Fast fact, human error accounts for 95% of cyber-attacks, which makes them preventable. I'm Drew Thomas, and you're listening to Bank Chats.
Welcome to the next episode of AmeriServ Presents: Bank Chats, I am Drew Thomas and today we are going to be talking about cybersecurity. And, in this episode, we are not going to delve super deep into any one particular aspect of cybersecurity. But I want you to know before we even get started that what we're going to talk about today is high level. And quite frankly, we are we have plans to be able to go much much deeper into a lot of these sub sections of cybersecurity, but we want to, especially this being Cybersecurity Awareness Month, we're releasing this in October of 2023, for those of you that may be listening at a different time. It's really, really important to start to understand what cybersecurity is and how that relates to your financial health and education. So with that in mind, I want to introduce our guests for the topic today. We have Kevin Slonka, and Michaels Zambotti from Saint Francis University in Loretto, and welcome gentlemen, we really appreciate you being here today.
Thank you. Glad to be here. Thank you.
Yeah, absolutely. Thanks for having us. So I'm just going to randomly pick somebody because I don't want to play favorites, so Kevin, we'll start with you. Clearly favorite. Yeah, just give us maybe a little bit of background about your education and your history.
Sure. So I have been in academia since 2007, currently teaching at Saint Francis University, I teach computer science and cybersecurity. I've also worked in industry since around 1999 for various government contractors around the area. Let's see, got my doctorate at Robert Morris, various IT certifications, you know, not going to bore anybody with with that whole list. But uh, my focus in cybersecurity is kind of more on the the offensive side, what most people would call hacking.
Oh, okay. Excellent. And, Mike, did you want to go ahead and give us some background about yourself as well?
Sure, absolutely. I went to Penn State University, graduated from Penn State, and graduated with a degree in finance. And I worked in in the financial sector as a financial advisor for about 10 years. And then I went back to school, got my Master's in cybersecurity, and I've been teaching and working in cybersecurity for about the past five or six years. So, where my focus is, is a blend between the financial sector and cybersecurity where they intersect, and also looking at cybersecurity as a business problem. Not necessarily just a technology problem, but a business problem. This is something that impacts companies across the board, from profits to their customers to their potential customer, so looking at it, in that respect.
I was reading something in, and I may be misquoting myself because I'm doing this from memory. But the the total number of fraud related events in businesses last year was in the in the billions for the United States alone, I believe.
No, absolutely. And look no further than the newspaper. You know, if anybody's reading the newspaper or whatever, news website, you read, the casinos MGM and Caesars recently have been in the news, both had had cyber incidents. And you know, it looks like Caesars paid out about $30 million in ransom. Clorox, which is a company that you wouldn't think maybe is a big cyber target. They had an attack back in August, and it's going to impact their supply chain out to next March. Wow. After the news came out, you know, they have to, they're required to file to the SEC, and the stock fell several percent, so there was definitely a business impact. You know, it's not just a technology thing where they say, hey, you know, we had a ransomware attack, and our technology doesn't work. It's impacting the shareholders, it's impacting people that want to buy Clorox wipes. You might go to the store, and you know, not see so many Clorox products and because they're having a supply chain issue, so there's a real-world impact to what we see in the cyber world.
So, before we get too deep in any one particular example, or any of it, let's, let's talk about just what is cybersecurity? I mean, that's a term that is thrown around a lot. You hear it on the news, you know, but what exactly does that entail?
Yeah, I mean, for most people, you probably know what security is right? Like locking your house, you know, keeping your person safe, things like that. This is really the same thing. It's just you know, the combination of two words, cyberspace and security. So, it's doing all those same things, but to your online presence. So, we all, I'm sure that we all if you're listening to this podcast, access our bank, online, we have an app on our phone, everybody probably shops online. So, you know one way or another you have personal information, online credit card address, social security number in some places like your bank's website. So just being able to protect that, you know, that's generally what we're talking about when we talk about cybersecurity. It's protecting the data that we deemed sensitive.
And it's not exclusively, I think that, you know, there are a number of people who think that if they're, if they're not particularly active online, I know that like my, I'll just use an example from my personal life. My dad is not a technology guy. He got his first iPhone last year, and it was mostly because his flip phone broke, and I had one sitting in a drawer, and I said, you're getting a smartphone. But even if you're not particularly active online, or in cyberspace, like that, you still should be concerned about cybersecurity.
Oh, absolutely. I like to always tell people, you know, you can never have touched a computer ever, but do you have a house with a mortgage? All of that information that you filled out and wrote on those papers are stored on your bank's servers, which are connected to the internet. So, if your bank got hacked, all of your information goes with it. So, you could be living out in the middle of nowhere. But if you're a human being with a social security number, your data is on the internet somewhere for somebody to be able to steal.
And I think you made a good point like is, okay, so using a mortgage as an example, since you said about filling out mortgage papers. If you bought your house 30 years ago, is that still something to be worried about? Like, do you how long did your bank keep that information, and would it have been transferred from paper to digital whenever they moved their servers and created new things?
