At some point in our life we will encounter a cyber intrusion, either through somewhere we have done business or because we are targeted as an individual. It is important to know how to prevent identity theft as well as how to respond if you’ve already been compromised.
Today’s guest is Adam Levin. As a graduate of Stanford University and the University of Michigan School of Law, Adam Levin is a nationally recognized expert on cybersecurity, privacy, identity theft, fraud, and personal finance. He is an author and the former director of the New Jersey Division of Consumer Affairs. Levin is the chairman and founder of Cyber Scout and co-founded Credit.com. He has been featured in the New York TImes, Associated Press, Wall Street Journal, The Los Angeles Times, USA Today, and The Chicago Tribune. In addition to that, he has appeared on The Today Show, Good Morning America, CBS Evening News, CNBC, MSN, and many others.“People were really feeling like they were victims because they did something wrong. But in reality they were just on the database at the wrong time when the wrong person gained access and their credentials happened to be part of… Click To Tweet
- [1:14] – Adam shares his background and education in law and politics.
- [2:29] – In 2003, Adam created an Identity Theft company that later became a global business called Cyber Scout.
- [4:49] – Adam believes that security breaches are a certainty of life these days.
- [6:35] – While hacking has been around for a long time, Adam shares how he got into the business of identity theft protection.
- [8:36] – Over time, insurance companies have come to be support in identity theft.
- [10:01] – Chris shares a scenario of a friend that had their identity stolen.
- [12:23] – Many victims feel like they were in the wrong when in reality they may not have done anything wrong at all.
- [13:56] – In recent years, the IRS has been a lot more proactive.
- [16:02] – What is Adam’s definition of identity theft?
- [19:01] – Adam explains why you should be vetting your vendor as well.
- [21:13] – There are four kinds of threat actors – state sponsored, for-profit, cause-related, and “because I can.”
- [23:29] – Social engineering is the most successful method of identity theft.
- [25:42] – Adam wrote the book Swiped and explains that there needs to be a new framework around mitigating the threat of identity theft.
- [26:32] – How do we minimize your risk of exposure? This is very difficult.
- [27:46] – Two factor authorization is extremely helpful in protection.
- [28:41] – Always verify that the person you’re speaking to is who you think they are.
- [30:12] – How can you monitor everything on your accounts and reports?
- [31:37] – One of the ways credit card numbers are sold on the dark web is by zip code which causes many banks to miss fraudulent use.
- [32:51] – The third “M” is to manage the damage. What can you do after an incident?
- [34:05] – Identity theft protection programs are relatively inexpensive.
- [37:01] – You can set the threshold for when you are notified. But you should choose to be notified of any purchase, even the really small ones.
- [38:50] – How do banks know when there’s a fraudulent charge?
- [40:38] – There are features where you can lock the use of your card before having to change account numbers.
- [42:33] – The best protector of your portfolios, including your identity, is you the consumer.
- [44:37] – Adam describes his new podcast called What the Hack.
- [50:23] – Remember that many people are not who they claim to be.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Adam Levin Web Page
- What the Hack Podcast with Adam Levin
- Adam Levin on Twitter
- Cyber Scout Web Page
- Cyber Scout on Twitter
Can you give the audience and myself a little bit of background about who you are and how you've come to be where you are now?
I went to law school at the University of Michigan, undergrad at Stanford. I was in politics for many years, ran for Congress twice, and was Consumer Affairs Commissioner for the state of New Jersey for five years between 1977 and 1982 several generations ago.
I started a company back in 1994. That was one of the first online credit education advocacy products and service sites, Credit.com. In fact, we were so original to the internet that we managed to get the domain, credit.com, by swapping a hard drive for it.
Wow. And you didn't have to pay $1,000,000.
Only $1800. It was a great moment in history. It grew to be a very large site and we sold it in 2015. In 2003, I started a company called Identity Theft 911, which was really one of the original companies in the identity theft space and one that its core competence was in resolution and remediation.
Then over time, it grew to IDT911 because we were working in the insurance industry—that was one of our big client groups—and some of the insurance companies said, “Identity Theft 911 scares our people. They think they're all victims of identity theft.” So we changed our name to IDT911. We were that for a few years and then people said, “Are you a phone company or an alarm company?”
