Cybersecurity Jobs: Understanding Account Takeovers, SIM Swaps, and Email Hacks
46 min • Dec 22, 2025
Summary
Rivka Tadjer, CEO of ZeroHack, discusses critical cybersecurity threats including account takeovers, SIM swaps, and email hacks, providing actionable prevention strategies for individuals and organizations. The episode covers identity theft prevention, secure communication practices, and career opportunities in cybersecurity, emphasizing that most breaches are preventable through proper security hygiene and understanding criminal behavior.
Insights
- Over 90% of security breaches occur due to human error with email credentials, making user behavior the weakest link in security infrastructure
- SIM swapping and account takeovers are highly preventable through simple steps like setting SIM PINs and using encrypted email, yet most users remain unaware of these protections
- Cybercrime is organized, well-funded, and operates with sophisticated tools and supercomputers—not amateur hackers—making proactive defense essential
- Financial data must be surgically separated from compromised data; using dedicated encrypted emails and credit cards unlinked to bank accounts significantly reduces breach impact
- Cybersecurity careers offer six-figure salaries with high demand, requiring skills in data analysis, criminal psychology, and accounting rather than exclusively technical expertise
Trends
- Organized cybercrime groups operating as sophisticated enterprises with specialized targeting of high-net-worth individuals and seniors
- Increased vulnerability of critical infrastructure including banking, real estate (MLS), healthcare, and government systems post-COVID
- Growing adoption of encrypted email services and VPNs as consumer awareness of privacy risks increases
- SIM swapping and telephony-based attacks becoming primary vectors for account takeover rather than direct system hacking
- Ransomware attacks followed by data storage in dark web 'junkyards' for delayed monetization (6 weeks to 3 months post-breach)
- Shift toward authenticator apps over SMS-based two-factor authentication to prevent SIM swap interception
- Increased targeting of seniors and high-net-worth individuals due to larger financial assets and lower security awareness
- Real estate and financial services sectors becoming prime targets due to concentration of sensitive personal and financial data
- Post-COVID network vulnerabilities creating persistent attack surface expansion across government and nonprofit sectors
- Career shortage in cybersecurity creating six-figure opportunities for professionals with forensic accounting and criminal psychology backgrounds
Topics
- SIM Swapping and eSIM Protection
- Email Account Takeover Prevention
- Encrypted Email Services
- VPN Configuration and Selection
- Two-Factor Authentication Methods
- Password Management and Security
- Credit Freezing and Identity Protection
- Dark Web Threat Intelligence
- Keystroke Loggers and Info Stealers
- Router Security and Wi-Fi Protection
- Apple ID and Cloud Account Security
- Biometric Security Risks While Traveling
- Ransomware and Data Breach Mitigation
- Cybersecurity Career Paths and Salaries
- Criminal Psychology and Fraud Prevention
Companies
ZeroHack
Rivka Tadjer's cybersecurity consultancy specializing in financial protection and secure communication for 10 years
Chase
Bank discussed as having particular vulnerabilities to organized crime groups targeting iPhone code architecture
Apple
Discussed regarding Apple ID security, cloud storage vulnerabilities, and biometric authentication risks
Verizon
Telecom provider breached in 2023; preset SIM PIN 0111 creates vulnerability; parent of Spectrum Mobile
AT&T
Telecom provider with major breach exposing social security numbers; preset SIM PIN 1234 creates vulnerability
T-Mobile
Telecom provider with preset SIM PIN 1111 or 0000; mentioned as target for SIM swapping attacks
Spectrum
Mobile virtual operator of Verizon with default router settings and spectrum mobile access toggle creating security r...
Google
Discussed regarding Gmail vulnerabilities, Chrome password syncing, and Google Maps location tracking in rental cars
ProtonMail
Encrypted email service recommended for financial accounts; used by Russian oligarchs; costs $3.99/month
Nord VPN
Recommended VPN service with strong privacy practices, Amsterdam-based parent company, minimal info stealers detected
Proton VPN
Sister application to ProtonMail; recommended for Switzerland but causes protocol issues in US locations
Malwarebytes
Anti-malware software discussed as limited to hard drive scanning; insufficient without VPN protection
Wells Fargo
Bank sued in December 2024 regarding Zelle scams; part of lawsuit settlement improving payment security
JP Morgan Chase
Bank sued regarding Zelle scams; part of lawsuit settlement improving payment security
Bank of America
Bank sued regarding Zelle scams; part of lawsuit settlement improving payment security
23andMe
Ancestry DNA service breached; Ashkenazi Jewish database specifically targeted; data remains in dark web junkyards
Equifax
Credit bureau breach led to credit freeze regulations allowing consumers to control credit report access
Wall Street Journal
Publication where Rivka Tadjer worked as journalist covering privacy, security, and identity theft since 1994
Meta
Parent company of WhatsApp; integration with WhatsApp compromises encryption despite Zuckerberg's claims
Signal
Encrypted messaging app recommended as alternative after WhatsApp security concerns due to Meta integration
People
Rivka Tadjer
Cybersecurity expert who worked with White House, major corporations on preventing cyber attacks and identity theft
Mirav Ozeri
Podcast host interviewing Rivka Tadjer about cybersecurity careers and threat prevention
Quotes
"If you understand criminal behavior, you will understand how not to be a victim. And you actually know more than you think you know."
