Hacking Humans 4.21.22
Ep 193 | 4.21.22

On the front lines of fraud protection.


Pete Barker: You know, the fraudsters never stop. Once they find a way in, they just continue to go and go and go.

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Pete Barker. He's director of fraud and identity at an organization called SpyCloud. 

Dave Bittner: All right, Joe, before we get to our stories this week, we have a couple of items of follow-up here. 

Joe Carrigan: We do, indeed. 

Dave Bittner: What did our listeners have to share with us this week? 

Joe Carrigan: Micah writes in to comment on our Catch of the Day from last week. He says, if I had to guess - now, this is the postcard that came in the mail with the QR code. 

Dave Bittner: OK. Yeah. 

Joe Carrigan: He said, if I had to guess, this was someone building a database to correlate IP addresses to home addresses. This kind of data is valuable for selling. And one way to test it, he suggests, is to decode the QR code without actually going to the URL and see if there's a unique identifier in there, which is a great suggestion. 

Dave Bittner: Right. 

Joe Carrigan: He thinks the method of mailing QR codes would be fairly effective but not 100% reliable because people receiving the mail would be at home when they receive it, but they might not be connected to their Wi-Fi yet. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: But it's pretty - this is still a valid point. I don't think that's what's going on in our Catch of the Day. I think that was just a mass-printed mailer that somebody did on their own. But this is still a good point. For marketing purposes, it would be remarkably simple to mail out unique identifiers and track who you mailed them to. And then - yeah, I mean, you could just put a hash of people's address in there. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: And bam - it's a great idea. 

Dave Bittner: Yeah. One of our other listeners wrote in about this as well and reminded me - because we had asked it - I think I had wondered, had anyone ever just sent out postcards with just a QR code and nothing else on it? 

Joe Carrigan: Right. 

Dave Bittner: And someone reminded me that someone did just that thing during the Super Bowl this year. Remember the... 

Joe Carrigan: Right. Yes. 

Dave Bittner: They did the Super Bowl ad. 

Joe Carrigan: I believe that was Coinbase. 

Dave Bittner: Yeah, that just had the QR code. 

Joe Carrigan: Yes. And I was screaming at my family not to scan it. 

Dave Bittner: (Laughter). 

Joe Carrigan: Don't do it, I said. 

Dave Bittner: It's too late for me. Don't do it. Don't do it. 

Joe Carrigan: (Laughter) Right. Micah also says, thanks for making the show, especially to the audio engineers at the CyberWire. They do a terrific job, especially compared to some of the mainstream news podcasts I listen to. 

Dave Bittner: Oh, well, that's very nice. 

Joe Carrigan: Thank you, Micah. 

Dave Bittner: Our editors, as they listen to and edit this episode, will smile to themselves in appreciation. 

Joe Carrigan: Yes. They go, ah, here's the one bright spot in me having to edit a podcast with Joe Carrigan on it. 

Dave Bittner: (Laughter) There you go. All right. We got some more follow-up here. What else do we have, Joe? 

Joe Carrigan: We have Kevin, who writes - he was listening to the podcast, episode 192, which was our last episode. And you said something interesting about a certain person's PII and how it can be used. Your discussion made me reconsider the statement, quote, "this information alone does not constitute PII, but in combination, it can become PII." That's personally identifiable information, if I haven't - I think I may have already said that. Anyway, Kevin says he has a friend who found a service on the dark web that gives a discount if you have partial information, like a Social Security number or a credit card number. Because there are databases out there of all of our information, if you're looking for some portion of that information, you can get the rest of it from some service on the dark web, on these dark markets. 

Dave Bittner: So kind of a correlation service that connects the dots between... 

Joe Carrigan: It's remarkably simple, Dave. It's just a database search. It's just putting it into a query. And these databases are out there, and they exist. 

Dave Bittner: Mmm hmm. Wow. All right, well, thanks to everyone for sending in those comments and questions. We would love to hear from you. You can send us an email. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Let's jump into some stories here this week. I'm going to start things off for us. My story comes from BleepingComputer, and it's titled "Android banking malware intercepts calls to customer support." So this is a new one. This is a banking Trojan for Android. Researchers from Kaspersky are calling this Fakecalls. And basically what this does is it pretends to be your bank's customer service app. 

Joe Carrigan: Right. 

Dave Bittner: And when you call your bank - and you can even put in the actual real number for your bank... 

Joe Carrigan: In your phone. 

Dave Bittner: In your phone - in your mobile device. Right. 

Joe Carrigan: In your phone app, because we don't actually have a phone now. We have a computer with a phone app on it. 

Dave Bittner: There you go (laughter). So your mobile device - you can put in the phone number for your bank and this app intercepts it and sends it to their own call center. And the folks at the call center even have, you know, phony hold announcements. 

