Featuring Dr. Nicole Drumhiller, Dean, School of Security and Global Studies;
Dr. Harry Cooper, director, NSA Cyber Center for Defense;
Dr. Elliott Lynn, director, NSA Cyber Center for Defense; and
Dr. Andre Slonopas, department chair, Cybersecurity
In this episode, APU’s Dr. Nicole Drumhiller talks to Drs. Harry Cooper, Elliott Lynn, and Andre Slonopas about the dangers we face from our consistent cyber presence. Learn more about ways to protect yourself from cybersecurity scams.
Read the Transcript:
Nicole Drumhiller: Hi, everyone. My name is Nicole Drumhiller and I’m the Dean for the School of Security and Global Studies. With me today are Drs. Harry Cooper and Elliott Lynn, and they are the directors of our NSA Cyber Center for Defense. In addition to them, we have Dr. Andre Slonopas, and he is the chair of the cybersecurity department.
Today we’re going to be discussing the interdisciplinary nature of cybersecurity and global security, but more specifically we’ll be talking about the risks associated with the cyber environment and how to avoid some of the most common scams that are out there. Thank you all for being on the show with me today. I’m really looking forward to our conversation.
Andre Slonopas: Yeah, thank you so much for having us, Nicole, and thank you for yet another podcast on cybersecurity. I think this is really phenomenal and I think it’s a great opportunity to discuss how we got here, and more importantly, the cyber issues that we’re facing today.
Nicole Drumhiller: Yes, and Andre, you’re absolutely correct with that. The university has a rich history and was one of the pioneers of its time, currently accredited by the Higher Learning Commission and the School of Security and Global Studies was actually the flagship school for the university. It was originally founded in 1991 by retired Marine Corps major James P. Etter as American Military University.
In 1993, it launched its first master’s program in military studies and hosted its first graduation in 1995. Then in 1996, it began its first set of bachelor’s programs, which focused on military history, military management, and intelligence operations. Then interestingly in 2002, American Public University was founded to captivate a wider audience. Later on in January 2017, we were very proud as we were able to launch our first set of doctoral programs, including the doctorate of Strategic Intelligence and the doctorate in Global Security.
While our school has about nine departments in it currently, the cybersecurity department is our latest addition, having formally been organized originally under the STEM school. So as a result of that, we also get the opportunity to work closely with the NSA Designated Cyber Defense Center. So, this is very exciting for us. So, Harry, as a director, can you talk a little bit about what that means? What exactly is the NSA Designation and the Cyber Defense Center at the university?
Harry Cooper: Thank you, Nicole. On top of our standard academic credentials and accreditations, we partake in what is called the National Security Agency Center of Academic Excellence. In particular, there are three groups within that center, and we chose to do cyber defense.
What that program does is set a standard for what a solid, government approved curriculum would look like, just making sure we’re covering all the areas. NSA does that in combination with NICE, which is what guides the federal guidelines of training and education in cyber security. So, because we make use of both the NICE framework and the NSACA framework, we’re able to provide a significantly higher quality of lessons.
Nicole Drumhiller: Thanks for that overview. Elliott, as a co-director, can you tell me what the NSA Center of Academic Excellence Designation means to our faculty members?
Elliott Lynn: Certainly it means a lot of things, Nicole, but as a faculty and at the university, I can certainly testify that we strive to provide absolutely amazing experience to our students and being a faculty that is a part of the NSACA Designation is that much better. We strive to provide opportunities like access to CompTIA certifications, micro-credentials that also give an advantage to students as they leave the university. There are a great deal of programs that we have in place to enhance students’ abilities to get their certifications as they pursue their degree.
Nicole Drumhiller: So, while we’re doing some great stuff within the university, one of the things I wonder, and you guys are the experts on this is, are we at greater risk of being targets because we’re an online institution? Or is the playing field somewhat level because you have other institutions, the brick and mortars out there? Just curious, what’s our level of risk when it comes to some of these things? I mean, with all the different advancements going on in technology right now, it kind of feels like the Wild West.
Harry Cooper: There are numerous risks out there for the online environment. It really doesn’t matter if we’re talking a school or something else, that risk is out there because we have things like social media. We even have the old school telephone-based calls as well. Those still remain to this day and are still taking advantage of everybody, of all ages.