Rivka Tadjer • Opening segment
"Incident response and mitigation of identity theft and breaches of your bank account will take forever, it's expensive and it's very painful and it's horrible to see. And so much of it is preventable."
Rivka Tadjer • Opening and closing
"Over 90% no exaggeration happens by human error with their email credential."
Rivka Tadjer • Mid-episode
"You need a system where you control things, where all the locks are yours to put on and take off. Like freezing your credit reports."
Rivka Tadjer • Password security segment
"The cyber criminals is what you should be worried about. It's organized crime. It's not a 40-year-old guy in his bathrobe still living with his mother."
Rivka Tadjer • Criminal behavior discussion
Full Transcript
If you understand criminal behavior, you will understand how not to be a victim. And you actually know more than you think you know. I promise you, incident response and mitigation of identity theft and breaches of your bank account will take forever, it's expensive and it's very painful and it's horrible to see. And so much of it is preventable. Hi, welcome back to How Much Can I Make? I'm your host, Mirav Ozeri, and today we're stepping into the high-stake world of cybersecurity. Our guest is Rivka Tadjer, CEO and co-founder of ZeroHack. Rivka is a top cybersecurity expert who worked with the White House, major corporations and private individuals to prevent cyber attacks and identity theft. Let's step into her expertise and find out what we can and should do to protect ourselves in this digital world. Well, Rivka, thanks a lot for willing to participate and giving us your time. I have millions of questions, of course, because that totally concerns me, security. I was hacked. So let's start by first telling me, how did you get into doing cybersecurity? So first of all, thank you for having me on. And well, I started as a journalist in the late 80s, early 90s. I was on the team with the Wall Street Journal, who put the Wall Street Journal online in what we call the OJ Years, 1994. And then I was covering privacy security, identity theft, as well as AI, machine learning, data mining and supply chains. Already in 94, you were dealing with AI? Well, AI, a lot of what is called AI now is machine learning. So that was the beginnings in data mining and putting those systems together. Didn't know that. Okay, so now you're an independent contractor, right? That deals with security. Tell us what you do. So we're actually going to celebrate our 10th anniversary next month of our consultancy. What we do is we protect people specializing in financial protection and secure communication. Okay, what does it mean, financial protection? 
Protecting the cyber equivalent of putting your banks and brokerage in witness protection. So I also worked in fintech in banking, and I was on the White House National Infrastructure Advisory Council for Critical Infrastructure in the banking industry, appointed by Obama, but worked through Trump administration. So I have specialty in how payments and banking work. And I covered it a lot as a journalist. Then I moved to work for fintech and banking companies. So what we do is we investigate. Here you are, right? Mirav, you have email addresses. You've been online since we all got this Steve Jobs remote control of our planet in 2008, right? Everything was free for email, free this, you can get everything. And so we ran for convenience. And those email addresses and the telephony side of your phone, which I'll get into, are wide open doors. Everyone's heard about the term phishing. If they hack into your email and can impersonate you, that's called an account takeover. And then thanks to AT&T and Verizon last year, the breach of all of our data and social security numbers, I can be mirrored. So what we do is we use cyber threat intel systems that are closed systems. We look anonymously in threat intel systems to see what of yours has been exposed. Can someone take your phone and forward authentication codes to another phone? Can someone be you with your email address and what kinds of cyber criminal groups are targeting you? So first we do that. I'm a data-driven person. So first I get the data. And we need scary little to find this out. Literally your name, middle name helps if you have a common name, birth date, legal address, your IP addresses, phone number and your email addresses. And that's it. And I never look at anyone's financial balance. I don't look at sensitive information and we can see if your social security number has been texted to someone else. But essentially you have to get the data and see where the vulnerabilities are. 
And if they are into your email or your phone or your systems, how they got in. Once we know how they got in, we can kick them out. And one of the most important, that's the service part. If somebody has your social security number, they can't do anything with it or that they can't access your banks and brokerage because we've created a new identity for you with those. Because once data is breached out there, the toothpaste is out of the tube. You are never putting that back. So sometimes it's a pain in the neck. I might tell you, you know that Gmail you've had for 100 years? You've got to get rid of it now. Okay. And then you have to migrate it. You have to move your contacts. But you need encrypted secure email for your bank and brokerage that never sees the light of day that you never use for anything else. How can I get encrypted email? You can go to proton.me in Switzerland and get a ProtonMail. Russian oligarchs use it to protect their Swiss bank accounts. And now so can you for $3.99 a month. Think about it, ProtonMail for protecting Swiss bank accounts. Do you think somebody's using a Gmail to protect a Swiss bank account? No. Actually, if somebody tries to crack your password, the whole inbox turns to some pig Latin version of Cyrillic, even for you if you lose it. Okay. It's designed to protect. Other thing that you can do, depending on where your email is hosted is things like SpamAssassin, these little add-ons that you can put on that really don't allow things into your server, especially if you're using a Gmail and you haven't gotten an encrypted secure email. Encrypted secure email will throw that stuff and it won't even let it on your server. It's like a big gunk air filter. Every infiltration and the new IBM research reports and the new Verizon reports, read those yearly. You can download them. FBI, ICS unit, the internet crimes unit, read their reports. Over 90% no exaggeration happens by human error with their email credential. 