We went global a few years ago and changed our name to CyberScout. We had operations in the US, Canada, the EU, Asia, Malaysia, and we're starting to evolve into Latin America. Our big industry groups were insurance, financial services, employee benefits. For a period of time, we were also involved in election security, which I think is something that many people have heard a great deal about, perhaps too much more than they wanted to hear about.
Our areas were really education, remediation, breach preparedness, breach response, identity management, and forensics. Just this past March, I got an offer that I couldn't refuse, so I sold CyberScout this year, which was unbelievably exciting and completely unexpected.
That's awesome. It's always great for a business owner to receive unsolicited, amazing offers.
I guess they now call me a serial entrepreneur. I'm excited by that. The areas that I was involved with, both with consumer protection and then with identity protection, I think they go hand in hand.
I'm a great believer that we live in a world where breaches have become the third certainty in life, now behind death and taxes, and that it's really critical that government, business, and consumers all work together. Because frankly, I think we can all agree that the government hasn't done enough and business hasn't done enough. Unfortunately, threat actors are running wild. I don't like to use the word hackers because there are a lot of good hackers—the white hat hackers, the good guys.I'm a great believer that we live in a world where breaches have become the third certainty in life, now behind death and taxes. -Adam Levin Click To Tweet
We did write a book back in 2015 called Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. We carefully avoided the word hackers because, again, there are many, many good hackers in this world that perform very important functions for a lot of organizations in order to protect us all against the bad guys.
Hacking is a methodology, not about intent.
Thievery is definitely a specific intent.
Totally. That's why we call them threat actors.
I know that you had—in your political life or your law life—a background in consumer protection. Is that what got you interested in identity theft and identity protection, or was there a specific event in your life?
I was always very interested in the subject area. Of course, identity theft really originated in the 1970s, but it really came to the fore with the hacking of ChoicePoint, which was back in 2005. That was really the first iconic breach.
In 2003, I was approached by some people. They were a legal services organization. They wanted to make a bid on a particular company's credit card portfolio. They felt their bid would be too high, but if they could add some form of identity protection services to it, it might make their bid more palatable. They said, “You're in the credit world—obviously, identity theft is a credit issue too—you must know someone.”
A couple of us looked around for three or four months, and my folks came back to me and said, “Nobody's doing it right. You have a few of the credit reporting agencies that are trying to use this as a revenue stream. You've got insurance brokers, marketing companies, and even had one investigative agency doing it, but nobody is really looking at it from the perspective of putting people back together again after they've been a victim of these incidents.”
You have to remember—and of course, it’s a long time ago—but back in 2002, 2003, and 2004, the consumer wasn't considered the victim. It was the business that was the victim because the bank ended up having issues in terms of the credit cards or whatever it was that the identity theft led to. The bank was the victim.
I remember when we first started going out and talking to insurance companies, their position was, “Why should we be involved in any of this? It has nothing to do with us. It's the financial services industry—in particular, the banks, it's their problem. They don't protect their data well enough.”
Interestingly enough, today, the largest not only beneficiaries but movers in the identity protection space and risk mitigation space are the insurance companies. They've really become the key drivers now in cyber protection and identity protection.
I want to ask you about this. This is going to be a little backwards to the way I was originally going to talk about the identity theft subject. Someone close to me was a victim of identity theft. I think it was probably in the late '90s, early 2000s.
For this individual, it turned out that multiple people had used their Social Security Number and name for their employers. This person had, I think, somewhere between six and 12 people using their identity for employment in a half a dozen different states. Of course, none of them were paying their income tax on that.
They found out through a tax filing at some point, “Hey, you've already filed your taxes.” They were like, “No, I haven’t,” and started to dig into it. They found out that for several years, people have been using their identity for W-2 income. The taxes weren't being paid. The scammers had been served notices that they hadn't paid taxes, charges were brought against them, and they failed to appear in court. Basically, there was a bench warrant out for these individuals in those states. They find out and go through this.
