Ep. 165 – Nick Espinosa – Cybersecurity
How do you keep your finances safe in a world where cybersecurity has become a household term? In a world where we’re performing most of our tasks online, it is important to be aware of the innovation of cyber fraud and hacking and how to stay safe.
It is crucial that your mobile devices stay encrypted, updated, and with good threat detection to avoid virus infection from malicious sites.
In this episode of the Secure Your Retirement podcast, we have Nick Espinosa, an expert in cybersecurity and network infrastructure who has consulted with clients ranging from small business owners to Fortune 100-level companies. Listen in to learn why you should validate and verify information, especially in financial transactions, to avoid phishing.
In this episode, find out:
- Nick explains the type of work he does in cybersecurity.
- The importance of marrying technology with cybersecurity to stay protected from possible hacking.
- Make sure your mobile devices are encrypted to protect your information.
- Have good threat detection on your mobile device to avoid virus infection from malicious sites.
- Why it’s crucial to keep your devices updated to fix vulnerabilities and avoid a break-in.
- The importance of enabling multifactor authentication for your password manager to keep you safe.
- Understanding forms of phishing and how they get you infected to steal your information.
- Build a filter of distrust in your technological environment to stay safe.
- Free, safe sites and organizations that offer basic cybersecurity education.
- “We have to understand as technology innovates, so does the innovation of fraud and hacking, so we have to be aware of what we’re clicking on.” – Nick Espinosa
- “Anybody over 60 is targeted at a higher rate on the personal side than any other age group.” – Nick Espinosa
Get in Touch with Steven:
If you are in or nearing retirement and you want to gain clarity on what questions you should be asking, learn what the biggest retirement myths are, and identify what you can do to achieve peace of mind for your retirement, get started today by requesting our complimentary video course, Four Steps to Secure Your Retirement!
To access the course, simply visit POMWealth.net/podcast.
Here’s the Full Transcript:
|Welcome, everyone, to our Secure Your Retirement podcast. Murs and I are certainly happy to talk with you today. One of the things that we have been spending quite a bit of conversations with our clients and those that we talk to is how do we stay safe in a world where cybersecurity is becoming more and more of a term that we’re all hearing about, whether that might be one country versus another, or right in our own living room while we’re trying to get to our finances? We have brought on an expert in this area, Nick Espinosa. So Nick, thank you so much for coming on. I know what you have to share with us is going to be beneficial to our listeners, so thank you.
|Yeah. Well, and thanks for having me. To your point, our phone hasn’t stopped ringing. It’s been kind of nuts.
|Could you just give us a, I guess, a real high-level as to what it is that you do and what’s your involvement with cybersecurity?
|Sure, sure. So, I’m the Chief Security Fanatic of Security Fanatics. We do all things cybersecurity, cyberwarfare, cyberterrorism, infrastructure, government compliance, all those kinds of things. On top of that, I have a nationally syndicated radio show. You can find it on your local NPR affiliate, I hope, that is based around cybersecurity, as well, on top of doing TED Talks and writing and all the other stuff that I’ve done. I also co-authored a bestselling book about six years ago or so now. So, I like to say it’s not in my blood, it’s in my DNA.
|Yeah. It seems like you’ve got quite the list of things behind you that say, “Hey, this guy knows what he’s talking about,” so I say we jump right in. The majority of our listeners, the majority of our clients, people that we work with, they are close to retirement or are already retired, but anyone today has access to the internet, for the most part. They’ve got a phone in their hands, they’ve got the Amazon app. While it’s nice and convenient that we can just click a button and within two days, we’ve got something on our front doorstep, we can’t get complacent with how that all works. Could you take us through, as consumers, we’re buying online… Personally, I don’t like going into stores anymore because it’s so convenient to just buy online, I know the websites I like, I know my sizes, and I don’t have to go to the store. But how do we keep ourselves safe when we’re doing that?
