Hacking Humans 8.18.22
Ep 209 | 8.18.22

Scams in the media.


Mallory Sofastaii: Find the local community group in your area so that you can do these exchanges in person. If you don't feel safe, do it at a police station. Then you can actually see the formula, get it, inspect the expiration date, see if it's been opened, and then you can do the exchange there.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where, each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan, from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week, and later in the show, we are joined by Mallory Sofastaii. She is a reporter at Baltimore's WMAR 2 News, and she's going to be sharing some of the recent scams that she's been covering. 

Dave Bittner: All right, Joe, before we get to our stories this week, we got a little bit of follow-up here. You want to take us through what we got? 

Joe Carrigan: Sure. It's some follow-up from Robert (ph), who writes, hi, Dave and Joe. You had some interesting comments regarding mobile phones and technical means to block robocalls. I was interested to hear what you, in the U.S., have at your disposal. Apparently, Robert is not from the U.S. Oh, he says in the next sentence, I'm writing from Canada. 

Dave Bittner: There you go. That's - your powers of observation, Joe, are just... 


Joe Carrigan: Right. Woo-hoo. And I'm with one of the big three cell carriers up here. My carrier has a couple of free options that I've implemented on both my phone and my wife's phone and my home phone, which now uses cellular technology. That's interesting. We still use a wired phone. We don't use a cellular phone here, but it's interesting that there could be a home phone with the cellular technology. Why wouldn't that be the case? Interesting. But I digress, as I often do. Mitigation No. 1 - or security feature No. 1 - he enabled port protection. Now, first time I heard this, I'm thinking firewall port - what? But no, there's a note on file with his carrier that any attempt to port our numbers to another carrier or to a SIM - or to do a SIM swap will result in a verification call to the number on file. Porting of the number will not be allowed without explicit authorization from the call from the carrier. So, you have to - in other words, the carrier has to receive a yes answer when they make that outbound call. 

Dave Bittner: Right. 

Joe Carrigan: Yes, if the bad guys have their hands on the physical device, they might be able to bypass this. But if they have their hands on my physical device then I have bigger problems, which is true. 

Dave Bittner: Right, right. 

Joe Carrigan: That's a good point. It is - there is a way around it, but, you know, there is no such thing as a 100% secure system. The next control is enable call control. I need to sign on to my mobility account and define what numbers, friends and family, can bypass call control. All other calls are intercepted by an authorized service that tells the call that I have call control enabled and they need to press a number on their keypad to allow the call to go through. Interesting. I've never heard this service in the U.S. Have you, Dave? 

Dave Bittner: No, I haven't. You know, I - in our last show, we were talking about this. The app that I use has screening. 

Joe Carrigan: Right. 

Dave Bittner: And I think - so there are a number of things that do that. So this seems like a variant on that. 

Joe Carrigan: Yeah, well, this is interesting because the number that the person is asked to enter varies. So it can't be pre-programmed. So it's kind of like a random number. This blocks most robocalls. Unfortunately, we have legislation in place to allow political parties to bypass call control, which is... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Fantastic, right? 

Dave Bittner: I know, right (laughter)? 

Joe Carrigan: So there are too many calls during elections, but I can enter numbers I want to bypass the call control as well as numbers I want blocked all the time. Surely, U.S. carriers can implement something like this, which I would agree with. This would be great. Call control would be fantastic. I would enable that right now. 

Dave Bittner: Yeah. 

Joe Carrigan: Port protection - we have a PIN on our account. The people have to know the PIN, but if there's a data breach from our provider where the PIN is breached, then they have that capability. So I would like the ability to have them make the outbound call as well. That would be nice. Robert says, cheers from the Great White North. You know, every time I hear the phrase Great White North, I hear that in Geddy Lee's voice. 

Dave Bittner: I hear Doug and Ray (ph) say, take off, you hoser. 

Joe Carrigan: Right? 

Dave Bittner: (Laughter) Yes, yes. 

Joe Carrigan: And there was that song - that whole song they did with Geddy Lee... 

Dave Bittner: Oh, yeah. 

Joe Carrigan: ...Doing backing vocals. And that's what I hear. 

Dave Bittner: Yes. Yes, I remember it well. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. Well, thank you to Robert for writing into us. And of course, we would love to hear from you. If you have something you'd like us to address on the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into our stories this week. My story - I'm actually tracking as we record this. This is a new phishing scheme that I've seen several high-profile people reporting on Twitter. 

Joe Carrigan: Really? 

Dave Bittner: Yeah, I saw some reporters, folks in media - the first one that I saw really clearly document it was a gentleman named Brian Jay Jones, who is a bestselling author. He's written a number of biographies. He's written biographies of Jim Henson, of George Lucas and Dr. Seuss. Really good writer, so I highly recommend his books. He's also fun to follow on Twitter. And he writes about how he very - he says, I very nearly had my Twitter account hijacked yesterday by a very convincing phishing scheme. Here's how it worked. He got a DM from a legit Verified account - and he says it was probably another account that had been hijacked - telling me my Verified status had been flagged and that I would lose verification unless I clicked a link to appeal. Now, just - I'll say this is who they seem to be targeting. They're going after people who have those Verified checkmarks on their accounts. 

Joe Carrigan: Right. 

Dave Bittner: And the direct message says - it says Twitter - from Twitter Verified support. Case number - hello, Brian Jay Jones. Your Verified badge Twitter account has been reviewed as inauthentic by our team. We understand how valuable the Verified blue badge is to you. I think that's an important part of this, Joe, is that the... 