Elliott Lynn: I’m going to jump in, Harry, as another risk online community faces is from the information that we give. There are so many ways that your information is being offered up and not just because the advertisements are there, but we give it freely. So, every free email service that you sign up for, every free social media platform that you sign up for, you’re providing a great deal of your own information out there to make those cyber bad actors that much better, and the threat’s only been rising in the recent years.
Perfect examples are phishing schemes are at an all-time high because they’re getting that much better. So, they are taking the information that is being provided by the individual. Even the smallest details that some of us provide in basic conversation are being grabbed and used in sophisticated phishing attacks. They can give you everything from your boss to maybe the last company gathering that was had and so many more things out there. Phishing schemes are becoming that much more personalized, that much more effective, and the cyber awareness programs that they have in place just can’t keep up.
Andre Slonopas: That’s a great discussion. I will say also from the users of the Internet, we all know about all of these different threats are out there, but the Internet community continues to grow. Whatever the risks are out there, clearly the benefits of the Internet outweigh them.
I was thinking about this as we were talking about this. The risks are not just for the online university, it’s for any online entity out there really. I mean the risks are even for your conventional brick and mortar type of universities, academia, anything else. The dot edu domain names are the favorite things that a lot of the hacktivists and a lot of the malicious actors use to do the pivot attacks. As we look at the world, our world in data, there’s a lot of really good research projects and a lot of this data is published online, and I encourage everybody to kind of go out and look at it.
In the last 26 years or so, in about 25, maybe a quarter of a century, we went from 2.6, maybe 2 million users in 1990 to 3.41 billion. I mean, that’s enormous growth. It’s a year after year spectacular growth of Internet users. So inevitably you’re going to have the malicious actors we are seeing, the kind of good growth that we’re seeing on the online environment, and they’re also going to be trying to leverage it to their benefit as well. Regardless, I mean the benefits of the Internet clearly outweigh any type of risk that you may not have out there.
Nicole Drumhiller: Well, and it’s interesting, I know that not all Internet threats and scams are created equal. So, I think it’d be fun to get into some of the things that do exist out there, not just for students, but also faculty. Maybe even the discussion will be of value to broader members that interact in a digital community. So, what are you guys observing out there that poses a threat to individuals, whether they be taking or participating in courses in online environments?
Harry Cooper: Any student out there, I’m sure it’s not just all about school. You also have to make sure that you’re considering that going in using an online dating service, online dating profiles, over 53% of Americans fabricate parts of their profiles. We have one out of every 10 dating profiles is a known scam. So, it’s not just schooling, it’s also the ways they can get after you via these various types of websites. Phishing has grown since 2019, 65%. 90% of every data breach out there is because of some form of phishing. So, we really have to understand that we have to be more socially conscious and maybe even a little fearful.
Nicole Drumhiller: Well, Harry, what about some degree of self-awareness? One of the things that you mentioned comes to mind. I’m really a fan of that show Catfish. I don’t know if any of you guys have seen it where somebody is trying to date somebody else or whatever, and the person is not who they say they are, just like you’re talking about in these things. So, what type of self-awareness can help some of these individuals? Elliott, I don’t know if you’re able to speak to that or provide even other examples of threats where these things are just prevalent.
Andre Slonopas: I’m going to jump in here, but I think you really are hitting on this really important point that sometimes we’re not aware of the things that are just going on around us. For the most part, people are not… They’re not thinking like malicious actors. They’re not thinking like the hackers or they’re not thinking like the red team, if you will. So sometimes we’re naive in the world of cybersecurity.
One example that comes to mind, there was a professor at, I want to say he was somewhere in San Francisco, maybe Berkeley or Stanford. What he did, he essentially put this Wi-Fi on his, I think he started with a bike, eventually he transitioned to the car, and he would be like, “Free Wi-Fi, San Francisco, hook up for free.” All this stuff. People just hooking up and checking their bank accounts.
Nicole Drumhiller: That’s fantastic. I mean, not fantastic. Moral of the story, kids, do not do this, but seriously.
