“The way you break something is not the way you fix it.” - Ira Winkler Click To Tweet
Information security is not just technical. There is a human aspect involved and fixing that is more than just identification and awareness. Our guest today is Ira Winkler. Ira is the president of Secure Mentem and the author of the book You Can Stop Stupid. He is referred to as the modern-day James Bond, given his skills both physically and technically in infiltrating organizations.
Today, Ira shares with us many of his personal and professional experiences in the area of cybercrime. His valuable tips and information can change how you look at potential threats and scams. He is an expert in how to make people easy prey and how to prevent people from being easy prey.
- [0:51] – Ira graduated college as a psychology major and the only job he could get at that time was in the National Security Agency. This led him into the computer field within the military.
- [1:31] – He always wound up working on the human side of things.
- [3:03] – Ira shares his background and how he became a world-renowned penetration expert, which is a fancy name for a hacker.
- [5:21] – The way you break something is not the way you fix it. This is an important concept when looking at psychology.
- [7:01] – Psychology helps Ira exploit others but it is also important to understand when helping them.
- [7:55] – Telling someone the problem and then telling them not to fall for a scam doesn’t work.
- [8:50] – Ira and Chris discuss the recent Twitter hacks. Ira says that in this situation, anyone could have done what the hacker did because it was easy. You just have to have the questionable ethics and morals to do it.
- [9:41] – A lot of times, hackers and criminals are hired in various agencies including government and law enforcement because of their skills. Ira says this is very backwards and gives examples why this is “horrendous.”
- [11:58] – How do we get people to not fall for various types of scams? Ira says it is a very multi-layered process and gives a few examples of what can be done.
- [13:02] – Ira uses a comparison with terrorism attacks and how we can use that knowledge to help us protect ourselves, plan for a problem, and how to respond.
- [15:59] – A lot of sites other than banks and credit card companies are putting in security measures to keep people safe. But a lot of people get annoyed by security protection’s inconvenience.
- [17:15] – In general, most people use the same password across multiple accounts. If one user ID and password is compromised then the others are as well.
- [18:32] – Ira uses the real moral of the story of The Wizard of Oz: You have what you are looking for, you just don’t know it or how to use it. This is applicable to security. You have what you are looking for, but you aren’t using it.
- [21:38] – People have to stop being offended when people put security mechanisms in place.
- [23:10] – Something that bothers Ira is when real credit card companies are calling and ask for points of verification like social security numbers. This is exactly what scammers do and when real companies do this, it is hard to tell the difference.
- [25:43] – If somebody is injured, it is the fault of the system where the user exists. Somewhere they enabled the user to put themselves in a situation to allow them to be harmed.
- [27:42] – Sometimes bad grammar and poorly written scams is actually a filtering feature for scammers to filter out the people who are too smart to fall for it. Even a small percentage of people falling for a scam is still money in the criminal’s pocket.
- [28:44] – We need better infrastructure to protect organizations and individuals because these events cause so much money to be lost.
- [29:46] – Anyone who tells you there can be perfect security is either a fool or a liar.
- [30:19] – Anytime you have the option to add two-factor authorization, take it! Yes it is annoying, but the consequences of not utilizing it are far more annoying in the end.
- [32:11] – Ira shares a story about when there was suspicious activity on his bank account. He saw the pattern and told the bank that he would work with them and law enforcement because he does this for a living. They “made a note of it,” and didn’t really do anything to stop the problem.
- [35:14] – Ira references a movie called Focus that is about scams, social engineering, and con-artists.
- [37:21] – You have to admire the minds of these criminals and the lengths they’ll go to manipulate and take advantage.
- [38:10] – You need to respect your potential adversaries.
- [39:00] – Chris and Ira discuss why the United States is different from other countries in regards to using the combination of cards and signatures versus cards and a PIN.
- [40:24] – How much risk can you assume as a culture?
- [42:13] – Chip and PIN is risk mitigation, but how much risk is it actually mitigating?
- [43:10] – You Can Stop Stupid, Ira’s book, is about how stupid is an effect, not a cause. It outlines what you can do now and how you respond to a problem.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Ira Winkler on LinkedIn
- Ira Winkler on Twitter
- Secure Mentem Web Page
- You Can Stop Stupid by Ira Winkler
Can you give me a little background of who you are, what you do?
