Beau Friedlander:
Adam.
Adam Levin:
Messieur Beau.
Beau Friedlander:
Travis.
Travis Taylor:
Aiyo.
Beau Friedlander:
Heyo. So I am wondering, do we think that I am very hackable or very hard to hack because I am so awesome?
Travis Taylor:
I would say the former.
Beau Friedlander:
I forget what I said first.
Travis Taylor:
Very hackable.
Adam Levin:
Think of it as that you are irresistible and to a hacker, we are all irresistible. We are all Beyoncé, Jay-Z, Sharon Stone, Adam Levine, all those guys.
Beau Friedlander:
Well, speaking of irresistibility, actually, that makes me think of COVID weirdly, because it does seem increasingly as though it is the most irresistible virus that you must make friends with at some point or another in your life because it is just spreading and spreading and spreading, and with that, I was reading today that a lot of folks now, in addition to having the threat of COVID out there, they don’t have health insurance, and they don’t have health insurance because during COVID they lost their job or they decided life is short, I am going to become a freelancer and they don’t have insurance because they are now freelancing.
Adam Levin:
Which could actually shorten their lives without…
Beau Friedlander:
For sure, but I think also whenever there is a big change, whether you’re moving, whether you’re changing jobs or-
Adam Levin:
Life event.
Beau Friedlander:
A life event, it means that you are vulnerable, and so I would imagine that with COVID rates going up, we are also probably seeing people get scammed and hacked a bit more than usual this during COVID. Anyone have any stats on that?
Adam Levin:
Well, I remember seeing one stat that between February and June of 2020 COVID related scams, but then again, nobody really knew about COVID, but COVID related scams, increased by something like 30000%.
Beau Friedlander:
Oh right, because it was new,
Adam Levin:
New, and scary.
Beau Friedlander:
So people like, “What is this thing?”
Travis Taylor:
And everyone was panicking.
Beau Friedlander:
Ultimate social engineering, but-
Adam Levin:
At first it was, we needed to be updated. So anything that had the words “COVID update,” people maniacally focused on that.
Beau Friedlander:
Then, or news, or just news, just news about it.
Adam Levin:
And then you had the scams where it was COVID tracking because if you had a problem or you became a patient with COVID, they would then try to contact anyone that you came in contact with. So there was contact tracing, then everyone was paying a lot of attention to “When are the vaccines coming? What are the vaccines?” And “Where do I get tested and where do I get the vaccines?”
Beau Friedlander:
Also the contact tracing, I remember when that… That is why I was wondering Travis, if hacks and scams went up during COVID because contact tracings are great example of this new thing. Nobody knows what it is, but obviously it requires some personal information and it could get you hacked.
Travis Taylor:
I mean, hacks and scams definitely increased, obviously the COVID scams increased, but one of the other things too, is that you suddenly had everyone working from home. All of a sudden you had businesses and offices emptying out. So everyone was more aligned, on email, more reliant on zoom, and that just opened up the door for a wide number of other scams.
Beau Friedlander:
Because it put them in the sweet spot.
Adam Levin:
They never let a good crisis go to waste.
Travis Taylor:
This week’s episode is about what happens when you take your eye off the ball in terms of not really paying good attention to your password hygiene. Not paying as much attention to what information you are entering online, and generally just the moral of it is the need to be careful online and the need to act with intentionality.
Adam Levin:
Welcome to What the Hack, a show about hackers, scammers, and the people they go after. I am Adam, cyber hygienic human.
Beau Friedlander:
I’m Beau, cyber slob.
Travis Taylor:
And I’m Travis, cyber snob.
Adam Levin:
And today on the show, we are talking to a man with a cult-like following for his street photography and work in fashion. The roguishly handsome photographer, Daniel Arnold.
Beau Friedlander:
I am sitting at home. It is a Sunday. It is a nice day. I am out in Connecticut. Sun is shining. I don’t know if the sun was shining. Birds are flying around because they are always flying around, Kenneth, the bear, somewhere in the woods, and I am looking at Instagram and my very best friend on Instagram has been hacked, and so I get in touch with him and I am like, “Yo man.” And what did you say?
Daniel Arnold:
I said, “Yo.”
Beau Friedlander:
Yeah. So Daniel Arnold. So photographer, a friend of mine who I met in a weird way.
Adam Levin:
Now was that a deep throated yo or was it a yo or was it a Travis yo?
Daniel Arnold:
I said it with my mouth wide open.
Beau Friedlander:
Travis, show us how yo is done.
Travis Taylor:
Yo.
Beau Friedlander:
Yeah, he’s got the voice. I think I remember that somebody bought something via your PayPal account, and you were having a dispute with PayPal. That is how I entered the story. What happened?
Daniel Arnold:
I feel like you should know that this all happened in the midst of a second identity complication because I was trying to sign up for health insurance, and I went to a site that I thought was the government site typed in my information, and then as soon as I hit enter, I realized it was some spammer hub, and from that moment, for days on end, my phone was ringing like 15 times an hour.
Beau Friedlander:
Whoa, Adam, was it you?
Adam Levin:
Beau, you said you would never talk about this.
