Hacking Humans 1.5.23
Ep 226 | 1.5.23

Leveraging credentials online and off isn't going away.


Eric Levine: But I think that the underlying requirement of being able to leverage these highly ubiquitous, highly trusted credentials in order to interact, both online and off, is going to continue to be a need today and going forward.

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Eric Levine, who is co-founder and CEO at Berbix - we're talking about identity fraud. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we've got a little bit of follow-up here. What do we have? 

Joe Carrigan: Right. This is actually something that was sent in from Chris. It was brought up to me as a Catch of the Day candidate, but I don't think it makes for good mocking. So... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: But I do think it's an interesting scam, and I wanted to talk about it because I haven't seen it in exactly this form. Chris writes, dear Dave and Joe, I just got a wonderful text message from the least suspicious name of all time - which - he's being sarcastic there... 

Dave Bittner: OK. 

Joe Carrigan: ...If you can't tell. 

Dave Bittner: Yeah. 

Joe Carrigan: When I tried to text back a rather mean response just to see what would happen, I got back a daemon from a different number. A daemon is just an automated tool. 

Dave Bittner: OK. 

Joe Carrigan: So it's a common term in computer science, particularly among us older computer science people. Nowadays, they're called servers. My favorite part of all this is the missing closed parentheses on the first text. Hope you are all doing well. And let me read to you what these look like, or just describe them to you, because they're kind of weird. He has a text that came in that says - from an 866 number - it says card locked with an alert ID after the end of it. And I don't even know what this means. This is obviously designed to scare you. And it's - it is coming from mobile-wellsfarg0 - with a zero - unusual activity. It looks like an email address at c-alert.com, which is - I don't know if that's a legitimate website or not. I haven't done any research on this, but it's coming in from this text. He texts back his mean response, and he gets a response from mailer-daemon that is - that just reads, undelivered mail sent to the sender. This mail was sent at host - so in other words, he tried to respond to this email, and it was already shut down, it looks like... 

Dave Bittner: Oh, OK. 

Joe Carrigan: ...Or this text message. So it looks like it was a scam that had started and then just got shut down pretty quickly. 

Dave Bittner: Things move quickly in the world of scams (laughter). 

Joe Carrigan: They do. They do. But I thought this was interesting that - what happened here is somebody just sent him a text message that was designed to scare him into some action. There may have been a plan for a follow-up call or something like that. Hey, this is Wells Fargo. Did you notice that your card's been locked? It's not Wells Fargo on the other end. This text wasn't sent from Wells Fargo. This is not how this works. 

Dave Bittner: Yeah. OK. 

Joe Carrigan: So thank you for sending that in, Chris. I really appreciate it. 

Dave Bittner: Yeah, interesting. All right. Well, let's jump into our stories here this week. Joe, why don't you start things off for us? 

Joe Carrigan: Dave, my story comes from Shannon Flynn over at tdwi.org. And the story is called "Social Engineering Attacks: Preparing for What's Coming in 2023." So this is - Shannon is doing some Nostradamus-like stuff here. And I will tell you, this is a pretty easy thing to do. But there's - there are five things on this list. They are kind of like predictions of what we're going to see in 2023. 

Dave Bittner: OK. 

Joe Carrigan: And the first one is something we've already seen a lot of, and that's doppelganger websites. It's essentially a clone of a website. So you and I have said many times on this show, but for our newer listeners, the way the web works - everything you need to see the web page has to be presented to you in text. So when you download something from a website - or when you host a website, rather - you have to provide everything to everybody that wants to see the website. So that makes sense, right? But it's not like compiled code, where I just give you a binary. I don't give you the source code. I literally have to give you the code because it's essentially an interpreted text. That's all it is. 

Dave Bittner: That's the HTMLs. 

Joe Carrigan: HTML, the Cascading Style Sheets, the JavaScript, whatever else you have in there, unless you have a compiled app, which most people don't put on their websites anymore because HTML has become very dynamic... 

Dave Bittner: OK. 

Joe Carrigan: ...Especially with HTML5. What this means is, as a bad guy, I can just go out and pull down all the resources from somebody and then put them up on my web server. And, with very little effort, I can have that site, a copy of that site, posted on my server. 

Dave Bittner: And it looks like the real thing. 

Joe Carrigan: And it looks exactly like the real thing. And these things have been out there for years. These are - they're always getting better. That's really the issue, is that they're just getting better and better. There are some ways that you can detect against this, but I don't know that - you know, theoretical ways. But really, the best thing is check the address. Make sure you're at the right site. 

Dave Bittner: I would add a password manager to help here, too, 'cause it'll... 

Joe Carrigan: Password manager can really help. 

Dave Bittner: It'll keep you from logging in if you're not at the actual site. 

Joe Carrigan: The proper site. 

Dave Bittner: Yeah, right, right. 

Joe Carrigan: Yep. And that really works with your password managers that are integrated directly with your web browser. Yeah. So I recommend those. And some of those you pay for, and that's fine. I think paying a couple of bucks a month for a password manager - it's - you know, comes up to, like, less than 40 bucks a year. And I think it's well worth it. 

Dave Bittner: Sure. 

Joe Carrigan: Number two - and this one is absolutely horrifying to me. Shannon lists abuse of law enforcement privileges. Now, when I first read that, I'm like, well, we see that all the time. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's nothing new, right? But she's not talking about police officers abusing their law enforcement privileges. She's talking about business email compromise in a law enforcement setting and getting into the sensitive information that they have access to. So if I'm a bad guy and I really want to get people's attention, if I can compromise their business email, their law enforcement email address, I can really, really get a bunch of stuff on it. There's things in here - in March of 2022, Apple, Meta and Discord announced they had fallen victim to a cyber security scheme that led to users' data being leaked to hackers who abused something known as emergency data request. 

