Taking online quizzes can be fun and entertaining. Clicking on links in emails and DMs is just plain convenient. Unfortunately, both of these can put your identity at risk for theft. Today’s guest is Patrick Glennon. Patrick has over 20 years of experience in banking and consumer identity protection with roles at companies including JP Morgan Chase, Core Logic, Arthur Anderson, and eBates. He has built software and infrastructure teams from the ground up, managed not only data center cloud migrations, but also managed transitions from legacy to modern engineering standards.“Distrust every link that is sent to you.” - Patrick Glennon Click To Tweet
- [0:55] – Patrick shares his background and his current role at IdentityIQ.
- [2:15] – We are putting more and more of our personal information online.
- [4:06] – Credit card numbers can be used for more than purchasing things with your funds.
- [6:06] – There is a wide variety of ways people can use your identity and every day there seem to be new ones.
- [8:06] – When something happens once, the same information can be used across platforms and accounts.
- [9:26] – Online quizzes can be used in surprising ways.
- [10:52] – There is some organization to the ways scammers take information.
- [14:56] – There’s nothing we can do to prevent people from trying. But there are many things we can do to help prevent them from being successful.
- [16:08] – Mix it up and use different security questions on different sites.
- [17:48] – Don’t click on links in emails or texts.
- [19:09] – Shred personal mail and credit card offers from the mail.
- [21:44] – Your information is probably out there.
- [23:12] – There are so many ways people can get information and then have full access to tons of things.
- [24:47] – If one thing is compromised, assume that everything is and take the steps to stop access.
- [26:54] – Depending on what happens, it could take weeks or even months to have this resolved.
- [28:57] – Time is a big loss for many victims, but there is also an emotional toll.
- [30:53] – Move to authenticator apps rather than text message two factor authentication.
- [32:12] – Young people will have a harder time recovering from identity theft.
- [33:13] – You don’t just want to be educated for your sake.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- IdentityIQ Website
- IdentityIQ Facebook
- IdentityIQ on Instagram
Patrick, thank you so much for coming on the Easy Prey Podcast today.
It's a pleasure to be here. Thank you for having me.
Can you give myself and the audience a little bit of background about who you are and what you do?
I'm the Chief Technology Officer for IDIQ. We are a company that specializes in providing identity theft prevention and recovery services for our member base, which span across a number of different sorts of areas within that tool set. Personally, I've been involved in a number of different industries that are exposed to this arena in banking, mortgage, and in some other industries.
That kind of exposure and some particular exposures I had within my family brought the subject of identity theft and the growing concern that it is nationally to my attention. Then just through a personal contact at IDIQ, we expanded the conversation and I was fortunate to be able to find a position over here to come and help out.
That's awesome. Let's define a few terms because often I hear things in commercials they say are identity theft and I'm like, “I don't know if that really is identity theft, at least in my mind.” Let's talk about what you consider as the elements of identity theft?
Sure. The real challenge there is that we are putting more and more of our personal information out there online. We're putting our date of birth online. We're putting information that can lead people to figure out where we live. We've got our address information.
As more and more sites that we are subscribing to are containing and hosting this information, we are finding that both publicly acknowledged breaches and breaches that aren't necessarily publicly acknowledged are getting that data into the hands of people who are trying to use it in order to pretend to be you for the purposes of getting access to credit, getting access to loans, getting access to credit cards, or new phones, or other things that they can purchase in your name and leave you exposed.
When we talk about identity theft prevention, what we're really talking about is spotting the scenarios where someone has got ahold of that information and is now using that information to try to obtain for themselves something in your name. Usually, obviously, financial is the key thing that we're trying to get there.
Would you consider someone finding credit card data on the web and using a card that's been issued in my name by me intentionally, but they get the card number and use it as identity theft or is that just kind of credit fraud?
I suppose it could be credit fraud, but it can't be used as a scenario where the credit card number can be used to authenticate you somewhere else. I guess it depends on how it's used. Either way, you're in a scenario where someone has utilized some aspect of your identity to get access to purchase things in your name or to open credit lines in your name. Oftentimes, you can use a credit card number as an identification mechanism, or you can use it to open up another credit card, or you can use it for these other types of things that can secure it.
