Listen up, fellow business owners and leaders. Your access to your company’s money and information makes you a target for identity theft. CEOs can be targeted because of their position of power, finance teams can be targeted for their access to financials, HR leaders can be targeted for their access to employee data, PMs can be targeted for their access to proprietary algorithms…the list goes on.
This isn’t meant to instill fear but more to bring to light the importance of taking the proper precautionary measures. Trust us – we were targeted and had we NOT been prepared, it could have spelled trouble for our business and the businesses that we serve. Now we’re sharing with you how you can keep your business secure in the digital world. Learn how to spot the warning signs, what saved us from compromising data, and what resources helped after the hack.
Watch the video, or keep reading. Oh also – towards the end I briefly discuss tips for keeping cryptocurrency secure. Here’s the guide for hot storage and cold storage that I reference. And contact us if you have any questions — we’re happy to chat about them.
Kenji Kuramoto: The topic today is identity theft. And we think about it typically individually, when our identity gets taken. Probably a lot of us have gone through that. But we don’t often think about, too, the impact it may have on our businesses. When you’re either a key executive, an owner, or an accounting or finance team member, is where we’re seeing a lot of this. So, with all that, wanted to go ahead and get the story started. A lot of your expertise, Matthew, comes from what happened to you. So, on Sunday, July the 15th you and I were on a phone call. What happened?
Matthew May: So, I’m talking to Kenji on the phone, and the phone drops. I call back and it says, “No service,” which is kind of weird… I go upstairs to check my wife’s phone. And hers is fine, and I think that’s weird, because I have no service and she has full service. Then I started checking the kids’ phones, and their phones were fine, and they’re all on the same service, so something’s off. I go back downstairs, and I’m messing with the apps on my phone, seeing if something else works, and one of the apps says, “You have to log in through Gmail.” So, I try to log in, and it says, “Your password’s incorrect.”
KK: So now it’s getting a little bit… Getting spooked yet?
MM: So I go log on to my computer, and I go straight to that Gmail account, which is my personal Gmail account, and the last six messages are “Password’s been changed.” So something’s wrong. Then I go upstairs and get my son’s phone. I think I called you at that point.
KK: I remember, when we were talking, we were clear at this point it’s no longer an error, it is an identity theft. Which, again, most of us have probably experienced. I think we typically see them in credit cards, things like that. I think all of us have had to swap credit cards, because there’s been fraudulent activity and some form of identity theft.
MM: So I’m calling the fraud center at AT&T. We locked the guy out of my phone. So I’m locked out, he’s locked out. Luckily for me I didn’t have my work emails associated with my AT&T account. Because they were able to breach my AT&T account immediately, and see everything in my AT&T account, which was two personal email addresses. So I get into Gmail, the one email that was compromised with my personal Gmail, and I get them kicked out of that. I get logged in and I looked at the history in Google. Within ten minutes of changing my cell phone number, they were in. They had changed the password to my personal email, and they had done web searches on two client names of mine, the word “password,” the word “1Pass,” all of the cryptocurrency exchanges, so they had searched for Gemini, Coinbase, anything. So they were looking for passwords, they were looking for account information, and they were looking for anything related to two of my particular high-profile clients.
KK: I know we were both kind of freaked out in particular knowing, “You have specifically been targeted.” It wasn’t just like, “Oh, I was part of one large group of people who got their identity stolen.” This was a very, very specific, conscious choice to go after you and look for any place where you may have access to these crypto exchanges, these clients. We mentioned earlier that we work with a lot of entrepreneurs. Matthew in particular works for a lot of cryptocurrency clients. So, there’s some interesting dynamics around that from a fiduciary standpoint. And I guess to kind of rewind on all this, or just kind of maybe high level, what we ended up finding out was this was kind of referred to as a “SIM swap attack.”
MM: In the postmortem part of this, one of the huge lessons learned…
1) The government has a great site called identitytheft.gov that the FTC runs. So, in hindsight, if I had started there, it would’ve streamlined my prioritization, because it sequences you through, “Have you changed these passwords? Have you looked at this history?” I believe that’s how I figured out how to look for my Google history, because it was one of the steps in there. So that was a really helpful site.
2) With two-factor authentication, a lot of us feel comfortable that we’re really secure. But what we haven’t really thought through a lot of times, and why people are going after the SIM cards, is it turns two-factor authentication into one-factor. And when I say that… So if I need to log into my Gmail account, and I have it set to SMS text, and I need my password and my SMS text. Well, if your password, when you reset it, goes to SMS text, if you have the SMS text, which is the SIM card, you can have full control of that person’s email.
3) If you have your email and your text and your phone all coming to the same device, it really can be a single point of failure.
KK: Yeah. So tracing that through about what that SIM swap attack is, first part, they’re going to go out there and find a way to get that PIN number. And that works at most phone carriers.
MM: So if you’re on T-Mobile or AT&T, you should change your four-digit PIN immediately. So, in the aftermath of this, not just mine, but this has happened to several people now, it’s come out that T-Mobile and AT&T were both compromised through second-party vendors for all their PIN numbers.
KK: Well, what happened on the both, too, though, just so people are aware, when they say they’re compromised by a third party… Actually T-Mobile’s was with Apple, the iTunes store. Not Apple’s fault, but where the security flaw in both cases, from what I understand, with AT&T and T-Mobile, was you could attempt and try to guess that PIN number as many times as you wanted. So right… That’s a bad security protocol.