Dave Bittner: Oh, right, right. 

Joe Carrigan: Or EDR. So these guys impersonated law enforcement and got an EDR and just got a data dump from Apple, Meta and Discord. 

Dave Bittner: So people - they were pretending to be law enforcement... 

Joe Carrigan: Right. 

Dave Bittner: ...In order to get information from some of the big providers. 

Joe Carrigan: Yep. 

Dave Bittner: Yep. 

Joe Carrigan: That's one of the problems with these emergency data requests. You know, they can be abused. 

Dave Bittner: Right. 

Joe Carrigan: It's also one of the systemic problems and the constant push and pull we hear from law enforcement and from cryptographers, right? Law enforcement says, we need a backdoor to get into the device when it's locked because we have urgent needs that need - let us - need to let us in. We need to get in to - for public safety - right? For public safety. Here we see another example of why that's a bad idea. And Matt Green at Hopkins has co-authored a paper, a white paper called "Keys Under Doormats." If you Google that, he makes - they - it's actually a group of people. They make a very good argument about why that's a bad idea. And this, again, is an abuse of a law enforcement tool by malicious actors.

Dave Bittner: Right. 

Joe Carrigan: Number three - we've seen a lot of this already, but social media social engineering attacks - social social. 

Dave Bittner: (Laughter). 

Joe Carrigan: I can think of no better place for a social engineering attack than something called social media, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: This is already on the rise. This is really something that's already happened, I think. We're seeing this all over the place. In fact, our Catch of the Day today comes from WhatsApp. So it's - and it's a good one. So you're going to like it. But it's - there's a couple of issues with social media. The first one is the amount of information that's available about you on social media. When you're talking about companies getting breached, I've said this before, that LinkedIn is a great resource for open-source intelligence gathering. It tells you everybody that works there, tells you everybody you work with, tells you who you should impersonate. If you want to scare this guy, it tells you who his boss is. It's - maybe your boss has written you a recommendation, and that's on there. You can divine that stuff from a lot of different places, but LinkedIn is very helpful. Facebook is no different. If you put too much information out on your Facebook page and it's all public, then anybody can see it. And they can scam you and impersonate somebody else. 

Dave Bittner: Right. Right. In this article here that you've shared, they're also pointing out that there are people who imitate influencers. They pretend to be the famous social media influencers to try to trick you into doing things. 

Joe Carrigan: Yes. 

Dave Bittner: Interesting. 

Joe Carrigan: Yes. Maybe that's where the Tide Pod challenge and whatever other stupid challenge I just saw recently was. 

Dave Bittner: (Laughter). 

Joe Carrigan: Number four here is reputation ransomware. This is, like, an attack on the reputation of a company if you don't pay me a ransom. This is also kind of new but not really because there have been, like, DDoS ransomware - ransom attacks before. You know, pay us a ransom, or we'll DDoS your servers. 

Dave Bittner: Right. 

Joe Carrigan: You know, there's things that help with that now, companies like Cloudflare and other distributed network services that prevent distributed denial-of-service attacks. There's ways to defend against this distributed reputation ransomware. The FBI, of course, strongly discourages victims from paying ransoms... 

Dave Bittner: Right. 

Joe Carrigan: ...On cyberattacks. But - and I would also encourage that because if you pay the ransom of these guys one time, they're just going to threaten to do it again, or they're going to sell your information and threaten - somebody else will threaten to do it again. 

Dave Bittner: Yeah. 

Joe Carrigan: Not a great way to go about running your business, I think. 

Dave Bittner: It's interesting. Again, this article points out that it's the threat of the reputational damage of having a data breach that the scammers are finding works just as well as the data breach. 

Joe Carrigan: Right. 

Dave Bittner: They don't have to do the technical part. 

Joe Carrigan: Nope. 

Dave Bittner: They just threaten you with it and say, you know, nice company you got here. Be a shame if... 

Joe Carrigan: Something happened to it. 

Dave Bittner: ...Something happened to it. Right, right. 

Joe Carrigan: Get a forensic investigation immediately if someone tells you you've been breached. And finally, Dave, your favorite - deepfake attacks. Shannon is saying this is the year of deepfake attacks. I'm not convinced of that, that this is the year of deepfake attacks. What do you think, Dave? 

Dave Bittner: Well, it's funny you say that. I just did a segment earlier this week that has not aired yet, but I was speaking with Malek Ben Salem from Accenture. 

Joe Carrigan: Right. 

Dave Bittner: And she is their head of research. Hard to find a smarter person in the world than Malek (laughter). 

Joe Carrigan: Every time she's on, it's a great interview. 

Dave Bittner: Yeah. Yeah. And we were talking about this very thing, and there's a combination of audio - real-time audio - like, it's combining a chatbot with an automated video system where - these things are at the point where they can respond with video in real time with a fake persona - a made-up person - who can, on video, look like they're chatting with you and, using the chatbot, can respond quickly enough that you can have a conversation with them. And it's - you feel - it feels like you're having a video call with them.

Joe Carrigan: Huh. 

Dave Bittner: So that's - we're right on the leading edge of that technology. So hold on to the bar, right (laughter)? 

Joe Carrigan: OK. Maybe I'm wrong. Maybe Shannon is right here, that this is the year of the deepfake attack. 

Dave Bittner: Could be. 

Joe Carrigan: Now, is it purely synthetic? Or can you use - could I do something where I impersonate Joe Biden, and I get a model of Joe Biden to be the person sitting there? 

Dave Bittner: Yeah, I would suspect you could probably do that. I think it's probably easier, maybe more effective, to use a synthetic person because there's no expectation. There's no track record of knowing - saying, wait, that doesn't sound like Joe Biden or... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, that doesn't sound like something Joe Biden would say, or whoever you chose to imitate. So I don't think the video part is the hard part. You know, we've had that for quite a while now... 