Where I'm trying to get to is when they went to try to resolve it, there was no method of resolution for the identity theft. Let's say—I'm going to make up a state and amount—in Arizona, there was $10,000 of state taxes due. Because there had been a court appearance, no one had shown up, and the court case was settled. The only resolution was to pay the back taxes. Then, that will open up the administrative loophole to now request to get your money back. But this individual had to prove that it wasn't them.
It was just this nightmare that went on for years and years because everyone was like, “Identity theft? Why would anyone be using your Social Security Number to work? Why would they not be paying their taxes?” I assume that was probably what it was like around the time that you got involved in it?
Absolutely. In 2002, 2003, 2004, that timeframe and even a couple years after that, the victim was actually guilty until proven innocent. You would get a call from a debt collector and you would say, “I didn't do this.” They would go, “If I had a dime for every person who said to me they didn't do it, I'd be very wealthy.” That's what was happening. That's one of the reasons why we did it our way, which is where the core competence was resolution because it is a scary thing. It is a life-upending situation for a lot of people.
If you talk to our friend Eva Velasquez at the Identity Theft Resource Center, they even do a report called the Aftermath Report. The amount of tumult and emotional upheaval that people go through—feelings of inadequacy, feelings of, “What did I do wrong,” guilt, all of that. People were actually feeling like, “I'm the victim because I did something wrong.”
In many cases, it had nothing to do with them. They just happened to be on the wrong database at the wrong moment when the wrong person gained unauthorized access and their credentials happened to be part of it. That doesn't mean that a lot of people don't click on the wrong link, don't use long and strong passwords, and things like that, but that was the environment that we were facing back in those days.
In particular, when you got involved in anything that's related to the Internal Revenue Service or state taxing authorities, it was terrifying. The refunds were being diverted, or in the case of your friend, it's where Social Security Numbers were being used and people were getting notices that they had paid woefully inadequate taxes because all of these identities had been stolen, and that income information was being reported on that Social Security Number.
It makes me wonder—if this gets into the political realm that you don't want to discuss, feel free to decline to comment. Do you think there's an issue where the IRS is very aware that it's very likely that this person's identity has been compromised? We can see that this person's earning income on multiple W-2s. This is just not consistent. Let's tell this person. But they seem to run with this position of, “Well, as long as we're getting money, we really don't care whether there's fraud happening or not.”
That is not really the issue anymore with the IRS. They have been extremely proactive now. They're issuing PIN numbers now to anyone who wants one and that has to be filed with the tax return. In the old days, you had to prove that you were a victim of identity theft in order to gain access to your PIN number. But now, they're working with state taxing authorities, with tax preparation associations, and tax preparation organizations, so there is a concerted effort. They have a tax summit every year.
In fact, CyberScout was privileged to be part of the educator group that used to teach people at the seminars all over the country—who were tax preparers—things that they needed to do in order to better protect their systems so that threat actors wouldn't be going into those systems and then stealing information.
This has been a persistent problem, but I would certainly say the IRS has made a real concerted effort. Their problem has been because of reconciliation and because of sequestration, which is where their budget was being reduced and reduced and reduced. They were running out of people to help people, and the people they did have weren't as well-trained as they should be. But that has changed over the years when they put far more effort now in working with taxpayers in order to help solve the problem because it's very clear that this is an epidemic in this country and a pandemic worldwide.
What do you see as the biggest source of identity theft? Maybe we should take a step back. How are you defining identity theft? I have people that approached me that have a fairly loose definition of identity theft. Let's go with your definition.
My definition of identity theft is when someone is using your personal identifiable information in order to be involved in account takeover to open new accounts, to use your information in medical environments where they could get access to your medical insurance and run up bills in your name at medical facilities and medical providers.
There have even been instances where the information of the thief has been commingled with the information of the victim. If it happens to be the same facility, your blood type could change and your allergies could disappear. Where information—for instance, your children's information—is used in order to open accounts, commit fraud, get medical treatment, file fake tax returns. Then, there's also the instance where people use the information of victims in order to actually commit crimes and make sure that the trail of breadcrumbs leads back to the victim.
Yeah, that's the scary one. Not that they're all not scary, but that one's particularly scary.
