Ep. 243: “Criminal Mind vs. Criminal Mind”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander

Trigger Warning: This episode contains brief mentions of childhood sex abuse. If you don’t want to hear those moments, you might want to skip this episode.

Beau: A former FBI profiler got scammed. He co-hosts a popular true crime podcast. He’s a former prosecutor. He’s not an easy target.

Jim Clemente: They understood that I had maybe an additional insight into these offenders and into victimology and how to investigate these cases.

Beau: His account was drained into a peer-to-peer finance app. It was kind of a data-related drive-by, and the kind that no one can dodge. Nobody. You can only react. That’s it. And his bank’s response, actually, speaking of reactions, they didn’t’ have the right reaction. They basically said it wasn’t their problem.

Jim Clemente: How am I supposed to protect myself from that?

Beau: You’re not. So, what does this have to do with Ted Kaczynski, also known as the Unabomber? Well, therein lies a tale. I’m Beau Friedlander, and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online? Jim Clemente is a former New York prosecutor, FBI undercover agent and profiler in the FBI’s Behavioral Analysis Unit. He was a technical advisor and then later a writer and a producer for the hit show Criminal Minds. He created and produced the television show Manhunt: Unabomber. These days he has a couple of projects going, including a podcast called Real Crime Profile, which he co-hosts with Laura Richards of Scotland Yard and fellow Criminal Minds alum Lisa Zambetti. Jim, I feel like I’m embarrassing you. You do a ton of stuff. I sorta hate to say it given the circumstances, but it is actually really great to finally have you on What the Hack.

Jim: It’s great to see you Beau.

Beau: So your work as a profiler goes way back and we have a little tiny bit of overlap ’cause you did a television series called Manhunt: Unabomber. It was an eight episode series that was on Discovery. What was your role in the Unabomber case?

Jim: I was one of the profilers who consulted on the investigation. Jim Fitzgerald took the lead in it, and he developed forensic linguistic profiling where he utilized it in the case to actually put together an affidavit that got us into Ted Kaczynski’s cabin. Before that, the judge did not believe there was enough probable cause to give us a search warrant for Ted Kaczynski because here he is just a, you know, basically a homeless guy in the middle of the woods and nobody thought he would be capable of doing 17 bombings over… more than 17 bombings over 17 years.

CLIP: The indictment came after Theodore Kaczynski had spent two months in a Montana jail, charged only with possessing bomb components. The Sacramento grand jury slapped Kaczynski with ten charges of transporting, mailing, and using explosives with intent to kill or injure.

Beau: Now our overlap is that after his arrest, I was at a publishing house and I had contacted him along with a flotilla of other people trying to get this story. And I was his publisher. He wanted to publish a book that explained that he wasn’t crazy and that he meant every last bit of what he did. Now, I think you can be crazy and mean every last bit of what you do. Both can be true.

Jim: Right. Absolutely. But apparently he saw a kindred spirit in you, because so many people he turned down, including Jim Fitzgerald. He had, he told Fitz that he would talk to him. Fitz drove all the way out there, and then when he got to the prison, he was told, ah, Mr. Kaczynski apologizes, but he’s busy today. And so he never got the interview.

Beau: So I’m interested in it for a number of reasons, but I sort of backed into this work that I do in cybersecurity and privacy through him.

Jim: Right.

Beau: There was an affinity when it came to what he was saying about the over-socialization of people and technology. And mind you, he said it years before social media actually started killing people.

Jim: I know there’s a resurgence of, you know, of that kind of ideology. People are sort of flocking to his ideology, but his methodology is what was incredibly bad. I mean, I got to interview, I think all of the surviving people who were injured by him, but also the family members who survived the people who were killed by him. And these, I mean, without exception, these were people who were doing amazing things, good things. Preserving trees, helping on the forefront of genetics, helping parents give better lives, provide better lives for their children. There were so many people; a guy who was in the Air Force who wanted to be an astronaut, and two weeks before he got his letter from NASA saying, we accepted you into the program, you’re gonna be an astronaut, he got his fingers blown off and one of his eyes destroyed. And of course, he was no longer eligible for the program, but that’s the sick thing is how he decided to address those issues as opposed to what should have been done.

