Destiny White and Rod Griffin are hosting Credit Chat Live with special guest Brian Stack. They discuss Identity Theft Awareness 101 and the dark web. The dark web is a marketplace where personal information is bought and sold. There are five groups involved in supplying data on the dark web: script kiddies, nation-states, anarchists, hackers hired by organized crime, and disgruntled employees. Dark web data can be used for identity theft and fraud through social engineering attacks or direct attacks on databases. The dark web makes up a small portion of the internet compared to the surface web and the deep web. AI and machine learning are being leveraged to do harm, such as deepfake scams and voice cloning. Experian is cautious about using these technologies and is investing in generative AI while ensuring thorough testing.
I'm your co-host, Destiny White, and I'm so excited to guide you through this new chapter of Credit Chat Live. Let's get into the episode. Welcome, everybody, to Credit Chat Live. I am your co-host, Destiny White, and I'm so happy to be joined by my co-host, Rod Griffin. Rod is our Senior Director of Consumer Education and Advocacy, so it's a really special treat to have him on. We have our special guest, Brian Stack, who is the Vice President of Engineering and Dark Web Intelligence. I'm just so happy to have you, Brian, and we are going to be uncovering Identity Theft Awareness 101. Brian, thank you so much for joining us. Thank you for having me.
What I wanted to add is, you know, I'm lucky enough to have a global team, so we have dark web analysts around the world in an operational rhythm where basically we have human intelligence looking on the dark web, trying to protect consumers 24 hours a day, pretty much seven days a week, 365 days a year. That's absolutely awesome, and Rod, I'm so happy to have you here as my co-host today. Brian, just to kick off the conversation, would you be able to give us a brief overview of what exactly the dark web is, and how can it be used? So there's two ways to view the dark web. There's kind of a classic and liberal definition, right? And so the classic definition, when people think of the dark web, is, you know, a very scary place on the Internet. You need special software, and you have to be a hacker to get access to it, and they're selling, you know, guns and drugs, and all that's true, all that's true. But at Experian, we kind of open up the aperture and take a little bit more of a liberal view of the dark web. Basically for us, the dark web is any part, whether it be the classic dark web or the Internet overall, where people are selling personal information online. And so we go into places like Telegram and Discord and Facebook Messenger, any site, whether it be a website, a messaging app, where people are actually trying to sell personal information. 
At the end of the day, when you think of, quote-unquote, the liberal definition of the dark web, really, again, it's a marketplace where people buy and sell personal information, credit cards, driver's license, passports, medical IDs, any type of information that can be monetized and resold. There's pretty much five groups I always like to educate people on that make up the suppliers of data on the dark web. One is script kiddies, which you can think of them as a traditional kind of Hollywood hacker, the kid in the basement doing things, more or less, not really for money, but more just to disrupt things. Then there's the nation-states, right? They're doing it, sometimes it's to fund some of their operations, but often it's for some type of political gain or to make a political statement. Then there's anarchists, there's hackers, which are usually hired through organized crime. That is where, in terms of selling and buying information, organized crime across the globe in multiple different nations, that is where we've seen the most operationalization of the dark web, where it has become, in a sense, a business. Then there's the fifth group that often people forget, is disgruntled employees. There are websites on the dark web that are actively pursuing people who are in key positions of data, whether it be in HR or in finance, where you could take payroll information or intellectual property and post it on the dark web and potentially get paid by some of these nefarious characters. How this data is ultimately used for identity theft and fraud is it boils usually down to some type of social engineering attack on an individual, or the information can be used to try to directly attack a specific data center or server of a business and try to exfiltrate an entire database. 