I want to double check something. If my email, my broker, if I delete it and delete the trash, I'm safe. They inform it. No. No. Yahoo! They store all that crap on a server that they've long abandoned. If you didn't change over to Outlook mail and get encrypted mail and Outlook, they do offer encrypted email servers or your Hotmail or that Prodigy thing that AT&T owns. Anyone with one of those Yahoo! accounts that became a Prodigy account, that is all subject to the AT&T breach. So hold on a second. If I communicate on WhatsApp, WhatsApp is encrypted. No, it's not. Zuckerberg bought it. And now everything Meta is integrated into it. That's why the whole world moved to Signal. Signal. Yeah. So now, and when that goes to hell, I can come back and tell you what's new. The cyber criminals is what you should be worried about. It's organized crime. It's not a 40-year-old guy in his bathrobe still living with his mother. These are well-funded. They have the best hackers in the world, and they have supercomputers. They can run everything about you in social media and in 10 seconds, know the password to your email if you have not protected it. This is very, very sophisticated. So what you're looking at is the cyber criminals and protecting yourself from those criminal gangs. And usually they don't have ideology. They just path of least resistance. Where can I break in and get money? How can I assume someone's identity? There are six attack surfaces. These are the high-risk behaviors. Crypto, activism, ancestry sites get off of them all right now. Porn, gaming, and dating sites. There are ways to do all of these safely except for ancestry. And it's a shame because when 23andMe was breached, and they only stole a database of Ashkenazi Jews. Really? Yep. So why do they do that? It could be someone who wants to sell to Pfizer a database so that they can make a drug to prevent Tay-Sachs disease. Or it could be someone who hates Ashkenazi Jews. 
It could be anything on that spectrum. Class action suit, and now 23andMe is gone. But the data's not gone, and it's in junkyards somewhere. And it's a shame because something like 23andMe, so many people, if they were adopted because it was medical based. Right, right. But it's a magnet for hackers because they know there's all kinds of data in there. The other place is to be super careful. You're getting a divorce. What's not in a separation agreement? Be careful how you communicate to your lawyer. Not only do you know how everything's divided, you know who got what and where it is. So think, you got to learn to think like a criminal. And accountants, forensic accounting, they're so good at this. Some of my best sources that I brainstorm with are forensic accountants. They get this immediately once they tune into it. Because they know how money flows. And the more you know about money flow, about accounting, real estate lawyers are great at this. I have some great sources that I use who are realtors because they know when something looks weird in MLS, and MLS was hacked in 2023. Wow. Okay, so if you've ever bought a house, or sold a house, or rented a house, do you know what is stored in an average real estate office printer? In the printer it's stored. In the printer. Because they're like, oh, I have to print out this person's whole financial picture. They sent me proof of income. And it's stored? It's stored? Look at network printers and see how often they're cleared. Medical people know the confluence of data and have great aptitude for this. Okay, and now with telemedicine there, all of that, that's why they keep getting breached. There's juicy information that goes on for years to social engineer people. What is this dark web? Can you actually see what's there? It's like a mall. Of course you can see it. So can I go in and see if my information is in there? Well, you don't want to be noticed in there. 
You want to go in anonymously or posing as a fraudster buying stuff because you'll be seen a mile away. You need to be anonymous to go do it and watch what they're doing to do it. Do you do that? Yeah, of course. That's what threat intel systems do. And we use one that's mirrored the infrastructure of the dark web. It's amazing. Oh my God. So we can watch what they're doing and you query it in many languages. You literally see people there buying and selling information? Well, you see, yes, there are trajectories where you can see, sometimes you can place them by longitude and latitude, trading data. Oh my God. I mean, it's not a little avatar guy, but it's their identity. Wow. The problem with this crime is that it pays and there's only 0.05% of the time that anyone's ever caught because you don't have to be seen. So you said secure password. How can I secure my password? Well, first of all, never ever use an automated, auto-generated password. Two reasons why. Whoever is offering to auto-generate your password is keeping a database of those passwords. Even the very complicated, very long password. It's AI. AI is not good at implementing ideas or being creative, but if it's out there, they can grab it. The other thing is it's a hacker's dream. So let's say you have automated passwords generated in a password manager. Those are stored in a place because you can't have everybody with the same passwords, right? So if they get to that attack surface and they say, oh, who has accounts here? Great. Let's go get the, that's the first thing they'll go for. Let's go get the database of the auto-generated passwords, run it against the accounts and see where we get in. You need a system where you control things, where all the locks are yours to put on and take off. Like freezing your credit reports. Once Equifax was hacked, people in my industry, we lobbied, it became rule that you get to freeze your credit report. Right, I did that. Yeah. Right. 