In general, we think of someone who's got your credit card and is spending money as being just credit card fraud, and Visa and Mastercard have programs for that. There is some crossover in there, and there could be some bleeding.
I always cringe a little bit when I hear credit card fraud being considered identity theft because that's opportunistic. They don't really know who I am or know anything about me. It's just a credit card number that they're just trying to use and that sort of thing. Let's kind of cover the basics here. How does identity theft actually happen? What are the elements of that?
Every day there's more kinds of approaches and different mechanisms people are using. We find everything from somebody getting hold of your name and address, and then submitting a change of address in your names, and redirecting credit offers to a PO box, and using those credit card offers to open a credit card in your name and get approval.
We see things like SIM swap. Somebody gets access to information that maybe you use to your security questions that you put on Facebook. Somebody gets ahold of that, or gets into your Instagram account and gets those, and maybe then calls your phone provider and say, “Hey, I want you to switch my phone over to this other SIM card.” Now they've got text messages coming in that they can use to authenticate themselves at your bank or at your credit card company.
We see things like getting enough basic information about your Social Security number, name, address, and date of birth. Getting those types of pieces of information can enable someone to open loans in your name, to apply for credit in your name, to buy a car, buy a phone, things like that. There's just a wide variety of different approaches and tactics that people are using, and every day there seems to be a new one.
Speaking of new ones, what are some of those emerging trends? Where do you see things becoming less common and where do you kind of see things going?
SIM swap is a new, fun one. I've had a family member very recently get exposed to this, and that's what I mentioned before. Somebody managed to convince the phone company to change your phone number to redirect to a different SIM card. As I said, as more and more of us are using multi-factor authentication in our lives, text messages are a common mechanism for that.
PayPal now has a one-time code that they'll send you via text message. I don't even have to know the password, or you have any clue what the password is to PayPal. I had your phone number redirected to my SIM card. I can login and start purchasing things via PayPal in your name.
Things like that are kind of emerging out and there's all the traditional ones that we know about on lists. I'm sure you talk about this on your podcast all the time. There's dark web lists that go around—some hacks that were 10 years old where your information is out there. If you're not one of those people who changes your password, changes your usernames often, those can still be kind of recycled.
It's a challenge to keep up with them, but it's something that's kind of fascinating and something that's kind of rewarding to be able to kind of go out and be able to provide a service out there that's helping people be aware of when this is happening to them, and in the worst-case scenario where someone is successful, we can see a cascade happens sometimes.
Once those things start happening, once the first one falls, you can use those same techniques across multiple different exploits to get more and more data. Being able to provide a service where we can help people navigate through that, get recovered, get things locked down so that their exposure is minimized, and then help them work with those credit bureaus, their financial institutions—in some cases, big-box vendors like BestBuy, and things like calling people like that and saying, “Hey, this is a fraudulent scenario”—those are things that we're excited about helping with.
Do you see more criminal organizations getting more sophisticated in terms of merging data? We got a little bit of data from here, a little bit of data from here, a little bit of data from there. Alone they're not particularly personally identifiable or they're not particularly alarming, but once you start patching them all together, you've got something.
We talk a little bit about the security questions. That's another big one: making sure that people are using different security questions on different sites. Again, you've got somebody who's got a phishing email that's going around that says, “Hey, your buddy wants you to fill out some information on the survey.” Then that clicks in and suddenly they're in your Instagram account.
From there, they've got access to these three questions and they take those three questions and merge them with some other information that maybe they got and that they're able to do a merge on through some older dark website that gets an email address and some other information. Maybe it pulls in a parent's maiden name and then they're on the phone again redirecting SIMs.
It's absolutely the case where there are scenarios where these kinds of mergers of different information sources are proving vital. The fact that it's so easy for us to go out and do these dark web scans and tell you your name, email address, address—these things are all out there. They're being handed around lists right now.