The dark web is where bad actors live, but there's also, and you and I have talked in the past, and one of the things that was interesting to me was, for most of us, we're interacting on the internet, and we think, it's huge, it's where everything is. How does the dark web compare in size to where most of us are interacting, with social media and those sorts of things? I think it's a really interesting... Often there's an illustration that's floated around for a few years that shows the internet as an iceberg, and the tip of the iceberg is the, quote-unquote, surface web. These are YouTube and Google and your favorite websites that you go to for news and sports. That makes up maybe 10% of the internet. Then there's a big chunk known as the deep web. Often people conflate deep web with the dark web. The deep web is not the dark web. The deep web is anywhere that needs, where you need special credentials to get access to. Think about getting access through your doctor or your dentist, their websites, or Experian's network, or whatever company you work for, their network. Everything there is all deep web. And then the dark web, and that makes up pretty much, you know, probably 85%, 90%. And then the classic dark web is really like 3% to 4% when people think about it, when you think about the total internet in terms of web pages and blogs and the such. So we really, most of us don't experience 90% of what happens in the internet or in the worldwide web. So it's fascinating that we are unaware of a lot of what happens and where things occur. And probably for the better, because we don't know how to get there, and it's probably better that most of us don't know how to get to the dark web and don't want to. So try not to stumble into there either. So thinking about the technologies and things that are out there today, we are all talking about artificial intelligence and AI. What are you seeing in terms of how AI or machine learning are being leveraged to do harm? 
And how are we using it at Experian and others who are, you know, working to protect against and fight against those who would do harm? How are we using those tools and why are they important to us? And, you know, what are we seeing there? Yeah, it's a great question and a really complicated one. But for the audience, I'll try to boil it down and illustrate it based on two recent news stories. So first, there was a company out of Hong Kong that ended up paying around 25 million US dollars due to a deepfake video call scam. So according to the police report, this happened in the end of January, and a clerk at this company received a video conference call that she jumped on, and the individuals within the video conference looked like people that she works with who were in a higher position. The fraudsters invited her onto this conference call and then convinced her to transfer some money from, obviously, the company's bank account into these other accounts. The threat actors used a combination of AI voice cloning and AI deepfake software to basically simulate some of the faces of people she knew, and they were able to pull this off. So very complicated, very sophisticated, but they were able to get a $25 million payday. Something maybe a little more unnerving, but much cheaper. So there was a mom in Arizona, she gets a phone call from an unknown number, she picks up. And she hears on the other line, Mom, I messed up, from a girl who's visibly screaming and scared. The voice sounded just like her daughter. The inflection, everything about it. Immediately, a man comes on and says, Listen, here, I have your daughter. Don't call the police. If you try to involve anyone else, I'm going to drug this person, do bad things, and ship them out of the United States. You'll never see them again. So there was a chaotic few minutes with this mom. And there was a $1 million ransom. 
Thankfully, she was around other people, and they were able to try to call to verify, Wait, no, your daughter, we just talked to her, she's fine. So this was pulled off, again, with AI voice cloning. With just a few seconds of her daughter's voice from online social posts, they were able to complete a conversation that was able to convince her mother that she was kidnapped. So this is where these technologies, I think, are going to start to spring up more and more, both on a direct-to-consumer level, and also in terms of corporations looking for more sophisticated threat actors looking for big paydays. In terms of, you know, we're at Experian, we are obviously heavily looking at this technology. We're looking at generative AI, we are making some internal investments. We're being very cautious in terms of, you know, how could this technology be used? Because at the end of the day, a lot of this technology is still not refined. Meaning, you build a chatbot, you say, okay, we have a chatbot we're going to give to a consumer. You have to really do a lot of testing around it. And what makes generative AI tricky from a technology point of view compared to other technologies is it's non-deterministic. Meaning, when I write a piece of software, traditionally, I can test it. If I run three test cases, I know what the output's going to be. And I can say, yep, there is output A, B, and C, and it's always the same. With generative AI, it's non-deterministic. A lot of these models, you can ask it three times, you know, why did my credit score go up? And you could get three potentially different answers. So, this is where it becomes very tricky and we have to be very prudent and cautious as we roll out and leverage any of this technology for prevention or to empower consumers and businesses. Wow. And it goes back to some extent, too. For years, we've said when we're looking at how do we help protect people, it's about information. And clearly, that's Experian's business. 
