phone at the front desk, they say the name of the gaming company, right? We're all doing this remotely, so it makes people more susceptible to this kind of predatory behavior, unfortunately. 

Dave Bittner: Yeah, I guess. But if you're the job applicant, how then do you verify that who you're dealing with is the real deal? 

Joe Carrigan: That's an excellent question. Well, Indeed actually has a set of do's and don'ts on their website, and we'll put a link in the show notes for this. Since Indeed is listed in this article, they actually said, go check out this list. 

Joe Carrigan: Do's - look for verifiable company email addresses, right? Make sure they're not being smooth - spoofed, rather, 'cause that could be possible. Match the offer to your application. Be cautious when pursuing positions with salaries, perks and flexibility that seem too good to be true. Insist on an in-person or video interview. Right? That's a good one. And always report suspicious communication to Indeed. 

Joe Carrigan: Never send any - these are the don'ts - never send any form of payment to a potential employer to apply on Indeed. 

Dave Bittner: Right. 

Joe Carrigan: Or that you apply to on Indeed. Never - no employer is ever going to need money from you. That's not how the employment relationship works. 

Dave Bittner: Right. 

Joe Carrigan: Right? That should be a big red flag. 

Dave Bittner: Yeah. 

Joe Carrigan: Never agree to perform any financial transaction on behalf of a potential employer. That is another scam that happens where people are being exploited as money mules. So don't do that. You may actually be criminally liable for those. Never agree to a job that involves opening multiple accounts or posting an ad on Indeed or other sites, which is - now you're just helping them further their scam, right? And never accept money upfront for work you have not performed. 

Dave Bittner: Oh. 

Joe Carrigan: They say this is a tactic commonly used in financial scams to put you - and can put you at considerable legal risk. This is, again, using you as a money mule. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, I don't know. I mean, if you're going to do work that - you know, if you're an artist - right? - and you're going to take work from somebody and you demand 50% upfront, I think that's OK. 

Dave Bittner: Yeah, yeah, a different - yeah. 

Joe Carrigan: If you're doing the work... 

Dave Bittner: If you're an artist, a freelancer, a contractor, that sort of thing, that's reasonable. 

Joe Carrigan: Right. 

Dave Bittner: Sure, sure. 

Joe Carrigan: But if you're an employee - you know, a W-2 employee - no, you should never get money in advance. 

Dave Bittner: Yeah. I also wonder if there's something to letting your first paycheck be a printed check. In other words, before you give them your information for direct deposit, if you - and 'cause there are plenty of conveniences that go along with direct deposit. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Right. 

Dave Bittner: But if you say to them, you know what? My first check - just cut me a check, and... 

Joe Carrigan: Yeah. 

Dave Bittner: You get that check in hand. You take it. You cash it. There you go (laughter). 

Joe Carrigan: Yeah. I don't know, maybe. Maybe. 

Dave Bittner: I mean, I suppose the scammers could still cut you a fake check, knowing that the price they're paying for that fake check is access to all of your banking stuff, but I don't know. It seems like the longer you string them out, the more likely it is they're going to pull the rip cord and move on to someone who's easier to hit. 

Joe Carrigan: Yeah, I agree. 

Dave Bittner: Yeah. All right, well, an interesting article for sure. Like you said, we'll have a link to that in the show notes. 

Dave Bittner: My story this week - this comes actually from the folks over at NBC News. This is written by David Ingram. Before I dig into this article - this article is called "The Internet is Tricking Our Brains." Joe, how would you rate your own memory? Do you consider yourself someone who has a good memory? 

Joe Carrigan: I used to consider myself someone who had a good memory. 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: But lately, people have been saying some things to me, and I'm like, I have absolutely no recollection of that. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I think things I want to remember, I'm still good at remembering, but things I filter out, they - those packets get dropped, and I never think of them again. 

Dave Bittner: Yeah. Memory is tricky. I mean, like, you know, I can remember the lyrics to every popular '80s song ever (laughter). 

Joe Carrigan: Yeah. 

Dave Bittner: Right? 

Joe Carrigan: Yeah. 

Dave Bittner: Those are all still in there, but I can't remember what I had for lunch yesterday (laughter). 

Joe Carrigan: And those will never go. Even if you get Alzheimer's, that's one of the last things to go... 

Dave Bittner: Right. 