Joe Carrigan: Right. 

Dave Bittner: ...The folks who have those Verified checkmarks, they love their Verified checkmarks (laughter). 

Joe Carrigan: Boy, I wish I could get one, Dave. 

Dave Bittner: And I say that with only a hint of bitterness that I haven't been able to get one. 


Dave Bittner: I have tried. I have tried twice and have been turned down both times, even though, by my estimation, I should be eligible. Anyway. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: Aren't many of our peers in this area verified? 

Dave Bittner: That's right. Graham Cluley has a checkmark. 

Joe Carrigan: Yeah. What about Jack Rhysider? Does he have a checkmark? 

Dave Bittner: He does not. He does not. 

Joe Carrigan: OK. 

Dave Bittner: No (laughter). 

Joe Carrigan: Well, if Jack's not getting one, you're not getting one. 

Dave Bittner: I do not, either. But anyway - so the message goes on, and it says, please appeal using the form below. Otherwise, your Verified badge may be deleted. And then there is a link. And of course, it is a link shortening link, so it's a TinyURL, so, you know, at first glance, can't tell who it's from. Brian writes - he says - I didn't even consider it was a scam. I clicked on the sender, and it was a Verified account, which I later saw was a hijacked New York Times reporter account with a profile all about working for Twitter and so on. So I followed the link, which had me re-log in, and submitted a quick appeal. And then Brian goes on to say, it did seem weird enough that I screenshot the message and sent it to my brother - a programmer with a good eye - and said, well, this is weird. He immediately called and texted me to say, the call's coming from inside the house. 

Joe Carrigan: Right. 

Dave Bittner: And to change his password immediately. 

Joe Carrigan: Right. 

Dave Bittner: And at this point, Brian had already put his credentials in. 

Joe Carrigan: Yeah. 

Dave Bittner: So he was worried that his account would be compromised, but fortunately, he had multifactor authentication enabled. 

Joe Carrigan: OK, good. 

Dave Bittner: And that's what saved the day, ultimately. Because of the multifactor, they weren't able to get in and grab his account. 

Joe Carrigan: So here's an example here. This is an exact example of the use case - of the threat model, rather - that we are advising against when we say use multifactor authentication because Brian went to this website, this fake website, entered his username and password, and then was able to enter this fake complaint - or this fake appeal in this fake form. 

Dave Bittner: Right. 

Joe Carrigan: But these guys were not able to get into his account because he had multifactor authentication on. So they had his username and password, but they couldn't access his account, which is good news for Brian. 

Dave Bittner: Yes, absolutely. So a couple, you know, take-homes here - obviously, as you say, multifactor, you know, saved the day here. So we say it (laughter) till we're blue in the face... 

Joe Carrigan: Right. 

Dave Bittner: ...Blue checkmark in the face - that you should absolutely enable it wherever you can. If it's something that's important to you and it's available, enable the multifactor authentication. But I also thought this was worth highlighting because this seems to be a very active campaign, and they're going after these Verified people who presumably are more high-profile people, more valuable accounts. So if you're in that category in particular, or if you know people who are, try to spread the word about this because this one is going on as we speak. 

Joe Carrigan: I just did a little search and found out that Matthew Green is a Verified Twitter account. 

Dave Bittner: OK. 

Joe Carrigan: The cryptographer that we have at Hopkins. 

Dave Bittner: Very good. Very good. 

Joe Carrigan: Yeah, Verified Twitter account. 

Dave Bittner: Yeah. 

Joe Carrigan: But not us, Dave. Not us. 

Dave Bittner: Not us. No, no, we're just down... 

Joe Carrigan: Anybody at Twitter listening? 

Dave Bittner: (Laughter) Right. Well, probably what'll happen now is we'll get a bunch of phishing messages offering to get us Verified. 

Joe Carrigan: (Laughter). 

Dave Bittner: Right? 

Joe Carrigan: Yeah. That's... 

Dave Bittner: You can't win, Joe. You just can't win. 

Joe Carrigan: No, you can't. 

Dave Bittner: But we have multifactor enabled, so... 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's right. 

Dave Bittner: All right (laughter). That is my story this week, Joe. What do you got for us? 

Joe Carrigan: Dave, Robert mentioned that elections are happening soon, right? It's an election year here in the U.S. Do you give money to national political candidates? 

Dave Bittner: Rarely. 

Joe Carrigan: Rarely. 

Dave Bittner: I have, but I wouldn't say it's part of my regular routine. 

Joe Carrigan: No, me neither. I don't know that I've ever given money to a presidential candidate or even someone running for a national office. I've given money to people running for local offices. 

Dave Bittner: Yes. 

Joe Carrigan: But that's about it. What about PACs - political action committees? Do you support PACs? 

Dave Bittner: No. 

Joe Carrigan: No. 

Dave Bittner: (Laughter) No. I find them distasteful, so... 

Joe Carrigan: Oh, OK. 

Dave Bittner: ...No. 

Joe Carrigan: Well, let me give you a little bit of good news. There's a California man by the name of Robert Reyes Jr. who has just pleaded guilty to fraud - wire fraud, specifically - because he was operating two political action committees. One was called the Liberty Action Group PAC, and the other was called the Progressive Priorities PAC. Right? These seem like they are very different-minded PACs, right? 

Dave Bittner: Yeah. 

Joe Carrigan: On the face of them. They solicited contributions from the public via robocalls and television and radio and internet advertising. This guy was flooding the market with advertising and then robocalling. But the two PACs represented the - that the contributions will be going to support dueling presidential nominees of the two major political parties respectively. But guess what? 