Joe Carrigan: Right. 

Dave Bittner: ...Where you can sort of - you can puppet a realistic video representation of someone. So I don't think that's the heavy lift. I think it's the real-time response with the chatbot. And we've seen, you know, just these past couple of weeks, the - with the - what is it? - ChatGPT - the chatbots are getting really impressive. 

Joe Carrigan: Right. 

Dave Bittner: So interesting. 

Joe Carrigan: So the last thing Shannon puts on here - staying safe online. Common sense and constant awareness of potential hazards is everyone's best defense. I say constant awareness. I don't know about common sense because a lot of these things don't occur to people not steeped in technical fields on the regs. So what qualifies as common sense to someone like you and me may not qualify as common sense to someone who's never been - never understood what lies underneath the screen of a computer. 

Dave Bittner: Yeah. That's true. That's true. All right. Well, that's interesting stuff for sure. We will have a link to that in the show notes. 

Dave Bittner: My story this week comes from an organization called restoftheworld.org (ph). It is a nonprofit news organization. And they have an article here written by Kapil Kajal coming out of India. And it's the sextortion scammers of rural India. And this is the story of people who find themselves getting extorted by people who reach out. This article starts out with a gentleman who's a 30-year-old resident in a city in India - got a message on Facebook Messenger from a woman, started up a conversation. And she started being amorous (laughter).

Joe Carrigan: Right. 

Dave Bittner: Right. Right. And... 

Joe Carrigan: Was a real woman, though. 

Dave Bittner: Well, he thought she was. 

Joe Carrigan: OK. 

Dave Bittner: The profile picture looked real. They started a conversation, and she said, let's take this to another platform. 

Joe Carrigan: Uh-huh. Moving off platform. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Big red flag. 

Dave Bittner: Yep. And she proposed that they have an erotic encounter over a video call. And he couldn't resist. He said to the reporters here, what can I tell you? The other person offered. I agreed to do it. 

Joe Carrigan: Yep. 

Dave Bittner: And you know, Joe, we can tut-tut this poor guy and, you know, raise - sniff and raise our noses but... 

Joe Carrigan: I'm not going to do that to this guy. 

Dave Bittner: You know, particularly, I think, when it comes to this sort of thing, as we talk about all the time here, it short-circuits your critical thinking, right? 

Joe Carrigan: It does. 

Dave Bittner: (Laughter) Right? There's a - you know, there's a beautiful person on the other side of the call here who wants to be intimate with me. 

Joe Carrigan: Right. 

Dave Bittner: That sounds pretty good (laughter). And so... 

Joe Carrigan: What are the odds (laughter)? 

Dave Bittner: Yeah. 

Joe Carrigan: (Laughter) Well, when I - that's the thing I think when - what are the odds? 

Dave Bittner: (Laughter). 

Joe Carrigan: Nobody wants that with me. 

Dave Bittner: So... 

Joe Carrigan: Wow, you're hot. Sure I am. 

Dave Bittner: (Laughter). So this person fell for that. And... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Next thing he knows, he's getting video of his intimate call sent to him by people who are saying, hey, listen, we've got this video. And unless you start sending us money, we're going to share this video with all of your loved ones... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Your wife, your family, your friends, your employer. So pay up. 

Joe Carrigan: Right. 

Dave Bittner: And this person did. He felt like he didn't have any choice but to pay. Now, we've talked about sextortion scams here before... 

Joe Carrigan: Yes, we have. 

Dave Bittner: ...And so nothing particularly interesting or unusual about what's described here. What I found particularly interesting about this article, and why I thought it was worth sharing, is they actually speak with someone who is doing the sextortion. 

Joe Carrigan: Really? 

Dave Bittner: They got in touch with - they found someone. And it is people in rural villages. The person they talked to here was a former truck driver. And he said he was introduced to this sort of scamming by his relatives about four years ago. He said he was surprised to see that his relatives had abandoned their work in the transport business as truck drivers, and they were doing quite well for themselves. 

Joe Carrigan: Right. 

Dave Bittner: They suddenly had - they had a big house, and they had cars. And, you know, these were folks who previously were - had a solid living but weren't living high on the hog or anything... 

Joe Carrigan: Right. 

Dave Bittner: ...Like that. He asked about their sudden rise in wealth, and they taught him all about how to do this sextortion type of thing. 

Joe Carrigan: OK. 

Dave Bittner: So he goes through the process here. He says, first, they create a Facebook account with fake details and photos of a beautiful woman that they've downloaded from the internet or taken from someone else's Facebook profile. He says, then they go on an outreach spree, sending friend requests to anyone they think could give them money. And as soon as the message is accepted, they try to get the target engaged before shifting to WhatsApp - so, as you mentioned, as you noted earlier, shifting platforms. 

Joe Carrigan: Right. 

Dave Bittner: Big red flag. 

Joe Carrigan: Yep. 

Dave Bittner: This particular scammer said that he keeps his bases covered by asking his sister, wife or another local woman to speak to the target to falsely reassure them that the account is authentic - so a short phone call in a woman's voice to just set the hook, right? And then once they get on a video call, the scammer shows the target a pornographic video of a woman in the process of removing her clothes. So pretending to be - so they find some sort of, you know - and, boy, that's hard to find. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Isn't it, Joe - something - (laughter). 

Joe Carrigan: Where are you going to find that on the internet? 

Dave Bittner: Right. Right. So they find a suitable video that is of, you know, a beautiful woman taking off her clothes. And so the victim thinks, hey; this is - they think it's live...

Joe Carrigan: Right. 