I graduated college with a psychology major and the only people that hire somebody with a psychology major was the US government, so I ended up taking a few tests, and my first job was at the National Security Agency where I started out as an intelligence analyst. Then I got into the computer field, became a computer systems analyst as well. Then I ended up doing a bunch of work with the US military, US intelligence agencies, traveling around the world in little green trucks for a while. Then I ended up leaving the government. I went to government contracting.
I always ended up on the human aspects of information security—whether it was information systems as a whole, whether it was interface design or working and making things more understandable. One day, somebody came to me and said, “Instead of going down to the Pentagon, can you make a few phone calls?” I'm like, “Sure. What do you want me to do?” “Call this company up and find out who they use as an overnight carrier.” I'm like, “OK….” “Then, call them back and find out what computer systems they have in the library.”
I'm like, “Well, that's kind of stupid.” They're like, “Well, we have a contract to find out as much about the company as possible without breaking into their computer systems.” I'm like, “OK, in that case, who cares who they use as an overnight carrier? Let's get their account numbers. Who cares what systems they have in the library? Let's get user IDs and passwords.” They're like, “That's a good idea.” Anyway, three days later, I had control over one of the world's largest investment banks.
Yeah. I wrote a paper about it that I presented at a professional conference, because my company had a policy that if you had a paper accepted, they have to send you to present it. Okay, I wrote a paper, and it turned out to be, much to my surprise, one of the most esteemed security conferences at the time, and it was called The Seminal Work in Social Engineering. I had to look up what seminal meant and what social engineering meant.
Anyway, I was a world-renowned penetration tester after that and people started coming to me to do weirder and weirder stuff where I would go undercover and get a job inside the company, rob them blind, I would figure out how to hack into computers, which frankly, I didn't even know I knew how to do it. I was just doing it to use computers. All of a sudden, it was called hacking.
I ended up eventually starting my own company. I sold the company to HP. I was chief security strategist for HP consulting for a while. Then I went off on my own and started another company called Secure Mentem, which focused on the human aspects of security. I've pretty much been doing that since. I wrote lots of books. You Can Stop Stupid is my latest book. Everybody go out, stop what you're doing, put this on hold, buy it now. I'll leave it at that.
That's great. I love your background. It’s such a wide narrative of how you've gotten from one place to another. I have one question about the NSA, though. Were you there at the time there was no such agency?
I think I was. I'm dating myself, but at the time, I didn’t even know what NSA was when I was applying. I got the book The Puzzle Palace. It was relatively new at the time. I got that and I'm like, “Oh yeah.” They're like, “What do you know about NSA?” while I was being interviewed. I'm like, “I read The Puzzle Palace.” They go, “Really?” I’m like, “I guess that's the wrong answer.”
Let's talk about the human aspects of information security. I love talking to people, to some doctors, and people in the psychology realm, about why we fall for scams and the psychology of it. It's always really fascinating to me. All the tricks that scammers go through to separate us from our credentials or from our money.
Yeah. Here's an interesting aspect, I hate this cliché, but let me turn the subject on the side of it. Yes, it involves my social engineering aspects. It involves when companies pay me to try to scam them out of information. At the same time, though, it doesn't involve how to fix things, and that's an important factor I want to make sure people understand, because the way you break something is not the way you fix it. If I tell you to break a light bulb, you can break a light bulb with a hammer, by stepping on it, or whatever.The way you break something is not the way you fix it. -Ira Winkler, Security Expert and Author Click To Tweet
Now, I say, “OK, fix it.” You're not going to take your hammer and fix the light bulb. Frankly, it's probably irreparable. You have to go ahead and make a new one. You have to look at people in the same way. Psychology is different in getting somebody to be secure or getting somebody to be secure as opposed to stopping them from exploiting them.
