About Scott:
Scott Schober is the President and CEO of Berkeley Varitronics Systems, a 49-year-old, New Jersey-based provider of advanced, world-class wireless test and security solutions. He is the author of three best-selling security books: Hacked Again, Cybersecurity is Everybody’s Business, and Senior Cyber. Scott is a highly sought-after author and expert for live security events, media appearances, and commentary on the topics of ransomware, wireless threats, drone surveillance and hacking, cybersecurity for consumers, and small business.
He is often seen on ABC News, Bloomberg TV, Al Jazeera America, CBS This Morning News, CNN, Fox Business, and many more networks. Scott also serves as the CSO and Chief Media Commentator for Cybersecurity Ventures and sits on several cyber advisory boards for various companies.
The War Between Facebook and Apple – Scott Schober | CYBER EDITION
In this episode, I have a brother of mine in the cybersecurity industry. I’m pretty excited about this because he is the CEO of Berkeley Varitronics Systems, or BVS. He is the author of three bestselling security books, Hacked Again, Cybersecurity Is Everybody’s Business and Senior Cyber. He’s seen on ABC, Bloomberg, CBS, CNN and Fox Business. Scott Schober, welcome to the show.
Thanks for having me.
It’s good to have you.
Nice to be here.
What’s your background? I read off a whole bunch of accolades for you which are phenomenal.
I’m running a technical company that focuses a lot on wireless threat detection tools. We sell them to DoD agencies, mainly in Fortune 500 companies. Prior to doing that, I’d go back many years, we were focused on building wireless propagation tools, test receivers, transmitters, all used to set up cell towers. Over time, the offshoots of all of that, we learned what makes cell phones vulnerable. That got us heavy in security, security tools and hence the tie-in with a lot of the cybersecurity. That’s what got me into the book writing, once we got targeted and hacked. It’s certainly an interesting journey. It’s a family business founded by my father, who is still CTO but he’s retired. It’s interesting because you could see over generations and time how threats have changed drastically to where we are now, where all of these different hacking and cyber-criminal activities affect all of our lives.
Wireless phones didn’t exist at that point in time.
There was nothing back then. In fact, the first contracts we got were about the mid-1980s when we designed the first test tools to figure out how in the world to make all of these wireless phones work and where to place the towers. It was a daunting task but it became the mainstay of our business. Even to this day, we’re still building 4G LTE test tools. Everybody hears on the TV that all the carriers are bragging about 5G. That’s a big push, developing tools to test those standards to hopefully make our phones and wireless devices work much better.
I was fairly interested in the tech piece of that. I remember working at RadioShack back then when digital was first coming to be a thing in wireless technology too because everything prior to that was analog. I remember that there was an A and B carrier. Now we have multiple carriers and they’re using different simultaneous airwaves; there’s even spectrum sharing that exists now among partners across different parts of the industry. It’s been an intriguing evolution because you’re talking about how vulnerable cell phones are. I remember cell phone cloning days when the whole phone would be cloned with the ESN number. Does something like that still exist now to where a SIM card can be cloned?
There’s certainly SIM jacking but it’s different. You’re talking a lot of the stuff back in the ‘80s and early ‘90s where they would take the MSC and tumble it. That was in the days of cellular analog AMPS and EM. We had some cool security tools back then. We’ve built cellular interceptors for Title III law enforcement agencies where they would listen in on each side of the conversation. When there was a physical handoff from one tower to the other, we would camp onto that. We added automatically-starting tape recorders. It was fun because being younger in the business at that time, I get to listen to these crazy conversations. It was mostly drug-related and nuts. These guys talking on the phones and they were flipping and tumbling all the phones that they could but it was mostly drug stuff that the government agencies were chasing down.
They used our equipment successfully to close a lot of drug rings back then. It was a scary time because it was easy to do for people that had technical knowledge. People were going to RadioShack. You could buy a lot of the common things, make modifications to equipment, you could steal the MSC and do other kinds of things that were not legal. It’s gotten much harder to do but people still utilize wireless as a conduit. Now they do it more for cybercriminal types of things, for stealing credit cards and skimmers. That’s a huge part of our business as well at ATMs and gas pumps where they’re constantly stealing credit cards.
