Frank W. Abagnale Jr. has become a folk hero since the film adaptation of his life in Catch Me If You Can. Frank Abagnale was played by Leonardo DiCaprio and his FBI captor by Tom Hanks, which has no doubt added to his star appeal.
A reformed poacher turned gamekeeper, Abagnale has been teaching at the FBI Academy for over 46 years, has had the opportunity to teach two generations of FBI agents and has conducted more than 3,000 seminars around the world.
Speaking at Black Hat Middle East and Africa 2022 in Riyadh last month, Abagnale shared his wisdom on the prevention of fraud in cybersecurity. Gulf Industry was privileged to witness his insights; here are some excerpts from his presentation:
My philosophy: Prevention, Verification & Education
Prevention, because once you lose your money, you will probably never get your money back. They may arrest the person, they may convict the person, they may send them to jail. But it is not likely you’ll get your money back. If you make it easy for someone to steal from you, it’s unfortunate, but someone will. In the US, we have seen more than $110 billion ordered for restitution that is still outstanding; today, 91 per cent of that money will never be collected.
Verification because today anything can be replicated, duplicated, counterfeited. So before you part with any money or with any information you absolutely need to know who’s on the other end of that device.
Education is the most powerful tool for fighting crime.
We have seen a 73 per cent increase in the US in identity theft since the pandemic began. We have a victim in the US every two seconds.
Worldwide, in 2018, 3.6 billion identity records were compromised; more than 14 billion identity records are available today on the dark web. That means probably everyone in this room, including myself, has already had their identity compromised.
Every breach occurs because someone did something they weren’t supposed to do, or someone failed to do something they were supposed to do. Hackers do not cause breaches. Hackers only look for opportunities and open doors.
In the 2,500 cases of ransomware in the US, more than $350 million was paid out by companies in cryptocurrency for being victims of ransomware. It is very simple: as long as there is cryptocurrency, there will be ransomware. You could not have ransomware if you did not have cryptocurrency, so as long as there is cryptocurrency, we will continue to have ransomware.
I have probably looked at over 15,000 phishing emails in my career. And up until a couple of years ago, they were always very easy to spot; not so much anymore.
Here is a real example from a technology company in Southern California with 4,000 employees. It is supposed to be an email from the CEO of the company to the CFO of the company. And it simply read: “Good morning, Jeff. Wonderful dinner at your home last night. Please thank your wife, Helen, for me; my wife, Susan, and I truly enjoyed your company. As I mentioned to you over dinner, I’m travelling this week to Nashville, Tennessee to attend a conference. So I will be out of the office till next Monday. I forgot to mention to you that I need you to wire these funds this morning for me to our client. Here’s the information – Robert.”
How was it created? Well, there’s a picture of the CEO on Facebook, and a picture of his wife and children with their names. There’s a picture of the CFO on Facebook, his wife and children, with their names. And of course, when he decided to attend the conference two months earlier, he said on Facebook that he would be attending and how long he would be there. They’re taking information from social media in real time and converting it into a phishing email. So exact, so precise and so simple to research.
Phishing emails are nothing more than social engineering. And the fact is, there is no technology, and there never will be any technology, including AI, that can defeat social engineering. You can only defeat social engineering through education.
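The CEO-to-CFO message above combines three things a defender can look for: a trusted executive's name, a sending address that is not the company's own mail system, and an urgent request to move money. The following is an added example written for this article, not code from Abagnale's talk or from the company he describes; the company domain, the executive roster and both sample messages are constructed for illustration. It scores a raw email on those indicators so that high-scoring messages can be held for the out-of-band verification the talk recommends.

```python
"""Heuristic flagging of executive-impersonation (BEC) email.

Added illustration, not code from the talk. Given a roster of executive
display names and the company's own mail domain, each message is scored
on the combination a wire-fraud phish relies on: a familiar name, an
address outside the company, a diverted Reply-To, a payment request and
an urgency or unavailability pretext.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster and domain for a hypothetical company (not real).
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"robert stone": "CEO", "jeff hale": "CFO"}

MONEY_PATTERNS = re.compile(
    r"\b(wire|transfer|funds|payment|invoice|bank details|account number)\b",
    re.IGNORECASE,
)
URGENCY_PATTERNS = re.compile(
    r"\b(this morning|today|urgent|immediately|asap|out of the office|travelling)\b",
    re.IGNORECASE,
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return the triggered indicators and a 0-4 score for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = []
    # Display name of a known executive, but the address is not on our domain.
    if name.strip().lower() in EXECUTIVES and _domain(addr) != COMPANY_DOMAIN:
        indicators.append("executive display name on external address")
    # Replies would go somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        indicators.append("reply-to diverts to a different domain")
    if MONEY_PATTERNS.search(body):
        indicators.append("payment or transfer request")
    if URGENCY_PATTERNS.search(body):
        indicators.append("urgency or unavailability pretext")
    return {"from": addr, "score": len(indicators), "indicators": indicators}


def needs_callback(raw: str, threshold: int = 3) -> bool:
    """True when the message should be held until the request is verified by phone."""
    return score_message(raw)["score"] >= threshold


# Constructed sample: the pattern of the CEO-to-CFO phish, from a lookalike domain.
SPOOFED = """\
From: Robert Stone <robert.stone@example-corp-mail.test>
Reply-To: robert.stone@webmail.test
To: Jeff Hale <jeff.hale@example-corp.test>
Subject: Funds for our client

Good morning, Jeff. Wonderful dinner at your home last night. I'm travelling
this week to a conference, so I will be out of the office till next Monday.
I need you to wire these funds this morning for me to our client.
Robert
"""

# Constructed sample: a routine internal message from the real CEO address.
LEGITIMATE = """\
From: Robert Stone <robert.stone@example-corp.test>
To: Jeff Hale <jeff.hale@example-corp.test>
Subject: Board pack

Jeff, the agenda for the board meeting is attached. Thanks, Robert
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, score_message(sample), "hold for callback:", needs_callback(sample))
```

The score is a triage aid, not a verdict: the spoofed sample trips all four indicators and is held, while the routine message scores zero. A genuine executive mailing from a personal account about an invoice would score two and pass, which is the intended behaviour, and the control that actually stops the fraud is the one the talk describes under verification: the CFO calls the CEO on a number already on file before any wire is sent. In production the "external address" check should be backed by SPF/DKIM/DMARC alignment rather than the raw From header alone, since that header is attacker-controlled.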
I could go into any company in the world, whether it be a Fortune 100 or 500 company or Frank’s plumbing shop with 12 employees, and I’ll find the same soft spots. There are soft spots, vulnerabilities, everywhere. Even in your own home, you have a refrigerator that tells you how much milk is in it, you have a thermostat you control from thousands of miles away, you have cameras around your house, and when you leave, you can go on your iPhone and look at your property. You have a device that you can talk to and ask what’s the weather today or order this from Amazon. All of those devices can be hacked and manipulated; they are weak spots.
We develop a lot of technology around the world. But unfortunately, we very rarely vet that technology.
Why use passwords?
I hate passwords; in every book I’ve ever written, I said I hate passwords. Passwords are for treehouses. They were invented in 1964, when I was 16 years old, before I did any of the things I did. I am 74 years old, and we are still using passwords. How is that possible when we know that 63 per cent of network intrusions are the result of compromised user passwords?
Half of the US was simply closed down by a compromised password. 81 per cent of hacking-related breaches are due to weak or stolen passwords, and 579 password attacks happen every single second of every day, or 18 billion attacks a year.
If we take the three largest banks in the US, just the three largest names, they spend over $100 million a year just resetting passwords in their call centres at $70 a reset. Why are we still using passwords? Well, I’m glad to say that passwords are going away.
This year, Microsoft, Google and Apple are going to install passkeys on every Apple phone in the world by the end of this year; that will enable people to use passkey technology and get away from using simple passwords or memorising passwords.
Millennials are scammed far more often than elderly folks; only elderly folks lose more money because they have more money to lose.
Unfortunately, what I did 50 years ago as a teenage boy is 4,000 times easier today. I didn’t have all the technology we have today. So for me to forge a cheque, I needed a printing press, colour separations, negatives, plates, typesetting, and the skill to operate the press. Today, I open my laptop, I create a cheque in a few minutes, I go to the company’s website, I capture their logo, I put it on the cheque, and I make the cheque as fancy as I want, with as many colours as I want.
Unfortunately, we live in a too-much-information world which is accessible to all. So if I call that company and ask for their bank transfer instructions, they tell me where they bank and give me that information; they even carry this information on their invoices. If I call their corporate communications, they send me a copy of their annual report. And on page three are the signatures of the chairman of the board, the CEO and the CFO, a treasure trove on white glossy paper in black ink; I scan it and put it on the document that opens the doors to the company. I would never have believed that 50 years ago, but I can tell you what I did 50 years ago is now 4,000 times easier to do today.