Site icon Easy Prey Podcast

Protect Your Social Security Number with Kevin Roundy

Easy Prey
You have plenty of options, free and paid, to help you get control over how your social security number is used. - Kevin Roundy Click To Tweet

Once a data breach has taken place, your data can be sold and resold and resold again. It’s important to know how to proactively protect your personal information. Today’s guest is Kevin Roundy. Dr. Roundy received his Ph.D. from the University of Wisconsin where he developed tools by which malware can be analyzed both with detailed statistical analysis techniques and dynamic instrumentation. He has collaboratively developed threat detection tools and has offered several research publications and patents. He also has a background in machine learning and database systems. 

If a company is breached and they lose your information, they are legally required to notify you if there is any risk of financial damage as a result of the breach. - Kevin Roundy Click To Tweet

Show Notes:

Pay close attention to what the lost password process is for any account. - Kevin Roundy Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Kevin, thank you so much for coming on the Easy Prey Podcast today.

Hey, thanks for having me. It's a pleasure to be here, Chris.

Can you give myself and the audience a little background about who you are, what you do, and why you do it?

I'm a researcher at NortonLifeLock. I've been here for 10 years. I'm a father of four daughters, and I really became passionate about protecting people against scams. When I started, it was all malware and computer viruses that I was focused on. But over time you just see scammers shamelessly targeting very vulnerable people. We really need to work on ensuring our defenses and our awareness of these issues, so it's great to be with you, Chris, and help people be more aware of these problems.

Absolutely. To me, it's always interesting because I think there's this initial approach that you can solve all of this with technology. I'm not confident that that's the case.

For sure. As a parent, I think the conversations are super important, but sometimes we worry more about our parents who might be aging and maybe not aware of some of the scams that are targeting very specifically and, I'd say, very shamelessly as well. We need to have conversations with people and really be aware of what's out there.

I totally agree. One of the reasons why this podcast exists is to be able to be a jumping-off point for those conversations. We'll come back to that, as in we'll talk about some lead-ins to those conversations.

I was just kind of curious. You've got 10 years of experience in this space of how scammers and criminal organizations used worldwide events or local events as a jumping-off point for their scams.

I remember when I was a PhD student investigating malware, the big, hot thing was the storm virus, the storm worm. They were leveraging news stories about incoming hurricanes and taking that as a leverage point to get people to install software on their computer that would damage their file system.

They're just trying to leverage topical themes that maybe you could have top of mind that you were very curious about and want to be able to deal with. That was, like, 15 years ago now, maybe.

It's not really a new phenomenon, but they're getting smarter and smarter all the time. Now, they're maybe pivoting into things that are maybe more directly financially related in many cases. You can see that in recent years with scams that came out during the COVID pandemic, and you can see that now as they're pivoting towards things like student loan forgiveness programs that are going to be released in a month.

So student loan forgiveness will be a thing in some form or another. How is someone supposed to identify the difference between, “This is a legitimate government communication. This is a communication or a third party who has some rights or abilities to assist you—if it exists with this program),” versus an entity or an individual, which is just purely doing this to scam you?

It is hard because scammers are very smart. They'll start by emailing you, for example, but they could send you an SMS message. I think a lot of us around the country are getting all sorts of SMS messages of all kinds. Nowadays, people are trying to scam us in a variety of ways.

You also see just a Google search. You think you just search for student loan forgiveness and you might wind up on the wrong site quite easily, so you have to just use some best practices and safety guidelines.

Skip past the search ads that are at the top because scammers pay money to be placed at the top of your search results. -Kevin Roundy Click To Tweet

For example, if you want a student loan forgiveness program, you have to make sure you end up on a .gov site from the federal government. Skip past the search ads that are at the top because scammers pay money to be placed at the top of your search results  and make sure that you're just double checking that you're really on the official government website.

There are a lot of people who try to play middleman like you suggested, like, “We'll give you a better deal than the federal government. Don't go to your bank. Come to us, and we'll help you.” That's generally not a safe thing to do.

In most government programs, you're almost always better off going straight to the government and not getting a third party involved in the process, if they're even legitimate.