I’ve seen videos too with ATMs and also at gas stations where they’ll put a small device almost around the card reader so when they slide the card in and out, the gas pump is still functioning normally but that secondary reader is also reading the card information every time they swipe. Is that what you’re talking about?
There are a couple of different types of it. As technology advances, so do cybercriminals. The typical ones where you take an actual physical bezel, put it over the read head and they embed a tiny skimmer in there, they’re very effective. As people caught on, jiggle the bezel, look with a flashlight, pop it off and see a second skimmer there, they got leery of it. What happened is cybercriminals said, “Let’s use wireless. Let’s make a Bluetooth skimmer.” Now they have a couple of skimmers which is basically a magnetic read head, a small microchip and a couple of leads to a Bluetooth module, and make a tiny little skimmer board. They place that inside the ATM or inside the gas pump. I always wondered when I first started investigating these years ago, “How in the world did they get in?”
That’s where I went. I’m always about the human side of cybersecurity and there has to be a physical person that plants that thing inside a gas pump.
This is the part that blew my mind and not many people talk about it. There are six keys to open up 90% plus of the nation’s gas pumps. You can go on eBay for about $20 to $30 and buy six master keys and now you can open up and get inside any gas pump. Everybody has access to it. The gas attendant, owner, national weights and measures, the guy that’s delivering the gas. It’s generic. It’s almost a joke in the industry. “You go to any pump, you can open it up, look inside.” Cybercriminals realized that, so what they do is place the skimmer conveniently on top of where the reader is for the card. There’s a simple Molex connector, they plug in their skimmer, place it inside the rat’s nest, pull the door closed. It takes about 15 to 20 seconds for a good cyber thief to place a Bluetooth credit card skimmer.
They never have to go back to the scene of the crime. They could sit 75 feet away, which is about the maximum range of Bluetooth. Sit in their car on their computer, query each pump and get a couple of hundred stolen credit cards each and every day. They go back to their house, burn these credit cards and go shopping. Usually, they will buy gift cards and give a $100 gift card to Victoria’s Secret to their girlfriend in exchange for $50 cash. They launder the money that way. It’s a huge enterprise. They do billions of dollars in stolen credit cards each and every day.
Magnetic stripe readers have been around for eons; that was one of the oldest ways in the book to steal a credit card number. We then came out with the chip, which the US was way far behind compared to the EU on when it came to the chip. Now post-COVID or after the pandemic, you start to see it on gas pumps and literally everywhere because things like Apple Pay and contactless payments were not very prolific prior to the pandemic, especially on gas pumps. I still don’t see a lot of gas pumps that have them, but I’m starting to notice them more, to where they have the contactless payment. When I’m in Costco, “I still have to put my card to the same screen that touched the card of somebody else that was in their back pocket by their butt.” These are the thoughts that go through my head. “My card has touched the same surface that somebody else’s card touched because it was in their wallet.” Still, from a security perspective at these gas pumps, you tap it. Is that more secure than the more traditional methods?
That’s where things are migrating to. Part of the reason they didn’t migrate to it? Why are we many years behind in the United States? I have no idea other than regulations between the petroleum industry, issuing banks and everybody else. Think about it. When credit cards are stolen and gas is pumped, everybody’s still making money in the process. That’s the sad part. The gas station doesn’t lose any money whether it’s a stolen credit card or your credit card. As long as the gas is flowing, they’re happy and they want to stay out of the business of upgrading security because upgrading the security to more secure methods within a gas station is very expensive. The law at the end of October of 2020 mandated that they have to start the process, which means it’s going to take 1 or 2 years before we’re going to start seeing security upgrades at all of the gas stations nationwide throughout the United States.
Apple Pay and any type of digital payment that’s using NFC, Near-Field Communication, is extremely secure. Why? Because it’s not taking your credit card data off your card: your card number, CVV, expiration date and name. It’s not transmitting that information. Instead, it’s sending an encrypted token one time through the payment ecosystem and the issuing bank says, “This is Scott Schober. This is his credit card.” They’re holding the private information at the bank. That’s very safe. That’s why we don’t hear about breaches with Apple Pay or Google Wallet or other payment methods of that type. I always prefer to do that. If you can’t, use cash. It sounds stupid but old school. Cash is king at the gas pump until the security upgrades, where you can take actual NFC payment by Apple Pay, Google Wallet or some other form that’s truly secure.