|Yeah. So, that’s an incredibly loaded question, only in the sense that, to your point, yes, we’re all online. The pandemic decided to accelerate a couple of different trends that we were going to see in the next five to 10 years anyway, which is the rampant uprising of shopping online, banking online, doing everything else online, not to mention working remote, as well, so it’s obviously been a huge thing. So, I think part of this is an understanding of, essentially, awareness. For example, an article that I wrote for Forbes and my second TED Talk was called The Five Laws of Cybersecurity, and I actually had my 80-something-year-old mother in mind when I wrote that. Meaning if she, one of the most technologically illiterate people I know, can understand those concepts, then I think the world can, as well. We have to understand that as we are using technology, as technology innovates, so does the innovation of fraud and hacking and everything else.
|We have to be aware of what we are tapping on, what we are clicking on. Is that email really from somebody we know or not? Not to mention the defensive technologies that we can start integrating into a lot of our devices. We need things like antivirus or threat detection systems as we are using our technology for what it is. I like to say that if you have technology, you have to marry it with cybersecurity. At this point, everybody’s hacking everybody, and so that’s a huge thing. So, as we’re going onto the Amazons of the world, understand what would happen if your phone was broken into or your phone was stolen or your computer was hacked into, what information do you have there? How are you quantifying that? What can I do if I break into your machine? Can I buy a whole bunch of stuff and send it my way? Can I not? These are things that we have to understand and we have to educate ourselves, first and foremost on these kinds of things.
|Excellent. So, I guess if you had to think about it, because you just laid out a bunch of different things, if we broke it down into maybe the top 1, 2, 3 things that your online consumer does that’s probably the most common mistake that lets people in and, in all essence, slips up.
|Yeah. One of those things, because we’re an increasingly mobile world, is to make sure that your mobile devices are encrypted. If they’re ever lost or stolen from you, then you don’t have to worry about somebody really breaking into one of your devices and retrieving your information or using it maliciously against you in some way, shape, or form, i.e. logging into your bank and stealing info or money, or something like that. So, I think that’s one of those things that we really have to understand is important. The other thing is threat detection systems, as well. A lot of people don’t see, basically, our mobile phones as anything except the phone, where it is actually a mobile computer that does a whole bunch of different things for us, and we occasionally use it as a phone. We spend more time on Facebook or texting or other platforms surfing the web than we actually do making phone calls these days. So, understanding that it is essentially equal to the computer that you have in your house, if your computer needs threat detection like antivirus and all of that, so does your mobile device, as well.
|We are downloading things constantly that can get us infected. I can infect you through Facebook, I can infect you through Twitter. They don’t scan for viruses. I can literally create an image, blurry, let’s say of the two of you, and send it to you on Facebook and say, “Hey, is this you? I think this is you from a couple years ago.” You click it thinking, “Oh, it’s me.” It’s coming from somebody you trust, because I’ve probably broken into a friend of yours, and now I’ve infected you through a picture on Facebook. So, these are things that we really have to understand. So, good threat detection, on top of that awareness, on top of things like encryption, ensure that you’re just harder to hit.
|What does that mean, by the way, when you say and make sure your phone is encrypted? How do you do that? Describe that for us so we understand it.
|So, if you have a more modern phone, a later model iPhone or a later model Android, if you are applying a good, solid password to the phone, the phone will now encrypt itself automatically.
|For example, a lot of people use a four-digit PIN or something like that, those are actually very easy to crack. We can break into those on iPhone or Android constantly. If you’re thinking, “Well, oh, it’s 10 tries until the phone wipes itself,” the answer is we don’t hit the phone. What we do, if we have access to the phone, is we clone the phone and continuously hit the clones until we get the password, because the clones can wipe themselves out. They’ll just keep auto-regenerating as we’re attacking the clone and pretty quickly, we’re able to uncover a four-digit PIN. So, having a good, solid password, so for example, on my phone, I have a 14-digit password, uppercase, lowercase, numbers, and special characters like question marks and dashes, that kind of stuff, that actually secures my phone very hard, because it encrypts, it basically scrambles the data, and the only way to unlock the data is knowing that password.
|If you’re thinking, “Nick, you’re absolutely nuts if you think I’m going to put a 14-character password into my phone,” the answer is biometrics. I get into my phone instantly, thanks to my thumbprint or Face ID, some people use that. So, having that there assures that if somebody’s attempting to clone that phone and hit a four-digit PIN, they’re not going to get into that phone, therefore my data is safe, my data is secure.
