How hackers take over your accounts using social engineering (Marketplace) - YouTube
Channel: CBC News
[0]
♪ ♪
[3]
-[ Charlsie ] We're about
to test one of Canada's
[5]
largest telcos.
[10]
My name is Charlsie.
[12]
-[ Charlsie ] These two ethical
hackers, Joshua Crumbaugh and
[15]
Alex Heid, are
taking on my identity,
[18]
so they can take
over my account.
[24]
Yeah, it's 1234.
[27]
-[ Charlsie ] What you're
watching is called
[28]
social engineering.
[30]
I wanted to add HBO
to my account.
[33]
-[ Charlsie ] A hack that relies
on charm and persuasion to get
[36]
access to your info,
and even your money.
[41]
[ ♪♪ ]
[44]
-[ Charlsie ] Erynn Tomlinson
never thought she would be
[46]
a victim.
[47]
She's a former cryptocurrency
exec who thought her info was
[50]
secure from hackers.
But that wasn't the case.
[54]
When did you
know you'd been hacked?
[57]
Well, I was out and my service
cut out on my phone.
[60]
I went to a local
cafe that I always go to.
[64]
One of the first things I did
when I got there was check one
[66]
of my financial accounts,
and I saw it was at zero.
[71]
That was the moment that I
realized what was happening.
[75]
I rushed home so that I could
be at my desktop where I had the
[77]
most control.
[79]
And then it was-- it was a race,
[81]
and it was right at the moment
where they took out the last
[84]
transaction that I saw go
through that I effectively
[86]
blocked them.
[88]
You basically watched
yourself get hacked?
[90]
Yes.
[92]
-[ Charlsie ] As
far as she can tell,
[93]
the only information
the hackers had?
[95]
Erynn's name and phone number.
[97]
And that was
enough to take it all.
[99]
It was $30,000
equivalent in crypto.
[102]
I was closing a
mortgage weeks later.
[107]
So, that's-- that's
what that money was for.
[110]
-[ Charlsie ] So how
did it all unfold?
[112]
Someone or someones
contacted Rogers through chat
[116]
message through their
online support system.
[118]
Right.
[119]
And pretending to be
me with very little information,
[122]
they proceeded to ask
Rogers for information about me.
[126]
And each time they got one piece
of information they would say,
[129]
"Thank you, I got
what I needed."
[131]
They would end the chat,
get a new agent, and start
[133]
all over again.
[135]
-[ Charlsie ] Erynn got
her hands on those chats.
[137]
She couldn't believe how
easily Rogers gave away all
[140]
her information.
[142]
They were given my
account number,
[144]
my email, my credit
card information,
[149]
my birth date, the amount
of data on my account,
[153]
my last bill amount.
[155]
-[ Charlsie ] It takes
eight different chats,
[157]
but eventually the hackers
convince the employee to
[160]
deactivate Erynn's SIM
card and activate a new one.
[165]
It's called a SIM swap and gives
hackers access to all your apps
[170]
and financial accounts.
[172]
I don't know
how to describe it.
[176]
I was sort of in shock
at the whole thing.
[179]
-[ Charlsie ] Erynn's case
might sound extreme,
[181]
but she's not alone.
[186]
In 2017, TELUS gave out one
customer's personal info to her
[191]
stalker, putting her info
and her security at risk.
[196]
Just three months ago, the
government ordered all companies
[198]
to report all hacks to
Canada's privacy commissioner.
[202]
Since then, there have been over
a dozen cases involving social
[205]
engineering in the
telco sector alone.
[209]
And companies around the world
admit social engineering attacks
[213]
are on the rise.
[216]
We're in New York City about
to meet with some cyber security
[220]
pros who are going to tell us
and show us just how hacking can
[224]
hurt us all and what
we can do to stop them.
[228]
[ ♪♪ ]
[233]
One of my email accounts
has been compromised.
[235]
[ ♪♪ ]
[238]
This is what the bad guys do.
[239]
They actually spend time
trying to force errors.
[242]
This is Infosecurity
North America.
[245]
Dozens of experts, hundreds of
enthusiasts finding flaws in
[249]
security systems, and showcasing
solutions all in one place.
