
A
If you understand criminal behavior, you will understand how not to be a victim. And you actually know more than you think you know. I promise you, incident response and mitigation of identity theft and breaches of your bank account will take forever. It's expensive and it's very painful and it's horrible to see. And so much of it is preventable.
B
Hi, welcome back to How Much Can I Make? I'm your host, Mira Vozeri. And today we're stepping into the high-stakes world of cybersecurity. Our guest is Rivka Tajer, CEO and co-founder of ZeroHack. Rivka is a top cybersecurity expert who worked with the White House, major corporations and private individuals to prevent cyber attacks and identity theft. Let's tap into her expertise and find out what we can and should do to protect ourselves in this digital world. Well, Rivka, thanks a lot for being willing to participate and giving us your time. I have millions of questions, of course, because that totally concerns me. Security. I was hacked. So let's start by first telling me, how did you get into doing cybersecurity?
A
So first of all, thank you for having me on. And. Well, I started as a journalist in the late 80s, early 90s. I was on the team with the Wall Street Journal, who put the Wall Street Journal online in what we call the OJ years 1994. And then I was covering privacy, security, identity theft, as well as AI, machine learning, data mining and supply chains.
B
Already in 94, you were dealing with AI.
A
Well, AI. A lot of what is called AI now is machine learning.
B
Right?
A
So that was the beginnings in data mining and putting those systems together.
B
Didn't know that. So, okay, so now you are an independent contractor, right, that deals with security. Tell us what you do.
A
So we're actually going to celebrate our 10th anniversary next month of our consultancy. What we do is we protect people specializing in financial protection and secure communication.
B
Okay, what does it mean, financial protection?
A
Protecting the cyber equivalent of putting your banks and brokerage in witness protection. So I also worked in fintech in banking and I was on the White House National Infrastructure Advisory Council for critical infrastructure in the banking industry. Appointed by Obama but worked through Trump administration. So I have specialty in how payments and banking work and I covered it a lot as a journalist. Then I moved to work for fintech and banking companies. So what we do is we investigate. Here you are right, Meerav. You have email addresses, you've been online since we all got this Steve Jobs remote control of our planet in 2008, right. It was free for email. Free. This, you can get everything. And so we ran for convenience. And those email addresses and the telephony side of your phone, which I'll get into, are wide open doors. Okay? Everyone's heard about the terms phishing. Okay? If they hack into your email and can impersonate you, that's called an account takeover. And then, thanks to AT&T and Verizon, last year they breached all of our data and Social Security numbers. I can be miroff. So what we do is we use cyber threat intel systems that are closed systems. We look anonymously in threat intel systems to see what of yours has been exposed. Can someone take your phone and forward authentication codes to another phone? Can someone be you with your email address? And what kinds of cyber criminal groups are targeting you? So first we do that. I'm a data-driven person, okay? Okay. So first I get the data, okay? And we need scary little to find this out. Literally your name, middle name helps if you have a common name, birth date, legal address, your IP addresses, phone number and your email addresses. And that's it. And I never look at anyone's financial balance. I don't look at sensitive information. And we can see if your Social Security number has been texted to someone else. But essentially you have to get the data and see where the vulnerabilities are.
And if they are into your email or your phone or your systems, how they got in, or once we know how they got in, we can kick them out. And one of the most important, that's the service part. If somebody has your Social Security number, they can't do anything with it or that they can't access your banks and brokerage because we've created a new identity for you with those. Because once data's breached out there, the toothpaste is out of the tube. You are never putting that back. So sometimes it's a pain in the neck, I might tell you. You know that Gmail you've had for 100 years? You got to get rid of it now, okay? And then you have to migrate it. You have to move your contacts, but you need encrypted secure email for your bank and brokerage that never sees the light of day that you never use for anything else.
B
How can I get encrypted email?
A
You can go to proton.me in Switzerland and get a ProtonMail. Russian oligarchs use it to protect their Swiss bank accounts. And now so can you for $3.99 a month. Think about it. ProtonMail for protecting Swiss bank accounts. Do you think somebody's using a Gmail to protect a Swiss bank account? Okay, no, actually if somebody tries to crack your password though, the whole inbox turns to some pig Latin version of Cyrillic even for you if you lose it. Okay. It's designed to protect. Other thing that you can do depending on where your email is hosted is things like SpamAssassin, these little add-ons that you can put on that really don't allow things into your server. Especially if you're using a Gmail and you haven't gotten an encrypted secure email. Encrypted secure email will throw that stuff and it won't even let it on your server. It's like a big gunk air filter. Every infiltration and the new IBM research reports and the new Verizon reports, read those yearly, you can download them. The FBI ICS unit, the Internet Crimes Unit read their reports. Over 90% no exaggeration happens by human error with their email credentials.
B
I want to double check something. Yeah, if I email my broker, if I delete it and delete the trash, I'm safe the information.
A
No, no, at Yahoo, they store all that crap on a server that they've long abandoned. If you didn't change over to Outlook mail and get encrypted mail and Outlook, you know, they do offer encrypted email servers or your Hotmail or that Prodigy thing that AT&T owns. Okay, anyone with one of those Yahoo accounts that became a Prodigy account that is all subject to the AT&T breach.