Dave Bittner: He's playing both sides. 

Joe Carrigan: That's right. He's - why not play both sides? 

Dave Bittner: Sure, sure. 

Joe Carrigan: Right? If you're going to do this. Well, the total... 

Dave Bittner: An equal opportunity scammer. 

Joe Carrigan: That's right. The total amount that he donated to legitimate political causes was $19. 

Dave Bittner: Oh. 

Joe Carrigan: And that's out of $3.5 million in contributions that he raised. So $3.5 million (inaudible). 

Dave Bittner: That would be a low percentage (laughter). 

Joe Carrigan: Right. Yes, that's right. 

Dave Bittner: Those are some high administrative costs, Joe. 

Joe Carrigan: There are some high administrative costs associated with this. And this is coming out as a press release from the Justice Department. So I'm looking at justice.gov for this press release. But Politico also has an interesting story about it. It just kind of outlines it. But Reyes pleaded guilty in the western district - or western - district of western Texas - the Western District of Texas. That's how these things are broken up. And he had a couple of conspirators along with him, Matt Tunstall and Kyle Davies. And according to the department, Reyes admitted that the two PACs were false and misleading representation and robocalls. One of the things that he did was he pocketed about $714,000, Reyes himself. And then in another event, what he did was he had a company that was doing the robocalls. He sent them too much money for one of their bills. And when - and then asked them - in order to give it back, in order to refund the extra money, put it in these other accounts. They're actually owned by my shell corporations, right? 

Dave Bittner: Oh. 

Joe Carrigan: So he is - he was sending this money out to be, essentially, laundered back to him. So it looks like, from his PAC, I spent this money on robocalls, and then the robocall company just sends the money back to him in other, hopefully, untraceable amounts. But of course, the Department of Justice found these amounts because... 

Dave Bittner: (Laughter) Right, right? 

Joe Carrigan: ...One of the things you have to... 

Dave Bittner: It's what they do. 

Joe Carrigan: Right, exactly. The - when I talk to people who are looking for careers in law enforcement and they say they want to work for the FBI, I say you need to get one of two degrees if you want to... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Work for the FBI tomorrow. You need to get a computer science degree, or you need to get an accounting degree. If you get one of those two degrees, the FBI will hire you tomorrow, so long as you pass the background investigation, no questions asked. They'll be like, OK, well, there - no, there are not no - there are a lot of questions they ask. 


Joe Carrigan: Right? 

Dave Bittner: OK. Maybe you move to the front of the line (laughter)? 

Joe Carrigan: Right. Yeah, you move to the front of the line. Exactly. That's a better way to put it. 

Dave Bittner: OK. There you go (laughter). 

Joe Carrigan: There - but there are - they have a lot of questions. 

Dave Bittner: Yeah, yeah (laughter). 

Joe Carrigan: And they - I - you might have to fill out an SF-86. I don't know. It's not Department of Defense. I know that with Department of Defense, you have to fill out an SF-86, where they also ask a lot of questions. But in Department of Justice and the Federal Bureau of Investigation - I actually called the field office one day and said, you know, I've heard this. I talked to a recruiter there and I said, I've heard this, is this true because I want to be giving a talk? And she said, oh, absolutely. We are looking for people with computer science and accounting degrees. So don't waste your time majoring in criminal justice. Major in... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Accounting or computer science because... 

Dave Bittner: OK. 

Joe Carrigan: ...That's what the FBI wants, is they need forensic accountants. So that's an aside. Federal authorities have yet to schedule a sentencing date, but he could spend up to 20 years in prison, this guy, which is an improvement from the 125 years he could have faced if he went to trial. Now... 

Dave Bittner: Wow. 

Joe Carrigan: ...It occurs to me, Dave. Here's the thing. These guys probably could have run these PACs legally and still made a ton of money, right? If they didn't - if they gave more than $19 to these legitimate campaigns - right? - to these campaigns, if they didn't do things like try to launder money through their providers, would they have committed a crime if they'd have taken exorbitant salaries? Is that illegal? I mean, you have to report it. I mean, you can just report it. Hey, here's our - we spent most of our money on fundraising and then most of our money on administration. 

Dave Bittner: Right. 

Joe Carrigan: And we gave a small amount to the candidates. I mean, there are... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Charities that do this all the time. 

Dave Bittner: Yeah. 

Joe Carrigan: There are some charities out there with, like, a 75% expense ratio, where 25 cents out of every dollar you give actually goes to those who need it. 

Dave Bittner: Right. 

Joe Carrigan: And the other 75 cents goes to promoting the charity and paying the people that work at the charity. 

Dave Bittner: Yeah. 

Joe Carrigan: I - you know, you can investigate these things, but there's nothing illegal about that... 

Dave Bittner: Right. 

Joe Carrigan: ...As long as you're not fraudulent. So these guys could have been doing this... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And playing both sides of the field and getting away with tons of money if they just weren't greedy about it. 

Dave Bittner: I was going to say, Joe, greed. 

Joe Carrigan: Right. 

Dave Bittner: Greed (laughter). 

Joe Carrigan: That's right. 

Dave Bittner: Right? 

Joe Carrigan: So, Dave, I, like you, do not give money to PACs either. I just... 

Dave Bittner: Yeah. 

Joe Carrigan: I have no reason to trust them. I'm so distrustful of people because I'm - I guess I'm just old and jaded now, Dave. I don't know. 