[254]
[ ♪♪ ]
[258]
-[ Charlsie ] From videos
that teach you how to avoid
[260]
getting hacked.
[261]
The biggest threat for an
organization is your users.
[263]
We call it the human firewall.
[265]
Instead of a user blindly
clicking on links or opening
[268]
attachments, we want to train
that user to take a moment,
[270]
think about what
they're going to do,
[272]
and then actually
make a decision,
[274]
an informed decision.
[276]
-[ Charlsie ] To interactive
games like squashing bad
[278]
computer bots.
[280]
So we're differentiating
bad bots from humans,
[282]
and so as you play, you'll
see bots light up in random
[286]
locations, and you
have to smash the bots.
[291]
This is so hard!
[293]
It's pretty hard, right?
[294]
Top three!
[297]
-[ Charlsie ] There's even a
security-themed escape room!
[300]
Okay.
[301]
An escape room?
[302]
What does this have to do
with social engineering?
[304]
So we do immersive
security awareness training.
[307]
So the first code for
the routers is B124.
[311]
So in this room, there's a bunch
of puzzles that have to do with
[314]
helping people understand what
social engineering is and how
[317]
they can better
protect themselves.
[320]
-[ Charlsie ] These guys
are at the conference too.
[321]
They're ethical hackers ready
to use their skills on my cable
[325]
provider, Rogers.
[327]
It's just psychology,
so if you understand how
[330]
somebody's going to
react to something,
[331]
you can easily manipulate
somebody into giving them
[336]
information or access to things
that maybe they shouldn't.
[338]
Okay. Let's give it a
go, guys.
[340]
I'm going to
call this number.
[341]
It will look as if
I'm calling from you,
[343]
and I am Matthew,
your personal assistant.
[347]
-[ Charlsie ] Will
the rep fall for it?
[355]
Well, my name is Matthew.
[357]
I'm calling on
behalf of my boss.
[360]
I'm her personal assistant.
[362]
Her name, though,
is Charlsie Agro.
[365]
Basically, she's asked me to
call and get HBO added and also
[372]
just verify a couple
things about her account.
[384]
-[ Charlsie ] First call and
this employee is not buying it.
[388]
If at first you
don't succeed,
[390]
just hack, hack again?
[391]
Think of how many people
work there, though.
[393]
You only need one
out of a group.
[395]
-[ Charlsie ] So Joshua
tests a new Rogers rep.
[402]
-[ Charlsie ] The same
old trick with a twist.
[405]
This time, he's
impersonating me.
[407]
My name is Charlsie.
[410]
Agro.
[413]
I'm doing well.
[417]
Yeah, I wanted to
add HBO to my account.
[424]
Yeah, it's 1234.
[431]
That's normally
the one I use.
[433]
Let's try 0246.
That's the other one.
[438]
-[ Charlsie ] Wrong PIN, but
the rep doesn't flag it.
[441]
Strike one.
[454]
Date of birth is [ Bleep ].
[457]
-[ Charlsie ] After a
quick search online,
[459]
they find a postal code.
[462]
Okay.
[463]
Yeah, there we are.
It's [ Bleep ].
[465]
-[ Charlsie ] They're
off by a digit,
[466]
but the Rogers rep doesn't
catch that mistake either.
[469]
Strike two.
[475]
It should be [ Bleep ]@gmail.
[479]
-[ Charlsie ] And this
is where it gets scary.
[482]
Could we set a passcode,
as long as we're in here?
[493]
Yeah, let's make it 0246.
[500]
You'll want to change
that right away afterwards.
[503]
-[ Charlsie ] Hard to believe,
he actually changes the passcode
[506]
on my account.
[507]
A serious strike three.
[513]
And the game's
not over yet.
[515]
He even adds his own
security question.
[521]
We'll go with name
of the first pet.
[529]
It was Rufus, R-U-F-U-S.
[533]
-[ Charlsie ] And just when you
think it can't get any worse,
[536]
he adds himself to my account.
[540]
All right.
[541]
And while I'm at it, could I add
my personal assistant as a level
[543]
one user?
[551]
His name is Joshua.
[557]
Last name Crumbaugh.
[562]
-[ Charlsie ] The rep on the
phone even starts volunteering
[565]
information, including the
other name on my account.