If it's that easy for us to be able to kind of go out and spot these things, it's really easy for other organizations to go out there and do that and things. You've got organizations that have sprung up that are kind of like customer service, if you will, for people who are running larger-scale phishing attempts or running larger-scale scams across broader audiences. We'll do things like trying to arrange extortion payments through a sort of third-party entity that acts like a malware or ransomware type of event.
There's absolutely coordination going on. There's absolutely little weird cottage industry springing up to service folks who have been exploited and the folks who are exploiting them. It's an interesting space.
Criminal syndicates as a service.
Yeah. The NSA just shut down a big one awhile back that was involved in some ransomware activities, and they shut down that middleware company that was arranging bitcoin payments out to the actual exploit syndicate, if you will. It's a fascinating space. It's kind of terrifying to watch it all go down and knowing that everyone's getting targeted.
Your age doesn't matter—whether you're a private citizen or a company, whether you're part of a utility creator, or whether you're part of a bank—everyone’s getting targeted. The methods are getting more sophisticated.
I think that's hard for some people. Some people who have contacted me about, “Hey, I think so-and-so are trying to grab my identity. They’re trying to hack me, whatever.” They very much think it's about them in the terms of someone intentionally targeting Patrick. I'm pretty sure they're targeting everybody, it's just that Patrick happened to be the one who picked up the phone or read the email, so it appears like they're targeting us individually, but they're just going after everybody.
I got a call from my wife that she had an email out that there's a new recurring charge that was going to get ripped for $400 for some antivirus malware provider from Best Buy. I'm like, “That can't be right.” She said, “I'm busy,” and she's running around, and so she's forwarding this thing off. She gets me on the phone with the person that she called from the email and he's like, “Yeah, I just need you to download this. I'm going to take you to this.” I'm like, “Why am I going to use remote control software?” Then I'm just talking because now I'm curious how the scripts kind of go. “OK, I got that downloaded. Now what do I do?”
My wife and I kind of have this game. Just before we started recording, she's like, “Oh, hey, honey. I got an email saying I need to reset the password to my PayPal account.” She's like, “I don't have a PayPal account. What should I do?”
Definitely do not click here.
I'm like, “Absolutely. Click on the link and then tell them, ‘Hey, I've already gotten locked out of my account. What do I do?’”
A friend of mine's mother had a hacker, called him up and was again following the script, trying to get her to download software on her computer. She's not very computer-savvy so they spent about two-and-a-half hours before they finally gave up because she couldn't get the software installed. I was just thinking that's one of the few times where you almost kind of feel sorry for the guy at that point. He put in his time and he didn't walk away with anything, through no fault of his own.
It's one of those times where it was advantageous that the person was not mediocrely computer-savvy because that is kind of their target audience. They don't want people so non-computer-savvy that they can't install something, but they don't want someone computer-savvy enough to know to get a refund on your credit card. They don't need to access your computer. You don't need to download any software.
Yeah, that is right.
Earlier we talked about different answers to security questions, and it makes me think—I can think of a bunch of them—what are some of the things that we should be doing to reduce the potential risk for identity theft? I don't think that there's anything that we can do to entirely prevent people from trying, but what are the things that we should be using to at least try to reduce the likelihood? Obviously, you're talking about different answers to different security questions.
Whenever I see those go by, they're always like, “Hey, what sign are you? What month were you born? If you were born in this month, put your date in.” Some are like, “Hey, what are the last four digits of your Social Security number?”
People will get in a comfort zone and start handing out information online pretty quickly. I think that's something to be very careful of. I think when you do have scenarios where you want recovery questions and you want security answers that you can use, you want to use different ones on different sites. You want to have a scenario where you're not using your father's middle name or your mother's maiden name for every single thing that you have out there, because once that piece gets out there, then everything is exposed.
Often, when our parents are older, they may be using their maiden name on their Facebook account. If you look at my Facebook account, there's my mom and she doesn't use her maiden name on her Facebook account, but I've definitely seen that. You don't even have to figure that out. It's already given to you.