I mean, that's a that's a good question for you. Just, you know, from personal experience, I know like in the medical field, with doctors’ offices, you know, some of them are very slow to convert their own paper records to digital records. But, my assumption would be that every company will, at some point, do that. So eventually, if you bought a house in the 50s, your data is going to be on a server somewhere. Yeah.
And banks are pushing people toward, not, not pushing people, but strongly recommending people look at the app, you know, look at the ways to, you know, don't just wait for your monthly statement to come in. Yeah. So, so you're seeing more people adopt that technology, even people that are older, you know, and, you know, sometimes we think, oh, older people, they don't use technology. Well, I look at my father, he's in his 70s, he uses technology every day, my grandmother is in her 90s, she does online banking. So, people in that age group, I think, are still using the technology and sure, there's some people that don't use it. But, like Kevin said, even if you don't use the technology, whoever you're interacting with does. So, your information is digitized, it's computerized. It is possibly available to somebody who would like to see it that might have malicious intentions.
Yeah, and you're absolutely right. I mean, I use my dad as an example of the of the of the group that does not generally use technology. My mother is the same age and she has a laptop, she's online every day, she's doing stuff on her phone, she's taking pictures, she's doing everything that you would you might expect of someone younger. So, you're absolutely right, it's not just an age group thing. You know, older people might use technology, younger people might shun technology to a certain degree. But that doesn't mean that it's not, that cybersecurity isn't something that you should be concerned with either way.
Right? Even things like email, emails, a very large attack vector. You see a lot of scams come in over email, they're called phishing scams, I'm sure we'll go into that in detail how they work and, and how the attackers might operate. But, even people maybe that don't use online banking, might use email, and might have a situation where they get an email that says, hey, something happened to your bank account. And the attacker tries to get you know, activate your brain in a in a fear, uncertainty and doubt and get you to act before you have a chance to think about it. And hey, I better do something. My account's been compromised, I better interact with this person who's telling me this. They seem, it looks like it came from my bank.
Yeah. So that kind of dovetails right into the, the question that I was going to ask next was, the most common cyber threats that individuals and businesses, which I'm sure Mike can talk a lot more about in detail, will face, so it sounds like email phishing scams, those are probably some of the most common but what other types of scams should people be aware of? Or how does, maybe scams is a bad term. What other types of cybersecurity events should people be aware of?
Well, I mean, Mike mentioned phishing, which is probably the biggest, you know, for most people to get those emails to try to trick you into doing something, but not only email, there's a similar attack called smishing. Ever, you know, we love these weird words in cybersecurity, but it's the same thing just over SMS text message. So, you can get the exact same thing from a text message, you know, click this link to reset your password or whatever. And if you fall for it, I mean, who knows who you're giving your information to. So, a lot of the attacks that people have to be aware of are just things that are, like Mike said, they're trying to play on your fear, or your, your emotions to make you react without thinking. And, I think both of us can agree that whenever we teach this stuff, that's really what we try to tell people. Just stop and think, you know, take a minute, does this make sense? Should I really click on that?
Yeah, um, and what I've seen too, is that it's not always people trying to make you, I mean, you are, you're trying to make people react rather than think. But sometimes they're even getting crafty and saying, like, well, we're trying to prevent a cyber incident for you, click this link to make sure that we can reset your password. It's not even just trying to say that you were hacked, or something you're trying to say that, we were trying to prevent a hack. And we need you to give me your information. So, like, as speaking from a bank's perspective, we will never, we will never call you email, you text you and say, we need your username and password for your online banking, that will never happen. We have that information already. We don't need to ask you for it. And I would say in a lot of other industries, it would have to be the same.
Yeah, most companies, they do the same thing. You know, they will tell their people don't ever give it out over the phone. Nobody needs that. And like you said, with those emails, I mean, that goes back to rule number one of email, stop clicking on things, like never click a link. And even if the email looks like it's from a friend, it might not be right, phishing attacks are really good. Don't click on links and emails, because you never know, unless you're technically savvy, you know, we could tell you in great detail how to figure out where those links are really going. I don't know that, that would work in an audio only form, probably need some video to show you. But unless you know how to do that, just don't click the links, you know, if you need to reset your password for your bank's website, go to the bank's website on your own. Type it in the browser yourself, so you know that you're going there.
And one of the things I do in class, one of the themes that I will consistently present in every class, is building a healthy skepticism. Like the great President Ronald Reagan said, trust but verify. Yeah. And you know, I'll tell you, you know, a couple of interesting stories Drew, you hit on a scam where you get an email that says, hey, somebody tried to compromise your account, and they weren't able to, so we're here to help. That's actually how one of the DNC hacks a couple years ago against John Podesta occurred. He actually received an email, and if you search online, you can see the email he received, and it said, hey, somebody tried to access your account from I believe Ukraine, click on this link and change your password. So, he actually did that. He clicked on a link and he put in his password which was given to the attacker, now they had access to his account. They didn't actually change it. And there was another one, you know, you talk about other scams, phishing is a big one. Invoice scams, invoice scams are a very big deal. And what that is, is an attacker will email an invoice to a company and say, hey, you owe us money. Now you wouldn't, you might think, who's gonna pay that? Who's going to just pay an invoice? Well, Facebook was in a scam, Facebook paid $10s of millions, actually, I think it was up to around $100 million, over a couple years of fake invoices. This fella was just sending Facebook invoices, and Facebook kept paying them. So, he was eventually caught, but you know, a lot of money. And, you know, locally. Sometimes people think well, you know, we're in, we're in a small area who would target us? Somerset County last year was the target of an invoice scam. And the county lost about $17,000. They got an invoice, they wired out money to the attacker and, and the money was lost. So that's right here, right in our right in our backyard.
