Brian Stack, Vice President of Engineering and Dark Web Intelligence at Experian, explains that the dark web is a marketplace where personal information is bought and sold. He identifies five groups that supply data to the dark web: script kiddies, nation states, anarchists, hackers hired by organized crime, and disgruntled employees. Stack also discusses how that data is used for identity theft and fraud, and highlights the role of AI and machine learning both in attacks and in protecting against them. He gives examples of a deepfake video call scam and of AI voice cloning used to deceive individuals, and notes that Experian is cautious in deploying generative AI because its output is non-deterministic.

Welcome, everybody, to Credit Chat Live. I am your co-host, Destiny White, and I'm so happy to be joined by my co-host, Rod Griffin. Rod is our Senior Director of Consumer Education and Advocacy, so it's a really special treat to have him on. We have our special guest, Brian Stack, who is the Vice President of Engineering and Dark Web Intelligence. I'm just so happy to have you, Brian, and we are going to be uncovering Identity Theft Awareness 101. Brian, do you have anything that you want to add just about your background and your time at Experian, because you've been here a wonderful two decades? Well, thanks, Destiny and Rod, for taking the time out and allowing me to be a guest on the show. I'm definitely looking forward to the conversation today. Yeah, the only thing I would add is, you know, I'm lucky enough to have a global team, so we have dark web analysts around the world in an operational rhythm where basically we have human intelligence looking on the dark web trying to protect consumers 24 hours a day, pretty much seven days a week, 365 days a year. That's absolutely awesome, and Rod, I'm so happy to have you here as my co-host today.
Brian, just to kick off the conversation, would you be able to give us a brief overview of what exactly the dark web is and how it can be used? So there's two ways to view the dark web. There's kind of a classic and a liberal definition, right? And so the classic definition, when people think of the dark web, is, you know, a very scary place on the internet. You need special software, and you have to be a hacker to get access to it, and they're selling, you know, guns and drugs, and all that's true. All that's true. But at Experian, we kind of open up the aperture and take a little bit more of a liberal view of the dark web. Basically for us, the dark web is any part, whether it be the classic dark web or the internet overall, where people are selling personal information online. And so we go into places like Telegram, and Discord, and Facebook Messenger, any app, any site, whether it be a website or a messaging app, where people are actually trying to sell personal information. At the end of the day, when you think of, quote, unquote, the liberal definition of the dark web, really, again, it's a marketplace where people buy and sell personal information, credit cards, driver's licenses, passports, medical IDs, any type of information that can be monetized and resold. There are pretty much five groups that I would like to educate people on that make up the suppliers of data on the dark web. One is script kiddies, which you can think of as the traditional kind of Hollywood hacker, the kid in the basement doing things more or less not really for money, but more just to disrupt things. Then there's the nation states, right? They're doing it, sometimes it's to fund some of their operations, but often it's for some type of political gain or to make a political statement. Then there's anarchists, there's hackers, which are usually hired through organized crime.
And so that is where, in terms of selling and buying information, organized crime across the globe in multiple different nations, that is where we've seen the most operationalization of the dark web, where it has become, in a sense, a business. And then there's the fifth group that often people forget, which is disgruntled employees. There are websites on the dark web that are actively pursuing people who are in key positions of data, whether it be in HR or in finance, where you could take payroll information or intellectual property and post it on the dark web and potentially get paid by some of these nefarious characters. How this data is ultimately used for identity theft and fraud usually boils down to some type of social engineering attack on an individual, or the information can be used to try to directly attack a specific data center or server of a business and try to exfiltrate an entire database. So the dark web is where bad actors live, but there's also, and you and I have talked in the past, and one of the things that was interesting to me was, for most of us, we're interacting on the internet and we think it's huge, it's where everything is. How does the dark web compare in size to where most of us are interacting with social media and those sorts of things? So I think it's a really interesting… Often there's an illustration that's floated around for a few years that shows kind of the internet as an iceberg, and the tip of the iceberg is the quote-unquote surface web. So these are YouTube and Google and your favorite websites that you go to for news and sports. And that makes up, you know, maybe 10% of the internet. Then there's a big chunk known as the deep web. And often people conflate the deep web with the dark web. The deep web is not the dark web. The deep web is anywhere where you need special credentials to get access.