Joe Carrigan: ...From your memory. 

Dave Bittner: Right, exactly. 

Joe Carrigan: Right. 

Dave Bittner: But similarly, I think I too had a very good memory, especially as a younger man. 

Joe Carrigan: Oh, yeah. 

Dave Bittner: And one thing I remember is back when I was in broadcast TV, like, I knew the model numbers of every piece of broadcast equipment there was out there. I knew the model numbers... 

Joe Carrigan: Yep. 

Dave Bittner: ...The specifications, all that kind of stuff. And now I can't remember any of that, but I think a big part of that is I just don't care. 

Joe Carrigan: Right. 

Dave Bittner: You know, like, let somebody else... 

Joe Carrigan: Yeah. You're dropping those packets. 

Dave Bittner: But that brings me to the point of this article, which is that - the fact that these days, thanks to internet technology, thanks to things like Google and Bing and all the other search engines, DuckDuckGo, we have at our fingertips, thanks to our mobile devices, the ability to look up anything... 

Joe Carrigan: Yes. 

Dave Bittner: ...Instantly... 

Joe Carrigan: Agreed. 

Dave Bittner: There are times when - if I'm out to dinner with my family or something, and someone says, what was the name of that movie from such-and-such? One of us will say, to the internet... 

(LAUGHTER) 

Dave Bittner: ...And pull out their mobile device and start looking. And sure enough, there you go. There it is. 

Dave Bittner: So this article makes the point that because we have that accessible to us, that we are offloading those abilities, that we're sort of letting our memory - certain parts of our memories atrophy because we don't need them anymore. We have instantaneous access to lots of information, so we're lowering the priority of some things we used to memorize because we can access things so easily. 

Dave Bittner: This article points out that there was a study back in 2019 that found that people's spatial memory got worse the more they used GPS devices and mapping apps. 

Joe Carrigan: Really? 

Dave Bittner: Yeah, which is - I mean, not surprising, I suppose. The more you rely on something to help you with something, the less your natural ability to do that will probably be there. 

Joe Carrigan: Yeah. 

Dave Bittner: But interesting nonetheless, right? 

Joe Carrigan: Yeah. Well, our brains are very elastic, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So we continually build new neural pathways whenever we have to do something new or learn something new. And if we don't have to do or learn something, no new neural pathways get built. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: Right? So the computer is doing it for us - you know, the system, whatever it is - so we don't have to do it. But, you know, what does that mean? What does that mean for us? 

Dave Bittner: Yeah. 

Joe Carrigan: Is it bad? Do we use our effort somewhere else, then? Do we - maybe we just become more creative? I don't know. 

Dave Bittner: Well, so a couple of thoughts here. 

Joe Carrigan: OK. 

Dave Bittner: First of all, let me just give a shoutout to the high school math teacher who I have never forgiven for saying, no, you can't use a calculator. You're not always going to have a calculator. No, I don't have a calculator. I have a supercomputer. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: It's in my pocket all the time. Not only is it in my pocket as a supercomputer, but it has access to all the world's knowledge all the time. 

Joe Carrigan: (Laughter). 

Dave Bittner: So, no, you're right, I won't always have a calculator. I will have the greatest supercomputer ever built, and I have access to all the world's information. So, yes, I'm a little bitter about that (laughter). 

Joe Carrigan: Yeah, my - I have a similar story with my fifth grade teacher. 

Dave Bittner: Right. 

Joe Carrigan: I said, I'm really - you know, I don't need to remember how to spell every single word in the English language. By the time I'm in the working world, there will be a machine that if I get close enough, it will know what I mean. You know, fifth grade - this is fifth grade. I'm predicting the existence of spell-checker. 

Dave Bittner: Right. 

Joe Carrigan: And my teacher called me - you know, called me nuts, said, who's filling your head with these lies? 

Dave Bittner: (Laughter) I see. I see. Sure (laughter). 

Joe Carrigan: She was actually a very good teacher, though. I still have a lot of love and respect for the woman. 

Dave Bittner: Yeah. 

Joe Carrigan: And there is value in knowing how to spell things, but... 

Dave Bittner: Yeah. 

Joe Carrigan: You know? 

Dave Bittner: But see - but this point is good, too, because I'm curious, you know, your point of view because you are much closer to academia than I am. 

Joe Carrigan: Right. 