Beau: If you’re familiar with all of the case work, which I am, and you are, you begin to see that it really does boil down to, “I decided I wanted to kill people.”

Jim: Yeah.

Beau: Now, but that’s not the case, you know? I don’t know how we went. I know we, that was overdue. I’ve known you for a while and, and we, you know, I…

Jim: And we hadn’t talked about it yet.

Beau: So was a long time coming and I’m glad that we did have that conversation. It’s not why we’re here today. So how did you get into this field? Did you start out as a kid wanting to become an FBI agent or get in, become a prosecutor? Like, how did it start for you?

Jim: Well, a couple of things. One, when I was a kid, I was very curious. I liked science. I asked for a telescope for Christmas, and then next year I asked for a microscope and an erector set. I thought I would like biology, but ended up being disgusted by what people look like on the inside. I’m so happy for skin. I’m so grateful for skin. So there was this, you know, desire to find things out and to explain things. And as I grew up, you know, I read the Hardy Boys Mysteries and so forth, and Sherlock Holmes and I said I really want to be a detective. Now, I went to college. That’s when I decided I was gonna go to law school. In that process, definitely fell in love with criminal law and became a prosecutor. But while I was a prosecutor, my brother calls me up and says we should go after the guy, at the camp, you know, the director of the camp when we were kids. And I said, why? And he said, because I snuck into his office once and I found three paper bags filled with Polaroid pictures of him molesting boys. And I said, I thought I was the only one. And so I went after him with the FBI and NYPD, Sexual Exploitation of Children Taskforce, wore a wire, locked him up, put him in jail. And after that case, the FBI agent who worked the case handed me an application to the FBI and I said, wow, you know, I never really thought about being an FBI agent. He said, but you said you really wanted to be a detective and FBI agents are just federal detectives. And that was a lightbulb moment. I was like, wow, that’s cool. And that encouraged me to put the application in. A year later, I was in the FBI.

Beau: So did you go and work for the FBI to work on that kind of case? You know-

Jim: Yes, they-

Beau: -Protect people like you?

Jim: Yeah, absolutely. I ended up working on the same squad that had just finished investigating my case, so it was something I hid from everyone in the prosecutor’s office. But now, I didn’t have to hide anymore. I literally was working with the people who had just helped me find some justice, and it was, they understood that I had maybe an additional insight into these offenders and into victimology and how to investigate these cases. So that’s what I did.

Beau: And that has proven true. I mean, you’re a profiler, but you’re not a psych- Are you a psychol- Do you have a degree in psychology?

Jim: No, I don’t have a degree in psychology. I’ve certainly taken a whole bunch of psychology courses in the undergrad and in the graduate level. In the FBI’s Behavioral Analysis Unit, it’s part of the National Center for the Analysis of Violent Crime. We actually study with world-renowned psychologists and psychiatrists on a one-to-one basis. It’s not a diploma program. It is a certification program for FBI profilers.

Beau: But profiling is, I mean, we’ll go back to the Unabomber for a second. ‘Cause a lot of people asked me, how did you get him to trust you?

Jim: Mm-hmm.

Beau: And it wasn’t because I was a criminal, ’cause I wasn’t. It was because I honestly, I read the manifesto and I read everything that I could find that had something to do with what actually came out of his mouth or his typewriter.

Jim: Mm-hmm.

Beau: And I wrote a letter that seemed like it would be the appropriate way to talk to someone like that.

Jim: Oh yeah. So you profiled him in your head and then used that to get access to him, and certainly that’s what we did as law enforcement officers.