Beau Friedlander:
Oh yeah. I apologize. It was Adam. Yeah, it was Adam. But no.
Adam Levin:
Daniel, I needed to talk to you. I needed pictures to be taken. I needed this.
Travis Taylor:
Did you happen to catch the URL of the website?
Daniel Arnold:
I do not remember, but I bet if you Google New York State of Health, it is the first entry.
Beau Friedlander:
So it was like one of the ads on top.
Adam Levin:
New York State Department of Health.
Beau Friedlander:
Remember Travis, his Google bubble might be different from yours.
Adam Levin:
Are you implying that all Google bubbles are not alike?
Beau Friedlander:
Listen, if we all were to pull down our Google pants, everyone would have something different.
Adam Levin:
So you’re talking about Google butt.
Beau Friedlander:
I wasn’t actually talking about the butt. So everyone’s Google bubble is different and…
Adam Levin:
I take offense at that.
Beau Friedlander:
No, because our Google bubble is older gentlemen who try to race people in Toyota Corollas with a race car. That’s what we do.
Adam Levin:
For pink slips.
Beau Friedlander:
So Adam and I have a thing where we drive around together in a super fast car and we challenge people in cars that are barely running to races for fun.
Travis Taylor:
You know how to live.
Beau Friedlander:
Yeah. We have a lot of fun together. It is a Saturday Night Live skit without an audience and no laughter. How long after going on that fake health insurance site did this attack on your PayPal happen?
Daniel Arnold:
Okay. Well look since we already have our pants down, I will give you the full. I was maybe 15 minutes out of having made this mistake and my phone had already rung seven or eight times.
Beau Friedlander:
What kind of phone calls?
Daniel Arnold:
It was actual people trying to sign me up for some kind of health insurance.
Beau Friedlander:
Oh no, no, no stop right there. Have you ever signed up for solar power or anything that is subsidized like solar power? I did, and when I put my number into that, I got those phone numbers. I got those phone calls. There’s jobbers out there whose job it is to wait for the lead and then call it’s like a-
Adam Levin:
Glengarry Glen Ross, but for solar.
Beau Friedlander:
A hundred percent. Okay. So you start getting a ton of phone calls from weird guys who you suspect are wearing sweatpants.
Daniel Arnold:
Yeah, and the anxiety drove me straight to the toilet where I was sitting and I got an alert.
Travis Taylor:
Without Google pants.
Daniel Arnold:
With no Google pants on. I got one of those alerts, the two forms of identification alerts, where you get a little code that you are supposed to enter into a site.
Adam Levin:
Oh two factor authentication. There you go.
Daniel Arnold:
Exactly. I didn’t know from where. I don’t think they usually identify themselves. You just get “This is a one time thing, blah, blah, blah,” and I didn’t immediately equate it with any kind of trouble because I don’t know about you guys, but I am always getting emails. Like “You requested a new Facebook password, enter to take care of it,” and it is not me so I delete it. I am like, “Okay, someone’s trying to hack me whatever.” So I didn’t think much of it, except that seconds later I get a purchase confirmation from something called Foot Patrol, which I have never heard of. I’m like, “Oh God, that’s strange.”
Adam Levin:
That is different than Paw Patrol, which my nine and a half year old watches.
Daniel Arnold:
Yeah. It is much worse than the Paw Patrol, the human sized version, and so I race off the toilet, and so I go and I open up my bank history and see that I have made a significant purchase of shoes from this British website that are being delivered to, I looked it up on Google image or whatever the Google maps, and it is straight out of a piracy movie, some aluminum siding warehouse in the middle of nowhere in England.
Adam Levin:
Were they cool shoes at least?
Daniel Arnold:
No, no. They were like $400 really nerdy New Balances.
Adam Levin:
So not Air Jordan. That is for sure.
Beau Friedlander:
There is such a thing as nerd have $400 New Balances?
Daniel Arnold:
Yeah or maybe 300. It was pounds. So you know, I didn’t-
Beau Friedlander:
So you went on Google Earth and you actually looked at the place?
Adam Levin:
There is a place for us.
Beau Friedlander:
And it looks like a Broadway. No, it looked dumb.
Daniel Arnold:
I mean, it looked like a place where someone would end up getting shot in a long chase with the cops.
Adam Levin:
So now we are watching an episode of Law and Order through Google, right?
Daniel Arnold:
Yeah. It reminded me specifically, did you guys watch those Small Axe movies?
Beau Friedlander:
No, I didn’t. No.
Daniel Arnold:
Well there is one Small Axe movie where there is a police chase that leads them to this warehouse and looked just like the warehouse in the Small Axe police episode if that does anything for anybody.
Beau Friedlander:
Travis is diligently looking it up right now.
Travis Taylor:
It’s true.
Daniel Arnold:
Okay. So I am hacked and this has never happened to me before, and so I go into the usual powerless scramble of trying to get in touch with any kind of human to run it by them, and I manage to lodge some kind of robo complaint on PayPal and figure that that is going to be the end of it. I have heard so many stories of “You just get reimbursed and it is not an issue.” And I have had this same PayPal account for literally 20 years, which was one of the scary side discoveries of this whole experience that I am older than I think I am, but PayPal just shut me down. The first round, I got a robo no, and then I requested deeper investigation and talked to somebody through some onsite instant message helper service, and they reviewed the case. I made them do it twice, and both times they came back and said, “No, sorry, you bought those shoes.” As if somehow after all these years I got desperate and needed to steal $200 and get free shoes from PayPal.