Joe Carrigan: (Laughter). 

Dave Bittner: Thank you for calling. We're currently having an unusually large volume of calls - that sort of thing. 

Joe Carrigan: Right. 

Dave Bittner: And then they connect you with an operator who is pretending to be from the bank and is not from the bank. It's from their - it's the bad guys. 

Joe Carrigan: The scam center. 

Dave Bittner: The scam center. And then they gather all your information. And you think that you're speaking to the bank and customer service, but you're not. You're talking to the scammers. 

Joe Carrigan: Huh. 

Dave Bittner: Yeah. 

Joe Carrigan: Where are people getting this app? 

Dave Bittner: Well, that's the thing, isn't it? Evidently, people are sideloading this. So it's not up on the regular Google Play store, but I suspect what's happening is someone does a Google search and says, you know, bank name customer service. 

Joe Carrigan: Right. 

Dave Bittner: And these folks are probably running ads that pop up that says, bank name customer support app. You know, don't wait in line for service, fastest way to get service - or something like that, right? 

Joe Carrigan: Yes. I'll bet that's exactly right. 

Dave Bittner: People go through. They see it. It has all the right logos. The phone numbers match up. Everything looks legit. And who would go to the trouble of building a custom app, right? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: That's a scam app. 

Joe Carrigan: That would be stupid. 

Dave Bittner: Yeah. And so here we are. 

Joe Carrigan: That's - Brian Brushwood was saying that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That his - you know, a lot of times that's how people think these things through to themselves. They think, they could build this custom app, but that would be stupid. 

Dave Bittner: Yeah. So, so far, these folks seem to be targeting people in South Korea. It doesn't seem to have made its way over to our part of the world yet, but I suppose that's only a matter of time. 

Joe Carrigan: Oh, it will be here. 

Dave Bittner: (Laughter). 

Joe Carrigan: If this works well in South Korea, if this - South Korea is a test market. That's what this is. 

Dave Bittner: Yeah. Yeah. So recommendations here - of course, don't sideload apps. 

Joe Carrigan: Don't sideload apps. Never sideload apps. If you're not developing applications, you have no reason in the world to set that little flag in your phone to allow apps from third-party stores. 

Dave Bittner: Right. 

Joe Carrigan: I mean, there are third-party stores - like, Amazon has an app store that you might want to use, I guess. I don't know. If it's available on Amazon, it's probably also available on the Google Play store... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or on the Apple store. I don't know that you... 

Dave Bittner: You can't sideload on an iOS device. 

Joe Carrigan: Yeah, you can't sideload on iOS. 

Dave Bittner: Doesn't mean that - you know, sometimes things get through on Apple's App Store as well. 

Joe Carrigan: Right. Yeah, and they do that with the Google Play store as well. 

Dave Bittner: Yeah. 

Joe Carrigan: These things - it was just a story you guys were talking about on the CyberWire, where somebody went through and found, like, 10,000 apps... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That were all carrying banking malware. 

Dave Bittner: Yeah. It seems like these folks, I think, tend to go to Android first because it is - I think the bar is lower. 

Joe Carrigan: Right. 

Dave Bittner: It's easier to get to because you can sideload things, and I think it is a little easier to get things onto the Google Play store than it is on the iOS side. 

Joe Carrigan: Right. 

Dave Bittner: But yeah... 

Joe Carrigan: Well, I'm going to quote Chris Rock here. Just because you can do something doesn't necessarily make it a good idea. I'm sure you can drive a car with your feet, too. 

Dave Bittner: (Laughter) Right. So if you're looking for your bank's customer service app, go to the legit app stores. 

Joe Carrigan: Right. 

Dave Bittner: Make sure it's the real one. But I think this points out that extra vigilance is required... 

Joe Carrigan: Yes. 

Dave Bittner: ...Because it's getting harder to tell, and the bad guys are upping their game, making custom apps. All right. Again, that's from BleepingComputer. We will have a link to that story in the show notes. Joe, what do you have for us this week? 

Joe Carrigan: Dave, my story comes from Bailey Hurley at Valley News, which is a news organization out of North Dakota. 

Dave Bittner: OK. 

Joe Carrigan: And there's a woman named Angie Olson, who is a teacher who works in Fargo. She is 76 years old. 

Dave Bittner: Oh, you betcha. 

Joe Carrigan: (Laughter) Right. She had just gotten home from school to find a pop-up message on her laptop telling her that - to call a specific number for help, right? 

Dave Bittner: OK. 

Joe Carrigan: So when she called the number, a man named Wilbur - and the article puts it in quotes because I'm quite sure his name wasn't Wilbur. 

