Hacking Humans 3.24.22
Ep 189 | 3.24.22

What's behind Buy Now, Pay Later scams?

Transcript

Jim Ducharme: We try to stay ahead of the curve here and ahead of the fraudsters to make sure that we can prevent that fraud on these new payment methods.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Jim Ducharme. He is the COO of Outseer. We're going to be talking about buy now, pay later scams.

Dave Bittner: All right, Joe, before we jump into our stories, we have some follow-up here. Do you want to lead us into... 

Joe Carrigan: Yeah. 

Dave Bittner: ...A couple of notes we got from listeners? 

Joe Carrigan: The first one comes from Mark, and this one's directed at me. He wrote in with a comment about my story from last week where I remarked that 78% of phishing happens on a weekday, and then Mark correctly pointed out that weekdays make up 71% of the days. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So, yeah. 

Dave Bittner: Well, nothing gets by Mark. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's an astute observation, Mark, and one I completely missed. 

Dave Bittner: (Laughter). 

Joe Carrigan: These guys don't take holidays. 

Dave Bittner: It's like... 

Joe Carrigan: They don't take breaks. 

Dave Bittner: I spend a third of my life asleep. 

Joe Carrigan: Right (laughter). 

Dave Bittner: It's just a crazy thing. I don't know what's going on. Yeah. All right, well... 

Joe Carrigan: So why don't you read the next one? I have some comments on this one. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: They're going to mirror some comments I've already made, but... 

Dave Bittner: All right. It says, hi, Dave, Joe and the person monitoring this mailbox - that would be our producer, Jenn. 

Joe Carrigan: Right. 

Dave Bittner: It says, love the show and listen every week. On this week's episode, Carole was talking about parents tracking their children, and I had to write in with my personal story. When I was a senior in high school back in 2004 or 5, I was dating a girl whose dad worked in the IT industry. I don't recall what specifically. She and I were 16 or 17. We were exploring in ways that teenagers of that age tend to do. But where we really messed up was in that we would talk about it over AOL Instant Messenger, as was the style at the time. What we didn't know was that her dad had installed a RAT keylogger on her computer. In his reviewing of the chat, he saw what we were discussing and had what I would call an overreaction. 

(LAUGHTER) 

Dave Bittner: Joe, you're a father of daughters. 

Joe Carrigan: Yes, I am. 

Dave Bittner: (Laughter). 

Joe Carrigan: A father of a daughter - but I love her very much and want to do everything I can to protect her. 

Dave Bittner: It goes on and says, she and her parents met with me and my parents, and we all had a long, awkward conversation about the birds and the bees and the potential consequences of our actions. 

Joe Carrigan: Yeah. 

Dave Bittner: She and I did not wind up dating much longer after that. 

Joe Carrigan: I wonder why. 

Dave Bittner: In the end, I suppose I should thank him as he's the Joe Chill to my Bruce Wayne, and this event is what caused me to go into cybersecurity myself. And that's from John. All right. Yeah. 

Joe Carrigan: Dave, I'm going to say this again. 

Dave Bittner: Yeah. 

Joe Carrigan: I am so glad there was none of this stuff around when I was a kid. 

Dave Bittner: Yeah. 

Joe Carrigan: Also, I would never install a RAT/keylogger on my kid's computer. I think that is a little bit surreptitious. 

Dave Bittner: I agree. I agree. I think there's a certain amount of stuff when it comes to your kids that you're better off not knowing. 

Joe Carrigan: Right. 

Dave Bittner: Like, there's an amount of - I want to know the general gist of what's going on. 

Joe Carrigan: Yeah. 

Dave Bittner: I don't need to see the details. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: I don't need to know how the sausage is made, as it were (laughter). 

Joe Carrigan: Yes. Yes. Absolutely. I think that's exactly right. And to pull everybody aside and have a conversation with both sets of parents - no. 

Dave Bittner: Yeah. 

Joe Carrigan: That - why did this relationship end? I don't know who ended this relationship, but I think I would have been like, you know what? I don't think this is going to work out. 

Dave Bittner: Yeah. 

Joe Carrigan: And that would have been it. 

Dave Bittner: Yeah, yeah. You know, I just keep thinking, our kids are having a healthy, natural, physical relationship, and I'm not OK with that. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Ah, well, we were all young once, right? 

Joe Carrigan: Yes. 

Dave Bittner: We all went through all those awkward times. 

Joe Carrigan: Yeah. If I knew about this, I definitely would have pulled my daughter aside. My wife and I would have had a conversation with my daughter. 

Dave Bittner: Yeah. 

Joe Carrigan: But there is no way I would have involved the other kid's parents... 

Dave Bittner: Right. 

Joe Carrigan: ...Because of exactly what you're saying. This is exactly what 16 to - 16-, 17-year-old kids do, right? 

Dave Bittner: Yeah. 

Joe Carrigan: You know, maybe you don't like it. Maybe - yeah. You want to make sure it's not getting out of hand, of course, right? 

Dave Bittner: Right. You just want to make sure that they're - whatever they're up to, that they're doing it safe and responsibly... 

Joe Carrigan: Right. 

Dave Bittner: ...That they understand the potential consequences. 

Joe Carrigan: The risks are enormous. 

Dave Bittner: (Laughter) That's right. That's right. Your life could go off on a - in a different direction. 

Joe Carrigan: That's correct. 

Dave Bittner: But, you know, at the same time, you know, I don't think you want to freak them out or shame them or anything. 

Joe Carrigan: Right. Yeah. I think shaming them is the wrong answer. In just about everything, shaming them - shaming someone is the wrong answer. 