I think some, some of the time, and again, I'm making a generalization here, but I think sometimes older people, they came from a space mentality where if someone said they owed them money, they felt very obligated to immediately make that right. They didn't really question it, because they just assumed that they had forgotten to pay the bill or that they had misplaced something and not follow through. And they didn't want to have that reputation for having not been, you know, making good on their debts. So, when someone comes to them and says, you know, you didn't pay your electric bill last month, they don't really question it at all. It goes back I think to what to what you were saying was, you know, this idea of reacting rather than thinking, you know, they just assumed that they must have forgotten to pay it and they don't want that reputation for having, you know, been behind on their bills. So, they just immediately send money.
Yeah, and to get all sciency for a second, you know, any, you know, biology experts will be familiar, but there's a term called amygdala hijacking. Amygdala hijacking is actually that, it's getting your body to short circuit, the logic part of your brain and act before you can think. And that's what whenever we talk about fear, uncertainty and doubt, you get these emails and they're scary. You know, somebody, hey somebody got my password, somebody has information about me. I better do something right now, I'm not going to think I'm gonna just act and you know, it's a chemical reaction, our brains, we can't really control it. But it's over time, you can start to realize, and once you develop that healthy skepticism, yes, I got this email, but let me take a step back from my computer. Let me just take a minute, take a breath. Is this something I need to react to? There's a biology behind this. It's not you know, if you're a victim of one of these scams of a phishing attack, don't feel bad, don't feel like you did something wrong. You know, these are the something that these are professional criminals who are really, really good at what they do. So, there's a lot of victims out there, the most important thing is to be educated to prevent yourself, hopefully becoming a victim. But if you are, well, what are the steps you can take to, to limit the damage, limit the blast radius of whatever. If you've gone and, you know, changed your password, you thought you change your password, but you actually gave it to an attacker. Well, okay, maybe it's a case where you actually type in the website and go specifically to that website, change your password that way, the correct way, rather than a link that's in your email. But, you know, going back to what Kevin said, you know, rule number one, stop clicking on links in your email. You know, banks, I think you've become educated to the fact that, hey, let's not put links in people's emails ever. Let's direct them, hey, don't click on a link and email go directly to the AmeriServ website. Yeah, type in your credentials the correct way. So that they can say, well, I'm never gonna send you a link. So, if you do get a link that says it's from us, it's not from us.
Yeah, it's, it is a difficult thing sometimes. Because, you know, from a banking perspective, we're sending out communications at times that involve accessing things like, like privacy policies, and letting them know like, we're legally obligated to tell you like, hey, your bank statement is now available if you're receiving them electronically, because you're not getting that envelope in the mail anymore, right. So, we have to send you an email. And usually in that email, what it'll say is, your bank statement is available, we encourage you to log into online banking, and then access your statement. We may provide you for your convenience, here's a link, but there is always a really a way to reach that information without clicking that link. Because of that reason, because we want you know, we're constantly preaching to people don't click on links and emails, and then, you know, yeah, we'll send you an email that has a link in it, which is a little counterintuitive, but we want to make sure that people understand that you don't have to click the link, there is always a way to get to that information some other way.
And what we always like to tell people, you know, your, your one, you might be wondering, you know, why can't I just click the link, I see where it's going, the link says, you know, HTTP ameriserv.com, it says where it's going. But, when it comes to putting links in emails, you know, attackers can change where it actually goes, what you see in the email doesn't have to be the link, then it'll actually take you to. So, one easy way around that, you know, let's use AmeriServ as an example. If you, for customer service reasons, provide people a link, they still shouldn't click it, but what can they do to make their life easier? Well, they can copy and paste it. So, you can see the letters on your screen, and you can see what the link says, rather than clicking it, highlight it, copy it pasted into your web browser. And then you can literally see on your screen what got put in your web browser and where it's going to go. Yeah, because it's very easy to hide, you know, www.hacker.com, behind a link that says ameriserv.com. But if you copy and paste what you see on the screen, that can happen.
Yeah, and going into, this may be a little deeper than we wanted to go, and we can maybe touch on this in a future episode, if we want to get really deep into how this works. But, I recently received an email from Meta, which is the parent company of Facebook, for those of you that may not be in the know. And, the funny thing was, is that it was, it was not in fact, from Meta, but they had used an ASCII character that looked like a letter M. But you could tell that it was slightly more narrow than the rest of the font that was being used. And, so it was not coming from Meta it was coming from random ASCII character that looks like an M, eta. And, they can get very, very creative in trying to make it look like it's coming from a company that you recognize or respect or deal with, when it's not actually coming from that particular company.