Dave Bittner: Yeah. 

Joe Carrigan: Right - told her not only had - did her computer have, quote, "loads of child porn" on it, but her phone and her bank were all compromised... 

Dave Bittner: OK. 

Joe Carrigan: ...OK? Now, I can think of nothing more terrifying to a teacher than to say we found loads - than to lie to them and say we found loads of child porn on your computer. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: All right. That is - this is... 

Dave Bittner: It's a career killer. 

Joe Carrigan: It's a - well, yeah. Not only that, but it runs the risk of tainting your entire career, especially if it's not true. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: That kind of thing can just - and even the accusation of it can ruin a career. 

Dave Bittner: Sure. 

Joe Carrigan: But this is this weird confluence where somebody says, hey, we found a bunch of CSAM images on your computer to somebody who works with kids on a daily basis - right? - and is not somebody that does that kind of thing. 

Dave Bittner: Right. 

Joe Carrigan: Right. So the other thing he said was, one thing I'm going to tell you right now is that you authorized the withdrawal of money from your account last night at 4:30 in the morning. And Ms. Olson is like, what? And he says, yeah, $15,000 is expected to be taken out of your account in 2 hours. 

Dave Bittner: OK. So the clock is ticking. 

Joe Carrigan: Right, exactly. 

Dave Bittner: All right. 

Joe Carrigan: All right. So notice how this is working. 

Dave Bittner: Yeah. 

Joe Carrigan: One, he scares the ever-loving crap out of this woman. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Right. Two... 

Dave Bittner: That's a term of art (laughter). 

Joe Carrigan: Right. That's right. Two, he puts this two-hour artificial time constraint on her, right? Now she's worried. And he says, I'm going to connect you to your bank, which is Gate City Bank. I don't know how we got the name of her bank. She probably actually told them and doesn't recall it from this incident. That's a cold reading technique... 

Dave Bittner: Sure. 

Joe Carrigan: ...These guys do. You know, like, when a psychic says, I'm getting a name - a name that starts with an M or an N or a K or an L. Larry - yes, Larry. That's right. 

Dave Bittner: Right. 

Joe Carrigan: You know, it's that kind of thing. So the guy calls up the bank. It's not the bank. But the guy from the customer service organization of the bank says - who says his name is Dave - says you need to go physically to the bank and withdraw the money and then wire it to a new secret account to protect it. They coached this woman on the phone the entire time, including what she should tell employees of the bank so that that didn't raise any red flags. 

Dave Bittner: Wow. 

Joe Carrigan: Right? She was then instructed to take the cash to a bitcoin ATM. 

Dave Bittner: Wait for it. 

Joe Carrigan: Right (laughter). 

Dave Bittner: OK. 

Joe Carrigan: Bitcoin ATM in South Fargo to keep the money safe from scammers. 

Dave Bittner: Sure. 

Joe Carrigan: OK. Dave and Wilbur promise the money will be returned the next day. Of course, it will not be. 

Dave Bittner: Yeah. 

Joe Carrigan: A few things I want to talk about here. These scammers have adapted, right? They're getting a lot of their money clawed back from wiring the money out to another account - right? - as a fraudulent transfer. So they've adapted to saying, well, we'll get around that. We'll just have people go buy bitcoin with cash and send us the bitcoin 'cause there's no clawing that bitcoin back unless you physically get access to those keys. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? If you don't do that, you'll never get the money back. 

Dave Bittner: So you can walk up to a bitcoin ATM with $15,000 in cash... 

Joe Carrigan: Apparently, yeah. 

Dave Bittner: ...And shuffle $20 bills into this machine one at a time... 

Joe Carrigan: Right. 

Dave Bittner: ...And have it turned into bitcoin? 

Joe Carrigan: Yeah. I know that you can do that with $5 bills, Dave. That's the only thing I've ever purchased is - I've purchased litecoin from a bitcoin ATM. 

Dave Bittner: OK. 

Joe Carrigan: And I'll tell you, it's not a good deal because I pay $5, and I get $3 worth of litecoin. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Whoever is operating that bitcoin ATM is making a lot of money. 

Dave Bittner: Yeah. I was thinking - just the way my mind works, I was thinking, set up a fake bitcoin ATM, right? All it does is suck in money... 

Joe Carrigan: Right. 

Dave Bittner: ...Tells you it's created a bitcoin and then, you know, the next day you collect your ATM full of money. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) And off you go. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't know. Maybe that would work. 

Dave Bittner: Yeah. 

Joe Carrigan: There might be a way to make it work. 

Dave Bittner: Yeah. OK. 