Absolutely.

For those that are not legitimate, what are they trying to do? What are they trying to get at?

It depends on the scam, I think, but a lot of them are just trying to get your financial information. For example, the student loan forgiveness. The most common thing that I'm seeing right now is they'll say, “We've got the service. We can give you better terms than your current creditor would. Don't go to them. Come to us, and we'll find a way to consolidate your debt.”

They convince you that they're going to have low payments and it's going to forgive a lot of the debt. Then they'll say to get you started, “We're just going to charge you a $500 or $699 fee.” From then on, it'll start to pay out at the regular rate. They get a big pay out from you right up front and then they have your information and can keep taking more money from you, and hopefully, it'll be too late before you realize that you've been scammed.

In other cases, it's a little different. For example, during COVID, and still now, you see a lot of unemployment scams. It was like a different problem for people to deal with. What would typically happen is the scammer would have your Social Security number and some of your personal information, maybe from the data breach, and they would just go and apply in your name for unemployment.

You might be working, actually, but then they go and claim the unemployment money for you, thousands and thousands of dollars. They're just receiving actual checks from the federal government. Then all of a sudden, you get a very scary letter from the IRS saying that you're engaged in fraud and that you […] all this money, and then you have to really deal with that whole issue. In that case, it's a little different. You didn't get scammed. They just took your information and went straight to the government.

What can you do to protect yourself from that? It's easy to say, “Hey, look. I'm good about not throwing out paperwork with my Social Security number on it. If my mortgage loan processor's data gets dumped in a breach and my Social Security number and enough information about me is involved in that, how in the world do I prevent someone from using it?”

For the Social Security number, I actually have some really good tools for you. You can go straight to the government websites. You can actually go straight to the credit bureau websites—TransUnion and Equifax, those folks—and set up a credit freeze. You can set up fraud alerts as well. Essentially what you're doing is saying, “You have my Social Security number, but no one gets to use it for any reason.”

Before the Social Security number gets used, there's a credit check, and that basically freezes access to it. There are a lot of great monitoring services, like LifeLock offers a monitoring service, and also makes the process a little bit easier for you by enabling you to do a one-click freeze on all three of the agencies, et cetera. You have plenty of options—free and paid—that can help you to get control over how your S

You have plenty of options—free and paid—that can help you to get control over how your Social Security number is used. -Kevin Roundy Click To Tweet

That's good at preventing people from getting credit in your name, but what about earning unemployment under your name? Do those go through credit bureaus before they issue?

They don't, unfortunately. Those are tricky. Part of the problem was you had 50 states, each one of them administering their own plan. They're all dishing out federal unemployment money, but through each individual state. Now the scammers would just go to whichever state was the easiest to apply in somebody's name, and you'd see a lot of applications for specific states.

The interesting thing there is if you'd actually gone to the unemployment site or government site yourself and set up your own account, now it's backed up and protected by your password and it's protected. It might text you if anyone tries to log in, they would need a message sent to your phone number, et cetera. If they beat you to signing up on the account, then you're in trouble.

I think in general, not a specific case, unfortunately there are too many cases like that. There are just a couple of situations like that. Perhaps a similar situation with the IRS tax refunds. If you have your account set up, it's very hard for them to then breach it. But if you haven't set up an account yet and they have your information, then that's where you're a little bit more vulnerable. You could create the account and then that will safeguard it for you.

It's kind of like create the account yourself, assuming that you're never going to need it, but you want to be the first one to create it so that someone else doesn't create a fake account on your behalf.

Absolutely. I think for the unemployment fraud, fortunately the states have learned from their early mistakes. We're not necessarily advocating that everyone needs to rush out there and create an account right now. Fortunately, the states seem to have figured that out, but it was very bad there for a year or so.

I know this is something similar for the US Postal Service. They had a service for monitoring mail to your account. You could get emails with all your packages being delivered and scans of the fronts of your letters, but anybody could set up one on your address as the first person.

Yeah. It's great to have shows like this where people are made aware of these opportunities because they're great opportunities. You just have to be sure that you try and take advantage of them because it'll protect you, first of all, and get other people to get to it before someone else does.

