WTH – The Data Grift Everyone Missed (Transcript)

Beau: So there’s a reason when you go to Google, a professional athlete, a high profile judge, or celebrity, you’re not gonna find their address or a lot of information, personal information online. It’s ’cause they’ve had it removed. The fact is if they didn’t, anyone could find them and that would be dangerous.

Eva: People have lost their lives because their data is available to their abuser. 

Beau: But here’s the part, nobody talks about the same thing that makes them vulnerable. Makes all of us vulnerable. Uh, you don’t have to be famous. Even if you think you have nothing to hide, it’s still an issue. 

Eva: All of these scams, identity theft, and misuse and just fraud in general is leveraging our data.

Beau: In a few clicks, I can find your home address most likely, and I’m pretty good at that, but you don’t have to be pretty good at it. I can figure out what your kids’ names are, if you have any. I can track you. I could probably impersonate you if I got enough video. If you, if you post on social media, why would I do it?

Beau: Well, maybe I just didn’t like something you said on social media, or maybe I over overheard you say something in a checkout line. I mean, who knows? There’s an entire industry that most people don’t think of too much and that industry wants to keep it that way. 

Eva: There are so many terrible misuses of our data.

Eva: And the industry is rife with people who are abusing it, not following the rules. It doesn’t have good regulation. 

Beau: This isn’t about privacy in the abstract, it’s about safety. Yours, mine, and, and that’s why we need to talk about it. We’re talking about. Data brokers. I’m Bo Friedlander, and this is what the heck, the show that asks, in a world where your data is everywhere, how do you stay safe online?

Beau: Eva Velazquez, CEO of the Identity Theft Resource Center. Welcome to the show. 

Eva: Happy to be here, Bo. 

Beau: We’ve known each other for a really long time, fighting the same fight. Uh, which is against the scourge of identity theft out there. Talk a little bit about what the ITRC does. 

Eva: Well, we are a 5 0 1 C3 nonprofit organization.

Eva: We’ve been around for 25 years, so we were established in 1999, and we provide absolutely free services to victims of identity crimes. So identity theft, identity misuse, scams, fraud. And people can contact us through our TOLLFREE number on our website. They can email us live, chat with us, speak to a real human being, and get direct one-on-one support.

Eva: We also do a lot of preventative education, so we’re out there telling people how to avoid scams, how to understand. Uses of their identity and the good, the bad, and the ugly uses of their identity. 

Beau: That’s interesting that there’s even a good use. We’ll get to that in a moment. But first, let’s talk about how all this information is even out there in the first place.

Beau: ’cause if you go back, I dunno, 25 years, it wasn’t hackers on the internet. Right. It was just good old fashioned mail theft, dumpster diving. Mm-hmm. Filmed from a fax machine, the, the temporary storage on a, on a printer. Sometimes people just dumped employee records in the in landfills. And now all of our data is in one place.

Beau: It’s called the internet. And yeah, the dumpster diving stuff still happens, but more and more our data isn’t on paper at all. It’s on the internet. Right. And, um, it’s, it’s in, it’s in cloud servers. It’s, it’s stored places and there’s a number of ways that people can scoop it up. And, and, and that practice is getting bigger, not smaller.

Eva: More and more of our data. It’s not in filing cabinets, it’s not on paper forms. It’s not necessarily going through the mail. It’s going over the interwebs. Yeah, and identity credentials keep expanding 

Beau: 25, 30 years ago. You could still open your mailbox and find a letter from a Nigerian prince explaining to you that you had inherited money and you needed to do a few things in order to get it.

Beau: That particular scam is alive and well. It’s changed, it’s morphed, it’s grown. It know black acts, which is a Nigerian scam group, has mostly relocated to South Africa, but they’re still doing stuff. Mm-hmm. It’s just different. They’ve grown. What we’re talking about though is. That letter that I got in my mailbox, which takes a stamp, takes a moment.

Beau: You gotta go and get the paper. Paper, the 

Eva: cost of the physical document, all that. 

Beau: There’s a cost of doing business. So now it’s no longer, the scale has just grown and the scale has grown because people are using software as a service that facilitates crime. And, and so software as a service, a software created by a criminal for criminals, those crimes are still being done today because.

Beau: They’re just online and it’s, it’s the same crime. As things became digital, it became a lot easier, right? 

Eva: The analog stuff is still happening, Uhhuh, but the digital activities have really eclipsed that in scope and scale because it’s just much easier to perpetrate on a, on a massive level. Think, think about it this way, for me to communicate my.

Eva: Scam or my fraud to somebody through snail mail. I have to hit each house. I have to send the letter. You know, there’s postage. I can send an email to millions of people as long as I have their email address. It just takes less time. The scope and the scale of this stuff is much faster and easier. 