It's basically the unauthorized use of your personal information for the purposes of exploiting you or gaining privileged access to, for instance, the network where you work.
I always say to people, when you look in the mirror, you see you. But when a threat actor looks at you, they see Jay-Z, Beyonce, or Adam Levine. They don't see you. They view you as the tributary to a larger river.
When Target was breached, they didn't go through the front door of Target. They didn't go through the computer system of the target initially. They breached the network of an HVAC contractor that was running the chilling units in the Target stores and maintaining them. They used that access to crow into Target, get into their point of sale system, and then get into their databases. They laterally moved the data and then they moved it out.
More and more, you will hear about people announcing that data involving their customers, clients, and policyholders have been compromised, not because of them but because of some third-party vendor that they have outsourced particular functions to. That data has then been compromised.
There was a case with the Customs and Border Patrol where 100,000 licenses and pictures of people coming across the border—I'm not talking about between the US and Mexico, but regular people, people who should be coming across the border. It was compromised because a subcontractor of a contractor was breached.
That's why it's really, unfortunately, a situation now as an organization where you are breached if your vendor is breached, so you better be vetting your vendor as if you're vetting someone that's working for you as an employee. You need to make sure that they adhere to the same strict security protocols, hopefully, that you do as an organization.
And that they're making sure that their sub-vendors are doing the same thing as well. It could be a very perilous chain.
If you want to look at the environment at the macro level, it's very simply this: we all have day jobs. Whether it's running a business, working for somebody, raising our kids, getting your education, being involved in philanthropic activities—the list goes on and on. That's our day job. But to a threat actor, we are their day job.
Their bread and butter is, “How do I get that personally identifiable information and then how do I use it to my advantage?”
As a perfect example, when we were involved in election security, we would talk to different appointed elected officials in states around the country and say, “It's not a fair fight. You're talking about, in some cases, a rural community in a small state that suddenly finds out that someone clicked on the wrong link and they're facing off against threat actors sponsored by Russia.”
How does the town of 1000 people have the cybersecurity budget to protect against?
That's like bringing a water pistol to a fight against a howitzer. It's just not a fair fight. That's what we're up against. People have to remember, there are four kinds of threat actors. There are state-sponsored. We've certainly known all about that, whether you're talking about SolarWinds, Microsoft Exchange, or Sony, for instance.
State-sponsored actors. You have the for-profit gang, and the list goes on and on. You have the cause-related, which if you remember the incident with Sony and North Korea, and other companies have faced that. Then, you have the because-I-can folks, or as our former president used to refer to them, the 400-pound hackers sitting on a mattress in his mother's basement in New Jersey.
Not that they've been in the news recently, anonymous would be in the cause-related category?
They certainly were. Then you have other actors that are in the ransomware area. Some of them would argue that they're cause-related, but they're certainly for-profit, state-sponsored, or in the case of North Korea, state-sponsored who are also for-profit because that's how North Korea generates revenue to run its different programs.
For some organizations, we're going to do this at the behest of this nation-state. We're going to act as their contractor. We'll pass along a portion of the proceeds to them, we'll keep some for ourselves, and everybody's happy except the victims.
Or you have a situation where a nation-state will say to the people that are doing its intrusions for it, “We've got everything we need for espionage, so if you want to sell it, that's OK.”
That's horrible. What are, in your mind, the primary entry points to identity theft? Is it data breaches, is it things that we do because we're answering Facebook quizzes, or because we're using bad passwords? Where are, in your mind, some of the most prevalent risks?
Social engineering. That's having someone representing themselves to be someone you know, you've heard of, you fear, someone that you do business with, someone that you work for, a friend, or a relative. They get you to click on a link either because they want to get into your life, or they simply want to use the credentials that you use in order to gain access to networks where you work or even your own network and then use that for their benefit.
It really is everything from clicking on the wrong link, opening the wrong attachment, downloading an app that sounds like the newest, shiniest, coolest app—except you didn't get it from a legitimate app store—falling for the sale of the century or some deal that involves a rental property that you're looking at. That's the way they get in.
There's so much information for sale on the dark web-based on all of the breaches and leaks that have occurred over the years. We've had billions of files containing a staggering amount of information about people. They take that information and combine it with anything new that they can get their hands on.