Joe Carrigan: I don't know. It could. I mean, I'll tell you, I only did five bucks 'cause I was afraid of exactly that situation, you know? If I put five bucks in here, what do I lose? Not much. But if I put $15,000 in here, I'm out $15,000. 

Dave Bittner: Yeah. Yeah. So back to Ms. Olson. 

Joe Carrigan: Anyway, back to Ms. Olson. 

Dave Bittner: OK. 

Joe Carrigan: I want to focus on some of the quotes in this article from Ms. Olson. 

Dave Bittner: OK. 

Joe Carrigan: OK. This is a quote. Once I truly was scared that I was losing my money, I just fell for everything. And I didn't see any red flags. Today, I see them all over the place, right? Very common. 

Dave Bittner: Yeah. 

Joe Carrigan: Very common thing. What happened to Ms. Olson was she got put into an absolute state of fear where she couldn't think clearly through this thing. An outside influence friendly to Ms. Olson could have been of great help. So if you ever get into this kind of situation where you're having these kind of things happen, if you can reach out to somebody else, even though these guys are telling you not to... 

Dave Bittner: Right. 

Joe Carrigan: ...Go ahead and do that. 

Dave Bittner: Right. 

Joe Carrigan: It also helps to be inoculated against these kind of things, to know these kind of scams. Ms. Olson said she had never heard of these scams before, so it was new to her. 

Dave Bittner: Yeah. 

Joe Carrigan: It's one of the reasons it worked. Another great quote - it feels like my mind was controlled. My choices were taken from me. I had to do this. I lost control of my thinking, which is exactly what these guys do, OK? Today, I think I was stupid, but at that point, I was like, no, they're helping me, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: These are all telltale signs that you're under the control and influence of another person. And again, I'm going to quote Brian Brushwood again. He says, these scams don't work on us because we're stupid. Ms. Olson is not stupid. She's a schoolteacher. She teaches other children. She fell for the scam because she didn't know it was a scam. And she was scared witless by the accusations these guys made. These accusations are designed to scare you witless. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: And all you are thinking about when someone makes this kind of accusation is, what about all the kids I've educated, right? What about the law enforcement coming to find this out? You know, what's going to happen here? That's pretty much where your focus goes to... 

Dave Bittner: Yeah. 

Joe Carrigan: ...When these guys make these kind of horrible accusations about it. The last quote from Ms. Olson I want to say - repeat here is, she says, it's a $15,000 lesson that I'm paying forward. OK. Ms. Olson came forward about this - not only came forward but talked about it with a news outlet... 

Dave Bittner: Right. 

Joe Carrigan: ...And made a report about it. Good for you, Ms. Olson. Thank you very much. I hope that more people read this kind of thing or hear about this thing or watch the article on the - or, you know, the story on the news and just become aware of these things. You know, we have an audience here that's very cybersecurity-focused and aware, and I would like to think that none of our audience would fall for this. But our audience is a small portion of the entire population, so there are people out there who have never heard of scams like this, like Ms. Olson. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, and we've had stories on here of people like - would you say a person who teaches medicine at Harvard School of Medicine is dumb? No, but we had a story about somebody who got scammed out of hundreds of thousands of dollars... 

Dave Bittner: Right. 

Joe Carrigan: ...Who worked as a teacher at Harvard School of Medicine. But she did the same thing. She came forward and talked about it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Talked about the loss. This is embarrassing for people. But Ms. Olson is doing the exact right thing here and telling people about it. 

Dave Bittner: Yeah. It also makes me think that, you know, each of us should have, like, a trusted friend, you know... 

Joe Carrigan: Right. 

Dave Bittner: ...Like a buddy system where you both agree that even if there's a circumstance where someone is telling you, you can't tell anyone about this. 

Joe Carrigan: Right. 

Dave Bittner: You know, that... 

Joe Carrigan: That should be a big red flag for anything. 

Dave Bittner: It should be - but that you've got one person, at least, in your life who you can tell... 

Joe Carrigan: Yep. 

Dave Bittner: ...Them about this. 

Joe Carrigan: Yep. 

Dave Bittner: It could be your person that you could just run things by and say, this is what's happening. And this person's saying I shouldn't tell anyone, but you're the person I count on to run by these things. And I think even that would help... 

Joe Carrigan: Yeah. 

Dave Bittner: ...A lot of these things. 

Joe Carrigan: Immensely. 

Dave Bittner: Yeah. 

Joe Carrigan: Also, if you happen to see someone who is pumping $20 bills into an ATM, a bitcoin ATM, maybe ask them what they're doing, you know? 

Dave Bittner: Yeah. Yeah. 'Cause - I mean, we've talked about how - we've already seen that a lot of the cashiers... 

Joe Carrigan: Right. 