Beau: What crimes now?

Beau: Uh, you know, are you seeing the most? What’s like. The big thing these days, the 

Eva: big thing that we’re seeing right now, there are a lot of job scams, um, a lot of misuse. It’s still financial. Um, for identity misuse, it’s in the financial sector, either existing account takeover, so taking over credit cards, bank accounts, or opening new accounts.

Eva: Uhhuh 

Eva: government benefits are a second, so applying for government benefits in someone else’s name. Those two broad categories usually flip flop. They’re one and two, and then medical and criminal. So misuse in those two sectors. Yeah, it’s, they’re kind of growing a little bit, but. In, in small amounts. And then in the scam world, it’s imposter scams and, um, job scams.

Beau: One of the things that they have in common. Is they start with the criminal, accessing personal information and leveraging. It’s leveraging our 

Eva: data. What the common thread is that all of these scams, identity theft and misuse, um, and just fraud in general, is leveraging our data and information in order to help thie with access or with putting together a better picture of what is going to appeal to that particular target.

Beau: So that information doesn’t just appear right. It just doesn’t. It happen, it exists because there’s a whole industry or many industries built around gathering and reselling details about us. Some are just kind of criminal on the dark web, but a lot are legit companies and they spend their days collecting little fragments of our lives piece by piece, day by day, hour by hour, address from one place, shopping habits from another, our search history where we are on a daily basis.

Beau: Loyalty card swipes. None of these pieces look especially powerful on their own, but when you stitch them together, you get a surprisingly complete picture of a person. And, and that includes like, it really includes everything, like what you like. And when you might be most vulnerable to this or that kind of offer or approach, these companies package that stuff and pass it along.

Beau: They sell it, right? That’s a business. So you, you get it. The end result is that a version of you exists out there, not built by you, but built about you and it travels a lot In your mind. Is meta a data broker, you know, is. It are social media platforms, data brokers, because they certainly are selling our data.

Eva: Yes. It is such a broad, broad, broad category. 

Beau: Okay, so on one end of this spectrum, you’ve got the big social media companies, meta. Um, Google selling incredibly granular slices of who we are every day to advertisers. On the other end, there are the shadowy sites, scraping whatever they can find. Building dossiers you can buy for a few bucks or a few cents.

Beau: You, you just mentioned, the good, the bad, and the ugly uses of our identities or our, our data. And I can pretty easily imagine the bad and the ugly. That part makes sense. What’s harder to wrap my head around is the idea that there’s such a thing as the good. Like why on earth would there be a good reason for my personal data to be brokered?

Eva: I actually think it’s so hard to wrap your head around that there are legitimate use cases. Okay. And that there are actors and, and entities, organizations out there that are leveraging data for good. I am as an advocate. Yeah. Uh, it’s hard for me to come out on that side and say, Hey, let’s talk about some of the, the quote unquote good, because there are so many terrible misuses of our data, and the industry is rife with people who are abusing it, not following the rules.

Beau: Give me, give me. I, I just want one. I can’t think of one case scenario where the use of my personal information is okay and beneficial to me. Me, now I could see how it might benefit society or something like that. 

Eva: Let’s just say that you legitimately want to open a new credit card account, okay? 

Beau: Yep. 

Eva: Bo wants to open a new credit card account.

Eva: Yes. So you, and you don’t wanna have to get in your car, you don’t wanna have to fill out paperwork. You wanna do all of this online. 

Beau: Yep. 

Eva: So you unfreeze your credit because it’s always frozen. 

Beau: It is. 

Eva: You’re good about that. 

Beau: Yes. Yep. 

Eva: And then you go to the website for a, a credit card issuer that you do not have a relationship with.

Beau: Okay. 

Eva: That is not known to you. 

Beau: Yes. 

Eva: And you go to make that application. You put in all of your. Personal data. 

Beau: Uhhuh, 

Eva: which is not a secret. We just talked about this ecosystem. So things like your date of birth, your name, your social security number, your address, your phone number, your email address. Oh yeah.

Eva: It’s not a secret. I 

Beau: mean, I mean even if I put my email address in there, they probably can auto-fill the rest, 

Eva: right? So some of the signals about is what we, they have to go deeper. Is this really bow? The only way? That they can know that because they don’t have a past relationship with you is through the purchase of data.

Eva: Data being used for fraud detection and sending signals to flag legitimate transactions from fraudulent transactions has a direct benefit to you because it can potentially stop a thief who has all of your data from. I’m trying to pretend to be you. So there are some legitimate use cases. 