Andre Slonopas: So, he wasn’t doing it for malicious purposes, but he was trying to make the point. It’s like, well, people are just unaware. You put free Wi-Fi San Francisco, please hook up at your convenience. Then people are like, “Oh yeah, let’s do it.” Not only that, nobody ever encrypts their traffic. They’re connecting to this thing and they’re sending all sorts of credentials, you name it. I mean, they’re just sending all sorts of information out there. So just being cognizant of the thing. Is it really free Wi-Fi San Francisco? Is it just a malicious actor?
Nicole Drumhiller: Yeah, that’s a great way to think about it. Just because it’s free doesn’t mean it doesn’t come with a cost.
Harry Cooper: Well, exactly. There’s a very famous phrase out there. If you don’t pay for the product, you are the product.
Elliott Lynn: We are professionals. Think about the student or the child that has a limited data plan. So free Wi-Fi is just that. It’s free Wi-Fi. So, the same with the student that is struggling to go through and get through class and then they end up at a coffee shop or go somewhere where the Wi-Fi is free.
How many people read the disclaimers? How many people really take a look and say, “Hey, nothing I have on this laptop really matters, so I don’t care. It’s okay if someone wants to connect and empty out my empty bank account,” but maybe it’s not your empty bank account. Maybe it’s your parents’ bank account or a loved one’s account, or maybe that’s the beginning of a sophisticated phishing scam or any other kind of scam to really draw something out of someone else. So, we always have to keep in mind that as professionals, we know what to look for.
We know how to grab these things, we know where to pull some of these things out that are obvious traps, but we also have to keep in mind free Wi-Fi is a way of life for so many people. Mobile phones and the plans that go along with them are expensive. That precious data that you may have a plan that gives you about 25 gigs can get eaten up in a matter of three or four days if you’re really heavily intensive on watching videos or doing these other things.
So free Wi-Fi is a way of life. So, the awareness that comes along with it, what do we do? How much more can we share that doesn’t turn into legal jargon. If you ask a student before you agree to all of the things with your Gmail account or your Facebook account or your Instagram account, what was in that agreement that you signed up for? They can’t tell you anything that goes along with it.
Nicole Drumhiller: You can ask all my friends that same question, Elliott. They’re not going to be able to answer it either.
Elliott Lynn: Because most of them don’t care because it is free and they don’t feel like I’m going to get taken advantage of or be a part of this scam because I can spot these things a mile away, until they can’t. Then I’ve even heard people go as far as saying, “Well, it’s all insured anyway. Maybe it’s a little inconvenience with the bank, but I’ll get my money back.”
Nicole Drumhiller: Yeah, no, you’re absolutely right. There’s a lot to it, because we’re not just talking about vulnerable populations, but ambivalent populations, the groups that lack self-awareness. It’s the vulnerable ones that I really, really worry about the most.
Elliott Lynn: There’s so many things that… There is the example of what do you do to an unsecured device? Can you plug the rubber ducky device, basically when you do that plant malware on another person’s machine, but that seems sophisticated. It’s even so much easier for someone to key along and just go off some of these external cues or say, “Hey, try this thing. It is awesome.” How many people would just go along and try it?
It doesn’t cost them anything but their time, but all they need to do is hear two people overhearing the conversation about, “Oh my goodness, this just happened. That’s just fantastic.” You’d be surprised at how many people say, “What’s fantastic?” Those are the things that whether you’re doing at a local coffee shop or if you are at a place of business or even at a lounge or a common space at a school, you are that much more vulnerable than just about anybody else out there that has a mobile device or a device that connects to the Internet.
Nicole Drumhiller: Thanks a lot for that, Elliott. I want to be cognizant that we do need to take a break, but you did mention a term the rubber ducky, and I want to make sure that our listeners get some additional detail on what that is. Let’s pick up with that and then we’ll move into some deeper discussion on the frequency of these threats.
Elliott was mentioning this term called a rubber ducky. Can you let me know what that is or let our listeners know what that is, since most people will likely associate that with the floating plastic duck that goes in the bathtub?
Elliott Lynn: Sure. The attacker simply plugs this rubber ducky into a device, and malware can be planted on the student’s machine while they’re doing homework in a local coffee shop or anyone that leaves their equipment unattended. It’s so surprising how often or how easy it is to say, “I’m just going to walk away to this counter and freshen up my drink or grab another coffee.” It’s in eye shot. Nobody’s going to take it and run off, but you’re not looking for that person to plant a device such as a rubber ducky and grab that information.