[577]
Yeah, yeah, that's her.
[579]
My husband.
[582]
-[ Charlsie ] And just like
that, the damage is done.
[588]
So I'm shocked because
you actually got my
[591]
postal code wrong.
[592]
It was off by a digit, and
they still let you do that.
[597]
So based on-- so again it's
all about the profile of the
[600]
person who picks up.
[601]
I think the biggest
thing is education.
[604]
We have got to do more in making
our people aware that these
[608]
things happen.
[610]
-[ Charlsie ] This
is your "Marketplace".
[613]
-[ Charlsie ] It's
the latest con game.
[615]
Everyone's always
going to get hacked.
[617]
It's just a matter
of when that happens,
[619]
not if that happens.
[620]
Could we set a passcode,
as long as we're in here?
[623]
Yes.
[625]
-[ Charlsie ] We're revealing
how hackers can use their skills
[627]
to con companies into
giving it all away.
[634]
At this security
conference in New York,
[635]
the ultimate headliner is one of
the world's most famous hackers,
[639]
Kevin Mitnick.
[641]
-[ Kevin ] I was on a trophy hunt
to see how many companies
[642]
I could hack into.
[645]
-[ Charlsie ] Once a conman and
one of the FBI's most wanted,
[646]
he hacked into 40 big companies,
even went to prison for
[650]
five years.
[651]
Not for their
information, per se.
[654]
It was the challenge of
getting through their security.
[656]
So, for me, it was all about
the pursuit of knowledge and
[659]
the seduction of adventure.
[660]
It was never about
causing any harm,
[662]
never about making any money.
[664]
-[ Charlsie ] Now, he's flipped,
using his hacker skills to train
[667]
companies on how to protect
you from people like him.
[671]
What is it about human
nature and the goals of
[674]
customer service
that make people,
[676]
organizations, vulnerable when
it comes to social engineering?
[679]
Well, customer
service, you know,
[681]
it's all about
customers is the king,
[683]
and customer service is gonna
bend over backwards to make the
[686]
customer happy.
[688]
-[ Charlsie ] Mitnick says part
of the problem is those security
[690]
questions many
companies use to verify you.
[694]
The companies need to have
policies put into place to come
[697]
up with a way to have a very
high confidence that they're
[700]
dealing with the consumer.
[702]
They're the ones that are in
control because they are the
[704]
ones that can effect change.
[705]
The consumer can't.
[707]
The consumer can
only demand change,
[708]
and if they are
unwilling to do it,
[710]
you go to a different vendor.
[713]
-[ Charlsie ] Social engineering
victim Erynn Tomlinson agrees.
[716]
She says Rogers should have
done more to protect her info.
[720]
What did they offer you?
[721]
They offered me, at first,
three months' free service.
[725]
Sorry.
[726]
Three months of free service?
[728]
After losing...
[730]
$30,000.
[731]
And then they-- you
know, obviously I said,
[733]
"I don't think
that's appropriate."
[735]
They came back to
me, again, and said,
[738]
"Um, okay, you
know, you're right.
[740]
"We're gonna offer you one year
of free service," to which I
[743]
said, "I feel like that is a
joke at my expense."
[746]
-[ Charlsie ]
Erynn's not giving up.
[748]
She's now suing Rogers.
[750]
What I really want to see
is, not just that they give
[753]
platitudes and say, "Oh,
we're sorry this happened" from
[756]
a customer service point of
view, but that they make real
[759]
changes to their policies and
their training internally,
[763]
so that this can't happen.
[765]
Rogers declined to speak
to us about Erynn's case
[768]
as it's before the courts, but
argue they're not responsible
[771]
for what happened to her.
[772]
They do say they provide ongoing
training for their staff and
[776]
take their customers' privacy
and security very seriously,
[780]
always improving and updating
their security measures and
[784]
verification processes.
[786]
Rogers does admit those steps
were not followed properly by
[790]
the customer service rep
when my account was hacked.
[796]
Do you think your members
right now are doing a
[798]
good job protecting
customers' privacy?
[801]
I think they are.
[803]
-[ Charlsie ] Meet Robert Ghiz.
[804]
He's the head of the Canadian
Wireless Telecommunications
[807]
Association, an industry group
representing some of the
[810]
big telcos.