Even an uppercase L or an uppercase i or an L. Sure. Yeah, don't look identical. And you're right, attackers will buy domains, and they'll look very, very similar and you know, our brains are awesome error correcting devices. And whenever we read something If we see the first couple letters in the last couple letters, we kind of tune out the middle, and we can make sense of what the word is. And you'll see often one switch of a letter in the middle of a longer word. And your brain just tosses that out and says, I know what that word is, and you read on. So, you know, we see that as in spoofing, you know, we see that in domains, we also see it in who it looks like it's coming from, you know, hey, I'm gonna send an email to somebody and say, I'm Kevin, and it's gonna look like it came from Kevin, but it didn't. And then all of a sudden, you know, the people that got it, thought it was, they think they're interacting with a different person than they are.
I want to, I want to stop just for half a second and go back to something you mentioned spoofing. Let's talk about what that is. Let's define that for people that may not know.
No great point. Spoofing is whenever you are assuming somebody else's identity, you know, it's almost similar, like identity theft, lite? We're going to see an email that it just says, hey, this is coming from John Smith. Okay. So, you look at the, where it says from, he says, John Smith, and it's coming from John Smith, you know, you're not reading any further you, you've got the information, especially if it's somebody you know, you know. I'll tell you a funny story that several years ago, my mom actually got an email that was spoofed, and it was spoofed in that it looked like it was coming from me, okay, and it said, hey, great news, I'm recommending this new weight loss product. And, you know, and we're at this family event. And my mom kind of sheepishly said, hey, did you, did you recommend me this, this this diet pill? I was like, no. What? I got this email that said it was from you. And, you know, I'm gonna, I was, you know, looking into it. I was like, so whenever we went back to her house, I looked at the email and said, okay, it's definitely not for me, and there are ways to look at the technical details, but you know, it's really about to have that healthy skepticism. Does this make sense? Okay, this email that, that looks like it's coming from somebody I know. And to find out somebody, you know, it's easy to look you up online, see who your relatives are, you know, anybody can do that. And attackers will take advantage of that.
So, I think that goes to one of the other terms that, that I think we may have mentioned, but I wanted to sort of touch on is social engineering. The idea that you know, what you put out on the internet, you may put it out there for completely benign reasons. But people can use that at times to try to make things look more legitimate.
Yeah, this is, this is something that I actually teach my students how to do in our ethical hacking classes. And I'm sure Mike also teaches it in some of his open source intelligence classes that we can take the things that people put online, and make really good guesses about what your email might be, what your username might be, what your password might be. You know, a lot of people when they're making their passwords, they make them something that somebody who knows information about them might be able to guess. You know, a lot of people might use their dog's name, or you know, their family name or something easy to guess. So, the more you put on Facebook, the more you put on LinkedIn, the more, I'm sure everybody have seen these on Facebook, when people say, you know, I just want to see you know, what my friends will say? And there's like a 30 questions survey that they copy and paste asking you, what's your favorite movie? What was your favorite vacation? If you fill those out, you're giving attackers everything they need to make really good guesses about what your password is, or anything about you. Like those security questions. If you forgot your password, and it makes you answer three questions to prove that you're you. Those were probably some of those things that you answered in that Facebook post. So, you've just been socially engineered, and you didn't even know it, people are able to just trick you into giving out information that you probably shouldn't be giving out to random people online. So, you know, less is more. Don't, don't fill out those stupid surveys, don't post things that you don't need to post. And more importantly, don't accept friend requests from people you don't know, just so your follower count goes up on Instagram. Yeah, like, I know, that means a lot to some people, but don't do that.
Yeah. I was gonna ask a question, one of the things that I had read at some point, and I don't know if this is a good idea or not, you don't, you mentioned security questions that a lot of people, businesses and so forth will present to you to confirm your password or to reset your password. You don't actually have to answer the question that's asked of you.
Because the bank knows what state I was born in? They don't know.
So, you could put anything.
Yeah. So, I mean, you could, you could choose the question, what state were you born in? And the answer could be your favorite color, right? As long as you remember that you change the answer, the prompt doesn't really have to correlate to the, to the response you provide.
Don't outsmart yourself. Right? Exactly. Whenever you go back in, you have to remember what you put down. But you know, I think social engineering, you brought up a really interesting concept. You know, sometimes whenever people think cybersecurity and hackers, what, what comes to mind is that, that person with a hoodie, hunched over, typing away and doing all these very, very technical things. Some of the classes that we have, we teach extremely technical things where you can break into a computer. And that's what people will think a hacker looks like. Sometimes a hacker will do something called social engineering, which means they're using non-technical methods to get you to do something that is not in your own best interests. And it could be something as simple as a phone call, many, many scenarios, there's a two-minute video on YouTube of this woman, and if you saw her you'd never think hacker. But she socially engineers, a phone company into changing the interviewers password, and also adding herself to the interviewers account, and he's just facepalming. He's like, but what she did was, she actually put a baby crying audio on her computer. So, she's talking to the rep, and then she says, oh, I'm sorry, my baby's crying, my husband was supposed to add me to the account, he didn't, can you add me on? And the person said, sure, I can add you on, you seem, you know, without going through the security protocols. Because he was trying to help you know, he's the service and customer services, that person is trying to help. And social engineers take advantage of that all the time.