Nicole Drumhiller: To push you a little bit further on that, Elliott, can you describe visually what the rubber ducky looks like since you just said they plug in a rubber ducky, which now gives me a whole other level of comedic value at a coffee shop.
Elliott Lynn: They vary. So, you could have one that looks as simple as, as small as a USB plug, if you have a remote mouse, they go as that small and they come in a variety of different ways. The idea is to minimize the detection of it. So, there’s no one single way that one may look. It’s supposed to be small, non-intrusive, and something that somebody can easily pull back once they’re done.
Andre Slonopas: Can I bring two examples of the rubber ducky because I think it’s such a phenomenal… There’s just so many phenomenal stories behind it, and sometimes people think they’re not going to be the victims of a rubber ducky type of attack.
You had this thing called the Silk Road. The Silk Road was essentially this dark web Walmart, if you will. People could buy stuff and you could buy anything on there using a cryptocurrency. Well, when the FBI actually caught the guy, Ross Ulbricht was the gentleman’s name who actually started this system, the guy would delete everything he has. So, the FBI actually put a rubber ducky into his system, so it was locked out, so he couldn’t actually delete all of the data from his service. So even the FBI used the rubber ducky to stop this guy from deleting his own data so they could prosecute him.
The other operation that comes to mind is actually when a foreign intelligence entity used a rubber ducky on the US government. The operation was called Buckshot Yankee. To this day, we really don’t have a clue who it was, but we can assume it was a nation state. Essentially the idea was that this country that was producing all these flash drives and they just produced millions and millions and millions of them, just saturate the entire global market of these flash drives.
Well, on the flash drive itself, they actually had some sort of a malware. It was embedded malware in a hardware, and the idea was that eventually somebody from the US government or a soldier or somebody else will actually buy one of those and put it into ideally a classified system. Sure enough, it happened. As a matter of fact, this is why we don’t plug things anymore, especially if it’s made in China. So, because sometimes these are rubber duckies that somebody else could do just and randomly be like, “Hey, it’s a free flash drive.” Think about how often we do that. “Hey, free flash drives, take this, plug it in, give one to your neighbor.”
Nicole Drumhiller: No, you’re absolutely right, Andre. What’s funny to me is that one thing that people don’t really think about is the same companies that are locking employees out of putting flash drives into their work machines are the same companies that are handing out flash drives. So, there’s something counterintuitive here. I mean, I feel like everybody needs to be on the same page. We got to talk to the marketing folks. We got to talk to everybody to say, “All right, if we’re going to ban them, let’s not send mixed messages here.”
Harry Cooper: I also just want to inject in here. It’s not just people that don’t know better. One of the best examples of something along the line of the rubber ducky was a group of university researchers got a list of everybody who attended an information security conference. They sent out… So, this is many years ago, but at that time, the optical mice, our mice still had roller balls inside them.
The optical mice were brand new with these lasers and all that cool stuff. So, what they did was they sent out a thank you gift from the conference to all of these information security people. The vast majority of these InfoSec people plugged in the mouse because it was free, and it came from somebody they knew. So, these are people that should know better and did it anyways.
Nicole Drumhiller: It’s really interesting. Okay, so let’s reframe here. So, we know that these threats are out there. This is not just like a once in a blue moon, “Hey, I’m bored. I’m going to go see what kind of access to information I can get.” What’s the prevalence of this? How interesting is your average student or faculty member or individual in general to somebody that’s trying to access their information nefariously?
Andre Slonopas: So, the one thing that I’ll say is this happens more frequently than we would like to admit. Whether it’s going to happen to a student or not, how interesting these people are who are going to be compromised is also like a question I guess to ask. Think about how many scam calls we get every day. They’re random. I mean, sometimes it’s somebody post-retirement who’s getting these calls. Sometimes it’s just your typical student who’s getting these calls.
There is a reason we’re getting all these scam calls because clearly it’s working somewhere to someone, even if the success rate of the scammer is only like 1%. If you call enough people, then you can still make money out of it. So anyway, so regardless, I mean the financial gain clearly outweighs, it’s motivating enough to actually motivate a lot of people to continue to do this. Even though the student’s not going to possess any information that’s going to be necessarily critical to the hacker, but think about this, the student still has bank accounts, so the student has all sorts of personal information. Even if the student cannot afford a mortgage at the moment, but one day they will. So even if the information is compromised, it could still be leveraged later.