Think about getting access through your doctor, your dentist, right, their websites, or Experian's network, or whatever company you work for, their network. Everything there is all deep web. And then the dark web, and that makes up pretty much, you know, probably 85-90%. And then the classic dark web is really like 3-4% when people think about it, when you think about the total internet in terms of web pages and blogs and such. So we really, most of us don't experience 90% of what happens on the internet or on the worldwide web. Correct. So it's fascinating that we are unaware of a lot of, you know, what happens and where things occur. Exactly. And probably for the better, because we don't know how to get there. And it's probably better that most of us don't know how to get to the dark web and don't want to. So try not to stumble in there either. So thinking about the technologies and things that are out there today, we are all talking about artificial intelligence and AI. What are you seeing in terms of how AI or machine learning are being leveraged to do harm? And how are we using it, that is, Experian and others who are, you know, working to protect against and fight against those who would do harm, you know, how are we using those tools and why are they important to us? And, you know, what are we seeing there? Yeah, it's a great question and a really complicated one. But for the audience, I'll try to boil it down and illustrate it based on two recent news stories. So first, there was a company out of Hong Kong that ended up paying around 25 million US dollars due to a deepfake video call scam. So according to the police report, it happened at the end of January, and a clerk at this company received a video conference call that she jumped on, and the individuals within the video conference looked like people that she works with who were in a higher position.
The fraudsters invited her onto this conference call and then convinced her to transfer some money from, obviously, the company's bank account into these other accounts. The threat actors used a combination of AI voice cloning and AI deepfake software to basically simulate some of the faces of people she knew, and they were able to pull this off. So very complicated, very sophisticated, but they were able to get a $25 million payday. Something maybe a little more unnerving but much cheaper. So there was a mom in Arizona. She gets a phone call from an unknown number. She picks up. And she hears on the other line, "Mom, I messed up," from a girl who's visibly screaming and scared. The voice sounded just like her daughter. The inflection, everything about it. Immediately a man comes on and says, "Listen here, I have your daughter. Don't call the police. If you try to involve anyone else, I'm going to drug this person, do bad things, and ship them out of the United States. You'll never see them again." So there was a chaotic few minutes with this mom. And there was a $1 million ransom. Thankfully, she was around other people and they were able to try to call to verify: wait, no, your daughter, we just talked to her. She's fine. So this was pulled off again with AI voice cloning. With just a few seconds of her daughter's voice from online social posts, they were able to complete a conversation that was able to convince her mother that she was kidnapped. So this is where these technologies, I think, are going to start to spring up more and more, both on a direct consumer level and also in terms of corporations, with more sophisticated threat actors looking for big paydays. In terms of, you know, we're at Experian. We are obviously heavily looking at this technology. We're looking at generative AI. We are making some internal investments. We're being very cautious in terms of, you know, how could this technology be used?
Because at the end of the day, a lot of this technology is still not refined. Meaning you build a chatbot, you say, okay, we have a chatbot we're going to give to a consumer. You have to really do a lot of testing around it. And what makes generative AI tricky from a technology point of view compared to other technologies is it's non-deterministic. Meaning when I write a piece of software, traditionally, I can test it. If I run three test cases, I know what the output's going to be. And I can say, yep, there's output A, B, and C. And it's always the same. With generative AI, it's non-deterministic. A lot of these models, you can ask it three times, you know, why did my credit score go up? And you could get three potentially different answers. So this is where it becomes very tricky and we have to be very prudent and cautious as we roll out and leverage any of this technology for prevention or to empower consumers and businesses. Wow. And it goes back to some extent, too. For years, we've said when we're looking at how do we help protect people, it's about information. And clearly that's Experian's business. We're not just a credit bureau. We are an information services company and one of the world's largest. And we use information to help people have better financial outcomes. And we use information to help protect people and businesses from attacks. And we've said for years that identity thieves, hackers, are looking for information to use it nefariously. And we need the same information to be able to identify when it's being potentially misused or being attacked. Do you see AI being a significant part of that? I mean, do we need AI to fight AI in some ways? In some ways, I think businesses will start to leverage AI to fight AI in terms of phishing attacks on the companies, right? There's a lot of really impressive technology that exists to make sure you don't get a spam email or something that looks nefarious, right?