Dave Bittner: And I - there's been a lot of discussion lately about whether or not it makes any sense to have tests where people have to have information memorized because it doesn't reflect the real world. 

Joe Carrigan: Right. 

Dave Bittner: Right? If I'm an architect and I'm designing a building or a bridge or whatever, and I need to know what the formula is for the stress on this sort of thing... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Nobody's relying on me to have that memorized. 

Joe Carrigan: Right. 

Dave Bittner: If I need to look it up, I'll go look it up. 

Joe Carrigan: Yeah, that actually reminds me of another story in college. A friend of mine whose dad was an engineer - at his place of work, they said, we're going to come around and test you for the knowledge that you know. And he said, I'm not taking the test. 

Dave Bittner: Yeah. 

Joe Carrigan: And they said, what? He says, yeah, I refuse to take the test. And they said, well, how do we know you know what's good? He goes, I don't know what's good. You see those reference books along my desk? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: When I don't know something, I go to the reference book. 

Dave Bittner: Yeah. 

Joe Carrigan: Now, if I can take the test with these reference books, I'll take the test. But if not, no. That's not a real-world test for exactly what you're saying. 

Dave Bittner: Well - and so I think part of what I wonder about with this - and this article sparks this question in my mind - is in the modern world in which we live, where we have access to these sorts of tools, is it more advantageous to be someone who's very clever with using these tools than having a good memory? Is that going to serve you well out in the world, to be efficient and good with these sorts of tools, to be able to find the answers quickly, effectively and... 

Joe Carrigan: Right. 

Dave Bittner: ...Accurately rather than having a good memory? In other words, use your limited brain cycles... 

Joe Carrigan: Right. 

Dave Bittner: ...For that rather than memorizing things. 

Joe Carrigan: Yes. 

Dave Bittner: I suspect it will. 

Joe Carrigan: I think it does. I think that - two things. One, being clever and, two, being able to read quickly will help you immensely because when you do a Google search, there's tons of information that comes back. 

Dave Bittner: Yeah. Yeah. Being able to filter that and get to the good stuff. 

Joe Carrigan: Yeah. If you can read through it quickly and filter it, that's great. 

Dave Bittner: Yeah. 

Joe Carrigan: You'll be better off. 

Dave Bittner: Yeah. All right. Well, lots to think about there. (Laughter) This is one of those articles that more just triggered a lot of questions and interesting things to talk about. 

Joe Carrigan: And it seems it also brought up some very painful childhood memories for you, Dave. 

(LAUGHTER) 

Joe Carrigan: Lie back on this couch over here (laughter). 

Dave Bittner: Yeah, so thanks. Yeah. Exactly. Our 50 minutes are up. 

Joe Carrigan: Right. 

Dave Bittner: So leave your money up front with the receptionist. And I'll see you in - next week. 

Dave Bittner: All right. So the article is "The Internet is Tricking Our Brains." That's over at NBC News. We'll have a link to that in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Chris (ph). It's one we've seen a lot lately. And I wouldn't have used it, but Chris sent it along with a story that tells you what happens next, OK? So Chris' father received an email that looks like this. Dave, why don't you read the email in that image there? 

Dave Bittner: All right. It says, order confirmation. Thank you for your recent purchase with Lanford LLC by Amazon. Your account has been set for auto debit from your saved billing on the account in the next 24 hours. The items will be shipped in 48 hours, and you will receive a confirmation email once they are shipped. You will receive another email with the tracking number. We hope you shop with us again soon, Amazon Inc. 

Dave Bittner: And there's a bunch of information about what was purchased. The order is for a Sony Bravia, 47-inch, Ultra HD television. And the amount paid is listed as being $1,376. And the balance to be paid is $902. 

Joe Carrigan: Right, lot of money. 

Dave Bittner: Yeah. 

Joe Carrigan: OK? Now, we've seen these before. 

Dave Bittner: Yeah. 

Joe Carrigan: This is nothing new. We've seen this a bunch of times. But here's the story. Chris doesn't know at this point in time in the story that his father has received this email. And he overhears his dad raising his voice to someone on the phone. And Chris says he didn't think too much about that because his dad will often raise his voice on a regular basis. 

Dave Bittner: (Laughter) Ah, family. 

Joe Carrigan: Right? To salespeople he wants to never call back. And I got to tell you, Chris, I can 100% relate to that. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: I'm in your dad's camp there. 