|So, I like what you said earlier about really understanding, not just how much power that little phone has, but also knowing what your risk exposure is. We work in the world of investing and we talk to clients all the time about, “Hey, what is our risk exposure and tolerance here?” About, “Hey, if we’re in stocks, there’s risk there. If we’re in bonds here, there’s risk there,” everything has risk exposure. We don’t think about it from the perspective of, “My phone has all of my life in this thing,” so I thought that was a really good point, that’s something I’ve never approached from that way, either. So, while we’re talking about passwords, every website and every recommendation is, and what we are, probably at one point in our life, or still currently at fault of, is using the same password everywhere, on every different website, right?
|So, then came these things, I don’t know the technical term for them, but they’re basically password banks. So, it’s one password to be able to store all of your passwords in a very safe, encrypted.
|Password manager, exactly.
|So, what is your thought on those? Because in my mind, it seems like it makes a lot of sense in one aspect, because you’re encrypting all of your passwords and keeping those very safe. But in the other side, it’s saying, “Well, there’s one password to access your entire life of passwords.”
|Right, right. So, to back up just a little bit. You’re 100% right, we are creatures of habit, we are creatures of complacency, and complacency is the death knell of cybersecurity. All cybersecurity does, all we do, in the same way as you’re advising your clients, all we do is quantify risk, and then attempt to mitigate the risk based on the appetite of the organization. How much risk can you have? How many computers can be off for how long until it’s so economically unviable for your company that you’re out of business, torches and pitchforks at your door? That logic also applies to individuals, as well. Think about this, if you’re a high-net-worth individual or you’ve got enough net worth, let’s say, to retire and you don’t want to see that go to China or somewhere, you want to make sure that you are investing properly in security to ensure that your money is not going to move overseas because somebody got in, somebody attacked you, somebody phished you, you fell for something.
|These are things that we have to understand, risk quantification for the individual is the same as a corporation, it’s just at the scale of an individual. So, as we are talking about that, password managers are one of those things that can help, in the sense that as you, let’s say, sign up for 10 different sites, the password manager can generate very hardened and randomized passwords for you, store them in an encrypted database. But there’s a couple caveats with password managers. Think about it this way, most password managers synchronize between themselves, meaning you have a computer at home, you’ve got that iPhone or whatever you’re carrying, and you update the iPhone, it updates the computer. But, interestingly enough, it’s not a one-to-one connection. What happens is your iPhone updates the password, it goes to the cloud, basically, of the password manager, and then synchronizes down to your computer.
|So, what is one of the largest targets in the cloud for attackers? Password clouds, because if I can break 1Password, LastPass, KeePass, take your pick, game on, I’ve got everybody’s password. So, understand that about half a dozen times a year, we read articles that say, “Oh, there’s a huge vulnerability in 1Password, LastPass, KeePass, take your pick, that requires you to update this immediately.” People, being creatures of habit and complacent, do not like to update things. We come into technology all the time where it’s like, “Yeah, I haven’t updated my phone in six months, and Apple keeps pushing the updates or Android keeps pushing the updates.” Well, we patch, or we update, primarily to fix vulnerabilities. So, if you have a password manager, you’ve got to make sure that you are keeping it up-to-date as they are releasing updates for this, otherwise somebody could possibly simply break in because a flaw was discovered that you didn’t fix, even though the fix was provided for you. So, that is, I think, something that is incredibly important to understand.
|The other side of that, too, is that we are evolving past the traditional username and password and we’re enabling, at the most basic level now, things like multifactor authentication. So, you can download an authenticator app into your phone, for example, and when you log into Amazon or your bank with your username and password, it then prompts you for a second code. So, if I’ve stolen your username and password, let’s say, out of the dark web, where there’s billions of passwords out there, that’s how Colonial Pipeline got hit, stolen username and password, logged into their VPN, if I can get that from you, I don’t have your physical phone, which means I now don’t have that code that changes every 30 to 60 seconds or so. So, that is the other side of this, having just a standard username and password on something is no longer considered valid, not to mention how these sites store passwords is also important, as well.