B
So hold on a second. If I communicate on WhatsApp. WhatsApp is encrypted?
A
No, it's not. Zuckerberg bought it and now everything Meta is integrated into it. That's why the whole world moved to Signal.
B
Signal?
A
Yeah. So now, and when that goes to hell, I can come back and tell you what's new. The cyber criminals is what you should be worried about. It's organized crime. It's not a 40-year-old guy in his bathrobe still living with his mother. These are well-funded. They have the best hackers in the world and they have supercomputers that can run everything about you in social media and in 10 seconds know the password to your email if you have not protected it. Okay, this is very, very sophisticated. So what you're looking at is the cyber criminals and protecting yourself from those criminal gangs. And you know, usually they don't have ideology, they just path of least resistance. Where can I break in and get money? How can I assume someone's identity. There are six attack surfaces. These are the high-risk behaviors. Crypto, activism, and ancestry sites. Get off of them. All right, now, porn, gaming, and dating sites, there are ways to do all of these safely except for ancestry. And it's a shame because when 23andMe was breached. Okay. And they only stole a database of Ashkenazi Jews.
B
Really?
A
Yep. All right, so why do they do that? It could be someone who wants to sell to Pfizer a database so that they can make a drug to prevent Tay-Sachs disease. Or. Or it could be someone who hates Ashkenazi Jews. It could be anything on that spectrum. Class action suit. And now 23andMe is gone.
B
Right.
A
But the data's not gone, and it's in junkyards somewhere. And it's a shame because something like 23andMe so many people, if they were adopted because it was medical based.
B
Right?
A
Right. But it's in a magnet for hackers because they know there's all kinds of data in there. The other places to be super careful. You're getting a divorce. What's not in a separation agreement? Be careful how you communicate to your lawyer. Not only do you know how everything's divided, you know who got what and where it is. So think. You got to learn to think like a criminal. And accountants, forensic accounting, they're so good at this. Some of my best sources that I brainstorm with are forensic accountants. They get this immediately once they tune into it because they know how money flows. And the more you know about money flow, about accounting, real estate lawyers are great at this. I have some great sources that I use who are realtors because they know when something looks weird in MLS and MLS was hacked in 2023.
B
Wow.
A
Okay, so if you've ever bought a house or sold a house or rented a house, do you know what is stored in an average real estate office? Printer in the guy. It's stored in the printer because they're like, oh, I have to print out the. This person's whole financial picture. They sent me proof of income.
B
And it's thought. It.
A
It's thought, look at network printers and see how often they're cleared. Medical people know the confluence of data and have great aptitude for this. Okay. And now with telemedicine there, all of that, that's why they keep getting breached. There's juicy information that goes on for years to socially engineer people.
B
What is this dark web? Can you actually see? What's that?
A
That's like a mall. Of course you can see it.
B
So can I Go in and see if my information is in there.
A
Well, you don't want to. You don't want to like be noticed in there. You want to go in anonymously or posing as a fraudster buying stuff because you'll be seen a mile away. You need to be anonymous to go do it and watch what they're doing to do it.
B
Do you do that?
A
Yeah, of course. That's what threat intel systems do. And we use one that's mirrored the infrastructure of the Dark Web and it's amazing.
B
Oh my God.
A
So we can watch what they're doing and you query it in many languages.
B
You literally see people there buying and selling information.
A
Yes. There are trajectories where you can see, sometimes you can place them by longitude and latitude, trading data. I mean, it's not a little avatar guy, but it's their identity.
B
Wow.
A
The problem with this crime is that it pays. And there's only 0.05% of the time that anyone's ever caught because you don't have to be seen.
B
So you said, secure password. How can I secure my password?
A
Well, first of all, never ever use an automated auto generated password. Two reasons why whoever is offering to auto generate your password is keeping a database of those passwords.
B
Even the very complicated, very long password.
A
It's AI. AI is not good at implementing ideas or being creative, but if it's out there, they can grab it. The other thing is, it's a hacker's dream. So let's say you have automated passwords generated in a password manager. Those are stored in a place because you can't have everybody with the same passwords. Right?
B
Right.
A
So if they get to that attack surface and they say, oh, who has accounts here? Great, let's go get the. That's the first thing they'll go for. Let's go get the database of the auto generated passwords, run it against the accounts and see where we get in. You need a system where you control things where all the locks are yours to put on and take off, like freezing your credit reports. Okay. Once Equifax was hacked, people in my industry, we lobbied. It became ruled that you get to freeze your credit report.
B
Right. I did that.
A
Right. And people are like, well, I don't have account there. I was like, great. Well, they have had a dossier on you for 50 years. So you create that online experience. So you control whether it's frozen or not. You want to go for, apply for a loan, you say, which one are you looking at? And you only unlock that one 24 hours before you let them do it. And then you lock it back up. Okay. And the most important thing about security is don't tell someone what you're doing. Misinformation is a good thing.
B
What do you mean by that?
A
When you create a new persona for your banks and brokerage and you have an encrypted email, you have two-factor authentication, you have good user ID and password, you have excellent hygiene when you do online banking and where you do your online banking and how you delete your browsing data and how you sign out instead of X-ing out your habits. How you call your bank and brokerage and say, no wires ever go out of my account unless I'm in branch.