That is, that is a crazy story. But that's, I never would have thought I mean, I guess I would make a terrible hacker, I never would think to do that. But it's a, that's a really interesting story.
Well, you can try to, you know, hack into somebody's devices with a technical means, or you can go the simple route, and just ask them for their password. And, you know, sometimes it's just that easy. And, honestly, in a discussion like this will say, well, who would fall for that. But in the moment, it is very, very effective method. You know, it's, it's social engineering, we want to think of that non-technical hacking of a person.
And again, you'll find different statistics on, on cybersecurity, no matter, you could, you could Google today and get different stats, but it's something on the order of 90 to 95% of cybersecurity breaches could have been prevented had somebody just stopped to think before they provided the information, right out right in the clear. Without anybody having to hack into your account or anything else.
Yeah, movies tend to glorify the guy in the hoodie in his mom's basement. Yeah, typing away at a keyboard. But in real life, it's much easier than that, you just have to trick somebody.
So, we started talking and then, and this is, this is fantastic information, but I want to make sure we get to a number of the different sort of overview topics that we were talking about. So, let's talk a little bit about passwords and how they, how they're either acquired, or, you know, how do you create a strong password? What is this? What is something you should be doing to create a strong password? Yeah,
let's start there. So, the way I like to explain this to people is there are two things you have to think of when you're trying to make a strong password. You have to be able to trick a computer, and you have to be able to trick somebody who knows you, a human. So, tricking a computer, you know, how do you make sure that that hacker with a supercomputer can't break your password. So, the way that you do that is very simple, you make it long, the longer you make it, the longer it takes a hacker with a supercomputer to break it. You know, once you go over 12 to 16 characters, that supercomputer will not be able to break that password within your lifetime. So, we can essentially say it'll never be broken. So, length is the key, make it long, but then you get people saying, you know, how do I remember something that that's long? So, then we get into the part about being able to trick a human, and what it means for you as a person to be able to remember that password. Don't think of the password as a word, think of it as a sentence, or a phrase. So, what I tell people to do, I give them the example, what if your password was this, my house is the color dog. And there was a capital M on my, there was an exclamation point at the end. That sentence is over 20 characters long. So, you're already able to trick a computer, it's long. It's a sentence, so it's easy for you to remember, and it doesn't make sense, right? Dog is not a color. Right. So, if your best friend who knows everything about you tried to guess your password based on things they know about you, they wouldn't do it because it doesn't make sense. So just make it a sentence. You know, most places that allow you to set a password will allow spaces in passwords. So, you can do that. And even if they don't allow spaces, just remove the spaces, just run the sentence together. But either way, it's something very easy for you to remember and it's really long, so computers won't be able to break it. Okay, and
that that certainly may make sense. Mike, did you have?
Yeah, I saw an interesting cartoon. I love memes online and it said, somebody gets my password. So, I have to rename my dog. And because so many people will use a pet's name or something close to them, or add 2022, and attackers know this. And going back to what we talked about social media, hey, I just got a new pet my name, my dog's name is Fluffy. Well, I'm going to try to guess your password, I'm going to start with Fluffy, Fluffy2023. So, like Kevin said, right on target, think about a passphrase. Think about a sentence, you have the length of that thought that is going to be something that's close to you. And whenever you look into words, hey, what winter 2022 or so things like that, the attackers will get those. And like whenever Kevin mentioned the supercomputers, there's libraries of possible passwords, popular passwords, they'll try all those first. And if you have a sentence, you have a passphrase, it's not going to be in any of those, what we call dictionaries of popular passwords.
You okay, so we're talking about how to create a strong password. But what do you do when you have so many passwords to remember, and everybody is telling you to use a unique password for every site, or every app you're using.
That was the key that I was just going to key in on there, having different passwords for every site, that's actually a good thing. You should never ever use the same password for multiple places. So, before I answer the real question that you're asking, I just want to touch on this part real, real quick. So, you know, if you are a person who uses the same password for every site that you have, let's think about why that could be a problem. So, you know, let's say somebody breaks into the McDonald's app, because McDonald's has bad sec-, I don't know that they have bad security. But let's just assume, McDonald's
does not have bad. So, we are not saying from a legal standpoint, McDonald's is not a bad security.
But, but let's just assume that they did. And somebody hacked McDonald's, and they were able to get all of the passwords for everybody's McDonald's account. And you might think, who cares? It's McDonald's, they don't have any of my personal information, I don't care. But if you use the same password for everything, now, they also have the password that you use for your email. And you might think, Oh, who cares? Who do I email? You know, what am I doing with my personal Gmail, but isn't that email, the same email that you use to reset the password for your bank account? And for Amazon, that probably has your credit card saved, as well, and all of these other places? So, you know, if, if hackers can get back to your email, they own your entire life, you know, you don't want them to have access to your email. So, if you use the same password everywhere, you're just making it one step easier for the attacker. So, use different passwords for everything. And that sounds awful.
Oh, absolutely, Kevin, that sounds like wow, I'm gonna have to remember like, you know, hundreds of passwords. How am I going to do that?