I use cash. That’s the safest when it comes to having anything stolen unless you got somebody with a gun standing there. I get too many points on my credit cards. I put everything there. There’s not much cash that I carry or even use that much anymore. I appreciate you saying that too because I remember when Apple Pay first came out, you would see almost a virtual card number. There was a completely separate number. It’s a token that is assigned to your device. There’s a matchup that occurs after the encryption takes place between you and then this is the token that matches it. I appreciate the security because my card data is not on my phone.
It’s scary when people realize it but yet they’re still not adopting it. I’m still not sure why. I use Apple Pay. I love it. I am a huge Apple fan. I do the entire ecosystem. The fact is, “Do you pay a premium for it?” Yes. However, you’re also paying for security. That’s part of it. You have to look at the big picture, step outside and say, “Am I going to stay secure?” The answer is yes. In the early days of Apple Pay, there was a lot of talk about it not being secure. People were saying, “There was a breach, cards or phones were getting compromised and the accounts.” What happened was they uncovered that it was the fault of the issuing banks. In other words, cybercriminals were smart enough to go and call the bank and pretend they were you. They would fool the banks basically by saying, “Here are the last four digits of my Social Security number, sign me up.” They’d steal an iPhone or get a burner, put an Apple Pay account on it and go shopping on your nickel. They finally got smarter. They’re doing thorough background checks and vetting everybody before they link up the cards to the cybercriminals.
There’s always such a huge human aspect of cybersecurity. It’s people calling and pretending to be you. There’s nothing digital there, it’s just social engineering and duping gullible people. How do we overcome that?
There is no way other than making people aware. Awareness is important and learning best practices. To your point, it’s good for the human element. That was the theme of the show at RSA when I went out there. A lot of people forget that aspect too much. They’re thinking too much about technology and security coupled with technology. That is important but there’s always something like a way in or a backdoor, there’s a vulnerability that can be exploited. Usually, I’ve seen with about every breach that I’ve analyzed, done research on and written about, there’s that human element that people forget about. They’re complacent and lazy, “I don’t want to use multifactor authentication or two-factor authentication. It takes too long.” When they skip a step and they’re not thinking security and get complacent, that human element, that weakness is where the cybercriminals will try to exploit. It’s like social engineering. How do they start any type of attack? You’re going to think about how they can garner as much information as possible to get into a computer network.
In most cases, after trying to get into a law firm, accounting firm or company, they’re going to pull into the parking lot, sit in the car and pick the phone up. I’ve heard what the scammer has done: often they’ll call, the receptionist answers and they say, “X, Y, Z law firm. We’ve got an important proposal. It’s got to get over to Mr. Smith immediately. I need to get the password to your Wi-Fi system so I could send that email.” If they talk fast enough and sound convincing with the right names, titles and buzzwords, the receptionist frantically goes, “Password123.” “Great. Thanks. I’ll send the proposal right over. Don’t tell Mr. Smith.” They now have a conduit to get into the network, work laterally, start gathering information, compromise the company. Social engineering, even though it’s decades old, is behind most of the cybercrime that we see.
It’s the most effective. It’s the cheapest from an R&D perspective. I heard somebody from the NSA say one time when I was talking with them, “These zero-day threats that exist, in order to mine those, that takes millions of dollars of research and development in order to develop these bots, to get into whatever system you’re trying to get into. When you invest that much, you want to save that silver bullet for Putin’s laptop.” Those were their words. If you can pick up the phone, call a receptionist and get the password to their Wi-Fi network in 30 seconds flat, that’s so much less time and money that’s invested to still gain the same access.
We were doing an interesting chat. I belong to a group of cybersecurity professionals and we go on Clubhouse usually every Friday afternoon. One of the topics was social engineering. Every guest that we would invite up to the stage, we would ask them something, “What’s your pet’s name? What’s this? What’s that?” We try to get the answers to security challenge questions out of them. It’s amazing how many people divulge it. They’re like, “My dog is Rocky.” “Thanks.” You see how easy it is once a barrier is broken down. There’s a little bit of pressure when someone’s on the spot on the phone and in front of a microphone, camera lights in their eyes; they might be thinking about what’s going on around them instead of the question being asked and they innocently share it. That’s how social engineering is so powerful. When you couple that with the human weaknesses of trust and innocence, because we always want to trust people, even though we don’t trust people, you can take advantage of that.