And people are like, well, I don't have an account there. I was like, great. Well, they have that dossier on you for 50 years. So you create that online experience so you control whether it's frozen or not. You want to go for apply for a loan. You say, which one are you looking at? And you only unlock that one 24 hours before. You let them do it and then you lock it back up. And the most important thing about security is don't tell someone what you're doing. Misinformation is a good thing. What do you mean by that? When you create a new persona for your banks and brokerage and you have an encrypted email, you have two-factor authentication, you have good user ID and password, you have excellent hygiene when you do online banking and where you do your online banking and how you delete your browsing data and how you sign out instead of xing out your habits, how you call your bank and brokerage and say, no wires ever go out of my account unless I'm in branch. Hold on a second. You said something important. Deleting your browsing history, you said? Absolutely. On a daily basis? Absolutely. When you can visualize how cyber criminals see what you're doing, then you really tune in to these principles and then you just apply the principles in your life once you click into it. And people tell me all the time, this is the era of the kids. I'm not good at this. I disagree. I work with seniors, a lot of seniors mostly because they're hard to protect and they have a lot to lose and they're main targets. Actually, they're much better at this than my 24-year-old daughter because you know crime and you know criminals and you know criminal minds, but you have to know what they're seeing and how they follow you. You have to know what a keystroke logger is. That's everywhere you browse on the internet. Little pieces of malware in that beautiful little Gmail of yours or Yahoo or Hotmail or any free mail AOL that sells your email to advertisers. What is a keystroke logger? 
Exactly what it sounds like. It logs your keystrokes. It's an info stealer and you have to find out in all of your settings whether there's anything on there. On a PC, you go to your task manager, in your Apple computer, you go to the activity monitor and look at all the crap running in the background in your computer. If you see anything in Chinese or Russian, you call me. But if you see the words Zendesk, M-Spy, or numbers with KK.tex, those are info stealers. What browser is the best one to use? It doesn't matter. They're all the same. It's how you set them up that matters. You set them up for zero trust. What do you think that Google and Microsoft and Apple and Firefox are doing with all that data if you don't set it? How do you think they sell advertising? They gather your analytics and they sell it to each other. But how can I set it so they don't do it? It's all in settings. This is what I encourage people to do. Log on to any app that you use and click on that stupid little gear shift or the three dots or the three lines and go through every single setting in there. And anything that looks like, share my data, give analytics, personalize, turn it off. Anything that says remember me, say no. You do not want AI to grab this information and sell it off into the dark web. The more information they have about you and if you've ever been hacked, you're worth more on the dark web. You go from being worth that 50 cents to marketers to being worth thousands. And the other thing to remember that's super important is everybody looks at their phone, they're like, I either have a droid or an apple. Apple will say, nobody can bust our architecture. I was like, who cares? Nobody, you don't have the secret sauce to Coca-Cola on your computer. That's not what I want. I want the telephony side. Your phone is Verizon or AT&T or T-Mobile. Apple is in the cloud. How are you protecting that Apple ID? With the Gmail? All right. 
If I go and hijack your Apple ID, all right, and I change the phone number and I change the email address and I lock you out. I have everything in your cloud. I have the credit card you have to store apps. You call Apple even with a serial number or an IMEI number on your phone and they will not help you. So it doesn't matter what the architecture is. Everything we do is online and in the cloud and you have to have the same mantra of protection. You have to protect the credentials that guard the accounts and then you'll be safe. So for example, people put credit card in Apple wallet. Is that safe? It's as safe as how you guard your account. Look, I am not willing to go live in the woods with a shotgun on my porch and a roll of bills under my mattress. Some people are, but I live in this world and I love to shop and do everything else. You have to protect the SIM, which is the telephony side of your phone so that no one can take those authorization codes to your bank and forward them somewhere else and no phone company will ever tell you the piece of advice I'm going to give you right now. You have to protect your Apple ID by not allowing remote access to it and you have to have a VPN on your phone and you have to secure encrypted emails for any account that you have that does payments. And then you take your Gmail address and you leave your, what I call your trash persona out there. Let them pick at that until it's just bone because it's already out there. You surgically remove what is financial from your breach data that's out there. You put it under lock and key where it's not going to be sold and that's how you protect yourself. I have malware on my computer. That doesn't give me really any security except for virus, right? No, no, anti-malware. You mean Malwarebytes or something like that? Yes. Okay, so this is a very interesting point. You need a VPN with that. So what Malwarebytes does is it looks on your hard drive. 
Are there viruses or is there malware on your hard drive? Okay. What a VPN does, it does two jobs. One, it monitors your network traffic. The VPN, the mothership, it monitors for keystroke loggers, viruses, malware, ad trackers that track you and then sell all your data. VPNs are very powerful now. It used to be for enterprises. You can click on ad and tracking blocking. You can click on anti-malware. That is not something Malwarebytes can do. What that mothership does in a VPN is it prevents you from downloading anything bad. Most malware and stuff either comes through your email that Google sells and promotion people can say, they have to read it before they delete it and reading it can load the malware or they have to read it. They have to click on it three times or some crap. So it stays in your computer, but it also will quarantine any PDF or virus filled. Okay. And so you can look at it. It keeps it on a server. The other part of a VPN that you embed in your browser and in extension masks your IP address. Is there a particular VPN because I looked into it once when I got the paranoid hour and there are so many to choose from. How do I know what? It's a good question. So I just want to preface this by saying I take no referral money, affiliate money, anyone from anyone I recommend or say is bad because I have to stay clean. Yes, of course. Okay. Right now we like Nord VPN. We like Nord VPN for several reasons. When we look it up on our threat intel systems, we don't see info stealers on their domain. We don't see a lot of employee addresses that have account takeover. Okay. Whatever is an employee with, you know, they're looking for that access to those accounts. We see very, very few. Their parent company is based in Amsterdam, probably protecting the De Beers. Okay. Right. Remember, the people who really have the most money in the world are not talking about it. Okay. So Europe's privacy laws are way more developed than ours are. They're stronger. 