Let me give a quick example, because I was talking to people in law enforcement and asking them why people fall for the old Nigerian prince scam, like this prince wants to transfer money to you. They were like, “Most of these people who respond are lonely. These pseudo-Nigerian princes are essentially the only people who interact with them on a regular basis.” In one case, they will have a recording of this Nigerian prince saying, “If you don't give me more money, I'm just going to stop talking to you.” The person gave money not because they actually believe they were a prince, but because they were their only real human connection. It takes a lot to fix problems like this. Anyway, I'll leave it at that. Yes, a little bit, psychology helps me exploit people. I have to use other disciplines to try to protect people from exploitation.
That reminds me of a woman that I had come in contact with and she was trying to find out about someone who had befriended her on Facebook and had scammed some money out of her and then had disappeared. What was interesting to me is she was a little upset about the fact that she had been scammed, but she was more upset about the fact that she wasn't able to get ahold of this person anymore, and she was worried for their safety.
It really goes to that point. For her, it was about the relationship, not necessarily about the money. She was more concerned about, “I just want to make sure this person is alive.” It kind of baffled me. I'm like, “I don't know what I can do to help you.”
Yeah. A lot of time, this is one of the problems that people in the security industry have. Every time you hear about something happening it's like, “OK, we'll tell people what the problem is and then tell them not to do it or not to fall for it.” That doesn't work. We just had, for example, at the time of this recording, whenever people listen, it's about a month after the infamous Twitter hack happened where this 17-year-old “mastermind” engineered manipulating Twitter employees to give up their credentials. I get on LinkedIn and see this fellow security professional say, “Yeah, now we should figure out how to get that person a job at Twitter to figure out how to fix it.” I'm like, “You're so damn clueless. It's unbelievable.”
The fact is, in an organization like Twitter, it's embarrassing a 17-year-old can do this because you have Russians, you have Chinese. Again, with what the kid did, give the kid credit. He went through a lot of effort to figure out how things worked, but anybody could have figured out how that worked and did the same thing if they had the effort, time, motivation, and most importantly, the questionable ethics to let them do that. Anybody could do this. It's just having the lack of ethics and morals to actually do it. That's not a skill you want to embrace.
That’s always questionable—rewarding criminals for committing crimes.
Yeah. It’s more of a misperception. You don't go ahead and find a rapist and say, “That rapist was a really successful rapist. Now, let them join the police department and help stop other rapists.” No, it's not the way it works. It's not the way it ever should work. It's horrendous. Anybody would be shot for suggesting that with a physical crime, but with a computer crime, people have this wrong perception that being able to exploit something simple makes them a genius at it.
It's kind of like, what's the analogy I sometimes use? It's sort of like, to a caveman who barely got fire, a flashlight looks like magic. When you see these corny things of people going back in time with a flashlight, like bad comedy. The person doesn't know how to make the flashlight, they just know one more trick than the other person on the other side did. That shouldn't be rewarded for knowing a parlor trick, for lack of a better term.
Yeah. We definitely have the issue that the things that people fall prey to are one subset of issues and then how to keep them from falling prey is a different set of issues. Let's talk about what things people fall for and then we can talk about what is entirely different about how we address those issues.
We have a variety of different issues. For example, if we're talking about computer-based crimes, some of it, for example, is fairly simple. Phishing messages, where people try to get people to download malware, or they get them to try to divulge credentials on fake websites that are then exploited. It's common for example to go ahead and send somebody a message saying, “Your eBay account has issues, here's your password reset, please confirm your identity.” Then people log in on a malicious website. People will then steal the credentials and immediately go in and try to drain accounts if there's anything to be drained or so on.
I once saw, for example, on eBay, company accounts were compromised for nothing else than to run up auction prices on eBay. That's a rather benign case; it still could have been much worse, but that's one example. How do we get people not to fall prey? That takes a multilayered effort. This is just one type of example that I'm giving. Let's say again, phishing messages. There's different things people should have, like vendors. People who provide email services such as Outlook, Gmail, or whatever, need to have filtering for malicious software just to delete these messages before they even get to the user. At least they should have some sort of verification.
For example, if you go to click on a link, sometimes within Gmail or Yahoo, or whatever other services that are out there, if you try to click on a link, the link will warn you, “This message is not going to where it says it's going.” What we need—a cheap plug I talk about in my book—is the concept of layering the defenses. I use a counterterrorism analogy; maybe this will help people understand this.