We're not just a credit bureau. We are an information services company and one of the world's largest. And we use information to help people have better financial outcomes. And we use information to help protect people and businesses from attacks. And we've said for years that identity thieves, hackers are looking for information to use it nefariously. And we need the same information to be able to identify when it's being potentially misused or being attacked. Do you see AI being a significant part of that? Do we need AI to fight AI in some ways? In some ways, I think businesses will start to leverage AI to fight AI in terms of phishing attacks on the companies. There's a lot of really impressive technology that exists to make sure you don't get a spam email or something that looks nefarious. And so, I think there will be more and more techniques that are AI generated to try to fight some of this stuff. At the end of the day, a lot of it, whether it be direct to consumer or B2B, it is about getting the data, building models, and building intelligence. Not necessarily AI-based intelligence, but just traditional machine learning models that we've been building for years to better inform people to make better decisions. At the end of the day, we are a data company, but I think, and a few executives have said this, we're a decisioning company. We try to have people, whether it be businesses or consumers, give them the right signals and information to make better decisions. My team specifically, and I don't want to steal any thunder from our product team, but we are working on some models and some new features leveraging dark web data, leveraging more fraud data, leveraging data potentially from phishing attacks or ransomware, and trying to boil that down into something that's consumable for consumers. Say, hey, based on all these crazy signals, here's what we think you should do with your password or with your current footprint. Maybe your footprint is just too big. 
Maybe remove some emails, change your email accounts, sign up for different services based on where we see maybe a greater footprint of a threat for you as an individual. So really about giving people information and tools to minimize their risk and to manage it. Yes. Like I said, building features for mom. We've got to build these features, these very complicated technology, very complicated pieces of data, and being able to message it in such a way that moms can make good decisions on, should I be shopping on this website or maybe I shouldn't because every time I shop there, my credit card number gets stolen. Those are the types of decisions we want to be able to have our consumers make. I love that. I love that. That definitely ties into helping consumers to spot these red flags early on. It's very, very important. With all that being said, how can financial education aid consumers in spotting these red flags on their own as well? Financial education definitely is key. We all have really busy lives. Aside from maybe myself and a few other people in my group, probably identity theft and getting educated on identity theft is not in the top 10 or the top 100 of things people do every day. So we've really got to provide people advice that allows them to be smart and efficient. So things like looking for random small charges on your credit card. Just check your credit cards once a month. Look at anything that looks like a small random charge. Those are always telling signs that someone may be trying to leverage and steal your information. Unfamiliar accounts on your credit report. You get a free credit report once a year. Our products you can sign up for. You can pull it multiple times a year. If you don't receive mail over the course of a week, potentially your address information has been changed. This happened to a family member of mine. They received a letter from a company saying they were denied an application to one of the big retailers out there. 
And they just threw it away and said, oh, this is a mistake. That's not a mistake. Someone has your information. They're trying to open a loan up in your name. So some of that junk mail, you're like, that doesn't make sense. If you don't have time today, put it aside and try to look at it in the next few days. And then if you get an increase in spam emails or text messages, that's often a signal that your email or phone number probably has been part of a recent data breach. And Brian, you touched on, you mentioned social engineering earlier. And that's something that, from an education perspective, we can't know everything. But if we can know enough to know what we don't know and to trigger those responses, you know, the AI example you gave of the woman and her daughter, that's sort of the ultimate in social engineering. Or, you know, people on a video screen that you know who aren't them, who have their same voices. I mean, that's kind of hard to recognize. So I think that's going to be the sort of level of education about learn to be when to be suspicious and what triggers that thought. Even the best of us, people who are in the space, the technology is getting so good. And again, the one for an acting group that pulled off the $25 million one, you know, that was a lot of time and effort. But things are getting cheaper and easier and this technology will become more available to different threat actors. And so, yeah, you know, it isn't like back, you know, back five, 10 years ago, you see the email like that's clearly a fake email. Right now, things have gotten much more sophisticated, much more streamlined. And that's, you know, it's no longer necessarily from the Nigerian prince. It's still a matter of awareness. And I think that, you know, as we talk about, you know, being able to have enough knowledge to be aware and then couple that with the tools we try to innovate and bring the market help, then act on that. So, yeah, great points. 