And so I think there will be more and more techniques that are AI generated to try to fight some of this stuff. At the end of the day, a lot of it, for whether it be direct-to-consumer or B2B, it is about getting the data, building models and building intelligence, not necessarily AI-based intelligence, but just traditional machine learning models that we've been building for years to better inform people to make better decisions. At the end of the day, we are a data company, but I think, and a few executives have said this, we're a decisioning company. We try to have people, whether it be businesses or consumers, give them the right signals and information to make better decisions. And so, yeah, my team specifically, and I don't want to steal any thunder from our product team, but we are working on some models and some new features leveraging dark web data, leveraging more fraud data, leveraging data potentially from phishing attacks or ransomware, and trying to boil that down into something that's consumable for a consumer to say, hey, based on all these crazy signals, here's what we think you should do with your password or with your current footprint. Maybe your footprint is just too big. Maybe remove some emails, change your email accounts, sign up for different services based on where we see maybe a greater footprint of a threat for you as an individual. Well, so really about giving people information and tools to minimize their risk and to manage it. Yes. Despite where this is. You know, like I said, building features for mom, right? We got to build these features, very complicated technology, very complicated pieces of data, and being able to message it in such a way that moms can make good decisions on, should I be shopping on this website? Or maybe I shouldn't because they seem to be every time I shop there, my credit card number gets stolen. Those are the types of decisions that we want to be able to have our consumers make. I love that. I love that. 
And that definitely ties into helping consumers to spot these red flags early on. And it's very, very important. And with all that being said, how can financial education aid consumers in spotting these red flags on their own as well? So financial education definitely is key, right? But we all have really busy lives. And aside from maybe myself and a few other people in my group, probably identity theft and getting educated on identity theft is not in the top 10 or the top 100 of things people do every day. So we've really got to provide people advice that allows them to be smart and efficient, right? So things like looking for random small charges on your credit card. Just check your credit cards once a month. Look at anything that looks like a small random charge. Those are always telling signs that someone may be trying to leverage and steal your information. Unfamiliar accounts on your credit report. You get a free credit report once a year. Our products you can sign up for and you can pull it multiple times a year. If you don't receive mail over the course of a week, potentially your address information has been changed. If you get, and this happened to a family member of mine, they received a letter from a company saying they were denied an application to one of the big retailers out there and they just threw it away. It's all, oh, this is a mistake. That's not a mistake. Someone has your information, they're trying to open a loan up in your name. So some of that junk mail, you're like, that doesn't make sense. If you don't have time today, put it aside and try to look at it in the next few days. And then if you get an increase in spam emails or text messages, that's often a signal that your email or phone number probably has been part of a recent data breach. And Brian, you touched on, you mentioned social engineering earlier. And that's something that, from an education perspective, we can't know everything. 
But if we can know enough to know what we don't know and to trigger those responses, the AI example you gave of the woman and her daughter, that's sort of the ultimate in social engineering. Or people on a video screen that you know who aren't them, who have their same voices. I mean, that's kind of hard to recognize. So I think that's going to be the sort of level of education, about learning when to be suspicious and what triggers that thought. And even the best of us, people who are in this space, the technology is getting so good. And again, the one threat actor group that pulled off the $25 million one, that was a lot of time and effort. But things are getting cheaper and easier. And this technology will become more available to different threat actors. And so, yeah, it isn't like back five, 10 years ago, you see the email, like that's clearly a fake email, right? Now things have gotten much more sophisticated, much more streamlined. And that's, it's no longer necessarily from the Nigerian prince. It's still a matter of awareness. And I think that, as we talk about, it's being able to have enough knowledge to be aware and then couple that with the tools we try to innovate and bring to the market to help them act on that. So yeah, great points. I have a question about the examples that you gave with the deepfake videos, the conference call, the call from the daughter. Whenever consumers are receiving these emails, these calls, is it possible that these bad actors are using email addresses and phone numbers that are exactly the same as the people they're impersonating? I just want to clarify that and see if there's ways that we can spot red flags right then and there, or if most of the time they're impersonating the exact addresses. Yes, so email and phone spoofing, which is kind of what you're referring to, can be done. It's really pretty hard. So generally, again, with the mother in Arizona, it came from an unknown number.