Beau: Yes. We’ve all had that experience where we’re on the road, we’re doing something we don’t ordinarily do.

Beau: Maybe it’s just buying gasoline in a state we don’t live in. And the credit card company says, Nope. And you’re like, and you, and you say, what do you mean? No, I’m buying gas. I’m in the middle of nowhere. And the answer is no. If you’ve ever had that happen to you in a place with bad, um, service, it’s pretty frustrating.

Beau: Because you might not be able to get gas gas right away, but that is a predictive measure. That identity related, you know, my personal information is being used to decide whether or not a fraud is being committed against me. 

Eva: Your behavior, your behavioral analytics, another big treasure trove of David.

Eva: Yep. Data. Yep. Yep. Is being used to determine is this normal behavior or is this anomalous behavior? And the only way they can say, oh, this is anomalous. Is by having a pretty robust stack of your regular behavior. Most of us aren’t really bothered by this because it’s usually our bank or our credit card issuer, and we have a relationship with them.

Eva: So I think the expectation is, well, they’re gonna have my data. They’re going to know my, my purchasing. Behavior. So, and that’s why I use the example, not of someone that you have an existing relationship with, but someone you an a business you’re trying to establish a relationship with.

Beau: I mean, sure that makes sense. I mean, in theory, but businesses can still act in bad faith. A few years ago there was a Turkish crime syndicate that you may remember that was hijacking people’s Instagram accounts. High count, you know, influencer accounts, and they did this with messaging and saying, Hey, is this you?

Beau: I’m having a hard time getting in. Can you just do, can you just verify your account? Or whatever they did. We dealt with a lot of them on the show. Now, one of the things that had to happen was the. Scammer had to log into that Instagram account. And when they did that, they were doing it from a location that was not 

Beau: mm-hmm.

Beau: Where 

Beau: I live, right? 

Beau: Mm-hmm. 

Beau: And Meta knew it. Meta was in a position to stop it. They could have just said, wait a minute, why is Bo logging into his account in Turkey? He’s not in Turkey, he’s in the northeast of the United States of America. They didn’t bother stopping it because. There was no incentive.

Beau: There was no money on the table. So the good, I do understand the good, I can’t believe I’m gonna say this. My credit score, depending on which one you go to, is I have gamed my credit score for years. It’s frozen, so screw off. But while credit bureaus provide a service, and if you use your credit wisely, you can beneficial it financially.

Beau: They do have a reputation for being exploitative. I mean, they just do, the information they gather is not just for our benefit. Right. They benefit from it too. 

Eva: There are a lot of these organizations that are on sort of both sides of the, the fence. They not only collect our data, they also turn around and sell it and monetize it.

Eva: And monetize it. Yeah. Yes, I think. Okay, so starting with the good, so is that good? 

Beau: I’m guessing is that good or is that like the eh, 

Eva: um, I, I see, I always go to use cases. I don’t like to throw the baby out with the, the bath water. I also do not want to. Become like the data broker apologist. Okay. I want to see more regulation, very strong regulation in, and I want to see more of the use cases being called out and us looking at, this is a terrible use case.

Eva: This benefits no one, but some sleazy data broker. We need to disallow that. Yeah. Versus, okay, this is a neutral use case. It. Maybe it benefits the company and doesn’t benefit me, but it doesn’t harm me either. Right. And then there’s the use case of, oh, actually that use of my data directly benefits me.

Beau: Yeah, 

Eva: we need to make sure there’s an exception in regulations to that use case. And the problem is, there’s a couple problems there. The first one being that whenever the, the fraud detection industry and advocates such as myself bring up, Hey, keep this in mind. We need some of these exceptions. If the lobbies get involved, the exceptions become so broad as to be almost useless, and then the, the regulations can become useless and the advocates know it.

Eva: And so there’s this, this real tension there. 

Beau: Here’s the deal. If you have gained the credit score game, if you’ve done well, you’ll benefit from it directly because the car that you’re buying could be cheaper. The house that you buy, well, the money that you borrow will also be cheaper and right on down the line.

Beau: You are going to benefit from your information being analyzed by mm-hmm. Let’s just say the, the Glinda, the good witch of data, business behavior g Glenda. Okay. Alright. Now, so this is Glinda territory and so I, I don’t, I’m not gonna, this is gonna be a, we stretch a little too far, but it’s gonna snap before I stretch it where it’s going because the opposite side of the spectrum is the wicked witch of the west.

Beau: Like you were saying, like there, there’s no good reason for your address, your home address to be public facing on a website that anyone can look at. And for a fee, a lot more information can be made available to anyone. There’s no to, there’s no good, there’s no good reason for that kind of information to be at the fingertips for the purchase by anyone.

