Is cybercrime getting easier? Cybersecurity expert Ryan Pullen dives into his work investigating massive digital breaches and testing security blindspots — which led to him gaining access to the software controls of a well-known building in London. Learn more about how cybercriminals exploit human vulnerabilities and hear the latest on how to recognize and protect yourself from scams.
Learn more about our flagship conference happening this April at attend.ted.com/podcast
[00:00:15] The first time I fell for a scam, it was 8 o'clock at night. I was tired. I had just made it home to my New Jersey apartment after a late class and long train ride out of New York City.
[00:00:27] My phone rang as I was unloading my laptop from my book bag and rummaging through the fridge for a quick dinner. An 800 number glared at me from the screen.
[00:00:36] It looked like it may have been important, especially a call from a corporation after regular business hours.
[00:00:42] The guy on the other end of the phone said he was calling from my bank and needed to verify some information to upgrade my credit card.
[00:00:49] I told him I wasn't interested in another card, but he insisted it was a special promotion. And since the bank was phasing out my existing card, he just needed to verify my birthday.
[00:00:58] Besides, this new card had more perks. After a few minutes of back and forth and a bit of confusion, I relented and verified, confirming my address, age, and the last few charges.
[00:01:11] The guy was polite and friendly, but something still felt off.
[00:01:16] Afterward, I called the bank and they told me they would never call me after hours or pitch me a credit card in that way.
[00:01:23] I asked them to block it immediately, but the damage was done.
[00:01:30] I'm Sherrell Dorsey and this is TED Tech.
[00:01:33] The talk we're going to listen to today is from cybersecurity expert Ryan Pullen, who shares with us that even as the technology behind scams grows more sophisticated,
[00:01:43] it's still human-led behavior that causes us to let down our defenses.
[00:01:48] He goes on to share some simple principles on how we can all stay diligent so that the scammers don't win.
[00:02:07] This show is brought to you by Schwab.
[00:02:10] You're here because you like to keep a pulse on trends in technology.
[00:02:14] Well, now you can invest in what's trending – in artificial intelligence, big data, the robotic revolution, and more – with Schwab Investing Themes.
[00:02:24] It's an easy way to invest in ideas you believe in.
[00:02:28] Schwab's research process uncovers emerging trends, then their technology curates relevant stocks into themes.
[00:02:36] Choose from over 40 themes, buy all the stocks in a theme as-is or customize to better fit your investing goals – all in a few clicks.
[00:02:46] Schwab Investing Themes is not intended to be investment advice or a recommendation of any stock or investment strategy.
[00:02:55] Learn more at schwab.com slash thematic investing.
[00:03:02] This episode is brought to you by Progressive.
[00:03:04] Most of you aren't just listening right now. You're driving, cleaning and even exercising.
[00:03:09] But what if you could be saving money by switching to Progressive?
[00:03:12] Drivers who save by switching save nearly $750 on average, and auto customers qualify for an average of 7 discounts.
[00:03:20] Multitask right now. Quote today at progressive.com.
[00:03:24] Progressive Casualty Insurance Company and Affiliates.
[00:03:26] National average 12-month savings of $744 by new customers surveyed who saved with Progressive between June 2022 and May 2023.
[00:03:35] Potential savings will vary. Discounts not available in all states and situations.
[00:03:41] Hey listeners, before we kick off today's episode, I want to give a shout out to one of our favorite podcasts, Masters of Scale.
[00:03:48] Every week on Masters of Scale, Reid Hoffman, co-founder of LinkedIn, meets with some of the world's most successful entrepreneurs discussing the strategies that got them to where they are.
[00:03:57] You'll hear from entrepreneurs like former Burberry CEO Angela Ahrendts, Imagine Entertainment's Ron Howard and Brian Grazer, Airbnb's Brian Chesky and many other iconic founders.
[00:04:08] Be sure to search for Masters of Scale wherever you get your podcasts.
[00:04:12] I received a phone call from somebody who needed my help.
[00:04:16] And they explained to me that this organization had suffered a cyber attack, more specifically a ransomware attack, which is designed to both steal your data and make it unusable.
[00:04:29] It replicates itself throughout the business and can drive you down to paper-based controls.
[00:04:36] And this was an opportunity that I saw where I could influence something positively.
[00:04:42] And it was my job to investigate what had happened, how it happened and why.
[00:04:50] And I saw something that I hadn't experienced before firsthand.