Dave Bittner: Yeah. All right. Well, our thanks to John for writing in to us. We would love to hear from you. You can send us an email to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into some stories this week. I'm going to kick things off for us. My story comes from WIRED. This is written by Lily Hay Newman, who has been a guest on our show before - a good, well-known and respected writer over there at WIRED. And this is titled "A Big Bet To Kill The Password For Good." 

Joe Carrigan: Ooh. 

Dave Bittner: And this is - what this really gets at is that the FIDO Alliance - Joe, can you say off the top of your head what FIDO stands for without looking it up? 

Joe Carrigan: It's - no. 

Dave Bittner: (Laughter). 

Joe Carrigan: And the funny thing is, I have read what that acronym means within the past two weeks. 

Dave Bittner: OK. 

Joe Carrigan: And I want to say that the FI means one word, and DO is two. So it's not really an acronym, like... 

Dave Bittner: You're close. You're close. So FIDO stands for fast identity online. 

Joe Carrigan: OK, so the ID stands for one word. OK. 

Dave Bittner: That is correct. That's right. 

Joe Carrigan: I knew it was in there somewhere. 

Dave Bittner: (Laughter) So FIDO - and they're one of these industry consortiums that... 

Joe Carrigan: Yep. 

Dave Bittner: ...You know, members of industry get together to try to solve common problems. And that's what the FIDO Alliance is. And I believe they've been at it since 2013 or so. 

Joe Carrigan: Yep - been going at it for a long time. 

Dave Bittner: Yeah - well-respected. Well, they just published a white paper that really lays out their vision for moving us to the next step, which they think is a passwordless world. 

Joe Carrigan: We can hope, Dave. 

Dave Bittner: We can hope, yeah. And this article is really interesting. I mean, some of the points that it makes are that in order for this to happen, it needs to be easier than using a password. 

Joe Carrigan: Right. 

Dave Bittner: And I think one of the things they point out here rightly that we've certainly talked about is that passwords are easy, but good use of passwords is hard (laughter). 

Joe Carrigan: Yes, that's correct. 

Dave Bittner: If you only had one password, that would be pretty easy. In fact, there's a whole company who's named their company after the notion of one password. 

Joe Carrigan: Right. 

Dave Bittner: But... 

Joe Carrigan: I believe they're called 1Password. 

Dave Bittner: Yes, exactly. But having to keep track of multiple passwords and secure passwords and long passwords is difficult, so... 

Joe Carrigan: Yes, it is. Without a password manager, it's almost impossible. 

Dave Bittner: Yeah. So the FIDO Alliance has come out with this white paper. And basically, what they're saying is that now that we're at the point where pretty much everybody has a mobile device... 

Joe Carrigan: Yep. 

Dave Bittner: ...That we should be able to move on and use those mobile devices as our authentication mechanism, that we can, you know, sling around cryptographic keys in such a way combined with the capabilities of these devices' biometric sensors. So again, most mobile devices have either a fingerprint sensor or a - some sort of face-scanning sensor... 

Joe Carrigan: Yep. 

Dave Bittner: ...Or both. 

Joe Carrigan: Yep. 

Dave Bittner: So a combination of those - the cryptographic capabilities, the secure enclaves, all that kind of stuff - and the fact that these devices are pretty much universal now means that we should be able to get away with passwords. The other point they make here is that by having these things stored in the cloud - and this article references the iCloud Keychain, which is... 

Joe Carrigan: Right. 

Dave Bittner: ...Apple's system for doing this. And, you know, Google has the same sort of thing in other systems, but this article mentions Apple's version. What's great about this is if you lose your mobile device or get a new one or whatever, it's not a problem... 

Joe Carrigan: Right. 

Dave Bittner: ...Because you just log into your account in iCloud. All these keys get transferred back in. Everything gets checked and verified and all that sort of stuff, and you're off and running without having to go through the password dance that so many of us have gone through. 

Joe Carrigan: Password dance. 

Dave Bittner: Yeah. 

Joe Carrigan: I'd like to see what that looks like. 

Dave Bittner: (Laughter) It's kind of like the way Elaine danced on "Seinfeld." 

Joe Carrigan: Right. Yeah. 

Dave Bittner: That's the password dance (laughter). 

Joe Carrigan: They should also call it the hassle. 

Dave Bittner: That's what it looks like. Right. Right. 

Joe Carrigan: Right. 

Dave Bittner: So that's the upside of this. Before I get your commentary on this, Joe, I want to - I'm going to razz you a little bit... 

Joe Carrigan: OK. 

Dave Bittner: ...Here because they have a pull quote from Johns Hopkins cryptographer Matthew Green... 

Joe Carrigan: Ah, Matt Green, yes. 

Dave Bittner: ...One of your colleagues. 

Joe Carrigan: Yep. 

Dave Bittner: Right? 

Joe Carrigan: Yep. 

Dave Bittner: And he says schemes like passkey could work and be more secure than passwords as they stand now. But if the user interface for inter-device transfers sucks on some devices, it will suck for all of them, which would continue to discourage use. Boy - just the type of eloquence I come to expect from a Johns Hopkins professor, Joe. 

(LAUGHTER) 

Joe Carrigan: Well, Matt Green is very good at speaking in plain terms. If you really want to see him explain incredibly complex things in plain terms, check out his blog. It's very well done. 

Dave Bittner: Yeah. 

Joe Carrigan: And he - right. 

Dave Bittner: And he is - he's kind of the go-to guy... 

Joe Carrigan: Right. 

Dave Bittner: ...For articles like this... 

Joe Carrigan: Yep. 

Dave Bittner: ...Because of his ability to put these complex cryptographic things into terms that everybody can understand. 

Joe Carrigan: Yeah. He's good and as is our other professor, who's currently on sabbatical right now, Abhishek Jain. These guys are - you know, good cryptographers are valuable. Good cryptographers who can explain things to you and how they work - few and far between. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: And we have two of them. 