Eva: I agree. When we look at domestic violence, there can be real world consequences. People have lost their lives. 

Beau: Yeah, 

Eva: because their data is available to their abuser. That is a use case that needs to be banned. Anyone with no business reason as an individual can come in and purchase a dossier on Eva Velazquez.

Eva: I am all for not making that available or easy to do. My overarching message here is I, I do think we need a little bit more of a surgical precision here, and not just the patient is dead, get ’em off the slab and, and bury him. 

Beau: If data isn’t just good or bad, it lives on a spectrum from the helpful to the exploitative to the downright.

Beau: Dangerous. After the break, we’ll dig into the good, the bad, and the ugly of an industry built, built on the bedrock of our information. Our stuff should not be their stuff, but somehow it is.

Beau: I think that what we’re talking about here when we get into the good, the bad, the ugly is it’s not semantics. I get it. I mean, data by itself is neutral. 

Eva: Data and tech are agnostic. It’s the users that have motivations that we need to worry about. 

Beau: Correct. Here’s what I keep bumping up against. The, the very same information that lets a bank verify me is the information marketers buy to target me.

Beau: It’s one thing to use my data to protect me, and it’s another to use it to sell me stuff. And, and by the way, I don’t mind go ahead and sell me stuff that. As long as you got my number, so, so why don’t I just take control, wipe that data clean, scrub it from every system. Well, I, I mean, go ahead. I have my theory, but go ahead Eva.

Eva: So when you go and erase your data, you say, I don’t even want this company that I have a relationship with to have. Any history on me or my data. So the next time I come back to visit this website, I’m a clean slate. 

Beau: Mm-hmm. 

Eva: They don’t know who I am. There’s no history, there’s no, oh, we know that’s Eva’s device and we know that’s the browser she uses and all of those.

Eva: And we know she bought 

Beau: a pound of coffee. 

Eva: Right. All of those behind the scenes signals, they’re gone. So the next time I come back, I am unknown. I’m a new visitor, they don’t know me. Does that create an opportunity for someone else to come back and go, hi, I am Eva, because there’s no history there. Does it actually make it easier for the thieves?

Beau: That’s a, that’s a really interesting thought about clean, you know, clean slate, creating a vulnerability. I can see how you got there with that analogy, but, but let’s look at the actual mechanics of how this works. When you exercise your, uh. Right to be forgotten. Under laws like the GDPR or your right to deletion under the CCPA, California’s privacy law, you’re making a formal request.

Beau: A company is legally required to remove your personal data from their systems, and in some cases notify third parties. They’ve shared it with two. However, the information used for most identity theft isn’t coming from a company’s single database. It’s coming from the vast amount of data that has been scraped and sold by data brokers or leaked in major breaches.

Beau: This is like, it’s already out there completely independent of any company’s records. So while deleting your data is a great step toward reducing your digital footprint, it doesn’t create an open slot for a thief to fill. Exactly. The thief is already armed with information they need from other sources, and that’s the real problem we need to take to tackle here.

Eva: Yeah. The, the URL squatting, basically, this 

Beau: is almost like actually like, uh, back when you could do this, you know, like getting Bo Freelander at for whatever email or. Social media or whatever handle you wanted to get, but here’s the deal. Sure. You know, does it mean that, uh, a thief can like create an account in your name and use it to mimic you somewhere else?

Beau: It’s possible. It’s pretty tedious. It’s, there’s easier ways to do what. Identity thieves and crooks do. So this brings us to another powerful tool that cyber criminals use. I just mentioned it, mimicry. They don’t always need to steal your entire identity. They just need to gather enough information to create a believable digital.

Beau: Facade. They use this to, you know, impersonate you or to create a fake version of your identity to deceive somebody, whoever their target is, and, and this, this, that, that is why it’s sort of a concern, but I feel like it’s a little bit in the woods. But yes, the, the mimicry thing is, is a real issue.

Beau: I want to talk about our data, which has wound up on the side of the road. Again, the digital trash, the. Being collected by bottom feeding data brokers, you know, exactly like the dumpster divers who were looking for bank statements back in the day. They, they post anything they can find and, and so, you know, that’s a problem.

Beau: Are identity thieves using that information though to commit crimes? 

Eva: Potentially, yes. Okay. Anything, and it, it could be in a variety of ways because it isn’t just about. Your core identity credentials and your foundational identity documents. So it’s not just your SSN date of birth, passport driver’s license number.