How are you going to do that? Well, there are apps out there to help you. You know, I used to recommend LastPass to people. But LastPass recently had a very big lapse in security, that we in the in the government sector have decided let's stop using that. So, I don't recommend LastPass anymore. But there, there are other ones such as 1Password, and that's kind of the one that I tell people to use now, but we call them password managers. So, say you want to go make an account, and again, we are not saying go do this, because we're not endorsing anything on this podcast, but if you were to pick something like 1Password, that would be a thing that you could use, you remember a single master password to get into this app. And then the app keeps track of all your 100 other passwords for you. So, you don't have to remember 100 other passwords.
Now, when it comes to that, how do you access the passwords, right? Because if it's being stored in a database of sorts behind your master password, you have to enter that password and then go search out the password for your app and then find it and then enter it, or do these apps sort of make things a little more streamlined than that in most cases?
Some have a plugin where it'll actually plug into your browser, or you can do a copy, paste. And honestly, some people, we talked about healthy skepticism, will say, you know, password managers sound great, and then you say, well, where's the password stored? It's stored on someone else's computer or in the cloud, in the application. So, you might say, well, hey, I don't don't really want all my passwords stored in that type of environment, which is fine. You know, you can also get a password manager that's local to your computer, which passwords will be saved on your computer. So, either in the cloud or on your computer, either one is going to be in an environment where you have all your passwords behind that master password, which will be very long you know, when we talked about the sentences, the past phrases, make it very, very difficult to guess. And, and then you have your passwords there and hopefully makes your life easier. And also, you know, some of them will actually have alerts and say, this password was in a breach. I've seen those before with password managers. And because they have your passwords, they'll say with this password was, was found in a data breach, make sure you change it.
Okay, so we've so we've, we've established essentially, and again, I feel like I keep needing to reiterate this, this is all just, we could go into a 40-minute conversation just on passwords. I mean, there are so many different things to consider and things you can know. But that's the general, the general overview that I think that we wanted to make, make sure that we touched on today. I do want to take some time to talk about, what are some some of the other cybersecurity practices that people should be following regularly when it comes to their, their smartphones and their, their, their, their laptop, computers, things like that?
So, one that I'd like to add on the kind of goes along with passwords is this idea, if any of the listeners have ever heard or seen this acronym, MFA, or 2-FA you may have seen, it stands for multi factor authentication, or two factor authentication. And even if you haven't heard of that, you've probably used it whenever you go to sign into your bank's website, and they send you a text message. And you have to enter that code as a second thing to be able to log in. So, while a lot of people might say that's annoying, I hate that it takes 10 more seconds now to log into my stuff, that is one of the best things that you can do to protect yourself online. If a website allows you to set up or turn on MFA, you should do it. And the reason we tell people to you know, take that extra 10 seconds is because in the cybersecurity world, we always tell people assume your password has been stolen. You know, passwords have been around for decades, hackers are good at getting them, like we've already talked about, social engineering and all these other things, you should be living your life, assuming that hackers have your password for everything. So, what does that mean? Well, that means they can access everything, right, your email, your bank, whatever. So, if we're assuming that they have our passwords, and they can access our stuff, what can we do to make sure that they can't access our stuff? And MFA is one of the best ways to do that, because if they have your password, what don't they have? They don't have your physical cell phone, that you're getting that text message on, or that you're opening up Google Authenticator and getting that randomly generated six-digit code. So, they don't have your physical device, that second factor of authentication. So, if you turn that on, that is a great way to prevent bad guys from getting into your accounts. And we can go down that rabbit hole with you know, other attacks that can happen with MFA. But, you know, that's always suggestion number one, turn that on, if you have the ability to turn it on. And, you know, most financial institutions will force that to be turned on or you don't have a choice, but some don't, and some other websites that maybe aren't financial institutions, don't turn it on by default. But if you go into the settings, and you look, and it's available, turn it on, for everything, you know, every account I have has that turned on, you should see my list in my authenticator app of all the different codes I have. It's crazy, but it's necessary. It's one of our only protections, you know, against the bad guys who we know are going to get our passwords somehow.
From what I've seen, too, there are now companies that are sort of experimenting and password managers that are experimenting with the idea of not using the password at all. Like you put in your username, and the only way to gain access to that account is for them to you, you put that username in, and it says okay, we've sent a link to your app on your phone, we've sent a text message, you have to respond to that, or you just can't get in.
Yeah, we are starting to see some websites try to move away from passwords, and you know, passwords have been around a long time. Eventually, we'll see the end of passwords, we'll see other authentication methods, but it's not going to be in the near future. Like, as Kevin mentioned, it's so important to have those, those extra protective measures, multifactor authentication. You know, another one is, you know, you want to assume your information has been at a data breach, you can actually check to see if it has been there's a great website, it's called have I been poned. Okay, and then in cybersecurity, we like to spell words wrong, and we like to use acronyms. So it's haveIbeen, b-e-e-n, and then pwned, okay. You can go to that website, and you can put your email address in and you can actually see if you've been in data breaches. It'll say, you've been in data breach, and it'll give you that information so you can find out for sure. And we can probably provide a link in the show. I actually, I believe it's haveIbeen pwnd. Okay,
we'll make sure we put it in the description. Yeah, but it's
free service, you can put your email address in, or you can actually put any anybody's email address and, and see if they've been in a data breach.