Dave Bittner: Yeah. 

Joe Carrigan: (Laughter). 

Dave Bittner: So what do you make of this? I mean, do you think - it seems to me like the transitional period is going to be the hardest thing. 

Joe Carrigan: Yeah. Well, the way you do the transition is you make the - this new method of authentication the default and allow people to still use passwords and tell them passwords are going to be phased out over time. So that's how you do it. My concern here is that there's still the single point of failure, and I don't know how we get away from this. You know, I don't want to diminish what's going on here 'cause I agree - this will be much more secure... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For people because we are notoriously bad at picking passwords. 

Dave Bittner: Right. 

Joe Carrigan: And if we don't - and very few people use password managers. 

Dave Bittner: Right. 

Joe Carrigan: Despite the fact that you and I have been screaming from the mountaintops for years and years and years to do this, no one listens to us, Dave. 

Dave Bittner: Yeah. Well... 

Joe Carrigan: So - right. So, yeah, this is great. But what about the - you know, you said everything's stored in the cloud. If I can get access to your iCloud account or compromise your Google account where all this stuff is backed up and stored, that's the keys to the kingdom now. 

Dave Bittner: Well, but - so, yes, that's a good point. And what this article points out is that the way that this is handled, all of that is encrypted. So not even... 

Joe Carrigan: Right. 

Dave Bittner: So, for example, you put your stuff in iCloud. Apple doesn't have access to it. 

Joe Carrigan: Right. But when you go out and get a new phone... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? - and you have to demonstrate that you are who you say you are... 

Dave Bittner: Yeah. 

Joe Carrigan: ...When you get a new Apple device - I just got a new Google device, by the way. 

Dave Bittner: OK. 

Joe Carrigan: I had to reconfigure all of the biometrics on here. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: Somebody else could have reconfigured the biometrics on here under my account. 

Dave Bittner: Oh, I see what you're saying. Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: So, you know, I don't know. 

Dave Bittner: You ultimately still have to have some way to prove that you are who you are. 

Joe Carrigan: Yeah, there still has to be some kind of proof to - yeah, exactly, some kind of identity management product in here or process. But I agree that even just going to this would be a - makes the problem of breaking into someone's account exponentially harder... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because now I actually have to physically approach somebody or go through the entire process of impersonating somebody and incur the cost of buying a new device, which means I can't do this en masse anymore. 

Dave Bittner: Right. 

Joe Carrigan: Right? Particularly if you use Apple, there are no competitor devices out there, right? So for every person I want to - well, if I'm - I guess I can do it with multiple people - right? - or multiple people on one device. But I'm going to have to go out and buy an Apple device... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then start using it specifically for impersonating people. 

Dave Bittner: Well - and, you know, I think what the - ultimately - and I - the thing about having the FIDO Alliance lead the way with something like this... 

Joe Carrigan: Right. 

Dave Bittner: ...Is that we can hope for a world where this would be cross-platform, where if I decided that I wanted to switch from an Apple device to an Android device... 

Joe Carrigan: Right. 

Dave Bittner: ...That everything would still flow through with me. 

Joe Carrigan: Yep. 

Dave Bittner: Right now, as you point out, you know, you're kind of stuck on an operating system. 

Joe Carrigan: Yeah. 

Dave Bittner: It's hard to get off of an Apple device if you're - if you want this convenience. So if we could move to a standard like this that was truly a standard and was interoperable between operating systems, to me, that would be the real, you know, fantasy. 

Joe Carrigan: Right. I agree with you 100%. 

Dave Bittner: And hopefully we'll get there. I mean, you know, FIDO has - many of the big names are part of this alliance, so... 

Joe Carrigan: Yep. 

Dave Bittner: If it's going to happen - you know, FIDO has Google, Microsoft and Apple, so if it's going to happen, this is probably the shot for happening. 

Joe Carrigan: This is where it's going to happen. Right. 

Dave Bittner: Yeah. All right. We'll have a link to that article in the show notes. Again, that's over on WIRED, written by Lily Hay Newman. That's my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from a website called Bankless Times, which I had never heard of before. 

Dave Bittner: (Laughter). 

Joe Carrigan: But it's like a cryptocurrency news site. 

Dave Bittner: OK. 

Joe Carrigan: There is a company called Unchained Capital... 

Dave Bittner: All right. 

Joe Carrigan: ...Which is a bitcoin financial services provider. 

Dave Bittner: OK. 

Joe Carrigan: I find it ironic that they call themselves unchained when they are talking about a cryptocurrency based on a blockchain. You are very much chained... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: ...To the blockchain. 

Dave Bittner: Right. 

Joe Carrigan: But I think their business model is collaborative custody of cryptocurrency. 

Dave Bittner: OK. What's that? 

Joe Carrigan: Now, I'll tell you, it seems antithetical to the idea of cryptocurrencies to me. 

Dave Bittner: OK. 

Joe Carrigan: But it's essentially - key splitting for wallet access is what it looks like from - I did a cursory view, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So now in order for you to have your bitcoin moved out of a wallet, then this - not bank, but this - Unchained Capital has to help you with that process. I can see that value as a fraud prevention device. 

Dave Bittner: I see. 

Joe Carrigan: Right? 

Dave Bittner: So it's - is it kind of like - you know, like, I've been involved with some nonprofits who have a system where, you know, if a check is going to be written in more than a certain amount, it requires two signatures. 

Joe Carrigan: Right. 

Dave Bittner: This is kind of along those lines. 

Joe Carrigan: I think so. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, something like that. 

Dave Bittner: OK. 

Joe Carrigan: But suffice to say, they have a business based on bitcoin. 

Dave Bittner: Right. 

Joe Carrigan: Like any business, they worked with an email marketing company, and this email marketing company was called ActiveCampaign. 