Eva: Your behavior 

Beau: yes, 

Eva: can be an entree into, particularly for scams, not, not necessarily identity misuse, but an entree for, for scams or to get you to give more of your data. So, so here’s an example. Maybe it’s your name, it’s your cell phone number, it’s your address, and it’s the last four digits of your cable provider account.

Eva: Sounds like trash on the side of the road. Does scammer buys it, calls you and says, hi, bo. It’s your X, Y, Z cable company calling and we’re calling ’cause there’s a problem with your bill and you go, oh, what are you talking about? Well, we don’t have the payment, but I paid my bill. Well, do you have the account ending in blah blah in 1, 2, 3, 4?

Eva: Yes, I do. And that’s my account. Okay. Well I need to get into the system. Can you verify that I’m really talking to Bo? So Bo, what is the full account number? What, uh, was the card you paid with and on and on and on. So, and they’re gonna keep 

Beau: you going. And that’s the thing. Until, 

Eva: keep asking you, until you stop for information.

Eva: Until you stop and they already have it. So yes, that trash Yep. On the side of the road. Can create a vulnerability for you and it can be used. And that, by the way, that example I just gave you is a recent call we got into the contact center. That is not a theoretical example. I hear you. That’s a real one.

Beau: You mentioned your team actually hears about this stuff firsthand. What kind of calls are you getting into the contact center right now? 

Eva: So we have a national call center staffed by real people, 

Beau: Uhhuh, 

Eva: who we take the incoming calls from, people who either have questions about. A transaction that’s currently happening.

Eva: They got a weird email. They got a weird text message. They got a phone call that they’re not sure what to do with it. And if it’s a known scam, we’ll tell people that’s a known scam. You don’t need to engage. 

Beau: Right. 

Eva: And if it’s really esoteric, which a lot of them. They’re getting so different. There’s just, the standards keep changing.

Eva: So we hear about new scams and new hooks every day. Yeah. We will then walk the person through the process of how, how do I verify that that was legitimate, legitimate communication? Or they will, people can call us and say, Hey man, I’m a, I’ve been a victim. I’m a victim of an identity crime and I need a recovery plan.

Eva: And we will, they’ll get a, a case manager. Who will listen to all the details, give them a recovery plan that puts in order the order that they need to take the steps, what’s the highest priority? Yeah. Um, and then on down and walk them through the process and they can stay involved, talk to their case manager as many times as they need, for as long as they need, and it’s all free.

Eva: It’s 

Beau: all free, and so it’s all free, and all they need to do is go to the Identity Theft Resource Center website, which is 

Eva: id theft center.org. Yeah, or they can call us at eight eight eight four hundred. 55, 30. 

Beau: Yeah. 

Eva: You know, the I, all of our services are free, so we rely on things like donations, uhhuh. So if people want to support our mission and make sure, yes, that we can keep providing these free services, I would encourage them to.

Eva: Reach out, go to the website, make a donation. If you can find that in your heart, 

Beau: it is a good time to make a donation to the Identity Theft Resource Center. It’s a very good gift to give because you’re giving them the gift of doing the right thing without them having to even think about what that might be.

Beau: And, and so let’s go back like I am sure you get these other kinds of phone calls. I am spending the day weeding my garden. Having a beautiful day. ’cause I like that. I like weeding my garden. I get a phone call and it is somebody who has found another piece of information on the side of the road, the digital side of the road, and it’s another creative.

Beau: Exploit. Maybe they know that I have a, a subscription to Time Magazine. Whatever it is, they’re going to ask me questions. And those questions, none of those questions are idle questions. They are trying to create a dossier about me. And one of the things that we learned when we spoke to our friend from the Secret Services, some of these, uh, identity thieves, thieves belong to crime rings.

Beau: And they might not be able to use the information that they’ve harvested from you, so they sell it to another ring that can 

Eva: Oh, absolutely. It’s an ecosystem. 

Beau: And you know what, it’s just like the bottom feeder data brokers. Now let’s talk about that business in California. Your state. Where, where, where you happen to live.

Beau: Sorry, I know that’s in, that’s personal information, but I’m sure someone could figure it out. 

Eva: It’s not, everybody knows I’m a native San Agan. Yes. So, so big city. Big state. It’s okay. So in 

Beau: your, in your state it was just re uh, you know, revealed that several of these, what I would call low lowlife data broker sites have.

Beau: Refuse to take content down even when asked to do it, that they’re just not doing it. The other part that I think we just reveal that delete me, is that there’s, there, there are a whole nother category of of data brokers who use something called dark patterns in web design. That means that you’re, you’re hiding a link.

Beau: In other words, you wanna sub, you wanna unsubscribe. Well, good luck finding the unsubscribe button. Subscribe 

Eva: button. You know? Yeah. 