Dave Bittner: (Laughter) Right? The weight of the world has crushed your spirit, Joe (laughter). 

Joe Carrigan: It has. It has crushed my soul. 

Dave Bittner: Well (laughter), that's all right, Joe. Later on, I'll give you a big hug, and it'll be all - you'll feel much better (laughter). 

Joe Carrigan: OK. Thanks, Dave. 

Dave Bittner: Yeah. Well, you know, a couple things here. First of all, I'm happy that Justice is going after these folks and that there is active investigation, scrutiny and oversight of these... 

Joe Carrigan: Yes. 

Dave Bittner: ...Sorts of things. I think this is - in my mind, if you'd ask me about some of these political action committees, I probably would've, at first glance, thought it was the Wild West out there, that you - 'cause we hear so much about all of this dark money and, you know, companies or people, and there's just so many ways... 

Joe Carrigan: Right. 

Dave Bittner: ...For people to have their money weave its way through these systems. And, in many ways, it's legitimate and, you know, part of our First Amendment values and all that kind of stuff, but it's just an avenue for bad stuff like this. And so I am - I'm happy, and I guess a little surprised to hear the degree to which justice is going after them. So I'm... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Happy to recalibrate my expectations based on that. 

Joe Carrigan: Did I ever... 

Dave Bittner: I don't... 

Joe Carrigan: ...Tell you the Joe Carrigan idea for campaign finance reform? 

Dave Bittner: No. 

Joe Carrigan: It's a very simple law. It just says that if you cannot physically vote for somebody, then you may not contribute to their campaign. That's the law. That way you still get the First Amendment protection - right? - because, you know, your First Amendment right to support your candidate is a guaranteed First Amendment right. But that - I don't think that gives you the right to support somebody else - a candidate you don't have any skin in the game with, right? You know, I don't think it gives you the right to meddle in campaigns outside of the jurisdiction in which you live. Now, that gives you the right to send money to your - people running for your Congress, your House of Representatives seat, any Senate seat because Senate seats are across statewide, and then whatever president you want to vote for - right? 

Dave Bittner: Right. 

Joe Carrigan: ...Those kind of things. But if you have a PAC, then that PAC has to demonstrate that the money it's giving to that candidate has come from people that can legally vote for that person. I think that's a reasonable requirement. 

Dave Bittner: OK. 

Joe Carrigan: I don't think that's - but you know what? Like term limits, Dave, that will never get voted in. 


Dave Bittner: I was going to say - I'm going to count on our listeners to write in and tell you why you're wrong. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right. It'll never happen. I mean, it would be nice, but... 

Dave Bittner: Right. 

Joe Carrigan: ...You know, these guys... 

Dave Bittner: Right. 

Joe Carrigan: ...Are never going to vote themselves less money. That would be stupid. 

Dave Bittner: (Laughter) Absolutely. Absolutely. 

Joe Carrigan: Yeah. But that's... 

Dave Bittner: All right. Well... 

Joe Carrigan: Now I'll get off my soapbox. 

Dave Bittner: OK, fair enough. All right. Well, we will have links to all of our stories here in the show notes. Joe, it is time to move on to our catch of the day. 

Joe Carrigan: Dave, this week we have a stringer. That's where we have a bunch of small catches of the day where I just put them together as a list. Like, first, we have an SMS from Keefe (ph) who writes, it's been a while since I've seen a letter substitution phishing link. So, Dave, why don't you go ahead and read this text message that came through? 

Dave Bittner: It says - Woodforest, we couldn't verify a store charge made on your card. Visit https wadfrest1.org (ph) to verify. 

Joe Carrigan: Right. So this is Woodforest finance, which is - or a bank - which is a bank out of Texas. I had never heard of it before, but they actually have branches here in Maryland. Did you know that? 

Dave Bittner: Really? 

Joe Carrigan: Yeah. 

Dave Bittner: OK, news to me. 

Joe Carrigan: Yup. Me too. And obviously, this is not Woodforest sending you the text message because it's W-0-d-frest 1 (ph). 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Again, it's trying to look like a link shortener. And, you know, it's designed to panic you and to get you to click on the link to go enter your banking credentials. 

Dave Bittner: Right. 

Joe Carrigan: The next one is another SMS that comes from Joseph (ph), who writes, Hello, Joe and Dave. This one almost got me. 

Dave Bittner: I'm sorry. What? Wait, wait, wait. What was that? 

Joe Carrigan: OK. Hello, Dave and Joe. 

Dave Bittner: Ah, there it is. 

Joe Carrigan: There it is. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I read it as you wrote it - the listener - look at it. Here it is, Dave. You see this right here on my desk? Another one of those worms from that can I opened months... 

Dave Bittner: Right. 

Joe Carrigan: ...Ago. He says, this one almost got me. And he has a laughing face, so I don't think it's - it did actually get him. But it comes from an email address, and it's just a random string of characters at hotmail.com. Why don't you go ahead and read this one? 

Dave Bittner: It says - 08912, two lines of credit were opened in your name on 08-04, dropping your scores 81 points. And today's the last day to dispute or close. 

Joe Carrigan: And then there's a link in there that's just a long string of characters. But credit - my - it - and Joseph points this out. Credit is spelled c-r-e-d-'-t. 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: I guess to get by filters that are looking for the word credit. 

Joe Carrigan: Probably. Probably. 

Dave Bittner: Yeah. 

Joe Carrigan: Yep. 

Dave Bittner: Yeah. Some kind of natural language processing or something, huh? 