Think of it as somebody creating a mosaic. Each piece of information is one tile in that mosaic. The more tiles and the more impressive the mosaic, the easier it is for them to convince someone that they're you.
Now that we're thoroughly scared of every action we take in life, I know that we can't entirely eliminate the risk of identity theft. I don't think you can entirely eliminate it. The technology is not there. The behavior is not there. We don't have control over absolutely everything. What can we do to mitigate the risk?
And so we come to the thesis of my book, Swiped. That is that you have to look at this in a new framework. You have to assume that at some point in your life, you are going to become a victim of some form or multiple forms of identity theft or cyber intrusions.The 3 Ms of managing risk: Minimize risk of exposure. Monitor for activity. Manage the damage. -Adam Levin Click To Tweet
On the first M, how do you minimize your risk of exposure? Very difficult in a world where we’re surrounded by billions of Internet of Things devices that are tracking us, eavesdropping, sending our data back to, in some cases, the right people, but in most cases, the wrong people, because we live in a surveillance economy. That's what's happening.
Everything from password protocol—long and strong passwords that are not shared across your universe of websites. Password is not a password, nor is 123456 or 1111. Just like a PIN number that's a good one is not 1111. It should be something that you might be able to remember, but it's something that's not simple. Maybe you take different words that are really disassociated and put them together in an interesting way using symbols, letters, uppercase, lowercase, and punctuation, things like that.
An easier way to do it: get a password manager. Then you only have to remember the password to your password manager, which could be a real problem if you forget that password. Enabling two-factor authentication. Whether it's a retinal scan, a thumbprint, facial recognition, or a code sent to a trusted device, it’s at least some additional form of authentication. People are hoping in the future that blockchain will give us additional authentication procedures that will make it easier for us to be able to specifically identify an individual.
It's not clicking on links or opening attachments because you think that I know this person. I know it's a buzzkill, but oftentimes, I will send a note to somebody who sends me something in a different format and say, “Was this you?” It means not authenticating yourself to anyone who calls you.
The caller ID might look right. They might sound right. They might even sound familiar, but if you're calling them and they ask you to confirm who you are, that's one thing. If they're calling you and asked you, “Oh, by the way, is this your credit card number?” You say, “Why, yes, it is.” “Is this the expiration date?” You say, “Yes,” and they go, “Just to confirm you're you, could you flip the card over and read the security code on the back?” It's like, “No, I can't, but I'll call back the institution.”
It's freezing your credit. It's not the ultimate silver bullet, but it certainly makes it more difficult for anyone to gain access to your credit for the purpose of opening new accounts. It's even something as simple as shredding. By the way, freezing your credit now is free. Based on an amendment to one of the bank reform acts, it's free. You should avail yourself of it for you and for your kids.
That's the one that I often hear people forget. They've gone through the process, they got a Social Security Number for their kids, and they didn't immediately freeze the kid’s account. “They're not going to use it, why should I freeze it?” “Well, because someone else is going to try to use it.”
You should do it. There was a conflict at a time when the bureaus were saying, “Well, there's a certain process you have to use.” At least one of them wasn't willing to at least suppress your child's credit unless you could prove that he or she was a victim of some form of identity theft. That's all changing now. That's the first M.
The second M—monitoring—is much shorter. First, get your credit report and actually read it. You're not only looking for the things you did, but you're specifically looking for the things that you didn't do. If you see a collection account involving an account you'd never heard of, then you want to explore it further. There are mechanisms now that make it so much easier than the credit reporting agencies you're using that you can do it electronically now. You don't have to call the fraud departments, although, in some cases, it's still wiser.
You might want to put a fraud alert on your file depending upon what you find. Also, you’ve got to track your credit scores. Because if your score takes a sudden precipitous drop, it can only be for one of three reasons. You didn't pay a bill—you need to know that. You're using too much of your available credit—you also need to know that because that's lowering your credit score. Or, you're a victim of identity theft—you really need to know that.