Dave Bittner: OK. 

Joe Carrigan: And about a month ago, Unchained decided they were no longer going to do business with ActiveCampaign. I don't know what they - you know, as a business, you switch providers all the time. 

Dave Bittner: Sure. 

Joe Carrigan: Maybe you decide you're going to in-house it. I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: They say we're not going to do this anymore. So Unchained says to ActiveCampaign, we're done. Please delete all of our data. That's when the bad guys come in - about a month later, right? 

Dave Bittner: OK. 

Joe Carrigan: An attacker pretending to be a staff member from Unchained Capital gets on a chat - a webchat with an ActiveCampaign support representative and gets them to reactivate an Unchained Capital account. Next, they convinced another ActiveCampaign support person on the same chat interface to add an administrative user with a username and password without providing any confirming email addresses. 

Dave Bittner: OK. 

Joe Carrigan: Right? And they gave this information or gave this account access to this attacker. 

Dave Bittner: All right. 

Joe Carrigan: The attacker was then able to change the password on the original account that had been reactivated and access all of the information that Unchained Capital had provided to ActiveCampaign as part of their marketing campaign. So this is a business relationship between - a business-to-business relationship, right? I say to - I'm Unchained Capital. You're ActiveCampaign. So I say to you, Dave, look, here's a list of all my customers, their usernames, their email addresses. 

Dave Bittner: Right. 

Joe Carrigan: And I need you to manage sending these people email. And you go, that's fine. I'll do that. 

Dave Bittner: Yeah. 

Joe Carrigan: And then I say to you, Dave, I'm done doing business with you. Please delete my data. And you go, sure. 

Dave Bittner: Yeah. 

Joe Carrigan: But you don't delete the data... 

Dave Bittner: Oh, OK. 

Joe Carrigan: ...Because that's the crux of the point is the data wasn't deleted. 

Dave Bittner: Right. 

Joe Carrigan: And it was - and these guys were able to access it. I should have made that more clear early on, I guess, but I - that's the major point. 

Dave Bittner: Yeah. 

Joe Carrigan: So here's what was lost - usernames to the Unchained Capital platform. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Email addresses - naturally. 

Dave Bittner: Yeah. 

Joe Carrigan: Account status... 

Dave Bittner: OK. 

Joe Carrigan: ...Whether it was open or closed. IP addresses - that makes sense. Whether the client had active multisignature vault, which is the product that they sell... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or they had received a loan from Unchained Capital. I don't know what kind of loans they work in. Maybe they do bitcoin loans. 

Dave Bittner: Right. 

Joe Carrigan: That's a thing. 

Dave Bittner: OK. 

Joe Carrigan: What was not lost was a lot of PII, right? So... 

Dave Bittner: Well, that's good. 

Joe Carrigan: Unchained Capital gave some information about customers away but not all of it. I don't know why... 

Dave Bittner: Yeah, there's no reason the marketing company would need a lot of the PII. 

Joe Carrigan: Right. There are some questions about - in the information that was lost. Why does Unchained Capital need a username for the platform? An email address, I understand 'cause you're going to send them an email, right? 

Dave Bittner: Right. 

Joe Carrigan: The IP address was probably actually collected by this email company... 

Dave Bittner: Yeah. 

Joe Carrigan: ...From users that clicked on links. Account status - OK, maybe you want to send emails that - I know you closed your account with us. Please come back - those kind of things. So I get why the rest of the information is in there. But you can easily associate a username with an email address on your own end. You don't need to provide that to somebody. What was not lost was a lot of good personally identifiable information, like dates of birth, bank account numbers, physical addresses, passwords, balances, Social Security numbers, IDs, phone numbers, you know, bitcoin addresses, loan balances... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And all the statements and everything. 

Dave Bittner: OK. 

Joe Carrigan: So good division of data for the most part. Like I said, I'm dubious about why you needed to send usernames, but it - what's done is done. So there's risk for customers here, and that's one of the things Unchained Capital is doing with this press release that - they're saying, be careful because now the bad guys have your email address, and they know what kind of customer you are, whether you have a closed account, an open account, maybe a balance - you know, a loan balance. Maybe they're going to harass you or try to convince you that you're going to make your loan payments to a new bitcoin address, right? I can see that as an attack vector. Maybe they're going to say - I don't know how they would scam a dual signature thing - somebody who holds a dual signature wallet to provide their part of the signature if that does any good. I think it's probably going to be mainly with the loan payments. 

Joe Carrigan: Anyway, there are lessons I want everyone to take away from this. For consumers, your data is everywhere, and it's provided willy-nilly to other providers who may not keep it as secure as you think they are. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Or as the other - as the - even the customer company here - Unchained Capital did a good job. They said, we're done doing business. Please delete it. And this company, ActiveCampaign, just said, oh, sure, we'll delete it - and didn't bother to delete it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So you really have to understand that your data gets passed around and may not be cared for properly. For businesses, limit the data that you share with your partners, particularly where you have any kind of financial responsibility to your customers. I think it's just generally - I know that there are a lot of companies out there whose entire business model is customer data. But when you're talking about your business model being something else, guard that data with great prejudice, I guess. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know? 

Dave Bittner: Yeah. You know, I think one of the challenges I could see here is if you're ActiveCampaign or, you know, a company like them... 

Joe Carrigan: Right. 

Dave Bittner: ...And somebody comes to you and says, hey, we're done. You know, we want to - please delete all our data. 

Joe Carrigan: Right. 

Dave Bittner: Right? I suspect it happens from time to time that then, a few days later, a few weeks later, a few months later, they come back in a cold sweat and saying, please tell us you didn't delete all our data. 

Joe Carrigan: (Laughter). 

Dave Bittner: Right? (Laughter). 

Joe Carrigan: I imagine that is exactly right. 

