Ep 322: Path to Lisbon - Frank Abagnale on cybercrime, identity theft and scams

As SBC Summit Lisbon draws even closer, attention in terms of the greatest showing gaming is part of a new limited series under the iGaming Daily banner called Path to Lisbon. We will showcase past panel sessions to update and inform listeners ahead of what will be discussed over the course of three days between September 24th to the 26th, which is set to see 25,000 delegates experience around 450 speakers and 600 exhibitors. The first episode of our series will focus on last year's SBC Summit Barcelona keynote from world-renowned cybersecurity expert and fraud prevention specialist, Frank Abagnale. The session goes behind the scenes to reveal how simple strategies can foil today's cybercriminals and emphasise the importance of safeguarding your players in today's ever-increasing fraud landscape. This session also highlights the calibre of speakers listeners can expect at SBC Summit Lisbon, with names like skateboarding icon Tony Hawk and Sir Tim Berners-Lee, inventor of one of the most powerful communication mediums the world has ever known with the World Wide Web. So sit back and be informed as Abagnale explains how identity thieves work and why passwords alone won't keep bettors safe.

Morning, it's a pleasure to be here this morning. As mentioned, I've been teaching at the FBI Academy for over 47 years. I've conducted more than 3,000 seminars around the world during my career on check forgery, embezzlement, counterfeiting, identity theft, cybercrime, et cetera. I'm going to take you through a very mini presentation, cover a lot of subjects in a very quick period of time, hopefully give you information to help you in your work, and also help you protect your own personal assets as well.

I've lived on my entire 47 years based on three simple philosophies: prevention, verification, education. Prevention, because once you lose your money, you will never get your money back.
They may catch the criminal, they may convict them and send them to jail for 10 years, but it is unlikely you'll ever recover your money. At the end of 2022, there was more than $110 billion of court-ordered restitution outstanding in the United States in federal court, state court, city court, and of course, 91% of that will never be collected. Verification, because today anything can be replicated, duplicated, counterfeited, deepfaked, so before you part with any money or part with any information, you absolutely need to know who's on the other end of that device. And finally, education. Education is the most powerful tool to fighting crime. If I can explain to you how the scam works, you understand the scam, you will obviously not fall for that scam. And of course, the billions and billions of dollars that go out around the world come back and boomerang into societies in the form of drug trafficking, child pornography, and terrorism, and many other crimes. So even when we put a small dent in those crimes, we also save a lot of human misery along the way as well.

I've written three books on identity theft. I started writing about it in the 1980s when very few people talked about it. And of course today it has become a worldwide crime, a very simple crime. And because of its simplicity, it's become a very, very popular crime as well. So when we look at the stats during the COVID pandemic, there was a 73% increase in identity theft. When COVID was over, it continued to rise to more than an 83% increase in identity theft. So obviously it's not going away. And we have a victim in the United States of identity theft every two seconds. When we go worldwide, in 2018, there were 3.6 billion identity records that were compromised. And today, as we're sitting here, there are more than 14 billion identity records available today on the dark web, which means everyone in this room, including myself, has already had their identity stolen, their data is out there.
The question is, will they ever use your data against you?

Breaches, if we go back to 2004 and we started looking at breaches in the United States, we see how many companies, corporations, government agencies, financial institutions that were breached. Then we go to the next six years to take us to 2016, we see bigger companies, more breaches, and of course, more access to companies' data and files that are being ripped off by criminals. Which brings us to now: Marriott Hotels, Twitter, Capital One bank. Every day there's another breach at MGM. Every day breaches that we most of the time do not hear about that are not reported, we only know about the ones that are reported. During the pandemic, we saw a huge increase in breaches more than that we had seen over the last previous years prior to that pandemic.

Now, I believe that every breach, every single breach, occurs because someone in that company did something they weren't supposed to do, or someone in that company failed to do something they were supposed to do. Hackers do not cause breaches. People do. All hackers do is look for opportunities, open doors, and there are millions of them out there. They get that data and go.