The email will usually come from, again, it may look like whatever bank or Amazon email, but the address itself, it will be slightly, slightly different. But aside from phone numbers versus an unknown phone number, very rarely do people actually check the email address. That's the tricky part. That's what I really want to highlight for those listening who are ramping up their identity theft awareness. Please watch out. Incorrect spelling, bad grammar, the smartest, the most adept individuals, anybody can be a victim. And that kind of goes to the question, what do people do to protect themselves? What steps can they take? What tools can they use to prevent the attack in the first place or recognize when it's happening? So the first piece of advice that I always give, just from a philosophical point of view, is try to shrink your online presence whenever possible. Do you need that many accounts attached to, you know, the retail companies and merchants you use? Do you need that many credit cards? Do you need that many emails? Anything you can do just to shrink your overall digital footprint is a good thing. Next is what I always, and I've been talking about this for several years, is the four Ps. So passwords, public Wi-Fi, patching, and protection software. So for passwords, especially those tied to your financial institutions, definitely try to make them long. They don't have to be, this is a bit of a misnomer. They don't have to be super random. You don't need A, B, C, hashtag, pound sign. As long as they're very long, they can be somewhat easy to remember. Now don't do something like, I'm a huge Star Wars fan, as your password, right? Don't use pop culture references, but you can use long passwords that are easy to remember. One of the techniques to do is think of something that doesn't exist. A pink bear doesn't exist. So, you know, I'm a fan of pink bears actually would be a halfway decent long password, maybe with a hashtag at the end. 
Public Wi-Fi, again, never use it for anything related to financials. If you're gonna stream Netflix or do something like that, you know, go ahead. But still be aware public Wi-Fi is fairly susceptible to threat actors. Patching, both phones and operating systems have gotten better at automatically doing this for you. Just make sure that when an update does come up, Microsoft or Apple, or whatever you're using, try to update it as soon as possible. Especially if it says, if you see the words zero-day attack, definitely do it that day. That's a huge red flag. That means the threat community, like the cybersecurity community, has discovered something that nobody has a patch for and they know the threat actors know about it. So it's something that usually can be very damaging to companies and to individuals. And then protection software. So obviously, I'm gonna promote Experian IdentityWorks. So it's a great product. You can look at your dark web reports, you can monitor things like your Social Security number. There also are opportunities to put in emails and socials to pull some of this stuff for free on occasion. So any type of protection software, just to get a sense of your overall, even if you just pull an initial report, just to get a sense of what your overall footprint is. Some other pieces of general advice on top of that: separate financial accounts or non-financial accounts for your email and phone number. So maybe have an email and phone just for your financials and one for not. So again, if you're using, because often people will use the same email and password together. And so if, I don't know, some merchant gets hacked and that same email is tied to your bank and that same password is tied to your bank, that's where you can get into trouble. I do recommend freezing your credit file or locking it at all three credit bureaus, unless obviously you're about to buy a home or something significant.
Use two-factor authentication, especially on your financial accounts. If it offers it, it is a bit of a pain when you have to log into your bank and get a text message plus your password. But stuff like that, you don't, you want to make it as hard as possible. Take the extra effort on those things as much as you can. A little inconvenience goes a long way. Correct. What do you think about password management software tools? So, I mean, I do use some password managers. I know it can be cumbersome for most consumers, right? And so that's why I do stress, try to lower your overall digital footprint separate out your financial and non-financial accounts in terms of the emails you use. And again, you can make them, as long as they're long, they can be easy to remember. So, again, password managers are great. Some of them have been hacked themselves over the years, and I don't want to name any names, but it's one of those things where just doing that alone doesn't necessarily mean you could just not think about it anymore. And that's the kind of the caveat that I always have about fraud and identity theft is, even freezing your credit file doesn't mean you should feel complacent. Doesn't mean that everything's protected. Doesn't mean that you're safe from identity theft. Doesn't stop someone from stealing a computer or breaching a database or stealing your mail. So, it's a tool in the toolbox. And one of the ones that I often expect people ask me when they're traveling, you know, what should I do? There's anti-theft backpacks that are out there. So, you know, some of the protection isn't necessarily just about technology and digital assets. Some of it's your behavior out in the world. So, there's some greats, and you can look on Amazon and others, anti-theft backpacks, so someone can't basically pickpocket you while you're traveling. They can't get into your backpack. So, it's, again, small investment, but it goes a long way. Very smart. I love it. 