[812]
I think they're putting
mechanisms in place,
[814]
that they are training
and educating,
[817]
but the difficulty is staying
ahead of the fraudsters.
[821]
I know they're good.
You know how I know?
[823]
We had two ethical hackers.
They got into my Rogers account.
[829]
They had the wrong PIN number.
[830]
They had the wrong postal code.
[832]
And they still got in, so that's
troubling for me as a consumer.
[836]
But I want to know how
troubling it is for you.
[838]
Well, obviously we
want to protect our members.
[843]
It's something
that's important to them,
[844]
and that's why they will
continue to educate, and they will
[846]
continue to train.
[847]
But there's always
going to be human error.
[850]
There's always going to
be fraudsters out there.
[852]
It's up to all industries to
ensure that they do the best to
[856]
protect individual security with
a constantly evolving technology
[863]
that is only going to
grow in the future.
[866]
Experts have been
really clear with us.
[867]
We need to move away from
using personal information
[870]
to authenticate or
validate a user.
[874]
When are you going to stand
up to telco companies and say,
[877]
"Let's make a change.
This isn't working"?
[880]
Well, that's only one
portion of what they do,
[883]
whether it's asking
birthday, asking your address,
[887]
that's why they're adding pins,
passwords, security questions.
[891]
Even though they have
these measures in place,
[895]
it doesn't seem to matter.
[898]
They're not working.
[900]
They got in anyway.
[902]
They are working.
[903]
The thing is there's
millions of calls--
[904]
It didn't work for me.
[905]
There's millions of calls
that come in every week.
[907]
There's always going to be
some human error that's going to
[911]
exist, but you're right.
[913]
It's gotta be about educating
those front line services and
[915]
training those
front line services,
[918]
and that needs to continue and
needs to be more vigilant in
[921]
the future.
[923]
[ ♪♪ ]
[925]
-[ Charlsie ] Ethical hackers
Joshua and Alex agree.
[927]
Companies shouldn't be asking
for personal information to
[931]
verify us but say we shouldn't
make it too easy for hackers by
[935]
sharing too much ourselves.
[937]
So many people will use their
children's names or birthdates,
[941]
or their animals'
names as passwords.
[944]
And then you go onto
their social media,
[946]
and they've posted a million
pictures of the same dog with
[950]
the name of their dog.
[951]
And they're basically putting
their passwords out there for
[953]
everyone to see.
[955]
-[ Charlsie ] Is he right?
[956]
Do we really share too much?
[957]
[ ♪♪ ]
[961]
-[ Charlsie ] We're taking that
question to the streets.
[963]
-[ Charlsie ] What kind of
password do you have?
[965]
Like a dog's name, birthdate?
[967]
I do use my dog's name.
[969]
-[ Charlsie ] Oh, what kind
of a dog do you have?
[971]
I have a shih-poo.
[973]
-[ Charlsie ] Aww.
What's his name?
[975]
[ Bleep ]
[977]
-[ Charlsie ] What security
question would you choose?
[978]
My mother's name.
[979]
-[ Charlsie ] What's
your mom's name?
[980]
Can I reveal that?
[982]
Okay, my mom's
name is [ Bleep ].
[984]
-[ Charlsie ] So your security
answer would be [ Bleep ]?
[987]
Yes.
[989]
-[ Charlsie ] How strong do you
think your online password is?
[991]
Very, very strong.
[992]
It's a name that
nobody would guess.
[994]
-[ Charlsie ] So, like,
your partner's name?
[997]
Yeah, something like that.
[998]
-[ Charlsie ] What's
your partner's name?
[999]
I can't-- I can't say.
[1000]
-[ Charlsie ] Why?
[1001]
[ Bleep ]
[1003]
-[ Charlsie ] So your password
is [ Bleep ] plus a bunch
[1004]
of numbers?
-Yes, yes, it is.
[1007]
-[ Charlsie ] Thank
you very much.
[1008]
Thank you, yeah.
[1010]
-[ Charlsie ] Please go
change your password!
[1012]
Have a good one, guys.
Take care.
[1014]
-[ Charlsie ] I've
changed my password.
[1017]
And now it's up to companies
to change their practices.