Dave Bittner: OK. 

Joe Carrigan: But he knew this call was different when his dad walked past him and out of the house still on the phone. So Chris says to his mom, what's going on here? And his mom says, he's been on the phone all night because, somehow, someone got ahold of his Amazon account and bought a $2,200 TV. He's been trying to cancel the order. And then Chris says, well, why is he going outside to cancel the order? And his mom says, he needs to go to Food Lion, which is a grocery store here in the United States, with two forms of identification. 

Joe Carrigan: And now Chris is like, oh, no, right? 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: So he questions her a little bit further to confirm the suspicions. And he learns that he received this email from "Amazon" - in quotes, right... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For the order of a 47-inch television, which, by the way, should not cost $2,200, right? 

Dave Bittner: Not anymore. No (laughter). 

Joe Carrigan: Yeah. He got the customer service number from the email and called them to cancel immediately. Now, Chris says one of his red flags is that Amazon doesn't make it easy to contact customer service (laughter). 

Dave Bittner: No. Amazon doesn't have a phone number. Are you kidding me (laughter)? 

Joe Carrigan: Right, which is 100% correct. 

Dave Bittner: Right. Right. 

Joe Carrigan: Right? And they sure don't put it into your confirmation emails. 

Dave Bittner: No. No, no, no. 

Joe Carrigan: Hey. You want to cancel the order you just made? Call us up. 

Dave Bittner: No. 

Joe Carrigan: No. That's bad for business. Jeff Bezos knows what he's doing. 

Dave Bittner: No. No. You're more likely to be able to call Jeff Bezos on his little private rocket than you are to reach someone at Amazon customer support. 

Joe Carrigan: Right (laughter). So he tries texting and calling his dad to see what he's doing, but he couldn't get him to respond. And he didn't know why he was going to the grocery store. 

Joe Carrigan: So Chris realizes the urgency of this. He throws his coat on, and he heads off to the Food Lion parking lot. And it turns out his dad started having doubts. And when he gets there, his dad was in the parking lot and said, hey, Chris. I'm over here. And he hasn't gone in because he realized something was up. So they hang up the phone. And they're done with the scam, right? 

Dave Bittner: OK. 

Joe Carrigan: Later, Chris finds out that they told him to go pick up a few cards, gift cards, specifically Target gift cards in the amount of $500 apiece. 

Dave Bittner: OK. 

Joe Carrigan: And they were on the phone with him the entire five-minute ride it takes to get to Food Lion. Apparently, they live very close to a Food Lion. But they said, we're not going to be able to be speaking when you approach customer service - right? - so customer service doesn't see you on the phone with somebody buying gift cards, right? 

Joe Carrigan: Here is the explanation the scammers used to convince Chris' father to buy the cards. He was transferred to the, quote, "Amazon fraud department." Again, this is not Amazon. This is a bunch of scammers... 

Dave Bittner: Right. 

Joe Carrigan: ...Where they agreed to help him with his account. To do this, they needed special blocking codes. These blocking codes can be found on the back of specific gift cards - Target gift cards. Apparently, these Target - or these locking codes only protect about $500 of value, so you need to buy four of them in order to protect your entire purchase and lock your entire account. 

Dave Bittner: Yeah. 

Joe Carrigan: Chris says he realizes there are holes in the reasoning, and he tried pressing his father further about this, but his father just says, nope, I'm done talking about this and doesn't want to talk about it. 

Dave Bittner: Yeah. 

Joe Carrigan: Which is a very common reaction. 

Dave Bittner: Right. 

Joe Carrigan: So I understand. Thankfully, Chris, you were able to stop your father from making a $2,000 mistake, or he - and he - or he came to his conclusion, and then you confirmed it. 

Joe Carrigan: The only thing that I would say if you're in this kind of a situation that might've helped get to this quicker - you can't get to the store fast enough and somebody's on their way there, maybe call the store or call the police and have a uniformed police officer waiting there to talk to - to stop somebody from buying the gift cards. 

Dave Bittner: Right, right. 

Joe Carrigan: That might've helped. I don't know if you're going to get the store to answer. You know, say, hey, my dad's on the way in there to buy some gift cards. He's being scammed. Don't sell him gift cards. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But what you did is also very good. I would've called them on the way - you know, gotten in the car and gone myself and then called them on the way, maybe called the store or maybe called the police. 