Let's go back and talk a little bit more about the data breaches and what not. We all know that there's a chance that, let's say, Target gets breached. We know Capital One got breached. Probably many, many others that have been breached that we don't know about and we may never know about. How are you supposed to monitor what's going on with breaches and knowing what data of yours is actually out and about on the dark web or even publicly available?

Just for starters, if a company is breached and they lose your information, they are legally required to notify you if there's any risk of financial damage to you as a result of the breach. So monitor your email inbox, essentially. You may have signed up for things with an old email you don't check very often. It's important to just be aware of that and sign up for those things.

Then often when there is a breach, the companies will offer you a free subscription to credit monitoring service. We offer LifeLock, which is a credit monitoring service that I use and believe in. They may offer you a license to that or to some other credit monitoring service. Those are great because they'll tell you anytime a new account is opened in your name, they might give you tools again for freezing the accounts so that you can't have these new accounts used with your personal information, particularly your Social Security number without your consent and awareness. All of that helps.

Then, of course, I think you also just need to be aware that with a lot of these breaches, a lot of times your passwords are being lost. I think a lot of us Americans and people worldwide don't always have the best practices in terms of not reusing passwords and things like that.

It's important to know the first thing that people can do when you lose your password. Let's say there's a breach and a hacker gets ahold of the breach. First of all, the hacker is the one who got in there and stole your information. They'll try and use it directly on that service. You mentioned Target. They might try and use it directly on Target if they manage to steal something from Target.

The next thing that they'll do is that they take that same account and password and try it on banks. They'll try it on pretty much any other web store. They'll just try it on as many sites as you can. It's an attack that's called credential stuffing because they're just stuffing that password into every website that they can possibly think of. A lot of the times, they'll get right into accounts that might be much more valuable than the one that they've breached. It's really important to try and use unique passwords.

Honestly, the problem that I think a lot of us have is we try to memorize all of our passwords. It's not possible to have good passwords that you can also memorize. You need some tools that can help you with that.  Password managers are terrific. Norton has a password manager. There are a lot of other great password managers out there. A lot of them are free and there are some paid ones with extra features as well.

Click to tweet: It's not possible to have good passwords that you can also memorize. You need some tools that can help you with that. -Kevin Roundy Click To Tweet

Password managers are great tools for you to be able to have unique passwords and strong passwords. You'd be able to plug them in very conveniently, either on your phone or on your computer, and keep it safe. They're generally very good about keeping them safe, even from other users of the same device.

I suppose for listeners, if you want to be scared, go visit haveibeenpwned.com, enter your email address, and it will tell you everywhere that your email address has been exposed in a data breach.

Yeah, it'll show up there quite a few times very likely, unfortunately. There are fortunately also other paid services in many cases, but also there might be some free services out there like Have I Been Pwned where you can just manually check.

LifeLock has dark web monitoring, so it'll be checking these places like Have I Been Pwned and other online marketplaces where people are buying and selling your usernames and passwords essentially, and they'll notify you if your data is in one of these dumps of usernames and passwords.

That's definitely worth the advantages of not doing it yourself, in a sense, is that you have access to all the emerging dark web markets and awareness of that. As opposed to me having to spend three hours a day checking my identity everywhere I possibly can.

Dark web monitoring is a great tool because it's very fast as well. These things move very quickly. If the hacker who managed to cause the breach will first mine those passwords for everything they can. Then they'll sell them off to third parties and eventually it'll make it onto places like Have I Been Pwned.

If you're monitoring these people trying to sell those accounts, you can get on it quickly. If you subscribe for a dark web monitoring service, you'll be informed right away, as soon as it hits these marketplaces. That way, you can start to very quickly maybe change the passwords that you need to change to protect yourself.

From your experience, are passwords and accounts showing up on the dark web before companies have announced that there's been a breach? Or is it a pretty good lag time?

I think that there were examples of that in the past, but when data breaches were big and newer, just finding out from the dark web markets, and maybe even the companies would themselves not even know there was a breach until it hit the dark web markets. Those are scary situations, obviously.