Dave Bittner: Right? 

Joe Carrigan: You know, that's a good point. 

Dave Bittner: So if you're ActiveCamp - it seems to me like if you're ActiveCampaign, maybe the thing you do - and I don't know if this is what they did or not - but maybe you say, very well, we will delete your data. Our standard operating procedure is, data gets deleted in X number of days. 

Joe Carrigan: Right. 

Dave Bittner: And maybe that's 10 days. Maybe that's 60 days. I don't know what it is. But then - you know, then before you actually hit the delete button, you go back to your customer, and you say, OK, today is zero day, right? 

Joe Carrigan: Right. 

Dave Bittner: Today is the day we're deleting your data. And once it's gone, it's gone for good, and we cannot get it back. We're just calling to verify you really want us to hit the delete button. 

Joe Carrigan: Right. 

Dave Bittner: And then you do. So, you know, I don't know - who knows to what degree any of that might or might not have been going on behind the scenes. 

Joe Carrigan: Right. 

Dave Bittner: But I can imagine that that's a thing. 

Joe Carrigan: I can imagine that as well. 

Dave Bittner: And so I have a little bit of sympathy for ActiveCampaign in that, sometimes, if you don't immediately delete the data, you can be a hero. 

Joe Carrigan: Right. 

Dave Bittner: Right? In this case, the opposite happened. 

Joe Carrigan: You're not, right? 

Dave Bittner: Yeah. 

Joe Carrigan: In this case, you're the - you look like the - I don't want to say incompetent, but maybe - 'cause your point is valid, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But you're not the villain. The bad guy is the villain in this one, right? 

Dave Bittner: Sure. 

Joe Carrigan: ...The guys that broke in. They could have better processes, though. 

Dave Bittner: Yeah. 

Joe Carrigan: You could have better processes in place. 

Dave Bittner: Yeah. Absolutely. 

Joe Carrigan: This is not something you do just over a chat interface 'cause that could be anybody talking to you, especially... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...With no email... 

Dave Bittner: That's a good point, too. 

Joe Carrigan: ...Coming through. 

Dave Bittner: Yeah. Right. To have - to enable an account that had basically - what was it? - admin... 

Joe Carrigan: Admin access. 

Dave Bittner: ...Access over chat... 

Joe Carrigan: Right. 

Dave Bittner: ...That seems a little bit willy-nilly to me (laughter). 

Joe Carrigan: It does. Yeah. So that's why I err on the side - or that's why if I'm erring, I'm erring on the side of, there's other things in here that point to something not being well-managed, in my opinion. 

Dave Bittner: Yeah. Yeah. Yeah. All right. Well, we will have a link to that story in the show notes. Joe, it is time to move onto our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Matt. And Matt writes, hi, Dave and Joe. I'm a longtime listener to the CyberWire podcast. And I especially enjoy "Hacking Humans." I received the email below three times within 15 minutes... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Which I thought you might find qualifies as a Catch of the Day. It does. It's definitely a good Catch of the Day. 

Dave Bittner: (Laughter). 

Joe Carrigan: As soon as I saw it those three times, a field of red flags popped up in my mind - from this Latin American source, but then suddenly multi-jurisdictional, multi-organizational, eminently charitable council union or organization that wanted to give me $20.5 million. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Why don't you read this email, Dave? This is... 

Dave Bittner: All right. It goes like this. Hello. My name is Sindy Marisol Benavides, Washington, D.C., currently serving as the national director for Civic Engagement and Mobilization for the League of United Latin American Citizens, the oldest civil rights Hispanic organization in the country. The League of United Latin American Citizens is in conjunction with the global financial integrity in offering temporary relief funds of $572,470,000 to small business owners to address the COVID-19 pandemic - economy, job growth, educational attainment, political influence, real estate, housing, health, civil rights, rents and loan. However, at the International Financial Organization annual meeting in Dubai, United Arab Emirates, which convened world leaders to discuss the global, regional and industrial agendas in the middle of each year. 

Joe Carrigan: That's the end of the sentence (laughter)? 

Dave Bittner: That's the end of the sentence. 

Joe Carrigan: That's not a sentence (laughter). 

Dave Bittner: It's just a - all right. It was agreed, among other things, and in with the global financial integrity, that making growth sustainable, making growth inclusive and harnessing technology for good is a priority and must be tackled without delay. The amount which was awarded to you is U.S. $20.5 million. Speaking with the United Nations Association of the USA and with the Council of Europe, adding the Asian Parliamentary Assembly, are all in support of the payoff of beneficiaries from countries in Europe who are under the European Union Organization, also USA and Asia. 

Joe Carrigan: So everybody's in, Dave? 

Dave Bittner: Everybody. 

(LAUGHTER) 

Dave Bittner: Yeah. Poor penguins in Antarctica. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Therefore, the EU parliament, which is headquartered in Strasbourg, France, and has administrative offices in Luxembourg City, initiated an electronic random pick. And through this electronic random pick, your email was chosen for the implementation of making sustainable growth and harnessing technology for good. Funds have been mapped out for those picked in this process. And the disbursement will be monitored by the Global Financial Integrity representative. You are therefore advised to contact Mrs. Jan Schakowsky, who will monitor the release of your funds. Here is her email contact. Note our organization has well-donated over $200 million to the people of Ukraine for the ongoing crisis to help distribute foods, medication and shelter to the 150 million refugees who fled Ukraine to Poland, and to others who has fled to their neighboring countries for safety. We stand with Ukraine. And we work for peace. Best regards, Sindy Marisol Benavides. Whew. 

Joe Carrigan: Whew. This is a good one. 

Dave Bittner: There's a little bit of everything in here, Joe. 

Joe Carrigan: First off, this scammer is one name dropper. 

Dave Bittner: Oh, yeah (laughter)? 

