Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Bee Cyber Fit: Don't Get Cyber-Jacked - Tips to Avoid Juice-Jacking and Social Media Account Takeovers

October 18, 2022 Wendy Battles/James Tucciarone Season 1 Episode 4


I bet you've heard stories about identity theft.  You may even know someone who's been an unfortunate victim. 

But are you aware of the sneaky tactics that cybercriminals are using to get at your information? And do you know the steps you can take to avoid it?

Juice-jacking and social media account takeovers?

You bet. 

They are just two of the tactics that thieves use to uncover our private information. We're talking about them in this episode and you'll want to listen and share with family and friends to keep them safe too.

In this episode you'll learn: 

  • Surprising statistics about social media takeovers that lead to identity theft (it's staggering)
  • How a man was homeless for over 19 months because his identity was stolen
  • Why plugging your device into a public charging station can lead to juice-jacking (aka stealing your data)
  • What criminals can see when they gain access to your device, as uncovered in a TV news story
  • Tips to protect your data and how to report identity theft 

Thank you for listening! Remember, it only takes simple steps to be cyber fit!

Call to Action:

Wondering what to do if you become a victim of identity theft? Review our Cybercrime Reporting Help Guide for guidance.

We invite you to learn more about the Yale Cybersecurity Awareness Program.

Mentioned in this episode:

Identity Theft Resource Center (ITRC) 2022 Consumer Impact Report

NBC News story: Juice-Jacking: Why you should avoid public charging stations

*******
Please Share What You Loved

Your feedback means everything to us! If you enjoyed this episode please rate and review on Apple Podcasts, Spotify, Google, or your favorite podcast listening app.

Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.


Wendy Battles: Welcome to the Bee Cyber Fit podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyber speak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.

James Tucciarone: And I am James Tucciarone. Together, we're part of Yale University's Information Security Policy and Awareness team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.

Wendy Battles: Ready to get cyber fit with us?

Hi, everyone, welcome to another episode of the Bee Cyber Fit podcast. We are so excited that you've joined us today. This is the place to come for information and inspiration about how we can all build our cyber fitness in simple ways to stay out of the clutches of those cybercriminals that are always trying to figure out how to steal our stuff, our information. So, we are really happy that you're here. And, James, I can't believe that we're already on our fourth episode. What's something that you've learned so far?

James Tucciarone: Wendy, I'd have to say that it was during our interview with Jeremy Rosenberg in our last episode, when we asked him, "Why cybercriminals would be interested in us?" And the answer, you know, in case anybody hasn't listened there yet, hopefully, I'm not giving something away. But one of his answers was that cybercriminals aren't just interested in our personal information or financial information. They're also interested in the resources that we might have available to us. And I'd never considered that before and so it was really eye-opening.

Wendy Battles: It really was. I'm always thinking about they want the immediate payoff. They want access to a bank account or something like that. But there are a myriad of ways that they get information and use information. And some of them are not always the obvious things that we might think. So, I'm learning too, James I'm with you. I'm learning a lot of stuff as we're going through and having these really interesting conversations. I do want to tell everyone about our episode today and what's in store. We have two really interesting eye-opening, sometimes shocking stories for you about what not to do, and some things that can keep you safe. I'm looking forward to sharing those. We have a buzzword of the day that's coming and we're going to wrap up today's episode with a very simple call to action, with some helpful resources based on our episode today.

James Tucciarone: What are your favorite websites on the internet? Maybe you go online for research or maybe you go online to shop? Or perhaps it's to play your favorite game? But have you ever wondered where cybercriminals go when they're online? It's called the dark web and it's lurking right in plain sight. Stay tuned to find out more about what the dark web is and how cybercriminals use it to their advantage.

Wendy Battles: So, two stories we're going to share today to bring home the pervasiveness of cyber criminals and the many ways they try to trick us.

James Tucciarone: So, Wendy, I'm going to go ahead and get us started this week and I have a report from The Identity Theft Resource Center or ITRC for short, and it's their 2022 Consumer Impact Report. The report focuses on identity crime victims who contacted the ITRC but it also compares them with general statistics from a national survey. They shared some key findings about financial and emotional impact, the length of time that it took for a victim to resolve the incident, and interestingly whether it was the victim's first incident, but the report focused on a key finding, which is what I really want to talk about with you all today. And it's an identity scam that's grown by more than 1,000% in the last 12 months and it's social media account takeovers.

Wendy Battles: Well, that doesn't sound good because I spend a lot of time on social media. So, already without even knowing the details, James I'm like, uh-oh.

James Tucciarone: I hear you, Wendy. So, they talk about a survey of these social media account takeover victims and found that 85% had had their Instagram account compromised and 25% had had their Facebook account compromised.

Wendy Battles: James that's crazy. That's all I can say, it's crazy and it's shocking, 85% of Instagram accounts when people have these takeovers were compromised, that's huge. I mean so many people not only use Instagram, but I don't want to say rely on, it's not like it's needed. But it's an important part of people's lives, social media for so many people. And I'll tell you this one thing, I remember last year there was one day when something happened with Facebook or Meta. There was an outage for Facebook and Instagram for like hours on this particular day and people were like, "Oh, my gosh, I can't access my accounts." They were going crazy. So, you can imagine if this happened, this would be really bad.