So this type of application grew up in an environment where it's very, very careful. If you keep it updated, they're constantly studying the mutations of malware and then bringing the inoculation. One thing to remember about a VPN is definitely there's a lot of good ones out there, but test your internet speed with or without it. One of the things we like about Nord is it doesn't degrade internet speed. Okay. So sometimes like Proton has a very good sister application. It's a great VPN if you live in Switzerland, but it's protocols here. Your zones will freeze. You'll turn it off. It will drive you crazy. So that's a big configuration. It's overwhelming. It is. It's like taking a sip from a fire hose, but the best thing to do is not to think of it all at once. The first thing I do in a house, go change the Wi-Fi password on your router. Okay. Many, many companies that provide your Wi-Fi service on that router. Right. Spectrum provides my... Okay. So my entire neighborhood, the first two words of the password that's like imprinted on the router is the same for everybody. Okay. I'm smart enough and I shoulder surf on Wi-Fi. All I have to do is run algorithms against the last three numbers. I go anywhere and I can look up Wi-Fi in your neighborhood and most people have not even changed the name from Spectrum Setup F8. Okay. Oh, you have to change that too? You can and you should change that router password to something Spectrum doesn't know. Not because Spectrum is evil, but Spectrum is a mobile virtual operator of Verizon. Verizon was breached last year. Okay. What's the first thing that they're going to do if they break into Spectrum? Let's go see all the passwords that they have stored, run them against their list of accounts and see where we can hop in and go take stuff. So you've got to reduce your attack surfaces and you have to think like you're your own personal corporation and who your third party risk is. 
That's the first thing you do and you start here because your IP address on every little device is mapped to where you live. Right. Okay. So it's home invasion. It's protection against home invasion, that router password and name. But you know what? I was hacked through Chase. You know how they have double identification? They never called me or anything. Somebody got in the back door. Somebody turned it off. Right. And they took everything I had. The bank gave it back to me because I... Was it a credit card or a bank account? Bank account. Did they wire it? They changed my address on my statements. Did they change your account number? No, they didn't change. Bad. Bad. They're going to get a call from me tomorrow. That's very bad. Chase has particular vulnerabilities to certain organized crime groups that I will not mention on this because we need to protect Chase that are particularly good at the code that iPhones are written in. And after the AT&T breach, the reason you never got the code is because if you had not protected your SIM card or your eSIM on your phone, SIM swapping is where they help themselves to that account, probably took your SIM forward that number to somewhere else. And they got the authorize subject. How can I protect my SIM? Okay, you ready? Yeah. All right. Take out your phone and go to settings. Okay. This is what you want to do, folks. All right. If you're on an iPhone, you want to go into settings, that little gray gear that you're going to get really familiar with. You're going to click on cellular data. You're going to scroll down until you see SIM. If you have an iPhone 15 or later, you can put a pin even on an eSIM. Okay? You're going to click on that management of pin. Oh, SIM pin. Yeah, you're going to toggle it on. Right. Now, get this. In their infinite wisdom, AT&T and Verizon and therefore Spectrum, the preset pin in your phone is 0111. Oh, okay. T-Mobile's 1234. Okay. Google Pixel is 1111 or 0000. 
There is not a fraudster on the planet that doesn't know this. Okay? Has anyone ever put in your statement that maybe you should go ahead and put this pin on? No, never. Okay. So you're going to enter your current pin? So it would be 1111. Right. Okay. Hit done. Yeah. Okay. Now, does it say change pin? Yes. Click change pin. Change pin. Put in again the current pin. 1111. Hit done. Does it say new pin? Yes. Okay. Here's the drill. Don't put anyone your pin. And by the way, if anybody in security ever asks you for a bank balance or pin number, show them the door. Security is like a secret. Only one person can keep it. Okay? Write this pin number down somewhere. Do not make it your cat's birthday, your birthday, your favorite lucky numbers. Okay? None of that. Random, random, random. Look around a room. Look at the clock. Look at a thermostat. Random that can't be socially engineered. Put that darn thing on a sticky note. Put it in your sock drawer. Stick it on the butter dish in your fridge because you will be going into AT&T or T-Mobile or Spectrum to unlock it if you lose it. So it shouldn't be the same pin that I use for the phone? No. No two pins should ever be the same. Okay? And if you don't want to put in an encrypted password manager, you get yourself an address book that's alphabetized. Okay? And create redundancies. And if you keep it on a spreadsheet, you password protect that. You don't keep it in the cloud. So you're going to pick a new pin that has four numbers, write it down, and don't show it to anyone. Done. Okay. This alone has prevented what we call SIM swapping. So that authorization code that you never got because someone else did can't happen anymore. Oh, there was SIM swapping? I'm guessing. Wow. I mean, I'd have to look up your data, but if there was authorization code. Yeah, because they always ask double identification. Right. So that means, so now, is this fail safe? No. 