Beau: I tried to get his vibe. I just tried to get his vibe. And then when I was like, okay, this guy probably likes precision, this guy probably doesn’t like any throat clearing whatsoever. He, you know, the statement is what is required. Anything more than the statement is going to lose you points. And he’s keeping score.

Jim: He was an injustice collector and certainly a, you know, I would say probably a vulnerable narcissist and he certainly harbored a tremendous amount of anger and rage and his-

Beau: Towards his folks. Actually, if you go back, like, ’cause I spoke to Quinn Denver about this as the prosecute- you know, his defender. And Quinn was like, Beau, you don’t understand what you’re walking into. And to be fair, I was 27 years old and he was right. But I had whatever, you know, that sixth sense was to understand how to talk to him. So I had access for a while until he finally did call and he said, if you think I can’t get to you from prison, you’re out of your mind.

Jim: Yeah. Wow. I didn’t know that.

Beau: And I was like, okay. Yeah, yeah, yeah. He did. He was mad at me. When I think about what happened between me and Ted Kaczynski, it was not like… I was not hacking him, but I was, and I think that’s probably a bit of what you do as a profiler. You’re kind of hacking an individual to understand how to get access.

Jim: Well, yeah, so there is, during the investigation when you’re trying to identify him through his behavior, right, you’re reverse-engineering the behavior to figure out what kind of person does this. And then there’s attempting to get him to interact with us so that he’s going to eventually leak out more and more and more information. And then there’s after the fact, getting him to, after he is convicted and sentenced, getting him to actually open up and talk to us. Those are things that we would do as a part of our normal operating procedure in the behavioral analysis unit, we were not able to do that last part. And you were, so good job.

Beau: No, but I had information you didn’t have. He had already been arrested. There was already his, there were interviews with David Kaczynski, his brother, and his sister-in-law. I don’t know if his mom, Wanda, ever said anything, but I know there was a lot of information out there and it was about a month old. So, no, I had a ton of information you didn’t have.

Jim: But what I’m saying is once we had the information, once he was convicted, we couldn’t get him to talk to us. Generally we can get serial offenders to talk to us so we can document their crimes and they go down in history and that feeds their ego enough to allow us in.

Beau: Yeah.

Jim: And to give us really really detailed explanations about what they were thinking at the time, how this whole thought process developed and so on and so forth.

Beau: So here’s the interesting thing though, is I want to segue here to this idea of hacking. Kaczynski was good at it. You are good at it. Kaczynski couldn’t be found for a long time because he didn’t exist. A homeless man living in the woods doesn’t have an address. They don’t have a subscription to TV Guide. They don’t have an electric bill. They don’t have… maybe he had an electric bill, but I don’t remember if he had electricity up there, but…

Jim: He did not.

Beau: Nope, nope. So completely not connected, in other words, doesn’t exist.

Jim: Right. He was so off the grid and he went so low-tech on us that all the traditional ways of investigating bombings, almost all of them, were completely thwarted. He carved the bombs out of wood. He picked up parts from a junkyard, a car junkyard, or from neighbor’s junkyards, wires and batteries. He peeled off the exterior of the batteries. He fabricated many of the things that generally we would go back and find out when and where they were purchased, and start narrowing down the number of people that were in the store at that time, purchasing those things. And eventually we were able to find, you know, all the other bombers that we found in those ways, but not him, because he was doing things and deliberately, for example, picking up hairs from a gas station restroom and putting them on inside one of his letters and, you know, you know, using, forensics against us. But those sophisticated moves, told Jim Fitzgerald that we’re not dealing with, you know, some dumb airplane mechanic like everybody was thinking at first. And we’re dealing with somebody who’s very sophisticated, very well-educated and is trying to pull the wall over our eyes.