Dave Bittner: Call the dad, too. 

Joe Carrigan: Call - well, the dad wasn't answering. They were trying to call the dad. 

Dave Bittner: Oh, I see. 

Joe Carrigan: But he's on the phone with the scammers. 

Dave Bittner: Right. The scammers probably convinced him that he needed to stay on the line. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Absolutely. 

Dave Bittner: Oh, boy. 

Joe Carrigan: But it's a good... 

Dave Bittner: Yeah. 

Joe Carrigan: Good, happy ending on this one. 

Dave Bittner: Yeah, yeah. I mean, good on - who is it? - Chris. 

Joe Carrigan: Chris, yeah. 

Dave Bittner: Yeah, good on Chris for following through on - and being in the right place at the right time. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: This happened with me and my mom one time where I was visiting them, and I walked into the kitchen, and my mom was on a call with someone. 

Joe Carrigan: Right. 

Dave Bittner: And she was very agitated. And I said, Mom, hang up the phone. But they want to - hang up the phone, Mom. But they're telling me - hang up the phone. She hung up the phone. It was a scam. 

Joe Carrigan: Right. 

Dave Bittner: You know, but these folks - like you and I have said many times, these guys do this all day. 

Joe Carrigan: Right. 

Dave Bittner: Right? You are not - I mean, they - they're much better at this than you are at blocking it. 

Joe Carrigan: Yup. 

Dave Bittner: So just hang up the phone. Hang up the phone. Good on you, Chris. Wow. 

Dave Bittner: All right. Well, that is our Catch of the Day. 

Dave Bittner: We would love to hear from you. If you have something you would like us to share on the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Adam Levin. He is the host of the podcast "What the Hack with Adam Levin." 

Joe Carrigan: Right. 

Dave Bittner: The show deals with many similar things to what we deal with here. Adam is also a cybersecurity expert. And an interesting conversation here with Adam Levin. 

Adam Levin: We describe it as a shame-free zone. It's about hackers, scammers, phishers and people who have become unfortunate victims of scams, cyber incidents, identity theft. 

Dave Bittner: Are there any particular stories that come to mind as highlights, as representative examples of the types of things you have on the show? 

Adam Levin: Oh, sure. We've had stories of everything from a radio personality who was catfished, but she was clever enough to sort of catch him in the act and then turn it on him. We've had somebody who was trolling QAnon sites, and suddenly he received a communication including a picture of him - not a compromising picture, but a picture that had never been posted on social media or anywhere before that his wife had taken of him - to send a message to him. We had a journalist who was a victim of a sextortion scam. 

Adam Levin: We've had - in line especially with social engineering, we had a woman who's a host of a podcast called "ScamWow." It's terrific. And she's also a well-known speaker on the issue of double mastectomies because of hereditary cancer issues. And she was contacted by someone from a very legitimate university in England, and they offered her a speaking engagement and fees. And, of course, she was going through a rough time, as many people were in the pandemic, and she was very excited to accept it. And then she noticed in the communication that something didn't seem right. And luckily, she stopped herself before she provided too much personal information to them. 

Adam Levin: We've also had a number of people who were celebrities who have been locked out of their Instagram accounts because they were hacked and then stolen from them. And in some cases, these are folks who were using it as their modeling book or a place where they could show certain acting profiles, and they were suddenly not able to. So as more and more people are using Instagram not just for social engagements, but also as ways to promote their business or their careers, and when you get cut off from something like that. 

Adam Levin: And we've had people also talking about the fact that they were CIOs with companies that were hit with ransomware attacks and how they did - how they dealt with it. 

Dave Bittner: Based on all of these interviews that you've done and these people who you've spoken to, what are the take-homes? I mean, what sort of advice do you put out there for people to best protect themselves? 

Adam Levin: Well, we created a framework in the book "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves" and call it the Three Ms. 

Adam Levin: And it's how do you minimize your risk of exposure or reduce your attackable surface, especially in a world where you have billions of Internet of Things devices that are tracking you, eavesdropping, sending information back to, presumably, the manufacturers and, in some cases, many cases, they become hacked, and as a result, you don't know where your information is going? 

Adam Levin: The second M is how do you effectively monitor so that you know you have a problem as quickly as possible? 