Dave Bittner: ...Even though it's prerecorded and just something that they found. So the victim plays along. And meanwhile, the bad guys are recording the whole thing. A couple interesting notes here - he says if the other person sends money within five to seven minutes, we know they are rich and demand more from them. However, if someone says they're a student and can't pay any money, we let them go. We mostly target rich people. 

Joe Carrigan: Now, OK, so know your - that's a good way to get off the hook. I'm a student, and I can't pay any more. 

Dave Bittner: (Laughter) Know your customer... 

Joe Carrigan: Right. 

Dave Bittner: ...Too. 

Joe Carrigan: Know your scammer. That's it. 

Dave Bittner: Yeah. I mean, I guess it's a funny little bit of honor among thieves. 

Joe Carrigan: I don't... 

Dave Bittner: I mean... 

Joe Carrigan: I doubt that. 

Dave Bittner: It's a low bar. 

Joe Carrigan: Yeah. I think that maybe they hold on to that for a little while. 

Dave Bittner: Yeah. Yeah. And they use an online payment service, and they get their money. This article also touches on law enforcement, which, in these small villages in India, is hard to make work. People live - you know, they have small rural homes. They say the villages themselves - they have video surveillance at the entrances to the villages. And if they see law enforcement coming into the village, the men all run into the woods, and they let the women handle the law enforcement people basically by mobbing them and beating the crap out of them.

Joe Carrigan: What? 

Dave Bittner: (Laughter) Yeah. Yeah. I shouldn't laugh, but... 

Joe Carrigan: That's bananas. What happens? So wait. The cops show up. 

Dave Bittner: Cops show up. 

Joe Carrigan: The men flee. 

Dave Bittner: Men flee. Yeah. They see them coming. 

Joe Carrigan: And the women take up arms, like, with sticks and stuff. 

Dave Bittner: Who knows? But I think it's just a matter of - there are so many people, you know, yelling. It's a mob. And so you get - let's imagine a single police car coming into a village. 

Joe Carrigan: Oh, yeah. 

Dave Bittner: They're just overwhelmed, and they're not out to use deadly force...

Joe Carrigan: Right. 

Dave Bittner: ...Against some scammers. You know? 

Joe Carrigan: But the scammers are perfectly willing to beat up police officers... 

Dave Bittner: Right. 

Joe Carrigan: ...To protect their business model. 

Dave Bittner: Right, right - and, you know, let the police officers know perhaps they should go somewhere else and leave them alone and... 

Joe Carrigan: Or come back with more police officers. 

Dave Bittner: Well, there - yeah, could be. 

Joe Carrigan: A lot more police officers. 

Dave Bittner: But it seems like that's not what's happening here. 

Joe Carrigan: Right. 

Dave Bittner: The cops go... 

Joe Carrigan: It's probably not a big priority for law enforcement in India. They probably have other things they need to worry about. 

Dave Bittner: Right. And who knows what the ability - how big the police forces are in... 

Joe Carrigan: Yeah. 

Dave Bittner: ...These small villages? 

Joe Carrigan: Yeah, I don't know. I have no idea. 

Dave Bittner: Yeah. 

Joe Carrigan: I know that if you go to a rural part of America - you go to West Virginia and you look at the number of state police officers they have, it is shockingly low. 

Dave Bittner: Yeah. Yeah. This article points out that the conviction rate in sextortion cases is 1%. 

Joe Carrigan: One percent. 

Dave Bittner: So they say there's an absence of proper cybersecurity laws and a lack of training for police. They say it's a golden age for cyber fraudsters in India. 

Joe Carrigan: Yeah. 

Dave Bittner: And, of course, the victims here are reticent to file a case... 

Joe Carrigan: Sure. 

Dave Bittner: ...'Cause especially... 

Joe Carrigan: It's embarrassing. 

Dave Bittner: It's embarrassing. But also, they - yes. And they don't want their family to find out. So they're afraid that if they file a case, just doing that will - people will find out what they did. 

Joe Carrigan: Right. 

Dave Bittner: And they don't want that to happen. 

Joe Carrigan: Yeah. 

Dave Bittner: So the bad guys get away with it. 

Joe Carrigan: Right. 

Dave Bittner: So we'll have a link to this article in the show notes. It's very interesting. There's more details in this one on the scam side of it than I've seen in a lot of other articles. So I think it's worth a read. So we'll include that in the show notes. We would love to hear from you. If there's something you would like us to discuss on the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. It is time to move on to our catch of the day. 

Joe Carrigan: Dave, our catch of the day comes from George, who writes in - hi, Dave and Joe. Love the show and can't believe the emails that people are still sending that are so obviously scams. 

Dave Bittner: (Laughter). 

Joe Carrigan: Well, they still send them, George, because they work. 

Dave Bittner: Right. 

Joe Carrigan: That's why. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I've noticed a lot now coming in on my phone via WhatsApp and such. So I thought I would play along with the scammer to see how long before they knew I was messing with them. And here are some great photos. Dave, do you want to play the part of the scammer or of George? 

Dave Bittner: I will play the part of the scammer. 

Joe Carrigan: All right. And... 

Dave Bittner: All right. Here we go. 

Joe Carrigan: ...That is in the white bubbles, and George is in the green bubbles. 

Dave Bittner: OK. It starts out, and it says, excuse me, is this Mr. Liam's number? 

Joe Carrigan: Sorry, you have the wrong number. 

Dave Bittner: Oh, I thought this was Liam's number. And I just wrongly sent to you. I'm so sorry. I hope you don't mind. 

Joe Carrigan: No problem. Have a great day. 

Dave Bittner: Thank you. I hope you have a great day. Acquaintance is fate. Where are you from? 