Beau: But couldn’t be found. And my point here is that the couldn’t be found part is, I think there’s a lot of people in the world, including myself right now, that wish that were the case. That wish that, you know, when social media happened, I maybe had with… just been like, nah, I don’t think so. I don’t think I’m gonna do that. Or like, when podcasting became a thing, like maybe I’m not gonna put my voice print out there a thousand million times so anyone can imitate me. And my image and all the other things. Like, maybe that’s all kind of a bad idea. The cat’s out of the bag for all of us. Coming up, whether you live in the woods or the desert, you’re not off the hook. So, you know, you know how criminals work. You have a very, very finely tuned sense of the extremely nuanced ways that a criminal can achieve their goals. The reason you’re here today is, believe it or not, not to talk about the Unabomber, but because somebody figured out how to get to you. Now I happen to know you have a UFO in your front yard. Now it’s not a real UFO. I think it’s not, right?

Jim: Well, I’m not… I think I’m going to decline to answer that question.

Beau: You did work for the FBI. It is an open question, but, you know, so you, you live out in the desert. Fair enough? Fair?

Jim: Fair enough.

Beau: Okay. So you live out in the desert and, you know, you’ve been associated with some very big media projects. Criminal Minds is a huge, huge show. You’re findable, you’re knowable. Has anyone you’ve ever prosecuted, has that ever been an issue with anyone that you’ve ever been on the the right side of the law against?

Jim: Well, certainly while I was in the FBI, I stayed away from all social media, and it wasn’t until I retired and got more involved in entertainment and media and production and writing that I actually got more involved in it. And, I have not had any incidents with people that I’ve locked up. Fortunately, a lot of the people that I locked up are in forever. They’re not getting out, but certainly some of them have gotten out. Some of them have been deported or were on a hold for another jurisdiction when they got out. So those aren’t, I’m not too concerned about, but certainly, yeah, some bad people who did horrible things they’re out there. However, it’s very taboo for criminals to attack agents because they know that if you do that, the firestorm that you bring down on yourself is just tremendous. There will be no- not only no stone left unturned, but no prosecutive avenue left untapped. So everything will get thrown at you, and so generally that doesn’t happen. The agents who have been killed, especially in the last several decades, were killed by people who had lost their own desire to live and thought they would be better off not being around and taking an agent or two with them. So, but it rarely ever happens that somebody actually comes through and goes after an agent after they’ve been pursued and arrested and prosecuted.

Beau: That makes sense. And if you didn’t hear a very implicit threat there, then you weren’t listening. So because it does sound, it sounds like a…

Jim: It’s real.

Beau: It’s a real thing. Now your stuff is out there though, and you…

Jim: Yeah, I mean…

Beau: You recently had something happen to you, a scam that… it didn’t have anything to do with who you are. Did it?

Jim: I don’t believe so, but I do know that, you know, my assistant is a very sophisticated IT guy who really understands the vulnerability of our information data being out there. But you know, you have doctors and hospitals and dentists and pharmacies and, you know, general, you use Microsoft, you use Apple, whatever. Everybody, every major organization has been hacked at one point or another. And so they may get a piece of your information here and there and somewhere else. And so it becomes almost impossible to completely protect yourself because you, there are things, the DMV, the utility companies there, there are so many places in which-

Beau: Your fishing license. I mean, it can be anything, honestly.

Jim: I know. It can be. And it’s those agencies that aren’t protecting your information well enough. And so, you know, on the dark web, people sell this kind of information to random people. And if those people are able to find, you know, do a search, which is not too difficult, that they can put together pieces from different places and create an alternate persona using your information, alternate accounts. And basically, in my case, it was, you know, one of the payment apps that I paid somebody who worked for me through that app, somebody who helped me, you know, on construction project, and that linked my card to that account, and that ended up giving them access. They created, from what I’ve been able to piece together, they created a separate account using the same card, and then just in a matter of days, started making these charges. And you know, there’s a delay between when they actually do that and when it actually hits your bank. And all of a sudden all of these like 30 or 40 transactions hit my bank at the same time, and none of them were stopped by the bank, which really pissed me off. Because how many times have you been either traveling or even in your own town, going to three different stores in the same day and using the same card, and then the third time you try to use it, they block it because they thought it might be fraud? However, in this case, 30 or 40 transactions have been done and they don’t notify me until my account is overdrawn, completely cleaned it out, and that, that should have been something they caught.

