Adam Levin:
Beau, didn’t you get vaccinated recently?
Beau Friedlander:
Yes, I did. And you know what? It wasn’t that bad, but here’s the thing, I am so fed up of seeing all of these vaccination cards on social media.
Adam Levin:
Why is that Beau?
Beau Friedlander:
I’ll tell you why. The reason is this. There is a universe of scammers out there. There are people waiting for ways to get you to give them information. And I can use the information on that vaccine card. I could use that card, if I were a bad guy, which I’m not, I could use that information to get you to give me more information. And that’s the problem. So for instance, don’t tell me the truth, Adam, which of the three vaccines did you get?
Adam Levin:
The best.
Beau Friedlander:
Okay. Now I know that you got the best and I happen to know that you got it on such and such a date. And I know your birthday because you’ve put your card on Instagram when you got vaccinated. And now I’m going to call you up if I can figure out what your contact information is and say, “Hey, is this Adam Levin?” And you’ll say, “why, yes.” And then I’ll say, “Hey, is your birthday, January 1st, 1901?” And you will say “yes”, because we all know that’s when you were born. And then I got ya. Cause I’ll say “you got the best vaccine. You got it on this date. And I just need one more piece of information for you. It’s on your insurance card. I just need your account number. And I need this because we’re having a problem with billing.” That’s one of many ways. So here’s the issue Adam, is that there’s enough information there for a good scammer to get a foothold into questions that will cause them to reveal a key. It doesn’t have to be the skeleton key to everything, just a key, and they can get into something. And from there, as you know, once you get into one thing, you can get into a lot of other things.
Adam Levin:
Well, you have to look at your information as assets. Number one, and number two, that it’s a mosaic of your life. And each particular piece of information is another tile in that mosaic. The more tiles they get, the more complete picture they can create of you and they can combine that information with other information that they could buy on the dark web and suddenly they’re you to somebody else. And that’s very dangerous. That could cost you time, money, you could become a victim of identity theft, and you could be a victim of medical related identity theft, where someone takes your information and then uses that for the purpose of accessing your medical insurance, having treatments, exams, and other things. So that’s why you have to be super careful, super careful.
Beau Friedlander:
Now, full disclosure, Adam, you didn’t post your vaccination card online. I know you didn’t because you don’t post anything online, but at any rate, we’re careful. And I think it’s important to remember that people don’t understand how vulnerable they are with the simplest, smallest, most meaningless seeming piece of information.
Adam Levin:
This reminds me of a few years ago at the Democratic National Convention, one of the delegates was so excited about the conversations relative to Medicare, that they took their Medicare card and waved it in front of a national television camera. And those were the days when your Medicare number was your Social Security number. So that was like giving away the house, the farm, the horse, the food, your first born, all that stuff.
Beau Friedlander:
The old LifeLock move.
Adam Levin:
Hi there I’m Adam Levin, founder of CyberScout, author of “Swiped”, former director of the New Jersey Division of Consumer Affairs, co-founder of Credit.com.
Beau Friedlander:
I’m Beau Friedlander, I write about cyber and I also am really, really, really interested in scams fraud, any kind of privacy-related crime.
Travis Taylor:
And I’m Travis Taylor, resident tech guy and occasional voice of God.
Adam Levin:
And we’re all here. And this is What the Hack.
Beau Friedlander:
So who are we talking to today? We are talking to Aunt Sally.
Adam Levin:
Aunt Sally which reminds me of a song when I was young and it was “Sally With a Red Dress.”
But we are certainly thrilled to have you, to have your voice and to hear about your story. So, first question, where do you live?
Aunt Sally:
I live in Olympia, Washington.
Beau Friedlander:
And where are you now Aunt Sally?
Aunt Sally:
I’m in Kauai, Hawaii, with my niece and my sister-in-law.
Adam Levin:
My first honeymoon was in Kauai.
Beau Friedlander:
Oh!
Adam Levin:
So, totally, it’s a lovely place and you are a lovely person and we’re thrilled to have you here today.
Beau Friedlander:
So, Aunt Sally, what are you doing while you’re in Hawaii?
