♪ ♪
-[ Charlsie ] We're about
to test one of Canada's
largest telcos.
My name is Charlsie.
-[ Charlsie ] These two ethical
hackers, Joshua Crumbaugh and
Alex Heid, are
taking on my identity,
so they can take
over my account.
Yeah, it's 1234.
-[ Charlsie ] What you're
watching is called
social engineering.
I wanted to add HBO
to my account.
-[ Charlsie ] A hack that relies
on charm and persuasion to get
access to your info,
and even your money.
[ ♪♪ ]
-[ Charlsie ] Erynn Tomlinson
never thought she would be
a victim.
She's a former cryptocurrency
exec who thought her info was
secure from hackers.
But that wasn't the case.
When did you
know you'd been hacked?
Well, I was out and my service
cut out on my phone.
I went to a local
cafe that I always go to.
One of the first things I did
when I got there was check one
of my financial accounts,
and I saw it was at zero.
That was the moment that I
realized what was happening.
I rushed home so that I could
be at my desktop where I had the
most control.
And then it was-- it was a race,
and it was right at the moment
where they took out the last
transaction that I saw go
through that I effectively
blocked them.
You basically watched
yourself get hacked?
Yes.
-[ Charlsie ] As
far as she can tell,
the only information
the hackers had?
Erynn's name and phone number.
And that was
enough to take it all.
It was $30,000
equivalent in crypto.
I was closing a
mortgage weeks later.
So, that's-- that's
what that money was for.
-[ Charlsie ] So how
did it all unfold?
Someone or someones
contacted Rogers through chat
message through their
online support system.
Right.
And pretending to be
me with very little information,
they proceeded to ask
Rogers for information about me.
And each time they got one piece
of information they would say,
"Thank you, I got
what I needed."
They would end the chat
get a new agent and start
all over again.
-[ Charlsie ] Erynn got
her hands on those chats.
She couldn't believe how
easily Rogers gave away all
her information.
They were given my
account number,
my email, my credit
card information,
my birth date, the amount
of data on my account,
my last bill amount.
-[ Charlsie ] It takes
8 different chats,
but eventually the hackers
convince the employee to
deactivate Erynn's SIM
card and activate a new one.
It's called a SIM swap and gives
hackers access to all your apps
and financial accounts.
I don't know
how to describe it.
I was sort of in shock
at the whole thing.
-[ Charlsie ] Erynn's case
might sound extreme,
but she's not alone.
In 2017, TELUS gave out one
customer's personal info to her
stalker, putting her info
and her security at risk.
Just three months ago, the
government ordered all companies
to report all hacks to
Canada's privacy commissioner.
Since then, there have been over
a dozen cases involving social
engineering in the
telco sector alone.
And companies around the world
admit social engineering attacks
are on the rise.
We're in New York City about
to meet with some cyber security
pros who are going to tell us
and show us just how hacking can
hurt us all and what
we can do to stop them.
[ ♪♪ ]
One of my email accounts
has been compromised.
[ ♪♪ ]
This is what the bad guys do.
They actually spend time
trying to force errors.
This is Infosecurity
North America.
Dozens of experts, hundreds of
enthusiasts finding flaws in
security systems, and showcasing
solutions all in one place.
[ ♪♪ ]
-[ Charlsie ] From videos
that teach you how to avoid
getting hacked.
The biggest threat for an
organization is your users.
We call it the human firewall.
Instead of a user blindly
clicking on links or opening
attachments, we want to train
that user to take a moment,
think about what
they're going to do,
and then actually
make a decision,
an informed decision.
-[ Charlsie ] To interactive
games like squashing bad
computer bots.
So we're differentiating
bad bots from humans,
and so as you play, you'll
see bots light up in random
locations, and you
have to smash the bots.
This is so hard!
It's pretty hard, right?
Top three!
-[ Charlsie ] There's even a
security-themed escape room!
Okay.
An escape room?
What does this have to do
with social engineering?
So we do immersive
security awareness training.
So the first code for
the routers is B124.
So in this room, there's a bunch
of puzzles that have to do with
helping people understand what
social engineering is and how
they can better
protect themselves.
-[ Charlsie ] These guys
are at the conference too.
They're ethical hackers ready
to use their skills on my cable
provider, Rogers.
It's just psychology,
so if you understand how
somebody's going to
react to something,
you can easily manipulate
somebody into giving them
information or access to things
that maybe they shouldn't.