So we have to log into her Spectrum account, change the email address you store on that account to a nice encrypted email address. And there are more than Proton. PC Magazine has a great top 10 list of encrypted secure emails, different uses, business people, you know, it depends on what you do. Log out once you put in that encrypted email, log back in, then add your two-factor authentication, change your password. And if any account where you store payment or make monthly payments allows you to have a user ID that is not your email address, change it and make it random. No special interest. No cute, um, you know, art figures, no, no constellations. You like nothing to do with you. Look around the room, pick random things. All right. And make sure that when it says, remember me, you do not because all that information stored in your browser, all you need is one little info stealer in there. And all of that is theirs. But people forget that their phone is actually the telephony side. And by the way, if you have a droid, just click on settings, go to the search bar and type in SIM. Same with Google Pixel phone users. Okay. And then the steps are the same from there. And if you get locked out, if it says one more try and you're locked out, don't do it. Go to the store where you pay for the telephony side and do it there. It could mean a couple of things. It could mean outdated software. It could be someone snorkeling around your phone in your, your, um, account already. Okay. But if you were about to get locked out, do not attempt it. You will hate me and this podcast forever, um, because your phone won't work and your texts won't work if you get locked out of your SIM. Right. You have to remember the code. Once you remember the code, you're good. Once you change your PIN, here's the two times that you'll need it. Okay. If you turn off your phone all the way and then turn it back on, it will say SIM PIN locked.
You'll put in the password to your phone and then it will prompt you to enter that SIM PIN. The time you're going to need to enter that SIM PIN is after your iOS updates or your Samsung, you know, whatever operating system or on other phones. Once it does an update, it will prompt you to have it. Now I saw a documentary on HBO about cybersecurity and they recommend to turn off the phone every few days because there are people out there that can get into your phone even when you are on the street. That's absolutely true. And it depends if you're being targeted and by whom you're being targeted. That's absolutely true. So get yourself a Faraday pouch. What is a Faraday pouch? And don't skimp on it. Get that technology. What is it? Named after John Faraday, it blocks out all electrical impulses. Okay. So if your phone is off and in a Faraday pouch, it's endless. What we have to do. But when you travel through airports, throw it in that Faraday pouch. Now you told me a while ago that when I'm in airport to turn off Bluetooth. Yes. So here's an AirDrop if you have an iPhone. So here's why. Bluetooth and AirDrop are close proximity theft mechanisms. It's a backdoor into your phone. So let's say you've changed your SIM PIN and you've protected your Apple ID and you have a VPN on, but your AirDrop, Bluetooth, location services are all on. Backdoor. So with Bluetooth, I have to be near you to grab it. But it works just like if you've ever AirDropped something. Here's the password. So people and by airports, I also mean Panera and Starbucks. It's just airports are yummy and juicy because people have money to fly, have more money than people who don't have money to fly. So they just like it and you're on public Wi-Fi all the time and it's just a good environment. But somebody's sitting outside of that Panera parking lot or in that cafe and anyone who's vulnerable, they're just looking for them. When I'm in the city, all of a sudden I see that I'm on Verizon Wi-Fi.
Should I get off of it? Yeah. Make it your option. You don't want anything to just move your phone onto something. It's like on Spectrum routers. There's a little setting that's actually, if you log into your account online and go into a send, you won't find it as easily in the app and you log in, it's actually under security. It's actually under security shield. But right next to security shield, there's a little toggle switch and that toggle switch is Spectrum mobile access. That means that anyone with a Spectrum mobile phone can bypass a lot of your security and log on. Oh my God. So that they can gather data analytics. Okay. So this is a marketer for a long time of who has a Spectrum phone in the area. All right. They cluster neighborhoods with IP addresses. They're doing data analysis all the time and some of it's for good purposes like outages. You got to turn that thing off and no one's ever going to tell you and its default is on. So if you enter the city and this default thing is that you're on a Verizon Wi-Fi backbone, don't you have 5G and four bars, turn on your VPN and use it that way. Any Wi-Fi that just automatically happens because you have an account, you want to go into settings and control it. You do not want it to be automated. Is Zelle and PayPal and Venmo all of this, are those secure? Okay. So Zelle is very secure now, but I'm again the mantra. It is secure as how you have protected your bank account. So when Zelle was sued, when Wells Fargo and JPMorgan Chase and Bank of America were sued because of the Zelle scams, okay, in December 2024, that lawsuit was dropped. But part of what they did to make it safer is there's no more Zelle app. So you are putting in someone's phone number or an email address to send them Zelle money and it's going bank to bank and it's not a wire. It's protected under EFTA, Electric Fund Transfer Law.