Adam Levin:
So your first reaction is “You are not my pal anymore.”
Beau Friedlander:
But also in your entire life you would never wear nerdy, expensive, New Balance sneakers. So your Google bubble was also being betrayed here.
Daniel Arnold:
Being the wrong size, they are sent to the middle of nowhere in England, and also I forget this part, but when it happened, I also got one of those alerts saying, “There is suspicious activity on your account. Did you make this purchase?” And I said, “No,” but then somehow-
Beau Friedlander:
From PayPal?
Daniel Arnold:
Yeah.
Beau Friedlander:
Huh.
Daniel Arnold:
But I guess that they changed their minds in the course of me trying to complain.
Beau Friedlander:
So you are told by PayPal, “Sorry buddy. You bought the sneakers.” Yeah. It does not seem like the right answer in this day and age of widespread scams.
Daniel Arnold:
No, I was really surprised. I give up easily. I let it go. I changed my password immediately to something that I am sure will lock me out of PayPal for all time to come. I will need another hacker to get myself back into my account.
Adam Levin:
Travis can help you there.
Travis Taylor:
There you go. I got your back.
Daniel Arnold:
Thank you, and I just accepted the loss and moved on because what tools are left in my arsenal?
Travis Taylor:
Well, the tool that we talk about pretty often is a website called Have I been Pwned? I am not sure if you have heard of it or checked it up.
Daniel Arnold:
Beau introduced me.
Beau Friedlander:
As I recall you went on, Have I Been Pwned? And what was your password hygiene like? Were you using different passwords that were super complicated on every different site that you went to? Or did you have-
Daniel Arnold:
No. I have recurring passwords, for sure.
Beau Friedlander:
Are they like “Daniel Arnold likes to buy things?” Is that your password?
Daniel Arnold:
No. They are not nonsensical strings of numbers and letters, but they are arbitrary and case varied enough that it would not be something that you would guess.
Beau Friedlander:
Okay. But it would be something that Adam, I’m guessing, you are thinking if it is not guessed at it could be discovered.
Adam Levin:
Well, that is the issue is that even if you have the most indecipherable password in the world, if you use it in more than one place and any one of those places suffers a compromise, it is now a discovered password.
Beau Friedlander:
Was it? And was it when you went on Have I Been Pwned? Had it been discovered?
Daniel Arnold:
Yeah.
Adam Levin:
Speaking about discovered, how did you and Beau discover each other?
Beau Friedlander:
Oh, come on. Unfair.
Daniel Arnold:
Can I tell them Beau?
Beau Friedlander:
It is about my secret identity though.
Daniel Arnold:
Yeah. Beau’s secret identity as a fashion model. I photographed him for a holiday fashion campaign.
Beau Friedlander:
Now, I didn’t know, full disclosure, I didn’t know you were the photographer.
Daniel Arnold:
True. That was where we met. You didn’t know I existed.
Adam Levin:
Beau was Zoolander before Zoolander was Zoolander.
Daniel Arnold:
Yeah. My first penetrative impression of Beau was that he was holding this rabbit as it peed all over him, and he said, “If this bunny does not take a break, it is going to have a heart attack and die.” I was like, “Well, here is a guy who knows what he is doing.”
Beau Friedlander:
Hey, and I was right, and that bunny did take a break and he had a much better day after he met me.
Daniel Arnold:
For sure.
Beau Friedlander:
Because that bunny was like, “What the hell is going on here, man? It is a dance party and there is a flood outside, and there is all these weird people,” and you were taking pictures and you came by and I was like, “Hey man.” And you were like, “Hey.” And I was like, “Who are you?” And you were like, “I am the photographer.” I was sort of my big introduction to you, and then I went home and I told my kid who photographed me that day, and she fainted.
Daniel Arnold:
That part I didn’t know.
Beau Friedlander:
Yeah, she did. She was like, “Oh my God. How do you know?” Because I think we followed each other on Instagram and yeah. And Ella immediately was like, “How do you know Daniel Arnold?” And I was like, “I am cool, that is how.” On a scale of one to 10, was I a supermodel?
Daniel Arnold:
Oh yeah. You were the star of the day.
Beau Friedlander:
Hear that Adam, “Star of the day.”
Travis Taylor:
To be fair, he was covered in rabbit urine.
Adam Levin:
Yes. Oh, I am also seeing this chat thing going “Tell them I was the star of the day.”
Beau Friedlander:
Hey, you’re not supposed to read that, Adam.
Adam Levin:
Little did you know, however, the piss-covered man would help save the world from scammers.
Beau Friedlander:
No, it is true. I mean wee-wee pad for bunnies by day, cyber security expert by night. I forgot that the rabbit peed on me.
Daniel Arnold:
Yeah. I am glad I could bring you back in touch with that.