Beau: It’s a dark pattern. So we know that these companies are doing that. Now, who does that? Who hides the unsubscribe button? 

Eva: Exactly. That is a, the unscrupulous players. Right. And so there does need to be an enforcement mechanism.

Eva: So how do we stop 

Beau: the trash pickers? How do we stop the digital trash pickers? What do we do? 

Eva: You know that that is going to be, it sounds like it would be easy. Yeah. But ’cause it’s digital. Yep. There are so many. Challenges with that one? Where are they? Where is this data being housed? Well, we of know that 

Beau: some of those we do know over at well, for the ones 

Eva: that you know, then there needs to be an enforcement mechanism that makes the crime.

Eva: Um, that’s the best way I can put it. It can’t be the cost of doing business. 

Beau: I know. Wait, you know, you know what you just said, which is amazing. Imagine if you were to connect. The crime to the data broker and say, well, there is liability there, there’s damage. 

Eva: I think that this is where you’re gonna start getting into challenges with, just like we do with breaches.

Beau: Yeah. 

Eva: Because of it’s, it’s a little bit like the, uh, closing the barn door after the, the horses run out. Because of the state of data and how ubiquitous it is, tracing back a particular piece of data to its point of origin. It is very, very challenging. 

Beau: So if you don’t have a unique identifier on that data, it’s, it’s not gonna happen.

Beau: But that’s never gonna work. None of that’s gonna work. There’s no identifiers that actually will make this possible so that, well, we 

Eva: haven’t, okay. We haven’t found the solution yet. 

Beau: Yeah. So that 

Eva: wouldn’t work. But if we talk about the concept of having. Um, you know, enforceable regulations that make the, the, that aren’t just fine.

Eva: That, that makes it built into the cost of doing business because as someone who worked in consumer protection. There were a lot of violators that were just like, well, you’re just gonna find me 5% of what I made by engaging in this questionable, be 

Beau: right. Questionable behavior. 

Eva: So my net profit is 95% of it.

Eva: I don’t care. They put it, that’s a line item in their budget is paying fines. Yep. So we have to establish some enforcement mechanism and. Something that makes it really hurt. 

Beau: Yeah. So 

Eva: that they won’t violate that again. But that’s really just for the legitimate businesses, the, the scam businesses, the scam entities.

Eva: Were fighting a war on two fronts 

Beau: now for your, for your job going after the criminal software as a service malware. As a service is, is very important. ’cause they are going to be taking that raw data from the data brokers that we’ve been saying mean things about, um, and turn it into actionable data. And there is a process there.

Beau: They have to do work, they have to make phone calls, they have to develop, you know, rapport. So when they, when these, uh, malware as a service companies, companies operations are selling leads, those leads are developed and they, they can say like, this one’s good for romance scam. This one has crypto already, this one has Yep.

Beau: You know, five credit cards and these are the numbers. Um, so all of that is, is, is interesting and, and is for the secret service, the FBI and local law enforcement to figure out. 

Eva: For people. They can play a role. Individuals can do something too. 

Beau: Let’s talk about that. So what, go ahead. 

Eva: If you didn’t initiate the contact, don’t engage.

Eva: Bingo. Go to the source. It is simple, but not easy. 

Beau: As, as our dear friend who’s on the advisory board for the ITRC, Adam Levin would say, if you don’t want remorse, go to the source. 

Eva: Ooh, I love that, that rhyme. 

Beau: The other side of this though is, you know, you were just saying that consumers can play a part in their own protection.

Beau: Absolutely. They can. And you, you know, you said it about my credit when we were talking about that my credit’s frozen. Sure it is. And I get a pin code from the IRS too. Yep. So that people can’t do that. What are some other preventative measures that folks can do to protect themselves from this wild west of data, from the misuse of 

Eva: their data?

Eva: Look, I, I’m not trying to place the burden of data regulation and, and misuse on just your, your end consumer. There’s a lot of responsibility on these organizations, on the government, on industry to solve this problem. No, but 

Beau: the meantime, 

Eva: until, yeah. In the meantime, in the meantime. There are some things that you can do to reduce your risk surface.

Eva: We talked about a couple of them. I also encourage people to use multifactor authentication. 

Beau: Yep. 

Eva: On all of their accounts. Not just where it’s mandatory, like at your bank or your health portal, but any account where it’s an option, use it. And can I can add just, 

Beau: can I just add right there on that one that SMS is.

Beau: Of the different kinds of multifactor authentication you can use. If you’re, if you’re thinking you’re gonna just use your cell phone number, remember that for 150 bucks or less, a criminal can walk into whatever your, your phone company is and buy a SIM card and steal your account. 