Joe Carrigan: Yep. And finally, the last one comes from Chad (ph), super listener Chad, who had some fun with a Facebook scammer. So this is a short one. But you want to do the scammer, and I'll play Chad? 

Dave Bittner: Sure. It starts... 

Joe Carrigan: OK. 

Dave Bittner: ...Out, and it says, congratulation, you were chosen as the winner today. Grab your prize now by confirming the list on the official site in my top post before I declare your prize has expired. Quickly, quickly, get your present now. Reply ready if you are ready. 

Joe Carrigan: Yeah. No, thanks. This looks like some kind of scam - better luck with your next victim. 

Dave Bittner: This is real. There is no fraud here. 

Joe Carrigan: Sure it is. I'm sure. So how come the link on your Facebook doesn't go to your company website? 

Dave Bittner: Try to tell the screenshot what you mean. 

Joe Carrigan: Pretty sure your translation software just glitched. 

Dave Bittner: What? 

Joe Carrigan: What does the screenshot want from me? 

Dave Bittner: Capture the registration screen. 

Joe Carrigan: What if it's running too fast to catch (laughter)? 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: So here's the thing. 

Dave Bittner: (Laughter). 

Joe Carrigan: One of my favorite things in - you ever pick up a dictionary and just read it? 

Dave Bittner: Sure, Joe. 


Joe Carrigan: Back when I was a kid in fourth grade - I still remember this guy, Rob Zahariashevits (ph). He said - he had just picked up the dictionary and was just thumbing through it, and he goes, wow, look at the word run. And we all look - run over to the dictionary and look at it. And the word run has this - like, three pages of definitions or three columns of definitions in it. It's a really long set of definitions. If you ever get the inkling to do it, just go to a standard full dictionary, and look it up. It's amazing how much we use that word in the English language. So you can really jam up somebody's translation software just by using that word somewhere back, which I think is what Chad wound up doing here. I don't know if he did that consciously, but I'll bet that was the effect. 

Dave Bittner: All right. Well, those are our Catches of the Day. Again, we would love to hear from you. If you have something you'd like us to consider for the show, you can email us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, we got a special treat this week. You took the interviewing duties this week, and you spoke... 

Joe Carrigan: I did, indeed. 

Dave Bittner: You spoke with Mallory Sofastaii. She is a reporter at Baltimore's WMAR 2 News, and she has a regular segment that she shares with her audience. It's called "Matter for Mallory." And it's really a - I guess it - what - is it fair to say it's a consumer advocacy spot? 

Joe Carrigan: Yeah. 

Dave Bittner: That sort of thing? Yeah. 

Joe Carrigan: It's like, you know, so-and-so on your side, you know? 

Dave Bittner: Right, sure. 

Joe Carrigan: It's - you know, it's one of those kind of things. But, yeah, it's consumer advocate. You know, a lot of times, when you're a consumer and you're getting absolutely just ignored by a company... 

Dave Bittner: Right. 

Joe Carrigan: ...The best thing to do is call media attention to it because that immediately gets the issue resolved. And it's a shame... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That you have to do that. But it's a - I would almost qualify it as a public service that broadcasters offer. And it's a wonderful public service. And I love seeing these people shape up and go, oh, we're very sorry about this. 

Dave Bittner: All right. Well, here's Joe's conversation with Mallory Sofastaii. 

Mallory Sofastaii: Yeah. For the last several months, we've been focusing a lot on food stamps and temporary cash assistance that's being stolen from customers who benefit from these programs. And what's been happening is that benefits are deposited onto their cards around midnight on the third of the month or so. And by the morning, these victims report that the money was taken. It was withdrawn from an ATM, either locally or across the country. They go to the Department of Human Services. They say, hey, someone took my benefits. My card was at my home with me. It was under my mattress. I have no idea how someone was able to get ahold of these benefits, but they withdrew them, and now I don't have the money that I need to buy food for my children, to pay my rent. And the Department of Human Services basically says, you know, we can't replace that money for you, or - we know that they can, actually. D.C. and California are doing it. But here in Maryland, they say that they don't have funds appropriated to replace these benefits. So these families just have to get by until the next month and then hope it doesn't happen again. 

Mallory Sofastaii: And as far as how this is happening, the department believes that thieves are skimming then cloning these cards. They're kind of like debit cards. They require a PIN number. So it would probably be on a terminal that would require a PIN, such as at a grocery store or an ATM, maybe even at the gas station. And that's how they're obtaining these benefits. But it's also happening on a much larger scale. So just to give you an idea, last year in Maryland, food stamps and temporary cash assistance stolen - it was around $92,000. For the first six months of 2022, it's been over $286,000. That's more than triple in just the first six months, so this is obviously happening on a much larger scale now. We know it's a nationwide issue. But the vendor who is supplying these cards - in Maryland, it's a vendor, Conduent - the state is paying them $30 million. They haven't yet added any additional security features, such as card locking or, you know, the ability to call and report this fraud or any suspicious activity and - before it happens. So we haven't... 

Joe Carrigan: Is... 

Mallory Sofastaii: We haven't seen that happen. 

Joe Carrigan: Is there a chip on the card? 

Mallory Sofastaii: There is not a chip on this - on these cards, and that's kind of what we saw... 

Joe Carrigan: These cards are chipless. 

Mallory Sofastaii: Yes, that's what we saw with unemployment benefits, where a lot of fraud was happening with those. And we noticed these were Bank of America issued debit cards that did not have chip card technology, compared to if you were a regular bank customer, you would be issued a card with a chip. 