So it's much more protected unless you're using a Gmail address for your Bank of America account and maybe two-factor authentication to a phone that doesn't have a SIM PIN and a crappy password and a user ID that's your favorite pet of all time. All right? So it's a secure and you should not have it sent to email. When you put that nice secure encrypted email on your bank, you don't use that for Zelle. Nobody knows about that except the bank of record. So you- Oh my God. But Zelle is fine and also PayPal and Venmo if you secure that account. Here's my thought about all of these things. The credit card that's in your Apple ID that you buy apps with, the card that you set up for PayPal if you're using a card, the credit card that you keep on record for things like Apple Pay and your Apple ID should be a credit card where you do not have a checking account or brokerage because a fraudster loves nothing more than when they go in and you're like, oh, that's a Citibank card and they have Citi checking, they have Citi brokerage and off they go to try and get into that account because if they can impersonate you and log in, they have everything. So when you're online, it's the opposite of what we're raised. Go get one of those pre-approved card offers of yours. Do not have the credit card that you store for payments for highly targeted things. Have anything to do with your bank and brokerage. You see the pattern here. I have a credit card like this. I'm going to do that. That's what you do. And when you travel, that's the one you bring. Oh, really? Do not travel with a credit card that's also tied to your brokerage account and try not to check bank balances and all that when you're traveling on vacation. And I mentioned this because it's summer now. Why, yeah, right. But why traveling, is it more, am I more vulnerable when I travel? Because everything you do, yes. Everything you do is public. You're going from an airport or a train or whatever that's public Wi-Fi.
You're going to a hotel, another great target. Okay? Sitting on a hotel lobby, have a drink, pick out the hacker. Everybody's on public things all the time. All right? Everyone has their geo location on. The other thing is, here's mantra. Post your pictures of Notre Dame when you're already at the Eiffel Tower. Don't do it in real time. Okay? Don't. Why? Because you can turn a cyber attack into actual burglary and take off your biometrics. You know, when you're sitting here at home and you have your face ID that gets you in your fingers, I don't want someone punching you, putting your face up and taking your phone in. It happens all the time. Yeah. I took it from all the financial, but it opens the phone. Okay. So that's bad when you travel or when you're in the city. Don't. You know, if you're in a rural environment and a low risk environment, it's fine, especially at home for your convenience. And older people who are going to nice hotels, there's nothing a hacker and fraudster loves more is like, let's follow them from the airport. They're dressed well. They look nice. They just checked into a four star or five star. Yay. Let's go get them. Let's go see what apps they have open. Let's go see how much they're protected. And you can call Apple and they're like, they can't break into their architecture, but they don't care about your architecture. They care about what you have going on in the cloud. Okay. They just want to know where you bank and if they can crack open that Apple ID, you know, and understand that you can be watched when you don't think so. What is the biggest cyber attack you worked on? I can't name things. No, not the name the company. Two things. So in the White House and the National Infrastructure Advisory Council, we do look critical infrastructure. Okay. Okay. So there were things that we looked in there like the grid and transportation and things like that. Large nonprofit that was breached really badly.
So all the donors information, all the donors information was taken and. Yeah. They love donor information. And when you make a donation, please just go to the website, do it there. Don't use the apps. Don't do links. Even if you're a long standing member, never use GoFundMe. You know, even WHO and the Red Cross were cloned during COVID. If you think a ransomware attack is not stealing personal data, you need to watch more gangster movies. They kill the guy and they store him in a junkyard and they go offshore for months until things lay low. There are literally junkyards in the dark web. They're called junkyards. If they steal a lot of data after a ransomware attack, they store it somewhere and they go lay low. And then six weeks to three months later, boom, you're going to see it. And threat intel systems, you can see this stuff happening. The law and its mechanisms are just a little behind the criminals at this point. What's the most common hacking you see for private people? Not big organizations. Email. Email account takeover. So they take over the email and then what? About 1% starts with an email account takeover. And then I go look for all your accounts with that email and I'm just you. Hi, I forgot my password. Reset. Okay. I just have the emails that I can just impersonate you. Email and spoofing on the phone. What is spoofing? That's what you just worked very hard to change. Changing the eSIM. Right. Where the authorization code is forwarded to another phone from SIM swapping. Just swapping out for another SIM. So that's a common thing? Very very common. Oh my God. And that's why the move you'll see in secure environments they use an authenticator app instead of text to your phone because an authenticator app does not use SIM technology. Also while traveling when you rent a car and it's like great plug in Google Maps, delete your profile when you get out of that car.
Because if I hop into your account, when was the last time you logged out of a Gmail or Yahoo you just open your computer and there you are isn't it? Is that fun? I've seen people go from their Google Maps into their Google account and then they're off to the races. Don't leave that stored in a rent-a-car. You'll notice that if you download Google Chrome and open up settings, here's a little test, okay after two minutes on your computer with Safari, all of your passwords stored in Safari are magically going to appear in Chrome because they'll make a handshake unless you turn it all off. Export those things out of the browser. That's a public space. It's prevention is what you want. You know it's really funny, in this culture black cats are considered bad luck. This is totally misunderstanding the black cat. Why you have a black cat? You go into ancient cultures, the black cat is good luck. Why is that? Because if a black cat crosses your path, it warns you that bad luck is coming. Warnings are good. So it's very interesting in Japan when I was in Tokyo, I thought it was so cute. Every security firm's logo, whether it's physical or cyber, is all a black cat. So think like that. You want to be warned and then go look and shore yourself up because I promise you incident response and mitigation of identity theft and breaches of your bank account will take forever. It's expensive and it's very painful and it's horrible to see. And so much of it is preventable. So much of it. Mostly via email you said. Yes, and your phone. But in order to steal my identity, they need my Social Security. It's not stored on my phone. There's 200 million of them out there, thanks to AT&T and Verizon last year. Okay, let's talk about money. If somebody just starts in the cyber crime prevention business, how much money can they make? So it would depend on your education like anything.