Social engineering wise, it's one of the easiest things to get out of people. You walk down the street and say, “Hey, I'm from your bank. What is your mother's maiden name to verify your identity?” Some will probably tell you because you're so used to getting those questions asked, and you're so used to giving the same answer.
I think people even inadvertently, even aside from the quizzes—gosh, I've seen the quizzes. “What was your first school you went to? What was the name of your first pet? What was your first car?”
“What are the last four digits to your Social Security number?”
Those are sometimes things that people share inadvertently outside of the quiz. They're just reminiscing about their first car. It's like, “Oh, no. Don’t do that. Don't do that.”
You're on a forum here with 100 people looking at this. Most people aren't super strict around locking down who has access to their posts and who can see them. You're absolutely right. People will routinely and casually hand out very sensitive pieces of information without giving it much thought, unfortunately. That can be, again, combined with other bits of information to really get relatively unfettered access to your identity and use it to do all sorts of things.
We talked about security questions. Another one is just the obvious one that we all talk about all the time, which is don't click on something that gets texted to you. Don't click on something out of an email. If you get an email from your bank that says, “Click here to change your password,” don't click on it. Go to your bank website directly.
If someone is asking you to take a quiz, don't click on the link out of the text message if you don’t know the number it’s coming in from. Just distrust every link that is sent to you all the time. It just needs to get ingrained into people's bones until we stop sending people links to click on.
I know that one of the things that I tell people is, if you're in the US, make sure that you have the US Postal Service informed delivery turned on. That's where the US Postal Service will scan your mail—the outside of it, not the inside—on a daily basis and tell you what's getting delivered. I've heard of scammers setting that up for houses that they're targeting so that they can get the list of what's being delivered. That way, they know the day to go in to steal the credit card offer or the billing statements.
It's one of the reasons that our company and some others do also provide the NCOA, the National Change of Address lists out as well, so that we can give you an alert if someone's trying to change your address. It's one of those things that's relatively easy to do without causing any undue attention is to change.
Put a change of address in for Patrick. I used to live at this address; now I live at this address. Now all the credit cards are over there. It's super easy to do, to get these things done in bulk again by groups that are just seeing what they can do to try to change these things and get something out there. The boxes get shut down and all that stuff, but it's just a cyclic pattern of one particular attack profile or vector.
Once someone has collected the personally identifiable information from us, whether they've gone on the dark web or they've dumpster-dived through our trash.
Treasures are really important. Don't just throw them out. People just take the credit card offer without even opening it and tuck it into the trash. That's a great way for someone to go get a really nice credit card offer.
I'm a big fan of shredding anything that has the name of a company that I do business with or my name on it.
Which means I pretty much shred everything that comes in.
Yeah, it's good practice.
Once someone has gotten that personal identifiable information—name, address, phone number, maybe they've gotten our Social Security number, or mother's maiden name—what can they do with that information?
Like I said, there's a number of different paths they can take with that. With just a few pieces of this information, we can open a credit card in your name. We can go out and obtain a loan in your name. If you can guess at a couple of security questions and have a little bit of address or personal information, there's a SIM swap thing where, again, we can get access to your cell phone and authenticate your text message authentications.
The reason that most people in this industry look at credit alerts and credit scores as a means of doing this is because people's information is floating around in giant buckets of information from the big Yahoo! hike of the early 2000s to the credit bureau itself, […]. Your information is probably out there. It's probably sitting in a list somewhere. It's probably getting handed around and it's probably getting resold.
When we say we're preventing it, what we're really doing is we're making sure that you know the minute someone tries to do something with that information—that’s the key bit. That's the point at which your information being out there actually means something and it's actually dangerous to you in terms of your time, your finances, and your reputation. All those types of things can be hijacked in a number of ways.
Creating Facebook profiles as a means to go and do social engineering on your friends. Creating Instagram profiles to go out. The one I was just seeing the other day was one where people get access to one person's Instagram account, do a slight rename on it, start messaging all their friends. Something I was hinting at earlier where someone says, “Hey. I want you to answer a survey about me. I'm going to send you a text message in a few minutes.”