Beau Friedlander:
I remember though, I do remember distinctly that it was very warm. That pee was very warm and it was everywhere.
Adam Levin:
All right. [crosstalk 00:19:39]
Travis Taylor:
Google pants, rabbit pee pants.
Adam Levin:
Yeah. Travis and I do not want to piss away this opportunity to ask these questions.
Daniel Arnold:
Piss away. Go ahead.
Adam Levin:
So if we go back to the hack for a second, I’m trying to get a picture of the scam. What info did you give to this healthcare site? A password, what?
Daniel Arnold:
Name, address, phone number, and then I would guess like basic economic information, but nothing sensitive.
Beau Friedlander:
Oh, wait a second. You didn’t enter a password to give them to set up an account.
Daniel Arnold:
I may have entered a password. [crosstalk 00:20:17].
Adam Levin:
Interesting. Very interesting.
Beau Friedlander:
Yeah. There is always a way they did it and this was the way they did it.
Daniel Arnold:
Yeah.
Beau Friedlander:
Huh. So you went onto the site and they were like, “Hey, set up an account.” You are like, “Cool. I want insurance.”
Adam Levin:
Absolutely. Here.
Beau Friedlander:
And then you entered in, I assume, did you enter in… Let’s just do this. Okay. What did you put in the login when you registered to get this insurance, did you put in your email address? Probably.
Daniel Arnold:
Definitely.
Beau Friedlander:
And then now it’s time to put in your password. What are you going to put in there? Your password that you always use? The one that you can remember?
Daniel Arnold:
I would probably use like a previous incarnation of the go-to password, something old and flippant because it was not a site that I expected to use with any regularity. So I just used a throw away old password and that way if I come back and have to access it, I can cycle through the catalog of retired passwords and get myself in.
Beau Friedlander:
If Daniel gave his biographical information and his address, basic deets would a hacker be able to use those to reverse engineer, and Travis, you can jump in if you want, his password? They have his email address. They some passwords that he has used, at least one. Was that password the same as your Gmail count password by any chance?
Daniel Arnold:
I doubt it. I don’t think so. My email password is too complicated to use in such a throwaway capacity, but also let’s throw in here because from me, this is a big mystery that I just let go immediately because it is too confounding, but somehow they received that verification number, which was sent as a text message.
Adam Levin:
Oh the plot thickens. Travis, what are you thinking?
Travis Taylor:
That could be SIM swapping, but usually if it is SIM swapping, they don’t give you your phone back. So what they could have done is if you had a compromised account, they could have just swapped out whatever the number was.
Daniel Arnold:
Oh. And you know, there was also something in that first wave of reasonable PayPal fraud notification where they… I don’t know if this is just standard practice because it has not happened to me before, but in the kind of criteria for, “Have you been hacked? Is there fraud?” They also asked me if I had authorized multiple address changes, and I had not done any of them. So I don’t know if that is a red herring where they try to find out if you are a real person or if that is a legit inquiry, but there was-
Beau Friedlander:
Is it possible that they tried to use two factor verification and it didn’t work and you just saw it not working on your phone?
Daniel Arnold:
Well, I don’t know because the successful purchase seemed to register seconds later. So I assume that it worked somehow.
Beau Friedlander:
Do you use two factor authentication on any accounts where you have to get a code from the site that says “Here is your four digits,” and you put them in?
Daniel Arnold:
Yeah. Well, and also PayPal’s got that thing now where they give you the option to put in your password or to have a code sent to you.
Beau Friedlander:
And do you use the code?
Daniel Arnold:
I go both ways.
Beau Friedlander:
When this happened, were you using the code?
Daniel Arnold:
When this happened? I had no part in it.
Beau Friedlander:
Okay.
Daniel Arnold:
So I don’t know. I can only guess what was happening. Honestly this is the first time I have really tried to think that through because it was so-
Beau Friedlander:
Well let’s see. Let’s try. So you were sitting on the toilet?
Daniel Arnold:
Yes.
Beau Friedlander:
Where all great thinking is done. Adam, true or false?
Adam Levin:
All my major decisions are made on the throne.
Beau Friedlander:
Yeah. So you are sitting there and what happens? Let’s just walk ourselves through this.
Daniel Arnold:
I get a two-factor authentication text with a code.
Beau Friedlander:
For what site?
Daniel Arnold:
I don’t know.
Beau Friedlander:
Wait, now that is the thing that bugs me. Adam, don’t you always know where the two factor authentication is coming from?
Adam Levin:
You should know.
Beau Friedlander:
Doesn’t it say, Travis?
Travis Taylor:
Not always.
Beau Friedlander:
Ah shit.
Travis Taylor:
And in some cases, they will just say, “This is your authentication code. Don’t share it with anyone.” And that is really all you see.
Beau Friedlander:
Or you see, also you are right. So it is one thing where you just see like a discrete number, but you recognize it as what PayPal always sends out, but it’s not a phone number and it doesn’t say it is PayPal.
Daniel Arnold:
I figured that was that it was just Phishing spam.
Beau Friedlander:
So mine says PayPal. So when I get one from PayPal, it comes from the number 72975. [crosstalk 00:25:27]
Adam Levin:
Is it always the same number?