Adam Levin: And the third M is how do you manage the damage? 

Adam Levin: And so the real takeaways are everything from strict password protocols - not sharing passwords across your universe of websites, two-factor authentication so that it makes it easier for you to find out that someone is attempting to get into your accounts and then giving you an opportunity to stop them - to never authenticating yourself to anyone who contacts you for any reason. It's another thing if you contact them and they ask you to authenticate yourself because they're trying to protect you. But when you get calls from people who are imposters creating the impression they were at the Internal Revenue Service or a financial institution or a health agency and start asking you for too much information, that's when the warning flag should go up. Things like don't download apps unless they come from legitimate app stores, and even then, it's best to read reviews and understand what you're doing. Simple things such as shredding in order to protect your data, freezing your credit. 

Adam Levin: The second M - how do you monitor? That means getting your credit report, reviewing your credit report, have - monitoring your credit scores for sudden precipitous, unexplained drops, signing up for transactional alerts from institutions notifying you any time there's activity in your credit or bank or credit union accounts. More sophisticated forms of monitoring are also a good idea. 

Adam Levin: And then the third M, the big one is that a lot of people don't realize - and I'm now talking consumers. There's another part for businesses. But for consumers, they don't understand that many institutions now - financial institutions, insurance companies, HR departments at work - offer identity protection programs and cyber protection programs. And in some cases, it's free or deeply discounted. So it's - find out. But do you have a program to protect me if I have an incident? Am I in it? What do I need to do to get in it? What is it going to cost? 

Adam Levin: Those are kind of the things that people need to think about. 

Dave Bittner: You know, I think a lot of folks find all of this overwhelming. Any thoughts on how to get started? How do you, you know, chip away at it and not feel like you're being, you know, flooded with things you got to do? 

Adam Levin: Well, step No. 1 is think about all the different accounts you have and say, am I using the same password or a similar password on every one of them? And maybe that's not a good idea. So instead of trying to reinvent the wheel or going back and then coming up with 40 or 50 different passwords, get a password manager. Many, many of them are secure. They're respected - the companies that provide them, things like LastPass, 1Pass, Dashlane - those kinds of password managers. And let them do the work for you. They'll come up with long or strong passwords. 

Adam Levin: Or if you've decided that you have special passwords that you love, then just enter those into the password management system. And then from that point on, especially since most of them are multiplatform, you just simply go to them, pull down or click the link, and you'll get the right password. So that's an easy one. 

Adam Levin: Two-factor authentication - very simple to enable. 

Adam Levin: Not giving away too much information to anyone who contacts you - not really super difficult there - as well as not simply clicking on a link and opening an attachment because it came from someone you think you know. 

Adam Levin: So these are kinds of simple things that you can do to start. And think of it as a health checkup, right? You go - every six months, you go to your dentist, your doctor or other forms of medical treatment that you would be getting, and all in the way of hygiene. So think of this as cyber hygiene. 

Dave Bittner: You know, you mentioned at the outset that your podcast, "What the Hack," is a shame-free zone, and I think that's a really important point here that - you know, particularly, I think about our friends and family. And we've heard stories on our show about relatives, you know, usually elderly people, who find themselves victim of something, and they're embarrassed to tell their family. So I think you make an important point that it's up to us to create that environment where they feel as though they can come to us with these problems. 

Adam Levin: No, it's very important. Listen; the only way we're going to get a handle on this is by cooperation, collaboration and communication. And I'm talking about - if you want to look at it at the macro level, you're talking about government, business, consumers, media all working together because you have to understand the threat, you have to find ways that you can solve the problem. Sometimes it's going to a professional organization that'll help you. Sometimes it's just talking to your family members and talking it through before you do something or even right after you do something. Many times, you can limit the damage that will occur if you move quickly. 

Adam Levin: And think about the fact that, for example, identity theft - a significant percentage of identity theft occurs within the family unit. And the reason why that it's able to persist is because children don't want to report their parents. Parents don't want to report their children. Siblings feel funny about talking about it with anyone else. 

Adam Levin: When senior citizens become victims of catfishing or investment scams, if they say nothing, no one is going to know that they have a problem and be in a position to help them. So talking about it is not only cathartic and it can be - help you to heal, but in addition to which, you might end up talking to someone who would be helpful to you and can solve the problem for you, as opposed to letting it fester and then feeling just terrible about it and having your life turned upside down. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: It's good to hear there are more podcasts like ours out there. 