B
Hold on a second. You said something important. Deleting your browsing history, you said absolutely. On a daily basis.
A
Absolutely. When you can visualize how cybercriminals see what you're doing, then you really tune in to these principles. And then you just apply the principles in your life once you click into it. And you know, people tell me all the time, you know, I'm not, this is the era of the kids, I'm not good at this. I disagree. I work with seniors, a lot of seniors, mostly because they're hard to protect and they have a lot to lose and they're main targets. Actually, they're much better at this than my 20s, 24 year old daughter. Because you know crime and you know criminals and you know criminal minds, but you have to know what they're seeing and how they follow you. You have to know what a keystroke logger is. That's everywhere you browse on the Internet. Little pieces of malware in that beautiful little Gmail of yours or Yahoo, or a Hotmail or any free mail AOL that sells your email to advertisers.
B
What is a keystroke logger?
A
Exactly what it sounds like. It logs your keystrokes. It's an info stealer. Okay? And you have to find out in all of your settings whether there's anything on there. On a PC, you go into your task manager in your Apple computer, you go to the activity monitor, look at all the crap running in the background in your computer. And if you see anything in Chinese or Russian, you call me. But if you see the words Zendesk M spy like OR numbers with kk.text, those are info stealers.
B
What browser is the best one to use?
A
It doesn't matter. They're all the same. It's how you set them up that matters. You set them up for zero trust. What do you think that Google and Microsoft and Apple and Firefox are doing with all that data if you don't set it? How do you think they sell advertising? They gather your analytics and they sell it to each other.
B
But how can I set it so they don't do it?
A
It's all in settings. This is what I encourage people to do. Log on to any app that you use and click on that stupid little gear shift or the three dots or the three lines and go through every single setting in there. And anything that looks like share my data, give analytics, personalize, turn it off. Anything that says remember me, say, no. You do not want AI to grab this information and sell it off into the dark web. The more information they have about you, and if you've ever been hacked, you're worth more on the dark web. You go from being worth that 50 cents to marketers to being worth thousands. And the other thing to remember that's super important is everybody looks at their phone. They're like, I either have a Droid or an Apple. Apple will say, nobody can bust our architecture. I was like, who cares? Nobody. You don't have the secret sauce to Coca-Cola on your computer. That's not what I want. I want the telephony side. Your phone is Verizon or AT&T or T-Mobile. Apple is in the cloud. How are you protecting that Apple ID with a Gmail? All right, if I go and hijack your Apple ID, all right, and I change the phone number and I change the email address and I lock you out. I have everything in your cloud. I have the credit card. You have to store apps you call Apple, even with a serial number or an IMEI number on your phone, and they will not help you. So it doesn't matter what the architecture is. Everything we do is online in the cloud. And you have to have the same mantra of protection. You have to protect the credentials that guard the accounts, and then you'll be safe.
B
So, for example, people put credit cards in Apple Wallet. Is that safe?
A
It's as safe as how you guard your account. Look, I am not willing to go live in the woods with a shotgun on my porch, okay? And a roll of bills under my mattress, okay? You know, some people are. But I live in this world and I love to shop and do everything else right. You have to protect the SIM, which is the telephony side of your phone, so that no one can take those authorization codes to your bank and forward them somewhere else. And no phone company will ever tell you the piece of advice I'm going to give you right now? You have to protect your Apple ID by not allowing remote access to it. And you have to have a VPN on your phone and you have to secure encrypted emails for any account that you have that does payments. And then you take your Gmail address and you leave your what I call your trash persona out there. Let them pick at that until it's just bone because it's already out there. You chant, you surgically remove what is financial from your breach data that's out there, you put it under lock and key where it's not going to be sold and that's how you protect yourself.
B
I have malware on my computer that doesn't give me really any security except for virus, right?
A
No, no. Anti-malware. You mean Malwarebytes? Something like that. Okay, so this is a very interesting point. You need a VPN with that. So what Malwarebytes does is it looks on your hard drive. Are there viruses or is there malware on your hard drive? Okay, what a VPN does, it does two jobs. One, it monitors your network traffic, the VPN, the mothership. It monitors for keystroke loggers, viruses, malware, ad trackers that track you and then sell all your data. VPNs are very powerful now. It used to be for enterprises. You can click on ad and tracking, blocking, you can click on anti malware. That is not something Malwarebytes can do. What that mothership does in a VPN is it prevents you from downloading anything bad. Most malware and stuff either comes through your email that Google sells and promotion people can say they have to read it before they delete it. And reading it can load the malware or they have to read they have to click on it three times or some crap so it stays in your computer. But it also will quarantine any PDF or virus filled document. Okay. And so you can look at it, it keeps it on a server. The other part of a VPN that you embed in your browser and an extension masks your IP address.
B
Is there a particular VPN? Because I looked into it once when I got the paranoid hour and so many to choose from. How do I know what It's a good question.
A
So I just want to preface this by saying I take no referral money, affiliate money, anyone from anyone I recommend or say is bad because I have to stay clean.
B
Yes, of course.