In the terrorism field, there's the concept of boom. Boom is where the bomb goes off. Then there is left of boom, which is, like, what events led to the bomb going off? And then there's right of boom: how do you respond? Now in terrorism, left of boom involves trying to stop terrorists that exist, trying to harden the defenses. Boom involves trying to, like in an airplane, put containers around, have bomb-resistant containers, so if a luggage blows up, it won't blow up the plane, as an example.
Then right of boom involves how do we know there are enough hospitals in place? How do we go ahead, for example, make sure the first responders know how to respond appropriately in case there were secondary bombs and so forth. There's training, there's also different disciplines along every step. Now in phishing, we have to first figure out how does a phishing message get to the user and where can we filter that out, because there is a lot of harm not just to the user, but to affected entities.
For example, if a credit card’s compromised, financial companies potentially lose money. Like eBay, as the example I was giving. If something happens with eBay, eBay loses money, the bidders lose money. There's an infrastructure that really matters. The infrastructure has to go ahead and say, “Let's try to filter out all the phishing messages first. Then, let's try to build protections in.” That's left of boom. At boom, we can help the user and say, “OK, Mr. User, please respond and know that this message does not link, does not go to where it says it's going and so forth.”s That's one type of filtering.
If the user clicks “yes,” we should have better warnings. I wish we would have public service messages for computer security the same way. Actually, I think we got rid of a lot of public service messages, but I wish people like Gmail and all these other vendors out there would send free security awareness tips and so on. I wish there was this. There's a little bit of it.
But then we have the right of boom where, let's assume something goes wrong. The financial organizations need to start taking responses. For example, I was once contacted by American Express telling me or saying, “Did you make a charge from Greece buying a plane ticket from Belgium to Thailand?” I go, “No, I did not.” That was an easy one to flag since I just used my credit card in San Diego at the time. These financial organizations, likewise, have this ability to try to track. Sites like eBay and everybody else are also trying to put in analytics to see what's unusual activity and stop unusual activity, limit transactions, and so on.
A lot of people, however, get annoyed by security protection and that's unfortunate. There's no way that this happens, but for example, I won't name the retailer, but there was a very, very large retailer that I was once visiting, and they were telling me how every time there is—because another type of crime that occurs where people are impacted is where a website is hacked and somebody steals the user IDs and passwords. Then those user IDs and passwords end up on the dark web.A lot of people get annoyed by security protection, and that’s unfortunate. -Ira Winkler, Security Expert and Author Click To Tweet
What will happen is people reuse their user ID and password across multiple accounts. Let’s, for example, talk about Ring. If you remember the recent incidents where Ring happened. Criminals were taking random user IDs and passwords that were logged or captured on the internet, on the dark web, and then trying to log on to Ring.
If somebody, for example, used the same email address that they would use at a retailer. I won't name a retailer, it would be wrong. Somebody has an account at, let’s just say, CVS, or Walgreens, or whatever competitor it is, and that site gets hacked. Somebody takes the user IDs and passwords, puts it on the internet and then a criminal goes ahead and grabs that and reuses the same user ID and password. That happened on one of the retailer sites for ring.com.s
That's how the criminals were able to log on to ring.com. Look at children in their bedrooms and interact with the children in their bedrooms. It wasn't necessarily a problem with Ring, it was a problem with people reusing their credentials and not enabling some extra security protocols. When I speak at conferences, one of the stories I did is what the Wizard of Oz says about information security. Without going through the presentation of my puppets, the real moral of the Wizard of Oz is not there's no place like home. The real moral, if you actually think about it is, you have what you're looking for, you just don't know it or know how to use it.
Much like Dorothy always had the slippers, which is what she needed to go home. Much like the Tin Man, he wanted a heart but he was the one crying the whole time and expressing emotion. The Scarecrow wanted a brain, but he was the smart one, if you pay attention to the movie. He always had what they were looking for. The Lion who wanted courage, and he really didn't get anything. He just went on a suicide mission with everybody else, so you gotta say you had courage. That was the moral. Likewise, with most tools out there where people get scammed, there is security in place, people are just not using it.