You also should sign up for transactional monitoring, which you can get from your financial institutions—your credit card companies—that notifies you anytime there's an activity in your account. The reason is that millions of credit and debit cards are sold on the dark web by all sorts of different categories. One of the categories is by zip code. If the unauthorized access is taking place or account takeover, where you live, you work, you normally shop, your bank might miss it but you won't. You'll say, I wasn't there.
Also, believe it or not, reading explanations of benefits statements that come from your health insurers. We were involved in a case with a 72-year-old grandmother from Upstate New York that on the same day, was billed by two laboratories on opposite sides of the country for a sperm viability test and a pregnancy test. Now, she found it because she was looking, but if people don't look, they would say, “It was a laboratory bill, I guess it's OK.” But you should check that.
You should also look into more sophisticated forms of monitoring that you can get from the reporting agencies as well as from certain third-party vendors like, for instance, Credit Karma, Credit.com, Credit Sesame, and there are many more. Plus the Consumer Financial Protection Bureau has been very, very aggressive in asking institutions to make credit scores more available and credit information more available. That's the second M—monitoring—so you know as quickly as possible.
The third M: manage the damage. Rather than having to take on this burden yourself, a lot of organizations now—your insurance company, some financial institutions, credit unions more than banks, and your employer—have programs that are available now to help you through identity incidents. In some cases, they're either free or deeply discounted as a perk of your relationship with the organization.
What you need to do is contact your insurance agent, your financial services rep, the HR department where you work and say, “Do you have some form of identity or cyber protection services?” Because now personal cyber is becoming a product that's now available. That helps you also deal with intrusions in your computer and things of that nature.
“Do you have a program? Am I in it? If not, what do I need to do to get in it? Is it free, discounted, or what do you need me to pay?” Those are the three Ms.
In general, my understanding is that identity theft insurance is usually fairly inexpensive.
It is fairly inexpensive. It depends, again, upon what are the other items that are part of it? What you want to make sure is whatever program you do get, they have the equivalent of the instant notification also known as me, not me. Which is, “Hey, Chris, someone is attempting to open an account in your name right now. Is it you? Yes or no?” You just have to make sure that it's coming from a legitimate organization that you know you've signed up for because sometimes, the threat actors will send out fake notices in order to get people to click the link.
You want that, you want dark web monitoring, and you want to make sure that they have a robust resolution program where you have real fraud experts that are dedicated to helping you resolve your problem.
I think I heard someone in a commercial refer to it this way: Credit monitoring is the security guard that says, “Hey, you've been broken into.” Identity theft insurance is the one that actually helps you out once you've been broken into.
That is correct. That is great. That was one of, I thought, LifeLock's best commercials. I listen. I think that they've got some fascinating stuff, especially now that they've teamed up with Norton. They're good at this. The reporting agencies now—many of them have excellent programs that include both extensive monitoring, as well as really, really first-class resolution programs.
You just have to do a little research. The important thing is, again, just like with an app, don't just download it because it sounds cool; actually, read reviews. Pay attention to the negative reviews. That's one thing. The second thing is to talk to people you know, see what they've done, what they use if they're satisfied with them.
I know one of the things for me, I was looking to switch to a different financial institution. One of my requirements was what kind of transactional monitoring do they have? How much can they slice and dice what they're doing? Is it just over a certain dollar amount? Can they tell me international versus domestic? Can they split it up by state? What can they offer? That way, I know immediately when a transaction happens. There are some accounts that I have—if there's any transaction on it, I want to be notified.
In most cases, they'll let you set the threshold. Some people say, “I don't want to know if it's under $250.” The answer is, “Oh, no, no, you really do want to know if it's under $250 because oftentimes, that's where they do the test charge.” The test charge could be as little as $1. There have been cases where there have been frauds where they will simply charge $9.84 to millions of accounts, and see what they can get away with. Then they disappear as fast as possible, and the money's gone.
I've always been curious about on the other credit card company's side, how robust their fraudulent transaction department is. There are times that I've been incredibly impressed and also incredibly unimpressed. At one point in my life, there was a charge at a local Lowe's or Home Depot very near me. Of course, I saw it come across and I thought, “Oh, maybe I lost my card because it was in the same city that I live in.” I'm like, “No, I've got the card with me.” I called my wife, she's got her card with her.