A
Right now we like NordVPN. We like NordVPN for several reasons. When we look it up on our threat intel systems, we don't see info stealers on their domain. We don't see a lot of employee addresses that have account takeover. Okay, what if there's an employee with, you know, they're looking for that access to those accounts? We see very, very few. Their parent company is based in Amsterdam. Probably protecting the De Beers. Okay, right. Remember, the people who really have the most money in the world are not talking about it. Okay? So Europe's privacy laws are way more developed than ours are. They're stronger. So this, this type of application grew up in an environment where it's. It's very, very careful if you keep it updated. They're constantly studying the mutations of malware and then bringing the inoculation that one thing to remember about a VPN is definitely, there's a lot. There's a lot of good ones out there. But test your Internet speed, with or without it. One of the things we like about Nord is it doesn't degrade Internet speed.
B
Okay?
A
So sometimes, like, Proton has a very good sister application. It's a great VPN if you live in Switzerland, but its protocols here, your zooms will freeze. You'll turn it off, it will drive you crazy. So that's a big configuration.
B
It's overwhelming.
A
It is. It's like taking a sip from a fire hose. But the best thing to do is not to think of it all at once. The first thing I do in a house, Go change the Wi-Fi password on your router. Okay. Many, many companies that provide your Wi-Fi service on that router.
B
Right? Spectrum Provide.
A
Okay, so my entire neighborhood, the first two words of the password that's, like, imprinted on the router is the same for everybody. Okay, so if I'm smart enough and I shoulder surf on Wi-Fi, all I have to do is run algorithms against the last three numbers. I go anywhere, and I can look up Wi-Fi in your neighborhood. And most people have not even changed the name from Spectrum setup. F8. Okay.
B
Oh, you have to change that, too.
A
You can and you should change that router password to something Spectrum doesn't know. Not because Spectrum is evil, but Spectrum is a mobile virtual operator of Verizon. Verizon was breached last year. Okay, what's the first thing they're going to do if they. If they break into Spectrum? Let's go see all the passwords that they have stored, run them against their list of accounts, and see where we can hop in and go take stuff. So you got to reduce your attack surfaces. And you have to think like you're your own personal corporation and who your third-party risk is. That's the first thing you do. And you start here because your IP address on every little device is mapped to where you live. Right? Okay. So it's home invasion. It's protection against home invasion. That router, password and name.
B
But you know what? I was hacked through Chase. I would. They. You know how they have double identification? They never called me or anything. Somebody got.
A
Somebody turned it off. Right.
B
And they took everything I had. The bank gave it back to me because I.
A
Was it a credit card or a bank account?
B
Bank account.
A
Were they. Did they change.
B
They changed my address on my statements.
A
Did they change your account number?
B
No, they didn't change.
A
Bad, bad. They're going to get a call from me tomorrow that's very bad. Chase has particular vulnerabilities to certain organized crime groups that I will not mention on this because we need to protect Chase. That are particularly good at the code that iPhones are written in. And after the AT&T breach, the reason you never got the code is because if you had not protected your SIM card or your eSIM on your phone, SIM swapping is where they help themselves to that account. Probably took your SIM, forward that number to somewhere else, and they got protect my SIM. Okay, ready?
B
Yeah.
A
All right. Take out your phone and go to Settings. Okay, this is what you want to do, folks. All right? If you're on an iPhone, you want to go into Settings, that little gray gear that you're going to get really familiar with. You're going to click on cellular data, right? You're going to scroll down until you see SIM. If you have an iPhone 15 or later, you can put a PIN even on an eSIM. Okay? Okay, you're gonna click on that. Management of pain.
B
SIM PIN.
A
Yeah, you're gonna toggle it on right? Now, get this. In their infinite wisdom, AT&T and Verizon, and therefore Spectrum, the preset PIN in your phone is 00111.
B
Oh, okay.
A
T-Mobile is 1234.
B
Okay.
A
Google Pixel is 1111 or 0000. There is not a fraudster on the planet that doesn't know this. Okay? Has anyone ever put in your statement, then maybe you should go ahead and put this PIN on?
B
No, never.
A
Okay, so you're going to enter your current pin.
B
So it would be 1111, right?
A
Okay. Hit. Done.
B
Yeah.
A
Okay, now does it say change PIN?
B
Yes.
A
Click change PIN.
B
Change PIN.
A
Put in again the current PIN. 1111. Hit done. Does it say new PIN?
B
Yes.
A
Okay, here's the drill. Do not tell anyone your PIN. And by the way, if anybody in security ever asks you for a bank balance or PIN number, show them the door. Security is like a secret. Only one person can keep it. Okay? Write this PIN number down somewhere. Do not make it your cat's birthday, your birthday, your favorite lucky numbers, okay? None of that. Random, random, random. Look around a room, look at the clock, look at a thermostat, random that can't be socially engineered. Put that darn thing on a sticky note, put it in your sock drawer, stick it on the butter dish in your fridge, because you will be going into AT&T or T-Mobile or Spectrum to unlock it if you lose it.
B
So it shouldn't be the same PIN that I use for the phone.
A
No. No two PINs should ever be the same. Okay? And if you don't want to put in an encrypted password manager, you get yourself an address book that's alphabetized, okay? And create redundancies. And if you keep it on a spreadsheet, you password protect that and you don't keep it in the cloud. So you're going to pick a new PIN that has four numbers, write it down and don't show it to anyone.
