
Paula Pant
What if invisible digital threats are putting your money at risk? Right now, cybersecurity might be the overlooked weak point of your financial plan, because getting scammed or getting hacked are things that could ruin your retirement and put a serious dent in your net worth. We're going to discuss that, and how to protect yourself, in today's episode. Welcome to the Afford Anything podcast, the show that understands you can afford anything, but not everything. Every choice carries a trade-off. This show covers five pillars: financial psychology, increasing your income, investing, real estate, and entrepreneurship. It's double-I FIRE. I'm your host, Paula Pant. I trained in economic reporting at Columbia. Today's episode focuses on protecting your wealth and protecting your business in the digital age. Our guest today, Dr. Cole, is a former CIA hacker who is now a cybersecurity expert and has advised multiple major companies. He's been inducted into the InfoSec Hall of Fame, and he served on President Obama's Commission on Cybersecurity. Welcome, Dr. Cole. Why should any ordinary person who's listening to this right now care about cybersecurity? How does it affect their money?
Dr. Eric Cole
The short answer is you're a target. Most people don't realize that, because here's the reality. If you go in and look at a $3 billion company, they have a team of 60 people doing cybersecurity. You try hacking them? Good luck. You look at some big names like Bill Gates or those types of folks, they have dedicated people and cybersecurity specialists like me monitoring and tracking their accounts.
Paula Pant
So you're an advisor to Bill Gates, right?
Dr. Eric Cole
Yes, his personal estate. So you go in and look at those types of folks. Good luck. Because most people think cyber attacks are going after $100 million from one individual. The reality is, if you go after a small business owner, or somebody who owns a dental practice, or even a doctor that works at a hospital, or a professional in other fields, they probably have nobody guarding their security. They probably have minimal security measures. And here's the thing. If I go in and steal $50 from everybody every month, most people won't notice it. And I'll show you some tricks later, but most people don't check their credit card statements. So if there was a $20, $30, $40, $50 deviation, they wouldn't notice it. So we sort of call it the death by a thousand cuts. So the reality is you could have money being drained from your account that over years could be costing $20,000 or $30,000, but it's done so low and so little, you don't even notice it. So it could have a huge impact. Second, if you don't have good cybersecurity, I can trick you into going to a website that you think is legit. And you go in and put in your name, your date of birth, your address and things like that, which is very common. Most people give that out like candy on Halloween. And you do that and you have your identity stolen. Somebody can go in and open credit cards. It's very common at Costco and Target and these other places, because when you go in to make a purchase, they say, hey, do you want to open up a credit card?
Paula Pant
Right.
Dr. Eric Cole
Try doing it once. It's scary, the minimal amount of information you need about somebody. We get this all the time with our clients, where they're opening up multiple credit cards. They're spending $500 or $800, so it's below the fraud alert systems. They know how the fraud alert system works. Target's fraud alert: if you're under eleven hundred dollars, it won't alert. So they're going to always stay between $700 and $800. They know how to bypass the security system. But then here's the reality. They open up four or five credit cards in your name, they run up $800 or $900. They go to a bogus address, but they're under your name. It destroys your credit. So now a lot of my clients, they think they have great credit because they're always paying off credit cards. They're always doing good financial things. They go to get a loan, or they go to buy a house, and they get denied because they have like a 220 credit rating. And they're like, how could this be? And they're told, well, you have five outstanding credit cards with unpaid debt on them. And it destroys your credit. So it can also impact your credit on that front. It could basically take over your identity, your bank accounts. A big area that we see a lot of professionals getting burnt on is cryptocurrency. One of the cool things about cryptocurrency is it's untraceable, right? That's why people like it. That's why it's used for ransomware and other attacks. But the problem is a lot of people have their crypto wallets with a password. And those passwords are known. If you use the same password across multiple sites and you're not using two-factor, they can go in and empty your wallet. And we've seen this all the time, where I get these calls from folks like, Eric, I put my entire life savings in cryptocurrency and ran it up to $500,000 or a million dollars. And I woke up this morning and it's empty. What can I do? And the unfortunate, sad part is: nothing.
So it's one of those things with cyber: it's prevention and detection, and you need to go in and protect that. And then the last thing is, if you have parents or grandparents, they're one of the biggest targets because they have money, they have time, and, this is not a negative, but they didn't grow up with the technology. They're naive and they trust people. So if they go in and get a message saying, hey, this is from your bank and we're noticing unusual activity, please click on the link, they will, and they'll empty out their bank accounts. To me, one of the movies that everybody needs to watch, the action is a little questionable, but it's a great movie, is called The Beekeeper with Jason Statham. It's an action flick. But the core message in the movie is there's this wonderful 65-year-old lady, she's a mom, and I mean she's just the sweetest, kindest person. And she has her life savings of about $800k, and she's running a nonprofit to help underprivileged children. And she raised $3 million to invest in an orphanage for these kids. And she gets this scam message that says, hey, you've been hacked, please call us, we'll clean up your system. And it's real, it's a fraud. And within 10 minutes she gives away all her information, they're super good. It wipes out her entire life savings. And then, because she's so distraught, she takes her own life. And unfortunately those things happen a lot, where we see that with parents and grandparents. And imagine if your parent or grandparent got hacked and they lost everything. That would be devastating. And then the other big area that I don't even like talking about, because it gets me so angry and frustrated: you've seen recent stories with this sextortion with kids, where these kids are very successful, they're 17, 18, they're real good in sports, they have a scholarship, they're accepted to a college, and somebody hacks or does cyberbullying. And a lot of these kids can't handle it. They don't know who to talk to.
And we're seeing more and more of these children taking their lives because they just can't handle that reputational damage. So whether you have kids, whether it's you, or whether it's your parent, cybersecurity over the next year is going to impact your life. So if you don't start taking it seriously. And the good news is, as we'll talk about, there's lots of easy, common-sense things you can do. But it's one of those things where every day, when I wake up in the morning and throughout the day, I'm getting calls from family members, friends, or people that found me online with these devastating stories. So it's one of those things, to the listeners: it's going to happen to you. So the more proactive you are, and the more you can realize you're a target and cybersecurity is your responsibility, you can save yourself headaches or devastating events happening to your family.
Paula Pant
Wow. One thing that I hear in your answer is a variety of different types of ways that you could get attacked. You mentioned ransomware, you mentioned identity theft. You mentioned a number of... you mentioned phishing schemes.
Dr. Eric Cole
Phishing schemes are very common, where they'll send you links or text messages. Yeah. Ransomware, or what they call extortion. Going in and stealing your identity, your credit. Bank hacking. There's a whole, whole range of attacks.
Paula Pant
Can we go through what some of those attacks are? What is bank hacking? Can they literally access your bank account and take money from a bank account?
Dr. Eric Cole
Yes. A lot of people do not realize this, but most of your banks will allow you to do EFTs, electronic fund transfers. And most banks, depending on the size of your account, will let you take at least 50% in an EFT. So if you have $200k in your savings account, they can actually do an EFT for under 100, like $75k or $80k. And you do not get an alert. And all they need is your account number and your password to be able to get in and do those types of attacks. And the reality is you put your account number in a lot of different places.
Paula Pant
Yeah.
Dr. Eric Cole
And one of the things that people don't realize is like, you pay with a check.
Paula Pant
Yeah, yeah. Your bank account number's written at the bottom of the check.
Dr. Eric Cole
Exactly. And those checks sometimes can easily be caught or accessible. And especially when you do online purchases and you go in and put in your checking account number. Like online billing, a whole other topic. But think of how many different locations, from local municipalities to small little places, have your bank information.
Paula Pant
Right.
Dr. Eric Cole
And then, so I get your bank account information, then I can go in and guess your passwords. Because most people have probably had their account and passwords taken in attacks and available on the dark web. And there's actually dictionaries of common passwords that people use. So if you're using dictionary names and numbers, which most people have some sort of predictability around, those passwords are readily accessible. So now I can go in, get your banking information, get password information, and depending on your security settings, that can sometimes be enough to go in and do EFTs. And then here's the problem. If you don't have alerting turned on, which is one of the things we'll talk about later in the show, if you don't have that turned on, most people don't check their bank accounts for multiple days. And the way it works with the fraud-based systems is you have 48 hours to report it, because there's a 48-hour hold, and then they transfer the money and it's too little, too late. So if you go check three or four days later, you're pretty much out the money. And the problem is if it's because of your negligence. And that's a hard pill for people to swallow. But if you had a weak password, or you didn't protect the password, or you didn't turn on the security settings, most of the time you're liable, not the bank. So you're actually out that money. And that's sort of the same thing with cryptocurrency. So people don't realize this. And when we talk about the security settings, people always say, oh Eric, that's an inconvenience, like spending five extra seconds logging in. But what I always tell people is, okay, five seconds is an inconvenience, but having your entire bank savings or your identity stolen, you're going to be inconvenienced for nine months. So which inconvenience do you want? Right. Do you want a five-second or a nine-month? So people just don't think it's going to happen to them.
And the reality is it's happening to average people, folks that are business people, small business owners. So whether you're making $100k or $100 million, it's across the board. Nobody is spared from these attacks.
Paula Pant
Why nine months?
Dr. Eric Cole
Just because if you go in and your identity is stolen or your bank account is wiped out.
Paula Pant
Yeah.
Dr. Eric Cole
If you look at the amount of effort, because you're going to have to submit forms, you might have to get attorneys, because some of these banks are getting hit so much they can't pay out or go in and give you the $90,000 back. So you have to sometimes fight them, do legal action, put in new security measures. And then think about most people: if they lose $90,000, that could impact their lives. They might have to sell their car or sell their house or apartment. So when you look at.
Paula Pant
So you mean many months?
Dr. Eric Cole
Many months?
Paula Pant
Yeah.
Dr. Eric Cole
It's not a set number, but I'm saying it negatively impacts you. If you look at the emotional impact, like your kids going to college, and you saved the money to put them through college, and now your child can't go to college because your money's wiped out, or now you have to get a loan and you have to work a second job. So you look at the emotional impact and the impact on your family, and it's, once again, it could be even more, but it's many, many months. And I find on average, when you look at the emotional support, the time, the energy, the effort, that is usually somewhere between six to 12 months that it negatively impacts you. So that's why I just use nine as an average.
Paula Pant
Right. Wow. So I think a lot of people understand that cryptocurrency is the Wild West, and there's a lack of regulation. And part of the risk that you take if you decide to go into cryptocurrency is that lack of regulation, that lack of rule of law protecting what you're doing. But I think that most people, myself included, didn't know that or don't know that about bank accounts, because banks are one of the most highly regulated institutions in the United States. Other than pharmaceuticals or weaponry, there are very few industries that are more highly regulated than banks and financial institutions generally. So I think a lot of people would be surprised to learn that even the money in a bank account can be that vulnerable.
Dr. Eric Cole
Yeah. The thing you have to remember is, you're right, it is one of the highly regulated industries, but the regulations are around protecting the bank if they get compromised. So you go to your bank and it says you're FDIC insured up to $300,000? That's if the bank gets hacked.
Paula Pant
Yeah. 250, I believe.
Dr. Eric Cole
Or 250. So if the bank gets hacked and the bank goes out of business, you're covered. But what people don't realize is the regulation, and it's scary, because the US is one of the few countries in the world that doesn't have a unified law on security and privacy that protects citizens. Most of the regulations out there are protecting the entity. Like HIPAA protects hospitals. It doesn't protect individuals. The bank regulation protects the bank. So if the bank goes bankrupt or out of business, you're protected. But if you don't protect your password and somebody gets in and gets your user ID and password, the regulations don't protect you from that. You're liable, not the bank. And that's where you have to be real careful there. Because, yeah, we think it's all regulations, but they're not protecting you, they're protecting the institution.
Paula Pant
In addition to bank vulnerabilities, can you go through some of the other ones that you described? So you talked about ransomware, phishing, identity theft. Phishing, I know, is a big one when it comes to closing a mortgage, buying a home.
Dr. Eric Cole
Yeah. So phishing is a technique of, it's basically what we call social engineering, which is the most common method of exploitation, where you're tricking or manipulating someone to do something they normally wouldn't do. So, common phishing techniques. I don't know if you've seen this, but it happens a lot. You get a text message that says you have unpaid tolls in Florida.
Paula Pant
Yeah, I get those messages all the time. And I look at them and I'm like, I don't have a car. I live in Manhattan. I don't have a car. But I get messages probably two, three times a week telling me I have unpaid tolls.
Dr. Eric Cole
And here's the thing. You have to remember, the frequency with which you get them is the frequency with which people are falling vulnerable to it. If they sent out that message and nobody clicked and nobody replied, they'd stop. So when you're getting any of these, like the unpaid tolls or messages from Amazon or your bank or things like that, and it's fraud, because you look at the messages or you look at the email and you're like, hey, this doesn't feel right, the frequency with which you're receiving it is the frequency with which people are falling victim to it. So just that Florida toll example, which is like $49, they have made over $3 million on that in six months. And the problem that we have is we know who they are, we know where they're coming from, but they're in countries that don't have extradition treaties, and it's not against the law. A lot of these attacks are coming from Russia, and then people are surprised, North Korea, Iran. Those are big scams, because they're easy, they're simple. And we don't have extradition treaties or laws. So the problem is law enforcement and cybersecurity professionals like me, we know where they are, but we can't do anything. So that's why these attacks continue. And then the other thing with phishing is we see these all the time. You get a message that looks like it comes from Amazon. Nothing against Amazon, just that they're the biggest retailer. And it says the recent order you just placed is on backorder. If you want to receive this item within the next 24 to 48 hours, click on this link to reorder. And you go, how do they know who ordered it? Here's the reality. Most people are ordering from Amazon.
Paula Pant
Yeah.
Dr. Eric Cole
So if I send it out at 9 in the morning and 3 o'clock, the probability that at least 20 or 30% of the people have probably ordered on Amazon is pretty high. So once again, people think it came from Amazon. They're not checking, they click on the link, and then, once again, stealing credit cards, stealing bank accounts, stealing money, stealing information along those lines. So that is by far the most common. And one of the tricks we'll talk about later is: do not click on links under any circumstance. And you're like, but Eric, how do you then do business? Use the app. So if I get a message from Amazon that says, hey, there's an order that has an issue, I don't click on it. I delete it. I go to the app. So you have to just train yourself on good cyber hygiene. And then the other big attack, it's more business focused, but it happens with individuals, is ransomware, where essentially they go in, and it's usually done with a link again, where you click on a link and it goes and encrypts your hard drive. Or if you're at a company, it goes to your database of all your clients and encrypts it, and then it basically pops up a message saying unless you pay X amount of money, you'll never see the information again. And once again, these are big businesses. One of the big ones is there's a company in Russia, a company, so it's an actual company, called the Cyber Investment Firm. It is a company, it's a building, a three-story building. They have 700 employees. These employees get benefits, they get salaries, they get days off and PTO, they go into the office, they have badges, they have everything else. And the entire business is going in and doing ransomware.
Paula Pant
Wow.
Dr. Eric Cole
And once again, because in countries like Russia and others, they're tied to government officials, so it's not illegal, there's no extradition treaties. So these are actually running as businesses that are targeting you and your family, and they know what your price point is. The average person that has all their family pictures, all their taxes, all their information on their computer or laptop. If I encrypt it and say, you'll never see the data again, but if you pay $300, you'll get it back. Are your pictures, your life, your tax returns worth $300? Absolutely, right? So most people will actually pay it. And it's a sad state of affairs. But as security professionals, even law enforcement, because there's nothing else we can do, and the encryption is so good we can't break it, we unfortunately tell people that most times it's actually better to pay the ransom than to be out and lose all that information and all that data. And now companies, they go in and know the price tags. I don't know if it came all the way up to New York, but if you remember two years ago, the Colonial Pipeline, the biggest oil pipeline for gasoline on the East Coast, our gas stations were closed for five days. We had no gas. On Monday, when it happened, I went to get gas to fill up the car. It was a 30-minute wait at the gas station. And by Tuesday evening, every gas station was out of gas. So people were panicking and no.
Paula Pant
You live in the DC area, in.
Dr. Eric Cole
The DC area, in Virginia. And all these security professionals were like, oh, they're not going to pay the ransom, they're not going to pay the ransom. I was one of the few that broke the story on they're going to pay the ransom. Because the reality is, if they don't pay the ransom, they're going to lose $30 or $40 million in lost revenue. If they pay $5 million, they'll be up and running within 12 hours. And sure enough, by Thursday, I was right. They paid the $5 million ransom and gas was restored by the weekend. So these are the things with bigger companies. They know the monetary loss and the pressure points. So the ransom demand is going to be low enough that it's actually easier to pay the ransom than suffer the pain of having your systems down and unavailable.
Paula Pant
Wow, there's something that feels very mafia about that. It's the cyber equivalent of someone coming to your store with a baseball bat and saying, it would be a shame if anything happened.
Dr. Eric Cole
Yep, right. And you just nailed it. Because here's the reality: that is really the hard part of why I sometimes tell companies, if you don't pay the ransom, you lose $30 million. But if you pay the ransom, you get your information back. But here's the problem. If you pay the ransom, now you're on the frequent flyer list. It's like New York in the 70s. The mafia would come in, and they'd be like, if you don't pay for protection services, then we're going to trash your store.
Paula Pant
Right?
Dr. Eric Cole
You don't believe them, they trash your store. So then you pay the, whatever it is, a hundred, couple hundred bucks. But once you do it once, you're going to have to pay every single month, non-stop. So the same thing: if you pay the ransom and you don't then fix the problem and hire good security professionals, they're going to come back every quarter and hit you up, going, hey, because we're such nice people, right, such nice evil hackers, instead of $5 million, we're just going to charge you $100k every quarter. So if you pay $100k, we'll provide security protection, right? It's all marketed as a business. It's not evil. It's like, we'll provide security protection and monitor your site and we won't hit you with ransomware. But if you don't pay, then you might have to get hit with ransomware every three to four months. So it's actually a Mafioso disguised as sort of nice, legitimate services, but it's really not. So it's one of those things: you pay once, and if you don't fix the problem, you'll keep paying over and over again.
Paula Pant
Wow. And this happens to individuals as well, right?
Dr. Eric Cole
Yes, so the price tag is lower, but it happens to individuals. But here's the problem: if you or the average person gets hit with ransomware at their home, it's $300. So unfortunately, if you try reporting it to the police, it's a small amount. Yeah, they'll file a police report. They're not really going to do anything.
Paula Pant
Right.
Dr. Eric Cole
The FBI is not going to be concerned because it's typically under their limits, which are usually $5,000 or $10,000. And the media doesn't care about $300. So nobody realizes how bad it's happening. Nobody realizes that it's happening to people across America on a regular basis, where they're paying anywhere from $100 to $300, because they know what your income is, so they know what you can afford. So they tailor the ransom to that amount. But because no one's socializing it, no one's talking about it, no one's bringing it up, people have no idea how bad it is. But it is really a pandemic that's impacting a large number of people, and nobody's talking about it.
Paula Pant
How are the types of cyber attacks that we're discussing right now similar to or distinct from scams? Right. So when I think about, for example, the grandparent scam, someone calling a grandparent and saying, hey, your grandson is in jail, you need to send money for bail, send the bail money to this address. Is that a different classification of financial problem, or... how are cybersecurity and financial scams related or different?
Dr. Eric Cole
If you go back sort of four or five years ago, they were sort of different. And then the scams were very targeted on purely monetary, and they were really phone driven, where they'd call you up and say, hey, your son was arrested or something happened, you need to give us two or three hundred dollars, mail it or EFT it. But today, because of the technology and artificial intelligence and all those, they've really sort of merged together, where now they're almost one and the same, and it's the same entities doing it. So if you go in and think about it, it's really just a delivery mechanism. So if I send you an email that says, hey, I've been arrested, or, I don't know if you've seen this on social media, where social media accounts will get compromised and then they'll text everybody in your following saying, hey, I'm traveling to Puerto Rico or Mexico and the most unfortunate thing happened. My wallet was stolen, my driver's license was stolen, my credit cards were stolen. I am stuck and I have no way to get home. Can you do me a favor and send $500 to this account, and I will pay you back when I get home. But otherwise you might never see me again, because I have no way of getting home. I have no money and no access to anything. Now most people, if you're nice and kind and it's legit, like if my friend legitimately had that issue, I'd send them the money in a second. So people get emotional about it, they think it's important, and they'll send it. That message, I could call on the phone, I could do it in social media, I can do it in an email. So it's really the same message of social engineering. It's just done at different levels of delivery. And sort of a funny story with that is one of my friends had his account hacked, and he had like 500 people in his contact list, and they sent out that scam. And I'm talking to him and he's mad, and I'm like, dude, how much did your friends lose? He's like, nothing. I'm like, why are you mad?
He's like, because none of my friends cared. He goes, here I'm telling them that I'm stuck in a foreign country and not one of them paid the amount. And I'm like, dude, you're missing the point. Right? But it was funny how people emotionally, personally react, going, nobody cared enough to actually fall victim to the scam. So it's sort of crazy. And then you layer on, like you look at those scams where they call your parents and say, hey, I've been arrested. Or the grandparents, right? They used to just use a voice saying, hey, this is Officer Jones, I just arrested your son and his bail is X amount. But now with AI, they're actually mimicking your kid's voice. So now, because think of it, a lot of kids put videos out. Your child puts a video out. I have their voice, right? I now can train an AI model to mimic their voice. And now I can call their grandparent, because guess what? Their grandparents are following them on social, so it's very easy for me to find the grandparent. A lot of people list their contact information. So now I can call the grandparent with the actual child's voice saying, hey, this is eripa, and it sounds exactly like their voice. And now the probability of people falling for it is much, much higher.
Paula Pant
Exactly. I actually had a conversation with my parents about that because when AI first became ubiquitous, I became really nervous about the fact that as a podcaster, we're at over 600 episodes.
Dr. Eric Cole
Yeah. There's a lot of your voice and video.
Paula Pant
Yeah, exactly, exactly. Right. And each episode is a minimum of an hour, sometimes an hour and a half or longer. There is probably a thousand hours of my voice in the public domain. I'm incredibly easy to mimic.
Dr. Eric Cole
Yes.
Paula Pant
And so, to the best of my knowledge, that hasn't happened yet. But what does happen, and what's frequently happened with me, is on social media I will have accounts that pretend to be me. There will be these, what's the word for it? A spoof account, right? A spoof account that pretends to be me and that sends out messages to all of my followers. And, without exaggeration, there have probably been at least 150 spoof accounts that I'm aware of over the years. And what is concerning to me is that on multiple occasions there are people that I know, nobody I know closely, but distant acquaintances, who have genuinely believed that they've been having an exchange with me. So one time I went to Greece and I was chatting with a friend of a friend, and she started bringing up this conversation that we had had on Instagram, and I was like, what are you talking about? As it turned out, she'd been chatting with the spoof account, believing that it was me, and it was only the fact that we happened to meet face to face in Greece that cleared the air. Otherwise she might have believed that forever.
Dr. Eric Cole
Yeah, and your prime example is influencers, or people that are on social media. The more influential you get, the bigger a target you are. And I hate to say this, because you're growing rapidly, so unfortunately it's going to happen where somebody is going to start putting out videos with AI that look like you, but they're going to have discriminatory messages or negative publicity, trying to go in and hurt your brand or hurt your reputation. And then the other thing is, you've been lucky so far, because it sounds like you must have good security on your primary account. But the other scam is they set up all these bogus accounts for you, and then they take over your primary account, and they say, unless you hire, and notice how they do it, they don't say ransomware now, because that could be illegal under some of the laws, they go in and say, unless you hire us for security protection. Right, the Mafioso model. Unless you hire us for security protection, you'll never get it back. But guess what? If you hire us, we'll do reputational improvement and monitoring, so it sounds really legit, and we'll make sure this doesn't happen in the future. And because you're such a great, wonderful person with such a great message, Paula, we're going to go in and charge you $39 a month. Now, once again, you don't like it, but $39 a month to get your account back and to be able to talk to your audience and not have it hijacked with bogus accounts is probably worth it. Then they'll go in and say, hey, for an upcharge of $29 a month, we'll remove all the bogus accounts. So now when people search on your name, they only get your account and nobody else. And once again, for most people, the discomfort is so hard that the money is worth it. And they're now spending $60 or $70 a month, so less than $1,000 a year, on so-called fake cyber protection.
But to stop your account from being hacked and stop the rogue accounts from being set up, we get contacted by influencers all the time that are just like, I'm losing hundreds of thousands of dollars because my account's been hijacked and I can't communicate, and bogus accounts are putting out false information. So now my user base is getting corrupted, frustrated, and biased, and I'm losing followers, I'm losing money. How do I get it back? And unfortunately, in a lot of cases, if you didn't prevent it in the first place, it's very hard to get it back after the fact.
Paula Pant
And, you know, and one of my big fears is that someone will scam a fan of mine who will pay money, believing that I have asked them to do so.
Dr. Eric Cole
Yes.
Paula Pant
So I know there's a guy who's in our space named Mr. Money Mustache, and he has publicly written about how someone spoofed his account, sent out messages to a bunch of his followers, and one of his followers paid $1,500 for some quote unquote investing course because they believed that it was coming from him, because that person trusted him as the person, as the recipient of that trust. That is such a responsibility. Right. So that's a huge, huge fear of mine. I know that many of the spoof accounts that have pretended to be me have sent messages out to my followers asking, either talking about some quote unquote investing course or asking if they invest in crypto. Over and over and over in my Instagram stories, I will create videos, you know, of myself saying, hey, it's. It's me. Like, just to reaffirm. I will never, ever, ever, ever, ever in my life will never initiate a DM to anybody, you know, B. I will never DM any, any one of my fans to ever ask for a sale of any sort. Not even for a course that I actually run. Right. Just never going to do that by DM. But when I tell my audience that, I know that it's only a small fraction of them who are actually hearing that. Right. And statistically speaking, the overwhelming majority of people are not going to hear those messages.
Dr. Eric Cole
Yep, exactly. And then this is a hard part is like with your friend, if somebody does that, where they create a fraudulent account.
Paula Pant
Yeah.
Dr. Eric Cole
And a lot of people don't understand it. So now they think you took $1,500 from them. So now the question is, what do you do? Do you tell them, well, listen, that wasn't me, and sort of stinks to be you. And then they're going to be annoyed at you because they're going to think you ripped them off. Or in a lot of cases, these folks, if they're making enough, they'll actually be kind enough to refund the person or give them a free course or give them Something else. But then you have a financial impact because somebody else created fraud. So, yeah, you're on the right thing putting messages. But the other big thing is to really tell everyone, this is my only account. I do not text from any other account. This is my only Instagram account. So if you're getting messages from anybody else, don't click on it, don't go there, don't post it. Or the other thing is, you got to be a little tricky is you then hire somebody to go to all those bogus accounts, and when they post articles or comments, you put a comment in, basically saying, this is not me. This is a fraudulent account. Don't click on it. And because most of them are run by bots and not humans, they don't catch that. So then you can at least be proactive. But then here's the question. Do you really want to spend and should you be spending 15 or $20,000 on hiring a person to solely protect yourself against trollers and cyber criminals out there? But unfortunately, as you grow as an influencer, you. It's a necessary evil because there's people that are going to be targeting you.
Paula Pant
Yeah, I've seen it on Instagram and Facebook so many times. I am not exaggerating when I say a minimum of 150 that I know of. And I only know about it because one of my fans will contact me and say, hey, is this you? Or hey, this does. I think this is a fake account. And my team can tell you, like, you know, we get that all the time.
Dr. Eric Cole
You've been lucky because it sounds like you have really good security. And they haven't been able to hijack your primary account. But I can guarantee you they've tried.
Paula Pant
Wow.
Dr. Eric Cole
And you've just had good security, but a lot of them don't. And I get called all the time from. And I won't mention some of the big names out there. And they're like, eric, my account's been taken over. What do I do?
Paula Pant
Wow.
Dr. Eric Cole
And there's not a whole lot we can do after the fact, except pay to get it back. And then we'll really roll up really good security so it doesn't happen in the future.
Paula Pant
Well, on that note, I'm going to hand you my phone.
Dr. Eric Cole
Okay.
Paula Pant
All right. And so tell me, what am I doing wrong? Here's my phone. It's unlocked. Go wild.
Dr. Eric Cole
Okay. So first thing you did wrong is hand me your phone. You never, ever want to give your phone to anybody else. You never want to give it to a child. You never want to give it to a kid. Like, I see parents in restaurants where they have younger kids and the kid is crying or screaming and they hand them their phone because kids just click anything. Kids go on anything. My family knows, none of them in my pocket. But nobody knows my passwords. Nobody gets access to it. Like, this is like a body part. Like, you try to take this, it's like cutting off my arm. Right. You are not getting access to my phone. That's sort of the first thing is you want to control it. And then if we just go through. So first thing is way too many apps.
Paula Pant
Yeah.
Dr. Eric Cole
So I'm guessing if I go in, I don't want to be too intrusive. But if I look at usage, you probably haven't.
Paula Pant
Feel free.
Dr. Eric Cole
Okay.
Paula Pant
You probably intrusive.
Dr. Eric Cole
Yeah. You probably haven't. So you can actually see what I'm doing. So I'm just going in and looking at your usage data. Looks like about 60% you haven't used in 45 days. So if you're not using those apps, you definitely want to go in and turn that off. And then one of the big things, let me go into your. Find where your settings is. So if we go under settings and then we go under your security, and what I'm looking at there is the tracking of the data. So to see if you have tracking for which apps. So we'll put in your location. See, one of the things you are doing good is you have small print. So for people like me that can't type, you go in. So I'm looking under location services. Do you realize that you have all these different apps are tracking your location. Wow. So, like BeReal Passing, there's a compass that tracks your location. Which if we go in and we look at the compass app, which my guess is it's actually made in China. So, like, you talk about TikTok as an issue. So you actually have a Chinese company that's tracking your location because you have a compass app on your phone. We then go in and Instagram's tracking your location. Mighty's tracking location, PayPal and like, it's about 70 different apps. And the good news is you're like most people.
Paula Pant
Yeah.
Dr. Eric Cole
And people don't realize one of the most dangerous things is free apps, because free isn't free because it basically means that whenever you download it, they're putting on location and monitoring your camera on your device. So then if we go in and I also look at access to your photos, that's also similar. So these are all the apps that can actually access your camera without you knowing about it.
Paula Pant
Wow. So there's a list of like, how many is that?
Dr. Eric Cole
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 20. It's about 35.
Paula Pant
35.
Dr. Eric Cole
There's 35 apps that whenever you use them, they can technically turn on your camera without you knowing about it. And then the other one, that always shocks people because, oh, you're actually doing really good on microphone. Wow. The other two, I'll maybe give you a C minus, but microphone, you'll get an A. You only have a few.
Paula Pant
Ooh, look at that.
Dr. Eric Cole
Yeah. But if you want to go in and be scared because this happens, one of the ones we always see is Chrome. And if you do this, where we start talking about, let's start talking about painkillers and medicine and Ibuprofen.
Paula Pant
Ibuprofen, yes, we'll talk. Ibuprofen, Aleve, naproxen, acetaminophen.
Dr. Eric Cole
So you go into Chrome now and, and you type in ho and it will auto fill in how much ibuprofen to take.
Paula Pant
Wow.
Dr. Eric Cole
Because Siri is actually listening all the time. Let me check that on your phone. Yeah, you have Siri turned on. So Siri's listening and that's what most people don't realize. They're not recording what we're doing. I'm like, how would Siri answer unless it's recording everything you're doing? So those would be one thing. The other big thing, let me check on your. I won't read your text messages. Your text has auto archive to the cloud, which means even if you delete a message or remove a message from your phone, it's still on your device and it's still getting backed up to the cloud and we can recover it. So we work on a lot of these. I don't like them because it's an evil part of society, but these super high profile, like Hollywood stars, when they get divorced and there's hundreds of millions at stake, we get involved and we can get their phone and we can find deleted messages of inappropriate pictures, communications with people that they shouldn't be communicating with and other factors along those lines. So that would probably be okay. Personal hotspot's turned off. Good job on that. That's when we check, we look at Bluetooth. Actually, once again, I'm impressed. Most people with Bluetooth, and I'm victim to this because I have so many devices, actually have auto discovery. So you have about 30 or 40. You don't have auto discovery on, which is very good. You only have a few devices there. So good job on the Bluetooth. But that's something users want to check of how many different Bluetooth devices. Because that's the scary thing is a lot of people, because they like convenience, they have auto connect Bluetooth. So now, like if you go to somebody's house or location, Right. I want to call a play phone and a real phone.
Paula Pant
Yeah.
Dr. Eric Cole
So a play phone is just so I can mess with my friends and I have auto discovery and I go to their house and I'm like, oh, I just connected to your fridge, your thing. Or I only do this with friends. I really know. But most people have smart thermostats in their house or smart ovens, smart fridges. So I'll go in with only people I really know. And they know. What I do is I'll go in and all of a sudden they're like, why is it so hot in here?
Paula Pant
You just start messing with the settings.
Dr. Eric Cole
I turn the thermostat up to 85 degrees. Or I want to make sure I'm careful with this because we don't want to cause problems. All of a sudden I'll turn on their oven or their stove and they're like, what's going on? And they just don't realize how open the different technology is.
Paula Pant
Right.
Dr. Eric Cole
So I would say I could keep going. But those are probably some of the big things that I always look at on people's phones. This number of app, free apps, location services, tracking pictures, camera. I mean, those are really the big things you want to look at.
Paula Pant
Microphone and Bluetooth also.
Dr. Eric Cole
Right. The other one I'll look at real quick. Okay, once again, you're pretty good here. I look at subscriptions. Most people, they don't realize it, but they get these apps that are free, but if you read the fine print, it says in 30 days you'll be charged $19.99. And then they go in and they don't realize it, but they have like almost $700 or $800 a year worth of subscriptions that they're paying and they have no clue.
Paula Pant
Ah, I watch my paid subscriptions like a hawk.
Dr. Eric Cole
Yeah, I was going to say you're actually doing really. You're actually sort of, I would say in the upper tier of people that are security aware. Because most of the time, the big gotchas. You're actually doing really good here. Yeah, I mean, you have the legitimate ones like Instagram, ChatGPT. Those are pretty valid ones. So you're actually doing pretty good on the subscription side. So I would say overall, you're actually doing pretty good. Oh, but yeah, those are the big things for the users: number of apps, usage of apps, free apps, subscriptions, then look at location services, look at camera, look at phone, and then look at those key areas. And then also look at cloud backup and permanent delete for texting and others because the default settings are not secure. And people don't realize this, but once you hit send, save, or post, it lives forever. I didn't bring my forensic tools, but if I did a forensic analysis, and I wouldn't do this to you because it's personal, but I could pull up any deleted text messages, any deleted information or pictures or anything like that. So people that are doing questionable things or texting or sexting or stuff like that, where they don't think it's there because they delete it, it's still there and it can still be recovered.
Paula Pant
How secure is WhatsApp? I ask because I recently had a bunch of friends, we were all talking on WhatsApp, and everyone was like, you know what, let's move to signal. And they're like, we don't trust Meta. Meta owns WhatsApp. And I was like, oh, I don't want to move to another.
Dr. Eric Cole
Yes, I know.
Paula Pant
I'm so burned out on various messaging platforms, I don't want to adopt yet another one.
Dr. Eric Cole
Yeah, WhatsApp's claim to fame is when you're traveling internationally, you don't get text charges for normal text messaging.
Paula Pant
Yeah.
Dr. Eric Cole
So really Wi-Fi. Yeah, it's really the Wi-Fi texting ability, so you don't get charged. So it's really much more popular internationally because, like, in Europe, people travel across countries and their cell charges over there are so much more than the U.S. Right. So, like, most people in Europe are all about WhatsApp for texting because it saves them all this money and cell charges and it's so much cheaper and valid. So it's really good for going out of the country.
Paula Pant
Well, I should say I have a lot of international friends.
Dr. Eric Cole
Yeah. So for international friends, it's a very good tool. But the reality is, and there's a reason why it's out for free. Free isn't free. Because think about this. How in the world can Meta run WhatsApp? It's a lot of servers, it costs them. I think the last numbers I saw was about 55 million a year to run WhatsApp. And they're not charging you a penny.
Paula Pant
Right.
Dr. Eric Cole
How can they do that? That's a bad business model. Except think of all the data they get. Think of all the information. So the good news is they're not tracking you specifically because that actually would be against the law, but they're tracking your behavior based on your profile. So they're going in and saying, okay, we have all this communication about a female in New York City in this age bracket and group and they're building profiles so they can do target marketing for all their other apps and all their other profiles. So yes, they are listening and monitoring. Now they're going in and filtering the data so they don't know it's you. But do you really want all your communications monitored and tracked? And that's really where Signal comes in. Signal, you have to get verified contacts and it's point to point encryption so nobody can read the messages. Now I know if you watch the news, Signal has sort of gotten a little negative press because of some of the people in the White House. But that had nothing to do with Signal. That just had to do with bad user hygiene. That's not a Signal issue. That's a user issue. Right. And one of the things I always jokingly say is you can have the best security and best encryption in the world, but no matter what you do, you can't secure stupid. They're just doing silly. I'm not trying to insult anyone, but the stuff they did with Signal is just ridiculous and simple. So if you and your friends are really concerned about security, like you're doing national secrets and things like that, then Signal is most secure. I'll be honest with you, with most of my friends and most of my communication, because I don't like a lot of apps, we use WhatsApp just because I'm the same way. I have international friends, I travel internationally and to me we're not having any top secret conversations that would get anybody arrested or any issue.
So I sort of just accept the risk that they're doing general profiling on us, but there's nothing specific that can actually be used against me. So it's one of those. If you're aware and accept the risk, I would say it's okay if you really start getting into very confidential type discussions. Like sometimes when we're working merger and acquisition deals because the SEC requires a security review. So if we're doing like high end merger deals or acquisitions where we're going to China or Australia and we're negotiating a $300 million deal and I'm part of the advisory team, we use Signal for all of that, because, like, you use texting or WhatsApp or anything else, they will be able to monitor and see your discussions. And we actually had that where we had executives using standard texting and communication while they're in China negotiating a $300 million deal. And we go into the negotiations the first day, and we're really close. They're saying, hey, we want 350. The Chinese company is saying 280. And we're like, okay, we're super close. So then that evening, I didn't realize it, but the executives and vice president were starting to text each other, going, this is awesome, because we would go as low as 200. But if they're coming in at 280, let's just go at 285 and get the deal done. They come in the next day into the boardroom. I didn't know this happened, but I'm there with them, and they go, okay, 285. And the Chinese company goes 200. And they're like, what's. What are you doing? They're like, we know. Last night you discussed it and you said you'd go as low as 200. So now it's 200 or we walk away. And then they're sort of stuck. So people just don't realize how vulnerable these apps are. And when you talk about corporate espionage and assets and intellectual property, it is very, very active in China, Russia, even Australia. So you just got to be super careful of the type and level of communication. And for super sensitive, you go Signal.
For friendly communication, WhatsApp is acceptable.
Paula Pant
You said signal is point to point encrypted, and WhatsApp is end to end encrypted. What is the difference?
Dr. Eric Cole
Okay, so WhatsApp, when I say end to end, it means from you to the meta server is encrypted. But then they decrypt, and then they re encrypt to your friends. So they're seeing your communication with signal. If I encrypt the data, signal at their servers, don't decrypt it. And then you decrypt it at your point. So. So point to point means we're the only ones that are seeing the data. The servers are only seeing encrypted data. As with meta and others, the servers are seeing unencrypted data.
Paula Pant
Oh, okay. So with WhatsApp, there's really three parties involved, whereas with Signal, there's kind of two parties involved.
Dr. Eric Cole
Exactly. But the benefit of WhatsApp is if you're at a coffee shop or you're on a wireless network, at a hotel or an airplane, anybody else can't sniff or see your communication. So it is protected from local sniffing, but it's not protected from server level attacks.
Paula Pant
Eric, you were the commissioner of cybersecurity for President Barack Obama. Tell us about what happened when he wanted a smartphone.
Dr. Eric Cole
So as you can imagine, Presidents of the United States are people and they're really running a business, just a very large business, the country, and they want to communicate. So you think it's simple, hey, you just go to the store and you buy a smartphone. But the problem is, and what most people don't remember is a smartphone is a tracking device. So do we really want the President of the United States to be able to be tracked anywhere he goes? Any location, any spot in the White House? So we sort of have a challenge where if the President says he wants a smartphone, you can't tell him no, you have to tell him how to do it in a creative manner. So at the time, one of the most secure devices was actually a BlackBerry. So we actually went in and configured the BlackBerry to connect to alternative cell towers. So now if he was, say, in the Oval Office, it would actually show up that he was across the street and vice versa. And then we also went in, which is a key aspect that I do with my phone with high profile individuals, is when he's in the White House or other locations, you turn off cellular and you connect to wireless, because wireless doesn't have the same accuracy of geolocation as cellular does. So we basically went in and I gave him a device so he can still communicate and make phone calls, but he couldn't be tracked or located or present any threats to himself or his family.
Paula Pant
And turning off cellular and just going on wireless, I mean, what that makes me think of is anytime that staying in a hostel in Costa Rica, right? That's exactly what I do, just because I don't want to replace my SIM card. So it's funny to hear that high profile individuals do that as well.
Dr. Eric Cole
The trick though, and this is the magical trick, you have to use something called a VPN or a virtual private network that actually not only encrypts your data, but also masks your location. I always joke, if you're bored and you just want to have a good time in Vegas, don't go to the clubs, just go in and turn on a wireless sniffer because it's technically legal at a big hotel in Vegas. And most people don't realize text messages and pictures are sent plain text over the wire. So you can get some very interesting and unusual and let's say spicy information from individuals and they don't realize that. So if you're going to be texting over wireless at hotels or coffee shops or anything else, it's super simple. You just go to the App Store and put in VPN virtual private network. And there's free apps, commercial apps. And then not only is the data encrypted, but you can mask your location. So now it's even better. So for example, with Barack Obama, we set up his VPN that it can look like he's in Chicago or Nebraska or the location. So now if somebody's actually tracking his device and his IP address, he shows up in an alternative location than where he's really located. So it also provides a level of obfuscation in terms of tracking and monitoring.
Paula Pant
I mean, VPNs have been around for so long that I feel like I don't understand exactly how. But the powers that be seem to understand when you're using a VPN. I say that from the perspective of someone who will sometimes try. I'll be in a foreign country, I'll use a VPN to try to access HBO Max, right? To make it look as though I'm in the United States. And I still get the message that says, sorry, this is not available in your area.
Dr. Eric Cole
So what's happening there is direct VPNs where you're actually basically just encrypting to the local ISP in that country. So in those cases you're still going to be blocked because you're showing up as a foreign IP address. But if you get some of the commercial VPN products, you can actually change your location. So it can actually tunnel to a location in New York. So for example, when I'm in some countries like Saudi Arabia, which are very restrictive, like they're super restrictive on what you can do. But if I go in and have my commercial VPN set up to New York, then I can still access US sites in English as opposed to if I go to Google in Saudi Arabia without the VPN, it's all in Saudi Arabia, I can't read it. So if I go in and change my location. But that's one of the key things we're going to talk about a lot today is these products have great security, but it's turned off. So you need to know to go in and reset the settings. So like if you're using a standard VPN, it'll still be in country, but if you go under Settings, Security, and Location, and you change your location, then you can actually appear in the US and bypass those filtering controls.
Paula Pant
We talked about WhatsApp and we talked about Signal. What about TikTok? Is TikTok Chinese spyware? If you download TikTok, does that mean that the Chinese government could subpoena the company that owns TikTok to get access to your photos? Are we at risk if we have TikTok on our phones, or is that all just a bunch of hype?
Dr. Eric Cole
So, yes, no, maybe, and I'll just go and take you back to sort of a story to lay the context, because I think it's important. So in 2000, I'm part of this different government task force. I think if you read my bio, I worked at the CIA as a professional hacker, so I'm often brought in on these scenarios. And so in 2000, I was part of an unclassified task force, so I can talk about it. And they said, okay, Eric, if you were China and you wanted to launch a cyber attack against the U.S., how would you do it? And I went in and researched and everything else. And I came back with my report. And what I basically said in the report is I would create an app that's targeted at 16 to 20 year olds in the United States because they're the future generation. And I would make this the coolest app on the planet. I would make it like social media on steroids, so you can actually do pictures, text, video, interact and make it so much better than anything that's available at the time. And then I would market the heck out of it to get everybody hooked on it. And then we would monitor and track all their activity for eight to 10 years. And once again, as far as I know, it wasn't publicly published. Then you look at TikTok, and I took out the paper. It was almost an exact blueprint where TikTok is an application focused on 16 to 20. Now adults are using it too, and it's monitoring and tracking everything we're doing. And here's the reality. All of that data on our activities, our behavior, and everything else is stored on Chinese servers that the Chinese government does have access to. So when I said, yes, no, maybe: it isn't active malware. So, like, one of the mistakes that Congress has made, where they're like, it's spyware, where it's gathering and blah, blah, no, no, no, it doesn't install anything on your computer. We've reverse engineered the TikTok agents and it doesn't put any malware on your system. So it's not locally monitoring or tracking. But here's the reality.
TikTok turns on location services. So you're allowing it to track your location with your data and information. So now if you're voluntarily putting information on TikTok about your behavior, your activity, your videos and everything else, and they're monitoring it, that's not technically spyware, that's user cooperation. So everything you post, everywhere you go, everything you do now, good on you. Because you did not have location services turned on for TikTok. So gold star. But most people do. Most people, if I look at their phone, they absolutely do. So we're giving all this information to TikTok, where there's a company that's run in China and tightly connected to the People's Republic, so they're monitoring and tracking. I think TikTok's been in business eight or nine years. The eight years of data of U.S. people that are stored on Chinese servers, we're not talking about that. That's going to stay in China and they're going to be able to have that for the next 20 or 30 years. So they already have predictive analysis on US citizens, how we work and how we operate.
Paula Pant
In the worst case scenario, that data could be used for blackmail. We talked earlier about ransomware.
Dr. Eric Cole
Yes. It can be used not only for blackmail and ransomware, it can also be used for target marketing. It could also be used for tracking and espionage purposes. So for example, if I see somebody on TikTok and a lot of people say where they work and they work at say IBM or a large research entity that's doing high end chip design or high end technology, China can do that and now use that to go in and do target phishing attacks to break into their systems or servers to be able to steal large amounts of intellectual property from the systems. Or you look at what happened with Aldrich Ames at the CIA. He was one of the people that was converted by Russia. What they basically did is the way they converted Aldrich Ames is they basically got blackmail data on him and said, unless you steal information for us, we're going to ruin your life. Well, guess what, a lot of people are posting some questionable things or areas on TikTok that they don't think anyone else is seeing. Well, what if they get access to that and they can do the same thing saying unless you spy for us, we're going to use that against you. So there's so many different avenues that an advanced technology company like China could use to target Americans. The list is so long, it gets scary.
Paula Pant
To take this conversation back to money. There are, as you've elaborated on throughout this conversation, there are so many nefarious things that entities can do with our data. But as ordinary individuals, as investors, one of our chief concerns is protecting the net worth that we've worked so hard to build. The portfolio balance, the income, the legacy that we want to pass on. Can you share some examples of times when it's gone wrong?
Dr. Eric Cole
Absolutely. And one of the biggest areas that we see all the time, and I know I've seen a lot of your episodes, and you're very big on real estate. Real estate's a great investment. And I know you have many properties. I have a lot of properties. And we go in and we buy real estate. Well, very often we're going to go in and get mortgages or closing or we're going to even pay cash. And we're using a reputable bank. So I'm using a really good bank. And we're like, okay, the bank's secure. But we failed to realize is a lot of these closing companies and a lot of these smaller entities that get involved are small businesses. They don't have really good security, and they can often be hacked or spoofed. So I see it all the time. But I'll give a specific example. It's a family that was in Ohio, and, I mean, they were doing okay, but they were two school teachers, and they always dreamed of going in and having a farm. Like, they just wanted to have a nice farm, like a nice farmhouse and tractors and things like that. And one of their parents, they were the only child, and their parents actually did pretty good investment and had good amount of money.
Paula Pant
And.
Dr. Eric Cole
And the dad passed away a couple of years, and then the mom passed away, and they inherited $1.3 million. The farm they wanted was 1.2. Their dream is going to come true. They go to the bank and they don't really need a loan because they're going to pay cash for it. And they get everything arranged and they get the closing company. They put an offer on the farm, it gets approved. They're going to close in 45 days. And five days before closing, they get the message that they're expecting from the closing company that basically says, here's the account information that you need to transfer the money to in order to go in and buy the house. Their real estate broker said, you're going to be getting the message three to five days. It was on the legitimate letterhead. The email looked okay. It came from one of the brokers there. And so they said, great. So they go to the bank, they do the EFT, they transfer it to that account, and then they show up at closing and they're all excited and happy. And the other side goes, do you have a check? And they go, what do you mean? Well, how are you going to pay for the house? You said you offered to sell 1.2 million. And they're looking at each other going, we transferred the money according to the closing company to your account five days ago. And they go, we didn't send any email. And it turns out it was a scam. And we got involved because there was sort of lawsuits of who's liable in this case. And the email for any average person looked legitimate, it looked valid, it had all the proper authentication methods. And it turned out that the closing company servers were hacked and they were sending emails out to select individuals that were cash based deals. Because here's the reality, there's very few cash based deals. So if you're going in and you get a loan and you're only putting $80,000 down, an attacker doesn't want that. So they broke into those servers for three months and they were waiting for a big cash deal.
And once they saw this $1.2 million cash deal, they then targeted them only. And because it was only a one and done, nobody knew about it. And because it was, there was a reason why they did five days. Remember I said earlier, you typically have 48 to 72 hours, you have two to three days. So by doing five days, the money was gone. And now the question is, who's liable? The banks were saying that they weren't. The closing company was like, well, you clicked on the link, that's your fault. And we're saying, well, no, you didn't have proper security and you were compromised for three months. So it's your fault. And then it gets into legal litigation. But here's the part that's heartbreaking. They lost the farm. And it's being fought in the courts. And it's been a year and a half because civil cases in the courts are so backlogged. And if you don't know the court system, criminal cases take precedence. And because the courts are so backlogged because of COVID, if you file a civil case today, an individual, it could take two to three years to get through the courts. And then even if you get a successful verdict from the jury, they could be appealed. So this couple might not see their money for three to four years, they're heartbroken, right? They lost their farm and now they're spending a lot of the money on legal costs to try to get that money back. And unfortunately this is not an isolated story, like we see these types of instances all the time with large amounts. And you're like, well, what could you do? So a couple of things. One is if you're buying any real estate or any large purchase, don't trust email. So what we do with all of our purchases is I go in and I call the actual closing company and say, is this legit? Like did you actually send this email? And then what we'll actually do is. And I know people say it's crazy and it's old school, but I still go to a bank and get certified checks.
Because me bringing in a physical piece of paper, sitting in the room with somebody who's brought their driver's license ID with a notary public and having witnesses in the room that I handed them the check is a much safer and better mechanism than trusting online. So even though I'm a cyber guy, I'm an Internet guy, a futuristic, I don't trust a lot of those traditional systems. So when I'm buying my real estate or I'm doing my investments, it's all paper checks that I'm bringing with me that's assigned to the person certified so it's valid and they'll do it. And then I hand that over. Or whenever I do mortgages, I actually make the mortgage broker come to my house or I go to a bank. We don't communicate email. I tell them that when I'm buying real estate or I'm doing any large purchases, we talk phone or in person. We do not use email, we do not use communication. I do not use websites because they can be so easily spoofed and modified. I know it's convenient, I know we like it. But sometimes going old school, face to face paper checks and phone is going to be so much better and safer.
Paula Pant
Right? The last house that I bought, I paid in cash. I remember getting the email with the wire instructions and being so scared. Instead of relying on what was in the email, I went to the entity's website, looked up the phone number on the website, called that phone number and then verified the information. But to your point, I mean, as I talk through that, the weakness in that is that that website could have been spoofed.
Dr. Eric Cole
Exactly. Yeah. But at least credit to you, you took an extra step. Unfortunately, most people aren't tech savvy like you and you would not believe how many people trust that email and would just blindly transfer the money based on an email. And I mean that's something if I thought of I could have done before our interview is I could have sent you an email from a closing company that you would have thought were legitimate. And when you clicked on the link it would have said Eric says hi, we do that exercise with people all the time just to show how easy it is to spoof email and how you look at these emails and you look at the legitimate email and the email I'll send you, they look identical. There's nothing that you can visibly tell. So I mean the name of the game is for anything sensitive, anything involving money, anything involving your life, anything involving no emails, no links, no clicking.
Paula Pant
Right. Oh, you should rickroll people rather than the Eric says hi. Yeah, that would be, that's true.
Dr. Eric Cole
That would be fun.
Paula Pant
That would be a fun one.
Dr. Eric Cole
I like how you think so.
Paula Pant
So in terms of what we can do, if you're buying real estate, go in person, on phone or in person. Ideally in person, yes. Meet at a bank, meet face to face at a bank for any type of transfer. Use cashier's checks, don't click on links. That's in no particular order. Number two.
Dr. Eric Cole
The other thing I'd add is sort of a 1A or a 1B is if you're investing in real estate, use known trusted entities and always go in person. So like I know a lot of times if you're buying real estate the seller wants to pick a closing agent or pick sometimes out of state entities because they're a little cheaper, they get better deals. And I'm like no, if I'm buying your real estate and I do a lot of real estate investing, I'm using my trusted folks. So I have offices that are 15 minutes from my house, closing companies and loan agents and attorneys that I know and trust. And I'm like, we use these or no deal. And I know them, I trust them and I go to their office all the time. So if you're doing a large amount of real estate, get some known trusted entities and, and always meet in person. Don't get me wrong, there's some really good small one offs and if you're buying a house once on a big mortgage, that's okay. But if you're doing cash deals, real estate trust and control who the people are that you're working with.
Paula Pant
Right, but what happens if one of your trusted entities gets if their servers get hacked?
Dr. Eric Cole
So I'm in person, so the chances of me getting rogue emails or anything like that are super slim, right? But if they get hacked, they don't have any of my money or anything else. I'm bringing the money in a check. So. So even if they get hacked and they try spoofing me or they get some details on the property, or they try sending me eft, none of that matters. And because they're not ever touching my money, the money goes from my hand to the seller's hand. So when I bring that check, I have my fingerprints on it, and I'm not handing it to anybody else but the person selling the house. And I'm having that monitored and tracked. And sometimes if they allow it, and big deals, I actually have a video because I want to have proof that they got the check. So now if they lose the check or they say something happened, I have actual evidence to show that I handed them and paid the money. And I know people are like, you're paranoid. I'm paranoid, I'm crazy, I'm insane. But guess what? I'm safe, I'm secure, and my money's protected. So sometimes online, it's so wild, wild west that having a little sense of paranoia and a little craziness and a little sort of over the top being paranoid is going to go a long, long way to protect yourself, right?
Paula Pant
What would you do? So if you're buying out of state real estate, you say, you say you want that check to go to the seller, if the seller is out of state, the piece of real estate is out of state, your closing agent can be local, right? What video are you taking? Who are you handing that check to?
Dr. Eric Cole
So in that case, as if, if you're actually doing pure out of state, where you're not actually meeting, right. With them, whoever their local representative is, then I will go in and hand them the check. Or in some cases where that's not practical, because unfortunately, there are some real estate deals, like we do some condos and some renovations, and it's all done online, right? In those cases, I will then have a Zoom video call that I record where on the call they authenticate and verify who they are. So they're going to show me their driver's license, I'm going to show their driver's license, we're going to verify and validate, and they're going to tell me their banking information on the call recorded with evidence and validation, and then I will wire to that bank, but I'm getting the validation directly from them. It's as if it's face to face. That's what's great with Zoom technology is it's like a face to face meeting and you can record Zoom. And here's the cool part. It's a social thing, but it's bizarre. If we're in a conference room meeting in person and I want to video it, it freaks people out, right? It really bugs them out. Like this is the weirdest thing on the planet of you videoing me. It freaks people out. But Zoom is so common, right? Recording a Zoom call doesn't freak people out. So in some cases if they don't want to meet face to face or they won't agree to video, I'll jump on a Zoom and record it. And it's much safer and protected. You now have evidence. I get the banking from them. I never trust email. And then we do EFT is bank to bank.
Paula Pant
That makes a lot of sense.
Dr. Eric Cole
And it's one of those where like people like okay Eric, that's a little more inconvenient. It takes a little more time. But as I said before is wouldn't you rather take 10 extra minutes on a zoom call recorded than lose a million dollars?
Paula Pant
Right. Yeah.
Dr. Eric Cole
And then to your other question. So what else can we do? Because I sort of hijacked it. So here's my rules. First, every account from E commerce to banking to health care, you have to use two factor like passwords. I joke passwords are so 1980. If you're going to use passwords you might as well listen to the Bee Gees and wear bell bottom pants. Right? It's so out of sync is you got to turn on two factor authentication. And then this is one of the things I hinted at but we're now getting to this part we're talking about Solutions is every type of service I know of from Amazon to AWS to Instagram to banks to healthcare, they all have two factor but it's turned off by default because we're at this interesting stage where they don't think the public is fully accepting and if they turn on too many security and it inconvenience people, people won't use their service. So I think we're getting close. I'm lobbying. I go to these companies, I brief their boards and we're very to having security turned on. But right now it's not. It's super easy. Go into your account under settings, under security, under authentication and just turn on two factor. It's either 2FA or MFA, two factor or multifactor. And I think most people know what that is. It's where you log in with a username password and then you get texted a one time code, right, that you log in each time. Now I know people go, it's an inconvenience. So here's the middle ground is once you two factor, you can have it remember your device and it will actually remember your IP address and place a cookie which is a unique cryptographic string on your computer. So now whenever you're coming from that location, you don't have to two factor, you can just log in with a password. And now when you travel like you go to a new hotel, it's going to say this is a new location and you two factor again. I was just in San Diego for 10 days for a trial.
I logged in the first day it asked for two factor, but then it remembered my location and IP address and I don't have to do it for the rest of the trip. So there is a balance there. But you can't trust passwords, right? Almost all of the bank money transfers and all of the crypto wallets that have been stolen, I would say 95% of them were passwords. Only very few are two factor. Two factor's really hard to spoof. I mean there's advanced attacks where they can take over your cell, but it's so hard and difficult. It's almost all password. So if you turn on two factor, that's going to go a long way. Second, anything sensitive or involving money put on account notification. So with my banks, if anyone's withdrawing money, EFTing or even deposits, I get a text notification that basically says somebody's trying to EFT $35,000 out of your account. Is this authorized? Yes or no? And if I'm doing the transfer, I know I'm doing it. So I have my phone ready and you have five minutes to reply. So basically I get the text message and I reply yes in five minutes. Now if it's fraudulent and it's the middle of the night and somebody does it, I don't see it till the morning. But guess what, five minutes times out and automatically declines it. So now, and I know once again, people like Eric, that's annoying to get text messages all the time. But as I always say, you know, it's annoying to wake up in the morning and have your bank account wiped out. So it's one of those, you're going to have a little bit of pain, you're going to have a little bit of inconvenience. I'd rather the extra security and not having any fraud committed so account notification is another great mechanism. The next thing which we talked about is if in doubt, buy the app. Don't do free. Like when I go in, if there's a free version and a $9.99 version, I always pay because the paid version doesn't monitor your location, camera or microphone, and free always does.
So minimize free applications then my rule is any app you haven't used in 45 days, delete, get off the phone. And I actually do the 10 app challenge for an entire month. You only use 10 apps, be really selective on the apps and use only 10 apps. And then try to remove or get rid of because any free app that's on your phone is a point of exploitation. So you really want to reduce those apps. Then as we talked about, don't click on links, use apps. So if I get an email that says, hey, there's unusual activity with your bank, or hey, your Amazon order's been discredited, I immediately go into the app and I check the app. Apps are safe, email is not. So don't trust email. Don't use links, always use the apps. And then the last one, which is sort of a little bit of a curveball for most people, is most of the attacks and most of the exploits are written for Windows. Not that Windows is more vulnerable, but Windows is one of the most popular operating systems on the planet. So most of these exploits where you click on links or you get hacked are all Windows based exploits. So I basically, if you look at my little backpack, I only use an iPad because most of the exploits, most of the links, most of the compromises won't work on an iPad. So when I surf the web, when I check email, I basically only travel with iPads because not that they're more secure, but they are simpler and less targeted. So the probability of compromise is a lot less.
Paula Pant
Wait, so I'm hearing two different things in there. One is the Windows versus Mac. The other is laptop versus iPad.
Dr. Eric Cole
Right. So Windows versus Mac, if you're talking about a full MacBook, are about the same.
Paula Pant
Yeah.
Dr. Eric Cole
So the Mac OS, the full Mac OS and the Windows OS are both vulnerable. So those, be careful, like when you're using those. No links, minimize web surfing, minimize email because they're highly targeted and there's lots of vulnerabilities. Then an iPad, which is actually a completely different operating system than the macOS, it's much simpler.
Paula Pant
Right.
Dr. Eric Cole
The iPad has very few attacks, so I use the iPad for email and web surfing. So when I work on client reports, I'm doing large data processing. I use my Windows system, but when I check email or I surf the web, I always use my iPad because it's a much simpler device and less probability of compromise.
Paula Pant
Oh, that's interesting. So I could shift to only using my Mac for when I'm doing audio recording, when I'm doing video editing, things like that. But then shift to an iPad for banking using Google spreadsheets.
Dr. Eric Cole
Exactly. Email, web surfing, all that stuff, that.
Paula Pant
Really basic stuff, and then get rid of most of the apps on there.
Dr. Eric Cole
Bingo.
Paula Pant
Wow. All right. I've got my homework cut out for me.
Dr. Eric Cole
Yeah. Just to tie it all together, basically. Most people, in my opinion, should have three devices. So you have your Windows or Mac for your power user, like for doing video recording, video editing, working on large client deliverables, all that kind of stuff.
Paula Pant
Yeah, you have your desktop or laptop.
Dr. Eric Cole
Exactly. You then have your iPad, which is really going to be for your email, your web surfing, sort of the more risky stuff. And then you have your phone that has most of the apps for doing banking, healthcare and others. But you don't have many apps. You only have the most secure ones. And then you use that for like WhatsApp, texting, Signal and then your phone calls.
Paula Pant
Hmm, that makes sense.
Dr. Eric Cole
Separation. Yeah. You have you sort of three critical devices, so.
Paula Pant
Right, that makes sense. How do we protect our security when we're getting rid of an old device?
Dr. Eric Cole
Shred it, burn it. Explosive? No, pretty much if you're using like Windows Phones and things like that, you want to secure, wipe it. So like if you go to the Apple Store and you're getting a new phone and you transfer everything over to your. A new phone, and then you go into the old phone and you say delete and it securely deletes it. That's actually really good. Like that. They have good encryption, good wiping on it, and it removes everything. If you're super paranoid like me, I don't ever trade in old devices. I keep them, I lock them in a safe. Or there are companies that will physically destroy them. Like they will come. And like some of my real old. I got to the point where I had like 10 phones and. And I didn't have room in my safe anymore to keep all of them. So there's actually companies, and it sounds crazy that companies will come and you go to their truck and they actually have this tub and they actually acid bath it and it basically eats the phone. So the phone is destroyed completely. And I know that's paranoid.
Paula Pant
What a cool job.
Dr. Eric Cole
Yeah. But here's the thing. My stock information and my bank, there's millions upon millions of dollars on there that spending $50 to destroy it is so much safer than even though the encryption destruction is secure. I'm super paranoid. And then with like laptops or MacBooks, what you want to do is remove the hard drives because you're not going to. These are small things. You're not going to acid bath the whole laptop. Plus it's not really good because of all the electronics and glass. So you actually want to remove the hard drives and. And physically destroy them if it's super sensitive. Now for some of your listeners, they're like, okay, Eric is off his rocker and nuts. So for those that don't want to do acid baths, other devices, there are secure delete programs that you can actually go in and will encrypt your entire drive five times and the probability of recovery is almost nil. So if you want to go in and use the secure delete programs like on Apple phones, that's good for the average user if it's super sensitive, millions worth of dollars of investments go in and do the physical destruction.
Paula Pant
Biometric data. When we give access to our biometrics to, let's say something like Clear.
Dr. Eric Cole
Yep.
Paula Pant
Are we. How safe is that? Is that something that you would do?
Dr. Eric Cole
So you asked the right question, which is what? I do it right. So here's how I make security decisions and here's how I recommend people making security decisions. It's never yes or no.
Paula Pant
Mm.
Dr. Eric Cole
It's two questions. First, what is the value and benefit?
Paula Pant
Yeah.
Dr. Eric Cole
Versus what is the risk and exposure? And then if the value and benefit is worth the risk, I do it. So to answer your question, I use Clear. Because here's the reality. What Clear does is it has my biometric data, but it has a small sample set that's unique to Clear. So if you look at facial recognition and not to geek out on you too much, there's actually around 80,000 different unique points about your face, which I know is crazy. If you look in the mirror and go, there's 80,000, but there's 80,000 unique features. You only need 4,000 to get an accurate reading. And one of the reasons I use them and I research them is they don't go in and take all 80,000. That would be dangerous. They only take 4,000. So now even if somebody compromised Clear and they only got 4,000, every other biometric system you're using are using different data points. So they wouldn't be able to replicate or steal your face. It would only be a one time usage. Now, could somebody go into Clear, get my biometric representation, make an actual mask and wear it in the airport and try to pretend me? Yeah, but here's the thing. The probability and difficulty is so hard to do that that I'm willing to accept that risk. I travel all the time getting through an airport 30 minutes quicker every time I travel. If you look at my billable rate, that's well worth the risk of somebody potentially stealing a very limited subset of my mask. So to me, the benefit outweighs the risk. And I use Clear.
Paula Pant
Right. They might not make a mask and use it to try to get through an airport, but could they make a mask and use it to try to face ID into your phone?
Dr. Eric Cole
No, because the phone uses a different 4,000. So everyone has a unique algorithm where they use different data points to get in and then you have the phone. I use biometric data. I love it. Because it can unlock and so quick. And everyone's like, oh, Eric, that's such a big risk. Because they're like, if somebody gets your face and get your phone, they can log in. Well, here's my response back. If somebody has access to my face physically and they have my phone and they're forcing me, they probably have a gun to my head.
Paula Pant
Yeah.
Dr. Eric Cole
And guess what? I have bigger problems. Because guess what? If I didn't use biometric and I only use passwords and somebody has a gun to my head or a gun to my children's head, I'm giving them the information. So it's one of those where sometimes security professionals get too crazy with the hypotheticals going, oh, I would never, ever use biometrics. Because if somebody got this, this and this, I'm like, yeah, but if you got in that situation, you have a bigger problem at that point. Now, could somebody break into my house when I'm sleeping, try to go in and unlock my phone? No, and here's why: your eyes have to be open. And now they go, oh, Eric, what if somebody breaks into your house, gets you while you're sleeping, opens your eyelid and does it? Once again, I have bigger problems at that point. Right. So you gotta be practical about it. Where, yeah, there's a risk, but the probability is so low I'm willing to accept the risk.
Paula Pant
Right. What is a. I have a friend who keeps talking about the Yubikey. Can you explain? What is that?
Dr. Eric Cole
That's a device that you plug in to your phone or your computer that basically auto authenticates you to allow you to go in. So if you don't have the Yubikey, you can't access the device. So it's basically like a key to your house.
Paula Pant
Okay. Is something like that beneficial? Is that something that you would recommend to the average Joe or Jane who's listening to this?
Dr. Eric Cole
No. Here's why. Two reasons. One, it's something for you to lose. Think of how many times people forget things at home, forget their car keys. I've had friends that use it and they go in and they're at the office, or they go on a trip and they forget it at home. And now their phone is bricked, they can't access it. And also to me, it's an additional point of failure. And then here's the other reason why I don't recommend it for the average person. Where are they going to keep their Yubikey with their phone? I noticed you have the little wallet on the back.
Paula Pant
Yeah.
Dr. Eric Cole
So guess what? They keep their Yubikey in the little wallet. Well, that sort of defeats the purpose because now if you lose your phone or somebody gets your phone, they're going to have a Yubikey. So unless you have like really high end security practices where you're going to have a separation and you're going to have somebody with you that has the Yubikey that they can give you to plug in like national secrets, like I would recommend the Secretary of Defense do that because he always has a cadre of people with him. So now he has his phone, somebody else. And when he's gonna transfer secrets about a war strike in Yemen, he gets the Yubikey and plugs it in. So for that type of very high end information, I recommend it, but I don't use one because it's just the risk factor of being locked out versus the benefit isn't worth it to me. I have other security measures in place and that's probably one of the other things I wanna recommend really quick: endpoint security, like EDR. It's called endpoint detection and response. Companies like CrowdStrike, Sophos, McAfee, Symantec, you want to have the endpoint security on every one of your devices. So we said three devices. You want endpoint security on your laptop, on your iPad, on your phone. Most people do it on their laptop, but they don't do it on their phone and iPad. Once again, it's $59 a year for three to five devices. And having extra level of protection is going to help protect. To me, spending $59 on an EDR for your device is much better than having a Yubikey where you have to remember it and plug it in each time.
Paula Pant
And that's for Mac users as well.
Dr. Eric Cole
Exactly. Pretty much every operating system has EDR Endpoint Security.
Paula Pant
I remember in the days, in the old days, seemed as though that was primarily. Well, I'm thinking about Norton Antivirus for Windows.
Dr. Eric Cole
It was only Windows.
Paula Pant
Yeah, right. Yeah. And Norton Antivirus was often so slow that I like. This program itself is the virus.
Dr. Eric Cole
Yes. You know, so 15 years ago, you're right. The endpoint was so terrible and it was so limited, people didn't use it. Today, it's so much more optimized in advance. You wouldn't even know it's there unless there's a problem.
Paula Pant
What? You mentioned that you have a safe. What else is in your safe? Or what should we all put in our safes?
Dr. Eric Cole
I work on very high profile litigation cases. I've had multiple billion dollar verdicts. So when you're working on a $800 million lawsuit against a very large company and you have access to their trade secrets or their source code, that's worth hundreds of millions of dollars, I'm under protective orders that if I don't protect that information and secure it, that I could be liable. So I'm required in those cases with a PO to lock up any of that sensitive data in a safe. So that's one of the first things I have a safe for is critical client information and client data. I also, when I'm not traveling, I store my passports in the safe. I also have my birth certificate and like documents like that. Any investments like bonds and stocks, I keep in my safe. I'll also be a little careful here because I don't want to be targeted. But I'm also a big believer in having cash on hand. So I have not. Not crazy amounts that somebody would want to break in, but. But I have a certain amount of cash in that safe just for protection reasons. I then also back up my devices locally. So my laptop, my phone, my iPad. I don't always trust the cloud. I have local backups every month that I also keep that in my safe to be able to keep that protected. And then I'll usually go in because my iPad I use so much for business. I have a backup that's imaged and replicated so it has an exact duplicate copy of all the data, all the information, all the apps. I keep that in my safe. And then the last thing that shocks people, but I believe in redundancy and backup is my passwords. I know everyone says don't write passwords down. I'm a practical security practitioner. I write them down and I put it in the safe. Because now if something does happen and I forget a password or something occurs and I need to get in or something happens to me and a family member needs to get in, they also could have access to it. So I do keep that in my safe. So those are usually the fundamental things. 
And then my safe is not only fireproof, that's very important because if there's a fire, you want to make sure that nothing burns inside of it. And then I use a two factor component is I use a combination and a biometric. So now in order to get into my safe, you have to go in and have my biometrics and you have to know the combination. So once again, for somebody to get in my safe, they pretty much have to have a gun to my head or a family member in order to get in or access it.
Paula Pant
Right.
Dr. Eric Cole
And then the last thing is you actually want to keep the safe in a non discreet location. Like you want to put it either sort of in a closet or in a certain areas. I and once again freak people out. But, but I have a spot in my house where it looks like it's just a panel. You know how you have the grate for HVAC? Yeah, it looks like a panel but it actually just has two screws and we open it up and the safe is back there. So it's a little non discreet and where I keep it. And then last thing, because I'm, I'm always going to be honest with you and once again, I wasn't going to say it but I always like being honest and complete. I also keep a weapon, a sidearm in the safe. I believe in weapons and sidearms, but I also believe there can be too many accidents and in a lot of cases people have weapons for protection and the criminal can use it against you. So I believe in weapons, but I believe in securing them and keeping them safe. So I keep that in a safe too.
Paula Pant
How large is your safe?
Dr. Eric Cole
Yes, it's about this high and then this wide. And it actually, you see how paranoid it is. It's actually two cabinets, so there's actually a cavity. So there's two different. So all of my business stuff for my clients I keep in one portion of it, which is the bigger portion. And then my personal items, which I know it sounds like a lot, but they're all pretty small, I keep in the bottom portion. So there's actually two different combinations with two different biometrics.
Paula Pant
Thank you for sharing all of this with us. It paints a real picture about what we need to do in order to protect our investments, our money. I certainly have my list of homework assignments that have come from this. Where can people find you if they'd like to learn more?
Dr. Eric Cole
You can find me online. I use doctorericcole D R E R I C C O L E for my Instagram, for my YouTube. I put a lot of videos out there. My personal website is drerichcole.org. my company website is secure-anchor.com and I just want to really thank you for having me on the show because my mission is to secure cyberspace, and many people don't know the dangers. So the fact that you have me here so I can share the message with your listeners, I really thank you for doing that.
Paula Pant
Of course. Of course. Thank you for coming. And, you know, I think this is one of those topics that's incredibly important but often not talked about because it falls under the category of important but not urgent.
Dr. Eric Cole
Boom. You know, until something happens, then it becomes urgent. Yeah, exactly.
Paula Pant
Exactly. So it's. It's just one of those things that. Lingering in the back of your mind, it's like creating an estate plan, right?
Dr. Eric Cole
Bingo.
Paula Pant
Like lingering in the back of your mind, you're like, I really should probably be doing something about this someday. But there's never any triggering event that causes you to take it seriously, and then it only becomes a problem. Like getting flood insurance. Right. No one thinks about it until your house gets flooded.
Dr. Eric Cole
Like alarms.
Paula Pant
Right.
Dr. Eric Cole
Nobody gets an alarm until you're broken into. And that's why I love you asking me about the stories, because we can make it real. It's going to happen to you. Be proactive, and you can minimize it from happening.
Paula Pant
Exactly. Well, thank you for spending this time with us.
Dr. Eric Cole
My pleasure. And thank you for having me.
Paula Pant
Thank you to Dr. Eric Cole, former CIA hacker, advisor to Bill Gates, and former cybersecurity commissioner under President Obama. What are three key takeaways that we got from this conversation? Key takeaway number one: you may already be being robbed and you don't even know it. Because cybercriminals don't just target billionaires or big companies. They figured out that it's easier to steal small amounts from millions of regular, ordinary, everyday people because we don't have the same level of protection that billionaires and big companies have. And so a lot of cybercriminals might be draining $20, $30, or $50 from your accounts every month. A lot of people never check their statements carefully enough to be able to catch that. And so over the span of years, this death by a thousand paper cuts approach can ultimately cost you thousands or even tens of thousands of dollars.
Dr. Eric Cole
If I go in and steal $50 from everybody every month, most people won't notice it. Most people don't check their credit card statements. So if there was a 20, 30, 40, $50 deviation, they wouldn't notice it. So we sort of call it the death by a thousand cuts. So the reality is you could have money being drained from your account that over years could be costing 20, 30,000, but it's done so low and so little, you don't even notice it.
Paula Pant
That is the first key takeaway. Key takeaway number two: your bank won't save you. You're on your own. FDIC insurance does not protect you from cybercrime. There are regulations, yes, but those regulations protect the bank if they get hacked, not you personally if you get hacked. So if criminals access your account using your own login credentials, you're the one who's liable for the loss, not the bank. And if they have just your account number and your password, they can transfer up to half your savings without triggering any alerts.
Dr. Eric Cole
The thing you have to remember is you're right. It is one of the highly regulated industries. But the regulations are around protecting the bank if they get compromised. So you go to your bank and it says you're FDIC insured up to $300,000? That's if the bank gets hacked.
Paula Pant
Yeah. 250, I believe.
Dr. Eric Cole
Or 250 if the bank gets hacked and the bank goes out of business. You're covered. But what people don't realize is the regulation. And it's scary because the US is one of the few countries in the world that doesn't have a unified law on security and privacy that protects citizens. Most of the regulations out there are protecting the entity. Like HIPAA protects hospitals. It doesn't protect individuals. The bank regulation protects the bank. So if the bank goes bankrupt or out of business, you're protected. But if you don't protect your password and somebody gets in and gets your user ID and password, that doesn't protect you from the regulations. You're liable, not the bank.
Paula Pant
This makes it all the more critical to have good security practices in place. That is key takeaway number two. Finally, key takeaway number three: be particularly careful when you're making a real estate transaction, because real estate deals have become cybercriminals' favorite target. They break into the servers of closing companies and they wait for months for the quote, unquote, perfect victim, which is typically somebody who's making a large cash purchase, and then just a few days before closing, they send fake wire instructions that look completely legitimate. Dr. Cole tells the story of two Ohio teachers who lost their entire $1.3 million inheritance, which was meant for their dream farm. And it was all because they got an email that looked legit.
Dr. Eric Cole
And it turns out it was a scam. We got involved because there was sort of lawsuits of who's liable in this case. And the email for any average person looked legitimate, it looked valid, it had all the proper authentication methods. And it turned out that the closing company servers were hacked and they were sending emails out to select individuals that were cash based deals. Because here's the reality, there's very few cash based deals. So if you're going in and you get a loan and you're only putting $80,000 down, an attacker doesn't want that. So they broke into those servers for three months and they were waiting for a big cash deal.
Paula Pant
I actually know another person that this happened to as well. She's public about the story, so I'll say her name, Shannon Allen. She used to be a personal finance blogger back in the early days of personal finance blogging. She at the time wrote a blog on frugality, which is how we knew each other. She also fell victim to wire fraud during the closing of a real estate transaction. She lost $52,660 to wire fraud from scammers. This happens to ordinary people. It could happen to you, it could happen to your friends. I'm not trying to be alarmist, but ever since I heard Shannon's story, I have developed a paranoia around wiring money during real estate transactions. In fact, last year I needed to send $100,000 to a closing attorney as part of a real estate deal. The most reasonable thing to do would have been to send a wire. I actually physically showed up in person at a bank branch and had a cashier's check made, which I then went and hand delivered. Even the people at the bank were like, you know, you could just wire this. And I'm like, I was thinking about Shannon Allen at the time. I even told them about Shannon's story. And I said, no, no, no, I'm insisting on doing this by cashier's check. Now, of course, that's not always possible because many closings are out of town or out of state. But there are still a variety of good practices that you can put into place to protect yourself from wire fraud and from scammers generally. Not just in real estate transactions, but at all times. Because you heard Dr. Cole talk about the phishing scams that are out there, the grandparent scams that are out there. People calling a grandparent and saying, hey, your grandson's in jail on a DUI, you know, you need to send bail money to get them out. You know, then grandma panics and sends over money like this. This stuff happens all the time.
And you and your family and your friends don't have the protections that big institutions have, which is why this matters so much. We have a course on real estate investing. It's called Your First Rental Property. We're building a new lesson in that course on how to protect yourself from fraud, how to protect yourself from wire fraud, how to protect yourself from scammers, how to protect yourself from phishing attacks. So that new lesson will be ready by the time that we reopen the course for our next cohort. Because it's a cohort-based course that we open twice a year. We run a spring semester and a fall semester. So that next lesson is going to be ready in time for the fall semester. But now more than ever, in the age of AI, this stuff matters. And when it comes to our money, I mean, we can get caught up in, like, tweaking around the edges, you know, optimizing around the edges of our asset allocation. And that part's fun because it's so full of possibility, but, you know, in any sport you play offense and defense, and the defense side, the protection side, the asset protection side, if you don't have a strong, strong defense in place, then all of the optimizing around the edges is meaningless. So I encourage you to take the subject seriously. Thank you for being part of the afforder community. If you want to talk to other members of the community, you can do so for free at affordanything.com/community. It's a great place to hang out with like-minded people and discuss whatever's on your mind. Again, affordanything.com/community. We have a newsletter. It's also free. We elaborate sometimes on what we talk about on the show, and sometimes we talk about completely different things. You can subscribe to it at affordanything.com/newsletter. If you enjoyed today's episode, please do three things. First, share it with the people in your life.
Share it with your friends, your family, the wire transfer guy at the bank, the person who makes your cashier's checks, the new guy in your Signal chat. Share this with all the people that you know. That's how you spread the message of FIRE. Number two, open up your favorite podcast playing app and make sure you've hit the follow button so that you don't miss any of our amazing upcoming episodes. And while you're there, please write a few words. Tell us what you enjoy about the show. Leave us up to a five star review. If you're on Spotify, you can also leave a comment on the specific episode. We read every single one and love hearing from the community. And number three, head to YouTube, youtube.com/affordanything, subscribe to our channel. Hit the bell to get notifications. Watch these interviews. It comes to life when you see it on a screen, so join us on YouTube, youtube.com/affordanything. Thank you so much for being an afforder. This is the Afford Anything podcast. I'm Paula Pant and I'll meet you in the next episode.
Afford Anything Podcast: "You're Being Robbed $50 at a Time — And You Don't Even Know It" with Dr. Eric Cole
Release Date: June 13, 2025
In this compelling episode of the Afford Anything podcast, host Paula Pant delves deep into the often-overlooked intersection of cybersecurity and personal financial security. Joined by Dr. Eric Cole, a former CIA hacker and esteemed cybersecurity expert, they explore the myriad ways digital threats can silently erode an individual's wealth and financial stability.
Dr. Eric Cole opens the discussion by highlighting a startling fact: "If I go in and steal $50 from everybody every month, most people won't notice it" (01:51). Unlike the high-profile targets such as billionaires or large corporations, ordinary individuals often lack robust cybersecurity measures, making them easy prey for cybercriminals. This subtle extraction, termed "death by a thousand cuts," can accumulate to significant financial losses over time—potentially costing individuals $20,000 to $30,000 across several years without their awareness.
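The "death by a thousand cuts" pattern described here is detectable from a card statement if someone actually looks for it. The following Python script is an added example, not code from the episode or from Dr. Cole; it parses a constructed sample statement, flags small charges (at or under $50) from merchants not on the account holder's allowlist that recur in several distinct months, and projects what such a charge costs over years. The merchant names, amounts and the allowlist are all assumptions.

```python
import csv
from collections import defaultdict
from datetime import date
from io import StringIO

# Constructed sample card statement (CSV: date,merchant,amount); not real data.
SAMPLE_STATEMENT = """\
2024-01-03,NETFLIX,15.49
2024-01-14,ABC DIGITAL SVCS,19.99
2024-01-20,CORNER CAFE,4.50
2024-02-03,NETFLIX,15.49
2024-02-14,ABC DIGITAL SVCS,19.99
2024-02-22,HARDWARE STORE,212.00
2024-03-03,NETFLIX,15.49
2024-03-14,ABC DIGITAL SVCS,19.99
2024-04-03,NETFLIX,15.49
2024-04-14,ABC DIGITAL SVCS,19.99
"""

# Subscriptions the account holder knowingly pays for (assumed allowlist).
KNOWN_SUBSCRIPTIONS = {"NETFLIX"}

def parse_statement(text):
    """Parse CSV rows into (date, MERCHANT, amount) tuples."""
    rows = []
    for d, merchant, amount in csv.reader(StringIO(text)):
        rows.append((date.fromisoformat(d), merchant.strip().upper(), float(amount)))
    return rows

def find_recurring_small_charges(rows, known, max_amount=50.0, min_months=3):
    """Flag merchants not on the allowlist whose charges are <= max_amount and
    appear in at least min_months distinct months: small enough to be overlooked,
    regular enough to add up."""
    by_merchant = defaultdict(list)
    for d, merchant, amount in rows:
        if 0 < amount <= max_amount and merchant not in known:
            by_merchant[merchant].append((d, amount))
    flagged = {}
    for merchant, items in by_merchant.items():
        months = {(d.year, d.month) for d, _ in items}
        if len(months) >= min_months:
            flagged[merchant] = {"months": len(months),
                                 "total": round(sum(a for _, a in items), 2)}
    return flagged

def projected_loss(monthly_amount, years):
    """Cumulative loss if one unnoticed monthly charge runs for `years`."""
    return round(monthly_amount * 12 * years, 2)

if __name__ == "__main__":
    hits = find_recurring_small_charges(parse_statement(SAMPLE_STATEMENT), KNOWN_SUBSCRIPTIONS)
    for merchant, info in hits.items():
        print(f"{merchant}: {info['months']} months, ${info['total']:.2f} so far")
```

Run against a real export, the allowlist has to be maintained by hand, and anything flagged is a prompt to verify with the card issuer rather than proof of fraud.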
Dr. Cole categorizes various cyber threats that individuals face:
Identity Theft and Account Takeovers: By obtaining minimal personal information—such as through phishing—criminals can open multiple credit lines in an individual's name, severely damaging their credit score. "Your credit can be destroyed by small, unnoticed transactions" (03:19).
Cryptocurrency Exploits: The untraceable nature of cryptocurrencies makes them a favorite for ransomware and theft. Weak passwords or reusing passwords across platforms can lead to devastating losses. "If you don't protect your password, your entire life savings in crypto can be wiped out" (03:19).
Ransomware and Extortion: Beyond individuals, large businesses face ransomware attacks that can cripple operations. Dr. Cole recounts the Colonial Pipeline incident, where a $5 million ransom was paid to restore essential services, emphasizing the cyclical and escalating nature of such extortions (20:14).
Phishing Schemes: These deceptive tactics trick individuals into divulging sensitive information through seemingly legitimate communications. "Do not click on links under any circumstance" (17:12).
Social Engineering: Modern scams blend traditional phishing with social manipulation, making them more sophisticated and harder to detect. Dr. Cole describes how AI can mimic voices, increasing the likelihood of successful deception (27:25).
The ramifications of cyberattacks extend beyond financial loss:
Emotional Toll: Victims often experience significant emotional distress, especially when attacks lead to identity theft or loss of life savings. Dr. Cole shares heartbreaking stories, such as elderly individuals losing their life savings and subsequently facing severe personal consequences (03:19).
Reputational Damage: Cyberbullying and online harassment can lead to mental health crises, particularly among young individuals. Dr. Cole notes a rise in cases where cyberattacks on young people contribute to tragic outcomes (03:19).
Ohio Teachers' Farm Scam:
Shannon Allen's Wire Fraud:
Dr. Cole provides actionable strategies to safeguard against cyber threats:
Implement Two-Factor Authentication (2FA):
Enable Account Notifications:
Mind Your Applications:
Secure Communication Channels:
Device Separation:
Physical Security Measures:
Regularly Update and Secure Devices:
Backup and Recovery Plans:
For those seeking enhanced security:
Endpoint Detection and Response (EDR):
Biometric Security:
VPN Usage:
Dr. Eric Cole underscores the urgency of integrating robust cybersecurity practices into personal financial planning. "Be proactive, and you can minimize devastating events from happening" (93:47). By adopting the recommended measures, individuals can shield their financial assets from the pervasive and evolving threats of the digital age.
Silent Financial Erosion: Ordinary individuals are prime targets for cybercriminals who siphon small amounts regularly, leading to substantial financial loss over time without detection.
Limited Bank Protection: FDIC insurance safeguards the bank but not individual accounts from cyber theft. Personal responsibility in securing passwords and enabling protective measures is paramount.
Real Estate Vulnerabilities: Cyberattacks frequently target real estate transactions through compromised closing companies, resulting in significant financial and emotional losses for victims.
Dr. Eric Cole’s Platforms:
Afford Anything Community:
Upcoming Courses:
Final Note: As digital threats continue to evolve, staying informed and adopting comprehensive cybersecurity measures is essential in safeguarding your financial future. This episode serves as a clarion call to prioritize cyber hygiene as a cornerstone of personal financial planning.