[00:04:55] In 2017, the NHS suffered something similar, and it cost nearly 100 million pounds to recover.
[00:05:03] This incident cost around five million pounds to recover and took 14 months.
[00:05:08] Yet what I saw was the human impact.
[00:05:12] How did this happen? A single individual clicked a link, and a single individual unknowingly enabled this to happen to an organization.
[00:05:21] Multiple people were signed off sick due to stress and multiple people weren't able to go to work the next day and carry out their job.
[00:05:31] Now, for me, cyber security is a very technology-focused term.
[00:05:37] And yet IBM did a study in 2021, and 95% of cyber attacks used the human element.
[00:05:48] Now that's all well and good, but what does that actually mean?
[00:05:53] It means people can be exploited too.
[00:05:57] There's no lines of code and there's no fancy software.
[00:06:00] Cyber security is, as far as the media is concerned, maybe teenagers in their bedrooms causing trouble, stealing things and learning how to use them.
[00:06:11] Yet what people don't see is the impact and how it affects day-to-day life.
[00:06:17] And this incident for me made me think slightly differently around cyber security.
[00:06:23] And recently I had an opportunity which presented this thought process.
[00:06:30] I was commissioned to evade security controls for a very well-known building in London.
[00:06:38] That's a snazzy way of saying break in.
[00:06:41] And effectively it was my job to see if I could get past the security controls and get into the building.
[00:06:48] And so for me, thinking kind of outside of the box: this building has floor-to-ceiling doors, a 24-7 security team, and an endless budget for this kind of thing based on where they are.
[00:06:59] And so, thinking slightly outside, I needed to come up with a different plan.
[00:07:06] And what I did was I tried to go down the social engineering route, which is the art of deception, kind of, and making people believe something without the full information.
[00:07:19] And what I did was I walked in the front door dressed quite similarly to this and I was greeted by eight people.
[00:07:29] I thought, oh, it's a bit over the top.
[00:07:33] And it's because every single person should have the right information and should know where they're going.
[00:07:41] It's very rare for them to be visitors.
[00:07:43] And this person asked me, why are you here? Who are you here to see?
[00:07:48] And I explained I didn't have an appointment but I was here to see a specific person.
[00:07:52] And they said, yeah, there's no chance of getting in.
[00:07:54] And I thought, oh, goodness, I'll travel this way.
[00:07:58] And yet what I know is people are empathetic and people want to help each other.
[00:08:03] And so I made up a story and I said I was here for a legal matter and I was only able to achieve what I needed to achieve on these premises.
[00:08:11] And they said, yeah, sorry, we're still...
[00:08:14] And I explained the urgency and I made them feel sorry for me.
[00:08:19] And when I was thinking about giving this talk I was going to pause and I was going to pretend that I was struggling.
[00:08:25] And that motion that you would have felt where you wanted to help me or you wanted me to continue is exactly how this person felt.
[00:08:33] They felt they were stopping me from doing my job, which they were, but not for how they expected it.
[00:08:41] And so I pretended to be on the phone in the foyer, pacing up and down, pretending to be aggravated.
[00:08:47] And then the manager came across with a QR code for me and said, so sorry, so sorry for the issues, no problem.
[00:08:53] And they showed me around a side passage away from the two rounds of security.
[00:08:58] So I had my laptop bag with me with the evidence and it wasn't checked and I was able to go in and I was able to go to the floor that I needed to.
[00:09:09] And I was paid as a cyber security expert to evade the controls of this building and all I did was ask for access and make someone feel sorry for me.
[00:09:19] And so that's two very different perspectives.
[00:09:23] One, the five-million-pound job that took 14 months to recover, where I was helping people; but in the second, I was the aggressor, or the person trying to get in.
[00:09:32] Now this is all enabled through the way that humans exist and human behavior.
[00:09:38] And cyber security as a whole doesn't really represent that in a way that is sufficient, I don't think.
[00:09:45] And so I have one more narrative and different perspective to share and it's when I was a victim.
[00:09:52] This happened only a few weeks ago.
[00:09:56] And what happened was I received a phone call.
[00:09:59] It was around 8 p.m. I received a phone call from a phone number.
[00:10:05] And they said, hello is this Mr. Pullen?
[00:10:07] And I said yes.
[00:10:09] And they said, we've seen your bank cards be used in a different part of the country.
[00:10:14] And I thought, oh goodness.
[00:10:17] And what they explained was that there had been three different transactions, and would I like them to block them for me?