On the dark web, I believe the credit cards, the fresher the number of the credit cards are the higher the price and the credit goes down from there. I mean, how often do people change credit cards? Once every couple of years maybe. So, you can still leverage a lot of their information. Sometimes the pen testers or these hackers, they’re not necessarily doing things to be malicious. I remember reading about this one pen tester specifically. He just had really obnoxious neighbors who would just turn up volume. They’re just partying all the time or whatever.
So, he would tell them, ask them nicely, and they never changed their behavior. So eventually he compromised their system. So, if they ever got loud with music, he would just turn it down. He was having a good time with it. He would change channels on their TVs and stuff like that. He said, “I don’t think they ever caught onto it.” They would just get really frustrated with things. He used it to his own benefit, not to be malicious necessarily, but to help himself out. So sometimes we become victims of these things, not because people want to be malicious to us, but sometimes [inaudible 00:22:55].
Nicole Drumhiller: I just recently watched this movie, and it just resonates with me that with all of these digitally connected homes, you could easily haunt someone from across the street and just mess with their systems. Like you said, change the channel, turn the radios on. Whatever the refrigerator’s doing, if it’s connected to the Internet, you could get the refrigerator to probably freak out. So, some of this stuff is just so wild that it can be done.
Elliott Lynn: There was certainly a hacker that was able to utilize somebody’s fish tank controls, and that was the way that they were able to gain entry eventually, because that password was the same password for the thermostat and several other elements. Before you know it, that was their main way in, but they ended up compromising almost everything.
Nicole Drumhiller: Oh man, I hope those fish survived the attack and they didn’t turn it to boiling water or anything like that.
Elliott Lynn: Yeah, hopefully.
Harry Cooper: In the past we were talking about smart fridges. There were actually quite a bit of spam coming out from smart fridges. I just want to address something Andre said though, which is with regards to students are just as susceptible as elderly individuals. Actually, I double checked because I thought I saw this earlier this year.
Last year, people between the age of 20 and 29, 41% of them reported losing money, whereas the individuals 70 to 79 lost only 18% is what they reported. So, it’s actually becoming smarter on the scams so that they’re getting people who are younger and younger to just go ahead and give up that information. So, it’s actually reverse of what most of us would expect. Most of us don’t expect granny or grandpa to be able to identify the bad guys.
Andre Slonopas: That you get wiser I guess with the years, you get wiser with your money.
Nicole Drumhiller: The things that we talk about on these shows always blow my mind. So, we’ve established there’s a lot of nefarious scammers out there who are always looking for ways to trick users into exposing their data. For some people they might accidentally stumble upon something. I know, Andre, in the past we spoke about people discovering gaps in gaming systems, just trying to be helpful since these things also arise. Then there are these nefarious people that are out there.
What do you guys see as some of the more famous scams of the past, or what trends might you be seeing? For me personally, I always like to know what should I be looking out for? Comedic relief also is beneficial too. What are some of the sillier things that you’ve seen happen and ways that people have kind of addressed them?
Elliott Lynn: I’ll certainly jump in here. One of the things that I think we do a great deal and put ourselves at risk, it’s for 10%, 15%, 25%, whatever the case, you can get something. If you’re looking to buy something and somebody happens to be able to grab a piece of that data or you end up on a particular list, they can send you something for 20% off. How much information do you give for that 20% off? It’s your personal number, can give your name, in some cases, your address, and you’ll have that 20% off, which is common that you probably could have gotten from everywhere else, but now somebody has all your data.
Nicole Drumhiller: Oh yeah, companies do that all the time. Big sale, 20% off. Give me this information, I’ll give you a card and I’ll save you some money today.
Elliott Lynn: That’s right. To follow on, for example, a popular clothing brand never has sales as well as some food institutions. “Hey, come on in and get 20 pieces of this for $4.99. It’s a limited time coupon.” If you pay attention to how quickly that spread amongst friends, until somebody finally says, “Oh, I finally went down here and there’s nothing real about it, but the part that they leave out is for me to supposedly activate this coupon, I had to fill out all this stuff and it was a scam.”