Aunt Sally:
I’m seeing all the sites, so we had to rent a car. So Sally could go see the canyon and see the lighthouse and all the birds and sit on the beach and do artwork.
Beau Friedlander:
Have you seen any strange birds?
Aunt Sally:
No, but I saw six out of eight birds that are possible to see at that lighthouse.
Beau Friedlander:
Amazing. What are those?
Aunt Sally:
I saw an albatross. I saw a shearwater and I saw the red-footed boobies and I saw a frigate and then I saw a white-tailed tropicbird. It was so much fun.
Adam Levin:
So first of all, in a second, I’d love to know more about birdwatching because I happen to think that it’s fascinating. My son who’s 8 and a half loves birdwatching. And recently, I was watching one of my favorite television shows called Blacklist, starring James Spader. And in these episodes, he goes to Central Park to clear his mind and runs into a woman who is birdwatching and he’s birdwatching with her. So I feel like the spirit of birdwatching has now been with me for several weeks.
Aunt Sally:
Well, that’s good. That’s good.
Adam Levin:
So if someone wants to learn more about birdwatching, are there specific sites that they would go to?
Aunt Sally:
Well, for Kauai, the Audubon Society here has blogs and detailed maps of where the birds are hanging out right now, depending on what kind of birds you want to see. So Hawaii Audubon is really a good source.
Beau Friedlander:
And they update that every day? So you can change your locale, depending on what they say?
Aunt Sally:
I think if something significant happens, they do. But if it’s just kind of a normal day, they just put it on eBird, which is Cornell Labs’ ornithological society. They put it on there so you can check any bird in the world on that site and you can watch the migration of the birds as they go north or south.
Beau Friedlander:
So Aunt Sally, are you on the show today because of something that happened with a bird?
Aunt Sally:
No, not really. It happened with my computer and my credit cards and debit cards and all that kind of stuff.
Adam Levin:
Well what happened?
Aunt Sally:
I wanted to get a COVID shot. So I had a friend who told me about a pharmacy that was close by where I could go get this. Well, somehow in the translation, my friend or me, we transposed the number. So I went to a wrong website.
Speaker 6:
These aren’t the drawings you’re looking for. These aren’t the drawings we’re looking for.
Aunt Sally:
And I went down that rabbit hole. And then they asked me some questions. I thought it was getting weird. I answered it. I gave them my address and I did give them my email number. And then the next thing they asked me, it was something about my bank. And I said, “No, I’m not answering that one.”
Aunt Sally:
And so luckily my son-in-law was home next door and I ran and got him. And he’s a real smart pilot. So the first thing he asked was for the employee number of this guy. And cause he said he was from the Sears computer repair thing, some kind of tech geeks, I think maybe. And he said it was from there, but he couldn’t give Andy an employee number. So the guy hung up. And so then I watched my mouse move on my computer and that’s why I went to get Andy and immediately Andy shut me down. I have a son, I have a grandson, he’s a real computer geek. So I just kept my computer totally unplugged and took it over to his house. Then he went through it and got rid of whatever virus or malware or whatever they put on my computer so I could use it. Cause I had to give a screenshot of a clean computer to my bank before my bank would let me use my banking account again.
Adam Levin:
So Aunt Sally, when you say you entered one digit wrong, how, where, on your computer?
Aunt Sally:
My computer, when I was going to the website, that this friend had given me to go to so I can sign up for a COVID test.
Beau Friedlander:
Now you’re sure that you entered it incorrectly, just by one character?
Aunt Sally:
I don’t know. Yeah. I’m going to say yes. We transposed some letters or numbers. I had a wrong website.
Beau Friedlander:
Was the first strange thing the request for your bank account or was it your mouse moving?
Aunt Sally:
Asking me questions about what was my email address and what was my address. And then he went to my bank and then I looked down at my computer and saw my mouse was moving.
Beau Friedlander:
Oh gosh. That must’ve been really surprising. What was your reaction to your mouse moving by itself?
Aunt Sally:
I picked up my mouse and I went out of my house and I live right next to my daughter and my son-in-law and I knew Andy was home and I went in there and I said, “Andy, my mouse is moving on my computer and I’m not moving it. Please come over.”