Beau Friedlander:
Yeah. Look at this. Not that I use it too much.
Adam Levin:
Oh, okay.
Beau Friedlander:
Okay. So it is always the same number and it says, “PayPal, your security code is ‘this,’ it expires in 10 minutes. Don’t share this code with anyone.” So Daniel, if you were to just search, “Don’t share this code with anyone” on your messages?
Daniel Arnold:
You would think, except that I’m super neurotic about deleting those things.
Adam Levin:
I’m with you. Me too.
Daniel Arnold:
I can’t seem to have, I mean, it’s such- [crosstalk 00:26:00]
Beau Friedlander:
You and Adam have so much in common. The throne, the neuroticism yeah.
Daniel Arnold:
Match made in heaven.
Beau Friedlander:
You signed up for this site. You got tons of phone calls. To me that sounds like you went to what is called a jobber, which is a paid for advertisement. You said you were looking for insurance and then every salesman in the world got in touch with you trying to sell it to you. What I am guessing happened is that you don’t have the greatest password hygiene in the world and whatever password you used when you signed up for that account was in there, and one of the salesmen was not a salesman. One of the sales people was a crook.
Travis Taylor:
Seems just as likely as anything else. Yeah.
Beau Friedlander:
You have any other thoughts because that is where I am going with that. I am going with some crooked person who, when I was a kid would have been wearing a plaid polyester suit in a used cars lot, had a side hustle which involved signing up for weird little jobber things and stealing people’s information to use for identity theft.
Travis Taylor:
Yeah. I think one of the other things is from what you were talking about, you saw on, Have I Been Pwned? is a massive archive of previously breached or stole information. So that could have been included in one of those things. Someone could have been on the jobber side, taken a look at that and said, “Okay, I have this information here. I am going to connect it with this information here and then sort of move ahead to compromise your account.”
Daniel Arnold:
Let me ask you this as long as we are here. In the realm of these notifications about stolen passwords, I have found that I will be alerted to a breach about an account where I have changed the password, and so then I just disregard it because I have seen that this is a breach and it doesn’t seem to account for the fact that I have addressed it, which makes it extra confusing to know how to, how did you-
Travis Taylor:
Lot of it will depend on the nature of the data that has been breached. if it is something like LinkedIn or if it is something like Equifax or anything else where there is already a lot of other information on there, even if you have changed your password, it still might have your answers to your security questions. It could have your home address, could have just a whole lot of other information that can be leveraged because especially in the case of PayPal, especially if you’ve had a account for 20 years too, they always have some sort of way of saying like, “I don’t have access to that email address anymore. How can you help me get in?”
Adam Levin:
Since there is really no way to know, there have been so many particular points of vulnerability because of so many breaches that you see yourself on have I Been Pwned? have you changed the way you approach your personal security these days?
Beau Friedlander:
Good question.
Daniel Arnold:
Not terribly meaningfully. I have changed all my passwords and I have succumbed to doing the super complicated stuff that they want me to. I think the reality for most people is you don’t want to make that as difficult as it should be because it is impossible to remember all your passwords and you end up being the one who is locked out.
Adam Levin:
But there’s a way to get around that. A good way.
Beau Friedlander:
Pray tell.
Adam Levin:
Password managers.
Beau Friedlander:
I knew you were going to say that
Daniel Arnold:
Well, right. Which is great, unless it’s the fluke time when the password manager inexplicably doesn’t have the password. That kind of thing falls apart on me all the time. I have systems where, I don’t know if I should say this out loud in public, but I will email myself the new password with a prompt that I try to put myself in my future shoes, like “If I can’t get into credit card, what am I going to search in my email to try to find the password?”
Travis Taylor:
I guess the sorry to interject here with the question is, do you reuse the passwords or are they all unique?
Beau Friedlander:
Yeah. When you changed them, did you make the 20 different passwords or did you get some repeats in there?
Daniel Arnold:
I probably still have some repeats.
Beau Friedlander:
Adam, would you talk to this guy please?
Adam Levin:
Yep. Repeats, no bueno.
Beau Friedlander:
We are thinking maybe you need to up your game a little bit. Can you help somebody who does not want to be helped?
Travis Taylor:
Well, if you don’t really want to mess around with a password manager, the one thing you can do is if you use just Chrome or just Safari or just Firefox, if you stick to one type of browser, you can sync your email out or your passwords across multiple devices. So that’s one nice and easy way to do it, and if you really want the higher level of security, then you can get a full on password manager, and there is some that can be tied if you have an iPhone to your face ID and things like that. It takes a little bit of legwork to get it in place when you get started, but then after it is done, it is pretty seamless.
Beau Friedlander:
But there is also, with the password managers, Daniel, fair enough. Sometimes they don’t record the password that you put in or sometimes the prompt that says, “Would you like to add this password?” It doesn’t pop up because your computer’s having an off day. Maybe it drank too much the night before, and I don’t know why, but it happens.
Adam Levin:
Or maybe it’s on the toilet.