Beau: The interesting thing that you just brought up is that the institution where you’re supposed to get remedied, right, has created operational signal disruption.

Jim: Yes.

Beau: You know, and, and then signal disruption if you’re in, you know, trying to protect information is super important. You know, like you don’t want your signal intercepted. Your signal was intercepted, you got taken for a ride. But the company that presided over that hijacking has created a systemic signal disruption so that when you want to say, here’s the clear signal, I got scammed. I need you to help me get my account back online.

Jim: Right.

Beau: That’s the direct signal.

Jim: And protected.

Beau: Oh, and we see that you got scammed. Cool. We’re going to get you back online. Now, that’s a pure signal, like, you know, a question asked and answered. They create a system where, I mean, it’s almost comical if it weren’t such a pain in the butt that you ask a question, it gets repeated by telephone five times, and by the time it gets back to you, it’s not what you asked.

Jim: Right.

Beau: It’s not what you asked. It’s something entirely different. Now let’s go back to like what actually happened. Did you have, on the credit card associated with this account, did you have transaction alerts turned on so that you get a text every time a charge is made on the card?

Jim: Yes. But the alerts are apparently associated with the account, and they switched the account. They made a different account with the same card, and so those alerts did not reach me.

Beau: What was the nature of the charges? What were they buying? Were they buying frozen turkeys? Were they buying guns?

Jim: All cash withdrawals. All cash transfers.

Beau: Really? Wow.

Jim: Every one of them. Yes. Every one of them. And that’s why I’m saying like, why did my bank not see that and immediately stop them?

Beau: Are these withdrawals or are these-

Jim: Cash transfers.

Beau: Cash transfers?

Jim: Yeah. Within that third-party app.

Beau: Yeah. Yeah, so within that third-party thing that you were using, you can do cash advances.

Jim: Yes. And what they did was, I’ve been explained that they had my information where they were able to create a new account that was linked to their bank account.

Beau: Oh, I got, I know what happened. So someone bought your debit card information off the dark web marketplace. That might not be how it happened, but I’m guessing that’s how it happened. So they had your card number, the expiration date, CCV, and they connected it to a new account on the same peer-to-peer money app. Here’s the thing about that. A lot of these peer-to-peer financial apps, their card verification at the linking stage is pretty weak. So they require the number, all the stuff that I just said, but there’s no other step that confirms the person linking the card actually owns it. Yep, so compare that to linking a banking account where you have to use Plaid for example. There’s a lot that goes into that. You have to sign in yourself, which if you’re smart has 2FA involved. So big difference. Really big difference. And I think the reason you didn’t get any alerts was very simple. Your card wasn’t actually being swiped anywhere. This was an ACH, right? This is what’s happening with these peer-to-peer apps. The payment processor is not seeing it as…there’s no merchant. It’s just an ACH transaction. Cash is moving. They’re just charging the account, so from their perspective, the bank’s perspective, nothing unusual happened. And unfortunately, your checking account got quietly drained because of that, and that’s…

Jim: How am I supposed to protect myself from that? I don’t even know.

Beau: You’re not.

Jim: You don’t get the notifications.

Beau: You’re not. I think that there was nothing you could have done. I think that they had information about your accounts from the dark web. And I think furthermore that if we scratch a little bit into your, I hate to say this, into your cyber hygiene, we’re gonna find a few behaviors that need to be upgraded.

Jim: Probably.

Beau: I think you got hit by somebody who knew what they were doing. How much money are we talking about?

Jim: Well, they got about 4,300 and… I think it was $4,334.42. Something like that.

Beau: Not to be too… Not to put too specific a twist on it, but yeah. So they got enough money that they might, you know, and they had no idea that there wasn’t $20,000 there or $50,000.

Jim: Right. They just kept spending until they couldn’t get any more out.