|You can have a super awesome password, but Facebook was caught, basically, storing passwords for hundreds of millions of users in plain text, meaning 20,000 plus of their employees, their engineers, could actually read your super awesome secure password. If you’re using that password on Facebook for your bank, you need to change that, because now, 20,000 people have the same password that you’re using everywhere. If I have a stolen username and password, we use a technique known as password spraying, which means I’m going to, if I have, let’s say, Radon, I have your username and password, I’m going to try every bank and credit union that I can possibly think of, I’m going to try every social media, every retail site, like the Amazons of the world. I’m not sitting here doing this one by one, I basically load up the username and password and my machines rip through every bank, rip through every social media, every financial institution, instantly.
|Hackers are lazy. I’d love to wake up at the crack of noon every day if I could. We go for the lowest hanging fruit, so you’ve got to make sure that you are enabling multifactor authentication, at least now, in your life.
|So, with that multifactor, does that then, in all essence, exponentially make you safer, just by having the multifactor?
|Yes, yes. Understand that every little thing you do, adds up to you, basically, being much more of a pain in the butt to break into. So, think about it this way, when we are attacking organizations or companies, and this is a really good example, one of the things we do is we will set up at a local coffee shop where we know their employees will go, and we will spoof the wireless for Starbucks or wherever. People walk in, they connect to our fake wireless, now we’re inserting infections, now we’re copying data out. Now we’ve got all of this information, because that’s essentially what we are, this is who people are. So, we’ve got to make sure that as we are evolving our cybersecurity standards, we’re also evolving into multifactor authentication.
|So, if you’ve got multifactor authentication and you’re in that coffee shop and I’m stealing your information, but I find out another user doesn’t, I’m probably going to ignore you, because your information is useless to me, unless I have direct access to that phone, and as soon as you’re out of my wireless, you’re gone. I might have inserted infections in you, all those kinds of things. So, every little thing you do adds up to make you more secure.
|So, I want to remind everyone that’s listening, we brought Nick on to educate us and help us think through, basically, get inside the mind of that hacker so that you can understand, “Hey, here’s the things that they’re looking at.” Now, I’m sitting here right now in this recording, I’m like, “Man, I’m getting a little bit of anxiety just hearing about it.” Because we don’t hear about how the inner workings work in the day-to-day, the password spraying, all these things that are actually happening. It should be scary that that’s the world that we live in right now, so we do need to take every precaution that we can. Can you talk to us a little bit about phishing emails?
|How they work on a very high-level, and then, also, what are the best things to be doing to be protecting ourselves from going through a phishing scam?
|Sure, sure. So, I think it’s important to understand that… For the record, I’m fun at parties. My job might be like, “Oh my God, but,” but I’m fun at parties, I really am. So, phishing actually takes many forms and a lot of people don’t realize that. For example, the one you mentioned is email, you get an email, it could be anything from, “Prince Ubuntu in Nigeria needs help for his revolution, please send money, those things,” or you can have things like spear phishing, we see this both in the corporate and the personal world. Here’s the problem that, essentially, retirees are going to have being in the older generation, and seriously, no offense to retirees, you didn’t grow up with this kind of technology. By virtue of that, they are targeted, basically, anybody over 60 is targeted at a much higher rate on the personal side, than any other age group, and so that’s a huge problem.
|Part of that is understanding that if I’m able to, let’s say, break into a mailbox and I realize, “Oh. Well, I’ve got a 22-year-old individual here and I’m seeing correspondence back between Grandma and Grandpa,” I’m going to craft something that says, “Hey Grandma or Grandpa, it’s me, Johnny, I’m stuck in England, I got robbed. Please send $3,000.” Grandparents tend to do anything for their grandkids. I know that if my two kids went to my mom and said, “Hey, I accidentally murdered somebody,” my mom would say, “I have a shovel and I can keep a secret.” This is what grandparents do. So, by virtue of that, we have to make sure that as we are communicating through email, we are actually validating who we are, so if Johnny is actually stuck in England, then Johnny can pick up a phone and talk, two factors of authentication, and so we have to understand this. My mother sends me all of these crazy emails that my uncle, because everybody’s got a crazy uncle and I love him, but he’s crazy, sends to her, and I don’t open a single thing.