Then you get that through your Instagram messenger and then a few minutes later you see a text message, but it's not from your friends, just from someone. You're like, “OK, there's my survey link,” and you go click it, and then your Instagram profile is compromised. Now, the jumping off point for the next set of compromises are you've got security questions, you've got other things that can be then used and collated with other bits of information.
There's so many different ways that somebody can take minimal amounts of information and gain access to credit, to cash, to phones, to cars, to loans, to all sorts of things that can be done in your name and sometimes even just reputational. If you are a media person just like the Twitter CEO, he got SIM swapped, and they basically got into his Twitter account using his two-factor authentication on his SIM and started posting just the most vile, racist, misogynist stuff on there. There's a lot of reputational damage that comes. It wasn't financial, but it's also harmful.
How hard is it to unravel identity theft damage? I know I was telling you before we started recording that a relative of mine was a victim of identity theft. This is probably 25 years ago now and it took years and lawyers to unravel each element. It took years to unravel. How much of a hassle is it? How much time does it take to unravel these sorts of things?
It takes a lot of time. If you think about it, once this has happened again, you want to not just be mindful of the specific exposure that you've noticed. You want to assume that all your other things are compromised as well so you want to immediately lock down all your banking cards and freeze your credit. Once you freeze your credit, you've got a problem there, because once your credit is frozen, you can't open up a new line of credit. You can't get a new cell phone. You probably can't upgrade your cell phone. Anything that's going to go off into even a soft credit pull is going to fail.
While you've got your credit frozen, while you're trying to keep this exposure from happening, you're shut out. Then you want to go to all your financial institutions, your banks, your credit cards, and your retirement savings accounts. You want to change all your passwords. You want to change your username if you have access to a username that's not your email address. You want to change your security questions. You want to go through all these things.
Recovering from a SIM swap, that's at the front of my mind because I mentioned a relative of mine recently was a victim of that, we spent two days just getting the SIM reassigned to his card and to his phone. That's the very first thing that we needed to do in order to start recovering from the theft of that identity and the exploitation of a couple of financial accounts.
Depending on what's been done, if you're doing it on your own, you can be looking at a lot of time to get everything on. It's difficult on your own to think of every single thing out there that you might want to go through. We have, and not just us and there's other folks in our space, credit bureau certified, credit recovery specialists. Their job is to be trained to help you think through these things, identify what kind of next steps need to be taken, and help you through. We have a million dollar policy for helping people recover cost-wise from this sort of thing if there's attorneys needed, if there's other fees needed to come back from this.
You can be looking at weeks, you can be looking at months, depending on what specific things have been done. These things can happen so fast.
During that time you may not have access to credit cards and bank accounts.
With your credit frozen, you can't get new ones. The things that you want to do to stop the bleeding will leave you a little shy on cash and credit in the short term. Hopefully you've got some folks around you that can help you through that. It can be challenging to do that, to recover from that on your own, and as I said, that's assuming from the beginning that you were alerted in a reasonable amount of time that this was happening and that you responded in a way that was swift and efficient in terms of doing things in the right order that would help you lock them down.
Start off with your financial institutions. Lock everything down there. Lock your cards down, then go into a credit freeze. Then you start to go and try to recover all your accounts. If you leave one of those open and you don't get to it fast enough, it will do a lot of damage in a very short amount of time.
I assume it's just as difficult if someone has taken out loans, credit cards.
The process of trying to convince those entities, “No, it wasn't me. I'm a victim of identity theft.” “What department do I talk to? What information do I need to provide them?”
Yeah, and they're going to be looking at you because there are people who go and try to get out of loans and try to get out of home purchases and try to get out of auto loans and set you up with the same sort of thing. They're going to want to be like, “We sent you a multi-factor authentication. You responded. We sent you this kind of confirmation to your email and you responded. This was you,” and you're like, “No.” It can take some time and it can take some support.
Where you and your competitors come in is the know-how of who to contact, where to contact, what the processes are, and it's your time as opposed to my time.