Joe Carrigan: Sorry, I'd love to chat, but I'm spending my time with this guy I met online. He's teaching me all about crypto - really fun. You should do crypto, too. I started with a couple hundred bucks. Now I've remortgaged my house, and I've cashed in all of my investments. I'm killing it here. I've doubled my money in a week. I'm going to stop right here for a minute, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I want to remind everybody here that George is messing with the scammer and that nobody should ever do this. Just in case anybody thinks remotely that this is a good idea. This is - and George is - knows this is a bad idea. 

Dave Bittner: Yeah. 

Joe Carrigan: That's why he's saying it. 

Dave Bittner: He's turned the tables. 

Joe Carrigan: He's turned the tables. 

Dave Bittner: All right. Well, the scammer goes on and says, you have a nice job, but careful, there is so many scammer. 

Joe Carrigan: Thanks for the warning. 

Dave Bittner: By the way, I'm Rebecca from Miami. Where are you from? 

Joe Carrigan: Nice to meet you, Rebecca. But I've got to leave the house right now. I've got to pop out to CVS to get some gift cards to pay off an outstanding IRS payment. Have a great day. 

Dave Bittner: You, too. I like making new friends. If you wish, we can be friends, LOL. 

Joe Carrigan: Glad to hear you have plenty of friends. Good luck tracking down Liam. 

Dave Bittner: Where are you from? 

Joe Carrigan: Sorry. I'd love to chat, but I'm spending all my time with this guy I met online. He's teaching me all about crypto - really fun. You should do crypto, too. I started with a couple hundred bucks. Now I've remortgaged my house, and I'm cashing in all my investments. I'm killing it here. I've doubled my money in a week. It's just a copy and paste from his previous message. It's great. 

Dave Bittner: OK, so you're doing cryptocurrency? 

Joe Carrigan: Yes. Sorry, I can't continue this conversation. My nephew has just been kidnapped. And I've got to sell my house to pay the taxes on the crypto money so that I can pay the kidnappers. It's turning into a busy day. 

Dave Bittner: Are you telling the truth? Are you really going to sell your house? Hey. What are you doing? Is your house sold? 

Joe Carrigan: Hi. I didn't end up selling my house. A friend warned me that this was probably a scam. Seems pretty obvious when I look back. 

Dave Bittner: (Laughter) And then she responds with a bunch of smiley faces. 

Joe Carrigan: He says, do you keep losing your phone? This is the third phone number you've had in as many days. And it's true. I'm looking at the top of these phone numbers, and they're coming across with three different phone numbers. 

Dave Bittner: Oh, I didn't - yeah, I didn't see that. 

Joe Carrigan: Yeah, it's funny that you didn't see that because most people won't notice that. 

Dave Bittner: That's right. 

Joe Carrigan: What's also interesting is... 

Dave Bittner: With the same picture. 

Joe Carrigan: Right. It's the same picture. But George points out that she changed her name from Rebecca to Lisa on her WhatsApp profile page. 

Dave Bittner: Oh. 

Joe Carrigan: So I mean, it's just constantly rotating. These guys are always trying something new. 

Dave Bittner: One step ahead of the law. All right. Well, that is our catch of the day. And again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Eric Levine. He is co-founder and CEO at a company called Berbix. And our conversation centers on identity fraud. Here's my conversation with Eric Levine. 

Eric Levine: We're in kind of an interesting inflection point as a society when it comes to identity fraud and fraud in general. Obviously, the digital transformation has been a process that's been ongoing for the past several decades. But over the last two years with COVID, we've seen the extreme proliferation of platforms making more and more services available online, which has opened the door for a lot of potential fraudsters to come in and take advantage of the systems. And so that, combined with the state of the world as it relates to data leakages, you know, like the Equifax breach that happened several years ago, the amount of personal data that's available out there is enormous. And so it's a pretty large, ongoing battle to try to manage the fraud situation as time goes on. And people are having to turn to newer and more advanced methods to detect and deter that fraud population. 

Dave Bittner: You know, I'm reminded of that classic - I think it's a New Yorker cartoon that says, oh, you know, on the internet, nobody knows you're a dog. And I wonder, you know, about where - the reality of that these days. I mean, you know, obviously, anybody can log on to an online platform. You can say you are whoever you are. But in this era of people being able to get so much information about you, is that sort of anonymity or deception really possible these days? 

Eric Levine: It absolutely is. I would say that, by and large, while there are many new tools that have become available to help address that question, that very question - the are-you-who-you-say-you-are, knowing that the person that you're interacting with is not, in fact, a dog - there are a lot of new tools that are available for actually addressing that. But by and large, it's still up to each individual platform to make a decision about what tools they are going to use in order to protect the people in their communities, on their platforms, opening bank accounts, whatever the case may be. And so while there are tools that can quite confidently tell you that someone is who they say they are, those are not, I would say, deployed at the scale that they would need to to really fully, once and for all, answer that question. Fun fact - I think that that comic, the on-the-internet-no-one-knows-you're-a-dog, I believe that that's actually over 30 years old at this point or is close to 30 years old. 

Dave Bittner: Wow (laughter). 

Eric Levine: And it's still very much the case. 

Dave Bittner: Yeah. Well, can you walk us through a little bit of the history here in terms of the various things that people needed to be able to log on to where identity mattered, and then, you know, how we got to where we are today? And what is the state of the art? 

Eric Levine: You know, when the internet was first getting started, you had your - you know, your bulletin boards. You had basically the ability to exchange documents through this hypertext markup language. You know, the need to know someone's identity was pretty limited, and so the tools that were available were pretty limited also, right? The actual ability to embed something like identity verification directly into the actual protocols that are being used to communicate across channels, like the internet, are pretty basic, right? You have password authentication, but even that is, like, not widely used because most websites will opt to handle that on their own - using their own systems and tools rather than leveraging the actual protocols underlying those. 