Now I make my home in Charleston, South Carolina. A few years ago, someone hacked into our state tax revenue office. They stole 3.8 million tax returns of the citizens of South Carolina. That was everyone, including myself. They stole the entire tax returns. So they had your social security number, your wife's social security number, your children's social security number, your earnings. When the incident occurred, the state tax revenue office said, "We had nothing to do with that." After an investigation, it turned out a contract employee working for the state took home a laptop they weren't supposed to take home, opened it in an unsecure environment. The hacker got in, stole 3.8 million tax returns. Our governor was Nikki Haley.
She ordered that every citizen of the state be provided one year of credit monitoring service. The state would pick up the fee. I didn't know the governor, but I sent her an email telling her that would be a waste of the taxpayers' money and a waste of the taxpayers' time. People who steal mass data warehouse that data for typically three to four years before they ever bring it back into the marketplace. So one year of credit monitoring, two years of credit monitoring, three years of credit monitoring, basically a waste of time and energy. In the case of South Carolina, it was four years later when we saw those identities be used to open bank accounts, get credit cards, file for unemployment insurance, etc.

On the dark web today, currently, these are the prices for data. Each piece of information has a set price in US dollars. So when you can compile that data and sell that data, you're talking about billions and billions of dollars in revenue.

I don't like to keep old slides in my deck, but I keep this one from back in 2012. This was a study done by Carnegie Mellon, who basically went out and interviewed 40,000 children under the age of 18, through their parent, their guardian, or the child, to ask but one question: have you had your identity stolen? At the end of the study, there were more than 10% of those children whose identity was already stolen. Of course, there is no better victim than a child. So if you go on the dark web and you see they're selling identities and we find a 62-year-old male, he's a multimillionaire, he owns shopping malls, hotels, office complexes, and you have all of his data for sale and you look at the price. Then you scroll over one and we find a 14-year-old boy who's in school and his is double that price. And if you scroll over one more to the infant who came out of the hospital last week with a social security number and a date of birth, three times that price.
Because if I can become the 14-year-old boy, I can be the 14-year-old boy for six, seven, eight years before anyone will ever know I stole that child's identity. And if I can steal the identity of that infant, I can be that infant for the next 18, 20 years or resell that identity over and over again. In the old days, this crime was a very difficult crime and took a lot of time and a lot of effort to do. Today, it is a very simple, simple crime. And of course, now all of the media publications, Forbes Magazine, the Wall Street Journal, all recognizing that children's identity theft is a huge problem.

In the old days in the United States, you had to do a lot of legwork. You read in the newspaper that someone died your age. So you went down to the vital records office and you got a copy of their death certificate. That's public record. Then you cross the hallway to birth certificates and you got a copy of their birth certificate. Then you went down to the motor vehicle department, took the birth certificate, got a driver's license. Then you got the driver's license, went to the bank, opened the bank account. Then you got a credit card. But that took a lot of time, a lot of work, a lot of research, a lot of energy. The difference today is you can do all of that in your apartment with a cup of coffee, a laptop, in your pajamas, in Russia, in China, in Jamaica, all in about three or four minutes. Technology breeds crime. It always has. It always will. And there will always be people willing to use technology in a negative, self-serving way.

As far as ransomware goes, ransomware started to decline in 21 and 22. This was 20, but in 23 in the first six months, ransomware has doubled this amount. So, with the last check, 225 cases increased to 66%, $350 million in ransomware paid. Now, the FBI is only notified 20% of the time when ransoms are paid. So we only know 20% where the ransomware has been reported.
We have no idea when the company paid the ransomware and didn't report they were paying that ransomware. As long as there is cryptocurrency, there'll be ransomware. You can't have ransomware if cryptocurrency didn't exist. So as long as there's cryptocurrency, we'll continue to see, as we are in 23, the increase of ransomware.