Yeah, well, we'll put it in, we'll put that in the description of the show. It is a link, you can click on or copy and paste, the link.
We'll email you the link.
That's, it's a slippery slope, you know, you really it really is, you know, it's a slippery slope to tell people, you know, to make absolute statements of don't do this. And then, well, how else am I gonna get you this information? Right. So now that we'll definitely put that in the description of this episode. Some other things too, that I just wanted to get your, get your take on things like keeping your operating system up to date. You know, right now, as we're recording this, Apple has just released their latest iOS version. And if tradition holds true, in about a week, there will be a point one version of that, that comes out. Because there's some sort of a security issue or some other kind of fix that has to go in. How important is it to keep your windows up to date, your, your smartphone up to date, things like that? And for some people that aren't technologically savvy, how easy is that to do?
It's absolutely critical. I mean, and it's another, I feel like I'm, you know, a broken record. Because every time I talk about something, I say, well, this is something that everybody hates, because it takes 10 extra seconds. Yeah, doing those updates, you know, whenever you see on your Windows machine, that little pop up that, you know, once a month, Microsoft, we've given it the name Patch Tuesday, because the second Tuesday of every month, Microsoft releases all of their updates that you should be installing. And you know what, why should we do that on our phones on our computers? It's because these companies are finding vulnerabilities that hackers have taken advantage of. And they know that if we don't fix these, your computer or your phone now has a hole in it, that hackers know about that they can break in and steal your data. So yes, clicking that button to update your machine, you know, once a month, it is going to take five to 10 minutes for those updates to install, your computer to reboot, it's going to be a hassle. But again, it's just one of those easy things we can do to make sure that we are protected, and our data isn't at risk. Okay.
Right, for the security updates, yeah, it is a bit of a hassle for us. It's also a bit of a hassle for the companies. Microsoft doesn't want to have to come up with patches all the time. It's expensive to them. What it means is every time there's a security patch, that means there was a vulnerability found, not just for Windows or Mac OS, but any of the applications you have on your phone. You'll see they're constantly hey, there's a new update, you always want to have the most recent updates, because you run into a situation where if you have an older one, well once the vulnerability is exposed, attackers are like, you ever, you ever go down to the water in the lake and throw some food in and all the fish come? That's what the attackers look like. That's what we're going for is that vulnerability. You know, we saw just a couple weeks ago, defense contractor in the UK that makes fencing for military bases. They were breached because they were still running Windows 7, Windows 7, went end of life back in 2020, January 2020. So, so anybody listening, if you are still running Windows 7, you want to make sure you upgrade to Windows 10 or Windows 11. Because windows 7 is not, they don't have any security patches, any vulnerabilities found can be actively exploited and are being actively exploited by attackers. So, it's just as simple as bumping that up. It's,
so wait, I don't want to do that because I don't want to pay Microsoft money.
Exactly. Right. Yeah, exactly. But a lot of times you can get a free upgrade. But in the case where you have a very old computer, if you do have to pay for it, great investment, it much better to have the most recent operating system then lose 1000s of dollars and hours and hours of your time. You know, we talk about MFA, you know, Kevin mentioned an extra 10 seconds. It's so aggravating, you know, in our fast-paced lives, 10 seconds is an eternity. But we think about it, do I want to be on hold with the bank for hours or sitting there dealing with a cybersecurity event or incident? That's a lot of time, that's a real hassle, that 10 seconds becomes well I wish I would have done that. And
and honestly speaking from experience when, when we're dealing with identity theft, hours, cleaning it up is a, is a really, really good scenario. You're normally talking days, weeks, depending on, on the severity, it can drag on for quite some time it can involve litigation. There is a lot that comes from having your identity stolen that, that is I agree, Mike, you'll want to spend the 10 seconds.
What's the phrase, an ounce of prevention is worth a pound of cure? Yeah, that sounds like it would be apropos in the situation.
Yeah, absolutely. So based on what we've talked about today, some of the key takeaways that people should probably have and maybe a few resources that where they can go beyond the one that we're already putting in the description to try to find some good resources on, on cybersecurity prevention and things like that.
So, if I was to pick, you know, one, one take, or let's pick two takeaways, because I can't narrow it down to one, stop clicking on things and emails, and enable MFA. You know, if there were two things, I would say from this show that you want to go out and do right now, do those two things that will probably pay dividends in the future.
Another one is awareness. You know, I hear this so often from small businesses and individuals as well, oh, I'm just a small business. I'm just one person, no one's coming after me. If you are on the internet, if you have an email address, if you have access to an application, you are a potential target, by what's called an opportunistic attacker, somebody who's just looking for that low hanging fruit. So, you are a potential victim. Even if you're a small business, even if you're just an individual, attackers will find those scenarios that find your password in a password dump. So, awareness is important to understand, yes you could be a potential victim, the positive is there are things you can do. Like I've mentioned, stop clicking on links. You know, if you have a link in your email, that healthy skepticism, do I really want to click on this? Do I need to click on this? It says it's from Amazon, let me just go to the browser and type in amazon.com and go in that way. And see, does that match up with the reality of what this email says.