Joe Carrigan: So is there a reason that Conduent isn't issuing chips? Have you talked to them? 

Mallory Sofastaii: Yes, we've tried talking to Conduent. We've asked to interview them, and they basically keep directing us to the Department of Human Services. They say to direct our questions to them, which we have. And part of our line of questioning has - how do you plan to make these cards more secure? How can you guarantee to these victims that their money isn't going to get stolen again and that you don't even plan to replace it? They have - they've just been vague in their responses and saying that they are working on ideas, and they're, you know, moving forward with some features, but they haven't specifically said what or when. 

Joe Carrigan: So if someone is victimized, are they entitled at least to get a new card so the victimization cannot be repeated? 

Mallory Sofastaii: Yes. Yes, they are automatically issued a new card. These people are encouraged to create a different PIN, obviously. But we've actually seen this happen to one woman who was issued a brand-new card. It happened to her twice, two months in a row. She has no idea how. She hasn't shared this card with anyone or her PIN number, and yet in two months, she's lost $2,200. And again, this is money she desperately needs to care for herself and her kids. 

Joe Carrigan: So you're in contact with this woman who's been victimized twice. Have you asked her if she goes to the same stores? 

Mallory Sofastaii: Yeah. So I've asked her, you know, where exactly do you use this card? She says a limited number of places. You know, it might be one grocery store or one ATM, but it's not - it's never just one place in particular. She's gone to different ATMs, different grocery stores. So the fact that this would happen twice is unique. She has her own suspicions that maybe it's someone within the department, which is, you know, a huge allegation. We haven't been able to prove that or substantiate that in any way. For all... 

Joe Carrigan: Right. 

Mallory Sofastaii: ...We know, again, this is still the product of skimming and cloning. But it is suspicious exactly how many people this has impacted in such a short amount of time. 

Joe Carrigan: Do you have any idea of the scope of the number of victims? 

Mallory Sofastaii: Yeah, so we know that in the first six months, it's been about almost 400 reports of stolen benefits, whether that's temporary cash assistance or food stamps. It's mostly temporary cash assistance. And again, compared to 2021, it was 137 reports. So it's gone up dramatically. 

Mallory Sofastaii: We ask the Department of Human Services and the governor's office why more isn't being done to help these victims, considering this money is being taken, no fault of their own, that they're not involved in this fraud - at least, you know, they file police reports. They go through all the proper channels. And like I said, in California and D.C., they are replacing those benefits. So why aren't they doing that here in Maryland? The response I keep getting is that these are federal funds that supply these programs, so we can't replace them with federal funds. However, they can replace it with state and local money. And there is, in Maryland right now, a $3.6 billion surplus. So why can't they use some of that money to help these victims? 

Mallory Sofastaii: We reached out to the governor's office recently, and they said that they are familiar with our reporting on this issue. They keep discussing it with the department and the federal administration and that they will keep us posted on any developments. We have spoken to state senators who are very concerned about this issue. They've discussed maybe putting forth some legislation when they're back in session, but they are not right now. And... 

Joe Carrigan: Right. 

Mallory Sofastaii: ...Then also, we've been in touch with Congressman Ruppersberger's office, who is working on drafting federal legislation aimed at addressing this issue. However, that can take time as well. 

Joe Carrigan: It can. And for those of our listeners who are not from Maryland, the Maryland General Assembly is only in session from, like, January through middle of April, and that's it. So for the rest of the year, they're not even in Annapolis. They're out doing whatever else they do. Does anybody have any plans for a solution to this? Have you heard any ideas from the departments that provide these benefits or from the governor's office about what next? What are we going to do? What's the - what's a plan? 

Mallory Sofastaii: Unfortunately, no, we haven't heard what the plan is. Like I mentioned, the Department of Human Services said that they are in discussions with Conduent as far as implementing new security features for these cards. However, you know, as many people in Maryland are aware, we have an outgoing administration with the governor, so there is likely to be turnover with the head of the Department of Human Services. So maybe in November we will see major changes or when the general assembly is back in session. But so far, we haven't seen much action on this issue. 

Joe Carrigan: Most unfortunate, I would say. What is going on in the baby formula realm? There's a real shortage on baby formula right now. We have the Biden administration running programs, basically flying in baby formula. I imagine that because there's a shortage, there's a lot of opportunities for scams around this product. 

Mallory Sofastaii: Sadly, yes. This is despicable that scammers would be going after moms trying to feed their infants, but scammers have infiltrated these formula-finding groups, and they are going after these moms to try to take what money they can. And another unfortunate aspect of this is a lot of women use WIC - women, infant, children benefits - to buy formula. But when you're buying that from other moms, you can't. So you are using money out of your own pockets, your savings, to try to buy formula, sometimes above market value, in order to get the exact brand that you need to feed your child. These groups are on Facebook. That's where moms are going. They are posting - you know, some of the - these groups have had to implement rules because the scams have gotten so out of control. 

Mallory Sofastaii: So these are just supposed to be formula-finding groups. When you see this kind of formula at a store, you post it, and you say the location. Or if you're local, you can maybe agree to meet up. It's not supposed to be a reselling site. But for some of these moms, when they are desperate and they can't find it anywhere close by, that's when they will get in contact with someone who might be in a different state. And that's what happened to Jessica Cassell. She's a mom up in Cecil County. She has a premature baby, and her baby needed a certain kind of formula. She went to eight different stores around her, couldn't find it anywhere. Found a mom on Facebook through one of these formula-finding groups who said she had what she needed, and she would give it to her at a reasonable cost. 