Joe Carrigan: Yeah. I did a little bit of research. 

Dave Bittner: OK. 

Joe Carrigan: Ms. Benavides is, in fact, affiliated with LULAC - L-U-L-A-C - which is - what? Latin - the League of United Latin American Citizens. This is an American organization. 

Dave Bittner: OK. 

Joe Carrigan: Right? 

Dave Bittner: So that organization exists? 

Joe Carrigan: It exists. And Ms. Benavides is the CEO. It says she's the executive director of communication - or of community engagement at the top, right? 

Dave Bittner: Yeah. 

Joe Carrigan: But, no, she's the CEO. She's the head of this organization. The name that they say, Jan Schakowsky... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That's the name of a U.S. House of Representatives member. 

Dave Bittner: (Laughter). 

Joe Carrigan: So not anybody from whatever organization it is. All these organizations that are listed in this email actually exist... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? - which is really interesting. And it looks like somebody just did a Google search and found, oh, like, the EU parliament. Oh, they have - on Wikipedia, it says they meet in France. And they have offices in Luxembourg, right? So it's very interesting. The IFO is not related at all to any of this stuff. That's not what they do. 

Dave Bittner: Yeah. 

Joe Carrigan: But they're just crammed in here - shoehorned, if you will. 

Dave Bittner: I - what caught my eye was how they sort of tacked on the situation in Ukraine... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Which, of course, is terrible... 

Joe Carrigan: Right. 

Dave Bittner: ...And heartbreaking and all of those things. But it also struck me that they talk about 150 million refugees who fled Ukraine. I don't think Ukraine has 150 million... 

Joe Carrigan: Citizens. 

Dave Bittner: ...Citizens (laughter). 

Joe Carrigan: I think you're right. 

Dave Bittner: I want to say Ukraine has, like, in the 30 million - I think their population is comparable to Canada... 

Joe Carrigan: Right. 

Dave Bittner: ...Something like that. I don't mean to make light of any of that. But this is... 

Joe Carrigan: Right. No. But, I mean, this is another... 

Dave Bittner: This number is way off. 

Joe Carrigan: Another error, right. 

Dave Bittner: Right. Right. 

Joe Carrigan: They're off by an order of magnitude. 

Dave Bittner: Yeah (laughter). So, all right, well... 

Joe Carrigan: Yeah. Do not respond to this email. The... 

Dave Bittner: Yeah. I don't think you're going to get your $20.5 million there. 

Joe Carrigan: Yeah, the email they have for Jan Schakowsky - first off - and later on, they address Jan as Mr. Schakowsky, right? But the email they have is actually - has a domain that is, like, an impersonation domain with the world integrity - world fund integrity or something like that. 

Dave Bittner: I see. 

Joe Carrigan: It's interesting. 

Dave Bittner: All right. Well, that is a good Catch of the Day. 

Joe Carrigan: It is. 

Dave Bittner: So thanks to our listener for sending that in to us. 

Joe Carrigan: Thank you, Matt. 

Dave Bittner: Again, we would love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Jim Ducharme. He is COO of a company called Outseer. And what we were discussing was buy now, pay later scams - a real interesting explanation of what those are and why they continue to grow. Here's my conversation with Jim Ducharme. 

Jim Ducharme: So BNPL is the latest in some new ways to allow consumers to pay for goods and services. So we're all used to paying online with our credit cards or even in person in credit cards. But buy now, pay later offers another way to pay when you check out. So you may see this in any online store when you go to check out - say, how would you like to pay? You're going to pay credit card. And now you'll see these buy now, pay later - putting it on installment plans. So it really helps people to take large purchases and break them down into sort of installment plans, if you will, and alternative ways to pay for goods and services, as I said. 

Dave Bittner: And what's going on behind the scenes here? Is this a third party who provides the financing to the merchant for this, or how does it generally set up? 

Jim Ducharme: Yeah, in some cases, it is new payment vendors that are establishing relationships with these merchants. So you're doing business with a whole new entity as opposed to, for example, using your credit card. You know, you may have a Visa, MasterCard, American Express card that you already have an account, and when you shop at a merchant, you just give them the card numbers. In some cases, with the buy now, pay later, you're dealing with an entirely new entity that you can even sign up for as you're checking out. So if you'd like to use some of these buy now, pay later services, they'll actually enroll you in their service, create a buy now, pay later account, and then pay for the goods and services to the merchant. In other cases, there's what we call the retroactive model of buy now, pay later where you still use your credit card like you always would. And then after the purchase, having nothing to do with the merchant, you can go to your respective bank and say, hey, I'd like to put that purchase on an installment plan. So we actually see both models happening today in the space of buy now, pay later. 

Jim Ducharme: But mostly, you're seeing the credit card companies do that in response to giving consumers that flexibility of the installment plan. So when you're checking out, consumer's going, hey, you know, I don't want to spend a hundred bucks, but I don't mind spending three payments of $33 a month. So - you know, so the credit card companies start to lose business against these buy now, pay later companies. So they're also starting to offer the same flexibility of easy installment plans. 

Dave Bittner: I see. And, of course, anywhere where there's money changing hands, that's an opportunity for fraud. And that's something you and your colleagues have been tracking. 

Jim Ducharme: That's exactly right. You know, that's the challenge with - as we innovate all these wonderful new ways to pay, there's great opportunities for fraudsters to find new weak points in these solutions. And that's exactly what we look at. And we try to stay ahead of the curve here and ahead of the fraudsters to make sure that we can prevent that fraud in these new payment methods. 

Dave Bittner: Well, take us through some of the things that you all are tracking. How are the frauds being executed? 