B
Done.
A
Okay. This alone has prevented what we call SIM swapping. So that authorization code that you never got because someone else did can't happen anymore.
B
Oh, there was SIM swapping, I'm guessing.
A
Wow. I mean, I'd have to look up your data, but if it's double identification, so that means. So now is this fail safe? No. Does she have to log into her Spectrum account, change the email address you store on that account to a nice encrypted email address? And there are more than Proton. PC Magazine has a great top 10 list of encrypted secure emails. Different uses, business people, you know, it depends on what you do. Log out. Once you put in that encrypted email, log back in, then add your two-factor authentication, change your password. And if any account where you store payment or make monthly payments allows you to have a user ID that is not your email address, change it and make it random. No special interest. No cute, you know, art figures. No. No constellations you like, nothing to do with you. Look around the room. Pick random things, all right? And make sure that when it says remember me, you do not. Because all that information stored in your browser, all you need is one little info stealer in there and all of that is theirs. But people forget that Their phone is actually the telephony side. And by the way, if you have a Droid, just click on Settings, go to the search bar and type in SIM. Same with Google Pixel phone users. Okay? And then the steps are the same from there. And if you get locked out, if it says one more trying, you're locked out, don't do it. Go to the store where you pay for the telephony side and do it there. It could mean a couple of things. It could mean outdated software. It could be someone snorkeling around your phone in your. Your account already. Okay? But if you are about to get locked out, do not attempt it. You will hate me and this podcast forever because your phone won't work and your texts won't work if you get locked out of your SIM, right?
B
You have to remember the code. Once you, you remember the code. You.
A
Once you change your PIN, here's the two times that you'll need it. Okay? If you turn off your phone all the way and then turn it back on, it'll say SIM PIN locked. You'll put in the password to your phone and then it will prompt you to enter that SIM PIN. The other time you're going to need to enter that SIM PIN is after your iOS updates or your Samsung, you know, whatever operating system are on other phones, once it doesn't update, it will prompt you to have it. Those are the only two times.
B
I saw a documentary on HBO about cybersecurity and they recommend to turn off the phone every few days because there are people out there that can get into your phone even when you are out on the street.
A
That's absolutely true. And it depends if you're being targeted and by whom you're being targeted. That's absolutely true. So get yourself a Faraday pouch. What is a Faraday pouch? And don't skimp on it. Get that technology. What is it named after John Faraday. It blocks out all electrical impulses. Okay. So if your phone is off and in a Faraday pouch, it's endless.
B
What we have to do when you.
A
Travel through airports, throw it in that Faraday pouch.
B
Now you told me a while ago that when I'm in airport to turn off Bluetooth.
A
Yes. So here's an AirDrop. If you have an iPhone. So here's why Bluetooth and AirDrop are close proximity theft mechanisms. It's a backdoor into your phone. So let's say you change your SIM PIN and you've, you've protected your Apple ID and you have a VPN on but your AirDrop, Bluetooth, location services are all on back door. So Bluetooth, I have to be near you to grab it.
B
Okay?
A
But it works just like if you've ever AirDropped something. Here, here's the password. Okay? So people. And by airports, I also mean Panera and Starbucks. Okay? It's just airports are yummy and juicy because people who have money to fly have more money than people who don't have money to fly, so they just like it. And you're on public Wi-Fi all the time, and it's just a good environment. But somebody's sitting outside of that Panera parking lot or in that cafe, and anyone who's vulnerable, they're just looking for them.
B
When I'm in the city, all of a sudden I see that I'm on Verizon Wi-Fi. Should I get off of it?
A
Yeah, make it your option. You don't want anything to just move your phone onto something. It's like on Spectrum routers, there's a little setting that's actually. If you log into your account online and go into a setting, you won't find it in as easily in the app. And you log in, it's actually under security. It's actually under, you know, security shield. But right next to security shield, there's a little toggle switch. And that toggle switch is Spectrum mobile access. That means that anyone with a Spectrum mobile phone can bypass a lot of your security and log on.
B
Oh, my God.
A
So that they can gather data analytics. Okay. I was a marketer for a long time of who has a Spectrum phone in the area. All right? They cluster neighborhoods with IP addresses. They're doing data analysis all the time. And some of it's for good purposes, like outages. You got to turn that thing off and no one's ever going to tell you. And its default is on. So if you enter the city and this default thing is that you're on a Verizon Wi-Fi backbone, don't you have 5G and 4 bars? Turn on your VPN and use it that way. Any Wi-Fi that just automatically happens because you have an account, you want to go into settings and control it. You do not want it to be automated.
B
Is Zelle and PayPal and Venmo all of this, are those secure?
A
Okay, so Zelle is very secure now. But again, the mantra, it is secure as how you have protected your bank account. So when Zelle was sued, when Wells Fargo and JPMorgan Chase and Bank of America were sued because of the Zelle scams okay. In December 2024, that lawsuit was dropped. But part of what they did to make it safer is there's no more Zelle app. So you are putting in someone's phone number or an email address to send them Zelle money. And it's going bank to bank. And it's not a wire. It's protected under EFTA electric funds transfer law. So it's much more protected unless you're using a Gmail address for your Bank of America account and maybe two-factor authentication to a phone that doesn't have a SIM PIN and a crappy password and a user ID that your favorite pet of all time. All right, so it's a secure and you should not have it sent to email when you put that nice secure encrypted email on your bank. You don't use that for Zelle. Nobody knows about that except the bank of record, so.