There are so many things that are a hunger for discounts and the increased online shopping that we’ve done since COVID, we are a lot more at risk finding a bargain than we are doing anything else. Reputable vendors have reputable ways of making sure that they market to their customers. It’s when we jump outside of that to get a little bit of common sense of why would this be 30 bucks as opposed to 300 everywhere else is where I see us getting caught all the time.
Harry Cooper: Let’s be truthful here, I think every single one of us on this podcast today all signed up for a credit card to get the free t-shirt when we were in college. I did it and I’m sure every one of you did it.
Nicole Drumhiller: What else, guys? What are some other notable scams that come to mind?
Andre Slonopas: In 2021 alone, according to statistics, the online fraud increased by 285%. So just imagine having your business triple in size in one year. I mean, that’s absolutely phenomenal. I’m sure there’s a lot of small business owners out there who would love that type of a growth. That is a reality for a lot of nefarious actors. Clearly, there’s a market that they’re filling, and the demand is there.
A lot of these scammers are actually becoming a lot more technical, a lot more conniving, if you will, a lot of the technology that they’re using. So, one of the great examples is, you have the TeamViewer. Now they’re trying to connect through a remote RDP, like a remote desktop, some sort of a protocol to your system. So, TeamViewer was actually one of the more popular ones out there.
The interesting thing is, people actually let scammers, somebody on the opposite side of the Internet just connect to their system. Now a lot of these malicious actors will actually change the HTML code. So then on your screen, it looks like if you’re in your bank account or whatever you may be, you actually have more money or less money or whatever the case, the data will actually change. If you drop the cache and then actually reload your page, everything will go back to normal.
At least while that malicious actor is connected to you, they’re able to change the HTML code so that at least the data being output to you, it looks different. So now they’ll say like, “Oh wow, you have too much money. We’re from Bank of America,” or whatever bank, “We sent you too much money,” or too little money, whatever, “You have to wire some money back,” or whatever. So now they’re getting a little bit more technical like that.
Then on the flip side, now you have these blue teamers who sort of caught onto what the scammers are doing. Now they’re standing up these virtual machines, but they’ll play jokes on these scammers, so they’ll scatter their keyboard. So, when you press W, will actually give you a K, and if you press B, it’ll give you an X or something. So, when the malicious actor tries to change the HTML code when they type 10,000, they’ll actually type bad data or something, you know what I mean? They’ll have to play with this new scattered keyboard, and then they’ll just struggle for hours. It’s really entertaining as well.
We have to take into account the scammers are getting smarter, but also the blue teams. That’s why it’s so important for cybersecurity professionals to get more proficient on it and also cognizant of everything that’s going on out there.
Harry Cooper: Yeah, I saw that there’s a really famous guy that does that on YouTube and the software that the company makes use of to get into his machine, he actually uses it to get back into the attacker’s machine. He ends up wiping out the drive, deleting all the data, the whole nine yards. So, he kind of gets it back on the scammer.
So do understand that there are… Let’s just say, they say you got to give me a hundred bucks. It’s not a ton of money per se, but all of that money adds up. There was an apartment that was found by an anti-corruption unit that was aimed at Internet scams, and there was nobody living in the apartment. It was just used to store the cash. $43 million on pallets in this apartment. That was all that was in the apartment was just pallets and pallets of cash.
Elliott Lynn: To add to that, one of the things that… One of the most popular commercials during the Super Bowl was a barcode bouncing around on the screen. Millions and millions of people pulled out their phones and attempted to scan this barcode in a matter of 30 seconds plus. Millions did do it. Directly as a result, there was an article that was out within the next three weeks that these barcodes or various barcodes were popping up everywhere.
People were spending a good deal of money just to get barcode posters made with malicious attempt, basically just collecting data from those users that scan that barcode. For some that go a bit further in an attempt to get something again for free or anything else were really getting scammed, but it was willingly. Not willingly getting scammed, but basically putting their information out there, by a barcode.
We become so familiar with these things, touchless this and touchless that. No menu, scan for your menu, if you want to order something scan here, scan there. Sometimes just general curiosity in a city or a downtown somewhere and you see a barcode attached to a very nice poster or flyer, people are going to scan it and now they’re finding that this is a new tactic that they’re using and dressing it up, especially for and geared towards the younger, I guess, mobile users or device users. Some have marketing campaigns for teens and some young adults, but in almost all of the cases that they found it was nothing to do more than to collect the data and get as much information as they can gather.