Jim Ducharme: Yeah. So in some cases, you know, it's really what's old is new. Attackers are using a lot of the same techniques they used before of either account takeover or, in some cases, a new type of fraud called synthetic identity fraud. And what that really is is when - in synthetic identity fraud, when a fraudster goes to check out, they'll use social engineering or other means to basically steal somebody's identity and pretend to be you and just have the merchandise shipped to them. So we see this quite a bit where, you know, somebody creates an identity or uses a synthetic identity to pretend to be somebody, get that installment plan, purchase the goods and services, and then by the time fraud is detected, the rip-off has already happened, if you will. In the case of account takeover, you know, again, a similar sort of thing where people are stealing credentials or ways to get into an account so that they can again enable this new way to pay and basically steal those goods and services using somebody else's account or identity. 

Dave Bittner: So when fraud occurs in a case like this, who ultimately is on the hook? Is it the consumer, is it the merchant or is it the BNPL provider? 

Jim Ducharme: Yeah, great question. So again, as we introduce these new payment methods, that's always one of the challenges of where - you know, where is the liability? With your credit card, as you probably know, the consumer is typically not responsible for the fraud, and the credit card company's responsible for that. And so they've put a number of controls in place to help prevent fraud and mitigate that risk. And so what we're seeing is in - you know, with these new buy-now, pay-later methods, you know, we have to look at those same things. And in these cases, these buy-now, pay-later companies are typically going to be held liable to that fraud. But, again, some of the newer companies don't necessarily have the decades of fraud prevention capabilities in place or even the sophistication of the new attack patterns of, you know, fraud at the point of an account enrollment versus what we're typically - you know, what we've traditionally done for fraud prevention at the point of a transaction. 

Jim Ducharme: Now with buy-now, pay-later, you've got both things happening at the same time. You both sign up for an account - much the same way you would, you know, apply for a credit card - but seconds after your application, you're also making that purchase. So that's where some of those complications come in - is the enrollment is happening really at the same time as the transaction and the purchase. So that liability comes in of, you know, who's actually making - who's actually completing that purchase? And in this case, it's the - you know, the buy-now, pay-later vendor if you're using them directly, or it falls back on - you know, again, in the retroactive model, will fall back on your credit card company as well. 

Dave Bittner: Are we seeing circumstances where someone will, for example, make the first payment of a multipayment agreement and then, you know, fall off the face of the earth that way so - you know, buy some high-price item and only pay a little bit for it? 

Jim Ducharme: Yeah. I mean, you know, and that's a different type of fraud - we call it first-party fraud - where, you know, they make the purchase. They've only paid a portion of that. But, you know, that presents a different type of risk, which is really the credit risk, right? And really not much different than if you - you know, you get a credit card, they give you a $10,000 limit, and you rack up a charge on it. You know, you rack up $10,000 in balance, and then you just don't pay the balance. So in that respect, it's still a - you know, that's still a credit risk sort of thing - or what we call first-party fraud, where people are just not paying their agreement, right? 

Dave Bittner: Yeah. 

Jim Ducharme: But when we talk about fraud, it's typically somebody else using your account or, you know, taking something that's not theirs, if you will. 

Dave Bittner: I see. So are - is buy-now, pay-later something that is best avoided, or is it a legitimate tool when done right that is good news for consumers? 

Jim Ducharme: Well, I think for the consumers, I think it's a great - it's yet another convenient way to pay for goods and services. But again, much like any new payment method, it's not without its risks of fraud, et cetera. I don't think we should shy away from it from a consumer perspective, but understand that there are new risk areas where you have to protect your identity. In much the same way, you know, we've tried to teach consumers to protect their credit card numbers, protect their identity, it's even more important now with these buy-now, pay-later approaches because now with simple, you know, identity information, somebody can go into a merchant and say, hey, I'm Jim Ducharme. I'm from southern Maine. Here's my address. Here's my phone number. I'd like to buy this. Oh, by the way, ship it to my house in New Jersey. And now, you know, they've put the real Jim Ducharme on a payment plan for merchandise they didn't even order. 

Jim Ducharme: Consumers have to be more aware that there are new types of ways that fraud can be committed against them other than just somebody stealing their credit card number. But I would encourage, you know, consumers to look at whatever methods of payment will work best for them, but be diligent about protecting their identity, protecting - you know, protecting all the information that fraudsters can use to impersonate them. 

Dave Bittner: What about on the merchant side? Any extra things that they need to be on the lookout for if they engage with one of these providers of BNPL? 

Jim Ducharme: Sure. On the merchant side, if there's new providers - right? - you know, they've got to look at where that liability does lie. What's their responsibility in protecting that transaction, protecting the consumer? Working with the BNPL providers to understand what controls they've put into place to prevent fraud - because at the end of the day, even if the merchant isn't held liable for the fraud itself - i.e. the financial damages - there certainly can be reputational damages if a merchant, you know, uses a payment method that fraudsters love to take advantage of. And, you know, this is another type of thing that we track, where we see certain merchants that are more susceptible to fraud than others. That results in a - and because they don't have the necessary controls to prevent fraud, so it results in reputational damage of, you know, that merchant has a lot of fraud happening - results in reputational damage on the merchant. 

Jim Ducharme: So I would encourage them to look at, you know, do the providers that they work with have the sufficient controls in place to prevent fraud? What is the liability put on them? And what is the impact to the end user, right? What is that ultimate customer experience, their checkout experience? Because the No. 1 thing merchants are going to care about is making sure they get the transaction. What is that - what is the ease of doing business with the merchant? And now they're handing over a lot of that experience to a new type of payment provider. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: You know, Dave, I have noticed my credit card provider is offering this kind of service. Like, I'll get text messages going, hey, do you want to put that on a payment plan? 

Dave Bittner: Yeah. 

Joe Carrigan: I just ignore them. But when I purchase my new phones, I use the Google Store's interest-free promotion, right? 