Dave Bittner: ...At places like convenience stores have been trained when people come in to buy lots of gift cards... 

Joe Carrigan: Yep. 

Dave Bittner: ...To ask them, what's going on here? And that's great. But if you have an ATM, there's no one monitoring that. 

Joe Carrigan: Right. 

Dave Bittner: You know, there's - it's not an interaction with a person. 

Joe Carrigan: Nope. 

Dave Bittner: The machine's not going to care that you're shoveling money into it. That's a good day for the machine, right? 

Joe Carrigan: Absolutely. 

Dave Bittner: (Laughter). 

Joe Carrigan: The machine might even be programmed to be happy about that. 

Dave Bittner: That's what the machine was born to do. 

Joe Carrigan: Right. 

Dave Bittner: So, yeah. All right. Well, good story. We'll have the link to that in the show notes for sure. 

Dave Bittner: All right, Joe, those are our stories. It is time to move on to our catch of the day. 

Joe Carrigan: Dave, our catch of the day comes from John, who writes, I am not the original poster, but I thought this was hilarious and perfect for a catch of the day. Hope you enjoy it as much as I did. Dave, it's an email. I found the link on Imgur because that's how John sent it to us. Dave, go ahead and read this monstrosity. 

Dave Bittner: (Laughter) OK. It says - goes - let's see. This is crazy. So I'm going to do a crazy voice here. All right. And it says, dear costumer, your secret phrase has been incapacitated because of different utilization, a mistaken login - subtleties. For your security, we have impaired your internet-based account to re-establish your record and proceed with the utilization of online record and stop further debilitating of your account. How will I respond? Click on the button beneath and sign me in to your record and update your data. And we are upset for any issue. Much obliged to you. Hope to hear from you soon. Amazon service team. 

Joe Carrigan: Dave, call me skeptical, but I don't think this is from the Amazon service team. 

Dave Bittner: I don't think it is, no. 

Joe Carrigan: (Laughter) 

Dave Bittner: I don't know - a couple of things here. 

Joe Carrigan: Yeah (laughter). A couple of things. 

Dave Bittner: One or two - I mean, it does have the Amazon logo, so... 

Joe Carrigan: It sure does. 

Dave Bittner: But I like dear costumer. That's... 

Joe Carrigan: Right. It's addressed to me for when I dress like a pirate. 

Dave Bittner: (Laughter) That's right. Exactly. I'm just thinking about the poor, you know, Broadway costumer who this makes its way to, and they go, oh, they're talking to me. 

Dave Bittner: Right. It couldn't be a scam. 

Joe Carrigan: Right (laughter). How'd they know I was a costumer? 

Dave Bittner: Right, exactly. It can only be for me. It must be real. Yeah. 

Joe Carrigan: It's a great one. Thank you, John. 

Dave Bittner: It is. Yeah. Thanks, John. And again, we would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Pete Barker. He is the director of fraud and identity with an organization called SpyCloud. Here's my conversation with Pete Barker. 

Pete Barker: Well, from my past experience previously working at Dick's Sporting Goods, the evolution of fraud has evolved over time, if that kind of makes sense. What I've noticed in my previous role was, you know, the fraudsters never stop. Once they find a way in, they just continue to go and go and go. And a lot of times, what ends up happening is the practitioner doesn't realize right away what's going on. So it's not like, hey, I own a store, and I know I had this box in this certain spot. And you walk by that area, and you go, hey, wait a minute, I didn't sell that. Where did it go? I think somebody took it. Unfortunately, in the e-commerce space, when you have a fraud attack, it happens, and you typically don't find out till after the event has occurred. It could be up to 30, 60, 90 days later, and that really puts the practitioners in a predicament with fraud chargebacks. 

Dave Bittner: To what degree does it affect the retailer? Like you said, you know, you used to be at Dick's Sporting Goods. So, you know, if somebody comes in and fraudulently buys a pair of Nikes or a golf club or a lacrosse stick, you know, how does that affect the retailer versus the other people who are a part of that retail chain? 

Pete Barker: Well, I will tell you, Dave, in my vast experience with actually over 25 years in retail and e-commerce fraud combined, it affects everything. So, No. 1, when somebody takes something from a store or they fraudulently place an order online, that impacts the retailer, which then, those costs are then passed down to the consumer. So there's never been a time where a retailer says, you know, hey, we're going to just kind of absorb this and we're not going to pass those costs down. Whether it's in a brick-and-mortar situation where somebody takes a pair of shoes, literally, the consumer is going to pay for that in the end. 

Dave Bittner: And so as things have moved to the digital realm, there's a little more distance between, you know, the customers and the folks in the store. How has that affected things? 