Let’s talk about trust and innocence here because one of your books is Senior Cyber. How or why are even our seniors and the elderly often targeted by cybercriminals and scammers?
In a lot of my research before writing the book and even during, I talked to a lot of seniors. One common fundamental is a lot of seniors worked hard all their life, have savings, care, they want to communicate with people, so they tend to have that innocence, trust with people, and they’re lonely oftentimes. Especially in the latter part of their life, if they go to assisted living or nursing homes, they’re willing to talk to anybody. If that phone rings, they’re going to pick it up. They’re more innocent, trusting and more likely to hold a conversation and give away information. If you call my house phone, my teenagers don’t even pick it up. Nobody answers the phone in my house. “Let it go to voicemail. Text me if it’s important.”
Do you still have a house phone?
I still don’t know why. We don’t use it. It makes no sense. Everybody lives on a mobile phone these days. Not seniors, necessarily. A lot of seniors still have a good old house phone. As they grew up through technology, when you first got a house phone, what happened? It was on the wall. It was an old rotary dial. When that phone rang, within two rings it was very polite to race over to the phone and say, “Hello, the Schober residence. Can I help you?” They’re used to that and trained to do that. That’s one of the biggest reasons though, trust and innocence. Having some assets in the latter part of your life, your life savings. There’s something there to target for hackers and cybercriminals. They want to go and see if they could steal some of that.
The combination of social engineering, phone scams and phishing scams is popular with seniors. Every senior that I talked to had some scam. Either they fell for it, or part of it, and gave away some information, or their caregiver, son or daughter stopped them in the process. That’s important to realize. If we’re supporting a senior, we have older parents, take the time to talk to them, review the basics, that human element, communication. They will share with you if they got a scam call, email or something else before they click it, before they give away the credit card or whatever it is.
In Senior Cyber, I share a couple of actual scams that happened to my grandfather. He was 99 years old before he passed. His background, he worked at Bell Labs. He was an engineer and worked on the first Telstar satellites that went to space. He was a smart man. Yet he too in his later years fell for scammers from the stock market to a scam on sending them gas. They need his credit card for the processing fee. They used his innocence and trust against him to give in because they built up his ego and made him feel good. Seniors need to be on guard. I step through the processes and some of the emotions that seniors need to realize in the senior side so they can be prepared how to respond or how not to respond if they’re a victim of cybercrime.
I know even post-COVID, with the pandemic too, senior cyberattacks are on the rise, especially with everything that’s been going on. Even along those same lines, there’s also a new movement, work from home. There are so many more remote workers that exist now. How has security changed or even become more important with that movement that we have, that’s been multiplying exponentially?
That allowed cybercriminals to pivot to other targets, going for your home office, working remotely, and people set up overnight. It seemed to have happened because they’re on their computers and mixing their work laptop with their home smartphone. They’re using their personal Wi-Fi that may not be secured, that they’ve given the password out to their buddy who came over to watch the football game because he wanted to check his email. What happens is all these layers of security that are good in our office all go out the window almost overnight as everybody migrated to the remote office. Furthermore, people are connecting remotely. That opens again the conduit to connect into the work network. Are they using a strong password? Are they using multi-factor authentication?
A lot of times the time element isn’t there and they’re rushing, logging on and off and doing different things like that, sharing documents, keeping it up in the cloud. All of these things open up that window of vulnerabilities that hackers and cybercriminals can try to exploit. It’s been a mess, needless to say. Some companies have got it right that said, “Slow down. Let’s stage this out and follow a procedure to make sure we have security at the top of the list.” The companies that didn’t, turned the switch, sent everybody home and said, “You got to work from home. Figure it out.” They’re having nothing but problems. They’re having phishing attacks, ransomware and a whole host of problems.
They opened the front door to their castle by sending everybody out with everything. I do know that because I’m in the same industry and I see a lot of this misconception that you have to spend a lot of money or you have to be very technically savvy in order to have the proper security. What are your thoughts on that? It’s too much money.