MM: So anyway we think the criminals themselves were a team. So, from my Google searches and the information I’ve been able to gather, I know that the SIM card was taken in Birmingham. And then that from Birmingham, was not where the Gmail was accessed from. So somebody was hired that either had a fake ID that had my name or something like that. And then somebody else accessed from a different part of the country. It was in the United States. It was a U.S. attack. Some of these aren’t U.S. attacks, in general. But they knew enough about me, they did search everybody on my LinkedIn profile at the time. So it was disconcerting.
KK: Any time your privacy, whether, I think, it’s digital or physical, is violated, it certainly is. So just, again, maybe give background on what happened. Why did you get picked on?
MM: Well, one client in particular had a very successful eight-figure token sale. So, they knew that there’s lots of press about them having eight figures in the bank, and eight to nine figures in cryptocurrency on top of that. So I think there’s some assumptions there that I have access to those, being in the CFO role at those companies. I think other people… Most of the other people that have been attacked have been in… It has actually been in the CEO role. So that makes me think that they had done more due diligence. It was well-researched. They definitely were running a playbook. It was “get the SIM card, notify me, I’m going to run these Google searches. I’m going to see what I can get out of the Google searches, and go from there.”
KK: Now this next part will be a little relevant to those who are in the crypto space. So kind of hang with us, we’ll circle back to other things. But on the crypto space, what are you seeing?
MM: Well, anybody who even wants to dabble in crypto, I mean…if you’re going to have a thousand bucks in crypto, and you’re not going to be a big trader, I think you should buy a Trezor, or some kind of hardware device to keep it.
KK: Talk about what a Trezor is, or what these devices do.
MM: Yeah. So, we’ve just actually come out with our cold and hot storage guide. So, people have been asking us, “What do we do to hold our cryptocurrency? How do you hold your cryptocurrency in the most secure way possible?” There’ve been tons of exchange hacks, Mt. Gox, a couple of the other ones, this one with the guy that lost 24 million that’s suing AT&T because of the SIM card breach. The difference between exchanges and what we refer to as cold storage, where you have either a USB device or a USB-like device like a Trezor or a Ledger that plugs into your computer, is where you’re holding your private key. Basically, your private key is basically your signature that you can send, like if you were signing a check in the cash world. So, the SIM card attacks were designed to get to the exchanges, because at the exchanges, if you take over the account, you have signing authority. The nice thing about the cold storage is that you have a physical thing with you that requires another password to be able to sign or transfer any funds. So, luckily for us, in my situation, everything that we had was in cold storage. We, as a company, for the two clients that they were targeting, for us personally (me and my wife), everything in cryptocurrency we keep offline in cold storage. We’ve just followed that best practice.
KK: Yeah, check the guide out…if you’re even dabbling in it as an investor, whatever it might be, take a look at it.
MM: We designed it before the identity theft, because we’ve been working with people about it, but people have been asking us about it a lot, like how they should store their crypto, and things like that. So we finally came up with a little pretty document. It was intended for people with more than a million dollars in crypto, but you can just scale it down if you have less. And what to keep offline, what to keep online, what to keep in hot and cold, and what to have multisig.
KK: If you ever want to talk crypto, this is the guy. If you’re going through any of these, take a look at the guide and connect with Matthew, because he’s got a lot of experience in crypto. Now, jumping out of crypto and back to regular businesses, you mentioned the awareness of, like, “Listen, you were targeted because you’re an executive, you’re a CFO for companies.” In our company, Acuity, I’d say our staff probably get at least an email a week from someone purporting to be us, asking people to transfer funds, right? And so, we can get pretty good about sniffing that out, but that happens all of the time now. I think the challenge is, they’re probably a little more sophisticated than people think, and they send them out to lots of people with the titles that we may have, of CEOs or founders. And what they’re looking for is an executive in authority, not hard to spoof, which just means making your email account look like mine or Matthew’s. And then the other thing I don’t think people realize they’re doing, too, is they are targeting times of day when they know that staff are typically very busy, right? They’re hoping that someone maybe gets it and goes, “Oh, Matthew asked me to transfer some funds real quick.” And they’re kind of in the middle of things, and working fast, and maybe, “Okay, fine, I’ll just do it, I’ve got a bunch of other stuff I have to get back to.” I think, an awareness that if you’re an executive, especially if you’re in the financial capacity like we are at Acuity, like many of our other peers are, have to just be extra diligent, because people are going to try to find a way, whether it’s very, very crafty like with Matthew’s situation on the SIM card attack, or it’s just in using these business email compromise attacks.
MM: Yeah, and we’re moving more and more, to more of our clients, to a verbal verify, a verbal video, an encrypted text, some second form of verification. We’ve moved to that on almost all… I know all of the cryptocurrency clients do that, where they do some kind of second verification. But even in the cash world, that’s a huge thing…like, an email should not be able to send a wire.
KK: What do you think about password vaults? What are your thoughts on-
MM: So, most people are using 1Pass, or LastPass, or one of the other main encryption vaults, right? I’m not aware of any massive breaches at any of those. But when you talk about single points of failure, you probably have to be pretty sensitive that that is a single point of failure if you’re keeping all your passwords at those places. I guess my opinion on them is…with the number of passwords we have to maintain, they’re a necessary evil, and I’m hoping that their security is high.
KK: I think the same goes to say for these dual-factor authentication SMSs. I mean, I don’t mean to say that these things are terrible and they’re bad. They’ve got vulnerabilities like anything does. Rarely is there anything that’s going to be perfect. I would say that like a password vault, or even using dual authentication with SMS, is probably better to do that than not do it.
MM: What else, man?
KK: That’s it. It was crazy.