But I think, generally, companies have gotten better and they also know that they really need to notify their customers quickly as soon as they know there's a breach, because otherwise they're in for some pretty hefty fines. You can count on them to notify you as soon as they know, but it is certainly possible that they might not realize that the breach has happened until your passwords are already out there.

Which is why you never want to use the same password twice.

Absolutely.

Are you a fan of two-factor authentication, either SMS, hardware token, or Authenticator app?

Absolutely, especially if they're being reused, but even if they're not. If someone manages to breach a website, or a bank, or whatever and get your password, immediately they're going to try and use it. You can see this actually in the prices of things on the dark web.

People will sell usernames and passwords, but if they can sell it in a way that they can avoid the two-factor authentication, the price goes from pennies per account to hundreds of dollars per account in some cases. It's very important to have that extra layer of protection because it becomes very hard for the attackers to basically get the text message that's being sent to you.

Authenticator apps are even better because it is possible perhaps for them to manage to convince a phone provider to get the text message that's being sent by basically trying to steal your phone number temporarily. It's hard for them to do that and they generally don't even try unless it's an extremely high-value situation.

I definitely know people have differing perspectives and opinions on two-factor authentication. A lot of people will say if it's SMS, it's basically worthless because someone can port your SIM. If it's not an app on your phone, then it's not two-factor authentication. What's your position on that, out of curiosity?

SIM-porting attacks are scary. Essentially, if it's a very high-value situation—let’s say you have a lot of money and crypto coins, and you have your wallet, and you've got this two-factor authentication set so that it will send a text message to your phone.

If somebody knows that that's your account and that it's tied to that number, they might call Verizon and say, “Hey, I'm Kevin. I'm traveling internationally, and I lost my phone. I dropped it in the river or something like that, and I just can't do any of my business without it. I absolutely need to activate this phone. Here's my phone number. I bought this new SIM card, so please just pass it on to my new phone.”

What Verizon and these phone providers generally try to do is you should be going into the store and, like, visually authenticating that you are who you say you are before they will do this. Some of these sob stories can be pretty persuasive, so occasionally people might bend the rules, and all of a sudden, you've just lost all the money that's in your crypto wallet.

For an attacker to want to target you, it has to be like a big payoff for them in the end. If you're just a regular Joe and you're using SMS authentication, they have to go and actually talk to Verizon and have to have a lot to gain. You're really significantly increasing the cost for them to be able to do that attack.

Also, phone companies, I think, are getting better and better about trying to prevent the SIM swapping or SIM-porting attacks. It offers a very substantial level of protection. Do we love it? Do we love having to type in the number from our text message every time? No, we don't, but it's absolutely worth it to protect your assets.

I think I've taken the perspective of using the most secure method that you're comfortable with. If it's my parents, getting them to use an authenticator app on their phone might be a little bit more difficult than SMS. I've seen people with 15 or 20 hardware tokens on them at any time and that becomes problematic also.

Absolutely. Honestly, though, if you're really trying to go for the most secure solution, you need to pay a pretty close attention to what the lost password process is for the account. For example, there are plenty of accounts that give you an option to use an SMS authenticator, but if you don't have it handy, then you can still do it with an SMS message.

There are still all these other lower-tech options that an attacker can try and use to try and reset your password. Try to pay attention and make sure that you've configured things, not just to use the authenticator, if that's a really high-value asset, but also make sure that there isn't some lower-protection fallback that an attacker could take advantage of.

I hadn't thought about that, is always test the recovery feature and see what data is required, and how easy it is to access that information through the recovery process.

Yeah, because some of the recovery processes are like ask a few questions about your pet's name, your spouse's name, and your mom's name, and a lot of that's just not that hard to find on social media.

Just follow the social media account.

Unfortunately, yeah.

Earlier, we’re talking about having conversations with either our kids or our parents, and maybe our spouses as well our siblings, but kids or parents seem to be these kinds of fundamentally different conversations. How do we have those conversations with our parents about scams and identity theft in a way that's not demeaning to them?