[00:10:22] I said, yes, please. That would be really helpful.
[00:10:26] And I Googled the number out of instinct and it was the phone number from the fraud line in the bank.
[00:10:34] And something didn't add up.
[00:10:37] I'm a bit of a pessimist. I don't really trust people.
[00:10:41] And so I was instantly on the back foot, and they're saying all of these things, and they were confirming my identity.
[00:10:47] They told me where I lived.
[00:10:48] They told me my mother's maiden name.
[00:10:50] And they told me a few other bits of information that a bank would know.
[00:10:54] And all of this is to build a perception of credibility.
[00:10:58] Why shouldn't I trust you?
[00:11:00] And why shouldn't you be phoning me to help me?
[00:11:04] And we go back and forth for around an hour and a half.
[00:11:08] And there was a few things that didn't sit right with me.
[00:11:11] And so when I was on hold, while they were blocking my transactions,
[00:11:16] I phoned the actual fraud line and I said, is there a way that I can verify their identity?
[00:11:20] The person on the phone said they sound very professional and legitimate.
[00:11:24] And they were. I asked for their name and they had a fake LinkedIn profile.
[00:11:28] They had a fake crime reference number for me.
[00:11:32] And me experiencing this firsthand, having investigated things like this on a regular basis for mortgages and transactions ending up in the wrong place,
[00:11:43] I knew something wasn't sitting quite right.
[00:11:45] And the genuine agent put a note on my account, and I said to the caller, can you tell me what the note says, please?
[00:11:54] That was the first time they got a little bit flustered.
[00:11:57] And it took them five minutes and they said, yeah, we'll go and check with the accounts team.
[00:12:00] But in the meantime, can you tell me the code that it says in your mobile app?
[00:12:04] At which point I hung up, got my cards replaced and I was okay.
[00:12:08] But these three narratives of cyber crime, or scams, or criminal behavior are all technology-focused in their end goal but are human-led.
[00:12:21] And you may ask, how is this possible?
[00:12:25] Why can this be so easy?
[00:12:27] I've literally just walked into a building and asked someone to let me in with a fake story.
[00:12:33] And someone's phoned me up with a small piece of information and built this incredible picture around it.
[00:12:38] Okay, yes, I should trust you.
[00:12:41] And it's because data has a value in different pockets.
[00:12:47] And with small bits of information, you can build quite a narrative, as you can see.
[00:12:54] And so today what you would be able to do on the kind of criminal underground, if you like, would be buy a thousand email addresses and passwords for around six US dollars.
[00:13:06] A cup of coffee in some places, right?
[00:13:09] That's a thousand people's account details that you may be able to log into or have tangible information to create a case.
[00:13:17] And that might be pretending to be Amazon for a password reset.
[00:13:20] It might be what location you went on holiday and we're going to do a bit more of a targeted attack that way.
[00:13:27] And this information is available because of vulnerabilities from a technical standpoint, yet this is to exploit the human behaviors.
[00:13:37] Take my parents, for example. I think I'm in cybersecurity because my parents give me a balance.
[00:13:42] My mom is 110 percent optimist. Nothing's going to go wrong.
[00:13:46] Everything's okay. No one's going to hurt my little boy and all of this sort of stuff.
[00:13:50] And my dad's much more on the pessimistic end where why do you want to know me? Why do you want this information?
[00:13:57] And so that balance for me brings kind of both sides of the story.
[00:14:04] And my mom is the sort of person that would have shared the traditional WhatsApp messages, 250 pounds at Christmas,
[00:14:11] how lovely that would be, pay for your Christmas lunch and all those sorts of things.
[00:14:16] And that then becomes a whole different attack vector, because it's coming from someone you trust, and they're sharing a link
[00:14:23] and they're sharing something you might want to click, and you begin to trust even more.
[00:14:28] So my talk is around really focusing on the ways in which human behavior is exploited and how we can benefit and protect each other.
[00:14:38] And it's okay to call these things out.
[00:14:40] And so there's some basic things you can do, such as resetting passwords and making sure you're not using the same password for your accounts.
[00:14:47] Because if one of your passwords did get leaked, you would like to know, okay, it's just this one account.
[00:14:51] And I understand that's the one I need to look after, when many people will use the same profile for Facebook, their bank, their online banking, sorry,
[00:15:00] and sites where you can purchase things.
[00:15:03] So you might be able to go on Amazon and buy an iPhone with someone's username and password, right?
