How hackers take over your accounts using social engineering (Marketplace)

Captions
♪ ♪

-[ Charlsie ] We're about to test one of Canada's largest telcos. My name is Charlsie.

-[ Charlsie ] These two ethical hackers, Joshua Crumbaugh and Alex Heid, are taking on my identity, so they can take over my account. Yeah, it's 1234.

-[ Charlsie ] What you're watching is called social engineering. I wanted to add HBO to my account.

-[ Charlsie ] A hack that relies on charm and persuasion to get access to your info, and even your money. [ ♪♪ ]

-[ Charlsie ] Erynn Tomlinson never thought she would be a victim. She's a former cryptocurrency exec who thought her info was secure from hackers. But that wasn't the case. When did you know you'd been hacked? Well, I was out and my service cut out on my phone. I went to a local cafe that I always go to. One of the first things I did when I got there was check one of my financial accounts, and I saw it was at zero. That was the moment that I realized what was happening. I rushed home so that I could be at my desktop where I had the most control. And then it was-- it was a race, and it was right at the moment where they took out the last transaction that I saw go through that I effectively blocked them. You basically watched yourself get hacked? Yes.

-[ Charlsie ] As far as she can tell, the only information the hackers had? Erynn's name and phone number. And that was enough to take it all. It was $30,000 equivalent in crypto. I was closing a mortgage weeks later. So, that's-- that's what that money was for.

-[ Charlsie ] So how did it all unfold? Someone or someones contacted Rogers through chat message through their online support system. Right. And pretending to be me with very little information, they proceeded to ask Rogers for information about me. And each time they got one piece of information, they would say, "Thank you, I got what I needed." They would end the chat, get a new agent and start all over again.

-[ Charlsie ] Erynn got her hands on those chats. She couldn't believe how easily Rogers gave away all her information. They were given my account number, my email, my credit card information, my birth date, the amount of data on my account, my last bill amount.

-[ Charlsie ] It takes 8 different chats, but eventually the hackers convince the employee to deactivate Erynn's SIM card and activate a new one. It's called a SIM swap and gives hackers access to all your apps and financial accounts. I don't know how to describe it. I was sort of in shock at the whole thing.

-[ Charlsie ] Erynn's case might sound extreme, but she's not alone. In 2017, TELUS gave out one customer's personal info to her stalker, putting her info and her security at risk. Just three months ago, the government ordered all companies to report all hacks to Canada's privacy commissioner. Since then, there have been over a dozen cases involving social engineering in the telco sector alone. And companies around the world admit social engineering attacks are on the rise. We're in New York City about to meet with some cyber security pros who are going to tell us and show us just how hacking can hurt us all and what we can do to stop them. [ ♪♪ ] One of my email accounts has been compromised. [ ♪♪ ] This is what the bad guys do. They actually spend time trying to force errors. This is Infosecurity North America. Dozens of experts, hundreds of enthusiasts finding flaws in security systems, and showcasing solutions all in one place. [ ♪♪ ]

-[ Charlsie ] From videos that teach you how to avoid getting hacked. The biggest threat for an organization is your users. We call it the human firewall. Instead of a user blindly clicking on links or opening attachments, we want to train that user to take a moment, think about what they're going to do, and then actually make a decision, an informed decision.

-[ Charlsie ] To interactive games like squashing bad computer bots. So we're differentiating bad bots from humans, and so as you play, you'll see bots light up in random locations, and you have to smash the bots. This is so hard! It's pretty hard, right? Top three!

-[ Charlsie ] There's even a security-themed escape room! Okay. An escape room? What does this have to do with social engineering? So we do immersive security awareness training. So the first code for the routers is B124. So in this room, there's a bunch of puzzles that have to do with helping people understand what social engineering is and how they can better protect themselves.

-[ Charlsie ] These guys are at the conference too. They're ethical hackers ready to use their skills on my cable provider, Rogers. It's just psychology, so if you understand how somebody's going to react to something, you can easily manipulate somebody into giving them information or access to things that maybe they shouldn't. Okay. Let's give it a go, guys. I'm going to call this number. It will look as if I'm calling from you, and I am Matthew, your personal assistant.

-[ Charlsie ] Will the rep fall for it? Well, my name is Matthew. I'm calling on behalf of my boss. I'm her personal assistant. Her name, though, is Charlsie Agro. Basically, she's asked me to call and get HBO added and also just verify a couple things about her account.

-[ Charlsie ] First call and this employee is not buying it. If at first you don't succeed, just hack, hack again? Think of how many people work there, though. You only need one out of a group.

-[ Charlsie ] So Joshua tests a new Rogers rep.

-[ Charlsie ] The same old trick with a twist. This time, he's impersonating me. My name is Charlsie. Agro. I'm doing well. Yeah, I wanted to add HBO to my account. Yeah, it's 1234. That's normally the one I use. Let's try 0246. That's the other one.

-[ Charlsie ] Wrong PIN, but the rep doesn't flag it. Strike one. Date of birth is [ Bleep ].

-[ Charlsie ] After a quick search online, they find a postal code. Okay. Yeah, there we are. It's [ Bleep ].

-[ Charlsie ] They're off by a digit, but the Rogers rep doesn't catch that mistake either. Strike two. It should be [ Bleep ]@gmail.

-[ Charlsie ] And this is where it gets scary. Could we set a passcode, as long as we're in here? Yeah, let's make it 0246. You'll want to change that right away afterwards.

-[ Charlsie ] Hard to believe, he actually changes the passcode on my account. A serious strike three. And the game's not over yet. He even adds his own security question. We'll go with name of the first pet. It was Rufus, R-U-F-U-S.

-[ Charlsie ] And just when you think it can't get any worse, he adds himself to my account. All right. And while I'm at it, could I add my personal assistant as a level one user? His name is Joshua. Last name Crumbaugh.

-[ Charlsie ] The rep on the phone even starts volunteering information, including the other name on my account. Yeah, yeah, that's her. My husband.

-[ Charlsie ] And just like that, the damage is done. So I'm shocked because you actually got my postal code wrong. It was off by a digit, and they still let you do that. So based on-- so again it's all about the profile of the person who picks up. I think the biggest thing is education. We have got to do more in making our people aware that these things happen.

-[ Charlsie ] This is your "Marketplace".

-[ Charlsie ] It's the latest con game. Everyone's always going to get hacked. It's just a matter of when that happens, not if that happens. Could we set a passcode, as long as we're in here? Yes.

-[ Charlsie ] We're revealing how hackers can use their skills to con companies into giving it all away. At this security conference in New York, the ultimate headliner is one of the world's most famous hackers, Kevin Mitnick.

-[ Kevin ] I was on a trophy hunt to see how many companies I could hack into.

-[ Charlsie ] Once a conman and one of the FBI's most wanted, he hacked into 40 big companies, even went to prison for five years. Not for their information, per se. It was the challenge of getting through their security. So, for me, it was all about the pursuit of knowledge and the seduction of adventure. It was never about causing any harm, never about making any money.

-[ Charlsie ] Now, he's flipped, using his hacker skills to train companies on how to protect you from people like him. What is it about human nature and the goals of customer service that make people, organizations, vulnerable when it comes to social engineering? Well, customer service, you know, it's all about customers is the king, and customer service is gonna bend over backwards to make the customer happy.

-[ Charlsie ] Mitnick says part of the problem is those security questions many companies use to verify you. The companies need to have policies put into place to come up with a way to have a very high confidence that they're dealing with the consumer. They're the ones that are in control because they are the ones that can effect change. The consumer can't. The consumer can only demand change, and if they are unwilling to do it, you go to a different vendor.

-[ Charlsie ] Social engineering victim Erynn Tomlinson agrees. She says Rogers should have done more to protect her info. What did they offer you? They offered me, at first, three months' free service. Sorry. Three months of free service? After losing... $30,000. And then they-- you know, obviously I said, "I don't think that's appropriate." They came back to me, again, and said, "Um, okay, you know, you're right. We're gonna offer you one year of free service," to which I said, "I feel like that is a joke at my expense."

-[ Charlsie ] Erynn's not giving up. She's now suing Rogers. What I really want to see is, not just that they give platitudes and say, "Oh, we're sorry this happened" from a customer service point of view, but that they make real changes to their policies and their training internally, so that this can't happen. Rogers declined to speak to us about Erynn's case as it's before the courts but argue they're not responsible for what happened to her. They do say they provide ongoing training for their staff and take their customers' privacy and security very seriously, always improving and updating their security measures and verification processes. Rogers does admit those steps were not followed properly by the customer service rep when my account was hacked. Do you think your members right now are doing a good job protecting customers' privacy? I think they are.

-[ Charlsie ] Meet Robert Ghiz. He's the head of the Canadian Wireless Telecommunications Association, an industry group representing some of the big telcos. I think they're putting mechanisms in place, that they are training and educating, but the difficulty is staying ahead of the fraudsters. I know they're good. You know how I know? We had two ethical hackers. They got into my Rogers account. They had the wrong PIN number. They had the wrong postal code. And they still got in, so that's troubling for me as a consumer. But I want to know how troubling it is for you. Well, obviously we want to protect our members. It's something that's important to them, and that's why they will continue to educate, they will continue to train. But there's always going to be human error. There's always going to be fraudsters out there. It's up to all industries to ensure that they do the best to protect individual security with a constantly evolving technology that is only going to grow in the future. Experts have been really clear with us. We need to move away from using personal information to authenticate or validate a user. When are you going to stand up to telco companies and say, "Let's make a change? This isn't working?" Well, that's only one portion of what they do, whether it's asking birthday, asking your address, that's why they're adding PINs, passwords, security questions. Even though they have these measures in place, it doesn't seem to matter. They're not working. They got in anyway. They are working. The thing is there's millions of calls-- It didn't work for me. There's millions of calls that come in every week. There's always going to be some human error that's going to exist, but you're right. It's gotta be about educating those front line services and training those front line services, and that needs to continue and needs to be more vigilant in the future. [ ♪♪ ]

-[ Charlsie ] Ethical hackers Joshua and Alex agree. Companies shouldn't be asking for personal information to verify us but say we shouldn't make it too easy for hackers by sharing too much ourselves. So many people will use their children's names or birthdates, or their animals' names as passwords. And then you go onto their social media, and they've posted a million pictures of the same dog with the name of their dog. And they're basically putting their passwords out there for everyone to see.

-[ Charlsie ] Is he right? Do we really share too much? [ ♪♪ ]

-[ Charlsie ] We're taking that question to the streets.

-[ Charlsie ] What kind of password do you have? Like a dog's name, birthdate? I do use my dog's name.

-[ Charlsie ] Oh, what kind of a dog do you have? I have a shih-poo.

-[ Charlsie ] Aww. What's his name? [ Bleep ]

-[ Charlsie ] What security question would you choose? My mother's name.

-[ Charlsie ] What's your mom's name? Can I reveal that? Okay, my mom's name is [ Bleep ].

-[ Charlsie ] So your security answer would be [ Bleep ]? Yes.

-[ Charlsie ] How strong do you think your online password is? Very, very strong. It's a name that nobody would guess.

-[ Charlsie ] So, like, your partner's name? Yeah, something like that.

-[ Charlsie ] What's your partner's name? I can't-- I can't say.

-[ Charlsie ] Why? [ Bleep ]

-[ Charlsie ] So your password is [ Bleep ] plus a bunch of numbers? Yes, yes, it is.

-[ Charlsie ] Thank you very much. Thank you, yeah.

-[ Charlsie ] Please go change your password! Have a good one, guys. Take care.

-[ Charlsie ] I've changed my password. And now it's up to companies to change their practices.
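Two of the failures the program describes are detectable from a telco's own support records: Erynn's attackers contacted Rogers eight separate times, taking one data item from each agent before ending the chat and ending with a SIM swap, and the rep handling Charlsie's account went ahead with a passcode reset, a new security question and a new authorized user after the caller had given a wrong PIN twice and a wrong postal code. The script below is an added example, not code from CBC, Rogers or the researchers in the piece; it shows one way a fraud or SOC team could correlate support sessions to surface both patterns. The record layout (one JSON object per session with the fields disclosed, the verification items that failed and the actions taken), the 24-hour window, the three-agent threshold and the list of sensitive actions are all assumptions, and the log lines are constructed for the example.

```python
"""
Correlate customer-support sessions to flag two social-engineering patterns:

1. "Chat-hopping": one account contacting many different agents in a short
   window, each session yielding another piece of account data, often ending
   with a SIM swap or other sensitive change.
2. A sensitive change carried out in a session where the caller failed at
   least one verification item (wrong PIN, wrong postal code, ...).

Added example. Record layout, window, thresholds and the sensitive-action
list are assumptions, not any telco's real schema or policy.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that should never follow a failed verification item (assumption).
SENSITIVE_ACTIONS = {
    "sim_swap", "set_passcode", "add_security_question",
    "add_authorized_user", "change_email",
}

# Constructed sample log: one JSON object per support session (not real data).
# Account A1 mirrors the piecemeal-disclosure pattern ending in a SIM swap;
# account B7 mirrors a phone call where two checks failed but changes were made.
SAMPLE_LOG = """
{"ts":"2019-02-01T10:00:00","account":"A1","agent":"ag07","channel":"chat","disclosed":["account_number"],"failed_checks":[],"actions":[]}
{"ts":"2019-02-01T10:20:00","account":"A1","agent":"ag12","channel":"chat","disclosed":["email"],"failed_checks":[],"actions":[]}
{"ts":"2019-02-01T10:41:00","account":"A1","agent":"ag03","channel":"chat","disclosed":["birth_date"],"failed_checks":[],"actions":[]}
{"ts":"2019-02-01T11:05:00","account":"A1","agent":"ag19","channel":"chat","disclosed":["last_bill_amount","card_last4"],"failed_checks":[],"actions":[]}
{"ts":"2019-02-01T11:30:00","account":"A1","agent":"ag22","channel":"chat","disclosed":[],"failed_checks":[],"actions":["sim_swap"]}
{"ts":"2019-02-01T12:00:00","account":"B7","agent":"ag05","channel":"phone","disclosed":["secondary_user_name"],"failed_checks":["pin","postal_code"],"actions":["set_passcode","add_security_question","add_authorized_user"]}
{"ts":"2019-02-01T12:30:00","account":"C3","agent":"ag05","channel":"phone","disclosed":[],"failed_checks":[],"actions":["add_channel_package"]}
"""


def parse_sessions(log_text):
    """Parse JSON-lines session records and return them sorted by timestamp."""
    sessions = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        sessions.append(rec)
    return sorted(sessions, key=lambda r: r["ts"])


def flag_chat_hopping(sessions, window=timedelta(hours=24), min_agents=3):
    """For each account, look back `window` from every session; once the caller
    has reached `min_agents` distinct agents, emit an alert carrying the union
    of data disclosed so far and any sensitive action in the current session."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s["account"]].append(s)

    alerts = []
    for account, recs in by_account.items():
        for i, cur in enumerate(recs):
            recent = [r for r in recs[: i + 1] if cur["ts"] - r["ts"] <= window]
            agents = {r["agent"] for r in recent}
            if len(agents) < min_agents:
                continue
            disclosed = set()
            for r in recent:
                disclosed.update(r["disclosed"])
            alerts.append({
                "account": account,
                "at": cur["ts"].isoformat(),
                "sessions": len(recent),
                "distinct_agents": len(agents),
                "disclosed_so_far": sorted(disclosed),
                "sensitive_action": sorted(set(cur["actions"]) & SENSITIVE_ACTIONS),
            })
    return alerts


def flag_unverified_sensitive_actions(sessions):
    """Alert on any session where a verification item failed yet a sensitive
    change was still made. A failed PIN or postal code should end the call,
    not be retried until something matches."""
    alerts = []
    for s in sessions:
        taken = sorted(set(s["actions"]) & SENSITIVE_ACTIONS)
        if s["failed_checks"] and taken:
            alerts.append({
                "account": s["account"],
                "agent": s["agent"],
                "failed_checks": list(s["failed_checks"]),
                "actions": taken,
            })
    return alerts


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for a in flag_chat_hopping(sessions):
        print("CHAT-HOPPING", a)
    for a in flag_unverified_sensitive_actions(sessions):
        print("UNVERIFIED-CHANGE", a)
```

On the sample data the first detector fires three times for account A1, from the third distinct agent onwards, and the final alert shows the whole set of disclosed fields together with the SIM swap; the second detector fires once for account B7. In practice the first detector is the one to wire into the SIM-swap path itself, so that a swap request on an account with this history is held for out-of-band confirmation to the existing handset rather than merely alerted on after the fact.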
Info
Channel: CBC News
Views: 1,383,150
Rating: 4.8658061 out of 5
Keywords: hackers, hacking, social engineering, telco, telecom, rogers, telus, bell, account information, privacy, identity theft, wireless service, marketplace, cbc marketplace, cbc news
Id: Ck_r2GYLdCI
Length: 17min 3sec (1023 seconds)
Published: Fri Feb 08 2019