Beau: All right, so Jim, so was it, wait a second. Now I do want to clarify. Was it, it was a credit card or a debit card?

Jim: It was a debit card.

Beau: Okay. So you, I know by the way that you said that, ’cause ‘ve heard that micro-expressions aren’t real, but I beg to differ. Your micro-expressions suggest that you are aware that debit card is not the ideal thing to connect to…

Jim: Well, especially since the bank told me that that was risky behavior and that they’re considering it, my fault, because-

Beau: No, no, no, no. That’s, no, no, no, no, no. That’s garbage. That’s such a garbage response.

Jim: I know and I’m, it pissed me off and believe me, I let them know that.

Beau: I’m sure you did.

Jim: But literally they said, yeah, we just sent you a letter explaining that you took a… not extreme risk. They said some other word that wasn’t quite extreme. You took the risk of putting your debit card on this app and therefore we consider your business to be too risky. And they said, we are closing that account.

Beau: I hope that you challenge that, and I’m gonna tell you why. The famous example of this, Jim, is Zelle. There are a lot of scams on Zelle and Venmo and now, you know, when you go on those apps, they now have prominently like, are you sure you’re not falling for a scam? Are you positive? Like, who is this person? Why are you giving them money? Do you wanna make sure that that’s their phone number and email? They ask you a thousand questions. And you call him Bob, but are you sure this is Robert Bob? Like Bobby, that guy?

Jim: You’re right. They do.

Beau: They wanna know and now, but here’s the deal. First of all, I happen to know and with a little open source intelligence, so can you, dear listener, who the company was, and they have a limit of $500 liability that they will agree to and you should at least go after that. But that’s just like, to me, abusive behavior for them to say, well, because you did this thing, we’re not giving you, not only are we not giving you your money back, but we’re banning you from the- you’re no longer allowed on the island. Like, that’s bonkers.

Jim: It is bonkers. It really upset me and especially since the app was supposed to be a protection, right? It was not. I mean, that company, they’re saying, oh, we can’t go after the money because the charges came out of your account to this app, and the app is a third-money transfer.

Beau: That’s the trick. No, no, no. That’s, that’s the trick is that it’s-

Jim: And therefore we can’t, they don’t have the money, so we can’t go to them, and we can’t go through to where the money went to. We’re legally prohibited from doing that, and it just burns me up.

Beau: Of course, because, but it’s the same thing. I mean, given what you did at the FBI, you’ll know this one: Section 230, which it protected companies like Meta, Google, Facebook, Twitter. It protected them against things that were said on their platforms in the comments. So like somebody in the comments could say, here’s how you make a pipe bomb.

Jim: Right.

Beau: And Facebook could say, we didn’t publish that. We have no liability. We can’t control what people say. And it’s a similar kind of like absolute despicable tech bro point of view about liability. Like, “well, it’s not really our problem. ‘Cause see, we are just a, we’re just the wire between the two cups.”

Jim: We’re just a pass through. Yeah. We’re not really involved in it, and we don’t really investigate. They said, well, we don’t investigate who is behind those transactions, but we’ll cooperate with your bank. They’ll investigate it.

Beau: We don’t investigate. We annihilate.

Jim: Yeah, well, my bank says, no, no, no, no, no, no. We have turned it over to our, you know, investigative team, and they are only able to look at the entity that is listed in the transaction. We cannot go through that entity to the next level, the actual person who actually took the money. You can make a police complaint and they can do an investigation. And of course I know because I worked for the FBI that if this happened in my town, I could go to my town police and tell them, and they might make an attempt at investigating, but there’s no way this person or entity was in my town.

They might not be in my country or my continent or in my, you know, hemisphere. And so there’s no way that a local police agency is going to investigate that. And the FBI has benchmarks. If it’s not over a certain amount, they’re not gonna investigate it. They don’t have the resources to address every fraud, every cyber fraud that’s reported to IC3. And so I know that the amount that was stolen from me is not a significant amount compared to what they will actually investigate. So I’m basically outta luck there.