That’s certainly a misnomer. If people and companies, small businesses up to the Fortune 500 companies, can step back from it, if they’re not objective enough to do it, I always encourage them to bring in an expert. Hire a third party to come in that could be a little bit more objective and even get a vulnerability assessment. Get a penetration test so you could identify clearly where you are within an organization so you can shore up all those little weaknesses. Otherwise, if you don’t know what you’re protecting, it’s hard to know, “Where do I spend my money?” It can be daunting. You say, “I’m a small business. I can’t spend $100,000 on cybersecurity tools.” You don’t have to. Maybe it’s a combination of some very focused spending on things where you’re lax and in other areas you buy a good shredder. Do you have a good shredder? Are you shredding personal information? Most people are.
It works. A good micro cross-cut shredder is $200 to $300. If you got the little $19.95 one at Staples, that isn’t going to cut it, no pun intended, because it gives long strips. You could lay that out on the floor, put a camera over it, press the button and the algorithm can piece the shreds back together so you’ve got an actual digital document. It didn’t serve its purpose. Years ago, I had a credit card. It was expired. I had a new one issued and I simply cut it up on my desk with scissors, threw it in the garbage can. That was Friday. Came in Monday morning, our building maintenance guy says, “Scott, you got to come outside and look at this.” I went out where all the garbage cans are. My credit card was pieced together on the curb. I’m sitting there looking going, “What the heck is that?” Somebody went through our garbage, dumped it all out, pulled all the credit card pieces, took a picture and ran before the cops came.
Fortunately, the card was already expired and they weren’t smart enough to realize that. It told me right away that I’m in a corporate park. There’s probably somebody going around that’s bored or stupid and looking to prey upon what people throw out in the garbage that they don’t shred. Credit card numbers, cut-up credit cards, Social Security, perform identity theft. After that happened, I got paranoid. I said, “We’re buying the best shredder. We’re doing this. We’re going to have a mandate and I’m going to shred everything.”
I toured a recycling facility. This was several years back. When I was walking in, it was cool seeing all the huge scales that they have, but everybody, at least in my neighborhood, has a recycling trash bin. All the recycling goes in there, paper and plastics. When it gets to the recycling plant, I saw so many pieces of intact personal mail. I’m talking from the Social Security Administration, credit card statements that have the full number on them from Chase or American Express. They’re laying all over the floor. The biggest thought I had was, “This is a cybercriminal’s heyday. They don’t have to spend the R&D thing or millions of dollars to get your info, all they have to do is walk in here because all your crap is sitting around right on the floor perfectly readable.” Even at home, buy a $99 shredder. Go to Amazon.
The same holds true about the next level of things that people don’t think about. Hard drives. Everybody’s got old computers lying around with hard drives and cameras with all the old memory sticks in them. Anything like that, a printer, fax machine, scanner, all have memory. Flash memory where our digital documents and private information still sit. People put them out at the curb free. If you’re a cybercriminal, you could drive around a neighborhood on a junk day or recycling day. It’s a ton of information that you could gain in one day that’s worth tens of thousands of dollars if you go and sell that on the dark web. If you’ve got nothing else, if you don’t have a way to shred a hard drive properly and degauss it and everything else, that’s okay, a big hammer works really well.
It can be a good stress relief too.
If it doesn’t make you feel better, use a company that you can trust. ERI is one of the biggest recyclers that handle eWaste. We recycle our batteries through that. You’re keeping things safe from a cybersecurity perspective but you’re also doing good, hopefully, for the environment. Having that nice combination makes you feel good and you’re contributing towards something but keeping yourself or your company safe.
You’re big into wireless security too. Apple released an update. There’s a stage talk that I have when I’m presenting in front of crowds of people on the difference between security and privacy because they’re two very distinct things. They can go hand in hand in some ways but they perform different functions for you. Apple released iOS 14.5. This was the whole reason, for anybody reading the news, why Apple and Facebook have been going to war with each other. I’m going to ask you to weigh in with your thoughts on this because Apple is somehow becoming huge. Maybe they got caught too many times because they were capturing Siri in plain audio and reviewing exactly what people were saying to try to make Siri better. They became more transparent about that to ask you if you want to send that data. Now with iOS 14.5, Facebook and Google hate it because you now have the choice, because Apple is making completely transparent what data these big tech companies are starting to track on you. Where do you see something like that going in the next couple of years?