There are all sorts of fantastic programs for older adults to help them not fall prey to scams and things like that. There are some organizations here in the Los Angeles area that we do volunteer work with, that have that calling to protect older adults from things that really affect them, like Medicare payments and other types of frauds that target them specifically.

You have a lot of widows and widowers among the older population as well. A lot of them are very lonely and they can fall prey to romance scams. I think it can be a challenge, but I think it's helpful to have resources that you can point them at. You can look for resources on government sites and also organizations like Wise, which has all these great flyers and information about different types of scams. You can use that as a conversation starter.

I think whether it's with your parents or your kids, just the conversations are really helpful. Like you said, you can't just rely on technology, like, “I've got AV on my parents' computer.” You have to talk to them about these things because they're going to be targeted by very persuasive people who are trying to scam them out of their whole life savings in some cases.

I think you really have to adapt to where they're at, what their situation is, and talk about the things that are most relevant to them.

You had mentioned earlier the father of four daughters.

Yeah, I did. This span ranges. I've got one who just started college and I've got an elementary school daughter as well. They're all in ages in between. Again, you want to tailor the conversation to their age and what they're doing. I think in general, starting early is good.

I remember we helped develop this framework for these conversations with our kids with the National PTA that’s called the Smart Talk. It basically gives you like a guide of all sorts of different types of activities your kids are going to want to engage in online in their digital life, and a framework for you to talk about best practices, how to keep their passwords safe, how to be aware of privacy risks when they're using social media and things like that.

Maybe I didn't learn my lesson with my oldest, but by the time the youngest came around, we were working with the National PTA, and I went through this whole exercise with my daughter who was eight at the time, and it was fantastic. She was excited about it. She's like, “Oh, that's cool.”

In retrospect, I think when your kid's about to get their first device, it's like, “OK, here are the rules of engagement for this thing. Here's how you use it safely” before you just hand it over. That's a great time to have a conversation, but it's never too early and never too late. You just have to tailor the conversations to the things that are most relevant.

Your kids will surprise you with the stuff they do. I remember Snapchat was new and one of my daughters—there’s this feature on Snapchat, like these streaks of conversations, like how many days in a row if I texted my friend?

You can't let that go back down to zero. We've gone up to like 300 days by now. We've got to make it to a year. Kids will do the darndest things. They're like, “My family's going on a week-long camping trip. I'm not going to have access to wifi, so let me just send my password over to my friend and she'll keep my streaks alive.”

That's a really bad idea. Your friends might not be their friend in a year or something and now they can spy on everything that your kid's doing. They may not be as good a friend as they thought. The kids probably use that same password for absolutely everything they do online. They just gave their friend the keys to the kingdom.

It's really important to have these conversations and keep having them, sometimes over and over. My kids don't listen to me as much as I wish they did sometimes. I think it's really valuable to just keep those lines of communication open. Don't feel afraid to talk about these things, and you've got to be on top of it because they do the darndest things.

I can imagine that, “Oh, dad. You don't know what you're talking about. I know way more about this stuff than you do.”

Absolutely. They're born that way. Actually when they're young, they're pretty receptive and open, but some of the things are hard to convince them to do, maybe because they think of me as too nerdy to follow some of my advice.

“I can't use a password manager, that would be ridiculous.” You’ve got to explain to them why and help them, and eventually they start to listen to you. You’ve got to have those conversations for sure.

The unfortunate thing about some of these apps and things, while they're designed to retain attention and things like that of rewarding user behavior for continuing to use the application, it also unfortunately rewards sharing your password with somebody when you're on vacation and have no internet access.

Yeah, that's a very unfortunate side effect. It makes sense that they're going to try and make these apps as addictive as possible, so your kids need to maybe understand these risks. If you know your kids are likely to do this, when you go on your next camping trip, just tell them, “Hey, you can use my hotspot while we're up there. Don't share your password. We'll find another solution for you,” because it can be surprising.

To me, I couldn't grasp how important that really was to my 12-year-old daughter at the time. It was really important to her and it would've been tragic to lose it. “OK, fine. For this reason, I'll let you have a few minutes of wifi at some point. We’ll find a way to make it work. Please don't share your password.”