By the time I got done with her, I got a call from the bank saying, “Hey, we detected a fraudulent transaction at Lowe’s,” let's say. “We stopped it, and we're issuing you a new card.” I was like, “How did they know that that transaction was not legitimate?” It was within the range of purchases I would normally make, but somehow, magically, that transaction got stopped.
Remember that they are also working with services that provide them information on billions of transactions. When any red flag goes up on a series of transactions at a particular store, that's when they send out the alert to the financial institutions as well. They know, they're all looking. Let's face it, it saves them money. Especially if it's a credit card, they pretty much cover you.
The issue with debit cards is, remember, with a debit card, it's your money. With a credit card, it's their money. Even though debit cards are getting much more robust in terms of the protection they offer, that doesn't mean that you're instantly going to get your money back. It could take a few days, they could put a hold on your account. If that's money that you need—let's say it's because it's tied into your bank account for groceries, an education bill, a mortgage, an auto payment—that could really create a problem for you.
Yeah, that is one advice I've always given people. Your debit card is the last resort piece of plastic that you have. I don't even carry a debit card with me purely for that reason. I just don't want to risk like, “Hey, if your account gets compromised, can you afford to have no access to your bank for a week?” If you can afford to have no access to your bank for a week, fine, use your debit card. But if that's going to cause you to miss a car payment, not pay your mortgage, not pay your rent, or not be able to buy groceries, then you shouldn’t be using your debit card.
There are features now where you can lock your cards. You say, “Wait a minute, I can't find my card,” and you can lock it immediately. You don't have to kill it immediately. You just lock it and you may find it because, as you know, it's really a pain in the butt, especially if you have a number of vendors or creditors that are debiting accounts. Now you’ve got to tell them you have a new number and you have to go through the whole process again.
If you can lock it and find it, that's a good thing. Really, always use a credit card when you can. I have people that go, “Well, I don't trust myself, and at least with a debit card, I'm not going to spend more. It's in my account.” My response is, “It's time for an adult moment. Pretend your credit card is a debit card.” But how many people don't even remember the transactions they do?
That's why it's so important to have online access and transactional monitoring. You know what, take a few minutes out of your day, think about all the time people spend on social media and doing email, and just dedicate a small percentage of that to just making sure that you're financially OK. You'll be better off for it.
When people talk about portfolios and they talk about—the Pavlovian response, you say portfolio, they say investments. The truth is, we all have other portfolios that we don't automatically think about—our credit and our identity. Just as where we would hope that someone would be the professional manager of our financial portfolios, our investments, we need to be the professional managers of our credit and our identity. We have to build it, nurture it, manage it, and protect it. -Adam Levin Remember that the ultimate guardian of the consumer always has been, is, and always will be the consumer.
Yeah, you are responsible for yourself.We need to be the professional managers of our credit and identity. We have to build it, nurture it, manage it, and protect it. -Adam Levin Click To Tweet
We now have a shared responsibility because, again, business, government—not doing enough. The truth is that a business can do everything right. But if one person clicks on the wrong link, a business that was completely secure at 9:00 AM can become compromised at 9:01 AM.
Yeah. It's that rationale: the business has to get it right 100% of the time; the threat actor only needs to get it right once.The ultimate guardian of the consumer always has been, is, and always will be the consumer. -Adam Levin Click To Tweet
That's it. Now we have zero trust environments, which is very important because it's not like the moat is going to keep them out. You have to protect the data at the endpoints, including the person who's using it. People have to understand also, you don't mix your work device with stuff you do at home.
You do not give your children access to your work device. Because children—God love them, I have a nine-year-old—can become weapons of mass destruction both within the household and to your business. Simply because they're browsing, it looks good, they click on the link, or, “Wow, that's a cool headline about Disney,” or something else. It turns out not to be Disney; it turns out to be the bad guys.
Your kid should never have your password for your work.
There are some people who treat passwords as if they are kids.
Yeah. That's true. As we wrap up here, I know that you have spun your experiences at Credit.com, CyberScout, and other interests into a podcast. Can you tell the audience about that?