Beau: Well, that’s right. So, did you live at [BEEP]?

Jim: Do I have to say yes? Yes.

Beau: You don’t have to, but that’s you, right? That the-

Jim: What’s the purpose of you asking me that?

Beau: The purpose is ’cause there’s…because data online that breadcrumbs people and allows us to put together, you know, a semblance of understanding who someone is, it’s the same thing as reading a bunch of stuff by Kaczynski and kind of figuring out what his…

Jim: Reverse engineering it, yeah.

Beau: What he’s going to respond to, and these scams happen because you get reverse engineered. They just need a piece of you. And it sounds to me like it was a synthetic attack and you, they needed a piece of you. They needed your, in this case checking account. They had no idea what was gonna be in it, but I suspect they did know that there might be more than $10 in it. Because you are a successful podcaster. You worked on Criminal Minds, you’re a known entity, so probably some money. And that’s all it took. And it is part of the puzzle because these exposures are not just on the dark web. It’s a combination of things. And that’s kind of what I was trying to get at earlier when we were talking about the cat being out of the bag. Because once, you know, when you were at the FBI, you were probably relatively safe. This episode should be called an FBI profiler agrees with me that it’s important to think like the Unabomber, because when it comes to your, you know, protecting yourself online, you kind of have to. I mean, you kind of, and it does come to signal disruption. So the hairs that Kaczynski left in letters intentionally, that he picked up somewhere else that weren’t his, but that were going to be a beautiful DNA red herring to the FBI, those were signal disruptions. And the idea I think is quite sound that you want to create as many signal disruptions as possible. You know, it is become sort of Professor Moriarty versus Sherlock Holmes.

Jim: Right. And the bank is so good at the signal disruptions. And so I love that characterization of it because I wouldn’t have come up with that myself, but each one of those departments that I had to deal with, and there were seven of them refused to stay on the line to talk to the next level, right? So I had to start from zero with each person. And when I got there to the next thing, almost inevitably, they said, oh, well, you have to go back to that person and do this again, but then you have to go forward to this other person and do this. And you eventually get so frustrated with this process that you just want to give up on it. Look, I don’t have the time to spend another five hours on the phone today because I have work to do and I have a life to live. And I just can’t, I can’t keep pursuing this and arguing with people and saying, no, that’s not the case. “Oh, yeah. Look, this department made this determination, so you have to do this.”

Beau: Yeah, no, but you know, it’s signal disruption in the way that, you know, Muhammad Ali’s rope-a-dope strategy against George Foreman was signal disruption. Like, you want to hit me? Okay. Nope. Oops. Missed. Do it again. Oh wow. Looks like I’m tired, huh? Nope, you missed. That is kind of what they’re doing is rope-a-dope with you. You are gonna tire yourself out trying to get where you’re going now. Now, do I think it’s probably institutionalized? Yes. I personally think it’s institutionalized. Are they gonna sue me? Well, we haven’t said who they are, so, no. But the fact is it seems intentional. And, you know, Occam’s Razor says if it seems so, it probably is. The attack also seems like it’s related to your data being a few different places. And what it suggests is a few things like best practices are: obviously you know this one, don’t use your… your debit card provides less protection than a credit card. That’s it. That’s the bottom line. Now, I actually will tell you that a debit card does afford quite a bit of protection and I think you need to push back. I do think that for 40-some odd, 4,000-some odd dollars, it is worth pushing back. And, and I just, you know, also just think it’s a shame because not all of us have the good fortune of having a million dollars stolen from us so that the FBI will get involved.

Jim: Right.