Dave Bittner: Yeah. Yeah, absolutely. 

Joe Carrigan: You know, the more coverage we get on this subject, the better off we all are. 

Joe Carrigan: I like the idea of being shame-free. You know, if you go back to our Catch of the Day, Chris' dad was embarrassed by this. But, you know, he shouldn't be embarrassed by it. He... 

Dave Bittner: Yeah. 

Joe Carrigan: This is a scammer, a criminal who took - I mean, are you embarrassed when your house gets robbed? You know, you shouldn't be shamed when your house gets robbed. You shouldn't be shamed when these kind of things happen. 

Dave Bittner: Right. 

Joe Carrigan: It happens to a lot of people. 

Joe Carrigan: I like his Three Ms. Minimize your risk. And, of course, he says, to minimize your risk, use a password manager and multifactor authentication. 

Dave Bittner: Right. 

Joe Carrigan: Never authenticate yourself to someone who contacts you, right? When you contact someone else through a known good phone number, it's fine to authenticate yourself, but never authenticate yourself on an inbound phone call. 

Joe Carrigan: Monitor - this is kind of the hardest part. This is our - as users and end users are just regular people, that's probably where we have the most difficulty is in monitoring and making sure that things are going well. Often, we don't know things are about to go south until it's too late. 

Dave Bittner: Yeah, I think it was the famous scientist Richard Feynman who said, first, you must not fool yourself, and you are the easiest person for you to fool. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. And manage - how do you manage the damage of one of these attacks? And ID theft insurance goes a long way to doing that 'cause, No. 1, it puts - when you file a claim against that, you have a certain amount of money that you can use to pay attorneys and things like that to make it a lot easier. 

Joe Carrigan: When your identity has been stolen and someone's opened a fraudulent account in your name, you're not really liable for that money. But a lot of times it's really good to have somebody that you can say, you know what? Just call my attorney. 

Dave Bittner: Yeah. 

Joe Carrigan: And you have an attorney that you paid through this ID protection or, you know, identity theft insurance policy. 

Dave Bittner: Yeah. 

Joe Carrigan: You say, call my attorney. This is their number. They will tell you everything you need to know. And please don't call me again. 

Dave Bittner: Right. 

Joe Carrigan: If you're handling this yourself, you're going to have to deal with this yourself. 

Dave Bittner: Yeah, and just keep it from being a time suck, right? 

Joe Carrigan: Right, exactly. 

Dave Bittner: It's such a time suck. 

Joe Carrigan: It is a time suck. It's a huge, huge time suck. I mean, it's not really a money suck. You're not going to lose any money. You know, these guys are going to - these guys may even go through the process of trying to get you to pay for an account they fraudulently open with somebody else using your identity. 

Dave Bittner: Right, right. 

Joe Carrigan: I don't know how I'd respond to that. But, you know, their interest is in getting the things resolved. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the things that Adam says that we've said a lot here is that if you're not doing anything, doing the basics goes a long way, right? Using a password manager and using multifactor authentication - just doing those two things can move you really far down the security continuum to the more secure direction than you are currently. 

Dave Bittner: Yeah. 

Joe Carrigan: Reusing passwords is very, very, very, very bad... 

Dave Bittner: That's right. 

Joe Carrigan: ...Especially if they're easy-to-guess passwords or they're passwords that have ever been breached. 

Dave Bittner: Right. 

Joe Carrigan: You know, it's essentially just opening yourself up on the internet to all these people out there. 

Dave Bittner: Yeah. 

Joe Carrigan: And using permutations is only slightly more secure than using a reused password. It's - there are password crackers out there that have rules that look for these permutations. And a password cracker is just a brute force tool that tries a bunch of different passwords until it finds a match. 

Dave Bittner: Yeah. Yeah, absolutely. Let your password manager generate completely random passwords. 

Joe Carrigan: Yup, it's great. 

Dave Bittner: Way to go. 

Joe Carrigan: It's wonderful. 

Dave Bittner: All right. Well, our thanks to Adam Levin for joining us. Again, the name of his show is "What the Hack with Adam Levin." Do check that out. 

Dave Bittner: All right. That is our show. We want to thank all of you for listening. 

Dave Bittner: Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. 

Dave Bittner: I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.