Beau: Yes. And so that is true.

Beau: So what you can do, and what they can’t do is they, they can’t, they can also probably figure this out, but use an authenticator. 

Eva: Yes. That’s the ne I go to. Good. Better best. 

Beau: Oh, do it. Do it. Do it. Okay. I’m try again. 

Eva: So good. Enable MFA. 

Beau: Yeah. 

Eva: Better use an authenticator app. 

Beau: Best. 

Eva: Best use pass keys where they’re available.

Beau: Such a drag though. Come on. All right. This 

Eva: is not a drag. It’s easy. 

Beau: I have pass keys, full disclosure, so I know of when I speak. No, I, I use a pass key on things that really, really matter and I, I actually have, I just noticed that my bank no longer accepts, and this is super cool facial recognition alone.

Beau: On my phone to open the app for my bank. Super smart because anybody can punch me in the gut and say, 

Beau: yep, 

Beau: open your phone. Now they have to punch me in the gut twice because they’re gonna get my, they need my pin code. So it’s something I have and something I know, something I am and something I know. Um, so, so that’s a good, also a good way of thinking about it is, you know, good security is something you have, something you are and something, you know, it’s a good, you know, so the key is something you have, something you know, is your password or your passcode and something you are is a biometrics and 

Eva: we need to come back and talk about.

Eva: Biometrics. Let’s 

Beau: do it. 

Eva: Because weirdly, yeah, this whole conversation that we’ve had where I’m saying, let’s use a scalpel and let’s talk about the legitimate use cases and make sure that that small number Yeah. For data brokers is. That we have a conversation about that. I feel the same way about biometrics.

Eva: There are, we have to look at the legitimate use cases of biometrics. Yep. And yes, there’s some stuff that’s really bad. Broad surveillance, state facial recognition. I, we’re not gonna get on board. I’m not talking about that. But I am talking about consent based authorization to use my biometrics to prove that I am me, because my static data.

Eva: Yeah, is out there in the wild and it needs to be devalued and the only way to devalue it is through the use of biometrics. 

Beau: So these are great. But I wanna add one more thing. Yes, I know I work for Delete Me, but I think data removal is a really important thing people can do. But here’s the thing that costs the consumer money.

Beau: So it’s costing money to protect myself from losing money. Now, is that a good thing? Well. I happen to subscribe to Experian service too. So Experian tells me where my social security number is, ’cause I know it’s on the dark web. It tells me what passwords are out there. It’s, it’s all very good in, in, in, in and okay or whatever.

Beau: But at the end of the day. The only person keeping me from getting hacked and scammed is me. 

Beau: Mm-hmm. 

Beau: What do, so what’s your read on all this stuff? Do you do everything okay or do you just freeze everything down? 

Eva: I cannot endorse or approve any particular company, product or service. When you talk about the consumers having to pay money, I personally get very offended when we see industry create a problem.

Eva: Industry creates a problem, then develops a product to solve a problem they created and charges me for it. 

Beau: But we are talking about credit bureaus here. Just to be clear, 

Eva: I find that deeply offensive. It is, however, the American way, it’s all over our ecosystem. I personally don’t like it. I believe that an unencumbered identity is a right.

Eva: I have a right to that. Just like privacy is a right. I believe in an unencumbered identity is a right that. That you should not have to deal with the fact that someone else is pretending to be you. Mm-hmm. And you have to clean up that mess. And that’s the current system that we have. Now, 

Beau: I also believe in an unencumbered walk down the street, but I can be accosted at any moment and mugged.

Eva: Yes, that is true. That’s 

Beau: just the reality. There’s criminals out there. 

Eva: Yes. You’re never going to get. Crime down to zero. 

Beau: Correct. 

Eva: That is not, that is not going to exist. But you got assaulted on the street and the police came out to take a report. They don’t charge you to come out and take that report. 

Beau: No, but I’m saying like the big three.

Beau: Let’s talk about like the fact that I have this experience subscription to help me monitor my credit and stuff. That is a good example of a company that has made its bread and butter doing the stuff that I now have to pay to maximize, like I am using Experian to maximize my score at Experian, which is like that, that’s, that’s quite a business model to say like, you know, well, and to save yourself 

Eva: time, which sure, 

Beau: no, sure, but here’s the deal.

Beau: On the personal data removal front, there was a post, uh, last week on Reddit. That said, delete me is actually a data broker, to which you know, which isn’t true. And I wrote back a really, really snarky response, which I shared with my supervisor, and he said, Hmm, it’s a little too snarky. And because I was like, oh, that’s weird.