And there's, there are a lot of places online that offer free cybersecurity awareness, I don't want to call them courses, but videos that you could watch. I mean, even the Department of Defense, you know, we're not necessarily talking to federal contractors, you know, who are listening to the show, but their cybersecurity awareness training video is free that anybody can sign up and take it. And it covers the basics of pretty much everything we've been talking about. Yeah. So, you know, if you wanted a really good resource to go and learn the basics of what to look out for, you know, just do a Google search for Department of Defense, a cybersecurity awareness, and you'll find their website and be able to watch their course.
I can speak from my own side and say that there is the National Cybersecurity Alliance, stay safe online.org, where you can go, and you can get a lot of really great free information about cybersecurity and information security and things like that. And we'll put, again, a lot of these things in the description for you to find the, there is information on the AmeriServ website. If you go to ameriserv.com/fraud, we have a lot of great information, links out there that you can find that will, you know, be able to, to hopefully help you through some of this information as well. So yeah, gentleman, I mean, I really, really appreciate your time today, going through some of this stuff. And again, really looking forward to talking with you in future episodes to really delve into some of the stuff that we talked about today in more detail, because believe it or not, there is more detail. There is so much more detail. We, it may seem overwhelming, and we seem to have gotten into some, some weeds, but believe it or not, there are more things to talk about. Different types of, of malware and different terminology that's used, I think that we could probably do a significant conversation just on some of this some of these terms that we've tried to identify a little bit throughout our conversation today that are thrown around by people that maybe assume that you know what they are, but maybe you don't. Any final thoughts before we, before we wrap things up?
No, not really, stop clicking on links.
You know, I would say ask questions, reach out to us. We are always happy to engage with you any questions, you want to reach out and say, hey, I had a specific question. I'd be glad to answer it on a future show.
That'd be great. So, with that, I think that we'll wrap this particular episode up and I thank you both very much. And we'll talk again in a future time.
All right, thanks a lot, man great.
This podcast focuses on having valuable conversations on various topics related to banking and financial health. The podcast is grounded in having open conversations with professionals and experts with the goal of helping to take some of the mystery out of financial and related topics, as learning about financial products and services can help you make more informed financial decisions. Please keep in mind that the information contained within this podcast and any resources available for download from our website or other resources relating to bank chats, is not intended, and should not be understood, or interpreted to be, financial advice. The host, guests, and production staff of bank chats expressly recommend that you seek advice from a trusted financial professional before making financial decisions. The host of Bank Chats is not an attorney, accountant, or financial advisor, and the program is simply intended as one source of information. The podcast is not a substitute for a financial professional who is aware of the facts and circumstances of your individual situation.
Our thanks once again to Kevin Slonka and Michael Zambotti from Saint Francis University for joining us today. We opened the episode with a fast fact that 19 out of 20 or 95% of cyber-attacks are a result of human error. That statistic should not make anyone feel badly about having been a victim. We all make mistakes. But this statistic is actually great news, because it means that we can make a significant impact on reducing cybercrime through education. And that has been our goal today. Don't forget that links to websites and other educational materials discussed in our conversation today can be found in this episode's description. Please make sure to like, follow, and subscribe to the podcast to make sure you don't miss any additional episodes on cybersecurity, or our other discussions on topics related to banking and financial wellbeing. AmeriServ Presents: Bank Chats is produced and distributed by AmeriServ Financial Incorporated. Music by Rattlesnake, Millo, and Andrey Kalitkin. Production assistance by Jeffrey Matevish. Previous episodes can be found by visiting ameriserv.com/bankchats, or on your favorite podcast service. For now, I'm Drew Thomas, so long.
Comment via Text Message
Leave a Comment on Our Website
In honor of Cybersecurity Awareness Month, this Bank Chats episode features two experts on the subject, Kevin Slonka and Michael Zambotti, from Saint Francis University, in Loretto, Pennsylvania. The high-level conversation on cybersecurity in this episode includes topics such as defining cybersecurity, various scams (email, invoice, and spoofing scams), creating a strong password, password managers, and much more.
Related Materials:
https://haveibeenpwned.com/
Fraud Overview
Credits:
An AmeriServ Financial, Inc. Production
Music by Rattlesnake, Millo, and Andrey Kalitkin
Hosted by Drew Thomas
Cybersecurity 101
View VideoDISCLAIMER
This podcast focuses on having valuable conversations on various topics related to banking and financial health. The podcast is grounded in having open conversations with professionals and experts, with the goal of helping to take some of the mystery out of financial and related topics; as learning about financial products and services can help you make more informed financial decisions. Please keep in mind that the information contained within this podcast, and any resources available for download from our website or other resources relating to Bank Chats is not intended, and should not be understood or interpreted to be, financial advice. The host, guests, and production staff of Bank Chats expressly recommend that you seek advice from a trusted financial professional before making financial decisions. The host of Bank Chats is not an attorney, accountant, or financial advisor, and the program is simply intended as one source of information. The podcast is not a substitute for a financial professional who is aware of the facts and circumstances of your individual situation. AmeriServ Presents: Bank Chats is produced and distributed by AmeriServ Financial, Incorporated.