Absolutely, yeah. Time is a big factor of it, too. Even if you manage and if you're lucky enough to get off without much financial exposure, just the amount of time it's going to take out of your life to get back on the stable round. As I mentioned, helping my own relative, it took two days just to get the phone number back and prevent further damage, and then we had to go back through and do all the other items to recover. It is a challenge, it is a time-suck, it's a financial expense, it's a reputational problem. All these things. It's why we're here while we're in this business.
It's all the heartache and all the emotional drama—the feeling of someone's been in my accounts, messing with my stuff.
What have they said to my family and friends? What have they done to me financially? What other things have they gotten into with the bits of information that came from the things that they were able to get access to? As I said, once they're in, they'll go through things fast.
It's got to be a challenge trying to figure out if they've used your identity to create non-credit profiles out there. Opening up social media accounts, using your credentials, and names, and information. It may be awhile before you notice that sort of stuff surface.
Indeed, and again, creating new mechanisms to authenticate themselves outside of the ones that are your normal ones is another way to kind of to lock the back door once you've snuck in. The SIM swap is a great example that once they're in on that, they've got your preferred authentication method there with multi-factor authentication.
We're putting out stories on our own sites that are telling people it's time to move into authentication apps and not a text message two-factor authentication requests because if you get SIM swapped there, or if somebody manages that, at least it's going to your authenticator app, it's not going to just a random text message. There's things that as these things evolve, you need somewhere to go to get information like your podcast, or blogs, and stories. You need to be able to stay on top of these things and make sure that it's not just you.
For me, it's like we all have family members, both elderly and young. Both of them can be vulnerable to campaigns that are unfamiliar to them in terms of SIM swaps or fake credit offers, in terms of other things that people say, “Oh, this is great. I've got a credit offer here that's going to turn my life around.” And it's not a credit offer and it's tricking people into giving out the kind of information you would need to get a credit offer but really you're just handing your information off to somebody. Young people get very susceptible to that as they're trying to build their credit and trying to build their own financial life going forward.
Unfortunately, those that are most vulnerable and precariously on the edge are the most impacted by identity theft. Their ability to be able to recover and to freeze all my accounts. I've got these other accounts that I can live off while we sort this out. Most people don't have the buffer to live for a few months where their credit gets sorted out, and unfortunately, that's not the case. I guess that would be one of those things that you can do to mitigate the risk to make sure that you have money set aside not necessarily all in one place.
Different parts of the mattress?
Not just under the mattress. Put some in the closet, put some in the kitchen, some in the freezer. Are there any other parting wisdom that you want to share before we wrap up today?
I guess that just following up on that last thing too, is that you not only want to be educated for your own sake and for your spouse's sake, you want to be educated for your parents’ sake and you want to be educated for your children's sake. I've got a 21-year-old and a 16-year-old, so I've got somebody who is brand new to the credit world, and I've got somebody who's about to enter into it. I've got elderly parents. My wife's got elderly parents.
We've got scenarios there where we've got folks who are at risk. We want to be educated to make sure that we're helping them and that we're able to provide them with some level of protection too, whether that's through a family plan, or through something like what we offer, or whether or not it's getting account, or through some of the things our competitors are offering as well.
You want to make sure that you put your own mask on first on the plane, but definitely help the little ones out, and help your parents out, and any other relatives you have in your sphere that you want to make sure are protected from this.
Awesome. How can people find out more about the company and the blog?
Sure. IDIQ.com is our website, and if you go directly to the www site, there's places we can enroll, but there's also just sort of articles and things that are visible there. That's probably the best place to go and get some information about what kind of plans we offer, what kind of services we offer, as well as just a sort of a view of the kinds of things that you're telling your audience as well. What new things are popping up, how do we protect ourselves from it, how do we recover from it, and what kind of tools do we look at to do so.
Yeah, that's a challenge. Even if you've listened to the podcast today, the attack vectors will have changed since we recorded this. There'll be some new threat that you need to be aware of.
Patrick, thank you so much for coming on the Easy Prey Podcast today.
Great pleasure. Thanks for having me.