It’s still going on out there today. There really hasn’t been much discussion over it or talk about it because it’s now an industry standard. It’s almost like somebody handing out flyers and say, “Hey, come on in here to this restaurant and try this food.” It’s just a common practice that we’ve grown post-COVID to adopt, and it’s one that has become incredibly lucrative for bad actors as of now.
Andre Slonopas: Yeah, and that’s really interesting. This is the first time I’m hearing about this one, Elliott, but this was so interesting. I mean, how many of us go to a football game or something and they were like, “Hey, scan this for parking,” or scan this for, I don’t know, free whatever that is offered. People often do, unless you’re actually cognizant of this, then unfortunately going to fall for this.
I’ll admit, one time I got this email, I think it was from Google, but I didn’t actually check the domain name. It was like, “Your password is expired,” or whatever. I was like, oh, okay. I got to reset it and I clicked on it, but then I looked, and it was like, your password is expired. It was like Google help at gmail.com, which so clearly it was not coming from Google. I had to go back and basically reset my password again just to… Because what I just did inadvertently is I told them what my new password is. It happens.
Sometimes we’re just careless. Sometimes we don’t pay attention. You think about the phishing scams, or not phishing scams, but the phishing testing that our organization will do to its own populace, to its own employee, the workforce, and a certain percentage inadvertently always clicks. Kind of happens unfortunately because the human factor is always there.
Nicole Drumhiller: I think we could definitely do a podcast all on that and whether or not that there’s agreement, because I think that that’s a pretty controversial topic on whether or not that’s effective means of testing. Like I said, that’s a conversation for another day. Elliott, were you going to say something?
Elliott Lynn: Well, I think they’re certainly getting better, but we’re getting worse. I think that cyber professionals know what to look for, but organizations themselves, if you think about a concert event, the temporary help that’s used to get people through parking, how seriously are they really vetted? Almost never. Or the people that are hired just for these events and they take your tickets, and they scan your tickets, or it’s supposed to scan your tickets.
What if they’re scanning something else? Or if you think you’re just showing them your ticket, but right then they have that interaction with your phone, it has become commonplace even in some places for someone to say, “Oh, this is not scanning. Let me see your phone for a second.” How many times have you either seen or guilty of handing the person your phone so you can hear that scan or that beep and maybe it beeps twice and maybe it does the first time what it’s supposed to do, but maybe the second time it grabs your information.
There’s so many things that we are getting worse at because it’s a convenience. Right along with that, the human element is certainly there, but organizations, especially when they’re hiring temporary help for temporary events, concerts, festivals, things like that, that require some kind of scanning for entry. Someone that may be approached to say, “I’m going to give you $500 and I’m going to give you another $10 for every other one that you can get to scan this code as they enter.” They can do it very easily. Most of us wouldn’t even pay attention.
Nicole Drumhiller: Elliott, you raise a great point because you say that we’re getting worse. So then how do we protect ourselves? What are some things that we can be doing to really be on better guard moving forward?
Elliott Lynn: Awareness is an everyday thing. It’s just like a fad diet. For some people that go on fad diets, they may last a week, maybe two weeks, and then you know what? If they really want a piece of bread, they’re going to have that bread. Or if their weakness is sweets, eventually they’re going to do it because it’s not sustainable.
A lifestyle change is certainly sustainable. A lifestyle change means that your phone isn’t in everybody’s view. If somebody says, “Hey, let me see your phone,” you immediately know or have a red flag that, no, I’m not going to give you my phone, never mind the germs. I really have no idea of what’s on the other side of what you’re doing. It becomes a mindset that everything that you have that ties to your information should be kept private. It’s almost like we have to teach ourselves, again, almost from infancy on bad habits and what to do and what not to do.
It’s that much more difficult to do for our young adults or even our children to say, “No, it’s not okay to let someone see your phone,” or “Cover this or cover that and don’t share this and don’t necessarily share that. I know you think they’re your friends and all.” So, when it becomes a part of an adaptation of your lifestyle, then it’s something that you’re mindful of through and through.