Use it. Turn on multi-factor authentication on your Twitter accounts, on your eBay account, on whatever accounts you have, and that'll stop a lot of the online scamming.
I know you talked about financial institutions needing to have better systems in place and processes in place. I ran across a situation where I was actually impressed with the financial institution and the way that they were handling what very likely could have been a fraud situation.
I was sending money to a family member overseas. Legitimately, I know who they were. It wasn't a Nigerian scam and it was the first time I had used this particular account for an international wire. I set it up and went on my merry way. The following morning, I get a phone call from the bank saying, “Hey, we noticed that you set up an international wire to someone that you haven't sent money to in the past.” I got the third degree from this person. “How do you know this person? Where did you meet them? Are you sure that you're sending it to your relative and not somebody else? How do you know that it's not somebody else?” I was kind of annoyed with the security process, but on the inside I was like, “Dude, this is awesome. The bank is watching out for my best interest and they're really doing their due diligence.”
I told the woman, “Thank you for doing this.” I hear way too many times where this didn't happen and people lost money, but the fact that they did it was like, OK, some institutions really are starting to take this sort of thing seriously.
It's sort of like when I went to Las Vegas, and this was the first time it really happened prominently. I went to use my credit card and when I wanted to use my credit card they said, “Could we see your ID?” I'm like, “Yes you may.” Because a lot of people are like, “This is Las Vegas where people get drunk and leave their wallet around and somebody runs out.” I was just buying my $3.50 diet Mountain Dew, which is a crime in and of itself that they were charging that much.
The reality, though, is there are people who try to charge much more. They run into Gucci and try to get something on a credit card. People have to stop being offended when people put security mechanisms in place. Frankly, in many cases, I'm kind of less wary or more wary to shop at stores that don't implement good security practices. It's like, yes, I know I'm me, but at the same time, I really wish they would question other people. The reality is, prices go up when other people are scammed. We need to do that.People have to stop being offended when people put security mechanisms in place -Ira Winkler, Security Expert Click To Tweet
Like with the credit card I used to for a long time, I would not sign the credit card and I would put “see ID” on the back of the credit card. I did that for years and I think only half-a-dozen times did someone actually look at the back of the card and read that it said “see ID” on it and actually asked me for my ID. The rest of the time, they turn the card around, pretend that they're looking at it and then go ahead and swipe it. The whole concept of having a signature on the card was pointless.
Right. It's a risk-based thing for you. Again for this time, it's like what are you gonna say? “I'm not buying this thing now because you did not ask me for my ID.” That’s not going to happen. Some stores don't have this motivation. The thing honestly that bothers me most now that we start talking about it is when you have credit card companies calling people up and asking to speak with you and want you to say, “OK, what is the last four digits of your Social Security Number? I'm like, “Are you out of your mind?”
I mean, literally, I was 100% sure that really was the credit card company, but they are going ahead and asking me for all points of verification that I'm thinking if I was a social engineering somebody, that's what I would do.
Yeah. I would do the same thing.
They're actually training people to an insecure behavior, and that's horrendous on the part of the credit card companies. They should say, “Hey, here's the thing. There's a problem with your credit card. Don't take my word for it. I need you to get out your credit card, do you have that? Look at the number on the back of your card and call back that.”
That's what I do. Anytime I've gotten a phone call from the credit card company, the person will say, “Hey, we think there's fraudulent activity on your card.” I'm like, “OK, thank you very much. I’ll call you back at the number on the card.” The real bank will say, “That's a good idea. Anyone who answers will be able to help you.” The scammers are going to say, “Oh no, I can help you.”
Well, there are sometimes where they're like, “Well, if you really want to, you can go ahead and call back.” Let me be honest with you, as a social engineering trick, if somebody expresses hesitance, I would say, “OK look, here's the thing. There's a big problem with your credit card. I appreciate you want to do that. You can get out your credit card, go ahead and call up the number, wait on line to get it. Feel free to do that, but I'm here now if you want to go ahead and take care of that.”