B
Oh my God.
A
But Zelle is fine. And also PayPal and Venmo, if you secure that account. Well, here's my thought about all of these things. The credit card that's in your Apple ID that you buy apps with, the card that you set up for PayPal, if you're using a card, the credit card that you keep on recording for things like Apple Pay and your Apple ID should be a credit card where you do not have a checking account or brokerage because a fraudster loves nothing more than when they go in, you're like, oh, that's a Citibank card. And they have Citi checking, they have Citi brokerage. And off they go to try and get into that account because if they can impersonate you and log in, they have everything. So when you're online, it's the opposite of what were raised. Go get one of those pre approved card offers of yours. Do not have the credit card that you store for payments for highly targeted things have anything to do with your bank and brokerage. You see the pattern here? You're removing it from sight.
B
I have a credit card like that. I'm going to do that.
A
That's what you do. And when you travel, that's the one you bring.
B
Oh, really?
A
Not travel with a credit card that's also tied to your brokerage account. And try not to check bank balances and all that when you're traveling on vacation. And I mentioned this because it's summer now.
B
Why. Yeah, right by white traveling. Is it more? Am I more vulnerable when I travel?
A
Everything you do. Yes, everything you do is public. You're going from an airport or a train or whatever. That's public Wi-Fi. You're going to a hotel. Another great target. Okay, sit in a hotel lobby, have a drink, pick out the hacker. Everybody's on public things all the time. All right? Everyone has their geolocation on. The other thing is, you know, here's mantra. Post your pictures of Notre Dame when you're already at the Eiffel Tower. Don't do it in real time, okay? Don't.
B
Why?
A
Because you can turn a cyber attack into actual burglary and take off your biometrics. You know when you're sitting here at home and you have your face ID that gets you in your fingers. I don't want someone punching you, putting your face up and taking your phone. And it happens all the time.
B
Yeah, I took it from all the financial. But it opens the phone.
A
Okay, so that's bad when you travel or when you're in the city. Don't you know, if you're in a rural environment, in a low risk environment, it's fine. Especially at home for your convenience. And older people are going to nice hotels. There's nothing a hacker and fraudster loves more. It's like, let's follow them for the airport. They're dressed well, they look nice. They just checked into a four star or five star. Yay, let's go get them. Let's go see what apps they have open. Let's go see how much they're protected. And you can call Apple and they're like, they can't break into their architecture, but they don't care about your architecture. They care about what you have going on in the cloud. Okay. They just want to know where you bank and if they can crack open that Apple ID, you know, and understand that you can be watched when you don't think.
B
So what is the biggest cyber attack you worked on?
A
I can't name things.
B
No, not don't name the company.
A
Two things. So in the White House and the National Infrastructure Advisory Council, we do look critical infrastructure.
B
Okay.
A
Okay. So there were things that we looked in there like the grid and transportation and things like that large nonprofit that was breached really badly.
B
So all the donors' information, all the donors' information was taken.
A
And yeah, they love donor information. And when you make a donation, please just go to the website, do it there. Don't use the apps, don't do links, even if you're a long standing member. Never use GoFundMe. You know, even WHO and the Red Cross were cloned during COVID. If you think a ransomware attack is not stealing personal data, you need to watch more gangster movies. They kill the guy and they store him in a junkyard and they go offshore for months until things lay low. There are literally junkyards in the dark web. They're called junkyards. If they steal a lot of data after a ransomware attack, they store it somewhere and they go lay low. And then six weeks to three months later, boom, you're going to see it. And threat intel systems, you can see this stuff happening. The law and its mechanisms are just a little behind the criminals at this point.
B
What's the most common hacking you see for private people, not big organizations.
A
Email. Email account takeover.
B
So they take over the email and then what?
A
91% starts with an email account takeover. And then I go look for all your accounts with that email. And I'm just, you, hi, I forgot my password reset. Okay. I just have the emails. I can just impersonate you email and spoofing on the phone.
B
What is spoofing?
A
That's what you just worked very hard to.
B
Oh, changing the SIM, right?
A
Where the authorization code is forwarded to another phone. From SIM swapping. Just swap.
B
So that's another common thing.
A
Very, very, very common.
B
Oh my God.
A
And that's why the move you'll see in secure environments, they use an authenticator app instead of text to your phone because an authenticator app does not use SIM technology. Also, while traveling, when you rent a car and you're just like, great, plug in Google Maps. Delete your profile when you get out of that car. Because if I hop into your account, when was the last time you logged out of a Gmail or Yahoo? You just open your computer and there you are. Isn't that fun? I've seen people go from their Google Maps into their Google account and then they're off to the races. Don't leave that stored in a rent a car. You'll notice that if you download Google Chrome and open up settings. Here's a little test. Okay. After two minutes on your computer with Safari, all of your passwords stored in Safari are magically going to appear in Chrome because they'll make a handshake unless you turn it all off. Export those things out of the browser. That's a public space. It's prevention is what you want. You know, it's really funny, in this culture, black cats are considered bad luck, right? This is totally misunderstanding the black cat.