Everybody knows don’t go with strangers. You can almost ask anybody that, but is it okay to let a stranger scan your phone if it’s not scanning right at the self-checkout? Absolutely. So, these are the things that I think awareness, mindfulness, not only taught in school, but all the way through and through. We can’t leave it up to corporations to do it because productivity and speed of doing so yields profits. So, you can’t expect an organization to keep you safe, even though cybersecurity is a shared responsibility.
Maximization of shareholders’ wealth is the first rule of business. So, everything that we are gearing up for in the next 10 years is about convenience, touchless, and access to information. So, as we do that, I think the main thing that we will need to do is to revise what we teach that are dangerous, not just stealing your data, but also other topics such as human trafficking or ending up in situations where you have absolutely no idea how you got there. It could be as simple as some of the bad practices that we’ve grown and adapt to grow.
Harry Cooper: I would just love to interject into here that it’s not just us. We are not the average person out there. It’s not just us that fall for these scams. About seven years ago, there was an Austrian aerospace company that lost over $47 million to a spear-phishing campaign. Also, even when you try and do the right things, you might go up to an ATM and put your card in, or you might be at a gas station and slide your card.
I don’t know about anybody else in this call, but I always grab a hold of where you’re supposed to slide your card. I always grab a hold of it and try and pull on it because it’s something just as simple as sliding a card into the gas pump. You can actually have somebody scanning your credit card as it goes in. So, boom, they got your credit card right there. Credit cards, they sell for not a ton of money online. I think most times it’s like 30 bucks or something like that, but the damage that it does is a whole lot more expensive.
Andre Slonopas: That’s a great point, Harry. Actually, as a matter of fact, I remember coming through the articles maybe about a year ago or two years ago, the scammer started coming around to United States, and so I got to do the same thing. Especially at the gas stations. I’ll kind of pull on the thing. I’m also reading this book, it’s called Irresistible by Adam Alter, and it is a phenomenal book, but he mainly talks about the technology being developed in such a way that becomes addictive. He talks about these large corporations, but really within the book, he also talks about these other things that are actually happening.
What is actually happening is sort of what, Elliott, what you were saying, we’re hooked on technology and it’s for a purpose actually. As a matter of fact, these technology companies are developing the technology to make us hooked on it. Well, what ends up happening is essentially it’s exposing us to a lot of different things that are really deleterious to us, and how do you actually protect yourself from that? So, I think for me personally, what I’m taking from the book and in general, it was sort of setting boundaries.
Just because somebody is asking you for a phone because they got an emergency, maybe they do, but okay, let’s go to the local store and let’s ask them for a landline. You know what I mean? There’s ways that you could actually go around these things where you could still be philanthropic and altruistic and humane, but without exposing yourself to various malicious schemes that might be going on out there.
I think drawing these boundaries becomes extremely important, especially as we become so unbelievably interconnected. Like leaving your laptop at a coffee shop, maybe 90% of the time nothing’s going to happen, but there is a 10% chance that somebody is in a coffee shop looking for opportunities like that. They can put a rubber ducky or maybe collect your information through whatever wireless connection or whatever may be the case. Just setting these boundaries, being cognizant that unfortunately there are bad actors out there, whether we like it or not. Then protecting yourself that way.
Harry Cooper: Make sure that we understand that it’s not just bad actors. If we’re talking about our data, our personal data, all that fun stuff, we have to understand every time we sign up for something. I said it much earlier, if you are not paying for the product, you are the product. Your information is being got by all these companies. They’re selling that information along.
There’s a nice little industry hanging out in the background called data brokers. It is one of the fastest growing type of companies out there. So not only don’t protect your money and protect your credit card and all of that, but also protect your data. Make sure that you are considering, “Hey, if I share this piece of information online, what do I expose about myself?” Because if you expose enough, one, somebody’s going to take it and try to sell it, and two, someone might try to take advantage of it.
Nicole Drumhiller: Thank you guys so much for that. You really provided a lot of food for thought, and there’s all kinds of different topics that we can really dive into in greater detail at a later date. I do want to be respectful of everybody’s time. So, thank you guys all, Elliott, Harry, and Andre for your time today. This was such a great chat and I look forward to doing more of these with you in the future.