Beau: We’ve had guests on the show who lost upwards of $600,000. They’re often older adults, often it’s retirement savings, often through Southeast Asian scam compounds. If you haven’t heard the episodes that we did on those scam compounds, they’re worth your time. Please go back and listen to them. I totally recommend them. The bottom line on recovery: it’s possible, especially with crypto, which is more traceable than people think. Erin West out in California has had real success clawing money back with her peeps. But by and large, gone is gone—unless your bank decides to honor the relationship. As for best practices, mine are a pain in the butt by design. The idea is to make your debit card basically, inert by default—locked unless you’re actually using it, locked again the moment you’re done using it. And I only use it at ATMs period, and when I’m using an ATM, I cover my fingers when I’m entering my PIN code. Yes, I do all that. The same principle applies to my SIM card in my phone. I have called my carrier and I let them know that I want extra protections so that my number can’t be transferred without my direct involvement. Friction is the point. The goal is to make yourself a bad target, just a pain in the butt, not an easy target.

Jim: All right.

Beau: It doesn’t exist for anything else. It exists for going to ATMs, period. And that is, I think, the safest you can get with a debit card. Maybe there’s one step safer, which is not having one. So, Jim, it’s telling that we can talk openly about something like child sex abuse and it’s embarrassing to talk about getting scammed. Both are often beyond anything we can control. There are reasons…

Jim: And vulnerabilities.

Beau: Vulnerabilities, but also as a fellow, fellow survivor, I can say like, it was beyond anything I could control, but the… at the time when I was seven, but the other thing is, when, when we’re in this ecosystem with threat actors everywhere and our information everywhere, it’s beyond our control. And it is sometimes the luck of the draw, just that they haven’t gotten to you yet. And the best thing you can do is have protection so that when they get you, they don’t get very much.

Jim: Right. Well that’s good advice and yeah, it’s a learning experience and unfortunately, you know, luckily I’m at a point in my life where I am very cognizant of how frustration and anxiety is not healthy. And so I’m making a positive effort to let the things that I cannot control roll off my back and do the best I can to prevent them from happening again. That’s the best way I guess to put it. But without carrying around the, you know, all of that emotional baggage that generally follows when something horrible like this happens to you, at least it’s not completely devastating. At least it’s not life-taking.

Beau: Yeah. And so Jim, I want to thank you so much for joining me on What the Hack this week.

Jim: Well, thank you for having me.

Beau: It’s time for the Tinfoil Swan, our paranoid takeaway for keeping you safe on and offline. I’m going to sayh it again. The bottom line with the debit card is use it as little as possible. Never, ever, ever use it to buy something. Don’t. I use it only for ATM, only to get cash, period. That’s it. The end. And when I’m not using it, it’s locked. I go into the app and I say it’s lost. They ask me do you need a new card and I say, “No, no, I know where it is. Somewhere, but it’s lost for the time being.” I’ve only gotten a phone call once. Now, keep it locked, and when you go to your ATM to get money out, unlock it, and when you’re done getting the money, lock it again. Keep the phone in your hand. I mean it. Only open to get cash. Sure, there are phone carriers and other companies that will give you a break on your monthly fees if you use your direct payment from a bank, from your checking acocunt. Totally fine. Use your ABA routing number and your account number. Don’t use your debit card number. Just don’t. It’s not for that. You know when you put your debit card out there what happens is it gets you scammed, and I’m not saying that you’re not gonna get scammed if you do exactly what I just said. Because we all know, every time we think you’re safe, you’re not, so I’m just saying, make yourself as hard to hit as possible and have a great week. Thanks for listening. This episode of What the Hack was produced by me and Andrew Steven who also did the editing. What the Hack is a production of DeleteMe, which was picked by the New York Times’ Wirecutter as the #1 personal information removal service. You should be using it already. If you’re not and you want to, you can. Here’s what to do. Go to joindeleteme.com/wth. That’s joindeleteme.com/wth and get 20% off. I kid you not, 20%. 20% off. That’s joindeleteme.com/wth. Now stay safe out there. See you around.

Learn More:

• See where your data is exposed with our free scan.
• Learn more about data brokers and their impact on privacy.
• Discover how using your debit card can put you at risk of debit card scams.