Pete Barker: Well, it's made it really difficult, and I can tell you in a couple - for a couple reasons. No. 1, when you're in a brick-and-mortar store, you actually get to physically see somebody. You get to engage them. You get to have a conversation with them. And again, you're engaging them, so you can actually get very comfortable with that person that's in front of you. And you always want to give that highest level of customer service. However, when somebody's online, their identity is neutral. You have no idea who they are. Now, thankfully enough, a lot of companies, just like Dick's Sporting Goods, they have a really good knack of knowing their customers. But over time, as the e-commerce footprint grew, you went from a very small e-commerce footprint to a very large e-commerce footprint. And it's very difficult to identify - hey, is this a good order, or is this not a good order? Is this a fraud, or is this not a fraud situation? 

Dave Bittner: How much of this is a collaboration between, you know, the retailer, the folks, like the credit card companies - are they looking out for each other? Is there information sharing going back and forth? 

Pete Barker: Boy, that's a really good question, Dave. Unfortunately, there's not. The only information that's being shared is, when you get the bad news, that basically tells you that it's a fraud chargeback. And then it's incumbent upon the retailer, then, to do whatever they can to try to build a case to recoup those funds. When I was in the space just not too long ago, there was about a 40% win rate, meaning that about 40% of the time when you represented that fraud chargeback, you got made whole and you got your money back. But 60% of the time, the retailer ate that chargeback. 

Dave Bittner: Can you give us some insights as to what goes into that decision? You know, what has to happen for it to be on the retailer versus being on the credit card company? 

Pete Barker: So there's a lot of mystery and magic that goes on behind the curtain here. I can tell you... 
Pete Barker: I can tell you that it's become increasingly difficult for the retailers to win these cases. Now, again, if you put together enough compelling information - meaning, hey, this item was delivered to this address. This is their bill to it. This is their ship to it. Everything matches. By the way, this is their actual email address. If you could put together all that compelling information and then return it back to the banks, you have a pretty good chance of winning that. But again, it's a 60/40 mix. And, you know, the banks aren't giving up the reasons why. They just tell you either you win or lost. They give you a thumbs-up or a thumbs-down. And really, the mystery's in the magic, what's going on behind the scenes. 

Dave Bittner: Yeah, that's fascinating. So, I mean, sort of pivoting to the types of things that you and your colleagues are dealing with at SpyCloud, what is on the cutting edge of fraud and identity these days? What sort of things are coming to your attention? 

Pete Barker: Well, I think it's incredibly important for organizations to look at their current fraud stack because there is not a silver bullet out there, and it's not a one size that fits all. Where we come into play is we have solutions that could assist the retailers and/or the banks in making good decisions, and the way we do it is like no other. We have data that nobody else in the fraud space has today. And by having this data and being able to recapture it from the criminal underground, we bring in this data and then we turn it back over to the folks that are using our products. And they could then identify, hey, is Pete actually who he says he is? And again, what separates us from the rest of the pack is the fact that we have - we're taking a look at this customer's identity much differently than any other tool that's out there today. And really, we're using the tools that the criminals are using to help in the good and not the bad. 

Dave Bittner: How much in the world of fraud prevention is looking at behavioral things - you know, matching patterns and looking for those types of events? 

Pete Barker: Well, I think there's a lot of tools out there today that do a really good job at that. But with my vast experience, we have come to the conclusion as, there is no silver bullet. You have to have a layer in your stack. While behavior analytics are great and maybe some identify - you know, third-party ID verification tools are great. When you look at what we have to offer, it's completely different than the rest of the products that are out there, and that's what really makes us so unique. While one of these tools individually are not the silver bullet, when you start layering these all in the stack, it really helps banks and retailers make great decisions. 

Dave Bittner: So from a consumer's point of view, are there any tips you have for them in terms of, you know, things they can do on their end to make sure that they don't find themselves victims to this sort of thing? 

Pete Barker: Absolutely. No. 1 - change your password. Do not use the same password over and over again. And I know this is easier said than done, and I'm 100% guilty of this. My wife's guilty of it. My daughter's guilty of it. When you look at all the data that's out there, when we look at compromised data, one of the No. 1 ways that the criminals get into your information is bad password hygiene. More importantly, if you've been identified by one of these companies as being part of a data breach, change your password. Ironically enough - which this kills me, Dave - we can see in our data that people were compromised, and then when we run a report again, we can see that they never changed their password. Why would you - once you were identified that you were compromised, why would you not then use a stronger password? Do not recycle your password. But you know what? I understand the challenge out there. We all have multiple things that we have to log into. Most of us don't have password managers. We're writing down things, or we're putting it in our iPhone. And quite frankly, it's a lot easier just to reuse passwords or some variation of it. And the criminals love this. 