Beau: ’cause the New York Times said we’re the best one or whatever. And he was like, no, no, no, no. All you need to do is say. You know, uh, we are not, that’s not true. And, uh, you know, that’s the right answer. And then someone else at the company said, actually what you should have said is, we’re not data brokers, but these data removal services do have connections to some of them, you know, and I, which is like snark light.

Beau: But, but I think that, I think that, you know, to say that a business that has set itself up like the ITRC in a, in a way, but not a business. An entity that sets itself up to be a part of a solution of a problem they didn’t cause is a different, is a different, 

Eva: uh, uh, abs one horse of different color percent.

Beau: Yeah. 

Eva: 1000%. Yeah. I do not, when I look at the different services, paid services that are available to help with this problem. Yeah, my message is always, if you have the disposable income to pay for that service, just do your homework and make sure it’s going to, that you understand what you are getting in exchange for your money.

Eva: I think they have value and 

Beau: with the privacy policy, so they’re not selling your stuff. Right. That, 

Eva: that, yeah, you aren’t going to get what you’re, what you’re paying for.

Beau: Eva Velazquez, CEO of ITRC, the Identity Theft Resource Center. I never ceased to learn things from you. I’m so grateful that I can call you a friend and, uh, and a friend of the podcast. Thanks for joining us. 

Eva: It was delightful to be here, and I love it when people say, oh. You got me to think about something in a little bit different way, or I hadn’t considered that.

Eva: So mission accomplished,

Beau: and now it’s time for a tinfoil swan, our paranoid takeaway to keep you safe on and offline. Think about how you prove your you online. You’ve probably heard of MFA or multifactor authentication. That’s a fancy way of saying we’re gonna use more than one thing to prove. It’s you trying to log in. The classic security mantra is something, you know, something you have.

Beau: And something you are, the old way was just a password, right? Something you know. But what if someone steals that password or just figures it out? What if your password is 1, 2, 3, 4, 5, 6? That’s where the other factors come in. Something you have a text message, a dedicated authenticator app on a separate device or even on your, on the same device you’re using.

Beau: Or best of all, a physical key, something. You are a fingerprint, a face scan or a retina scan, or if you’re in a funny movie, you can sit on a scale and get a butt print too. Most people use a text or an authenticator app for that. Something you have part, right, but the But they can be vulnerable. A text can be intercepted and an app can be a target for phishing.

Beau: You know, just like, Hey, can you send me this code? I’m about to send it to you. Not everybody understands what’s going on in that scenario. A physical security key is the ultimate something you have and it’s, it is actually somewhat foolproof. Nothing, there’s no such thing as a silver bullet, but it really does get you a little closer.

Beau: It’s like a little USB or you know, NFCC device that you have to physically plug in. Or tap near a device to confirm it’s you. No one can steal or trick this. Well, they can steal the actual device, but then they still need the other stuff. They literally have to have the key. Right. And that makes it one of the strongest protections against hackers.

Beau: ’cause hackers are almost never just standing right there with you. And if you want to, you’re like, okay, that sounds absurd. I can’t do that. It’s too hard. It’s fair, it’s not. You get a key look for UB Key or the Google Titan key. They’re, they’re, they’re the most common ones. And make sure it fits your computer supports whether you have A-U-S-B-A or A-U-S-B-C.

Beau: Go to your account security settings, log into your Google account, Facebook, or whatever service you’re trying to secure. Find the security or login menu. Fine. Two factor verification, right? I’m sorry, I’m going fast, but I’m just trying to give you an ia. It’s not hard, you know, there’s just, it’s just a, you, you can find this, there’s a ladder of things to do and you’ll do them.

Beau: You’ll see a list of ways to verify your identity. Look for the option, which is a new device or security key. Follow the onscreen steps. Uh, the website will tell you when to plug in the key, so you do that and you’ll have to tap or whatever. Hit a gold button or there’s like a step sensor. Get a backup.

Beau: This is super important. Grab a second key and set it up the same way and keep it in a safe place like a lock. If you have a safe, that’s, I recommend that, but if you don’t, put it somewhere weird, uh, that you don’t forget. Um, and that’s it. Stay safe out there and, uh, we’ll see you next week.

Beau: What the hacks brought to you by Delete me. Delete me. Makes it quick and easy and safe to remove your personal data online and was recently named Number one, picked by New York Times Wirecutter for personal information removal. You can learn more if you go to join delete me.com/wth. That’s join delete me.com.

Beau: Slash wt and if you go there now, you will be able to get a free scan. So go check it out. That’s delete me.com/wth. Do the free scan that show, it’ll tell you exactly what’s out there, and then you can decide for yourself what you want to do next. Stay safe out there. Thanks for listening.