Yes. We have a new podcast called What the Hack with Adam Levin. I am with two of my compatriots, Beau Friedlander, who worked with me on writing the book, Swiped. We've worked together doing articles and white papers for about 11 years now. And Travis Taylor, who is our technology wizard. Of course, Travis has a very deep voice. He is referred to as the voice of God. Every time he speaks, you hear angels singing in the background.
The point of the podcast is, look, this is a no-shame zone, because so many people have fallen for scams or just had their information stolen as a result of breaches and leaks through no fault of their own. Whether someone falls for a catfishing scam or someone goes after a senior citizen and does the 419 scam, which is, “I'm your grandchild, I'm traveling in Europe, I've lost my data.” You get a phone call from someone that sounds like they're calling from Apple or Microsoft, but they're not, and the whole point is to gain access to your computer, or you get an email from someone that sounds like your boss.
One of the craziest stories was that a CEO of a portfolio company gets a call from the CEO of the parent company from Europe and asks this particular individual to arrange for a $200,000 wire transfer to be made to an account supposedly for the co-op of the portfolio companies in this particular company. He is absolutely convinced the person he's talking to is his boss, wires the money, and then finds out a day or two later it wasn't his boss.
We've had companies as big as Facebook and Microsoft where people have fallen for that kind of stuff. Luckily, they are Facebook and Microsoft and, as a result, they get their money back. But an awful lot of other organizations—some in the millions—don't get the money back because deep fakes have become so good—at least deep fake audio.
Our point is to come to our show, talk to us about it. We've had one fellow who was trolling QAnon sites and ends up being contacted by someone who presents him with a picture that he knows has never been published. It wasn't a compromising picture, but it was a personal picture between him and his wife.
There was no way they could have done that without finding a way to crawl into his network and get that picture of him. Someone else who was a journalist who was hacked by the Iranians had nothing to do with the fact that he fell for a sextortion scam. A woman was notified by two different states that unemployment compensation was being collected by her when she was not unemployed. Or an older woman who got a phone call and fell for something that really, the majority of people would fall for because it was so believable.
You look at all these different things, even a young person who's a gamer who thought he was doing something with a gaming site, turned out to be the wrong site, a wrong situation. The list goes on and on. There are different ways that people can be compromised. Our point is to come and talk to us about it.
“What did you do?” “How did you feel?” “What do you do in life, generally?” “How can we help you?” “What did you do after you found out you had the problem?” Then we talk about different ways that people can protect themselves.
It's a fun show looking at a serious issue, but telling people that while you need to take it seriously, we're going to take a light-hearted look at it. Make it as accessible as possible so you understand the fact that, don't be ashamed, don't be embarrassed. Because the only way that we help everybody is by everybody talking about it. You'd be surprised at how many people find out about threats they didn't even know existed—different kinds of ransomware attacks, different kinds of phishing attacks. It's done in a light-hearted way. It's What the Hack with Adam Levin, available wherever people get their podcasts.
Awesome. In light of that and the no-shame zone, have you ever been a victim of hacking, fraud, or scam?
I have clicked, on occasion, on the wrong link. Luckily, I have a lot of security software surrounding me that, all of a sudden, the alarms go off, the lights flashed, things are screaming, and I have access to a lot of people that can help me do it. I used to kid with Todd Davis who was LifeLock. His point was, “Yes, I'm going to publish my Social Security Number because I know I have a huge company standing behind me. People that are going to take care of it and I'm going to show you how you can protect yourself.”
That was my life with CyberScout. I always said to them, “You have to protect us against me.” We worked together, and it worked out very well. You always have to remember the fact that people aren't what they appear to be. People are going to send you things. You're going to really, really think that it's the right person, but in many cases, the wrong person with the right pitch. You have to be really careful about it.
Exactly. As we wrap up here, if people want to find you online, where can they find you? Where do you want them to find you?
Yes, I want them to find me. Adamlevin.com or What the Hack with Adam Levin. You can come and you'll learn a lot. You'll see a lot and you'll feel better about a lot of things. Always remember, our slogan is “Scaring is caring.”
I like that, “Scaring is caring.” We'll end with that and we'll link to all that in the show notes.
Terrific. I appreciate that. This was great fun.