Dave Bittner: You know, speaking of mobile devices, you know, we've got newer technology available to us through those - things like Apple Pay and Google Pay, you know, those sorts of things. And it's my understanding that there's some additional security involved with those. There's some tokenization of the transactions. To what degree do you think that, you know, that's a good way to go, that that adds an extra layer versus, you know, using your credit card, say, at a gas pump - something like that? 

Pete Barker: Well, I can tell you, Dave, I think if you're in a situation and if there's a step-up authentication or if there's another level of security provided, whether it's Apple Pay or Google Pay, it can't hurt. There's no doubt about it. I think, you know, companies today are trying to do the best, especially the big ones - the Apples of the world and the Googles of the world. They're trying to grab a piece of the market share, and they're trying to do it in a way that's safe for everyone to operate 'cause at the end of the day, they want you to be able to swipe your card and buy stuff. So I think it can't hurt. But again, when you look at it holistically, there are no silver bullets because as good as some of these big tech companies are, the fraudsters are that much better. 

Dave Bittner: Where do you suppose we're headed here? I mean, when you look at the history of this cat-and-mouse game, any idea what the future holds for us? 

Pete Barker: You know, I think there's going to be challenges no matter what's in play. As difficult or as challenging it is - and we saw this during COVID with the amount of volumes - e-commerce has exploded over the last two years. And I think it's just going to continue to get bigger and bigger. I don't think there'll ever be a situation where brick and mortars go away. I do believe there's going to be a need for someone to go in and try something on, for somebody to go in and swing that golf club or try on their skis because they just don't want to make that investment and have a bad experience and have to ship all that stuff back. I do think, though, it's going to continue to be the challenge for everyone with fraud because as companies continue to pivot and they put in more friction - I hate using that F-word - whether it's multifactor or step up - and you know what? It's proven that those could even be beaten. I think this is going to be a cat-and-mouse game for quite some time, to be honest with you. I don't think it goes away. While it might get better, I still don't think it's going to go away. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: First thing I want to say is once these guys get in, once they find a fraud that works, they're going to keep doing it. They're going to stay there for as long as they can. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, Dave, when I was a little kid... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, under the age of 10... 

Dave Bittner: Right. 

Joe Carrigan: There was a gumball machine outside of a hardware store. 

Dave Bittner: Oh, yeah. Sure. 

Joe Carrigan: And a buddy of mine and I figured out that you could crank the gumball machine a little bit forward. 

Dave Bittner: Yeah. 

Joe Carrigan: And then crank it back, take the coin out and then go ahead and crank it all the way forward again. 

Dave Bittner: Oh. 

Joe Carrigan: We went over there with a paper bag. 

Dave Bittner: (Laughter) Not satisfied with one free gumball. 

Joe Carrigan: Not satisfied with one free gumball. 

Dave Bittner: You had to empty the entire machine. 

Joe Carrigan: Right. A guy came out of the hardware store and said, don't you kids think you've stolen enough from that machine? 

Dave Bittner: Ooh, nice. 

Joe Carrigan: We were like, oh, yeah, I guess. 

Dave Bittner: (Laughter). 

Joe Carrigan: And he just sent us off. You know, the machine was damaged, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It's not supposed to work that way. But we took full advantage of it, just like any scammers would. 

Dave Bittner: Yeah. 

Joe Carrigan: When they find a flaw in the system, they're going to exploit it - right? - because essentially, they're, you know, 7-year-old kids, right? 

Dave Bittner: Right. 

Joe Carrigan: ...Who don't have real jobs. These online fraud cases are just like shoplifting. It is a cost for these businesses. Higher costs drive up prices. That means the better a company is at preventing fraud, the more competitive they can be on price. You know, it's like shoplifting. The more shoplifting you can prevent, the better off you're going to be. I mean, have you ever walked into a Best Buy? 

Dave Bittner: Yeah. 

Joe Carrigan: You know the people in the yellow shirts are the people that prevent shoplifting, right? 

Dave Bittner: I did not know that. 

Joe Carrigan: Ah. I did know that. 

Dave Bittner: (Laughter) Avoid people in yellow shirts. 

Joe Carrigan: When you walk in, there's two colored shirts in a Best Buy - blue shirts... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And yellow shirts. 

Dave Bittner: OK. 

Joe Carrigan: The yellow shirts are the inventory control. 

Dave Bittner: Ah - loss prevention. 

Joe Carrigan: Loss prevention. 

Dave Bittner: OK. 

Joe Carrigan: Exactly. 

Dave Bittner: OK. 

Joe Carrigan: And the blue shirts are customer service. 

Dave Bittner: OK. 