Then I might have also done some pre-solicitation, or I might have done some research to find out a few more pieces of information that make it sound that much legitimate, but if I give people the option, I gave them just enough information, if I'm a criminal, I’ll provide them with motivation. I'll provide him with an unattractive alternative and 90% of the time, they'll give me the information I want.
Scary. I guess that prompts the question, how do you stop stupid?
There's a combination of stopping stupid from start to finish, because here's the thing. Taking the whole issue of counterterrorism, and frankly, a lot of it is safety science more than counterterrorism. But in the safety science field, if somebody is injured, it is a mistake. It is not the user's fault, it is the fault of the entire system where the user exists. In other words, somewhere, they enable the user to put themselves in a position where they could be injured. They, for whatever reason, allow the user to be injured. The user did something for whatever reason and then the response did not lend itself to a satisfactory result.
When you look at the same thing, like I mentioned before, what we have to do is, if I'm a vendor, if I'm a credit card company, I would love to put myself in the position of each and every consumer out there. I hate to say this, but most of the time, 90% of consumers are not going to fall for this scam or any given scam. Most people like you and I were talking about before we started recording a little bit, when somebody gets a call from, “Hi, we're your credit card company, and we have a new great offer for you.” That doesn't sound right. They didn’t mention which bank, they didn’t mention MasterCard, Visa, American Express, Discover, or whatever. They just had a vague description. Ninety percent of people will automatically have that as a red flag and hang up.
It automatically sounds like a recorded call. Frankly, most of the time when you look at the Nigerian scams, like the Nigerian prince scam, and somebody says, “Who would ever fall for this?” I once spoke to an FBI agent and they're like, “In some cases, bad grammar is a feature because they want to weed out the intelligent people they don't want to interact with.” Anybody who is stupid enough to fall prey, even when they know they're going to get less than 1% of people, if they send out 100,000 messages, that is still, like, .1% is still 1000 people that might respond, so they want to filter out.
Anyway, coming back to this, it's great that people in the back of their mind, and we should promote this as much, there are scammers out there and be aware. If something doesn't sound right, if something is out of the ordinary, stop, go back, hang up, and call the number in question directly. If it's a website, you get an email that could be critical, you don't click on the email message. You go ahead and you log directly on to the website in question as an example.If something doesn't sound right, stop, go back, hang up, and call the number in question directly. -Ira Winkler, Security Expert and Author Click To Tweet
At the same time, we do need a better infrastructure. We need an infrastructure that says, “Look, it is costly for organizations to allow their consumers to fall prey. As an organization, we want to start filtering things out. We want to work with the ISPs, the email providers, and start filtering out attacks as best we can. Then we want to go ahead and put in the user experience. We want to put in warnings.” For example, if you're a bank, or a financial, or a retailer, you want to put some verification on your website. You want to encourage people to implement multi-factor authentication. If somebody does give away their password, it's useless without the two-factor authentication, like a text message. I know some people say text messages are compromised sometimes. It doesn't matter. It’s still exponentially stronger than not having it.
Here's the big thing, I need to step back. Anybody whoever tells you there could be perfect security is a fool or a liar. That is a given. There's always going to be elements of risk. There's not going to be perfect security. Even the smartest person in the world will make a mistake regarding what we're talking about at some point.
Our goal is to try to make it as resilient as possible so that we put protections in place that if you're a consumer and you are offered the opportunity for multi-factor authentication, take it. Yes, it can be annoying but the consequences of not doing it are infinitely more annoying.Multi-factor authentication can be annoying, but the consequences of not doing it are infinitely more annoying. -Ira Winkler Click To Tweet
Yeah, losing your life savings is a huge negative cost.
Exactly. Too many people are going, “It's death by 1000 cuts.” You think, I don't want to do this. It's like, “OK, you think it's a slight annoyance. That slight annoyance can save you a limb.” Then you do that, but then simultaneously, we need the vendors and the infrastructure to put in place checks and verification much like we were talking about, limitations on taking out money, a whole bunch of other stuff. Again, I must admit I was once personally really annoyed because I was trying to take out cash because I needed $350 in cash for something, and I plugged in $350 and the bank refused my transaction.
