The financial services industry is reputed to have more than its share of psychopaths. In my book I talk about the recent Australian Banking Royal Commission as one example of how the industry seems to attract them en masse. It’s hard to read this story about “cum-ex” fraud without thinking a lot of the people tied up in it, including the lawyers, might be psychopaths.
One of the German lawyers involved in stealing tens of billions of dollars from public treasuries reputedly said:
“Whoever has a problem with the fact that because of our work there are fewer kindergartens being built,” Dr. Berger reportedly said, “here’s the door.”
This is why I argue that the number one thing we can do to stop psychopaths from destroying the world is to implement psychopath tests of all managers across all kinds of organisations.
One of the guys who created the CIA torture program says that waterboarding a prisoner, who has been held in jail for 13 years and never charged with a crime, over 80 times, only “verged” on breaking the law. Gee, I’d hate to see what ACTUALLY breaking the law looks like.
Imagine what kind of person you have to be to get paid $80 million to design a torture program.
One of the downsides of technology is that it makes it easier for bad people in distant lands to do bad things. A couple of years ago we got hacked and learned some good security lessons as a result. They might help you avoid finding yourself in a similar situation.
A couple of years ago, my mobile phone number and Chrissy’s mobile phone number were both fraudulently ported to another carrier, meaning somebody set up fake accounts with a phone carrier in our names, then asked that new carrier to transfer our numbers over from our existing carrier. This is known as “number portability” and was set up years ago to make it easy for people to change service providers. Of course, when it was set up, nobody foresaw the day when mobile numbers would be used as authentication for bank accounts, etc. All they needed to provide to port our numbers was our mobile number, name, DOB and address. Pretty easy information to get, especially if they have access to your Facebook profile, etc. The number gets ported over to the new carrier within minutes, and our phones were left with “SOS Only”. No signal. No carrier. If you’re lucky, you get an SMS message just before it happens. Chrissy got one – I didn’t. But it wouldn’t have mattered anyway, because we were camping and didn’t have much reception.
Once the hackers have access to your phone number, any account where you have 2-factor authentication (2FA) or password recovery tied to that number (eg bank accounts, email accounts, Dropbox, any cloud service) can be lost minutes later. The process is simple. They go to the login page for your online account (which requires them to know your email address or bank account number) and click “Forgot Password”. That generates a six-digit code which is sent to the mobile number as a text. They enter that code online and then create a new password. Note that in this flow the text message is not a second factor at all: because “Forgot Password” replaces the password, the code sent to the number is the only thing standing between the attacker and the account. They can also change the email address on the account, the security questions, etc. And, of course, empty the bank accounts – which is what they did to us.
They also took over a couple of my email accounts, which they then used to try to find out things like your bank account number and family details (birthdays, names, passport numbers, etc.), all of which they can use for further identity theft. All of this took a few minutes from start to finish.
Fortunately we got our money back quickly (although I had to play hardball with the bank). We also got our mobile numbers back, though that took a few days. And with those I could retrieve the lost email accounts.
So that’s how it happens. Here’s what I did afterwards to try to prevent it happening again.
Remove my public mobile number from all forms of 2FA.
Where possible, use a physical security token for 2FA for things like bank accounts. I set up new accounts with a new bank, got tokens on our accounts, and locked the accounts down so the token is required for every login. It means always having the token on my person but that’s a small price to pay.
Where a physical token isn’t possible, try to use a Time-based One-Time Password (TOTP) authenticator app, like Google Authenticator. It works for Gmail, Dropbox, Evernote, Stripe, Facebook, Twitter, PayPal, etc. You need to provide a six-digit code for every login, and that code is generated by the app on your phone (not sent to the mobile number on the phone). The code is computed from a secret shared with the service when you scan the QR code, plus the current time, so someone who takes over your phone number gets nothing from it, provided the account’s SMS fallback and recovery options are also removed. An alternative is something like a YubiKey, a USB-based physical token, but support for YubiKey isn’t widespread yet.
Where I can’t use a physical token or GA, I have set up a separate, totally secret mobile number. It’s on a SIM card which is sitting in an old iPhone 4 I had lying around which surprisingly still works. Its only purpose now is to receive 2FA texts. The number will never be made public and therefore should be difficult to fraudulently port.
Hope you find that useful. I highly recommend setting something like this up. ID fraud is apparently a lot larger (and easier) than I previously understood.