B
Why you have a black cat.
A
Ancient cultures, the black cat is good luck. Why is that? Because if a black cat crosses your path, it warns you that bad luck is coming. Warnings are good. So it's very interesting. In Japan, when I was in Tokyo, I thought it was so cute. Every security firm's logo, whether it's physical or cyber, is all a black cat. So think like that. You want to be warned. And then go look and shore yourself up. Because I promise you, incident response and mitigation of identity theft and breaches of your bank account will take forever. It's expensive and it's very painful and it's horrible to see. And so much of it is preventable.
B
So much of it mostly via email. You said yes.
A
And your phone.
B
But in order to steal my identity, they need my Social Security. It's not stored on my phone.
A
There's 200 million of them out there, thanks to AT&T and Verizon last year.
B
Okay, let's talk about money. If somebody just starts in the cybercrime prevention business, how much money can they make?
A
So it would depend on your education. Like anything. If you come into a threat intel company and you're. You just want to get your foot in the door. You haven't studied any of this in college. You know, life doesn't end after college. Who the heck cares? Get in there in some way. Okay. In whatever department, and then learn. Okay. So then you're looking at probably lower end entry level salaries that are, you know, probably between 30 and 50, depending on the company and depending on your.
B
Okay.
A
If you have a law degree and you want to take a left. Lawyers are very useful because they know how to use threat intel data on both sides. It's on the prosecution and defense. Anyone who took accounting be great at this. You know, get extra fraud certificates and you, you know, then you're. And then you're in six figures. Wow. It's a six figure industry because there's a shortage of people who know how to do these things. And you don't have to look twice to see the need.
B
The need will always be there.
A
Yeah.
B
And what kind of skill do you need to have in order to be able to be a good cybersecurity person?
A
You need to be a good data analyst so you can take data analytics too. What does the data mean? How do you map it? How do you see the matrix? Okay, that definitely. And psychology. Criminal psychology.
B
Yeah, you said that.
A
Go get a criminal justice degree and learn how criminals behave because there is no physical crime that happens anymore without intel.
B
This is a lot to know.
A
I've also been doing it for many, many years. So what is Very important is you study banking and payments. Okay. I worked in both of those fields. Okay. Study how money moves. And it's fascinating. It's a super fun. If you are interested in research and stuff, it's really fun. And then how it dovetails with the criminal mind. Learn about white collar crime. Learn about the psychology of deviance. Take psychology, take sociology, take pathology, accounting and your. And your cybersecurity. And know how things work. Not just not to click on something so you take those things. But you focus really on the human behavior part. If you understand criminal behavior, you will understand how not to be a victim. And you actually know more than you think you know. You don't have to be math oriented as much as you think. A very good like investigative reporting is very good to study as well because there aren't a lot of people who do it. It's a great field. It's completely understaffed and there's a lot of employment in it.
B
So you don't really need to have a tech background.
A
It's very good to have a tech background.
B
It's good.
A
And hands on tech.
B
Okay.
A
Yeah. And go.
B
Do you need to know how to code?
A
Also coding is very easy. So when you learn threat intel systems you will have to learn some coding languages. There are also some great tools where you can go and learn to be an analyst. And take these online quizzes like here's a malware thing. Here's the problem. And you can work it out on these little modules. Learn what malware is and how it works.
B
I hear that seniors in particular are vulnerable to attacks. Why is that?
A
When you are below the age. This is why seniors are in danger when you are below the age to collect Social Security or when your IRA is locked up. Right, right. Like you have to have a penalty. All the banks protected and there's things and there's forms to fill out and all that. All that gets taken down. When you're 59 and a half, you can just go remove money like it's a checking account. Easier to hack into when people collect Social Security. That's why there's so much emphasis on Social Security fraud. This is what happened during COVID is people use those numbers to go collect unemployment or to divert Social Security. And then you have retirees, people who are over 60 have more money than people who are 20.
B
Right.
A
If you have your mortgage paid off, you're more vulnerable.
B
Yeah. Because they can take your property. Yeah, I heard that.
A
Yeah, totally. But there's things that you can do from all of it you just the vigilance there and that senior attacks really make me mad. We focus a lot of our business on making sure that doesn't happen. And then they sit around waiting for trusts and wills and financial transfers. So those are important to put in place.
B
So most of the stuff that you deal with, is it preventing hacking or is it repairing damage?
A
Well, unfortunately, we get a lot of incident response and mitigation, which is really painful and expensive. If people have been on their phone since 2008 and have never gone through what we call breach data cleanup, we highly advise it. We do run cybercrime boot camps at theaters and synagogues and other places to show people what they need to do. And if they need our help, we help them. Because if you don't prevent now, it's kind of inevitable. Covid overworked a lot of networks, so the.
B
What do you mean by that?