And so Andy right away puts on that hat of his and what he’s very authoritarian. And he came over and ask one question, didn’t get the right answer and cut me off and from everything.
Beau Friedlander:
So Sally, that is pretty terrifying. I think we should toss this to Travis, who we lovingly referred to as the voice of God. Travis, what happened here?
Travis Taylor:
That sounds an awful lot like what’s called an RDP attack or, Remote Desktop Protocol. So there’s something that they put in computers that can help one person take over someone else’s computer. That’s originally made for something like tech support. So, you have a relative needs some help installing something, you can just jump on their computer remotely and either install software or do whatever repairs, anything like that. That has been, for obvious reasons, a favorite for hackers because all you need to do, once you’re able to get onto someone’s computer through remote desktop protocol, you can go through all their files. You can install more malware, but perhaps even most importantly, you can disable their antivirus or anti-malware software on there. So they can just take complete control.
Aunt Sally:
I was scared not to understand that I have some definite trouble and I needed to get some help and get it taken care of. It wasn’t anything to play around with. And I’m still dealing with the ramifications.
Adam Levin:
So your son-in-law shut down your computer. What happened next?
Aunt Sally:
I called the banks, got everything stopped, put a hold on my bank account. I didn’t want to put a freeze on it. I didn’t want to close it because everything in my life is attached to that account. And then I went through, it took me 17 days to get a new debit card. I couldn’t write checks because I had my driver’s license said it was expired, but the DMV had extended everybody till June. So it wasn’t expired, but it didn’t matter. I couldn’t use it at Fred Meyers. So I’ve got that taken care of. So when I got hacked again in beginning of this month, not hacked, somebody used my debit card. I had a brand new debit card from the one in January. I’ve been so careful about using it, but I made a mistake and I bought something online using my debit card, not using my credit card, but using my debit card. And I think that was a bad idea.
Beau Friedlander:
Oh, Adam, you have trained me. Oh boy, have you trained me. Let’s talk about debit cards.
Adam Levin:
So many people go, “The only way that I can control my spending is I use a debit card. So then I never spend more than is in my bank account.”
Adam Levin:
But I tell them, this is now an adult moment, which is if you’re going to purchase anything online, don’t do it with a debit card, do it with a credit card. Because a credit card, it’s their money. A debit card is your money. That a debit card is the pathway straight into your bank account. It’s one that has generally less protections, though they’re getting better, than credit cards and credit cards just give you more time. And the issue is once someone crawls into your bank account and takes money out of your bank account, even though the bank may agree that it was fraudulent, it may take a while for that money to come back. And that could be money that you need for groceries, mortgage, car payment, you named down the list of the things that you need cash for. And it can be a very dangerous thing. So I always say to people use your credit card, not your debit card when you’re purchasing anything online.
Beau Friedlander:
And not to mention the fact, Adam, that your credit card gives you rewards and your debit card generally doesn’t. I know there are rewards with debit cards, but a credit card is like a win on every level. So, Aunt Sally, you said that you made a mistake. Do you not usually use your debit card?
Aunt Sally:
No, I’ve gotten much more conscientious about where I use it and forever, I’ve tried not to use it online because I’ve always known that was not safe, but I was really tired. I can remember now. I was really tired, didn’t want to get out of my chair, card was right there. It was to, to fabric stores, one in England and one someplace else here in the States. And I thought, “these people are going to be sending me linen. Is this really going to be a scam.?” So anyway, I ordered the two things and I got one order very quickly, within like five days because they processed. The second lady did not. And I filed a complaint against her and she got real pissy. I got my fabric finally, but it took her like 11 days to mail it back. So she didn’t plan on mailing it. I think she planned on playing. She was in Moscow and getting some money.
Adam Levin:
Stiffing you on the card. Yep. They like to do that.
Aunt Sally:
I’m trying to get smarter, but I’m 74. And I sometimes push buttons, [inaudible 00:14:55].
Beau Friedlander:
Well we all push buttons sometimes.