Joe Carrigan: No red shirts, though. 

Dave Bittner: So you create a disturbance to distract the yellow shirts. 

Joe Carrigan: Right. 

Dave Bittner: I'll run out with the 55-inch plasma TV. 

Joe Carrigan: Yes. 

Dave Bittner: OK (laughter). 

Joe Carrigan: Does anybody even make plasma TVs anymore? 

Dave Bittner: They do not, no. 

Joe Carrigan: OK. 

Dave Bittner: They're hard to come by. I still have one, but they're hard to come by. 

Joe Carrigan: I have one, too. It's getting old. That thing sucks a lot of power. 

Dave Bittner: They do. They are not terribly efficient. 

Joe Carrigan: No. 

Dave Bittner: But boy, those deep blacks are... 

Joe Carrigan: They are... 

Dave Bittner: ...A pleasure to look at. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter) But we digress. 

Joe Carrigan: Right - as we normally do. 

Dave Bittner: Yeah. 

Joe Carrigan: There is no information sharing. And this is a common theme that we're getting here. You know, there is no - the credit card companies don't communicate with the merchants. I mean, but how does that happen? How would - what does that look like? You know, I'm not shocked by that because you think about the credit card companies. How many merchants do they have? How would they communicate this information? That hasn't been thought about yet. I mean, it needs to be thought about. 

Dave Bittner: Yeah. 

Joe Carrigan: And it needs to be done. And I think that, eventually, it will be. But we're nowhere near ready for that yet. One of the things I think that's going to play into that is the consolidation of the merchants. For example, like, companies like Square and Shopify and all those companies are essentially big front ends that provide credit card services to individual merchants. 

Dave Bittner: Right. 

Joe Carrigan: Right? But they're actually the people that talk to the credit card companies. So, you know, from the credit card companies' perspective, thousands of vendors can be represented by one vendor - one big aggregate vendor, right? Or actually, it's not Square anymore. We said last week it's now called Block. 

Dave Bittner: Right. 

Joe Carrigan: Right. Yeah. Thank you, everybody, for changing the names of your companies. Looking at you, Meta. I found it interesting that disputing a chargeback is essentially a black box from the merchant point of view, right? There's no - I think it just seems like it's capricious. You know, maybe we'll let it go, and maybe we won't. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I don't know what you do as a merchant. I also find it interesting that SpyCloud is using the tools that the criminals use to commit the fraud as something for fraud prevention. You know, like I say often, these tools are just tools, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And if you've built a tool to defraud people, people can also use that tool to detect the fraud, right? I think that's a brilliant implementation of that - I don't know - axiom or truth, you know? 

Dave Bittner: Yeah. 

Joe Carrigan: That piece of information... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That tools are just tools, and they can be used for good or evil. 

Dave Bittner: Yeah. 

Joe Carrigan: Here, once again - and finally, this is the last thing I'm going to say about this. We hear once again about how bad password reuse is for you. 

Dave Bittner: Yeah. 

Joe Carrigan: Pete is talking about, even when people know that they've been part of a breach, they don't go in and change their passwords. 

Dave Bittner: Yeah. 

Joe Carrigan: I can't say enough how much that frustrates me. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: But really, it is easy if you use a password manager. It's just easy. Just change your password. It takes a couple seconds. Use a password manager so that even if your password is breached and, if it's been hashed and not stored in plain text, that you still have a really good chance of having a complex password, thanks to your password manager, that may never get broken. Your account may never be compromised, even if the information is breached. 

Dave Bittner: Yeah. 

Joe Carrigan: Use a password manager. There's so many reasons to do it. 

Dave Bittner: Yeah. I was talking to someone recently in an interview. I was speaking with someone, and they were - we were kind of using the analogy about, you know, a crook walking around a neighborhood and checking car doors... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, to see if any cars are unlocked - go in and grab loose change or whatever. And this person made the point that where that analogy breaks down with computers is that computers don't care. Computers have all the time in the world to check every single door. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Yep. 

Dave Bittner: They don't - they're not on some - there's no value proposition of having to make my way through this neighborhood, and there's only so many cars, and I have only so much time. 

Joe Carrigan: Right. 

Dave Bittner: They'll bang away at every car in the neighborhood as long as it takes. 

Joe Carrigan: Right. 

Dave Bittner: Right. And so the notion that, oh, I can keep my password because they're probably not going to get to me... 

Joe Carrigan: No, they're going to get to you. 

Dave Bittner: ...That's not how it works. 

Joe Carrigan: Yeah. 

Dave Bittner: Right. 

Joe Carrigan: That is going to happen. 

Dave Bittner: Right. Yeah. All right. Well, again, our thanks to Pete Barker from SpyCloud for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.