A
So when. When we were all in Covid and everybody's online all the time. Yes, there were vulnerabilities and the hackers got a lot more sophisticated and the systems were burdened. Okay, so the IRS had breaches, the MLS system in real estate, the DMV, even WHO and the Red Cross were cloned because it's just so much traffic. And there were opportunists. So those things and you coupled with huge telephony breaches from AT&T and Verizon last year, there's a lot of stuff out there. And whatever your politics are, I would highly recommend watching the 60 minute segment on cyber crime and the dark web that aired in May last month. It explains a lot about cybercriminals. And you can also go to my website at zerohacksecure.com and hit play on the short video that explains it.
B
Rivka, thank you so much. This is wealth of information. I have to listen to the whole thing again because I got a headache from all the vulnerability I'm exposed to.
A
But it's an exciting field and there's a lot of opportunity in it.
B
Okay, that's a wrap for today. If you have a comment or question or would like us to cover a certain job, please let us know. Visit our website at howmuchcanimake.info. We would love to hear from you. And on your way out, don't forget to subscribe and share this episode with anyone who is curious about their next job. See you next time.
Episode: Cybersecurity Jobs: Understanding Account Takeovers, SIM Swaps, and Email Hacks
Host: Mirav Ozeri
Guest: Rivka Tajer, CEO & Co-founder of ZeroHack
Date: December 22, 2025
In this episode, Mirav Ozeri dives into the high-stakes world of cybersecurity with expert Rivka Tajer, CEO and co-founder of ZeroHack. Rivka sheds light on account takeovers, SIM swaps, and email hacks, demystifying the tools and methods cybercriminals use—and, crucially, how individuals and organizations can proactively protect themselves. The conversation also explores career paths, earning potential, and what skills are truly vital in cybersecurity, blending practical advice with real-world stories from the front lines of digital defense.
On Criminal Psychology:
"If you understand criminal behavior, you will understand how not to be a victim. And you actually know more than you think you know." (00:03, 41:41)
On Prevention vs. Cure:
"Incident response and mitigation of identity theft and breaches of your bank account will take forever. It's expensive and it's very painful and it's horrible to see. And so much of it is preventable." (00:10, 38:48)
Email Security is Everything:
"Gmail you've had for 100 years? You got to get rid of it now... you need encrypted secure email for your bank and brokerage that never sees the light of day." (04:35)
Direct Practical Guidance on SIM Protection:
"Take out your phone and go to Settings... If you have an iPhone 15 or later, you can put a PIN even on an esim." (22:51)
On Career Entry:
"If you come into a threat intel company and you just want to get your foot in the door... probably between 30 and 50 [thousand]. If you have a law degree... you're in six figures. Wow. It's a six figure industry..." (39:11)
| Time | Segment / Highlight |
|-------|---------------------|
| 01:15 | Rivka discusses her journalism start & transition to cybersecurity |
| 02:00 | What ZeroHack does, focus on financial protection |
| 04:35 | Need for encrypted email for sensitive/financial activities |
| 05:03 | 90% of breaches due to human error; importance of secure emails |
| 06:43 | WhatsApp vs. Signal explained; critical of Meta integration |
| 08:03 | High-risk sites (Ancestry, gaming, dating) discussed; 23andMe breach |
| 09:52 | What is the dark web? And how threat intelligence systems monitor crime networks |
| 10:52 | Password advice: avoid password managers and automated generators |
| 12:48 | Importance of deleting browsing history and developing good security habits |
| 14:17 | Browser security: it's all about settings, not choice of browser |
| 16:10 | Security of Apple Wallet and cloud accounts hinges on underlying protections |
| 18:48 | NordVPN recommended; criteria for evaluating a good VPN |
| 20:18 | Change router passwords—critical first defense for home/office |
| 22:13 | SIM swapping explained; how to secure your SIM |
| 23:17 | Step-by-step: setting a SIM PIN (iPhone detailed walk-through) |
| 24:46 | Don’t reuse PINs, manage them securely offline |
| 27:56 | Why periodically turning off your phone and using a Faraday pouch matters |
| 29:05 | Security risks in airports, public Wi-Fi, and coffee shops |
| 31:06 | Zelle, PayPal, Venmo: what’s secure (and only if account fundamentals are secure) |
| 32:12 | Advice: use a credit card with no link to main bank/brokerage for online/Apple Pay/travel |
| 33:38 | Why travel increases vulnerability: public Wi-Fi, hotel networks, real-time posting dangers |
| 35:12 | Real-world breach stories (nonprofits, donor data, ransomware & the dark web “junkyards”) |
| 36:31 | Most common hacks for individuals: email account takeovers, spoofing, SIM swaps |
| 39:11 | Cybersecurity salaries: Entry-level to six-figure roles |
| 40:14 | Skills needed: data analytics, criminal psychology, financial systems knowledge |
| 42:18 | Seniors’ vulnerabilities and special risks |
| 43:33 | Prevention vs. incident response: proactive cyber hygiene is crucial |
| 44:04 | COVID as a cybercrime catalyst: increased vulnerabilities and attack sophistication |
As Mirav observes, the information can feel overwhelming, but as Rivka reassures:
"It's an exciting field and there's a lot of opportunity in it." (45:10)
The clear message: most cybercrimes are preventable with vigilance, modern tools, and by “thinking like a criminal”—and there is both need and room for people to join the ranks of those keeping others safe.