I have a question about the example that you gave with just the deep fake videos, the conference call, the call from the daughter. Whenever consumers are receiving these emails, these calls, is it possible that these bad actors are using email addresses and phone numbers that are exactly the same as the people they're impersonating? I just want to clarify that and see if there's ways that we can spot red flags right then and there or if most of the time they're impersonating the exact addresses. Yes. So, email and phone spoofing, which is kind of what you're referring to, can be done. It's really pretty hard. So, generally, again, coming from an unknown number, the email will usually come from, again, it may look like whatever bank or Amazon, you know, an Amazon email, but the address itself, it will be slightly, slightly different. But, aside from phone numbers versus an unknown phone number, emails, very rarely do people actually check the email address. That's the tricky part. That's what I really want to highlight. For those listening who are ramping up their identity theft awareness, please watch out. Incorrect spellings, bad grammar, the smartest, the most adept individuals, anybody can be a victim. Yeah, and that kind of goes to the question, what do people do to protect themselves? What can, what steps can they take? What tools can they use to prevent the attack in the first place or recognize when it's happening? So, the first piece of advice that I always give just from a philosophical point of view is try to shrink your online presence whenever possible. Do you need that many accounts attached to, you know, the retail companies and merchants you use? Do you need that many credit cards? Do you need that many emails? Anything you can, anything you can do just to shrink your overall digital footprint is a good thing. Next is what I always, and I've been talking about this for several years, is the four P's. 
So, passwords, public Wi-Fi, patching, and protection software. So, for passwords, especially those tied to your financial institutions, definitely try to make them long. They don't have to be, this is a bit of a misnomer, they don't have to be super random. You don't need A, B, C, hashtag, pound sign. As long as they're very long, they can be somewhat easy to remember. Now, don't do something like, I'm a huge Star Wars fan, don't use pop culture references, but you can use long passwords that are easy to remember. You know, one of the techniques to do is think of something that doesn't exist. A pink bear doesn't exist. So, "I'm a fan of pink bears" actually would be a halfway decent long password, maybe with a hashtag at the end. Public Wi-Fi, again, never use it for anything related to financials. If you're going to stream Netflix, that, you know, go ahead. But still be aware public Wi-Fi is fairly susceptible to threat actors. Patching: both phones and operating systems have gotten better to automatically do this for you. Just make sure that when you do, an update does come up, Microsoft or Apple or whatever you're using, try to update it as soon as possible. Especially if it says, if you see the words zero day attack, definitely do it that day. Those are, that's a huge red flag. That means the, you know, the threat community, like the cybersecurity community, has discovered something that nobody has a patch for and they know the threat actors know about it. So, it's something that usually can be very damaging to companies and to individuals. And then protection software. So, obviously it's a great product. You can look at your dark web reports, you can monitor things like your social security number. There also are opportunities to put in emails and socials to pull some of this stuff for free on occasion. So, any type of protection software just to get a sense of your overall footprint. 
Some other pieces are separate financial accounts or non-financial accounts for your email and phone number. So, maybe have an email and phone just for your financials and one for not. So, again, if you're, you know, using, because often people will use the same email and password together, and so if, I don't know, some, you know, if you're trying to file or locking it at all three credit bureaus unless you're about to buy a home or something significant. Use two-factor authentication, especially on your financial accounts, if it offers it. It is a bit of a... What do you think about password management software or tools? So, I mean, I do use some password managers. I know it can be cumbersome for most consumers, right? And so that's why I do stress, try to lower your overall digital footprint, separate out your financial and non-financial management managers are great, some of them have been hacked themselves over the years, and I don't want to name any names, but it's one of those things where just doing that alone doesn't necessarily mean you can just, not that you're safe from identity theft. Doesn't stop someone from stealing a computer or breaching a database or stealing your mail. So it's a tool in the toolbox, and one of the ones that I know someone can't pickpocket you while you're traveling, they can't get into your backpack. So it's a small investment, but it goes a long way. Very smart. I love that line. It's extremely foggy, but where do you think are the things that are on the horizon that we're looking at that could be interesting and are developing? What's out there? And I know the commercial products are saying we have controls in place so people can't use it to create hacks or exploit systems. The technology itself is going to be controlled by Microsoft or in nation states, and so part of that, part of that means they try to become operationally efficient. So they're looking at the data, they look at how their attacks performed, who clicked, who didn't click, why didn't they click. So I think 
things around geo calibrated phishing attacks are going to be more effective