I like that perspective because then you're on your kid's side. You're not being the one like, “I'm here to prevent you from having any fun in your life, but let's figure out how to do this in a way that doesn't put your privacy and security at risk.”

Yeah, you don't want to be a Doctor No. I think it's really important to keep these communication lines open with your kids. For example, one of the things that got me really passionate about security is one of my sisters actually went through a really difficult relationship. There are a lot of abusive relationships out there and people will start to use spying apps on each other and people will use spying apps on their kids. Parental apps, a lot of them are designed for spying essentially.

I think you have great tools even built into Apple for monitoring your kids and starting conversations, but I think you need to use them as conversation starters. If you're going to use one of these parental supervision apps with your kids, it's got to be like, “Hey, I'm buying you a phone. Just so you know, I'm going to be monitoring this and that and that.” Be totally honest. Tell them exactly what you're going to be looking at. They know. It's not a secret.

If you do it in secret, then you can't talk about it. You have to have these conversations. You'd see all of a sudden like, “Oh no. My kid’s being bullied, but I found out by spying on him without their knowledge and consent.” Now you're going to have a very difficult conversation or no conversation at all, which would be even worse.

As long as they know that their phone comes with strings attached, mom and dad need to know you're safe, and these things aren't secret, it could be a very valuable tool, but the conversation is if you do just one thing, it has to be the conversations.

Then if you're going to use tools, then you have to be way upfront with them and talk to them about it. Say, “This is exactly what it does. I can show you what I see.” I think it's even better just with your kids. What we try to do, my wife and I, is, “Hey, you have a phone. We're going to check on it once in a while. You have to tell us what the password to unlock it, and we're going to occasionally ask you to hand over the phone, and we're going to take a look and make sure that everything's OK.”

They don't love those conversations, but as long as you are upfront about why it matters and you talk to them about the kinds of threats that you're worried about and do it in a loving way, then they'll accept it.

It's a little challenging. For you and I, the mistakes that we made in our youth, there's no evidence of it or hopefully there's no evidence of it. But these days when kids make mistakes, it's online. It's permanent. It goes with them, and it exists out there in the ether.

The stakes are really high and a lot of our kids grew up on social media. They admire all these influencers that are just posting every detail of their whole life for everyone to observe, and they're trying to make a little bit of money by just sharing their ups and downs and all these things.

These influencers are open to a lot of abuse and your kids don't realize that. They want to mimic them. They're like, “Oh, I'm going to be like them, and I'm going to post all this stuff and anyone who wants to follow me, the higher my follower account is, the better a person I am in this life.”

They need to understand that you need to have conversations about that with them. Social media is a great tool for communicating and staying in touch with friends who love them, and who are supportive, and that are going to help them feel connected and be happy.

There's no reason why your 10-year-old needs to start posting all the stuff to the whole wide world and letting anybody and anyone follow them online. They're just going to be open to torrents of abuse. All kinds of things that they wouldn't think of and that you wouldn't think of. It's really important to just have those conversations with them and be aware that once you've put something out there, it's there forever.

There are people who are not as friendly as they seem. There are all sorts of catfishing going on where people will pretend to be a kid your age, but actually it could be an old man in Minnesota just preying on somebody. It's very difficult for your kids to be aware of things like that.

Kids are good and bad and very trusting, and as parents, it's our responsibility to guide them in that trust.

Absolutely.

Before we wrap up here, are there any other specific resources that you'd like to mention?

I'll just reiterate. If your identity's been breached, you really need to sign up for a credit-monitoring solution. There are great tools out there for you. Obviously, I'm a fan of LifeLock. I've contributed to it and done everything I can to make it the best product I can, but there are a lot of great tools and resources for you as a parent, as you try to talk to your kids. Again, the National PTA's Smart Talk is a great framework for those kinds of conversations. In general, just stay safe out there and have conversations with your kids. I think it's really important.

Awesome. We'll make sure to link to each of those resources in the show notes so people don't have to figure out the long www-dot-waytoomanycharacters.

Absolutely. Thanks, Chris.

Kevin, thank you so much for coming on the Easy Prey Podcast today.

 

Exit mobile version