Beau Friedlander:
It could be doing some important decision making right on the throne, but it does happen. What I do, I can’t believe I am saying this. I am just going to lie and say that I keep this thing that I am going to tell you about offline on a zip drive that is encrypted and password protected. None of that is true.
Adam Levin:
In a safe at Fort Knox.
Beau Friedlander:
Yeah. It is not true. I ding, ding, ding, ding, ding. It’s we-
Adam Levin:
Just give to Travis.
Beau Friedlander:
It is dinner time. No, Travis loves my password story, which was for years, my password was hahaha.
Travis Taylor:
All lowercase.
Beau Friedlander:
And Travis knew it. Travis knew all my credentials. So it was actually laughable, but now I have, I won’t say what I call the file, but I have a file where I keep all my passwords, and for Apple, for example, I use a variety of apple, not Apple. So let’s just say Pippin, but it is not Pippin, and then I know that is my Apple account. And then I have my password there.
Adam Levin:
Or we will say orange. It’s fruit. [crosstalk 00:32:53]
Beau Friedlander:
But it is that, I can’t believe I am saying this in front of Travis because he is going to make fun of me, but I have a very hackable list with everything on it.
Daniel Arnold:
Got it.
Beau Friedlander:
Travis, do you think I am doing a good job?
Travis Taylor:
No.
Beau Friedlander:
Yeah. But it’s better than Daniel. Not so much, but it’s better than Daniel, and I’m on a show called What the Hack?
Daniel Arnold:
I am so naive and kind of apathetic about all this. I don’t know that there is a third party password manager option. Is that what you are telling me that there’s a certain…?
Beau Friedlander:
Yeah. And on my file that I told you about, that I keep that I should not be keeping in a place where people can hack it. [crosstalk 00:33:36] I do have it though. And on that file, it has the master password, and now I am really ringing the bell, for my password manager.
Adam Levin:
But Daniel, there is another alternative, and that is that you can create a series of disassociated words and use symbols instead of letters, and you can kind of mix the words up or you can have a base, a root password, which has symbols, and then you put things in front of it or behind it to give you an indication of the particular website that you are interested in, but don’t make it super obvious and come up with a really bizarre word, but again we have to remember that even if you have, and it bears repeating over and over and over, that even if you have the most indecipherable password on the planet, if it’s discovered and you use it anywhere else, this is where halo doom.
Beau Friedlander:
But you know, but hold on now, because Travis let’s make Daniel feel better.
Travis Taylor:
Your beard is quite fetching.
Adam Levin:
It is. It is very fetching.
Beau Friedlander:
No, but let’s make him feel better about his password management. What was the most popular password last year?
Adam Levin:
Wasn’t it password or qwerty?
Beau Friedlander:
I don’t know. Travis, do you have a guess?
Travis Taylor:
I’m pretty sure it was password. Password and 1234567 are usually the top two.
Beau Friedlander:
So now you are doing better than that, and that is a start.
Adam Levin:
Well, we think you are doing better than that. You haven’t told us the password, which don’t tell us the password.
Beau Friedlander:
So let’s talk about password managers. You don’t know about these things, Daniel?
Daniel Arnold:
No. I have the one that is built into my browser and my phone.
Beau Friedlander:
No, it is a guy. So in your neighborhood, it may be a guy named Saul and you go up to Saul and you say, “Oh, here is five bucks,” and he manages your passwords for you.
Daniel Arnold:
All right. More personnel.
Adam Levin:
I saw that you had a cat, cats can manage passwords.
Beau Friedlander:
Travis, help this man.
Travis Taylor:
Sure. With password managers, the way that they tend to work is if you are using a web browser, there will be a little browser plugin. That will just, if you are entering in a password, it will say, “Do you want to save this to,” and then whatever the name of the password manager is, and the nice thing about that is most of the major ones will work across multiple devices. You just have to install the app to your computer or to your phone, or what have you. It will work across multiple browsers, and again, with some of them, instead of just needing one master password, so you don’t want to have to be typing in some really long, complicated thing that is the keys to the kingdom, you can just use your face ID. You can use a few things that are easier for you to be able to use to unlock. And then what they do is they generate a really strong password for your other accounts.
Beau Friedlander:
And also they will tell you whether you have questionable passwords and it will actually do a vulnerability test and tell you where you have got some problems and prompt you to make changes.
Adam Levin:
It is like a little thing voice comes and goes, “What were you thinking?”
Beau Friedlander:
But it is all also kind of a pain in the butt because once you get going on that, you can sit there, if you don’t have great password hygiene, which I think nobody has perfect password hygiene when it comes to paying for a parking meter or something, or movie tickets that will sit there with you all night being like, “How about the cinema east? Do you want to change that?” And you’re like, “No, I don’t. I want it to be Daniel Arnold rocks.” And then you just go through.
Travis Taylor:
I think the main thing to keep in mind is that passwords are such an easy vector for breaking into accounts, especially if you have been online for a while. So I try to practice good password hygiene now, but yeah, to your point, I probably have something from 20 years ago or the mid to late nineties or something like that that is floating around there that has whatever the equivalent is of hahaha. I’m like hohoho is the password on it that still could actually have information about me that could be used, especially-
Beau Friedlander:
Are you kidding me? After you have given me all that crap, you have one of these?