Mallory Sofastaii: So she reached out to her, and she knew that scammers were infiltrating these groups. So she said, you know, listen, can you send me the shipping and tracking information first, and then I'll send you payment. And the mom came back and said, listen, I'm at the grocery store. I need to buy diapers for my baby. I really need that money now. Being a mom herself, she didn't want her child to go without diapers, so she sent half of the money. Formula is pretty expensive. I think she wanted, like, three cans for $50. So she sent half the money. Then, the woman came back and said, you know, it's an additional $25 for shipping. So she sent that. The woman then sent her tracking information from USPS, which you can do, but she never dropped off the items. 

Mallory Sofastaii: So what ended up happening was the mom never received the formula. She sent the money via Cash App, with which you have little recourse if you are scammed. So she never got the formula she needed, and she was out this money. And, you know, looking back - $80 - it's not an immense amount of money, but she's heard of other moms losing $300 more than that. And again, you know, this is money they need, plus they need to feed their kids. 

Joe Carrigan: Right. Initially, the first thing I think is, you know, don't mail-order formula for other safety and security reasons, right? But it goes back to the - you know, the Maslow's hierarchy of needs. Items lower on that pyramid tend to be something of much higher priority. So if your baby is hungry, you are going to take risks that you wouldn't otherwise take, like perhaps mail-ordering formula from a perfect stranger. 

Mallory Sofastaii: Exactly. And that's why people are now encouraging anyone going on these groups - find the local community group in your area so that you can do these exchanges in person. If you don't feel safe, do it at a police station. Then you can actually see the formula, get it, inspect the expiration date, see if it's been opened, and then you can do the exchange there. But to your point, when this formula was so scarce, you'll really go to whatever great lengths you need to, to get what you need for your child. 

Joe Carrigan: Yeah, the case of Jessica is particularly heartbreaking because she has a premature child, and that child needs special care and needs a particular kind of formula, and substitution is not going to be an option for her. 

Mallory Sofastaii: No. And that's what many of these moms are experiencing. Fortunately, this issue has gotten better. Jessica can now find the formula that she needs on shelves, but it hasn't completely gone away, so we are still seeing that thousands of moms are participating in these groups, and they are sharing documents in these groups with hundreds of names of people that they suspect are scammers or have scammed other moms. 

Joe Carrigan: Now, have they turned those names over to the social media companies? 

Mallory Sofastaii: I have not asked that question. I suspect that the admins would or at least report these accounts, which you should do whenever you are speaking to someone who you believe is a scammer. Flag the account. Report them to the social media platform that it's on. As far as repercussions or what will happen, I mean, there's nothing stopping them from just creating a new account and doing it again, which is why, in these groups, another rule is not to post stock images of formula - that you have to take a picture of the formula with your full name and the state that you're located in in front of the formula, so then, that way, it can't as easily be replicated. 

Joe Carrigan: I get the feeling that when these admins report these things - report these users to the platforms - that very little happens. That's my suspicion. I'm not a big fan of social media. I've made no secrets about that on this show. But, yeah, I mean, it's a lot like - my phrase for it is screaming into the void. 

Mallory Sofastaii: Yeah. Yeah, you know? They'll just pop up with another account and try it again and keep going, sadly. 

Joe Carrigan: Absolutely. Mallory, thank you for coming on. These are some scams that our listeners should be well aware of, as well as everybody. Mallory Sofastaii from WMAR, thank you for joining us. 

Mallory Sofastaii: Thanks, Joe. 

Dave Bittner: All right, Joe - interesting stuff here. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, a couple things caught my ear. First of all, my heart goes out to all the people who are having their benefits stolen from them. 

Joe Carrigan: Yeah. 

Dave Bittner: This whole thing with the ATM cards compromised and their accounts drained - I find - I was surprised to learn and I am angered that these cards have no chips. 

Joe Carrigan: Yeah, me too. 

Dave Bittner: Right? 

Joe Carrigan: That was... 

Dave Bittner: How many years have we had chips on all the cards that we have now? It's been years. 

Joe Carrigan: At least four years - at least. 

Dave Bittner: Yeah. 

Joe Carrigan: But why not the benefit cards? 

Dave Bittner: Right. So my thought is, you know, being poor shouldn't mean that you lack security protections, right? 

Joe Carrigan: Right. 

Dave Bittner: Requiring or, you know, taking advantage of public assistance shouldn't mean that you are, comparatively, a sitting duck compared to folks who have just regular debit cards. 

Joe Carrigan: Yeah. 

Dave Bittner: There's nothing exotic about a debit card with a chip in it anymore. I - how much could these companies possibly be saving? And I'm sure it's a little bit, and that's why they're doing it, you know? 

Joe Carrigan: Right. 

Dave Bittner: But I - ugh - I'm hot under the collar about it, Joe. It just shouldn't be this way. 

Joe Carrigan: I am, too. And I'd like to see some follow-up on this. And actually, Mallory and I talked about that towards the end of the interview, I think... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where we talked about following up on this to see what the end result is with this and if the state of Maryland - 'cause these were Maryland residents who were getting benefits from Maryland. If the state of Maryland is going to actually make these people whole, it's going to cost them more money to do that than it would have cost them just to put chips in the card, right? 

Dave Bittner: Right. 

Joe Carrigan: It would probably cost them more money to secure the benefits of these people for one week than it would - that would probably cost many times more than just putting the chips in the card because those are done en masse. That is a mass-production process. 