[00:15:08] Bank account details are stored.
[00:15:11] And that creates a whole different perspective of risk and cybercrime.
[00:15:16] And so for me, I don't believe any generation can avoid this anymore.
[00:15:23] Children are being raised with iPads and older generations are online shopping because of convenience and accessibility to services they may not have had before.
[00:15:32] And so I believe that understanding how these things may happen and putting some light on them
[00:15:40] can really impact the way in which people conduct themselves and challenge when things may not feel quite right.
[00:15:49] And so for me, going through this journey, there are three different perspectives.
[00:15:54] The one where I was the person helping, five million pounds, and seeing people really suffer.
[00:16:00] The second one where I was putting people potentially in that position, however, fully ethically, and I was meant to be there for my job.
[00:16:07] And the third where I was the victim.
[00:16:10] It shows that it can take many different shapes based on information and information can come from social media.
[00:16:18] And so if you're going on holidays in Mexico, say for your honeymoon, you've saved up all of this money.
[00:16:24] Wonderful. Have a lovely time.
[00:16:27] Yet if someone you know, or an acquaintance, or someone with public visibility of your arrangements
[00:16:36] knows that information, and they know the bank you may work with,
[00:16:41] they could phone you whilst you land and say we've seen your card be used in this location.
[00:16:48] Now, how are you going to feel if someone's saying your card's being used and it's you?
[00:16:53] You're going to feel, OK, cool. Yeah, this is me. No problem.
[00:16:57] And they say, OK, can you just confirm your identity because we want to make sure this is you.
[00:17:04] Can you just tell me your card number?
[00:17:06] So you do. And then they ask why you're there. I'm on my honeymoon.
[00:17:09] Have a lovely time. All of this is the empathetic side of social engineering behaviors.
[00:17:16] And then you get down into the more conversational elements.
[00:17:19] OK, can you just confirm your card isn't going to expire? When does it expire, please?
[00:17:23] There's many different ways you can pose questions to make people feel acceptance.
[00:17:28] And then lastly, can you just check the security pin so I know which card I'm going to disable?
[00:17:34] And by that time, what you've done is you've told someone you've got money in your bank,
[00:17:38] because you've been saving for this wonderful occasion.
[00:17:41] And also you're not going to be in the country to do anything about it.
[00:17:45] And so from a cybersecurity perspective, exploitation can happen in many different ways
[00:17:50] and I don't think it's publicized around the human elements enough.
[00:17:54] And so if you take one thing from today, I ask that you see this as your opportunity
[00:18:00] to make sure that you protect your own information and your loved ones and your identity online.
[00:18:08] There's no problem with using social media.
[00:18:10] All I ask is you consider who you're sharing that information with.
[00:18:14] The reason being that information is valuable even if it's not to you.
[00:18:18] It could build a picture and it could cause you some trouble.
[00:18:23] Consider who you share your information with. Thank you.
[00:18:31] This podcast is supported by Tools and Weapons, the podcast hosted by Microsoft Vice Chair and President Brad Smith.
[00:18:38] Each episode features insight you won't find anywhere else from the center of the conversation surrounding emerging technologies like AI.
[00:18:45] Right now on the podcast you can hear a special episode where Brad Smith lays out Microsoft's vision
[00:18:50] for a vibrant marketplace driving the new AI economy.
[00:18:54] To hear more, follow or subscribe to Tools and Weapons with Brad Smith wherever you get your podcasts.
[00:19:02] You're growing a business and you can't afford to slow down.
[00:19:05] If anything, you could probably use a few more hours in the day.
[00:19:08] That's why the most successful growing businesses are working together in Slack.
[00:19:13] Slack is where work happens with all your people, data, and information in one AI-powered place.
[00:19:19] Start a call instantly in huddles and ditch cumbersome calendar invites.
[00:19:24] Or build an automation with Workflow Builder to take routine tasks off your plate, no coding required.
[00:19:30] Grow your business in Slack. Visit slack.com to get started.
[00:19:43] TED Tech is part of the TED Audio Collective.
[00:19:46] This episode was produced by Nina Lawrence, edited by Alejandro Salazar, and fact-checked by Julia Dickerson.
[00:19:53] Special thanks to Maria Ladias, Farrah Desgranges, Corey Hajim, Daniella Balarezo, and Michelle Quint.
[00:20:01] I'm Sherrell Dorsey. Thanks for listening and talk to you again next week.