Travis Taylor:
Yeah.
Beau Friedlander:
You really just went down 18,000 notches in my esteem.
Travis Taylor:
I don’t use hahaha, but I can promise you that when I was like 13 or 14, it wasn’t something where great password hygiene was front and center.
Adam Levin:
So hey Daniel, listen, before we go, I got to ask this question. You still getting a million calls a day?
Daniel Arnold:
I blocked a ton of numbers and that surprisingly did a pretty good job of shutting it down. There are still a few that get through once in a while. But at this point, it is not the nuisance that it was.
Adam Levin:
Well, do you have a thing like robo blocker on your phone?
Daniel Arnold:
Never heard of it.
Adam Levin:
Yeah. It is an app, and there are a few different ones and I think, Travis, you can back me up on this, but what it does is if something calls from a phone call that your phone doesn’t understand, it is like, “This is a new number.” What it will do is it will force the person making the call to actually explain what the call is about. So most people hang up and only those… Now it creates a little bit of a problem because if it is somebody you know calling from a different number that they have never called from before, it makes it a little bit more cumbersome for the caller, but it is more protective for the person who they are calling.
Travis Taylor:
And there is always within these apps… Be careful if you do install something like that, be careful which one you install, never do a free one because what you are doing is you are giving them access to your call history.
Beau Friedlander:
And that includes your password manager. For sure.
Adam Levin:
So you become the product.
Daniel Arnold:
Yeah. Right.
Beau Friedlander:
Yeah. All right. It doesn’t sound like we solved your problem, did PayPal ever give you back the money for the sneakers?
Daniel Arnold:
No. No. They just dismissed me.
Beau Friedlander:
Yeah, no, that’s not an answer. Adam, hiss all you want. What can we do for this guy?
Adam Levin:
Well, Beau, you could write him a check if you feel badly.
Beau Friedlander:
I could send him gift cards.
Adam Levin:
You could.
Beau Friedlander:
Travis, any thoughts here?
Travis Taylor:
Main thing I have seen is that if you just keep on bugging them and bugging them and bugging them, you may, at some point, get someone sympathetic to you.
Adam Levin:
Well, sometimes if you go to an organization, and now a lot of insurance companies, financial institutions and employers, but again, you are a freelancer, but they have programs available to help people through identity incidents and the people who work for these organizations, they have protocols they use with a number of these financial sites. So when they call, they know the right person to call, the right number to call, they can get you some form of resolution to the problem that would be more effective than you would because they do this every day and they know people.
Daniel Arnold:
Yeah.
Beau Friedlander:
So do you belong to a union or to any kind of insurance now?
Adam Levin:
Your insurance? Yeah. Home insurance, auto insurance.
Daniel Arnold:
I have health insurance.
Adam Levin:
Self insurance. Yeah. Health insurance.
Beau Friedlander:
Health insurance, probably not.
Adam Levin:
Probably not health insurers do not do that yet, but there is also renter’s insurance that makes it available, but you should definitely look into that because they really can be very helpful. We had a guest just the other day that went on LinkedIn because normally people who are on LinkedIn that are part of an organization, that LinkedIn will have a list of other people that work at the organization. So what he did is he went to LinkedIn and he looked for anyone that had either fraud department, resolution, anything like that in front as part of their title.
Daniel Arnold:
That is smart.
Adam Levin:
So what you might want to do is see if you can find people who work at PayPal and works in the fraud department of PayPal that you might be able to communicate with.
Daniel Arnold:
I will try that.
Adam Levin:
Or you can say, “Dude, if you want to really be my pal, help me here.”
Beau Friedlander:
Then you could pay him. I think that’s interesting, Adam. That is a pretty good idea. Maybe.
Adam Levin:
Yeah. So for those people who work for PayPal, it would do a wonderful thing for our ratings and our friends.
Daniel Arnold:
Yeah.
Adam Levin:
If you might help us get this $400, I mean, what is $400 to PayPal? We are talking about couch change, lint. That is it, but it is meaningful for human beings. Anyway, look Daniel, thanks for sharing your story.
Daniel Arnold:
My pleasure.
Adam Levin:
I am sorry that it took something that sucked for us to meet, but hopefully we can have-
Daniel Arnold:
Honestly, anything to get in this room I would do again.
Beau Friedlander:
Huh? Well go outside and put your social security number in the bathroom wall of a bar.
Adam Levin:
Yeah.
Daniel Arnold:
It has been great to meet you guys.
Adam Levin:
So if we go back to the beginning of Daniel’s story, how did this all happen? The way it happened was he was searching for health insurance. A lot of people don’t realize that when you go on Google and you are searching that the first result could actually be an ad.
Beau Friedlander:
Yeah. Often.
Adam Levin:
You think “Wow, this is really relevant.” Because a lot of people go and it is the real deal, but it could be an ad, and as Daniel’s story started, he was searching for health insurance and it could well have been a totally legitimate site that a criminal signed up to sell for, and was using that site as a way of gathering information about people and then using it to either sell other things or steal their identity, and it is despicable, especially when you are thinking about this is health insurance.