James Tucciarone: So, it's interesting that you should say that, Wendy, because the report also found that 70% of these victims were actually permanently locked out of their accounts. But the other thing that I found really interesting is that 48% of the victims had clicked on a link they believed was from a friend and on the flip side, 71% of hijacked accounts were used to contact friends and followers.

Wendy Battles: Wow that's significant. First of all, just the idea that 48%, almost half the people that clicked on a link they thought was from a friend because one of the things I've noticed in my Facebook account is that I will get friend requests from people I'm already friends with, which to me is suspicious. If I'm already friends with them, like, why are you friending me again, you wouldn't be doing that. Unless someone specifically says, "Hey, my account was compromised, I've set up a new account like they've told me this in some way," so this new account is legitimate. I need something like that to know, this seems like an okay thing to do. Because otherwise, it's like, I don't think so.

James Tucciarone: Right. And Wendy the report also had a bunch of quotes from the victims, and there was one that really stood out for me that I wanted to wrap up with, and that's-- I've been homeless over 19 months because my identity was stolen.

Wendy Battles: That's devastating. I can't even imagine the effect of identity theft to that level where you are homeless for 19 months.

James Tucciarone: I know.

Wendy Battles: That is just so disturbing and I mean talk about devastating someone's life.

James Tucciarone: No kidding.

Wendy Battles: Because I think we think identity theft, it's like, okay, well someone filed a return in my name which is already a hassle to try to unwind all that and go through the process with the IRS, that alone is a nightmare. But to have something like this happen is just almost beyond words.

James Tucciarone: It really is. I will say I do believe this is probably far from the usual outcome but it is pretty impactful because even for the small number of people this might happen to, as you said, that's really devastating.

Wendy Battles: Yeah, it is truly devastating. It's hard to recover from something like that, of course, people can, but it's difficult, we hope that we can prevent some of these things from ever happening to you, or people you love, or your colleagues, or friends. We just hope we can prevent some of these things from happening to you.

James Tucciarone: Exactly. And I will say, Wendy, there was lots of information in the report. It was pretty user-friendly, and formatted in a nice way. So, if anybody's interested in seeing some more of those numbers or reading a bit more, of course, we'll have a link to that in the show notes.

Wendy Battles: It's great, thank you so much, James. And let me share a little bit about my story. And I'm going to actually start it by asking you, have you ever been on a trip and you realize your battery was getting kind of low and you saw a charging station? And you said, "Oh, I could plug into that and get a little juice?"

James Tucciarone: Of course, yeah. I'm usually a bit wary about using public charging ports, but I've certainly done it many times before.

Wendy Battles: Yeah, I have too. I remember a couple of years ago I was getting ready to go on a trip and I saw the charging station. And I thought, well, this seems like a good idea to get a little extra charge, like who wouldn't want to do that. But there's a reason why we shouldn't and there is a trend going on called juice jacking. Juice jacking happens when you plug into some kind of a public charging station where quite honestly all kinds of not-good things can happen to us. So, we want to be on the lookout for that and I'm bringing this up because we're traveling more. The pandemic is not what it was, things are returning to more normalcy, more people are getting out and about, and one of the places we can find them is when we're traveling and we'll tell you more about some of the specific places a little bit later. But let me tell you a little bit about what happens with the juice jacking.

It is when cybercriminals load malware onto a USB charging station. So, let's imagine that you see something, for example, in an airport, you see this charging station, you plug into it. Well, with this malware they load, they could lock your device, they can export data or your passwords. And of course, you can imagine, they could then use that information to access your accounts. So, it could be your bank account or some other kind of account that has really personal or confidential or financial information. That could be very problematic. And often they will install tracking programs, or they'll be able to mirror your screen. So, you plug into the station, they can then see exactly what's on your screen. And I'm going to tell you a story to bring this home. A TV station in California did a story where they went to a park and they had a cybersecurity expert join them. And they set up a portable USB charging station. So first, the reporter hooked up to the charging station and the cybersecurity expert was able to show her what was happening in real-time as she did something, he could see it on his screen.  She called her spouse and he could see in real-time what was going on. She logged into certain accounts, she typed in a password, she sent text messages that were all obvious to him. And she was really shocked when she found out. So, then what they did is they had the station and people were just coming up to it. And they were plugging into it with their phones and then she would stop them and say could I talk to you about this and she'd explain what was going on. And so many people had no idea. It was younger people, it was middle-aged people, it was people that were like, ‘this seems so convenient and I'd like to charge my phone’, so they weren't really thinking about it. Can you see how easily that might happen, James, if it's something that's free?

James Tucciarone: Absolutely and this story really was a compelling video and I think it's because it showed one of the scariest ways that hijacking our charging stations or our charging cables can be used. And that was, as you mentioned, through mirroring our device, and the cybersecurity expert acting as a cybercriminal showed that they were able to see exactly what was happening on a person's screen and I know I would feel pretty violated if that happened to me.