Dave Bittner: Oh, I see. Sure, sure. 

Joe Carrigan: Which is run through Synchrony Bank, which is, I guess, kind of like a buy-now, pay-later. 

Dave Bittner: Yeah. 

Joe Carrigan: You got to be careful with these. One of the things I'll tell you is they have these retroactive interest clauses... 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: ...That are usurious, if you will. 

Dave Bittner: Right. Right. 

Joe Carrigan: So you know, they're perfectly fine with you not paying everything as you agree to pay over time, you know, making smaller payments. Or, you know, if anything goes wrong during the course of you making these payments, they tack on all the interest... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That you would have accrued. 

Dave Bittner: Right, retroactively. 

Joe Carrigan: Retroactively. 

Dave Bittner: And it's a big number. Yeah. 

Joe Carrigan: Right, it is a big - I don't know how this is legal in the United States, but... 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't know. It's interesting that it's the same scam that we've always seen, the synthetic ID fraud. I think about when I was setting up my Google account because I actually used the same promotion to purchase my last Google phone... 

Dave Bittner: OK. 

Joe Carrigan: ...The Pixel 3. 

Dave Bittner: Yeah. 

Joe Carrigan: And it was pretty easy for me to set that up. I imagine it would be pretty easy for someone to set up a fraudulent one as well. 

Dave Bittner: Oh. 

Joe Carrigan: Right? So what was also interesting was it was weeks before I had to make a payment to this thing. So if somebody else set up a fraudulent account like this and then ordered some stuff and had it shipped, there would be a long period of time where they would have to get these products in the mail. And a payment would be due before anybody would realize anything was wrong. I think with a phone, there's a lot more recourse, right? Like, you can put the unique equipment ID, whatever that number is - I can't remember what it is off the top of my head. 

Dave Bittner: Right. 

Joe Carrigan: But you can put that in a global database. There's actually a global database of invalid phones... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Out there. 

Dave Bittner: OK. 

Joe Carrigan: And some carriers won't even let you put them on their network because they're stolen phones. 

Dave Bittner: OK. 

Joe Carrigan: And they might be bricked. You can - I don't know if suppliers can brick the phones remotely. I have no idea. 

Dave Bittner: Yeah. 

Joe Carrigan: But other goods, they're gone, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And they're still useful to people. 

Dave Bittner: Right. 

Joe Carrigan: If someone uses your name to do this, make sure that every conversation that you have with whoever is trying to collect on it indicates that you - that this is a fraudulent transaction and you owe them nothing. Make sure you say that. Never say - you know, and some of these guys will try to - you know, unethical collection officers will try to say, well, just tell me that this is a debt that you think you really owe, right? 

Dave Bittner: Yeah. Right. 

Joe Carrigan: You say that and they have you. 

Dave Bittner: Yeah. 

Joe Carrigan: Now they can take you to court and say, this person owes me this money because here he admitted to owing it. Never even do that. Say, no. I don't owe you this money. This is wrong. This is fraudulent. You're on the hook for the money. Don't bother me anymore. 

Dave Bittner: Right. Right. 

Joe Carrigan: As far as account takeover goes, same thing I say every time, Dave - multi-factor authentication, multi-factor authentication, multi-factor authentication. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: Right? It's an interesting question, who's on the hook. I don't care who's on the hook as long as it's not the consumer. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? I don't care if it's the manufacturer company or the buy now, pay later company. I don't want the consumer being on the hook or being harassed for it. This is a business risk that you're taking. You're going out on a limb here. You're offering this finance service. You're - whenever money is offered in a finance service, that money is at risk. And it's a business decision that you're making. So if you get scammed out of the money because somebody sets up a fraudulent account, don't harass the consumer. So this buy now, pay later thing kind of is a relatively new experience for consumers, right? Have you done any of these? 

Dave Bittner: No. I mean, I've taken advantage of some - you know, like you say, where somebody says, you know, interest-free payments over X number of months. 

Joe Carrigan: Right. 

Dave Bittner: And kind of my standard for that is if I can set up some sort of autopay... 

Joe Carrigan: Right. 

Dave Bittner: ...Then I'll do it. 

Joe Carrigan: Yep. 

Dave Bittner: And, you know, it just makes my cash flow a little bit easier. But I'm not at risk of falling into the thing you described... 

Joe Carrigan: Right. 

Dave Bittner: ...Where I'm going to be hit with some kind of big interest fee or something like that. 

Joe Carrigan: I do it for things like phones. I think I've done it for furniture. But those were managed through - the furniture one was actually through a Wells Fargo organization. And the phones are through Synchrony Bank. So... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is - that's also who does the Amazon financing, the Amazon card financing. 

Dave Bittner: Yeah. 

Joe Carrigan: And their rates are ridiculously high. So make sure you're paying those off every month if you have an Amazon card or if you have your phone. Don't get caught back with those. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a new vector for customers to be aware of. And if you're a merchant, when you're thinking about your customers and how you're going to offer this kind of service to them, do your due diligence on that finance company. Make sure that they're, you know, a bona fide company. Like, you know, Wells Fargo, I think, OK, good. Wells Fargo is a big company. They've been around for hundreds of years. 

Dave Bittner: Yeah. 

Joe Carrigan: Maybe we use them. Synchrony Bank, I think they do a pretty good job of this. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, they're a large company that probably has a good security posture. But... 

Dave Bittner: Right. 

Joe Carrigan: But ask about that. 

Dave Bittner: Joe's Finance Emporium? Maybe not so much. 

Joe Carrigan: Right. Yeah. Exactly. 

(LAUGHTER) 

Dave Bittner: All right. Well, interesting conversation for sure. And again, thanks to Jim Ducharme from Outseer for taking the time to speak with us. We do appreciate it. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.