Beau Friedlander:
Totally. Well, I mentioned it earlier. I was looking for something also beneficial, this time for the environment. I was looking for solar power panel. So solar panels online, and I know that the first result is often an ad and I still, because I was really excited about saving the planet, I clicked the first link and I put in my information and just like Daniel, my phone did not stop ringing for a week because it was a jobber site where it was just going out… And I didn’t get hacked, but that is 101 when it comes to what we are supposed to be doing when we are online, which is like, “Stop, pause, look at it. Is it real? Are we sure that’s the site we want to go to?” I don’t do it all the time. Do you Adam?
Adam Levin:
Travis, are we sure this is a real story or an illustrative story?
Beau Friedlander:
Wait, did you just accuse me of lying? It is a true story. I really did sign up for solar power. No seriously.
Adam Levin:
You have been fetching about your roof story for a while. No, I know it’s a real story. I love you. Just a little kid.
Beau Friedlander:
I am fine with it. Sort of. Except my ego is completely crushed.
Travis Taylor:
Mm. Well it is definitely a real story that the top most Google search result is almost always an ad and that those are usually set up in such a way as to be as enticing as possible, but one little tech thing here is that with Google ads, if you have an account with that, it will tell you how often people are going, seeing your ad and how often they’re clicking through to your website. So that actually helps them say like, “Okay, 5% of people are clicking on this one. Ooh, what if I retool the ad? Now 10% of people are working on that.” That really helps them sharpen their approach and sharpen their tactics.
Adam Levin:
That is why we would love people to come and rate our show. So it can sharpen our approach and five stars are not a bad thing either, but oh, sorry. Didn’t mean to promote.
Beau Friedlander:
Wow. Really you are just like those sites that call you and you don’t realize that you have clicked the link.
Adam Levin:
Absolutely.
Beau Friedlander:
But you know, this episode for me was just about, I don’t know, the word that comes to mind is intentional. Being more intentional when you are online. In other words, like I intend to go to adamlevin.com and when I type in Adam Levin, the first result is almost always going to be the guy from Maroon Five. So I have to-
Adam Levin:
God that is such a buzz kill.
Beau Friedlander:
I am sorry buddy, but it is true, or Kenneth the bear, but then the bottom line is I would have to make sure that I am going to adamlevin.com, and if I am looking for something I am not always so intentional, I am not always looking at the URL.
Adam Levin:
No, and Travis and I want you to go to adamlevin.com. We all work hard including you to create a cool site for people.
Beau Friedlander:
I do. It is true, but there’s also-
Adam Levin:
While they are at, if they can come and listen to What the Hack and give us five star, sorry. Wow.
Beau Friedlander:
Or passwords. Can we talk about passwords?
Adam Levin:
Passwords. Yes. Passwords with passwords. Yeah. Passwords
Travis Taylor:
With passwords, it is such an easy way for you to get your accounts compromised. It is the equivalent of leaving your keys in the ignition of your car and the door wide open.
Beau Friedlander:
That is quite a metaphor. Wait, there’s a car or a house?
Travis Taylor:
House.
Beau Friedlander:
Wait, there’s two things here. I am not going to drive your house away.
Travis Taylor:
That is true, but you can break in and take your stuff.
Adam Levin:
And you can live in your car.
Beau Friedlander:
But I could also just break into his house, steal his car keys and put all the stuff I like in his house into the car and drive away.
Adam Levin:
They can do that too.
Travis Taylor:
It is all about access though. A weakly secured account with a weak password is giving people access. Especially if it is something you use on multiple accounts, especially if it’s something you have not updated in a while or that you have not checked to see if it has been in a breach or anything like that. So if you do that just can give people the key to your house and your car.
Adam Levin:
Listen, we are all targets. All of us. Much as we would like to think we are not, breaches have become the third certainty in life behind death and taxes. It is no longer a question of if, but when, and as we like to say, and it is true, there are so many people who have had their information exposed. That it is the only reason why you may not have been hit so far is because you did not click on the wrong link or they just never got around to you.
Travis Taylor:
Well, I think one of the things that he brought up as well though, is having the same PayPal account for 20 years, and that is one of the things that does keep me up at night. I know I alluded to this earlier, but just this sheer number of accounts we have set up. I don’t know if you remember Friendster or MySpace, which if you are on social media, a lot of people don’t really use anymore. That can be breached and that is a sitting target. So if you had something-
Adam Levin:
Isn’t that how we all met on Friendster?
Travis Taylor:
Yeah, there you go. But if you set something up like that, those can still be a fount of good information about you, and it is really easy to lose track of. It is easy just to say, “I haven’t logged into Friendster since 2003,” and then if you think about it, does that have your friends and family on there? Is that a password that you were reusing at the time? Does that have pictures of where you were living or other personal identifiable information? It might. Thanks to everyone for listening and hope you had a good time. We certainly did.
Beau Friedlander:
What the Hack with Adam Levin is a production of Loud Tree Media.
Adam Levin:
It is produced by Andrew Steven, the man with two first names.
Travis Taylor:
You can find us online at loudtreemedia.com and on Instagram, Twitter, and Facebook at Adam K Levin.
