HackTalk is a long-running monthly podcast with Sean Bailey and Devin Kropp, co-authors of Hack-Proof Your Life Now, which covers the latest cybersecurity threats and issues advisors need to know to protect themselves and their clients. You can listen to the recorded broadcast above, or get the highlights by reading through its edited contents below.
Sean Bailey: Hi, everyone. Welcome back to HackTalk. I’m Sean Bailey, Editor-in-Chief at Horsesmouth. And I’m here with Devin Kropp, who along with me is the co-creator of Savvy Cybersecurity and co-author of Hack-Proof Your Life Now. So in today’s episode, well, we’re going to talk about something, Devin, that a lot of people are acting like, it’s a big, new, serious threat—this ransomware.
We are all familiar with the Colonial Pipeline thing that happened last week. But I mean, let’s be honest about this. We wrote the book in 2016 and ransomware was a major aspect of the book, and it wasn’t like we were discovering it in 2016. Wish that we had, but it had been around for a long time.
So it continues to be around for a long time, but the media’s in one of these cycles where, oh my gosh, this thing called ransomware exists and it’s dangerous. But well, take it from the top. What did transpire and where do we want to go with this?
Ransonware is, was, and will be here
Devin Kropp: That’s a great point. I will say, the FBI has been issuing guidance on ransomware and that it’s been a growing threat since we wrote the book, maybe even before we wrote the book. It comes up in the news cycle with a school or a hospital being hit with ransomware and everyone talks about it for a day or so, and then it goes. But something that experts have been warning about—and the FBI, in fact, has been warning about too—was exactly what happened with the Colonial Pipeline. That when a major utility or public infrastructure company or government agency is hit with ransomware, it can have really detrimental effects to our entire society.
I think one of the reasons why we’re hearing so much about it right now is because this is something that security experts have been warning about—that our public infrastructure is at risk for these attacks. And this is really the first big incident that we’ve seen that has affected so many people.
Kropp: So just to quickly summarize what happened. Colonial Pipeline, which delivers fuel from, I think, Texas up to New York was hit with a ransomware attack. Their IT system was targeted by it. In response to that, they took most of their networks offline to respond to the attack, meaning that fuel was basically shut down for five or so days going from Texas up the East Coast.
As a result, we saw consumers learning about this, panicking, and there were plenty of states in the southeast that were having gas shortages or lines at the pump. And all because they were worried that if the systems weren’t put back online, if fuel wasn’t able to be delivered, we would have a gas shortage in a huge portion of the United States.
What we found out was that Colonial Pipeline wound up paying ransom to the cyber gang that was behind this. They’re called Dark Side. They’re allegedly based out of Russia, eastern Europe area. They make about 15 million from ransomware annually. They are a big cyber criminal group that goes out and does this.
So the Colonial Pipeline ended up paying a ransom of, I think, five million to the hackers. Usually the FBI says do not pay the hackers because it encourages further attacks. But I think they realized that they didn’t have the backup to not pay the ransom, and that they needed to get their pipeline up and running again before there were serious implications for consumers on the East Coast.
It’s very interesting because, like I said, starting out, this has been kind of a warning for a while that public infrastructure is really vulnerable to these kinds of attacks, and it can affect a lot of people with one bad click of a link. That’s what we’ve seen with it. They’re back up and running now, but I think it’s an important wake-up call for everyone that our infrastructure’s at risk. Individuals are at risk. Businesses are at risk. And there are serious implications from this threat.
Backing up and having a plan
Bailey: Then bring it back to our audience, financial advisors. We know this has happened to some financial advisors, someone in your firm clicks on a link and suddenly your whole firm is being held for ransom. It definitely happens. And it’s why we’re bringing it up again to remind people that this threat continues to be growing and dangerous.
There are things that you can do to minimize this. In addition to the importance of employee training, you should be having some cybersecurity conversations with your staff on a regular basis. Because obviously you folks are dealing with people’s money, and there’s a lot of very important, sensitive, private information on your office networks. Everyone on staff needs an understanding of what you would do in the event that somebody clicked on one of these links and it launched the ransomware attack and suddenly your network is totally frozen solid. What are you going to do?
I think part of the answer is that you and your IT person—whomever that is, whether it’s somebody on staff part-time, full-time, or just an outside consultant—you need to have a good backup plan. I mean, literally, your systems need to be backed up so that if that ever happens, you can just roll back to your backup copy of your network, which presumably is really just a couple of hours old in the worst-case scenario.
