This article is part of the series "[Podcast] “Hacked Again” Author Scott Schober".
Scott Schober wears many hats. He’s an inventor, a software engineer, and he runs his own wireless security company. He’s also written Hacked Again, which tells the story of his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN.
In the first part of our interview, Scott tells us about some of his adventures in data security. He’s been a victim of fraudulent bank transfers and credit card transactions. He’s aroused the wrath of cyber gangs, and his company’s site was a DDoS target. He also gives small businesses and consumers practical security tips for dealing with the threat environment.
Andy Green: Scott Schober wears more than a few hats. Scott is President and CEO of Berkeley Varitronics, a company that makes wireless test and security solutions. He is also an inventor. The gadget that enforces no-cell-phone policies, that’s one of his. He’s a sought-after security speaker and has been interviewed on ABC News, Bloomberg TV, CNBC, CNN. And he’s been on the other side of the security equation, having been hacked himself, and has written about that experience in his book, “Hacked Again.” So, we’re excited to have Scott on this podcast. Thanks for coming.
Scott Schober: Yeah, thanks for having me on here.
Andy Green: Yeah, so for me, what was most interesting about your book “Hacked Again,” is that hackers actively go after small, medium businesses, and these hacks probably don’t get reported in the same way as an attack on, of course, Target or Home Depot. So, I was wondering if you could just talk about some of your early experiences with credit card fraud at your security company?
Scott Schober: Yeah, I’d be happy to. My story, and what I’m finding, too, is not necessarily that different than many other small business owners. What perhaps I’m finding is more different is many small businesses and medium-size business owners are somewhat reluctant to share the fact that they actually have had a breach within their company. And oftentimes, because they perhaps are embarrassed or maybe there’s a brand that they don’t wanna have tarnished, they’re afraid customers won’t come back to the well and purchase products or services from them. In reality… And I talk about this often about breaches, pretty much every week now, trying to educate and share my story with audiences, and I always take a poll. And I am amazed, almost, now, everybody raises their hand that they’ve had some level of having their business compromised or personally compromised, be it a debit card or credit card.
So, it’s something now that resonates, and a lot more people realize that it’s frequent, and it almost becomes commonplace. And another card gets issued, and they have to dispute charges, and write letters, and go through the wonderful procedure that I’ve had to do. I think, with myself, it’s happened more frequently unfortunately because, again, sharing tips and how-to and best practices with individuals, it kinda gets the hackers a little bit annoyed and they like to take on a challenge to see if they could be disruptive or send a message to those that are educating people how to stay safe, because obviously it makes their game a lot harder.
And I’m not alone, I’m in good company with a lot of other security experts out there and in the cyber world that have been targeted. And we all share war stories and we’ve always got the target on our back, I guess it’s safe to say. And with myself, it started with a debit card, a credit card, then eventually the checking account. Sixty-five thousand dollars was taken out. And I realized this was not just a coincidence. This is a targeted, focused attack against me, and it really hasn’t stopped since. I wish I could say it has, but every week I’m surprised with something I find.
Andy Green: Right.
Scott Schober: Very scary. I have to just keep reinforcing what we’re doing in making it safer to run our business and protect ourselves and our assets.
Andy Green: Right. So, I was wondering if you had just some basic tips because I know you talked a lot…you had some credit card fraud early on. But some basic advice for companies that are using credit cards or e-commerce. Is there something like an essential tip in terms of dealing with credit card processing?
Scott Schober: Yeah, yeah, absolutely. There’s actually a couple things that I always share with people. Number one, a lot of it has to do with how well do you manage your finances, and this is basic 101 finances. When you have a lot of credit cards, it’s hard to manage and hard to keep on top of looking at the statements or going online and making sure that there’s no fraudulent activity. Regular monitoring of statements is essential. I always emphasize, minimize the number of cards you use. Maybe it’s one card that you use, perhaps a second card you use for online purchases. Again, so it could be very quickly isolated and cleaned up if there is a compromise.