Just implementing these habits into your day-to-day life could protect you, could save you from being a victim. Brian, really, thank you so much for touching on these topics. So, one or two more questions. So, thinking about how things are evolving so rapidly now, you know, you get to look in that crystal ball. If your crystal ball is like mine, it's extremely foggy. But what do you think? Are there things that are on the horizon that we're looking at that could be interesting and are developing? Or, you know, what's out there? So, I think three things that are... And so, let's say, if I'm going to be a... I'm going to, you know, put on my Nostradamus hat here. Obviously, AI bots like ChatGPT are going to be more and more in the hands of threat actors. And I know, you know, the commercial products are saying, well, we have controls in place, so people can't use it to, you know, create hacks or figure out ways to exploit systems. The technology itself isn't going to be controlled by Microsoft or controlled by Google. So, threat actors are going to have access to the technology and are going to leverage it, like we've already seen, again, in Hong Kong and with the mom in Arizona. This is a... This has become more and more of a business for organized crime and nation states. And so, part of that means they try to become operationally efficient. So, they're looking at the data. They look at how their attacks performed. Who clicked? Who didn't click? Why didn't they click? So, I think things around geo-calibrated phishing attacks. So, we talked about, hey, even the best of us can get tricked. What some of the threat actors are starting to learn is they're leaning more into human behavior. Again, I'm probably not going to click on a spam message at 1 p.m., but you know what? At 11 o'clock at night, if I'm expecting an Amazon package or something the next day for some... There's probably a much better...
So, they're starting to leverage more human psychology even more and more and trying to exploit people in their weakest points, which is, you know, you send a text message late at night or early in the morning, people just get up out of bed. They look at their phone. They start playing. They're kind of half asleep, half awake. That's a great time to try to hit somebody. And then the last piece, this doesn't get covered a lot, but there has been some research in this area around hacks on satellites. So, more and more of our everyday, whether it be, you know, our television and our technology, how we get streaming content, it interfaces with satellites. And so, I think satellites as assets that could potentially be attacked as a new threat landscape will become more commonplace amongst, I think, obviously, you know, the bigger threat actors in the space and nation states. Just expands. And so, we have to expand too. We have to make sure we're evolving and innovating. Yeah, and if you dig into some of the satellite technology, a lot of the operating systems and things that were built for these satellites that have been up there, some of them, you know, 10, 20 years, they weren't built with security measures in place. And so, if you kind of know the protocol and you can spend, you know, $10,000, $20,000 to get enough power to send a signal, they're pretty much as easy to hack as like websites from the early 90s at this point. Wow. That's very scary. And Brian, I wanted to see if you had one resource that people can use to stay up to date with these emerging trends in identity theft and fraud. Well, I mean, yeah, I mean, a few, for sure. One of them is obviously the Experian website and blog. We do have a great team of people who keep things up to date, both on our Experian blog and also the Twitter feeds, obviously, podcasts like this. 
Outside of Experian, so I'm just not promoting Experian, the FBI, FTC website, financial news, often, you know, will give you some key information. And anyone, you know, I'm not super active on Twitter, but I do post things on occasion that I think are important or critical. And occasionally, I do podcasts like this where we talk about important topics. So anyone, feel free to connect with me on Twitter at brianmstack. And it's always a good source of information where I try to float some advice from time to time. Thank you. Thank you so much, Brian. And thank you so much, Rod. It's great to have you on. And Rod, did you have any more questions for Brian as we wrap up the podcast today? Well, we could go on for hours, but I won't hold Brian any longer. It's always fascinating, always interesting, and I think so crucial and critical to everyone because there's good out there, immense amounts of good and positive, but there are always people who are trying to take advantage. And we want to help people have the knowledge they need. You know, as Brian said, you can't know everything, but if we can give them enough knowledge and they can retain, you know, just a few tips to trigger that thought, something's not right here. That's what we really want to do. And we very much want to help people protect themselves and make better financial decisions, better life decisions when it comes to being online and to protecting themselves. So glad to have Brian on. I always say that I could talk for hours with you, and it's just absolutely fascinating. And when it comes to AI, I don't know if the Terminator's name is Jasper yet, but who knows where that's going to lead. But it's going to be interesting to see what happens over the next months and years in terms of where technology goes, and it's going to be a fun ride to be on. Thanks for joining us, Brian. Certainly. Thanks for having me. Thank you so much.