And so it’s important that advisors be totally cognizant of this. And also know that if you don’t have this kind of backup in place, your only other option is going to be to pay ransom. And most everybody pays it, and it’s really the FBI and the government that says don’t pay, don’t pay. But we all know everybody does pay in most cases. There have been one or two documented cases where people have chosen not to pay ransom and it’s cost them days and days, and hundreds of thousands of dollars to reconstitute their networks.
But if you’re totally locked up with ransomware and you don’t have a backup, you don’t have a solution. You’re going to have to pay, and you’re going to have to pay by bitcoin. One bitcoin these days is around $50,000.
I don’t know what the current rate is. I have no idea what the hackers are charging if they go after a smaller firm or individual these days, but it’s not good. And so having that backup and being aware that everybody on your team needs to be sensitive to strange and unusual links.
Which brings me to this question: Devin, what does E.M.A.I.L. stand for?
Kropp: It stands for Examine Message and Inspect Link, and it is the number one thing you need to keep in mind when you’re looking at an email. I will extend that now to text messages, too, because there’s been a lot of text-message scams in the last year.
But make sure you’re really taking a closer look at emails that come in, especially if they’re asking you to do something, to click on a link or open-ended attachment, and it kind of comes out of the blue. These are really sophisticated emails now.
They can spoof who it comes from. So if you don’t look really carefully at the sender email, you might think it’s from somebody legitimate or a company that you regularly do business with. But if you take a closer look by hovering your mouse over it, you’ll see it’s not that email address at all.
Same thing with a URL. They can make any link look like it’s going to your bank or someone that you work with, when in reality, it’s not going there. So you need to be really, really careful with those emails that come in.
I actually was talking to an advisor last week about cybersecurity. He shared with me that he, at work, had fallen victim to a ransomware attack that came in through a phishing link, clicked on it. Luckily he had read our book and had a backup of everything. So he didn’t have to pay the ransom.
He lost about a day’s-worth of work because he hadn’t backed up that day. He has an automatic thing that goes on and it hadn’t backed up. But that was the best-case scenario that he could have asked for. Because, like you said, most people aren’t backing everything up and they end up having to pay the ransom.
He did have to go to a computer specialist to have them wipe the machine for him. But that was nothing compared to what one bitcoin would be to get his data back.
So it is good advice. It does happen. It’s kind of one of those real-life scenarios where you can hear about a big pipeline or a big company falling victim and still think, oh, it’s not going to happen to me. But it happened to this advisor.
We’ve had it happen on staff here at Horsesmouth. It is something that is very likely, actually, to happen to everyone at some point in their life. So making sure that you have that backup and you’re looking really carefully at those emails or text messages is super important.
Bailey: We click on links all day long. If we counted how many links per day we clicked on and then we would realize we’re playing sort of link roulette in a way. But listen, when in doubt, even slight, just leave it. Whatever. If it’s really important, they’ll send you another link or someone will call.
Kropp: They’ll call you, exactly.
Bailey: Just don’t get drawn into clicking before thinking. That is really what it comes down to. Of course, these phishing attacks that lead to the ransomware are designed to hijack your decision-making skills, and sometimes drive you to do things that you wouldn’t normally do, which is all the more reason to be Zen about the whole thing, and not ever get upset by anything that comes flying into your email box or any other sort of text link.
Google and two-factor authentication
Bailey: All right, Devin, let’s move on. What’s going on with Google and two-factor authentication.
Kropp: This is some really good news from a security front. Since we wrote our book in 2016, we have been preaching the importance of two-factor authentication. In the past five years since then, we’ve seen many more companies adopt two-factor authentication, which is great. This is an added security layer where once you enter your username, your password, before you can even access your account, you’re sent a one-time code, either via text message or through an app. And you need to enter those four digits in order to access your account.
It is so important because we know that passwords are stolen at really high rates and most people reuse their passwords. So password security is pretty poor overall, but this layer of security kind of negates the fact that you can have a not-great password because you have that special code that even if someone has your password, they’re not going to be able to get into your account.
Usually in the past you would have to opt-in to this added security, but Google made an announcement this month that they’re going to make two-factor authentication the default for all of their accounts. Meaning that you have to opt-out of it to not be enrolled in the program and to have that added layer of security. This is a really good step because this will make it easier for people to sign up for it and make sure that they have that added security.
Most people aren’t bothered by the two-factor authentication, especially because you can mark a device. This is my home computer, you don’t need to add a code every time. But most people don’t go out of the way to add the two-factor if they already have an account and do that.
So this is really good news. And this kind of goes along with the idea that Google and a lot of tech companies are trying to kind of eliminate the idea of a password; in the future, we wouldn’t even have passwords anymore. It would just be these kinds of two-factor authenticator situations where you would put in your username and then you would get this one-time code to enter. So I think this is the first step in that, but it is being really well received by the security community and hopefully other kinds of big networks will follow their lead and make it kind of the default setting for users.