|I don’t open pictures, I don’t click on links, I don’t do any of that. If it’s important information, meaning my mom comes to me and says, “Hey, I need you to change my bank account information,” I’m picking up a phone and I’m talking to my mother. These are things that we have to understand that we need to do. Now, there are other forms of phishing outside of just the generic phishing email, as well as those that are very well-crafted, looking directly at you because I’ve compromised somebody in your life, and now I’m attacking you. There are also fake forms online. So, you accidentally type in gooogle.com as opposed to google.com, and it will take you to a website that looks exactly like Google. You’re logging into your Gmail account, it’s stealing your username and password, and then it’s actually logging you into your actual account, but now I’m stealing that information. Or I might have infections on these sites, as well, so we see this through phishing like, “Oh, UPS has a package for you that’s delayed, click here.”
|Or you might see an email that basically says, “Oh, you just got an $800 charge on Amazon,” and you’re like, “What on earth are you talking about? I don’t…” You click there. These are the kinds of things that we are talking about, those can get you infected, as well. The other kind of phishing is actually coming through infections, as well. So if you ever get a prompt on your computer that says, “Facebook needs to call you. Call 1-800-FACEBOOK or call 1-800-MICROSOFT,” or whatever, those are 100% fake, 100% of the time. Try finding an actual support phone number for Facebook or Google, it’s like unlocking the Da Vinci Code. They don’t want to hear from you, just use their products and let them data mine, that’s all they want. So, that is always, always, always fake. So, if you’re seeing something along those lines, if you’re clicking on all of these things, this is a huge problem. You’ve got to validate and verify, especially when it comes to financial transactions.
|I don’t care if your grandkid’s asking for $50 or $50,000, you better pick up the phone and talk to them or her, it’s so unbelievably important. The number one thing that we have for, essentially, phishing is awareness. Understand that if it says it’s from UPS, the email better be from @ups.com, it’d better not be from Yahoo or Gmail, or any one of the plethora of free accounts out there, the links better go there. If you get an email from your bank that says, “Change the password,” open up a web browser, go to the bank’s website itself. Save the actual link yourself, don’t click on links. If your bank really needs you to do something, then as soon as you log in using the link you have saved that you know is legitimate, they should tell you what to do, or call the bank based off the phone number on the bank’s website.
|We see scams, especially coming, interestingly enough, out of Pakistan, where they put these things like, “Oh, Chase needs your help, please call.” Everybody’s used to call centers in Asia, so it’s no big deal to talk to somebody with an Indian accent or a Pakistani, anything like that, and so people are now getting ripped off that way, as well. So, make sure that you’re using those legitimate links, but you have to think before you click, think before you open something. You have to build a filter of distrust, essentially, in the technological environment around you. This is our biggest problem, hands down. Hands down, it’s awareness.
|Well, in just a short 20 minutes, Nick, you have enlightened us quite a bit, and it’s certainly beneficial. Is there any resource you know of that people can go to, just to keep their mind… You’re talking about awareness, this is, obviously, making us aware, but is there anywhere we might be able to go to go, “Oh, this is the new thing that we need to be looking out for.”
|Yeah, yeah. The perfect example that I have is there’s a lot of different sites out there that will give you basic and free education. I know, overwhelmingly, communities across the United States, they have senior centers, community centers, all that kind of stuff, that offer, oftentimes, free or very cheap education in cybersecurity, in good cyber hygiene. Those are places to check out, personally. Also, there are organizations. So, I sit on the board of a company called Bits N’ Bytes Cybersecurity Education that is geared, basically, on basic education for kids from kindergarten through 12th grade, but the lessons apply to everybody, universally. I don’t care if you’re 80 or eight, we all need, basically, cyber hygiene in this way. So, there are good resources out there. There are also platforms out there that will basically show you or educate you on how to spot phishing email. Udemy, I think has one, there’s a whole bunch of others, Prey Project, I believe, is another one. So, there’s a lot of resources out there for everybody.
|Well, fantastic. Thank you so very much, we appreciate it. It’s been extremely insightful. Thank you for spending some time with us.
|Thanks for having me.