Eric Levine: But, you know, the internet today is a very different internet than the one that we had 30 years ago, right? The - in 1992, the needs of any given platform to know that the person who was interacting with them was quite low. But in this day and age, with more tools - like being able to open bank accounts, like being able to arrange a date, like being able to go to someone's house to pick up a couch that you found on Craigslist - right? - there's all these different situations where, all of a sudden, you're a lot more vulnerable - right? - whether you're a business or an individual, to the potential bad actors who we know are on the internet. And so the state of the art has evolved, right? 

Eric Levine: It - when you were opening bank accounts or doing any sort of identity verification, say, in the late 2000s, early 2010s, you would see a lot of these knowledge-based authentication, right? People - they would ask you questions like, what was the make of the car that you bought in 2005? And the thought process there was that this is information that's coming out of your credit file that only you could know. But as we know, with the credit leaks that have happened, all that information is much more widely available, and so the strength of those types of protections have weakened considerably. 

Eric Levine: And so that's where - not to self-promote too much here, but one of the areas that I was quite involved with was the trust and safety efforts at Airbnb. I led the engineering trust and safety team for a number of years, where we were tasked with stopping all bad things from happening on the Airbnb platform... 

Dave Bittner: Oh, that. 

Eric Levine: ...Quite a tall order. 

Dave Bittner: That's a small task, right? 

Eric Levine: Yes. 

Dave Bittner: But I think it's a really interesting point in that - I mean, we're talking about, you know, strangers showing up to another person's property, potentially even, you know, their home that they're renting out. And so there are serious security concerns here. 

Eric Levine: Absolutely. And I - frankly, I think Airbnb was on the bleeding edge of implementing a lot of the protections in order to keep the user base safe. Now, obviously, no system is perfect, and I'm not going to sit here and pretend that it is. But what we found was that most fraudulent behavior, whether that is, like, personal safety fraud or even financial fraud, ultimately comes down to typically people are misrepresenting their identity when they're interacting online - right? - because nobody wants to have to face consequences for doing something fraudulent. And so they are going to misrepresent themselves. And so we did quite a lot of experimentation as it related to sort of identity management. And one tool that we found was quite useful was doing actual government-issued photo ID checks. And so we found that, you know, this is a commonly accepted, ubiquitous token that almost everyone has, that they can carry around with them, that most people trust to say that this is, in fact, Dave Bittner, right? 

Dave Bittner: Right. 

Eric Levine: That people trust that. And so being able to take that trust, that common ubiquity of that particular token, and use that as a way to prove your identity, even in online contexts, felt like the right, natural next step. You know, you don't think twice when you go to a corner store, buy a bottle of wine - they ask to see your ID. You hand it over to them, and they're satisfied, and you can move on, right? 

Dave Bittner: Mmm-hmm. 

Eric Levine: And so how can we take that same level of trust and strength and move it into a digital setting? And there are a lot of companies that have been doing this for quite some time. But we found that there was a gap when it came to the user experience that was provided by the existing verification services just due to the expectations of consumers as it relates to instant gratification and the sort of high-quality type of interfaces that people expect in this day and age. 

Dave Bittner: Right, yeah. I mean, people - particularly, like, for retailers, I suppose - you don't want to add any friction to those transactions. You don't want to - there's nothing more frustrating than hitting roadblocks when you're just trying to get something done online. 

Eric Levine: That's exactly right. You know, people want to finish their purchase and move on with their lives. Nobody wants to wait around for three to five minutes to find out whether or not their ID check was successful. And so that's really where the state of the art has been evolving quite rapidly as it relates to being able to do these types of ID checks online whether it is for opening a bank account or for other types of use cases - like two-sided marketplaces, like if you're getting a babysitter to come over to child-sit your children. You typically want to know who those people are. And so being able to leverage technologies like this can really enhance your trust. Or even with remote employment, right? If you're hiring people remotely, which, of course, is much more common in this day and age post-COVID than it was, you know, in 2019, knowing that the person that you're bringing on board is who they say they are is another critical application of this type of identity verification technology. 

Dave Bittner: Well, I know, you know, the company that you are CEO of, Berbix - I mean, this is your area of expertise. So what is the state of the art these days? 

Eric Levine: Great question. And the state of the art has evolved quite rapidly. You know, everyone - not everyone. But the vast majority of people have high-quality phones with high-quality cameras in their pocket at all times, right? And so the ability to capture high-fidelity images of your IDs in order to process those - the availability is quite wide these days. 

Eric Levine: But when it comes to the state of the art, I think that there are a couple areas that there's been substantial, let's say, evolution over the course of the last few years. No. 1 is speed, right? When it comes to that instant gratification and the expectations of those consumers to be able to complete their transaction successfully, people don't want to wait around. And so now there are services, like Berbix, that allow for that sort of instant validation of the IDs that are being uploaded to those systems. So that's one area. 

Eric Levine: Another would be, frankly, the confidence of the results that are being returned. It's actually - you know, if you think about it - right? If you're someone who's 19 and you want to go to a bar, you can order a fake ID online, and it's going to come to you. And you can take that to a nightclub or a bar, and you can give it to the bouncer. And usually, it'll work, right? If fake IDs didn't work, then there would be no market for them. But they do work. 

Dave Bittner: That's right. 

Eric Levine: Right? 

Dave Bittner: Yeah. You're taking me back to my college days, Eric, but go on. 

Eric Levine: Yeah, I mean, it's hard. It's - this is no disrespect to bouncers. 

Dave Bittner: Right. 

Eric Levine: But I think that it is a really challenging problem. How can you distinguish between a legitimate ID and a fake ID especially when there's no training courses? You know, it's not a skill that there's a whole lot of training available for. And so that said, there are services, like Berbix, that can much more accurately and much more consistently distinguish between legitimate and illegitimate IDs based on the signals that come off of those IDs themselves. 