If you come into a threat intel company and you just want to get your foot in the door, you haven't studied any of this in college, life doesn't end after college, who the heck cares? Get in there in some way. In whatever department and then learn. So then you're looking at probably lower end entry level salaries that are probably between 30 and 50 depending on the company and depending on your thing. If you have a law degree and you want to take a left, lawyers are very useful because they know how to use threat intel data on both sides. It's on the prosecution and defense. Anyone who took accounting, be great at this. Get extra fraud certificates and then you're in six figures. Wow. It's a six figure industry because there's a shortage of people who know how to do these things and you don't have to look twice to see the need. The need will always be there. What kind of skill do you need to have in order to be a good cybersecurity person? You need to be a good data analyst. So you can take data analytics too. What does the data mean? How do you map it? How do you see the matrix? That definitely ends psychology, criminal psychology. Yeah, you said that. Go get a criminal justice degree and learn how criminals behave because there is no physical crime that happens anymore without intel. This is a lot to know. I mean my head is blowing up already. Well I've also been doing it for many, many years. So what is very important is you study banking and payments. I worked in both of those fields. Study how money moves. And it's fascinating. It's super fun if you're interested in research and stuff. It's really fun. And then how it dovetails with the criminal mind. Learn about white collar crime. Learn about the psychology of deviance. Take psychology, take sociology, take pathology, accounting, and your cybersecurity and know how things work. Not just not to click on something. So you take those things but you focus really on the human behavior part.
If you understand criminal behavior you will understand how not to be a victim. And you actually know more than you think you know. You don't have to be math oriented as much as you think. A very good like investigative reporting is very good to study as well. Because there aren't a lot of people who do it. It's a great field. It's completely understaffed and there's a lot of employment in it. So you don't really need to have a tech background. It's very good to have a tech background. It's good. And hands on tech. Okay. So you need to know how to code also? Coding is very easy. So when you learn threat intel systems you will have to learn some coding languages. There are also some great tools where you can go and learn to be an analyst and take these online quizzes like here's a malware thing, here's the problem, and you can work it out on these little modules. Learn what malware is and how it works. I hear that seniors in particular are vulnerable to attacks. Why is that? When you are below the age, this is why seniors are in danger. When you are below the age to collect Social Security or when your IRA is locked up, right? Like you have to have a penalty and all the banks protect it and there's a lot of things and there's forms to fill out and all that. All that gets taken down when you're 59 and a half. You can just go remove money like it's a checking account. Easier to hack into when people collect Social Security. That's why there's so much emphasis on Social Security fraud. This is what happened during COVID is people use those numbers to go collect unemployment or to divert Social Security. Then you have retirees, people who are over 60 have more money than people who are 20. If you have your mortgage paid off, you're more vulnerable. Yeah, because they can take your property. Yeah, I heard that. Totally. But there's things that you can do from all of it. The vigilance there and the senior attacks really make me mad. 
We focus a lot of our business on making sure that doesn't happen. Then they sit around waiting for trusts and wills and financial transfers. Those are important to put in place. Most of the stuff that you deal with, is it preventing hacking or is it repairing? Well, unfortunately, we get a lot of incident response and mitigation, which is really painful and expensive. People have been on their phones since 2008 and have never gone through what we call Breach Day to Cleanup. We highly advise it. We do run cyber crime boot camps at theaters and synagogues and other places to show people what they need to do and if they need our help, we help them. Because if you don't prevent now, it's kind of inevitable. COVID overworked a lot of networks. So the IRS. What do you mean by that? So when we were all in COVID and everybody's online all the time. There were vulnerabilities and the hackers got a lot more sophisticated and the systems were burdened. So the IRS had breaches, the MLS system in real estate, the DMV, even WHO and the Red Cross were cloned because it's just so much traffic and there were opportunists. So those things and you coupled with huge telephony breaches from AT&T and Verizon last year. There's a lot of stuff out there and whatever your politics are, I would highly recommend watching the 60 Minutes segment on cyber crime and the dark web that aired in May last month. It explains a lot about cyber criminals. And you can also go to my website at zero hack secure.com and hit play on the short video that explains it. Rivka, thank you so much. This is a wealth of information. I have to listen to the whole thing again because I got a headache from all the vulnerability I'm exposed to. But it's an exciting field and it's there's a lot of opportunity. Okay, that's a wrap for today. If you have a comment or question or would like us to cover a certain job, please let us know. Visit our website at how much can I make that info. We would love to hear from you.
And on your way out, don't forget to subscribe and share this episode with anyone who is curious about their next job. See you next time.