Okay. Let's give it a
go, guys.
I'm going to
call this number.
It will look as if
I'm calling from you,
and I am Matthew,
your personal assistant.
-[ Charlsie ] Will
the rep fall for it?
Well, my name is Matthew.
I'm calling on
behalf of my boss.
I'm her personal assistant.
Her name, though,
is Charlsie Agro.
Basically, she's asked me to
call and get HBO added and also
just verify a couple
things about her account.
-[ Charlsie ] First call and
this employee is not buying it.
If at first you
don't succeed,
just hack, hack again?
Think of how many people
work there, though.
You only need one
out of a group.
-[ Charlsie ] So Joshua
tests a new Rogers rep.
-[ Charlsie ] The same
old trick with a twist.
This time, he's
impersonating me.
My name is Charlsie.
Agro.
I'm doing well.
Yeah, I wanted to
add HBO to my account.
Yeah, it's 1234.
That's normally
the one I use.
Let's try 0246.
That's the other one
-[ Charlsie ] Wrong pin but
the rep doesn't flag it.
Strike one.
Date of birth is [ Bleep ].
-[ Charlsie ] After a
quick search online,
they find a postal code.
Okay.
Yeah, there we are.
It's [ Bleep ].
-[ Charlsie ] They're
off by a digit,
but the Rogers rep doesn't
catch that mistake either.
Strike two.
It should be [ Bleep ]@gmail.
-[ Charlsie ] And this
is where it gets scary.
Could we set a passcode,
as long as we're in here?
Yeah, let's make it 0246.
You'll want to change
that right away afterwards.
-[ Charlsie ] Hard to believe,
he actually changes the passcode
on my account.
A serious strike 3.
And the game's
not over yet.
He even adds his own
security question.
We'll go with name
of the first pet.
It was Rufus, R-U-F-U-S.
-[ Charlsie ] And just when you
think it can't get any worse,
he adds himself to my account.
All right.
And while I'm at it, could I add
my personal assistant as a level
one user?
His name is Joshua.
Last name Crumbaugh.
-[ Charlsie ] The rep on the
phone even starts volunteering
information, including the
other name on my account.
Yeah, yeah, that's her.
My husband.
-[ Charlsie ] And just like
that, the damage is done.
So I'm shocked because
you actually got my
postal code wrong.
It was off by a digit, and
they still let you do that.
So based on-- so again it's
all about the profile of the
person who picks up.
I think the biggest
thing is education.
We have got to do more in making
our people aware that these
things happen.
-[ Charlsie ] This
is your "Marketplace".
-[ Charlsie ] It's
the latest con game.
Everyone's always
going to get hacked.
It's just a matter
of when that happens,
not if that happens.
Could we set a passcode,
as long as we're in here?
Yes.
-[ Charlsie ] We're revealing
how hackers can use their skills
to con companies into
giving it all away.
At this security
conference in New York,
the ultimate headliner is one of
the world's most famous hackers,
Kevin Mitnick.
-[ Kevin] I was on a trophy hunt
to see how many companies
I could hack into.
-[ Charlsie ] Once a conman and
one of the FBI's most wanted,
he hacked into 40 big companies,
even went to prison for
five years.
Not for their
information, per se.
It was the challenge of
getting through their security.
So, for me, it was all about
the pursuit of knowledge and
the seduction of adventure.
It was never about
causing any harm,
never about making any money.
-[ Charlsie ] Now, he's flipped,
using his hacker skills to train
companies on how to protect
you from people like him.
What is it about human
nature and the goals of
customer service
that make people,
organizations, vulnerable when
it comes to social engineering?
Well, customer
service, you know,
it's all about
customers is the king,
and customer service is gonna
bend over backwards to make the
customer happy.
-[ Charlsie ] Mitnick says part
of the problem is those security
questions many
companies use to verify you.
The companies need to have
policies put into place to come
up with a way to have a very
high confidence that they're
dealing with the consumer.
They're the ones that are in
control because they are the
ones that can effect change.
The consumer can't.
The consumer can
only demanded change,
and if they are
unwilling to do it,
you go to a different vendor.
-[ Charlsie ] Social engineering
victim Erynn Tomlinson agrees.
She says Rogers should have
done more to protect her info.
What did they offer you?
They offered me, at first,
three months' free service.
Sorry.
Three months of free service?