Dave Bittner: Well, walk me through how something like this works. I mean, is this a matter of, you know, me setting up an account and doing the work of verifying? And then, once I've done that, I'm good to go? Or how does it generally work? 

Eric Levine: Yeah. So in our case, the way it works is our customers are platforms that need to perform identity verification. So whether that is a two-sided marketplace or an e-commerce platform or whatever the case may be - a bank - and so what they will do is they will integrate our software into, typically, their onboarding flow. And then, when you go to create an account, to open your bank account, whatever the case may be, they'll ask you to go through the verification process. And this will typically be - take a picture of the front of your ID, take a picture of the back of your ID and scan your face to do the automated facial comparison between the face that's on the ID and the face of the person going through the verification process to ensure that it's actually your ID. Then once you've completed that, it's instantly available to - for our customers to be able to say, yes, this is a legitimate ID. Yes, this is Dave Bittner. Yes, the face of the ID matches the person who went through the process. Let's go ahead and let them through or perform the additional downstream checks that we might need to do from a compliance perspective. 

Dave Bittner: And then does the system automatically have things in place that if it senses any red flags, there's more scrutiny? 

Eric Levine: Yes. So that's a key part of any legitimate verification process, is that you need to be able to distinguish between legitimate and illegitimate IDs. And this is not necessarily just fake IDs, right? Someone, let's say - a very common pattern that we see if someone wants to get through this type of process in order to commit fraud, they'll just Google California driver license. And then they'll take a picture of the first item that comes up and try to get through that process. And so we have basic protections for different common fraud vectors like that. But any of those will be flagged to our customer so that they can either automatically accept the user if they deem that it is low risk, reject them if they are deemed to be too risky or there are actual specific fraud vectors that they're seeing. Or at least in Berbix's case, we have the option for our customers to decide that they want to manually review and take a look at those to give additional scrutiny before they let that user through or reject them. 

Dave Bittner: Where do you suppose we're headed with this? I mean, what is the future in a perfect world of online ID verification? 

Eric Levine: Yeah. You know, I would say we are in a very rapidly evolving space, right? There are new programs that are starting to be piloted by a number of the states, at least domestically here, for digital IDs - right? - to actually be able to have a copy of your driver's license on your phone. I believe Colorado is one of the states that's been pioneering this. And so that is one big advance that's happening today and is really starting to pick up steam where I'm sitting. Additionally, you know, there's a lot of additional work that's been done by Apple to allow you to import your identity information into your Apple wallet in order to be able to use that rather than getting your ID out when you go through TSA. Now, it's only available in a handful of airports in a handful of states, but that is starting to happen. And so things are evolving pretty quickly here. But I think that the underlying requirement of being able to leverage these highly ubiquitous, highly trusted credentials in order to interact both online and off is going to continue to be a need today and going forward. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, the state of the market is vastly different than it was 10 years ago - I mean, the identity theft market, right? There are many more services that are available online. And, like, you can now open bank accounts online. I don't remember if you could do that 10 years ago, but maybe you could. But I mean, it's a fairly recent thing. Up until recently, you've had to go into a bank to do that. 

Dave Bittner: Right (laughter). How quaint. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: One of the things that Eric... 

Dave Bittner: It hasn't been that long since, if you were a woman, you had to take your husband with you. 

Joe Carrigan: (Laughter). 

Dave Bittner: So... 

Joe Carrigan: That's a good point. 

Dave Bittner: ...Things - yeah, things keep moving, the march of progress. 

Joe Carrigan: When was that? That was... 

Dave Bittner: Early '70s. I mean, within our lifetime... 

Joe Carrigan: Right. 

Dave Bittner: ...A married woman could not open a bank account without her husband's permission. Yeah, it's bonkers. It's just bonkers. 

Joe Carrigan: That is bonkers. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I'll have to ask my mom about that, if she ever encountered that. One of the things that he talks about here is the amount of data that's been breached about everybody. And Eric makes a good point, like with the Equifax breach. Just assume your data has been breached. Don't assume that it's been - that your data is secure. Even if it's aged, just assume your data is breached. And if you live with that assumption, then you can behave in a way that protects you a little bit better. Maybe you get a credit monitoring service, or maybe you put a credit freeze on all your credit reports, which stops people from opening new accounts in your name. 

Dave Bittner: Right. 

Joe Carrigan: That's a great idea. Eric talks a lot about what was going on 30 years ago. Thirty years ago, Dave, was that 1992? I was still using - well, I guess now it's 1993. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: But in 1992 and 1993, I was still using Telnet. 

Dave Bittner: Yeah. 

Joe Carrigan: You remember using Telnet? 

Dave Bittner: I do. 

Joe Carrigan: Yeah. 

Dave Bittner: I do. 

Joe Carrigan: Like, unencrypted, straight across the internet, plain text Telnet. 

Dave Bittner: Right. There was no YouTube. There was no Facebook. There was no... 

Joe Carrigan: There was no web, Dave. The web didn't come out till 1993. 

Dave Bittner: Is that right? 

Joe Carrigan: Yeah. That's when that launched. 

Dave Bittner: Wow. OK. 

Joe Carrigan: So, you know, the web is... 

Dave Bittner: We all know how that ended. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Still a miserable fireball of death. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: The web - oftentimes people mistake the web for the internet. It's not. The web is just a service that's on the internet. 

Dave Bittner: OK. 

Joe Carrigan: So - and it's what most users wind up using when they're on the internet. 

Dave Bittner: Yeah. 

Joe Carrigan: But there are tons of other things you can do on the internet that don't necessarily use the web. In fact, everything that runs behind the scenes doesn't use the web. Some of it does, but a lot of it doesn't. 

Dave Bittner: Yeah. And we used to - this was the nerdy way we used to bop around the internet. 