Wendy Battles: Yeah, absolutely. And I also think it is the time for us to think about, is this something that your young adult children or high school kids would know about? If they came upon a charging station? Would they impetuously just plug in because they want to keep playing their games with their friends? Or what about your parents that have phones or your grandparents? Is this something that they would be aware of as they're waiting in an airport for example? So, those are some questions for you to think about. I will mention that we have a link to this story in the show notes, we encourage you to go watch it yourself and see just how compelling it is and how easily this can happen. Because we don't want this happening to your family. And I want to mention a few places where you might find these, additional places you might find these charging stations that we mentioned airports, but also it could be hotels, it could be some shopping centers. James, have you seen these other places?

James Tucciarone: Definitely, I've seen them on trains quite a few times and I imagine they'd be pretty popular in metropolitan and tourist areas. This video in particular actually showed just in a busy public park or it might have been a marina.

Wendy Battles: Yeah absolutely. So, the kind of place where a lot of people gather. Have you ever noticed too that you look over you say, "Oh, what are they doing over there? Let me go check that out and then you're like, oh, they're charging up their phone? Well, that's cool. Let me do that, too."

James Tucciarone: Right.

Wendy Battles: You know, we don't always stop and think?

James Tucciarone: Let me just top off.

Wendy Battles: Yeah, let me top off. I think it's so easy for that to happen. So, here are a couple of tips to help keep your data safe. First of all, don't use those USB charging stations in public locations. That's the single most important thing, just don't do it. And the second thing I want to mention is if you happen upon one of the charging stations and you see a cord that's like sticking out of it, especially don't just plug in with the cord that's already there. That's a no-no. What else would you say?

James Tucciarone: So, Wendy, I think those are two great points because certainly the USB station itself could be compromised or a power cord could be compromised. And I think one of the great ways that we can combat that is by using what's called a data blocker or USB condom, which is an adapter that you plug onto the end of the cord and it basically blocks the data pins in that cord so that you're only transmitting power and not transmitting data. Another option is to make sure that you carry your adapter for plugging into an outlet, an actual power outlet. And plug in that way because you're not able to transmit data when plugged in using a standard power adapter and a standard outlet. And I would say, it's probably a better idea to just carry around a portable charger or a power bank because it's something that you own that you know is safe and that you can just plug into. But I will say that the cybersecurity expert in this story actually gave some great advice. And that was, if anything's out of the norm, just stop and unplug immediately.

Wendy Battles: That's great advice. And it goes back to what we said in one of the prior episodes about being a little skeptical. Some healthy skepticism is really important when it comes to protecting ourselves and building our cyber fitness. To question something, to see if this seems too good to be true, did I get free charging in the middle of some park that seems like an odd place to find that. So, it can help us think about some of these things, so just be aware, be more aware of your surroundings, and what's going on and thinking about is this actually a good idea? Hopefully, those two stories have been helpful, provided some insights, have gotten you thinking about yourself, your own behavior, but also thinking about people you care about your family, and friends, and colleagues, and how could you make them more aware of this, both are cautionary tales that we hope you've taken note of.

[theme music]

Here's the buzz on what's commonly called the dark web. Imagine the internet is made up of three parts. The first we'll call the surface web. This contains all of our common and publicly available websites and it's really just the tip of the iceberg. The second and largest part we'll call the deep web. Here we have our nonpublic and internal web pages that typically can't be indexed by a search engine. Think about the private web-based resources you use at work or even the secure pages of a public website. And finally, we have the dark web, a subset of the deep web, it's a concealed part of the internet only accessible using special web browsers. These browsers are designed to protect against surveillance and make browsing virtually impossible to trace. Websites that require this concealment are what make up the dark web. And while the dark web may have legitimate and legal uses, cybercriminals leverage it for far more nefarious purposes. Commonplace is the trading of personal information including usernames, passwords, credit card numbers, and entire stolen identities. Among the many illicit goods and services, there are even cybercriminals for hire. To help keep your personal information off the dark web, use secure passwords and don't reuse similar passwords across accounts. Keep your devices and software up to date and enroll in automatic updates wherever possible. And keep listening to the Bee Cyber Fit Podcast for tips to stay ahead of bad actors and to strengthen your cyber muscles.

Wendy Battles: We have a simple call to action today to put into practice what we talked about through these two stories. And that is about knowing how to report a cybercrime. We've collected some useful links for identifying different reporting channels. Some of them are local and some of them might be national. If you are affiliated with Yale, we've got information about what to do on campus. It's a checklist we have in the show notes, and we encourage you to download it, use it, and also share it with others in your life.

James Tucciarone: Thanks, Wendy. That's fantastic and all the time we have for today. So be sure to join us for the next episode of the Bee Cyber Fit podcast. And as always, until next time, I'm here with Wendy Battles. And I'm James Tucciarone, we'd like to thank everyone who helps make this podcast possible and we'd also like to thank Yale University where this podcast is produced and recorded.

Wendy Battles: Thanks everyone, we really appreciate you listening and learning with us. And remember, it only takes simple steps to be cyber fit.

[Transcript provided by SpeechDocs Podcast Transcription]