I probably looked at 15,000 phishing emails in my life, and up until a couple of years ago, they were very easy to spot. Poor grammar, misspelling, misdirection. Not anymore. They're getting extremely sophisticated, so I'd like to share just two with you, actual cases. Ironically, one involves a technology company in Southern California with about 4,000 employees. It is supposedly an email from the CEO of the company to the CFO of the company, and it simply says, "Good morning Robert, wonderful dinner at your home last night. Please thank your wife Helen for me. My wife Susan and I truly enjoyed your company. As I mentioned to you over dinner, I'm traveling this week to Nashville, Tennessee to attend a conference. I will not be back in the office till next Monday. I wanted to remind you to wire these funds out this morning. Here's the information for our client. by 11 o'clock." Well, if you go to Facebook, there's a picture of the CEO, his wife, his children, their names. There's a picture of the CFO, his wife, children, their names. When he registered to attend that conference in Nashville three months earlier, he said on Facebook, "I'm going to the conference. This is how long I'll be there." They're taking information in real time from social media and converting that into a phishing email.

The other one was just an employee in Washington, DC, a young lady, went to lunch with her friend. An hour later, she gets an email. "Barbara, great having lunch with you today. We need to do that more often. I hope you, Randy, and the kids have a great time at Disney World this week. When you get back, give me a call. We'll do lunch again.
By the way, I saw this on YouTube. Thought you'd enjoy it. Here's the link. Signed, Joan." Well, she's already told on Facebook that she was going to lunch with her friend. She has a picture of a husband and children. They said three weeks earlier, they were going to Disney World. Again, they're taking information from social media in real time and converting that into a real time email.

For those of you in the back, I brought this piece of paper just to read this because this is a 23-step on business email compromises, and so if you're in the back, you can't see it. 28% of BEC attacks are opened by employees. Only 2.1% of known attacks are reported to the security team by employees. read and reply to text-based BEC attacks 78% of the time. And between H1 and H2 of 2022, there was an 81% increase in the number of BEC attacks. Kind of amazing.

Phishing, emails, social engineering. I did it when I was 16 years old, so I didn't know what social engineering was, and I was also limited to one form of communication, the telephone. Today we have the internet, emails, and many other forms of communication. There is no technology. There never will be any technology, including AI, that can defeat social engineering. It's been around for over 200 years. You can only defeat social engineering through education. You have to educate that employee that they're being socially engineered. So that when I call the bank's call center, it is easy for me to turn the conversation to where I'm gathering data, not giving information. If that person in the call center has not been educated, people are basically honest. They don't have a deceptive mind, so they don't understand they're being turned in social media and being used by social media, unless someone has actually taught them that technology and understand it.

I could go in any Fortune 500, Fortune 100, Frank's Plumbing Shop in Barcelona with five employees, I'll find the same weak spots. That's all hackers do.
They look for the weak spots. I can go in any building in Barcelona or any building in the world, no matter how big or small and on every floor, I'll find an access point, a weak spot. That's all hackers do, is look for those weak spots.

And what about your home? You have a device, you pick it up and you say, go to channel five. You have a device you talk to in the morning, order me this from Amazon, what's the weather today? You have cameras around your house. You go away, you take your iPhone out, you're gonna look at your property. You have, God forbid, cameras in your house. You have a refrigerator that tells you how much milk is in it. A thermostat you control from thousands of miles away. All those are access points. Every one of those are access points. I can flip that, hear everything you say in your house, flip that camera, see everything you say in your house.

You see, we develop a lot of technology around the world, both in the commercial space and the consumer space, but we never vet that technology. We're so quick to get it out to the marketplace because of return on investment or because it has to be out by Christmas that no one ever says, whoa, how could someone misuse this technology? That is never asked. We're gonna have to do a much better job of building security into our technology. Now, there is no foolproof system. If you believe there is a foolproof system and you have a foolproof system, then you have failed to take into consideration the creativity of fools. But I can make something so difficult that I'd say to you, this would be like asking you to move the Empire State Building over two blocks in two days. And when we build good technology, that's exactly what we do. And we constantly go back on that technology to make sure it's as good as it is today as it was yesterday. As it is now, we do a horrible job of doing that.

Hate passwords, I hate passwords. Passwords are for tree houses. They were invented in 1964 when I was 16 years old.
I am now 75 years old, and we are still using passwords. How is that possible when we know for a fact statistically that 63% of network intrusions are a compromised user password? MGM, just a couple of days, password. The Colonial Pipeline shutting down half of the Northeast America, pipe, password, compromise. are the result of a weak or stolen password. Why would we still be using passwords?