Joe Carrigan: Right. That's right. We used to go to things like IRC channels or bulletin board services that were connected. 

Dave Bittner: Yeah. 

Joe Carrigan: And the point is you didn't really need to identify yourself. If you had a cool handle - right? 

Dave Bittner: Yeah. 

Joe Carrigan: Like, you wanted to - oh, here's a book I read recently. I'm going to take the name of this vampire from this book. 

Dave Bittner: Right. Right. 

Joe Carrigan: I don't know anybody that did that. 

Dave Bittner: I'm ZiggyStardust... 

Joe Carrigan: Right. 

Dave Bittner: ...Eighty-three or whatever (laughter), you know? 

Joe Carrigan: Yeah. Right. You didn't - you probably didn't even need 83 'cause there were so few users. 

Dave Bittner: Yeah, it's true. 

Joe Carrigan: You were just out there. 

Dave Bittner: Yeah. 

Joe Carrigan: But the need to identify yourself didn't exist. There were services that were happy to let them use you - let you use them anonymously. 

Dave Bittner: Well, and that was a feature, not a bug... 

Joe Carrigan: Right. 

Dave Bittner: ...Back then. 

Joe Carrigan: Yeah. 

Dave Bittner: And I mean, to me, I think cybersecurity - InfoSec is one of the few places where there's a handful of old-timers who are still going by their old handles. 

Joe Carrigan: Yeah. 

Dave Bittner: Right? 

Joe Carrigan: That's probably correct. 

Dave Bittner: Yeah, they are. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: Eric talks about knowledge-based authentication, and that is of very little use because all that information is available to you at any point in time. If you remember when Sarah Palin had her Yahoo account breached, somebody hacked into her personal Yahoo account by just looking on Wikipedia to find all the answers to the knowledge-based authentication questions for the password reset algorithm. 

Dave Bittner: (Laughter) Right, right, right. 

Joe Carrigan: And this was back before multi-factor authentication was commonplace. 

Dave Bittner: Yeah. 

Joe Carrigan: So you really can't blame the user here. This is something that has to be - well, maybe. I don't know. I don't like blaming the victim. 

Dave Bittner: Yeah. 

Joe Carrigan: But I'll tell you what I do. When they ask me a question like what high school did you go to, I don't tell them I went to Paint Branch. I don't say that at all 'cause that's available on my Facebook page if you look that up. 

Dave Bittner: Right. 

Joe Carrigan: Oh, look. Look where he went. I tell them I went to, like - I just pull something out of my head. Like, what just popped in my head now was, like, Goofy Goober University or something like that... 

Dave Bittner: Right, right. 

Joe Carrigan: ...From "SpongeBob." I just pull something completely unrelated out of my head... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And put that down. And I make a note of that in my password manager. 

Dave Bittner: Yeah. 

Joe Carrigan: I've never had to use that information. Actually, I've seldom had to use that information. I do - I have had to use it in, like - when I log in from a new place and they're saying, oh, let's use a knowledge-based authentication to verify that this is actually you... 

Dave Bittner: Right. 

Joe Carrigan: ...Which is kind of a bad idea for exactly the reasons I've just explained. But then I have to go to my password manager, look at my notes and say, OK, I went to Goofy Goober University for high school. 

Dave Bittner: Right. 

Joe Carrigan: Fraud comes down to misrepresenting your identity when you're online. 

Dave Bittner: Yeah. 

Joe Carrigan: That's really the basics of it. I mean, it's a fundamental thing. It's the same crime that - if you were misrepresenting your identity walking into a bank 40 years ago, 50 years ago. 

Dave Bittner: Right. 

Joe Carrigan: It's - there's nothing different. You're just doing it with a different means. 

Dave Bittner: Nobody can tell online that you're sweating bullets (laughter). 

Joe Carrigan: Right. Yep. As you said in the video or in the interview, nobody knows that you're a dog. 

Dave Bittner: Right (laughter). 

Joe Carrigan: People want to get stuff now. And merchants don't want to introduce friction to that process - right? - because the vast majority of your sales are going to be legitimate sales. But every now and then, you're going to have some portion of your business that is fraudulent sales. 

Dave Bittner: Yeah. 

Joe Carrigan: And... 

Dave Bittner: The cost of doing business. 

Joe Carrigan: It is the cost of doing business. And depending on what that percentage is, if that percentage is low - like, less than 1% of the sales that you make are fraudulent sales, that might not impact your bottom line very much. 

Dave Bittner: Yeah. 

Joe Carrigan: You may be perfectly willing to let that go. And whenever you see a problem crop up, terminate that account and, you know, keep playing the game of whack-a-mole because that's more profitable than telling the user, stop. Stop. Stop. We need you to upload a photo ID. We're going to send it to Berbix or a company like them, to have them identify it. Then we're going to need you to get online and have a video chat with somebody for a second, and, you know, then maybe we'll have to have some human involvement. They don't want to do that. 

Dave Bittner: Yeah. 

Joe Carrigan: They don't want to do that because that makes the user go, I'm not giving you my ID, right? What are you going to do with that data? Maybe it does. Maybe it doesn't. Who knows? But it does introduce friction. It does slow down the sales process. In online marketplaces, online sales, you don't want to do that. 

Dave Bittner: Right. 

Joe Carrigan: I like the system that Eric describes at Berbix. It sounds like it's pretty good, and it's pretty automated, so it's pretty quick. 

Dave Bittner: Yeah. 

Joe Carrigan: But if there's something that is flagged as, this is suspicious, then you can get humans involved and have them do it. This was a pretty good interview. I enjoyed listening to it. 

Dave Bittner: Yeah, absolutely. I appreciate Eric spending the time with us. Again, he is from Berbix, and we appreciate him sharing his expertise. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.