Dave Bittner: Yeah. 

Joe Carrigan: It is not something that's individually done. 

Dave Bittner: Yeah. 

Joe Carrigan: It's already a solved problem. Why don't they have it? 

Dave Bittner: I didn't - if you'd asked me, I wouldn't have thought you could get a card without a chip, but... 

Joe Carrigan: Yeah. 

Dave Bittner: ...I guess you can. 

Joe Carrigan: You - well, you know how you do it, Dave? You be poor. That's how you get it. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And then you apply for a benefit - a state-provided benefit - and the state goes, oh, here's your completely unprotected pin - chipless card. 

Dave Bittner: Right. 

Joe Carrigan: Thank you. 

Dave Bittner: No, it's sad. And, like I said, it's frustrating. And I say - my heart goes out to the people who've fallen victim to this. It's the - you know, it's the people who can least afford to... 

Joe Carrigan: Right. 

Dave Bittner: ...Have this happen to them. 

Joe Carrigan: Yeah. It's the most vulnerable population. 

Dave Bittner: Right. Right. 

Joe Carrigan: And it's a waste of valuable tax dollars as well. 

Dave Bittner: Yeah. 

Joe Carrigan: These tax dollars are going to some scammer. 

Dave Bittner: Yeah. 

Joe Carrigan: And, you know - and these people probably didn't do anything wrong. They probably went to some store that had a skimmer on the - on top of the payment system, and totally - they probably did nothing malicious here. 

Dave Bittner: Yeah. 

Joe Carrigan: I can absolutely see how this is something where they are just probably going through their daily process of buying food one time and got their benefit card skimmed. And now those guys are up at midnight, as soon as those benefits are deposited into their accounts, and they're transferring the money out. 

Dave Bittner: Yeah. I wonder also - are there other technological solutions to this - or at least ways to slow it down? You know, could there be something where if someone goes in and tries to drain the account - tries to get everything out of it all at once... 

Joe Carrigan: Right. 

Dave Bittner: Does that throw up a flag or put up a roadblock or some kind of extra layer of verification - something like that - to just keep these folks from being victimized this way? 

Joe Carrigan: Yeah. I mean, that's... 

Dave Bittner: I don't know. 

Joe Carrigan: That might be good. But if you've got somebody who is relying on cash assistance to pay rent, that might be exactly what they do. 

Dave Bittner: Yeah, true. 

Joe Carrigan: So that may be counter to the actual use case for the benefit. 

Dave Bittner: Right. Right. 

Joe Carrigan: So it's a tough problem. 

Dave Bittner: The other thing that you all - it absolutely is. The other thing that you all discussed were these baby formula scams on Facebook groups. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, I - hopefully, my sense is that the baby formula situation is easing up some, and that it's not as dire as it was. 

Joe Carrigan: Right. 

Dave Bittner: But it really is - it's another example of just playing on people's desperation. I can't imagine a more desperate situation than having a hungry child... 

Joe Carrigan: Yeah, we were... 

Dave Bittner: ...You know? 

Joe Carrigan: Mallory and I were talking about one mom who has a premature baby and needs a specific kind of baby formula, and I can't think of a worse situation to be in. That is one that - I should say, I can't think of a worse situation than needing a specific kind of formula and not having it available. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And then making yourself - that alone - the fact that that situation exists opens you up to these kinds of attacks - terrible. 

Dave Bittner: Yeah. The other thing that I wanted to highlight here was just - I think this really points out the importance of local news. You know, Mallory works at Baltimore's WMAR-2, local affiliate. You know, they've been... 

Joe Carrigan: Right. 

Dave Bittner: ...In the community - gosh - probably close to a hundred years now, but... 

Joe Carrigan: Yeah - long time. 

Dave Bittner: Yeah. And the media has undergone a lot of changes. Local newspapers have been devastated, and the local affiliates don't have the funds that they used to have. They don't have the - you know, the influence, the viewership, all that kind of stuff, and that makes it harder for local news organizations to do the work they do. And I would just put this out there - as members of your community, please support these folks, you know? 

Joe Carrigan: Right. 

Dave Bittner: You, as a - your local community needs local news. You need people keeping an eye on this. You need - there's - you know, there's a reason why our media has the powers that they have, you know, via our Constitution. We need people keeping an eye on all levels of government and all levels of community just to make sure that we know what's going on. And, you know, Mallory is one of those folks who are out there doing that every day, and my take is they really deserve our support. 

Joe Carrigan: I agree. I like the - I don't - I'm going to say this word, but I don't mean it in a negative way. I like the adversarial nature of a lot of the reporting. Like, here - I mean, it's adversarial in that it's - Mallory is working against - you know, going - this is something that needs to be brought to light. 

Dave Bittner: Right. 

Joe Carrigan: This needs to be reported on. And I'm sure there are people in the state government who would just - they would just be happy if this was just - please don't bother me with this... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...You know? 

Dave Bittner: Right. 

Joe Carrigan: I've got millions of other things I'm working on. But, no, this is an important issue. 

Dave Bittner: Yeah. And that's how change happens. 

Joe Carrigan: Right, exactly. So, you know, when I see other people challenging elected officials on TV, I'm always very happy with that. I love seeing that in local news. 

Dave Bittner: (Laughter) Right. Right. All right. Well, again, our appreciation to Mallory Sofastaii from Baltimore's WMAR-2 News for joining us. We always appreciate her taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.