Well, the good news is we're getting away from passwords. As you know, we're moving to passkey. And passkeys now are on every Apple phone, every Android phone, available by Microsoft on your PC. And of course, Apple has it on their Apple devices. 4 billion people have passkey access on their phone. There's a television ad going on in the United States. Sabrina Williams is running through a marketplace in her jogging outfit. She has no pockets. She only has her phone. You see the necklace she wants to buy. So she goes over to a Chase Bank ATM, takes her phone, presses an app, pulls it up to her face, gets her money. No card, no password, and she physically never touched the screen. That's the passkey.

So to make it easy, on my website at abagnale.com, and I sell no products, I sell no services, it has always been an educational site, it's for education purposes, you'll find on my homepage, I've written a one page sheet explaining the passkey, how it works, how simple it is. Then I gave you a link in that one sheet to Apple's engineers that show you a 30 minute video. The first 10 minutes are how you put the passkey on your phone. The other 20 minutes is how your company installs the passkey. Amazon will go to passkeys in less than 60 days. They'll no longer sign in. It'll be very simple if I go to that website. Right now we have 579 password attacks every second, or about 18 billion attacks every year. But we have got to get rid of passwords. In the next two years, I think you will see passwords completely gone worldwide, not just in the United States.
If you were to look at the three largest banks in the United States, just the three largest banks, those three banks spend over $100 million every year resetting passwords in their call center. $100 million just resetting passwords at $70 a reset. The state of Maryland, the state of Florida have people on unemployment. Every week they have to sign in and say, I went out and applied for a job, I didn't get it, I got the job, I didn't get the job. They had to have a password. 90% of them forgot the password. Costing those states millions of dollars resetting their passwords. So those two states last month moved to no password technology. That person on unemployment doesn't need to remember a password. They're identified by their device.

At the end of that one page I gave you a reference to Trusona, which basically has a website. They developed the no-password technology. And at the bottom, if you go to their website to have a Q&A, if you are the most sophisticated IT guy in the world, they've answered your question. If you're somebody who just said, I left this on the table and walked away, someone picked it up, they have answered that question. I was very happy to see that we're removing ourselves from passwords. It's way past overdue.

My last book that I've written is called Scam Me If You Can. I wrote that book and gave all the proceeds, as I do with my books, to the AARP, that's the American Society of Retired People, so they could help educate their 38 million members. They got all the royalties in advance. But I wrote that book, 400 pages of every single scam there is. Scams against millennials, scams against seniors, Bitcoin scams, currency scams, crypto scams, investment scams, bank scams. When I finished that book, I realized very quickly that millennials are scammed far more often than seniors, but seniors lose more money because they have more money to lose.
And I also found when I was done, I realized there were two red flags, and for any one of those scams to work, one of those red flags had to pop up. Some of the scams I wrote about were extremely sophisticated. Some were very amateur. But whatever they were, the red flag had to pop up. And the first red flag is that I'm going to ask you for money, but it has to be right now over the phone, over the internet. Give me a bank account number. Give me your credit card number. Go down to Walmart. Get a green dot card. Stay on the phone with me and then read me the number on the back of the card. Has to be right now. That's a red flag. And the other red flag is at some point I'm going to ask you for information. Bank, where do you bank? What's your account number? What's your credit card number? Etc. If you remember those red flags, that will stop any scam because eventually that red flag will have to show up.

I'm gonna be in Trusona's booth there at SB 78. They bought a hundred books of Scam Me If You Can. And I'll sign those books for people who come over to the booth. Be happy to sign the book and personalize it for you. My website is just mylastname.com. It is an educational site. So whatever subject matter you're interested in, you'll find it in my website. Every interview I do in a Q and A, whether it's with Wired Magazine, the Wall Street Journal, Fortune magazine, they're posted up on my website under publications and interviews. Whether I'm talking about consumer crime, cyber crime, embezzlement, identity theft, fraud, you can see the Q&A. Your questions probably will be answered by looking at those. It's been a pleasure being here this morning. Thank you for your time.