Adam Levin:
There are many people out there who collect addresses, internet addresses, that are one letter off. And that’s for the purpose of scamming people. Just like for years, what they would do is, let’s say it was www.microsoft.com, but someone would type “Microsoft” with two Os or they would do it “.cm” and that’s why a lot of companies had to go out and basically buy any URL that even vaguely sounded like, looked like what their web address was just to protect themselves against people who would try to buy these addresses just for the purpose of people, making a mistake, clicking on the wrong link, going to the wrong address, and then opening themselves up to be victims of scams and identity theft.
Beau Friedlander:
Hey Travis, how prevalent is that kind of squatting?
Travis Taylor:
That’s extremely prevalent, to the point that places like Microsoft, to Adam’s point, have actually gone out of their way to try to get as many domain names and lookalike domain names as possible. One big one though, is the “.cm” because that is, instead of being a “.com” domain name, it’s actually the country code for the nation of Cameroon. So that’s a really, really easy typo to make. And not a lot of companies are going to actually take the extra initiative to try to acquire a domain name in Cameroon.
Beau Friedlander:
Adam, I’m so sad.
Adam Levin:
All right, Beau, why are you sad?
Beau Friedlander:
I’m wishing that there was an “m” in here. You know the 3 M’s.
Adam Levin:
Well, the 3 M’s, and this is basically the framework that people should use when they’re thinking about doing anything, is how do you minimize your risk of exposure or reduce your attackable surface? How do you monitor so you know as quickly as possible that you have a problem? And how do you manage the damage?
Beau Friedlander:
Aha! Wait, wait, then you solved my problem, because I was sad about this URL squatting, not being an “M” word, but it falls under monitoring. Because really what you need to do now, when you’re navigating to a website, is you do have to look at the URL and you really have to look at it because it might be Google spelled with 3 O’s, well it won’t be now, but it could be something like that, right?
Adam Levin:
You know, one of the ways to protect yourself against misspellings or typographical errors, when you enter a URL on your browser is to, once you’ve found a site that you know and you know you’re going to come back to it ,is save it in your favorites.
Beau Friedlander:
Oh, that makes sense.
Adam Levin:
Don’t necessarily rely on history because oftentimes when you update things, it sometimes will kill your history. So, save it in favorites. So then when you want to go to it, you just go to favorites, you find it, you click on it and it’s a method to protect yourself.
Beau Friedlander:
And Travis, is there anything else we need to know about with regard to the device takeover protocol that you described earlier?
Travis Taylor:
A big one is to always keep some sort of security software on your computer. Even though an RDP takeover can sometimes disable that, it’s still better than nothing.
There are a lot of types of malware out there that what they’ll do is open up new ports on your computer to that type of attack and then just let it wait. So a hacker can just say, “Hey, I don’t need this right now, but if the system is compromised so I can come back in a month, six months or a year. So definitely keep your security software up to date and do what Aunt Sally did too, which is, if you see something strange act quickly. Unplug your computer, go get help. Don’t just sit there and stare at your screen while someone is invading it, ultimately invading your computer.
Adam Levin:
And you were very wise to do that. And that is something that everyone should take away from this. Is that be alert, be thoughtful. And if anything doesn’t seem right, assume it’s not right. Don’t assume it’s just, you saw something that didn’t really happen. And with that, and Sally, we really want to thank you for joining us. I know Beau’s going to run out and buy you a red dress now.
Aunt Sally:
I like the song, “Sneakin’ Sally Through the Alley” better than the red dress one.
Beau Friedlander:
Okay.
Aunt Sally:
Well then when you’re, when you’re back in the States, we’ll have to sneak you down an alley somewhere.
Adam Levin:
That’s right. Just let us know which alley and we’ll sneak you down it. Anyway. Thank you so much. And thank you, Beau. Thank you, Travis. Thank you Aunt Sally and thanks everybody for listening to this episode of What The Hack!?.
Adam Levin:
What The Hack Is a Loud Tree Media production in partnership with Larj Media, that’s L-a-r-j media. You can find What The Hack!?, Wherever you get your podcasts. Be sure to follow us on social media and find additional information at adamlevin.com.