It’s ironic, the other day I was actually presenting at a cyber security show and I was about to go up on stage and my wife called me in a panic. She has one credit card in her own name that she took out many years ago, and she says, “You won’t believe it, my card was compromised. How could this happen?” So here it is, I’m preaching to my own family and she’s asking me how it happened. She was all embarrassed and frustrated. It’s because if we’re not regularly monitoring the statement and not careful where we’re shopping, we just increase the odds. It’s a numbers game. So, really, minimizing and being very careful where we shop, especially online. If we shop for the best price, the best bargain, oftentimes there will be a site with the cheapest price, and that’s a telltale sign there’s gonna be a stolen credit card there. Go to name-brand stores online, and you have a much, much better chance that you’re not gonna be compromised with your credit card.
Andy Green: Right. So, that’s actually some good advice for consumers, but what about for vendors? Because as a company, you were taken advantage of. I think I have a note here of a $14,000 charge?
Scott Schober: You’re exactly right, yes. That’s a little different. That particular charge, just to clarify, that was somebody that was purchasing our equipment and provided a stolen credit card to purchase equipment. So there the challenge is how do you vet somebody that provides… Somebody that you don’t see face-to-face or don’t know personally, especially in another country, how do you make sure that that customer’s legit? And I’ve done a couple simple things to do that. In fact, I had one earlier today, I actually did. Number one, pick up the phone and ask a lot of questions, verify that they are who they say they are, what their corporate address is. Make sure you’re talking to a person in the accounting department if it’s a larger company. Try to vet them and make sure they’re legit, go online and see. And there are fake websites and there are fake company profiles and things. But sometimes crisscrossing, you do a quick Google search, go onto LinkedIn and see if you see that same person and their title, what their background is. Does it kind of jibe with what you’re hearing on the phone and what you’re reading in the email? It’s very, very important. Do your due diligence even if it takes you five or ten extra minutes. You could prevent a breach and save yourself a lot of hassle and a lot of money.
Andy Green: Right. So, would a small business like yours be held liable if you don’t do that due diligence, or does the credit card company protect you if you do the due diligence and then there turns out to be a fraudulent charge?
Scott Schober: Great question. Unfortunately, the laws greatly protect the buyer, the consumer. There are a lot fewer laws in place to protect the business owner. And I found that out the hard way, in some cases, in talking to other business owners. It’s really hard to get your money back, where the second that there’s a dispute, that money comes out of the account and goes into an account between the two parties till it can actually be settled or arbitrated.
And it’s usually a series, you each have two shots of writing a letter and trying to show your case, so on and so forth. In a case where I had been given fraudulent stolen credit cards from somebody that actually had a lawnmower shop, in that particular case, the money went out of our account, went into this other account, and I said right away, “Honestly…” I said, “I didn’t realize these were fraudulent charges,” and they immediately went back into the other person’s account. So, the person that was compromised, fortunately they got their money back, and I felt good that that small business owner wasn’t duped or stuck.
The problem I had was the fact we shipped the goods and almost lost them. So, we got hit with some shipping bills and things like that, but it was more the lesson I learned that was powerful. Spend that time up front, even if it costs you a little bit of money, to save the potential that you’re receiving a fraudulent charge. The card companies, the credit card companies that accept it, yes, there are some basic checks that they do. If it’s in, like, the United States, what they’ll do is a zip code check or address check, very basic.
They really don’t validate for you 100% that that card is not compromised. There’s not enough checks and balances in place, or security that can say, “Hey.” And really, what does it do, the onus goes back to you, on the business owner. Your name is at the bottom of it, signed, that they can go after your company or you personally, depending upon what your agreement is. And most of the credit card agreements, they can go after you personally if something fraudulent happens. So really be aware what you sign on with your credit card processor.
Andy Green: Right, right. We talk a lot about what they call the PCI credit card industry DSS, Data Security Standard, which is supposed to put companies that store credit card information at a certain security level. And it’s been a little bit controversial or people had issues with the standard, I guess vendors. I was wondering if you had any thoughts on that standard? Is that something that you have implemented or you don’t store credit card numbers and it’s not an issue for you or…?