After losing...
$30,000.
And then they-- you
know, obviously I said,
"I don't think
that's appropriate."
They came back to
me, again, and said,
"Um, okay, you
know, you're right.
"We're gonna offer you one year
of free service," to which I
said, "I feel like that is a
joke at my expense."
-[ Charlsie ]
Erynn's not giving up.
She's now suing Rogers.
What I really want to see
is, not just that they give
platitudes and say, "Oh,
we're sorry this happened" from
a customer service point of
view, but that they make real
changes to their policies and
their training internally,
so that this can't happen.
Rogers declined to speak
to us about Erynn's case
as it's before the courts but
argue they're not responsible
for what happened to her.
They do say they provide ongoing
training for their staff and
take their customer's privacy
and security very seriously,
always improving and updating
their security measures and
verification processes.
Rogers does admit those steps
were not followed properly by
the customer service rep
when my account was hacked.
Do you think your members
right now are doing a
good job protecting
customers' privacy?
I think they are.
-[ Charlsie ] Meet Robert Ghiz.
He's the head of the Canadian
Wireless Telecommunications
Association, an industry group
representing some of the
big telcos.
I think they're putting
mechanisms in place,
that they are training
and educating,
but the difficulty is staying
ahead of the fraudsters.
I know they're good.
You know how I know?
We had two ethical hackers.
They got into my Rogers account.
They had the wrong PIN number.
They had the wrong postal code.
And they still got in, so that's
troubling for me as a consumer.
But I want to know how
troubling it is for you.
Well, obviously we
want to protect our members.
It's something
that's important to them,
and that's why they will
continue to educate they will
continue to train.
But there's always
going to be human error.
There's always going to
be fraudsters out there.
It's up to all industries to
ensure that they do the best to
protect individual security with
a constantly evolving technology
that is only going to
grow in the future.
Experts have been
really clear with us.
We need to move away from
using personal information
to authenticate or
validate a user.
When are you going to stand
up to telco companies and say,
"Let's make a change?
This isn't working?"
Well, that's only one
portion of what they do,
whether it's asking
birthday, asking your address,
that's why they're adding pins,
passwords, security questions.
Even though these have
these measures in place,
it doesn't seem to matter.
They're not working.
They got in anyway.
They are working.
The thing is there's
millions of calls--
It didn't work for me
There's millions of calls
that come in every week.
There's always going to be
some human error that's going to
exist, but you're right.
It's gotta be about educating
those front line services and
training those
front line services,
and that needs to continue and
needs to be more vigilant in
the future.
[ ♪♪ ]
-[ Charlsie ] Ethical hackers
Joshua and Alex agree.
Companies shouldn't be asking
for personal information to
verify us but say we shouldn't
make it too easy for hackers by
sharing too much ourselves.
So many people will use their
children's names or birthdates,
or their animals
names as passwords.
And then you go onto
their social media,
and they've posted a million
pictures of the same dog with
the name of their dog.
And they're basically putting
their passwords out there for
everyone to see.
-[ Charlsie ] Is he right?
Do we really share too much?
[ ♪♪ ]
-[ Charlsie ] We're taking that
question to the streets.
-[ Charlsie] What kind of
password do you have?
Like a dog's name, birthdate?
I do use my dog's name.
-[ Charlsie] Oh, what kind
of a dog do you have?
I have a shih-poo.
-[ Charlsie] Aww.
What's his name?
[ Bleep ]
-[ Charlsie] What security
question would you choose?
My mother's name.
-[ Charlsie] What's
your mom's name?
Can I reveal that?
Okay, my mom's
name is [ Bleep ].
-[ Charlsie] So your security
answer would be [ Bleep ]?
Yes.
-[ Charlsie] How strong do you
think your online password is?
Very, very strong.
It's a name that
nobody would guess.
-[ Charlsie] So, like,
your partner's name?
Yeah, something like that.
-[ Charlsie] What's
your partner's name?
I can't-- I can't say.
-[ Charlsie] Why?
[ Bleep ]
-[ Charlsie] So your password
is [ Bleep ] plus a bunch
of numbers?
-Yes, yes, it is.
-[ Charlsie] Thank
you very much.
Thank you, yeah.
-[ Charlsie] Please go
change your password!
Have a good one, guys.
Take care.
-[ Charlsie ] I've
changed my password.
And now it's up to companies
to change their practices.