I went to a different bank and did it, it refused it. I finally went to my personal bank and took it and it allowed it. Why? Because the bank had limitations on other banks to what you can put out but not on your—I didn't know that. Banks have got to go ahead and let people know what their policies are.
One time, I logged on to my bank account—and luckily I check it on a regular basis—and I saw that for the last three days in a row, there were withdrawals of $200 and $100 around the Los Angeles area, up around North Hollywood area. Not North Hollywood, but somewhere in that vicinity, not one of the better areas, somewhere up Sunset.
What happened was I looked at that. It was the same thing for three days in a row, a $200 transaction and a $100 transaction from 711-type places. Of course, I called up the bank and I worked with the bank. I go, “OK, now here's the thing. This is clearly a scam. Those people are going to go back tomorrow. You should alert the police. They go there between 1 o’clock and 3 o’clock; odds are going to be really good that it's not just my one card, that there's a lot of other cards that they have that they’ve cloned and so on because I had the card in my wallet.”
Anyway, I went ahead. I was willing to work with them. I was like, “I’ll investigate this. I'm happy to help.” They're like, “OK we'll make a note of it.” “You're making a note?” They’re like, “Yeah, we're giving you your money back.” I’m like, “OK, but I want to stop these people.” They're like, “We'll make a note that you're willing to help.” And then the guy goes, “OK, here's the actual situation. In the first place, you go ahead, you get your money back. We then go to the people who own the cash machine and we take our money back from them.” I'm like, “OK, give me their contact information.” And then they said, “They have insurance that pays for this.” “Give me the insurance company.” And they're like, “We don't know who that is.” I figured out where this was, and the only place I figured out this could have come from was a month before that because that was a card I rarely… What happened was, the last place I used that card was in Singapore on Universal Studio Walk on Sentosa Island. I'm sitting there thinking somebody had to have a camera and a skimmer at that system there and then figured out it was a US-based card and gave it to people in Los Angeles to go ahead and skim out.
Again, the only places I used that was at my bank, literally at the bank location, which I would like to assume wasn't compromised, or you can potentially assume something on a very public walk in the middle of a public place, and Singapore was the more likely place.
Those are the types of places that are targeted by skimmers, with lots of tourists coming by, people that are not paying attention to what's going on, not familiar with what the ATM machines in that country look like.
Yeah. I'll tell you, it looked pretty good. I don't know if you ever saw the movie was Focus. In the movie Focus, there was one scene where they were talking about different types of criminals around the New Orleans area. Focus was a movie about scams, social engineering, and con artists. They showed somebody putting up a complete overlay of a cash machine perfectly fit and perfectly sized. It's the same thing where I've seen these types of things, for example skimmers at Target. There are actual things where there's a perfectly sized skimmer that you put the card in, it swipes, it steals all the information as you put in and that you need.
Even when you look at it, you really can't tell it's a fake. You have to look really, really carefully and try to remove the outside cover to know that's the scam.
I've heard of those situations where people put out entire fake ATM machines that distribute money in order to basically skim the card. You put your card in and you say, “I want $200.” It gives you the $200 and gives you your card back, because you're no more the wiser. If you put your card in there and there's a problem, you're more inclined to be suspicious about something weird’s going on here. They were actually putting ATM machines on corners that were spitting out cash just so there was less of a concern that there was something wrong.
Right, you have no idea. It was a completely legitimate cash machine from all appearances, from every fake part you can. Really, all it was, it was a standalone computer that gave you the cash you asked for while capturing your information. You’ve got to give these people credit. I shouldn’t say give them credit, you have to admire the taking advantage of the system in a way that they were able to figure out how to compromise. I'm not saying that's a good thing, it's just a fact.
I’ll use a thing. Like, one of my books I wrote was Through the Eyes of the Enemy, which was in the autobiography of a colonel from Russia’s GRU. He was like a spy master for them. He was very distinct to use, not enemy, but adversary. He's like we must use the word adversary because when you use the word enemy, it leads to disdain, it leads to disrespect. You must always respect your potential adversaries because you never know their capability, you never know when they'll get lucky, it leads you to making mistakes. You need to respect your potential adversaries in this case.