Bailey: And of course, it’s so important to have two-factor authentication on your email because we know outside of ransomware, the other devastating attacks typically happen, especially for companies, individuals too, when a hacker gets control of your personal or work email. That gives them one hop to your bank accounts and so on and so forth, so you need to have two-factor authentication on your email.
In addition to having two-factor authentication on any of your banking accounts, your email, and anything that really involves finances, whether it’s brokerage, banking, whatever else falls under that umbrella, that’s part of the core security approach that we teach in Hack-Proof Your Life Now. If you have these things in place, the likelihood of you ever being successfully hacked are just dramatically reduced. So we were talking back at 2016, about how you got to put this on your email, so it’s good to see that Google’s moving forward with elevating it even higher now. I think all advisors who are listening out there ought to be sure they have two-factor authentication on their email accounts.
Kropp: I also want to add, too, we’ve been saying email financial accounts. I would also add social media accounts into there these days just because there is so much activity that occurs on those accounts. Just a personal anecdote. I have two-factor authentication on my Instagram account, meaning, even if anyone had my password or whatever, they wouldn’t be able to get in.
Just last week, I got an email from Instagram that said, “Oh, sorry, you forgot your password. You can use this link to reset it.” And I was like, I didn’t forget my password. At first, I honestly thought that email was a phishing email. I was like looking very closely to make sure that it wasn’t anything like that. Instagram actually has a feature where you can go into the app and see what emails they sent you.
So I went in and checked. They did send me the email and I was like, that’s really odd. So I went in and I double checked that my two-factor authentication was set up. It was. I was like, all right, that’s no problem. And since then, about every three days, I will now get a text message from them saying like, oh again, you forgot your password, click here to reset. Just kind of showing that the two-factor authentication is working because whoever is trying to get in there is not able to do anything, because they have no code.
I would add that now I think hackers realize that our social media accounts, number one, are connected to a lot of other accounts, including our email. And number two, we share so much information on there; one of the main ways that they can deliver malware is through hacking someone’s social media account, posting a link or going to their contacts and all of that. So I think one of the ways that our advice has evolved since the book would be adding social media accounts into those kinds of core accounts that you need to protect with this added layer of security.
Bailey: Good. That Instagram thing sounds to me like it’s probably a robot that’s just out there.
Kropp: I did some research on it and people are saying they’re these bots that go through and hit account after account after account and try to get in. And when they see that there’s an added layer of security, they kind of just move on to the next people, because there’s so many vulnerable accounts out there that there’s no need for them to spend time on ones that are actually protected.
401(k)s and cybersecurity
Bailey: Right. Good. OK. This brings us to our last item, which just recently, we were talking about cybersecurity on 401(k)s. What’s the story there?
Kropp: Last month that we were kind of talking about how these accounts are pretty vulnerable to attack and how the Department of Labor really wants to step up the security of these accounts, because there’s no federal kind of law or mandate for how they need to be protected. So all of the service providers kind of have these different roles that most of them don’t have great security to begin with. And we’ve heard stories of people who kind of lose their whole life retirement savings because someone was able to hack into their 401(k) and distribute that money to their own account.
Kropp: When we spoke last month about it, I had mentioned that the DOL was asking the government accountability office to improve these guidelines for providers. We haven’t seen that yet, but what we have seen is the DOL issued kind of these online security tips for consumers, basically telling consumers that these are the steps you should take to protect yourself until we can figure out how the providers are going to protect you.
So some of the things that they offer, obviously, is kind of scouting out the provider, making sure that they have security in place. Do they have two-factor authentication? Can you make an online account? Obviously, a lot of that is out of the consumer’s hands, if their company chooses a 401k provider that doesn’t have that security, there’s not much you can do other than email them consistently and ask them to improve their security, or ask your HR to move it to a different provider.
It’s good for consumers to be aware, though, of the security that they have, but making sure you’re using a good password, kind of everything that we recommend in Hack-Proof when we’re talking about online security, but making this tip sheet so people can download it. So again, we haven’t seen much change when it comes to what the 401k providers will have to do, but hopefully this is the first step in improved security for these kinds of accounts.
Bailey: All right. Well, good news to see that we’re moving in the right direction there. Well, that does it for this month, everybody. Thanks so much. Send us any questions you have on your cybersecurity issues. Devin, where should they send those questions?
Kropp: They can send it to Hack-Proof at horsesmouth.com
Bailey: Hack Proof at horsesmouth.com. We’ll answer your questions. All right, everybody. Thanks so much. We’ll talk to you next time.
Kropp: Bye everyone.