It’s going to be an all-out war. By no means is Apple 100% innocent. They’ve had their hiccups with privacy, mistakes, bugs and they’ve had to address them. The good news is most of the stuff they have addressed and they’re selling, if you buy into the Apple ecosystem, you’re buying in part because of the security. You feel more secure and hopefully, your devices are more secure. That’s an important piece of the equation.
You’re talking compared to Android phones?
Contrast that with the world of advertising where Facebook, unfortunately, has done some things that I would equate to the more criminal type of activity with what they’ve shared with people and sold as far as their information, browsing habits and likes. Whereas with Apple, it’s not their core business model. It is easy for Apple to point their finger at Facebook or Google. It’s not easy now for Google or Facebook to get out of this one because if you think about it, with the growing share of the iPhone researched again, a lot of people are going to be opting out when it comes to it. They’re going to be like, “I don’t want all this collected information sold and I don’t need to be pushed all these ads from Facebook, Google and the like.”
The battle is going to rage on and on. They’re going to be counter striking against Apple, trying to make it very hard for them. The problem is once one company makes a booboo, there is a privacy breach and public trust is lost. They’ve got to all be very careful going forward because there’s a line in the sand where things are. I look at the AirTag. If you’re familiar with that, it’s a little tiny Bluetooth low-energy tag. They’re selling them for about $25 each. I start thinking about the power of what you could potentially do with that. The good news is Apple baked security into it as well. There’s some ultra-wideband that they’re using on the latest iPhone with the latest iOS, which is important. They’ve got some anti-spying or anti-stalking means in there so people can’t track other people, drop one in your kid’s bag and start following, because that could be scary.
There are some scary implications with some modifications that somebody could do if they want to take down a terrorist, use a drone with a missile strike, follow somebody and knock them out. It’s a low-cost GPS tracker. The ultra-wideband gives them accuracy to about 0.5 inch. That’s ludicrous. It’s unbelievable that they can do things like that, and that’s indoors. Amazing technology. There are going to be a lot of battles ahead between the tech giants coming out. A lot of it’s going to be predicated upon what federal laws come out, what you can and can’t do. That’s going to affect a lot of things with technology, but they’re all going to be making a lot of money off of it because we, as consumers, keep opting into this world of IoT and sensors and waiving our rights when we download apps.
The famous stat I loved that I share with everyone. “The average smartphone user has over 50 apps downloaded, most of them freebie ones. It would take you three months just to read all the terms and conditions that you’ve already agreed to.” Who read all that? Nobody did. It’s a joke. It’s written illegally. We have to realize that what we’re buying into and what we’re trading or giving away in return for playing Candy Crush or whatever game we want to play on our phones.
Jeff Bezos was hacked a couple of years ago via the WhatsApp app. To that point, the terms and conditions, and we’ll end the show with this. I don’t necessarily agree with the form of the humor, but this is what was sent to him and caused him to click on the link to where his iPhone was hacked. You remember the EULA, End User License Agreement; that’s what terms and conditions are for these apps. The joke which caused him to tap was, “The EULA is like women. At the end of the day, you just scroll through, don’t read anything and hit I agree.” That’s what caught him. That’s why he tapped on the link and got hacked. Saudi Arabia injected the code because he tapped on the link. Even Jeff Bezos was duped by social engineering and the human factor. Scott, where can we find you?
Certainly on my website, ScottSchober.com. I’m busy on Twitter, LinkedIn, Instagram and Facebook.
Thank you for bringing your expertise and also for having some fun with me.
Thanks for having me on. Greatly appreciate it. Stay safe.
Important Links:
- Berkeley Varitronics Systems
- Hacked Again
- Cybersecurity Is Everybody’s Business
- Senior Cyber
- RSA
- ScottSchober.com
- Twitter – Scott Schober
- LinkedIn – Scott Schober
- Instagram – Scott Schober
- Facebook – Scott Schober
- https://www.RSAConference.com/experts/rsac-editorial-team – RSAC – The Human Element
- https://TinyURL.com/jz9eut3r – Hacked Again
- https://TinyURL.com/2zefn8pz – Cybersecurity is Everybody’s Business
- https://TinyURL.com/mx26z66p – Senior Cyber