That's a very good distinction to make. One more question before we close out. We're talking about systems that need to change. I like to travel internationally, and one of the things that’s perplexed me here in the States is that on credit cards, we don't use chip and PIN. For those that don't know what that is, in the US, most credit cards are chip and signature. There's a chip on the card and then they just ask you to sign. In a lot of other countries, you actually have to enter a PIN code in addition to entering your credit card. What are your thoughts on why that hasn't been adopted in the United States?
Well, here's the thing. With all authentications, there is the concept of multi-factor authentication, which always comes around to what you know, what you have, what you are. Those are the three types of authentication. Now, the thing is people say, “Let's look at the signature.” Having the card with the chip is what you have. The chip is frankly pretty strong, it’s not impossible, but it's not trivial to try to figure out how to get a fake credit card in. That's one thing. It's not likely.
Now, the problem is in these types of cards where you have this, somebody could theoretically clone the chip these days which is not as easy…
Let's just go to the assumption that I just dropped my credit card on the ground.
…right, I'm getting to that. We're on the same track. Now, the thing, though, is we have a PIN. Now the PIN accounts for a certain amount of risk that your credit card was just stolen. Now that your credit card was just stolen, how hard is it to compromise? That comes up to the fact of how much risk are we willing to assume as a culture. In Europe, there’s pretty much very little risk people want to assume as a culture. Europe and frankly—I don't think Asia when I was there a few months ago happened. But, in Europe, they bring all the credit card machines directly over to you. They bring it over. The card never leaves your hands. The transaction always happens in front of you, and they ask you to put the card in and enter the PIN. That's the chip and PIN.
Now again, is that a perfect thing? Theoretically, you could put a camera over and still steal it. Like I said, there's nothing that's perfect. Theoretically, it's a risk reduction tool. How important is it? Frankly, I don't think the risk reduction you get from it is overly important. It’s overly critical. Is it nice to have? Sure, it's nice to have. I must admit, I did not look up the amount of fraud that would prevent, like how many chip cards are stolen and used before they could be cancelled. It doesn't seem to be like it's that much of a threat in the US that I'm going to say stop everything for. These days, there’s cameras and people hide cameras all over the place.
The PINs are not as perfect as they ever should be. Frankly, how hard is it for the waiters for example in Europe to watch you push in your PIN number?
Yeah, that makes a lot of sense. Chip and PIN is risk mitigation, but how much risk does it really mitigate?
Right, because every time you put in a little bit of this, it’s like what is the convenience factor? It’s not really that inconvenient to enter your PIN every time you put a chip in a machine. It does require a different infrastructure. For example, like I mentioned, in restaurants it requires portable terminals as an example. It might be realistic to say at gas pumps for example to use PIN and chip, when you're at a point-of-sale system. But again it's a combination of risk, how much does it really mitigate, whether or not it's worth it.
That makes a lot of sense. Can you give us an overview of your book You Can Stop Stupid? We’ll make sure to put a link to it in the show notes.
Awesome. Anyway, my book, You Can Stop Stupid, is frankly based upon a lot of what we spoke about. Literally, I will phrase it this way: Stupid is an effect, it's not a cause. When I refer to stupid, I'm not referring to the end user as an example. I'm referring specifically to the people who are—stupid is in the people who designed the systems that allow people to be exploited. It talks about the science and the process behind how do you go ahead and put an infrastructure and how do you protect yourself in advance before an attack reaches you. How do you react when the attack is in front of you? What can you do to potentially mitigate losses as quick as possible?
I introduced the concept of user-initiated loss where the issue is that a user doesn't create a loss but a user is the pivotal point where a loss is initiated. Once a user initiates a loss, the reality is that you need to be able to mitigate it before the loss is realized. That's probably as important as preventing the initiation, to mitigate the loss before it’s realized. Just because you make a mistake, it doesn't mean it should actually result in damage. I'll leave it at that.
That's great. If people want to follow you on social media, how can they get ahold of you?
There's not that many Ira Winkler's in the world, literally not that many, but if you go to Twitter, @irawinkler, just one word. LinkedIn is also Ira Winkler, and you'll find me. On Facebook, Ira Winkler. My website is under construction at the moment, but irawinkler.com as well would be awesome.