Scott Schober: I think it’s an issue for everyone because to some degree everybody has credit card storage for a period of time. And be it on premises, be it physical, be it a receipt. What we have done beyond what the standard mandates, we do shred with a micro shredder old documents. So, a customer will call me up a week later, a month later, a year later, and I’m gonna say, “I’m sorry, I need to get your credit card again.” We do it over the phone, traditionally. We say, “Do not email us. Do not fax us your credit card,” even though many people like to do that, there’s risks on many fronts, obviously, why you should not do that.
A lot of companies also, you have to keep in mind, it’s important to realize that they’re storing a lot of their information in the cloud. They claim to be secure, claim to be encrypted, but it’s a remote server. I always ask the question, “Do you know where the physical location of that server is?” And most people say, “No.” “Do you realize that there is redundancy and backup of that?” “Well, no.” “And do you realize that somewhere in the process that data may not all be encrypted, as they say?” “No, I didn’t realize that.” So, to me, I’m very, very cautious. What we do use is, for our online commerce store, none of the employees within my organization have received a credit card.
And that allows some transparency and, I think, some security. So, you keep it out of our hands, they can buy online. We never are in possession of their physical credit card, or expiration date, or links to their account. And that, I think, is important that you can keep that level of security, and it actually helps customers. I’ve had a couple customers say, “You know what, you guys do it right. I can just go online and buy it. There’s no extra cost or this or that. It’s simple to purchase on your store, and I know nobody’s holding that credit card.” I say, “Great.”
Andy Green: Right, and that’s a very typical solution to go to a processor like that.
Scott Schober: Exactly.
Andy Green: Although some of them have been hacked, and…
Scott Schober: True, true, that is very true.
Andy Green: But, yeah, that is a very typical solution. And then I… Reading your book, going back to your book, “Hacked Again,” there’s a series of hacks. I guess it started out sort of with credit cards, but over the years you also experienced a DDoS attack. So, I was wondering if you can tell us a little bit about that. It sounds like one of the earlier ones, and just how you became suspicious and how your ISP responded?
Scott Schober: Yeah, that’s an interesting one. And again, I think especially in light of just what happened the other week, a lot more people can understand what in the world that acronym, DDoS, means. And we learned it firsthand a while back, and so the pain of it… Having an online commerce store that in the past few years we’ve grown… And we’ll typically do maybe $40,000 to $50,000 in commerce per month on our online store, so it’s an important piece of revenue for a small business. When you start to find that your store is very spotty and having problems, and people cannot buy, and it’s not one or two people, but you start getting the phone calls, “Hey, I can’t process an order. I can’t access your store. I’m being denied. Is there something wrong?” “Gee, that’s funny. Let me try. Wait a second, what’s wrong? Let’s call the ISP, let’s call…” And we started digging in and finding out there’s waves of periods over a time that we’ve been out. None of these were prolonged, it wasn’t like we were out for an entire week. There’s short bursts of an hour at a time, perhaps, that we’ve been out.
What we did was we actually got some monitoring hardware in place so we can actually look at the traffic and look at the specific content, the payload that is sent. And sure enough, classic DDoS attack, by analyzing the garbage coming over. So, I always encourage companies, if you are having problems, number one, contact your ISP. They can do some analysis. You may have to go above and beyond that if the problem keeps happening… We eventually had to change everything that we did, unfortunately, from our website, to our host, to our ISP. We have a dedicated server now with hardware at the server. We have hardware here before our firewall as well. Again, layers of security, that starts to minimize all the problems. And ironically, we actually receive a lot more DDoS attacks now than we ever did, but we’re actually blocking them, that’s the good news.
Andy Green: Actually, your servers are on premises and… or you’re using them…?
Scott Schober: It’s not here physically in our building, but we have a dedicated server, as opposed to most companies, where it’s usually shared. What starts to happen is you start to now inherit some of the problems that others on your server have. And sometimes the hackers use that as a backdoor to have access to you, by getting through what the other guys have. So better to just have a dedicated server, pay the extra money.
Andy Green: Okay, that’s right.